Windows Targets

Last updated

When you deploy software to Windows Servers, you need to install Tentacle, a lightweight agent service, on all of those Window Servers.

Once installed, Tentacles:

  • Run as a Windows Service called OctopusDeploy Tentacle.
  • Wait for jobs from Octopus (deploy a package, run a script, etc).
  • Report the progress and results back to the Octopus Server.

Before you install Tentacle, review the the software and hardware requirements for:

Download the Tentacle Installer

The latest Octopus Tentacle MSI can always be downloaded from the Octopus Deploy downloads page.


Octopus and Tentacle can be configured to communicate two different ways depending on your network setup. The mode you are using will change the installation process slightly.

Listening Mode is Recommended
When choosing a communication mode, we recommend listening mode when possible. Listening mode uses the least resources (listening on a TCP port is cheaper than actively trying to connect to one). It also gives you the most control (you can use rules in your firewall to limit which IP addresses can connect to the port). Octopus and Tentacle use SSL when communicating, and Tentacle will outright reject connections that aren't from an Octopus server that it trusts (identified by an X.509 certificate public key that you provide during setup).

SSL Offloading is Not Supported
The communication protocol used by Octopus and Tentacle requires intact end-to-end TLS connection for message encryption, tamper-proofing, and authentication. For this reason SSL offloading is not supported.

Proxy Servers Supported for Tentacle Communications Since Octopus 3.4
The communication protocol used by Octopus and Tentacle 3.4 and above supports proxies. Read more about configuring proxy servers for Tentacle communications in proxy support.

If you are using a version of Octopus/Tentacle prior to 3.4 refer to either Listening Tentacles or Polling Tentacles for more information on configuring a bypass rule.

Tentacle can be installed and configured directly from the command prompt, which is very useful when you need to install Tentacle on a large number of machines. See more in automating Tentacle installations.

Cloning Tentacle VMs
In a virtualized environment, it may be desirable to install Tentacle on a base virtual machine image, and clone this image to create multiple machines.

If you choose to do this, please do not complete the configuration wizard before taking the snapshot. The configuration wizard generates a unique per-machine cryptographic certificate that should not be duplicated. Instead, use PowerShell to automate configuration after the clone has been materialized.

Calamari Warning in Health Check
When you first install a Tentacle it does not have the latest Calamari package installed. So, on the first health check a warning will be written to the log with the following message Not running latest version of Calamari. Directory does not exist: C:<TentacleHomeDirectoryChosenDuringInstallation>\Calamari, this message can safely be ignored as we will automatically push the latest Calamari package to the Tentacle on the first deployment made to it, or you can manually push the latest Calamari package to the Tentacle from the Environments page.

Tentacle Manager

The Tentacle MSI installer is very simple: it extracts the core program files on disk, adds an event log source, and that's about it. The actual configuration of your Tentacle is done through a tool called Tentacle Manager. When the MSI completes Tentacle Manager will appear, and you can access it any time from your start menu/start screen. Tentacle Manager is a Windows application that:

  • Has a setup wizard to configure your Tentacle instance
  • Has wizards to configure Tentacle to use a proxy server, or delete the Tentacle instance
  • Shows other diagnostic information about Tentacle


By default, the Tentacle Windows Service runs under the Local System context. You can configure Tentacle to run under a different user account by modifying the service properties via the Services MMC snap-in (services.msc).

The account that you use requires, at a minimum:

  • Log on as a service right on the current machine - learn more.
  • Rights to enumerate the Local Machine certificate store.
  • Permissions to load the private key of the Tentacle X.509 certificate from the Local Machine certificate store.
  • Read/Write permissions to the Tentacle "Home directory" that you selected when Tentacle was installed (typically, C:\Octopus).
  • Rights to manage Windows Services (start/stop) - learn more.

Please be aware that to perform automatic Tentacle updates you need an account with extra permissions.

In addition, since you are probably using Tentacle to install software, you'll need to make sure that the service account has permissions to actually install your software. This totally depends on your applications, but it might mean:

  • Permissions to modify IIS (C:\Windows\system32\inetsrv).
  • Permissions to connect a SQL Server database.

If you Reinstall a Tentacle using the Tentacle Manager, the Windows Service account will revert to Local System.

Using a Managed Service Account (MSA)

You can run Tentacle using a Managed Service Account (MSA):

  1. Install the Tentacle and make sure it is running correctly using one of the built-in Windows Service accounts or a Custom Account.
  2. Reconfigure the Tentacle Windows Service to use the MSA, either manually using the Service snap-in, or using sc.exe config "OctopusDeploy Tentacle" obj= Domain\Username$.
  3. Restart the Tentacle Windows Service.

Learn about using Managed Service Accounts.

In This Section

The following topics are explained further in this section: