This Evo Tip was written for the Franklin release, much of which has been substantially changed in Garfield and later releases.
The Evolution Payroll system makes nearly exclusive use of TCP for communications, both within the service bureau and from remote sites. This document attempts to describe all port usage in the context of the overall system architecture.
The main parts of the system are shown in this diagram and described below:
TODO - We have not looked into replication yet
While researching this paper we started collecting a list of all the IP ports used by all parts of the system; that list is represented here. See the following section for further information on firewall issues.
Port | Open in firewall? | Listener | Source | Description |
---|---|---|---|---|
9901/tcp | OK | Remote Access Server | EvoRemote | Service for remote users at T1 speeds; adds SSL encryption plus minimal compression. |
9902/tcp | OK | Remote Access Server | EvoRemote | Service for remote users at DSL/Cable speeds; adds SSL encryption plus moderate compression. |
9903/tcp | OK | Remote Access Server | EvoRemote | Service for remote users at dialup speeds; adds SSL encryption plus maximum compression. |
9500/tcp | Never | Registration Daemon | EvoLocal; Remote Access Server | Evolution client/server protocol in cleartext; used by EvoLocal within a service bureau, and from the Remote Access Server. This port must not be exposed to the internet. |
9501/tcp | Never | Registration Daemon | not sure | We see that the RegDaemon is listening on this port, but don't know what it's used for. |
9502/tcp | Never | Registration Daemon | Package Servers | The (possibly multiple) Package Servers log in to the Registration Daemon and accept work assignments proxied from clients. |
9499/tcp | Outgoing only | license.isystemsllc.com | Registration Daemon | iSystems license server; the Registration Daemon connects at the start of each month to validate the licenses. If this connection is not made, the Evolution servers will shut down after a few days. |
3050/tcp | Never | Firebird database (Linux servers) | Package Servers | Standard database connections from the Package Servers to the Linux database servers. |
9450/udp (broadcast) | Never | Enterprise Controller | Deployment Service, Version Directory Service | Advertises the existence of these services to the EEC. |
9469/udp (broadcast) | Never | Package Servers | EvoADR Client Service | Notifies ADR of "Evolution Events". |
9510/tcp | Sometimes | ADR Server | ADR Client | Client-to-server ADR replication traffic. |
9550/tcp | Bad idea, but not out of the question | ADR Client and Server | ADR Client Controller, ADR Server Controller | Used to connect the controller to the service. |
The majority of the ports in the previous table should never be opened to the outside world; they are for internal use only, and exposing them would hand confidential data to unauthorized parties. In particular, opening 9500/tcp would allow unencrypted access to the entire payroll system. This must never be allowed.
The only ports that should be opened to outside access are those used by the Remote Access Server: 9901..9903/tcp. Traffic on these ports is SSL-encrypted, which is why they are the only ones intended for exposure to the outside world.
The only outbound traffic is to iSystems, on 9499/tcp, for license validation.
Note: we believe that the Registration Daemon also "phones home" to iSystems periodically to check for software updates; we don't yet know the target machine, port, or mechanism used.
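The policy above is easy to state and easy to get wrong in a firewall ruleset, so here is an added audit script (not part of the original Evo Tip and not iSystems code) that reads `iptables -n -L INPUT` / `iptables -n -L OUTPUT` style output and checks it against the port table: internal-only ports accepted from outside RFC 1918 space, listeners the table does not document, a non-DROP default policy, and the 9499/tcp license rule allowed to more than a single host. The rule text and the 203.0.113.10 address standing in for license.isystemsllc.com are constructed for the example; the RFC 1918 definition of "internal" is an assumption to adjust for your own service bureau.

```python
"""Audit iptables INPUT/OUTPUT chains against the Evolution port policy."""
import ipaddress
import re

# Policy distilled from the port table. "external" ports may be reachable
# from the internet; "internal" ports may only be accepted from the service
# bureau's own address space. 9510/tcp is "Sometimes" in the table; it is
# treated as internal here unless ADR replication is deliberately exposed.
POLICY = {
    ("tcp", 9901): "external", ("tcp", 9902): "external", ("tcp", 9903): "external",
    ("tcp", 9500): "internal", ("tcp", 9501): "internal", ("tcp", 9502): "internal",
    ("tcp", 3050): "internal", ("udp", 9450): "internal", ("udp", 9469): "internal",
    ("tcp", 9510): "internal", ("tcp", 9550): "internal",
}
LICENSE_PORT = ("tcp", 9499)  # outbound only, to the iSystems license server

# Assumption: RFC 1918 space stands in for "inside the service bureau".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CHAIN_RE = re.compile(r"^Chain (\w+) \(policy (\w+)\)")
RULE_RE = re.compile(
    r"^(?P<target>\w+)\s+(?P<proto>tcp|udp)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r".*?dpt:(?P<port>\d+)")


def parse_chain(text):
    """Return (default policy, list of rule dicts) from `iptables -n -L` output."""
    policy, rules = None, []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            policy = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "target": m.group("target"), "proto": m.group("proto"),
                "src": ipaddress.ip_network(m.group("src")),
                "dst": ipaddress.ip_network(m.group("dst")),
                "port": int(m.group("port")),
            })
    return policy, rules


def is_internal(net):
    """True if every address in `net` lies inside one of INTERNAL_NETS."""
    return any(net.subnet_of(inner) for inner in INTERNAL_NETS)


def audit(input_chain, output_chain):
    """Compare the INPUT and OUTPUT chains against POLICY; return findings."""
    findings = []
    in_policy, in_rules = parse_chain(input_chain)
    if in_policy != "DROP":
        findings.append(f"INPUT default policy is {in_policy}, expected DROP")
    for r in in_rules:
        if r["target"] != "ACCEPT":
            continue
        kind = POLICY.get((r["proto"], r["port"]))
        if kind is None:
            findings.append(f"undocumented listener accepted: {r['proto']}/{r['port']} from {r['src']}")
        elif kind == "internal" and not is_internal(r["src"]):
            findings.append(f"internal-only port {r['proto']}/{r['port']} accepted from {r['src']}")
    _, out_rules = parse_chain(output_chain)
    for r in out_rules:
        if r["target"] == "ACCEPT" and (r["proto"], r["port"]) == LICENSE_PORT:
            if r["dst"].prefixlen != 32:  # license traffic should go to one host only
                findings.append(f"license port 9499/tcp allowed to {r['dst']}, expected a single host")
    return findings


# Constructed sample output; the second 9500 rule, the ssh rule and the
# second 9499 rule are deliberate policy violations.
SAMPLE_INPUT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9901
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9902
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9903
ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0            tcp dpt:9500
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9500
ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0            udp dpt:9450
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""
SAMPLE_OUTPUT = """\
Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            203.0.113.10         tcp dpt:9499
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9499
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INPUT, SAMPLE_OUTPUT):
        print("VIOLATION:", finding)
```

On a real server, feed the script the output of `iptables -n -L INPUT` and `iptables -n -L OUTPUT` instead of the samples. The audit only sees what the packet filter accepts; pair it with a `netstat -an` or `nmap` check of what is actually listening, since a listener on 9500/tcp bound to an external interface is a problem even before any firewall rule is considered.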
Assuming the Service Bureau's firewall is set up correctly, there is nothing that most clients need to do in order to use Evolution remotely. Depending on their security policy, however, some changes on their end may be required to make this work.
First, their network must allow outbound traffic to ports 9901..9903/tcp on the Service Bureau network. Though in practice the client will choose just one of the three connection modes (T1, DSL/Cable, Dialup), it's generally best to open the three as a set to allow maximum flexibility in the future (perhaps for testing with SB staff).
No inbound ports are ever required for Evolution use from the client network's perspective.
In addition to the network firewall issues, we've found that some client PCs run a software firewall that blocks unauthorized communications of any kind (including outbound). This generally manifests itself as a popup message indicating that Evolution.EXE is trying to communicate with the Internet; this traffic must be permitted.
This information is not produced or endorsed by iSystems, LLC.
First published: 2005/07/04