Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
Hi Tom,
I just wanted to put this in. By default, ISA Server system policy only allows NTP for the Internal network. This therefore prevents any synchronization from an external source.
Hi Nod,
The first step would be configuration of your Windows server so that it is the authoritative time server on your network. For that you have http://support.microsoft.com/kb/816042
The next step is to allow the NTP service to update from an external source (if you configured it to update from an external source as in the KB above). The following are the steps:
ISA Mgmt Console ==> servername ==> Firewall Policy. Now if you right-click the firewall policy you get Edit System Policy on the resulting drop-down. On the system policy editor ==> Network Services you have NTP; select NTP and on your right-hand side click Enable (the explanation on this tab is right on the spot in terms of relevance).
Then at the top go to the To tab; you have the Internal network already added, now here you add the External network. (If you want to be more specific then you would add domain name sets etc.)
Now if you run this command on cmd: w32tm /resync, then you will note that you will get a successful update notification; you can also check the event viewer to see two successful time sync notifications.
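The checks behind the steps above, as an added PowerShell example that is not part of the original post: it reads the W32Time settings that KB 816042 has you set in the registry (Type and NtpServer), forces the w32tm /resync the post describes, and then lists the W32Time events written since, so you see the success notifications or the failure event without opening Event Viewer. It assumes it is run as an administrator on the Windows time server in Windows PowerShell (Get-EventLog is not available in PowerShell 7), and the peer name shown in the comment is a placeholder.

```powershell
# Added example (not from the forum thread): verify the local Windows Time
# configuration from KB 816042, force a resync, and read back the W32Time
# events the post says to look for in Event Viewer.
# Assumes: run as an administrator on the time server; w32tm.exe is present;
# Windows PowerShell (Get-EventLog reads the classic System log).

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$cfg = Get-ItemProperty -Path $params

Write-Host "Type      : $($cfg.Type)"       # 'NTP' when syncing from an external source
Write-Host "NtpServer : $($cfg.NtpServer)"  # e.g. 'ntp.example.net,0x1' (placeholder)

if ($cfg.Type -ne 'NTP') {
    Write-Warning "Type is '$($cfg.Type)'; KB 816042 sets it to NTP for an external source."
}
if ([string]::IsNullOrEmpty($cfg.NtpServer)) {
    Write-Warning 'NtpServer is empty; no external peer is configured.'
}

# NtpServer holds space-separated peers of the form 'host,flags'; the flags
# suffix is optional, so keep only the host part for reporting.
$peers = $cfg.NtpServer -split '\s+' | Where-Object { $_ } | ForEach-Object { ($_ -split ',')[0] }
Write-Host "Configured peers: $($peers -join ', ')"
# These hosts are what the System Policy 'To' tab must cover (External
# network, or a domain name set containing them) for UDP 123 to leave ISA.

# Force the resync from the post and keep the exit code.
$before = Get-Date
$output = & w32tm.exe /resync 2>&1
Write-Host ($output -join "`n")
if ($LASTEXITCODE -ne 0) {
    Write-Warning "w32tm /resync returned $LASTEXITCODE; check ISA live logging for denied UDP 123 traffic from Local Host."
}

# Show the W32Time events logged since the resync: the two success
# notifications the post mentions, or the failure event if the peer is blocked.
Get-EventLog -LogName System -Source W32Time -After $before |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EntryType, EventID,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -AutoSize
```

Run it once before and once after enabling the NTP system policy rule; a non-zero exit code together with a W32Time warning event but no success event points at the firewall rather than at the time service itself.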
Posts: 30
Joined: 6.Aug.2005
From: Norfolk, VA
Status: offline
Thanks for this! Unfortunately even after following your directions, on my ISA 2004 server, with the most current SP, I still get Denied Connection errors in Live Logging - by my Last Default Rule.
Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
Sean,
Have you enabled direct access for all computers on your internal domain? (of course taking into account if this is a trusted environment)
One other thing is that this traffic is passing through ISA, and if traffic between localhost and the internal network is not explicitly allowed (or in your case between localhost and the DC), then the traffic may be blocked on this count.
If you have allowed Direct Access, then enabling the System Policy rule as in the earlier write-up should work; otherwise you want to allow traffic to the Domain Name Set and Localhost.
Posts: 30
Joined: 6.Aug.2005
From: Norfolk, VA
Status: offline
quote:
Have you enabled direct access for all computers on your internal domain?
I do not understand what you mean here. On the DC, I installed the FW Client to try to resolve the issue.
quote:
One other thing is that this traffic is passing through ISA, and if traffic between localhost and internal network is not explicitly allowed (or in your case btn localhost and DC), then the traffic may be blocked on this count.
Just as web browsing passes through the ISA server, but my rule to allow browsing does not include localhost in the To tab. I don't understand why I need to add localhost to the To tab of the NTP Access rule.
Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
To confirm that Direct Access is allowed, you'd go to ISA Mgt Console -> Server -> Configuration -> Networks and right-click the Internal network.
There are two tabs here: Domains and Web Browser. If you specify your domain under the Domains tab, then clients on that domain won't need to go through ISA to connect in that domain.
The Web Browser tab brings us to the all-important Configuration Script; there is the option of "Directly access computers specified in the Domains tab" and "Directly access computers specified in the Addresses tab". But emphasis must be given here that this behavior will ONLY be enabled for computers that are able to get the Automatic Configuration Script from ISA, therefore make sure that Autodiscovery (one of the tabs too) is enabled and working.
Posts: 30
Joined: 6.Aug.2005
From: Norfolk, VA
Status: offline
quote:
ORIGINAL: hantahipi
To confirm that Direct Access is allowed, you'd go to ISA Mgt Console -> Server -> Configuration -> Networks and right-click the Internal network.
There are two tabs here: Domains and Web Browser. If you specify your domain under the Domains tab, then clients on that domain won't need to go through ISA to connect in that domain.
The Web Browser tab brings us to the all-important Configuration Script; there is the option of "Directly access computers specified in the Domains tab" and "Directly access computers specified in the Addresses tab". But emphasis must be given here that this behavior will ONLY be enabled for computers that are able to get the Automatic Configuration Script from ISA, therefore make sure that Autodiscovery (one of the tabs too) is enabled and working.
Domains & Web Browser tabs were set as you recommended.
I've verified that the DC is using the Auto Config. settings and can browse the internet.
I added Localhost to the TO tab on the NTP Access Rule.
I'm still getting the Denied Connection - Default Rule error in Live Logging.
quote:
ORIGINAL: hantahipi
Query, is ISA a member of your domain?
Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
I would ask that you affirm the peer that you put in your registry edit NtpServer: is it the same as the domain name you are allowing? You want to actually check this.
I would also advise that for testing, you first relax the rule: i.e. in the System Policy edit To tab, add the External network as opposed to a domain name set.
This is supposed to work without even the use of the access rule.
But just in case it doesn't, then on the access rule you should allow NTP (UDP) from NTP Server To External (as opposed to a domain name set) for All Users.
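The first check in the reply above (does the NtpServer peer actually match the name the firewall allows?) as an added PowerShell example, not code from the thread: it pulls the peer list from the W32Time registry key and tests each host against the entries of the domain name set used on the System Policy To tab, so a typo or a bare IP address shows up before you relax the rule to the whole External network. The domain name set entries are constructed sample values typed into the script (replace them with your own); the only assumption about ISA is that a domain name set entry is either an exact host name or a "*." wildcard, which is how the Domain Name Set editor accepts them.

```powershell
# Added example (not from the forum thread): cross-check the NtpServer peer(s)
# against the entries of the ISA domain name set allowed on the System Policy
# 'To' tab. Assumes: run on the ISA / Windows Time server; $domainNameSet
# is copied by hand from the Domain Name Set in the ISA console.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$ntpServer = (Get-ItemProperty -Path $params).NtpServer

# Constructed sample values standing in for the real domain name set.
# ISA accepts exact names and '*.' wildcards in a domain name set.
$domainNameSet = @('*.pool.ntp.org', 'time.example.net')

function Test-PeerAllowed {
    param([string]$Peer, [string[]]$Entries)
    foreach ($entry in $Entries) {
        if ($entry.StartsWith('*.')) {
            # '*.example.com' covers 'a.example.com' (and deeper labels),
            # but not the bare 'example.com'; -like is case-insensitive.
            if ($Peer -like $entry) { return $true }
        }
        elseif ($Peer -eq $entry) { return $true }
    }
    return $false
}

# NtpServer is space-separated 'host,flags'; drop the optional flags suffix.
$peers = $ntpServer -split '\s+' | Where-Object { $_ } | ForEach-Object { ($_ -split ',')[0] }
if (-not $peers) {
    Write-Warning 'NtpServer is empty; configure a peer first (KB 816042).'
    return
}

foreach ($peer in $peers) {
    if ($peer -match '^\d{1,3}(\.\d{1,3}){3}$') {
        # A domain name set is keyed by name, so a peer entered as an IP
        # address needs a separate look: allow it by address (a computer set)
        # or use the External network for the test, as the reply suggests.
        Write-Warning "$peer is an IP address and is not matched by name; check it separately."
    }
    elseif (Test-PeerAllowed -Peer $peer -Entries $domainNameSet) {
        Write-Host "OK       $peer is covered by the domain name set"
    }
    else {
        Write-Warning "$peer is not covered by the domain name set; the System Policy rule will not match and the Default rule denies UDP 123."
    }
}
```

If every peer reports OK and Live Logging still shows the Default rule denying the traffic, the mismatch is not the peer name, and the reply's next step (allow the External network instead of the domain name set, then narrow back down) is the right test.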