Run Agent behind firewall

From what I have read about Jenkins agents, the communications channel is from the controller to the agent. Is it possible to reverse this?

I have a controller that is contactable from the internet, but the agents are behind a NAT’ing firewall, so the controller cannot call to them; I need the agent to call to the controller.

Any advice on this would be greatly appreciated.

Hello @MarkLFT and welcome to this community :wave:

As far as I know, you’re right, communication is from the controller to the agent, and not vice-versa (at least for the SSH agent).
As for the inbound agent, it looks like it can be done the other way around, that is, launching the agent while telling it where the server lies…

Maybe I’m wrong, maybe not, you could give it a try.

You can set up a JNLP agent. Once you create one, it’ll give you a Java command to run, and that reaches out to the Jenkins controller and does the handshake. It can also use websockets if you don’t want to open up a dedicated port.

The other method is SSH client style: the controller reaches out to the agent, and then does the handshake thingie.

For the most part the controller controls the agent; the agent can’t impact the controller, for security reasons, but it’s over that dedicated channel, so you can choose which instigates it.

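The agent-initiated launch described in the replies above, as an added example that is not part of the original posts: it builds the `java -jar agent.jar` command for an inbound agent over WebSocket, after checking that the controller URL uses TLS and that the agent secret sits in an owner-only file. The function names, URL, agent name and paths are constructed for illustration; the `-url`, `-name`, `-secret @file`, `-webSocket` and `-workDir` options are assumed to match what a recent Jenkins controller shows on the agent's status page.

```sh
#!/bin/sh
# Added example (not from the thread): build the launch command for a Jenkins
# inbound agent that dials out to the controller over WebSocket.
# Function names, URL, agent name and paths are constructed for illustration.

# WebSocket mode rides on the controller's web port, so TLS there is what
# protects the agent secret in transit. Refuse anything but https.
check_controller_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "controller URL must be https://, got: $1" >&2; return 1 ;;
  esac
}

# The secret authenticates this node to the controller; keep it in a file
# readable only by its owner instead of on the command line.
check_secret_file() {
  [ -f "$1" ] || { echo "secret file not found: $1" >&2; return 1; }
  perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$perms" in
    600|400) return 0 ;;
    *) echo "secret file mode is $perms, expected 600 or 400" >&2; return 1 ;;
  esac
}

# Print the command, one argument per line, after both checks pass.
# Usage: agent_command URL AGENT_NAME SECRET_FILE WORKDIR
agent_command() {
  check_controller_url "$1" || return 1
  check_secret_file "$3" || return 1
  printf '%s\n' java -jar agent.jar -url "$1" -name "$2" \
    -secret "@$3" -webSocket -workDir "$4"
}

# Example (constructed values):
#   agent_command https://jenkins.example.com/ build-01 \
#     /home/jenkins/secret-file /home/jenkins/agent
```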