ISA Server blocking NTP
All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> ISA Server blocking NTP
ISA Server blocking NTP - 22.Mar.2006 8:52:51 AM   
nodarych

 

Posts: 5
Joined: 22.Mar.2006
From: Russia
Status: offline
I have a problem with ISA Server 2004.
ISA is blocking NTP traffic, so time synchronization is impossible. OS: Windows Server 2003 SP1.

What rule should I create to solve this problem?

Please, help!

_____________________________

nodarych
Post #: 1
RE: ISA Server blocking NTP - 22.Mar.2006 3:08:07 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Nod,

What evidence do you have that the ISA firewall is blocking NTP?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to nodarych)
Post #: 2
RE: ISA Server blocking NTP - 22.Mar.2006 4:06:23 PM   
hantahipi

 

Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
Hi Tom,

I just wanted to put this in. By default the ISA Server system policy only allows NTP for the Internal network. This therefore prevents any synchronization from an external source.

Hi Nod,

The first step would be configuration of your Windows server so that it is the authoritative time server on your network. For that you have http://support.microsoft.com/kb/816042

The next step is to allow the NTP service to update from an external source (if you configured it to update from an external source as in the KB above). The following are the steps:

ISA Mgmt Console ==> servername ==> Firewall Policy. Now if you right-click the firewall policy you get Edit System Policy on the resulting drop-down. In the System Policy Editor ==> Network Services you have NTP; select NTP and on your right-hand side click Enable (the explanation on this tab is right on the spot in terms of relevance).

Then at the top go to the To tab; you have the Internal network already added, and here you add the External network. (If you want to be more specific then you would add domain name sets etc.)

Now if you run this command in cmd: w32tm /resync, then you will note that you get a successful update notification; you can also check the Event Viewer to see two successful time sync notifications.

I hope that's what you are looking for.

Thanks


(in reply to tshinder)
Post #: 3
RE: ISA Server blocking NTP - 22.Mar.2006 10:45:35 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Hanta,

thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to hantahipi)
Post #: 4
RE: ISA Server blocking NTP - 23.Mar.2006 8:53:16 AM   
nodarych

 

Posts: 5
Joined: 22.Mar.2006
From: Russia
Status: offline
Hi Tom,
quote:

What evidence do you have that the ISA firewall is blocking NTP?

I'm seeing "Denied connection" by protocol NTP (UDP) in the Logging window of ISA.

Hi Hanta,

and many thanks!

It's really working.


(in reply to tshinder)
Post #: 5
RE: ISA Server blocking NTP - 3.Jul.2007 9:50:57 AM   
SeanRinVA

 

Posts: 30
Joined: 6.Aug.2005
From: Norfolk, VA
Status: offline
Thanks for this! Unfortunately even after following your directions, on my ISA 2004 server, with the most current SP, I still get Denied Connection errors in Live Logging - by my Last Default Rule.

Denied Connection
VOA-NOR-C 7/3/2007 9:45:03 AM

Log type: Firewall service
Status:
Rule: Default rule
Source: Internal (voa-nor-f.domain.net 10.0.0.36:123)
Destination: External ( 172.16.200.1:123)
Protocol: NTP (UDP)
User:

Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 10.0.0.36
Client agent:

_____________________________

Dad o' 6.

(in reply to hantahipi)
Post #: 6
RE: ISA Server blocking NTP - 3.Jul.2007 3:14:51 PM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Have you tried adding a custom allow rule from your server(s) IP to your trusted NTP sources, now that you have enabled NTP in the system policy?

(in reply to SeanRinVA)
Post #: 7
RE: ISA Server blocking NTP - 3.Jul.2007 5:05:07 PM   
SeanRinVA

 

Posts: 30
Joined: 6.Aug.2005
From: Norfolk, VA
Status: offline
Yes, I have set up a custom rule...see below, from a previous post...

Name:          NTP Access
Action:        Allow
Protocols:     NTP (UDP)
From/Listener: NTP Server
To:            NTP (Domain Name Set, set to *.ntp.org)
Condition:     All Users

I still get the Denied - Default Rule when the DC tries to Sync time.

_____________________________

Dad o' 6.

(in reply to jmilito)
Post #: 8
RE: ISA Server blocking NTP - 4.Jul.2007 1:40:20 AM   
hantahipi

 

Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
Sean,

Have you enabled Direct Access for all computers on your internal domain? (Of course taking into account whether this is a trusted environment.)

One other thing is that this traffic is passing through ISA, and if traffic between Localhost and the Internal network is not explicitly allowed (or in your case between Localhost and the DC), then the traffic may be blocked on this count.

If you have allowed Direct Access, then enabling the System Policy rule as in the earlier write-up should work; otherwise you want to allow traffic to the Domain Name Set and Localhost.

(in reply to SeanRinVA)
Post #: 9
RE: ISA Server blocking NTP - 4.Jul.2007 5:10:56 AM   
SeanRinVA

 

Posts: 30
Joined: 6.Aug.2005
From: Norfolk, VA
Status: offline
quote:

Have you enabled direct access for all computers on your internal domain?

I do not understand what you mean here. On the DC, I installed the FW Client to try to resolve the issue.

quote:

One other thing is that this traffic is passing through ISA, and if traffic between Localhost and the Internal network is not explicitly allowed (or in your case between Localhost and the DC), then the traffic may be blocked on this count.

Just as web browsing passes through the ISA server, but my rule to allow browsing does not include Localhost in the To tab. I don't understand why I need to add Localhost to the To tab of the NTP Access rule.

_____________________________

Dad o' 6.

(in reply to hantahipi)
Post #: 10
RE: ISA Server blocking NTP - 4.Jul.2007 5:41:27 AM   
hantahipi

 

Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
To confirm that Direct Access is allowed, you'd go to ISA Mgt Console -> Server -> Configuration -> Networks and right-click the Internal.

There are two tabs here: Domains & Web Browser. If you specify your domain under the Domains tab, then clients on that domain won't need to go through ISA to connect in that domain.

The Web Browser tab brings us to the all-important Configuration Script; there is the option of "Directly access computers specified in the Domains tab" and "Directly access computers specified in the Addresses tab". But emphasis must be given here that this behavior will ONLY be enabled for computers that are able to get the Automatic Configuration Script from ISA, so make sure that Autodiscovery (one of the tabs too) is enabled and working.

Query: is ISA a member of your domain?

(in reply to SeanRinVA)
Post #: 11
RE: ISA Server blocking NTP - 4.Jul.2007 10:01:40 AM   
SeanRinVA

 

Posts: 30
Joined: 6.Aug.2005
From: Norfolk, VA
Status: offline
quote:

ORIGINAL: hantahipi

To confirm that Direct Access is allowed, you'd go to ISA Mgt Console -> Server -> Configuration -> Networks and right-click the Internal.

There are two tabs here: Domains & Web Browser. If you specify your domain under the Domains tab, then clients on that domain won't need to go through ISA to connect in that domain.

The Web Browser tab brings us to the all-important Configuration Script; there is the option of "Directly access computers specified in the Domains tab" and "Directly access computers specified in the Addresses tab". But emphasis must be given here that this behavior will ONLY be enabled for computers that are able to get the Automatic Configuration Script from ISA, so make sure that Autodiscovery (one of the tabs too) is enabled and working.

Domains & Web Browser tabs were set as you recommended.

I've verified that the DC is using the Auto Config. settings and can browse the internet.

I added Localhost to the To tab on the NTP Access rule.

I'm still getting the Denied Connection - Default Rule error in Live Logging.

quote:

ORIGINAL: hantahipi
Query: is ISA a member of your domain?

Yes, the ISA server is a Domain Member.

_____________________________

Dad o' 6.

(in reply to hantahipi)
Post #: 12
RE: ISA Server blocking NTP - 5.Jul.2007 12:34:47 AM   
hantahipi

 

Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
I would ask that you confirm the peer that you put in your registry edit (NTPServer): is it the same as the domain name you are allowing? You want to actually check this.

I would also advise that for testing you first relax the rule: i.e., in the System Policy edit, on the To tab, add the External network as opposed to a domain name set.

This is supposed to work without even the use of the access rule.

But just in case it doesn't, then on the access rule you should allow NTP (UDP) from NTP Server to External (as opposed to a domain name set) for All Users.


(in reply to SeanRinVA)
Post #: 13
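A triage helper for the deny entry in post #6, the access rule in post #8 and the "check that the peer matches the allowed name" advice in post #13, added here as an example and not part of the thread: it parses an ISA-style Denied Connection entry, then checks whether the logged destination and the configured w32tm peer actually fall inside the rule's domain name set. The log text and the peer value are constructed samples; the function names are my own.

```python
import fnmatch
import re

# Constructed sample in the shape of the "Denied Connection" entry quoted in
# post #6 of this thread (host names and addresses are the ones shown there).
ISA_DENY_LOG = """Denied Connection
VOA-NOR-C 7/3/2007 9:45:03 AM
Log type: Firewall service
Rule: Default rule
Source: Internal (voa-nor-f.domain.net 10.0.0.36:123)
Destination: External ( 172.16.200.1:123)
Protocol: NTP (UDP)
"""
# The access rule from post #8, reduced to the fields the check needs.
NTP_RULE = {"Name": "NTP Access", "Protocols": "NTP (UDP)", "To": ["*.ntp.org"]}
# Hypothetical w32tm peer list value (the NTPServer registry value); constructed.
W32TM_PEER = "172.16.200.1,0x1"


def parse_isa_deny(text):
    """Extract rule, protocol and destination from one ISA firewall log entry."""
    fields = dict(re.findall(r"^(\w[\w ]*?):\s*(.*)$", text, re.M))
    # "External ( 172.16.200.1:123)" or "Internal (host.name 10.0.0.36:123)"
    m = re.search(r"\(\s*(?:([\w.-]+)\s+)?([\d.]+):(\d+)\)", fields.get("Destination", ""))
    return {
        "rule": fields.get("Rule", ""),
        "protocol": fields.get("Protocol", ""),
        "dst_name": m.group(1) if m else None,
        "dst_ip": m.group(2) if m else None,
        "dst_port": int(m.group(3)) if m else None,
    }


def covered_by_set(target, patterns):
    """True when a host name or IP matches one of the domain name set entries."""
    return any(fnmatch.fnmatchcase(target.lower(), p.lower()) for p in patterns)


def triage(log_text, rule, peer_setting):
    """Report why an NTP deny probably happened, following post #13's advice."""
    entry = parse_isa_deny(log_text)
    peer_host = peer_setting.split(",")[0].strip()   # drop the ",0x1" flag
    target = entry["dst_name"] or entry["dst_ip"] or ""
    findings = []
    if entry["rule"].lower() == "default rule" and entry["protocol"].startswith("NTP"):
        findings.append("NTP fell through to the Default rule: no allow rule matched")
    if not covered_by_set(target, rule["To"]):
        findings.append("destination %s is outside the rule's To set %s" % (target, rule["To"]))
    if not covered_by_set(peer_host, rule["To"]):
        findings.append("w32tm peer %s is not in the allowed names %s" % (peer_host, rule["To"]))
    return entry, findings
```

With the page's values the helper reports all three findings: the peer is a bare IP, so a rule whose To set is *.ntp.org can never cover it, which is exactly the mismatch post #13 asks to rule out before relaxing the rule to the External network.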