Docs
Free trial

Agent vs Agentless

Generally speaking, the two options for communicating with remote machines are agent-based and agentless. Agent-based relies on an agent installed on the target, such as the Octopus Tentacle. Agentless is a misnomer, as there is an agent pre-installed on the machine, specifically SSH for Linux machines and Windows Remote Management (WinRM) for Windows.

At Octopus, we prefer and recommend agent-based, using Octopus Tentacles. In this document, we compare the two approaches.

Octopus supports both agent-based and agentless communications for Linux, via Tentacle and SSH, respectively.

For Windows, Tentacle is required. WinRM is not supported.

Connectivity Model

Tentacle Tentacle can operate in Listening or Polling communication modes. This avoids firewall headaches by allowing outbound-only connections from the targets.
SSH Inbound over port 22. This is standard in most Linux environments.
WinRM Inbound over ports 5985 (HTTP) or 5986 (HTTPS).

Authentication and Security

Tentacle Mutual X.509 certificate authentication. Both the Octopus Server and the Tentacle generate their own X.509 certificates when they’re installed. These are exchanged during the initial “trust” setup (the handshake). After that, each side verifies the other using the certificates before allowing communication.

All communication between the Octopus Server and Tentacle is encrypted using TLS.

There is no reliance on domain-trust or OS accounts.
SSH Uses the SSH protocol with public-key cryptography.

Octopus Deploy proves identity with a configured key, either:

  • SSH private key
  • Username + password
WinRM For encryption, it typically uses HTTPS with TLS. Uses Windows authentication models:
  • Kerberos
  • NTLM
  • Basic authentication

Installation and Configuration

Tentacle Requires installing a lightweight service (Windows or Linux).

Upgrades can be automated from Octopus.
SSH No additional agent required.

Requires correct system configuration and credential management.
WinRM No additional agent required.

Requires correct system configuration and credential management.

Summary

Using the Tentacle agent comes with the upfront cost of installing the service on target machines, but this is offset by advantages, including:

  • A more flexible connectivity model that supports both listening and polling modes.
  • Strong security independent of domain-trust or OS credentials, making it less likely to be misconfigured.

Help us continuously improve

Please let us know if you have any feedback about this page.

Send feedback

Page updated on Thursday, August 28, 2025

Edit on GitHub