Generally speaking, the two options for communicating with remote machines are agent-based and agentless. Agent-based relies on an agent installed on the target, such as the Octopus Tentacle. Agentless is a misnomer, as there is an agent pre-installed on the machine, specifically SSH for Linux machines and Windows Remote Management (WinRM) for Windows.
At Octopus, we prefer and recommend agent-based, using Octopus Tentacles. In this document, we compare the two approaches.
Octopus supports both agent-based and agentless communications for Linux, via Tentacle and SSH, respectively.
For Windows, Tentacle is required. WinRM is not supported.
Connectivity Model
Tentacle | Tentacle can operate in Listening or Polling communication modes. This avoids firewall headaches by allowing outbound-only connections from the targets. |
SSH | Inbound over port 22. This is standard in most Linux environments. |
WinRM | Inbound over ports 5985 (HTTP) or 5986 (HTTPS). |
Authentication and Security
Tentacle | Mutual X.509 certificate authentication. Both the Octopus Server and the Tentacle generate their own X.509 certificates when they’re installed. These are exchanged during the initial “trust” setup (the handshake). After that, each side verifies the other using the certificates before allowing communication. All communication between the Octopus Server and Tentacle is encrypted using TLS. There is no reliance on domain-trust or OS accounts. |
SSH | Uses the SSH protocol with public-key cryptography. Octopus Deploy proves identity with a configured key, either: |
WinRM | For encryption, it typically uses HTTPS with TLS. Uses Windows authentication models: |
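
The Tentacle row above describes two self-signed certificates that are exchanged once and then checked on every connection. The following Go code is an added illustration of that trust model, not Octopus code: each side builds a TLS configuration that presents its own certificate and accepts only the exact peer certificate it was given at trust setup. The names `newIdentity` and `pinnedConfig` are hypothetical, and comparing SHA-256 fingerprints is an assumption about how the certificates are matched.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newIdentity creates a self-signed certificate, as each side does at install time.
func newIdentity() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// pinnedConfig presents own and accepts only the certificate exchanged at trust setup.
func pinnedConfig(own tls.Certificate, trustedDER []byte) *tls.Config {
	want := sha256.Sum256(trustedDER)
	return &tls.Config{
		Certificates:           []tls.Certificate{own},
		ClientAuth:             tls.RequireAnyClientCert, // server role: the peer must present a certificate
		InsecureSkipVerify:     true,                     // no CA chain or hostname check; the pin below decides
		SessionTicketsDisabled: true,                     // the callback is skipped on resumed sessions, so disable resumption
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 || sha256.Sum256(rawCerts[0]) != want {
				return errors.New("peer certificate is not the pinned one")
			}
			return nil
		},
	}
}

func main() {
	server, _ := newIdentity()
	tentacle, _ := newIdentity()
	stranger, _ := newIdentity() // constructed third party that was never part of the trust exchange
	cfg := pinnedConfig(server, tentacle.Certificate[0])
	fmt.Println(cfg.VerifyPeerCertificate(tentacle.Certificate, nil), cfg.VerifyPeerCertificate(stranger.Certificate, nil))
}
```

The same `pinnedConfig` result can be passed to `tls.Listen` on one side and `tls.Dial` on the other; because trust rests on the pinned certificate alone, no CA, domain trust or OS account is involved in the check.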
Installation and Configuration
Tentacle | Requires installing a lightweight service (Windows or Linux). Upgrades can be automated from Octopus. |
SSH | No additional agent required. Requires correct system configuration and credential management. |
WinRM | No additional agent required. Requires correct system configuration and credential management. |
Summary
Using the Tentacle agent comes with the upfront cost of installing the service on target machines, but this is offset by advantages, including:
- A more flexible connectivity model that supports both listening and polling modes.
- Strong security independent of domain-trust or OS credentials, making it less likely to be misconfigured.
Page updated on Thursday, August 28, 2025