KB1001.033
Problem: Domain Time is blocked by a firewall

This article applies to Domain Time II.

Last Updated: 1 October 2014

Problem

    Domain Time may be blocked by a firewall

Details

    If you are using Domain Time to obtain the time from external time sources, you may experience problems if a firewall in place does not allow the time protocol(s) you are using to pass through.

Solution

    Open the following holes in your firewall for Domain Time to use:

    1. Ports 9909 UDP and TCP -- for use by Domain Time II protocol
    2. Port 80 TCP -- for use with the Domain Time over HTTP protocol (you may also use this protocol through a normal web proxy server without adjusting your firewall)
    3. Port 9910 TCP -- if using Domain Time Real-Time Alert Sharing
    4. Ports 9911 UDP and/or TCP -- if using Domain Time Service Status Monitor
    5. Port 123 UDP -- for use by the NTP/SNTP protocol
    6. Ports 319 and 320 UDP -- for use by the PTPv2 (IEEE 1588-2008) protocol
    7. Ports 37 UDP and/or TCP -- for use by the TIME/ITP (RFC 868) protocol (Domain Time Server only)
    8. Port 13 TCP -- for use by the Daytime (RFC 867) protocol (Domain Time Server only)

      You may also need to specify access permissions based on username. See KB1001.034 for details.

      If you are restricting access by machine IP number as well, then only Domain Time's designated Time Server (by default the domain's PDC) needs access to these ports. Other machines in the domain will retrieve the time from the Time Server directly, and do not need Internet access.

      There are no known security risks associated with opening these ports. The protocols are fairly simple, and cannot be used to gain control of or access to your protected machines.

      IMPORTANT: See the Planning page of the Domain Time II Documentation for more detailed discussion of network requirements.

    You may quickly open all relevant ports in the Windows Firewall by running the following command as Administrator from a command prompt (Version 5.2 and later):

      dtcheck /firewall:open

    NOTE: Certain versions of Windows block these ports by default regardless of whether the Windows Firewall service is running. The Windows Firewall service must be started to run the above command. If the service is disabled, you must re-enable it temporarily to run the command, then re-disable the service if you wish.
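
    Where opening every listed port is broader than needed, the rules can be created per protocol and restricted by peer address, in line with the IP restriction described above. The following PowerShell is an added example, not part of the original article or the Domain Time II software. Assumptions: the rule and group names, the inbound direction, the choice of enabled features, and the 192.0.2.0/24 placeholder range are all hypothetical and must be replaced with your own values.

```powershell
# Added example (not vendor code). Assumed: rule/group names, inbound direction,
# the feature selection and the 192.0.2.0/24 placeholder range.
# Run from an elevated PowerShell prompt (NetSecurity module, Windows 8 / Server 2012+).

# Port table transcribed from the Solution list in this article.
# Where the article says "UDP and/or TCP", both rows are listed; delete the one you do not use.
$PortTable = @(
    [pscustomobject]@{ Feature = 'DomainTimeII';  Protocol = 'UDP'; Ports = @('9909') }
    [pscustomobject]@{ Feature = 'DomainTimeII';  Protocol = 'TCP'; Ports = @('9909') }
    [pscustomobject]@{ Feature = 'HTTP';          Protocol = 'TCP'; Ports = @('80') }
    [pscustomobject]@{ Feature = 'AlertSharing';  Protocol = 'TCP'; Ports = @('9910') }
    [pscustomobject]@{ Feature = 'StatusMonitor'; Protocol = 'UDP'; Ports = @('9911') }
    [pscustomobject]@{ Feature = 'StatusMonitor'; Protocol = 'TCP'; Ports = @('9911') }
    [pscustomobject]@{ Feature = 'NTP';           Protocol = 'UDP'; Ports = @('123') }
    [pscustomobject]@{ Feature = 'PTPv2';         Protocol = 'UDP'; Ports = @('319', '320') }
    [pscustomobject]@{ Feature = 'TIME';          Protocol = 'UDP'; Ports = @('37') }
    [pscustomobject]@{ Feature = 'TIME';          Protocol = 'TCP'; Ports = @('37') }
    [pscustomobject]@{ Feature = 'Daytime';       Protocol = 'TCP'; Ports = @('13') }
)

$EnabledFeatures = @('DomainTimeII', 'NTP')      # assumption: only these protocols are in use
$AllowedPeers    = @('192.0.2.0/24')             # placeholder: addresses allowed to connect
$Group           = 'Domain Time II (scoped example)'
$Preview         = $true                         # $true = show what would be created, change nothing

foreach ($row in ($PortTable | Where-Object { $_.Feature -in $EnabledFeatures })) {
    $name = 'DT2 {0} {1}/{2}' -f $row.Feature, $row.Protocol, ($row.Ports -join ',')

    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "exists, skipped: $name"
        continue
    }

    $rule = @{
        DisplayName   = $name
        Group         = $Group
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = $row.Protocol
        LocalPort     = $row.Ports
        RemoteAddress = $AllowedPeers              # scope by peer instead of allowing any address
    }
    New-NetFirewallRule @rule -WhatIf:$Preview | Out-Null
}

# Review what the group now contains (empty while $Preview is $true).
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Format-Table DisplayName, Enabled, Direction, Action
```

    Set $Preview to $false only after the previewed rules match the protocols you actually use.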

Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2018 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.