
This Evo Tip was written for the Franklin release, much of which has been substantially changed in Garfield and later releases.

The Evolution Payroll system makes nearly exclusive use of TCP for communications, both internally and from remote clients. This document attempts to describe all port usage in the context of the overall system architecture.

The main parts of the system are shown in this diagram and described below:

[Evolution Network block diagram]
Registration Daemon

This is the "traffic cop" in the center of the entire system; it receives client connections and hands off work to the package servers. It's responsible for maintaining licenses of all kinds, both locally and by "phoning home" to the iSystems servers once a month. A single Evolution system can have only one Registration Daemon.

The protocol used between clients and the Registration Daemon is a line-oriented text protocol, with virtually everything except the login password sent in cleartext. This protocol is entirely unsuitable for transmission over the internet.

Service Bureau clients running EvoLocal connect to the Registration Daemon directly, because the local LAN is assumed to be trusted. External users connect to Evolution indirectly via the Remote Access Servers.

Remote Access Server

This program accepts connections from remote clients and handles all encryption and compression before passing the cleartext traffic to the Registration Daemon. As far as the RegDaemon is concerned, the RAS is just another Evolution client.

An Evolution installation can have more than one Remote Access Server feeding one Registration Daemon, though this does require giving different IP addresses to customers, so it may not be productive. The RAS can live on a different computer than the Registration Daemon, and though this does offload the compression and encryption load from the RD's CPU, it also increases the network traffic.

Package Servers

The Package Servers do the real work in the Evolution system, and they receive their instructions from the Registration Daemon, which has proxied them from clients. A Package Server runs one worker thread per CPU, and requests of all types queue up serially waiting for them. An Evolution installation can benefit greatly from having plenty of Package Servers on multiple computers (though each computer can run only one Package Server).

The connect.ini file provides the access information for the database files; though it can be managed by the Registration Daemon (in the DB Config tab), it is the Package Servers that use it. No other part of Evolution talks to the databases.

When a Package Server starts, it makes a connection to the Registration Daemon and announces itself with a special codeword. To protect against rogue package servers, the Registration Daemon must recognize the codeword before it will pass any work off to the Package Server.

Evolution Remote and Local

This is the Evolution.exe program employed by all users, whether remote clients or service-bureau staff. Ultimately it's talking strictly with the Registration Daemon, though it may employ the Remote Access Server to add a level of encryption and compression when used over the insecure internet.

Though it's possible to use RAS from within a service bureau, it's really pointless to add the extra overhead for no real benefit.

Firebird Database Servers

Evolution stores its data in the Firebird (formerly "Interbase") SQL-based database management system, and this is typically done on one or more Linux computers (though Windows machines can host Firebird, it's not recommended).

Each payroll client (with possibly multiple companies) is stored in a physically separate database file, and the system administrators can split the load across multiple database servers.

TODO - We have not looked into replication yet

Summary of TCP and UDP Port Usage

While researching this paper we started collecting a list of all the IP ports used by all parts of the system; that list is represented here. See the following section for further information on firewall issues.

| Port | Open in firewall | Listener | Source | Description |
|---|---|---|---|---|
| 9901/tcp | OK | Remote Access Server | EvoRemote | Service for remote users at T1 speeds; adds SSL encryption plus minimal compression. |
| 9902/tcp | OK | Remote Access Server | EvoRemote | Service for remote users at DSL/Cable speeds; adds SSL encryption plus moderate compression. |
| 9903/tcp | OK | Remote Access Server | EvoRemote | Service for remote users at dialup speeds; adds SSL encryption plus maximum compression. |
| 9500/tcp | Never | Registration Daemon | EvoLocal; Remote Access Server | Evolution client/server protocol in cleartext; used by EvoLocal within a service bureau, and from the Remote Access Server. This port should not be exposed to the internet. |
| 9501/tcp | Never | Registration Daemon | not sure | We see that the RegDaemon is listening on this port, but don't know what it's used for. |
| 9502/tcp | Never | Registration Daemon | Package Servers | The (possibly multiple) Package Servers log in to the Registration Daemon and accept work assignments proxied from clients. |
| 9499/tcp | Outgoing only | Registration Daemon | iSystems License server | Makes a connection at the start of each month to validate the licenses. If this connection is not made, the Evolution servers will shut down after a few days. |
| 3050/tcp | Never | Firebird database (Linux servers) | Package Servers | These are standard database connections to the Linux database servers from the Package Servers. |
|  | Never | Enterprise Controller | Deployment Service, Version Directory Service | Advertises the existence of these services to the EEC. |
|  | Never | Package Servers | EvoADR Client Service | Notifies ADR of "Evolution Events". |
| 9510/tcp | Sometimes | ADR Server | ADR Client | Client-to-server ADR replication traffic. |
| 9550/tcp | Bad idea, but not out of the question | ADR Client and Server | ADR Client Controller, ADR Server Controller | Used to connect the controller to the service. |

Service Bureau Firewall Considerations

The majority of the ports in the previous table should not be opened to the outside world; they are for internal use only and would expose confidential data to unauthorized parties. In particular, opening 9500/tcp would allow unencrypted access to the entire payroll system. This must never be allowed.

The only ports that should be opened to outside access are those used by the Remote Access Server: 9901..9903/tcp. Traffic on these ports is encrypted and safe for exposure to the outside world.

The only outbound traffic is to iSystems for the purposes of licensure validation.

Note: we believe that the Registration Daemon also "phones home" to iSystems periodically to check for software updates; we don't yet know the target machine, port, or mechanism used.

Evolution Remote Firewall Considerations

Assuming the Service Bureau's firewall is set up correctly, there is nothing that most clients need to do in order to use Evolution remotely. But depending on their security policy, some changes on their end may be required to make this function.

First, their network must allow outbound traffic to ports 9901..9903/tcp on the Service Bureau network. Though in practice the client will choose just one of the three connection modes (T1, DSL/Cable, Dialup), it's generally best to open the three as a set to allow maximum flexibility in the future (perhaps for testing with SB staff).

No inbound ports are ever required for Evolution use from the client network's perspective.

In addition to the network firewall issues, we've found that some client PCs run a software firewall that prohibits unauthorized communications of any kind (including outbound). Generally this manifests itself with some kind of popup message that indicates that Evolution.EXE is trying to communicate with the Internet; this traffic must be permitted.
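As an added example (not part of this Evo Tip and not iSystems code), the following Python script turns the port table above into a policy and audits a simplified firewall rule list against it from both perspectives covered here: the service bureau (only 9901..9903/tcp reachable from outside, 9500/tcp and the other internal ports never, outbound 9499/tcp permitted so licensing keeps working) and the remote client (outbound 9901..9903/tcp only, no inbound rules needed). The Rule class, the status labels, and the sample rule sets are constructed for this example and do not correspond to any real firewall product's syntax.

```python
"""Audit a firewall rule list against the Evolution port usage described above.

Added example, not part of the original Evo Tip and not iSystems code. The
port policy is transcribed from the page's table; the Rule format and the
sample rule sets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Exposure policy per Evolution port, transcribed from the page's table.
#   "ok"          - may be exposed to the internet (RAS ports, SSL-encrypted)
#   "never"       - internal only; exposing it leaks cleartext or database access
#   "outgoing"    - only outbound connections from the service bureau
#   "sometimes"   - open only when ADR replication crosses the firewall
#   "discouraged" - the page calls this "bad idea, but not out of the question"
EVOLUTION_PORTS: Dict[int, Tuple[str, str]] = {
    9901: ("ok", "Remote Access Server, T1 mode"),
    9902: ("ok", "Remote Access Server, DSL/Cable mode"),
    9903: ("ok", "Remote Access Server, dialup mode"),
    9500: ("never", "Registration Daemon cleartext client protocol"),
    9501: ("never", "Registration Daemon, purpose unknown"),
    9502: ("never", "Registration Daemon package-server login"),
    9499: ("outgoing", "iSystems license server"),
    3050: ("never", "Firebird database"),
    9510: ("sometimes", "ADR client-to-server replication"),
    9550: ("discouraged", "ADR controller-to-service connection"),
}

RAS_PORTS: Set[int] = {9901, 9902, 9903}


@dataclass(frozen=True)
class Rule:
    """One simplified firewall rule (constructed format, not a vendor syntax)."""
    direction: str  # "in": traffic arriving at this network; "out": traffic leaving it
    port: int       # TCP destination port
    remote: str     # "internet" or "lan": where the far end of the connection is
    action: str     # "allow" or "deny"


def _allowed_ports(rules: List[Rule], direction: str, remote: str) -> Set[int]:
    """Destination ports explicitly allowed for the given direction and far end."""
    return {r.port for r in rules
            if r.direction == direction and r.remote == remote and r.action == "allow"}


def audit_service_bureau(rules: List[Rule]) -> List[str]:
    """Findings for the service bureau side: what is reachable from the internet."""
    findings = []
    exposed = _allowed_ports(rules, "in", "internet")
    for port in sorted(exposed):
        status, desc = EVOLUTION_PORTS.get(port, ("unknown", "not an Evolution port"))
        if status == "never":
            findings.append(f"CRITICAL {port}/tcp: {desc} reachable from the internet")
        elif status == "discouraged":
            findings.append(f"WARNING {port}/tcp: {desc} exposed; the tip calls this a bad idea")
        elif status == "sometimes":
            findings.append(f"INFO {port}/tcp: {desc} exposed; confirm replication needs it")
    for port in sorted(RAS_PORTS - exposed):
        findings.append(f"NOTE {port}/tcp: RAS mode not opened; remote users in that mode cannot connect")
    # Outbound: the monthly license check must get out, or the servers shut down.
    if 9499 not in _allowed_ports(rules, "out", "internet"):
        findings.append("CRITICAL 9499/tcp: outbound license validation to iSystems is blocked")
    return findings


def audit_client(rules: List[Rule]) -> List[str]:
    """Findings for a remote client's network: it only needs outbound 9901..9903."""
    findings = []
    outbound = _allowed_ports(rules, "out", "internet")
    for port in sorted(RAS_PORTS - outbound):
        findings.append(f"BLOCKED {port}/tcp: outbound to the service bureau not permitted")
    for port in sorted(_allowed_ports(rules, "in", "internet") & set(EVOLUTION_PORTS)):
        findings.append(f"UNNEEDED {port}/tcp: inbound rule; Evolution never needs inbound ports at the client")
    return findings


# Constructed sample rule sets (not taken from any real site).
BAD_SERVICE_BUREAU = [
    Rule("in", 9901, "internet", "allow"),
    Rule("in", 9500, "internet", "allow"),   # the mistake the tip warns about
    Rule("in", 9500, "lan", "allow"),        # fine: EvoLocal on the trusted LAN
    Rule("out", 9499, "internet", "allow"),
]
GOOD_SERVICE_BUREAU = [
    Rule("in", p, "internet", "allow") for p in sorted(RAS_PORTS)
] + [Rule("in", 9500, "lan", "allow"), Rule("out", 9499, "internet", "allow")]

if __name__ == "__main__":
    for name, rules in (("bad", BAD_SERVICE_BUREAU), ("good", GOOD_SERVICE_BUREAU)):
        print(name, audit_service_bureau(rules) or ["clean"])
```

Running the script reports the exposed 9500/tcp in the "bad" rule set as CRITICAL and notes the two unopened RAS modes, while the "good" set audits clean; the same policy dictionary can be reused for the client-side check, where the only findings worth raising are a missing outbound RAS port or an inbound rule that Evolution never needs.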

This information is not produced or endorsed by iSystems, LLC.

First published: 2005/07/04