In addition to the packet filter that you have you will need to edit the registry to be able to sync with an external source. An long excerpt from an even longer KB article: Configuring the Windows Time service to use an external time source To configure an internal time server to synchronize with an external time source, follow these steps: Change the server type to NTP. To do this, follow these steps: Click Start, click Run, type regedit, and then click OK. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ Type In the right pane, right-click Type, and then click Modify. In Edit Value, type NTP in the Value data box, and then click OK. Set AnnounceFlags to 5. To do this, follow these steps: Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\Anno unceFlags In the right pane, right-click AnnounceFlags, and then click Modify. In Edit DWORD Value, type 5 in the Value data box, and then click OK. Enable NTPServer. To do this, follow these steps: Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvide rs\NtpServer\Enabled In the right pane, right-click Enabled, and then click Modify. In Edit DWORD Value, type 1 in the Value data box, and then click OK. Specify the time sources. To do this, follow these steps: Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ NtpServer In the right pane, right-click NtpServer, and then click Modify. In Edit Value, type Peers in the Value data box, and then click OK. Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes made in step 5 will not take effect. Select the poll interval. To do this, follow these steps: Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvide rs\NtpClient\SpecialPollInterval In the right pane, right-click SpecialPollInterval, and then click Modify. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK. Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 384. This value configures the Time Server to poll every 15 minutes. Configure the time correction settings. To do this, follow these steps: Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxP osPhaseCorrection In the right pane, right-click MaxPosPhaseCorrection, and then click Modify. In Edit DWORD Value, select Decimal in the Base box. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK. Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxN egPhaseCorrection In the right pane, right-click MaxNegPhaseCorrection, and then click Modify. In Edit DWORD Value, select Decimal in the Basebox. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK. Note TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend upon the poll interval, network condition, and external time source. Amy -----Original Message----- From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 1:14 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: SOLVED! RE: Time Sync Problem http://www.ISAserver.org Gather you have a working ntp now. Does it differ from mine, maybe I should copy whatever works for you. -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 1:54 PM To: [ISAserver.org Discussion List] Subject: [isalist] SOLVED! RE: Time Sync Problem http://www.ISAserver.org Problem solved. The packet filter installed by the SBS/ISA wizard at set up is wrong. Now, to whom do I report this error at Microsoft and is there a prize? Amy -----Original Message----- From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 12:16 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org I have a custom filter as below Filter Type: Custom IP Protocol: UDP, protocol number 17 Direction: Send Receive Local Port: Dynamic Remote Port: Fixed, port 123 Filter Applies To Local: Default IP address(s) on external interfaces Applies To Remote: All remote computers I do not know what the proper method is to verify that the time service is working correctly other than by checking the event logs for failures. At this time I am only receiving Warnings in the System Event log: w32time, error 11, NTP server did not respond. This could be a timeout issue or a problem. Not sure which. I have an unresolved open incident with Microsoft on this and will post further when and if it is resolved. -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 12:51 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org ISA 2000 SP2, SBS2003 (windows 2003) The packet that gets configured by default is detailed below in the original email. I no longer have any client with SBS2000 installed so it will be interesting to see what you have. Amy -----Original Message----- From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 11:50 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org Amy, I am working my way through the same problem in SBS2000 with ISA sp2 (standard edition). You do have to set up a allow udp filter but how depends very likely on whether you are using ISA 2000 or ISA 2004 and possibly also on whether it is SBS2003 or SBS2000. Please come back with the details and I will give you the filter that I am using that may or may not be working at this time. -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 12:34 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org Since this is SBS that is essentially what I'm trying to do. Out of the box the usually wonderful wizards of SBS setup certain packet filters. It has done this for time however the wizard set it up using TCP. (see filter details below) Either I don't fully understand how the time sync works or the SBS wizard has it set up wrong. So is the packet filter below wrong or is it just me? I've been looking at the problem too long to trust myself. Amy -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, September 29, 2004 11:22 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org Hi Amy, How about creating a packet filter on the ISA firewall for NTP and configure it as the time server? http://support.microsoft.com/default.aspx?scid=kb;en-us;323621 HTH, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 10:52 AM To: [ISAserver.org Discussion List] Subject: [isalist] Time Sync Problem http://www.ISAserver.org The situation is that the client has purchase time keeping software and it will use the domain time to track when an employee punches in and out. All client computers are sync'd with the server; that part is working fine. The server is not able to sync with an external time source. On the server, I get event 38 "The time provider NtpClient cannot reach or is currently receiving invalid time data from harbor.ecn.purdue.edu (ntp.m|0x1|192.168.1.100:123->128.46.154.76:123)." ISA log shows 192.168.1.100 128.46.154.76 Udp 123 123 - BLOCKED 192.168.1.100 192.168.1.100 is the external IP address of the SBS2003 server. A DSL router does the NAT from our static IP. The time service is supposed to be allowed in the default SBS setup. ISA has a packet filter for TCP 123, receive only on all local ports, remote port is fixed 123 on the external IP address. Shouldn't this be UDP? There is a Protocol Definition for 123 UDP Send/Receive. I've been hunting everywhere except in ISA for the problem, so I've already tried various time providers, FQDN and IP, modified registry entries and applied a hot fix. Amy ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pmerner@xxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pmerner@xxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pmerner@xxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx