Enable, allow, any request, always in Protocol Rules rather than filters though -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 1:47 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org Peter, What do you have under protocol definitions for NTP? Amy -----Original Message----- From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 12:16 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org I have a custom filter as below Filter Type: Custom IP Protocol: UDP, protocol number 17 Direction: Send Receive Local Port: Dynamic Remote Port: Fixed, port 123 Filter Applies To Local: Default IP address(s) on external interfaces Applies To Remote: All remote computers I do not know what the proper method is to verify that the time service is working correctly other than by checking the event logs for failures. At this time I am only receiving Warnings in the System Event log: w32time, error 11, NTP server did not respond. This could be a timeout issue or a problem. Not sure which. I have an unresolved open incident with Microsoft on this and will post further when and if it is resolved. -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 12:51 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org ISA 2000 SP2, SBS2003 (windows 2003) The packet that gets configured by default is detailed below in the original email. I no longer have any client with SBS2000 installed so it will be interesting to see what you have. Amy -----Original Message----- From: Peter W. Merner [mailto:pmerner@xxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 11:50 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org Amy, I am working my way through the same problem in SBS2000 with ISA sp2 (standard edition). You do have to set up a allow udp filter but how depends very likely on whether you are using ISA 2000 or ISA 2004 and possibly also on whether it is SBS2003 or SBS2000. Please come back with the details and I will give you the filter that I am using that may or may not be working at this time. -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 12:34 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org Since this is SBS that is essentially what I'm trying to do. Out of the box the usually wonderful wizards of SBS setup certain packet filters. It has done this for time however the wizard set it up using TCP. (see filter details below) Either I don't fully understand how the time sync works or the SBS wizard has it set up wrong. So is the packet filter below wrong or is it just me? I've been looking at the problem too long to trust myself. Amy -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, September 29, 2004 11:22 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Time Sync Problem http://www.ISAserver.org Hi Amy, How about creating a packet filter on the ISA firewall for NTP and configure it as the time server? http://support.microsoft.com/default.aspx?scid=kb;en-us;323621 HTH, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, September 29, 2004 10:52 AM To: [ISAserver.org Discussion List] Subject: [isalist] Time Sync Problem http://www.ISAserver.org The situation is that the client has purchase time keeping software and it will use the domain time to track when an employee punches in and out. All client computers are sync'd with the server; that part is working fine. The server is not able to sync with an external time source. On the server, I get event 38 "The time provider NtpClient cannot reach or is currently receiving invalid time data from harbor.ecn.purdue.edu (ntp.m|0x1|192.168.1.100:123->128.46.154.76:123)." ISA log shows 192.168.1.100 128.46.154.76 Udp 123 123 - BLOCKED 192.168.1.100 192.168.1.100 is the external IP address of the SBS2003 server. A DSL router does the NAT from our static IP. The time service is supposed to be allowed in the default SBS setup. ISA has a packet filter for TCP 123, receive only on all local ports, remote port is fixed 123 on the external IP address. Shouldn't this be UDP? There is a Protocol Definition for 123 UDP Send/Receive. I've been hunting everywhere except in ISA for the problem, so I've already tried various time providers, FQDN and IP, modified registry entries and applied a hot fix. Amy ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pmerner@xxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pmerner@xxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pmerner@xxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx