11-05-2018 03:50 PM
Our firewall sees the workflow timer service hit random IPs when starting; if blocked, the service fails to start. They seem to serve no functional purpose: if blocked after the service has started, it seems to function normally.
I need to know what these are for and document the firewall requirements (IP ranges or FQDNs, ports, and the purpose of such connections) to be able to use that service, for security concerns.
I am having trouble finding such documentation or posts.
11-06-2018 04:33 AM
As Ryan pointed out some ports may be accessed by the Timer Work Tasks that the Workflow Timer Service is running. However, if you have the Workflow Timer Service Administrator application open when running the service (or if you're starting the service from the Workflow Timer Service Administrator) then there is communication between the Administrator and the Workflow Timer Service itself.
By default the port number for connections initiated from the Workflow Timer Service Administrator is 8900.
This is from the Workflow Timer Service Administrator config file (Hyland.Applications.Workflow.Timers.Admin.exe.config):
And the Workflow Timer Service's config file (Hyland.Core.Workflow.NTService.exe.config):
I suspect the 'random' ports that you are seeing are the ports for the responses to the connections initiated by the Workflow Timer Service Administrator on port 8900. You could confirm this by starting the Workflow Timer Service without the Workflow Timer Service Administrator being open.
11-06-2018 04:59 AM
Hi Andrew,
If you are seeing it hit specific IP addresses and the service won't start if they are blocked, then I am thinking that this is the Timer Service trying to verify the integrity and authenticity of the executable against Microsoft's signing servers.
I would recommend reaching out to your first line of support as they can help you in determining if this is the case as well as provide more information on the code signing process.
11-06-2018 09:35 AM
Some of the IPs I see it reaching out to when starting the service are:
8.252.36.254
23.5.251.27
8.250.235.254
8.253.133.120
8.252.68.126
Whois reveals either noanet or level3, both big companies, so those IPs could be anything. Nslookup isn't revealing their identity either.
The code signing process might make some sense, but I still need a way to prove it.
We have no external resources the timer services should be accessing that I can discern.
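One way to get the proof asked for above, as an added example that is not from this thread or from Hyland: read the revocation-check endpoints (CRL distribution points and OCSP/AIA URLs) out of the Authenticode signing chain of the service binary, resolve them, and compare the results with the IPs the firewall logged. The executable path is a placeholder you must set; the observed IP list is the one posted above.

```powershell
# Added example (not from the thread or Hyland). Extracts CRL/OCSP URLs from the
# Authenticode signing chain of a binary and checks whether they resolve to the
# addresses seen at the firewall when the service starts.
$ExePath = 'C:\PLACEHOLDER\Hyland.Core.Workflow.NTService.exe'   # placeholder, set to your install path

# Addresses observed leaving the host at service start (taken from the thread above).
$ObservedIPs = @('8.252.36.254', '23.5.251.27', '8.250.235.254', '8.253.133.120', '8.252.68.126')

$sig = Get-AuthenticodeSignature -FilePath $ExePath
if (-not $sig.SignerCertificate) {
    Write-Warning "No Authenticode signature found on $ExePath (status: $($sig.Status))"
    return
}

# Build the chain without a live revocation check; every certificate in it
# (leaf, intermediates) can carry its own CRL and OCSP URLs.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($sig.SignerCertificate)

$urls = foreach ($el in $chain.ChainElements) {
    foreach ($ext in $el.Certificate.Extensions) {
        # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP/CA issuers)
        if ($ext.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1')) {
            [regex]::Matches($ext.Format($true), 'https?://[^\s]+') | ForEach-Object { $_.Value }
        }
    }
}
$urls = $urls | Sort-Object -Unique

"Revocation endpoints in the signing chain of $ExePath"
foreach ($u in $urls) {
    $hostName = ([uri]$u).Host
    $ips = @((Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue).IPAddress)
    $hits = @($ips | Where-Object { $_ -in $ObservedIPs })
    if ($hits.Count -gt 0) { $note = "MATCHES firewall log: $($hits -join ', ')" }
    else                   { $note = "resolves to: $($ips -join ', ')" }
    '{0,-60} {1}' -f $u, $note
}
```

A match ties an observed IP to a named revocation endpoint, which is the evidence the firewall documentation needs; because these endpoints are typically served from CDNs whose addresses change, an allow-list by FQDN (or routing through a proxy) is more durable than allowing the IPs themselves.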
11-06-2018 09:52 AM
I am thinking that it is definitely the code signing verification process. At this point, go ahead and reach out to your FLOS and they can help you investigate further to confirm that.
11-06-2018 10:23 AM
Will do. My boss is now telling me he doesn't want any outbound traffic to the internet, it should only be accessible either way from our internal\partner network. So I must find a way to disable that function, we use the service primarily for collecting scanned documents.
10-30-2019 10:26 AM
When disabling internet, the services are not running, including the workflow timer service. I am suspecting we are hitting the same bug. We are on OB17 SP1.
What was the resolution in your case? And your OnBase version?