11-05-2018 03:50 PM
Our firewall sees the Workflow Timer Service hit random IPs when starting; if blocked, the service fails to start. They seem to serve no functional purpose: if blocked after the service has started, it seems to function normally.
I need to know what these are for and document the firewall requirements, IP ranges or FQDN, ports and the purpose of such connections to be able to use that service for security concerns.
I am having trouble finding such documentation or posts.
11-06-2018 04:33 AM
As Ryan pointed out some ports may be accessed by the Timer Work Tasks that the Workflow Timer Service is running. However, if you have the Workflow Timer Service Administrator application open when running the service (or if you're starting the service from the Workflow Timer Service Administrator) then there is communication between the Administrator and the Workflow Timer Service itself.
By default the port number for connections initiated from the Workflow Timer Service Administrator is 8900.
This is from the Workflow Timer Service Administrator config file (Hyland.Applications.Workflow.Timers.Admin.exe.config):
And the Workflow Timer Service's config file (Hyland.Core.Workflow.NTService.exe.config):
I suspect the 'random' ports that you are seeing are the ports for the responses to the connections initiated by the Workflow Timer Service Administrator on port 8900. You could confirm this by starting the Workflow Timer Service without the Workflow Timer Service Administrator being open.
11-05-2018 06:19 PM
There aren't necessarily any ports or firewall rules that you need to apply to the timer service itself. It really all depends on all of the locations that your different timers are going to be accessing. So, for example, if you have a timer for a DIP process, then depending on where those files are located it might be accessing that server, which could be a different IP address than the server with the service on it. On top of that, say it picks up the files and then it needs to run OCR on them and that is on another server, then that IP could be being accessed.
If anything, I would check and see what the errors show as in the Event Viewer as that might give you some more details as to what the root cause might be.
11-06-2018 10:42 AM
That is incorrect as it is now. If outbound traffic to the internet is blocked, the service will not start.
If it is a configuration somewhere, I need to find where it might be.
11-06-2018 11:19 AM
I looked at Hyland.Applications.Workflow.Timers.Admin.exe.config, it is also pointing at the local host. The section seems identical to what you posted. I do not see it referencing external resources other than the xml schema whose IP is not reached out to when starting the service. I could not find Hyland.Core.Workflow.NTService.exe.config on the server that service resides on.
The problem is it is initiating unknown traffic to the internet, and does not start when blocked. My boss wants all internet traffic blocked from the server this service is installed on.
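Added example, not part of the original thread or the vendor's documentation: one way to record which endpoints the service process contacts while it starts, separating the loopback and port 8900 Administrator traffic mentioned above from anything leaving the server. It assumes the service executable is named Hyland.Core.Workflow.NTService.exe (inferred from the config file name quoted in the thread), Windows Server 2012 or later, and an elevated PowerShell session started right after the service is started with outbound traffic temporarily allowed.

```powershell
# Assumptions (not from the vendor): executable name inferred from the config
# file name in the thread; 8900 is the Administrator port quoted in the thread.
$exeName   = 'Hyland.Core.Workflow.NTService.exe'
$adminPort = 8900
$watchSecs = 60

# Locate the running service process by the executable in its image path.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like "*$exeName*" } |
    Select-Object -First 1
if (-not $svc -or $svc.ProcessId -eq 0) {
    throw "No running service found whose path contains $exeName"
}

$seen     = @{}
$deadline = (Get-Date).AddSeconds($watchSecs)

# Poll the TCP table; short-lived startup connections are easy to miss otherwise.
while ((Get-Date) -lt $deadline) {
    Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::' } |
        ForEach-Object {
            $key = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            if (-not $seen.ContainsKey($key)) {
                $loopback = $_.RemoteAddress -in '127.0.0.1', '::1'
                $kind = if ($loopback -and
                            ($_.LocalPort -eq $adminPort -or $_.RemotePort -eq $adminPort)) {
                            'Administrator (local, port 8900)'
                        } elseif ($loopback) {
                            'Other loopback'
                        } else {
                            'Leaves this server'
                        }
                $seen[$key] = [pscustomobject]@{
                    FirstSeen     = Get-Date
                    RemoteAddress = $_.RemoteAddress
                    RemotePort    = $_.RemotePort
                    LocalPort     = $_.LocalPort
                    State         = $_.State
                    Kind          = $kind
                }
            }
        }
    Start-Sleep -Milliseconds 500
}

# Rows marked "Leaves this server" are the candidates to document or block.
$seen.Values | Sort-Object Kind, RemoteAddress | Format-Table -AutoSize
```

This only covers TCP; DNS lookups and other UDP traffic from the process will not appear in the output.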