Nolio Agent showing unexpected outbound connections on Port 88 (Kerberos) or Dynatrace endpoints

Article ID: 439367

Products

  • CA Release Automation - Release Operations Center (Nolio)
  • CA Release Automation - DataManagement Server (Nolio)

Issue/Introduction

Security monitoring tools (such as Microsoft Defender for Endpoint) flag the CA Release Automation (Nolio) Agent for initiating unexpected outbound traffic. Observed behaviors include:

  • Outbound connections to external or internal IP addresses on TCP Port 88 (Kerberos).
  • Communication with Dynatrace endpoints.
  • Traffic originates from the NolioAgent process (e.g., /opt/nolio/jre/bin/NolioAgent).

Environment

  • Operating System: Linux / Windows
  • Application: CA Release Automation (Nolio) Agent (6.8.*, 6.9.*, 6.10.*)
  • Third-Party Software: Dynatrace OneAgent

Cause

The outbound communication is not initiated by the Nolio Agent's native application logic. Instead, it is caused by a third-party APM (Application Performance Management) agent, e.g., Dynatrace OneAgent, that has been injected into the Nolio Agent's Java Virtual Machine (JVM).

When the monitoring agent is active within the Nolio process:

  1. It periodically connects to its own management server (Dynatrace Controller) to report metrics.
  2. If the environment is configured for domain authentication, these connections may trigger Kerberos authentication requests on Port 88 via the OS networking stack.

 

Example for Dynatrace OneAgent:

- The following Linux command

    lsof | grep -i 'Nolio' | grep -i 'Dynatrace'

  returns Dynatrace OneAgent files, indicating that OneAgent is injected into the NolioAgent Java process.

- In /var/lib/dynatrace/oneagent/agent/config/deployment.conf, the following line indicates that Auto Injection is enabled:

    AutoInjectionDisabled=false

- In /var/lib/dynatrace/oneagent/agent/config/ruxitagentproc.conf, the agent monitoring mode is defined:

    [General]
    ...
    agentMonitoringMode FULL

  or

    agentMonitoringMode CLOUD_INFRASTRUCTURE_MONITORING

Resolution

This behavior is expected in environments where the Nolio Agent is being monitored by an APM solution. To resolve the security flags, perform the following:

  1. Identify Injected Agents: Verify the Nolio Agent startup parameters or environment variables for signs of APM injection (e.g., -agentpath or ruxitagent).
  2. Verify Monitoring Mode: If using Dynatrace, check the agentMonitoringMode in ruxitagentproc.conf. Modes like FULL or CLOUD_INFRASTRUCTURE_MONITORING will result in different traffic patterns.
  3. Cross-Reference Security Logs: Check system-level logs (e.g., /var/log/secure or journalctl -u sssd) to confirm if Port 88 traffic is related to standard system Kerberos ticket requests.
  4. Consult Internal Teams: Confirm with your internal APM or Security teams that monitoring is intentionally enabled for the Nolio Agent servers.
  5. Exemption/Allow-listing: Once confirmed as legitimate APM traffic, work with your security team to allow-list these specific outbound patterns from the Nolio process to the known monitoring endpoints.
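
The OneAgent checks from the Cause section and Resolution steps 1 and 2 can be collected in one pass when triaging an alert. The script below is an added example, not Broadcom or Dynatrace code: the function names are hypothetical, the configuration paths are the ones quoted in this article, and it assumes a Linux host where reading /proc/<pid>/maps (used here in place of lsof) is permitted, typically as root.

```shell
#!/bin/sh
# Added triage sketch; function names are hypothetical, paths are the article's.
DT_CONF_DIR="${DT_CONF_DIR:-/var/lib/dynatrace/oneagent/agent/config}"

# Print enabled|disabled|unknown from the AutoInjectionDisabled line of deployment.conf.
auto_injection_state() {
    v=$(sed -n 's/^[[:space:]]*AutoInjectionDisabled[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1 | tr 'A-Z' 'a-z')
    case "$v" in
        false) echo enabled ;;
        true)  echo disabled ;;
        *)     echo unknown ;;
    esac
}

# Print the agentMonitoringMode value found in the [General] section, or "unknown".
monitoring_mode() {
    [ -r "$1" ] || { echo unknown; return 0; }
    awk '/^\[/ { in_general = ($0 ~ /^\[General\]/) }
         in_general && $1 == "agentMonitoringMode" { mode = $2 }
         END { print (mode == "" ? "unknown" : mode) }' "$1"
}

# Print each distinct mapped file whose path mentions Dynatrace/ruxit/OneAgent.
# Input is a file in /proc/<pid>/maps format (pathname in column 6).
injected_libs() {
    [ -r "$1" ] || return 0
    awk 'tolower($6) ~ /dynatrace|ruxit|oneagent/ && !seen[$6]++ { print $6 }' "$1"
}

triage() {
    echo "auto-injection:  $(auto_injection_state "$DT_CONF_DIR/deployment.conf")"
    echo "monitoring mode: $(monitoring_mode "$DT_CONF_DIR/ruxitagentproc.conf")"
    for pid in $(pgrep -f NolioAgent); do
        libs=$(injected_libs "/proc/$pid/maps")
        if [ -n "$libs" ]; then
            echo "pid $pid: OneAgent libraries mapped into the JVM:"
            echo "$libs" | sed 's/^/  /'
        else
            echo "pid $pid: no OneAgent libraries mapped"
        fi
    done
}

# Run only when asked, e.g.: sudo sh nolio_apm_triage.sh run
if [ "${1:-}" = "run" ]; then triage; fi
```

A NolioAgent PID with no OneAgent libraries mapped means the flagged traffic is not explained by injection on that host and should be investigated further before any allow-listing.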