Polling Tentacle Firewall problem

Hanna

12 Apr, 2017 01:06 PM

Hi.

We're trying to install a Polling Tentacle inside a network with a firewall. During the installation, there was the following error:

1  INFO  Checking connectivity on the server communications port 10943...
1 ERROR  ===============================================================================
FATAL  The remote server returned an error: (403) Forbidden.
System.Net.WebException: The remote server returned an error: (403) Forbidden.

For more details, please see the attached file.

We tried to install with different Polling tentacle proxy settings:

  • Do not use proxy
  • Use the proxy server configured in IE
  • Use the proxy server configured in IE, with custom credentials.

And we’ve got the same error in every installation.

I checked the Troubleshooting section and ran all the mentioned checks of the connection to the Octopus Deploy server on port 10943. I got the following results:

  • IE browser – failed (firewall error)
  • curl – success (‘Octopus server configured successfully’)
  • PowerShell – failed
  • (Additional) telnet – success

The same problem is mentioned in this topic, but there is no answer.
Is there anything that should be done to resolve this problem?

Thank you.

  1. Support Staff 1 Posted by Robert Wagner on 13 Apr, 2017 06:28 AM

    Hi Hanna,

    Thank you for getting in touch. How are you specifying the proxy? Could you share the command line you are using?

    I noticed in the logs you provided that "Proxy use is disabled".

    The "Use the proxy server configured in IE" option won't work if IE can't connect. What are the options you are using with Curl? What kind of proxy is it?

    Robert W

  2. 2 Posted by Hanna on 13 Apr, 2017 07:06 AM

    Hi Robert,
    Thank you very much for the reply.
    Do you mean the proxy settings in the process of Tentacle installation?

    As for curl, I just downloaded it from the curl website and used the command that is mentioned on the Troubleshooting page.

    curl https://your-octopus:10943 -k
    
    And nothing more.

  3. Support Staff 3 Posted by Robert Wagner on 13 Apr, 2017 08:39 AM

    Hi Hanna,

    Ah I see, you have a proxy configured in Internet Explorer (hence the error in IE). But since curl (without proxy parameters) works, a proxyless connection works. For some reason the "No Proxy" option is not bypassing your IE Proxy. I will have to check up on that when everyone is back at work, which won't be before Tue (Australian time).

    However, try adding the octopus server address to the list of addresses to bypass in your IE proxy configuration.

    Robert W

  4. 4 Posted by Hanna on 13 Apr, 2017 12:46 PM

    Hi Robert,

    We have auto-detected proxy settings, but I tried to change IE proxy manually and nothing has changed. The same error in IE.

    Thank you. Looking forward to the results.

  5. Support Staff 5 Posted by Robert Wagner on 18 Apr, 2017 10:27 AM

    Hi Hanna,

    Could you tell me more about your network configuration please? Should a proxy be required? If so, what kind of proxy (SOCKS/HTTP/etc)? If not, try disabling the proxy altogether in IE.

    Did you try to bypass the server address in the IE Settings?

    Could you try the --noproxy option with curl? It could be picking up proxy details from the environment details.

    Does the firewall only allow outgoing connections for certain processes?

    Robert W

  6. 6 Posted by Hanna on 19 Apr, 2017 07:26 AM

    Hi Robert,
    Thank you for the reply.

    To tell the truth, I don't know much about the network configuration. I just know that a proxy is required and auto-configured, therefore I can't just change the settings in IE for a long time to solve it, because they should be generated automatically (by the way, I mentioned in the previous message that, unfortunately, it didn't solve this problem).
    As we know, the port 10943 is open for all connections.

  7. Support Staff 7 Posted by Robert Wagner on 19 Apr, 2017 09:14 AM

    Hi Hanna,

    Did you try the --noproxy option with curl?

    An alternative is setting up the tentacles to talk via WebSockets, which may be more proxy friendly. The idea is that you talk back to the Octopus Server on port 443.

    Robert W

  8. 8 Posted by Hanna on 20 Apr, 2017 03:17 PM

    Hi Robert,

    I tried the following commands:

    curl --noproxy '*' https://your-octopus:10943 -k
    curl --noproxy '*' https://your-octopus:10943
    
    In the case without the -k parameter, I got the following error:
    curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT
    (0x80090325) - The certificate chain was issued by an authority that is not trusted.
    
    I'll try to use WebSockets and I'll notify you about the results. Thank you.

  9. 9 Posted by Hanna on 21 Apr, 2017 11:31 AM

    Hi Robert,

    I'm trying to configure Octopus server with WebSockets. But on the following command

    .\Octopus.Server.exe configure --instance OctopusServer --commsListenWebSocket https://+:443/OctopusComms
    
    I got the error:
    Unrecognized command line arguments:  --commsListenWebSocket https://+:443/OctopusComms
    
    Octopus server version - 3.4.9

  10. Support Staff 10 Posted by Robert Wagner on 24 Apr, 2017 05:34 AM

    Hi Hanna,

    Ah, sorry I didn't realise you were on an older version. The WebSockets feature got introduced in 3.12. If possible, upgrading may help as we have fixed some proxy issues since 3.4.

    So it looks like you cannot connect to the Octopus listening port using the proxy configured in IE, but bypassing it works.

    I set up a proxy in IE that does not exist and that caused my register-with command not to work. However, when I issued the following command, the register-with command worked:

    .\Tentacle.exe proxy --proxyEnable=false

    If that does not work, could you send me the commands that you are using to configure the tentacle?

    There may be a problem if you need the proxy to connect to the API, but you must bypass it to access the listening port. The reason is that octopus only allows either the use of a proxy or not. Try issuing the following command to see if that is the case (insert the WebUI URL of your site):

    curl --noproxy '*' http://your-octopus/Api -k

    Robert W
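
An added diagnostic (not part of the original thread and not Octopus code) for the situation Robert describes above: for the API URL and the communications port, it reports whether a direct TCP connection works and which route the .NET system (IE) proxy settings would choose. The `your-octopus` host name is the thread's placeholder, and `Test-OctopusRoute` is a hypothetical helper name.

```powershell
# Added diagnostic, not Octopus tooling. Host name and URLs are placeholders
# taken from the thread; replace them with your own server address.
$targets = @(
    [Uri]'http://your-octopus/api',      # Web UI / API endpoint
    [Uri]'https://your-octopus:10943/'   # server communications port
)

function Test-OctopusRoute {
    param([Uri]$Uri)

    # Raw TCP connect with no proxy involved (what the telnet test measured).
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Uri.Host, $Uri.Port)
        $direct = $tcp.Connected
    } catch {
        $direct = $false
    } finally {
        $tcp.Close()
    }

    # Route .NET picks from the system (IE) proxy settings, including
    # auto-detected or PAC-script configuration.
    $proxy    = [System.Net.WebRequest]::GetSystemWebProxy()
    $bypassed = $proxy.IsBypassed($Uri)
    $hop      = if ($bypassed) { 'direct' } else { $proxy.GetProxy($Uri).AbsoluteUri }

    [pscustomobject]@{
        Target        = $Uri.AbsoluteUri
        DirectTcpOpen = $direct
        SystemRoute   = $hop
    }
}

$results = $targets | ForEach-Object { Test-OctopusRoute $_ }
$results | Format-Table -AutoSize

# Flag the case from the thread: the port answers directly, but .NET clients
# using the IE settings would still be sent through the proxy.
foreach ($r in $results) {
    if ($r.DirectTcpOpen -and $r.SystemRoute -ne 'direct') {
        Write-Warning "$($r.Target) is reachable directly but the system proxy routes it via $($r.SystemRoute)"
    }
}
```

Run it under the account the Tentacle service uses, because IE proxy settings are stored per user.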

  11. 11 Posted by Hanna on 26 Apr, 2017 01:58 PM

    Hi Robert,

    We've upgraded Octopus server to the latest version. After it I tried to configure Tentacle with the following commands, but I've got the same error (403 Forbidden) in command prompt on the last command:

    .\Tentacle create-instance --instance=InstanceName --config=E:\Octopus\Tentacle.config
    .\Tentacle configure --instance=InstanceName --home=E:\Octopus\InstanceName --noListen=true
    .\Tentacle register-with --instance=InstanceName --server=http://our-server-address/octopus --apiKey=OurAPIKey --environment=EnvironmentName --role=role1 --role=role2 --role=role3
    .\Tentacle proxy --instance=InstanceName --proxyEnable=false
    .\Tentacle service --instance=InstanceName --install
    .\Tentacle poll-server --instance=InstanceName --server=http://our-server-address/octopus/ --apiKey=OurAPIKey
    

    The curl command that you mentioned in the previous message returns JSON for the Octopus server.

  12. 12 Posted by Hanna on 26 Apr, 2017 02:35 PM

    Hi Robert,

    By the way, I tried to use WebSockets, but with the following command:

    .\Tentacle.exe register-with --instance InstanceName --server "https://our-server-address"  --server-web-socket "wss://our-server-address:443/OctopusComms" --comms-style TentacleActive --apikey "our-API-key" --environment "EnvironmentName" --role "role1" --role "role2" --role "role3"
    
    and I've got the following error:
    Checking connectivity on the server web socket address wss://our-server-address/OctopusComms...
    -------------------------------------------------------------------------------
    Error: The remote server returned an error: (503) Server Unavailable.
    -------------------------------------------------------------------------------
    Full error details are available in the log files.
    At: E:\Octopus\InstanceName\Logs
    ===============================================================================
    The remote server returned an error: (503) Server Unavailable.
    System.Net.WebException
       at System.Net.HttpWebRequest.GetResponse()
       at Octopus.Tentacle.Communications.OctopusServerChecker.<>c_DisplayClass2_0.<CheckServerCommunicationsIsOpen>b_1() in OctopusServerChecker.cs:line 70
       at Octopus.Tentacle.Communications.OctopusServerChecker.Retry(Action action, Int32 retryCount, TimeSpan initalDelay, Double backOffFactor) in OctopusServerChecker.cs:line 93
       at Octopus.Tentacle.Communications.OctopusServerChecker.CheckServerCommunicationsIsOpen(Uri serverAddress, IWebProxy proxyOverride) in OctopusServerChecker.cs:line 74
       at Octopus.Tentacle.Commands.RegisterMachineCommand.StartAsync in RegisterMachineCommand.cs:line 95
       at Octopus.Tentacle.Commands.RegisterMachineCommand.Start() in RegisterMachineCommand.cs:line 72
       at Octopus.Shared.Startup.AbstractCommand.Octopus.Shared.Startup.ICommand.Start(String[] commandLineArguments, ICommandRuntime commandRuntime, OptionSet commonOptions, String displayName, String version, String informationalVersion, String[] environmentInformation, String instanceName) in AbstractCommand.cs:line 78
       at Octopus.Shared.Startup.OctopusProgram.Start(ICommandRuntime commandRuntime) in OctopusProgram.cs:line 252
       at Octopus.Shared.Startup.ConsoleHost.Run(Action`1 start, Action shutdown) in ConsoleHost.cs:line 77
       at Octopus.Shared.Startup.OctopusProgram.Run() in OctopusProgram.cs:line 101
    
  13. Support Staff 13 Posted by Robert Wagner on 26 Apr, 2017 09:02 PM

    Hi Hanna,

    Thank you for trying that.

    Looking at the steps you are running, you do not need to issue the poll-server command; that is designed for high availability to register the second machine. The register-with command you are running registers the machine as a listening tentacle, so if that succeeds, does the tentacle appear on the server? If you want a polling tentacle, use the --comms-style TentacleActive parameter with poll-server. See this page for example scripts.

    I'm wondering also whether the user for the API key you are using has permission to create machines.
    Could you please restart the Octopus Service service, try again and check the server log for any errors. Also look at the startup log entries, it will let you know the listening ports.

    When you issued the command, did it print "Registering the tentacle with the server at" before the 403? (This is a new message added in 3.11.) If so, that would indicate it connected to the port correctly, connected to the API and authenticated, but the user did not have the right permissions.

    If that still doesn't work, please send me the server log and the full output of the register-with command.

    Robert W
