RE: Time Sync Problem
- From: "Peter W. Merner" <pmerner@xxxxxxxxxxxxx>
- To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 29 Sep 2004 13:15:45 -0400
I have a custom filter as below
Filter Type: Custom
IP Protocol: UDP, protocol number 17
Direction: Send Receive
Local Port: Dynamic
Remote Port: Fixed, port 123
Filter Applies To Local: Default IP address(s) on external interfaces
Applies To Remote: All remote computers
I do not know what the proper method is to verify that the time service is
working correctly other than by checking the event logs for failures. At
this time I am only receiving Warnings in the System Event log: w32time,
error 11, NTP server did not respond. This could be a timeout issue or a
problem. Not sure which. I have an unresolved open incident with Microsoft
on this and will post further when and if it is resolved.
-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 29, 2004 12:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Time Sync Problem
http://www.ISAserver.org
ISA 2000 SP2, SBS2003 (windows 2003)
The packet that gets configured by default is detailed below in the
original email. I no longer have any client with SBS2000 installed so it
will be interesting to see what you have.
Amy
-----Original Message-----
From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx]
Sent: Wednesday, September 29, 2004 11:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Time Sync Problem
http://www.ISAserver.org
Amy, I am working my way through the same problem in SBS2000 with ISA
sp2
(standard edition). You do have to set up a allow udp filter but how
depends
very likely on whether you are using ISA 2000 or ISA 2004 and possibly
also
on whether it is SBS2003 or SBS2000. Please come back with the details
and I
will give you the filter that I am using that may or may not be working
at
this time.
-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 29, 2004 12:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Time Sync Problem
http://www.ISAserver.org
Since this is SBS that is essentially what I'm trying to do. Out of the
box the usually wonderful wizards of SBS setup certain packet filters.
It has done this for time however the wizard set it up using TCP. (see
filter details below) Either I don't fully understand how the time sync
works or the SBS wizard has it set up wrong. So is the packet filter
below wrong or is it just me? I've been looking at the problem too long
to trust myself.
Amy
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, September 29, 2004 11:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Time Sync Problem
http://www.ISAserver.org
Hi Amy,
How about creating a packet filter on the ISA firewall for NTP and
configure it as the time server?
http://support.microsoft.com/default.aspx?scid=kb;en-us;323621
HTH,
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 29, 2004 10:52 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Time Sync Problem
http://www.ISAserver.org
The situation is that the client has purchase time keeping software and
it will use the domain time to track when an employee punches in and
out. All client computers are sync'd with the server; that part is
working fine. The server is not able to sync with an external time
source.
On the server, I get event 38
"The time provider NtpClient cannot reach or is currently receiving
invalid time data from harbor.ecn.purdue.edu
(ntp.m|0x1|192.168.1.100:123->128.46.154.76:123)."
ISA log shows
192.168.1.100 128.46.154.76 Udp 123 123 - BLOCKED
192.168.1.100
192.168.1.100 is the external IP address of the SBS2003 server. A DSL
router does the NAT from our static IP.
The time service is supposed to be allowed in the default SBS setup. ISA
has a packet filter for TCP 123, receive only on all local ports, remote
port is fixed 123 on the external IP address. Shouldn't this be UDP?
There is a Protocol Definition for 123 UDP Send/Receive.
I've been hunting everywhere except in ISA for the problem, so I've
already tried various time providers, FQDN and IP, modified registry
entries and applied a hot fix.
Amy
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
pmerner@xxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
pmerner@xxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
