Top of Page

 Documentation\Technical\Network\Firewall and Router Issues
    .  Obtaining time through firewalls
    .  Distributing time successfully within your network
    .  Personal firewall configuration
    .  Allowing remote control/installation or other advanced features

     

    This document requires a working knowledge of network principles and operation, as well as familiarity with configuring operating systems in a networked environment. Networks are assumed to be correctly configured with working physical layers, TCP/IP communications, name resolution via DNS and WINS, correctly configured and fully-operational Windows Networking such as proper Windows domain structures and trusts, working Active Directory, etc. Configuration of these items are beyond the scope of this document. Consult your network and/or firewall administrators for assistance as required.

    Obtaining time through firewalls


    Domain Time II can obtain the time from any trusted time source, either from the Internet or from local sources such as cesium clocks and GPS systems that provide a network time protocol. The more reliable the time source, the better. Domain Time II contains tools to help you determine the reliability of your time source - see the DT Test and NTPCheck utilities.

    Using Local Time Source
    Any trusted time source that provides time protocols can be used
    to obtain correct time, such as systems using GPS clock cards,
    cesium clocks, or other time servers on the network.

      Domain Time II can also obtain the time directly from Internet Time servers. Depending on the server(s) you choose, this can be a method of obtaining fairly accurate UTC time -- usually within a half-second, and often better. (See Public NTP/SNTP Servers for more information). If you wish to obtain the time from an Internet Time server through a firewall, the firewall must be configured to pass the required time protocol using the correct TCP/IP port. NTP/SNTP uses the well-known port 123, TIME/ITP uses port 37, and the Domain Time II (DT2) protocol uses IANA-registered port 9909.

      Using Proxy or Plug Firewall
      Time can also be obtained from Internet Time Servers through firewalls that have
      proxies or plug gateways for the time protocols.

      In addition, Domain Time II provides the unique ability to obtain time through firewalls using existing web proxies or plug gateways using the Domain Time II over HTTP protocol on the well-known HTTP port 80. Pass-thru gateways on port 80, and most proxies that honor immediate page update requests, should work correctly (although accuracy can suffer somewhat if the proxy adds significant delays to the web traffic).

      Note: Due to the additional overhead and lesser latency correction, this protocol should only be used if you are unable to open your firewall to use the standard time protocols mentioned above (i.e. DT2, NTP, TIME ITP, ect.).

      Domain Time II also supports SOCKS4 proxies for the Domain Time II over HTTP protocol.

      Note: Some caching web proxies may be configured in a manner that may not pass along the information Domain Time II requires in a timely enough manner to be used reliably, or performance may suffer unduly under heavy traffic. Thus, trial and error is the only way to determine if any individual proxy will be suitable.

      Using Proxy or Plug Firewall
      Time can also be obtained through firewalls that have an existing Web proxy.

      The Domain Time II Server and Domain Time II Clients employ sophisticated network latency analysis and clock timing adjustment methods to ensure that both the time received and time served are as accurate as possible on every machine on the network (an entire domain, including remote sites over WAN links, can often be held to an variance of less than 100 milliseconds using Domain Time II protocols).

      Using Domain Time II via HTTP protocol
      Using Domain Time II's exclusive HTTP feature, time can be obtained through
      many existing web proxies with no changes to the firewall.

       

      Distributing time successfully within your network

      Simple networks with a single subnet have very few firewall issues beyond those discussed above in obtaining time or those discussed in the Personal firewall section below. However, more complicated network topologies with multiple subnets can present obstacles to passing the necessary traffic to synchronize time and to pass the Domain Time II control messages used to manage the Domain Time II hierarchy.

      Any routers or switches used to segment the network should be configured to pass traffic to/from the Domain Time II port 9909 UDP. Traffic should be passed bi-directionally, since traffic may originate from any Domain Time II components to/from any subnet. Domain Time components use Winsock standards for TCP/IP communication and thus typically use ephemeral source ports sending to fixed destination ports. Domain Time II components also use the standard Winsock methods of host name resolution.

      If you will be synchronizing using other time protocols such as NTP across routers or switches, you will need to pass those protocols as well. See the Time Protocols page for more specific info on the various time protocols.

      Broadcast Traffic
      In addition to normal unicast communication, some features of Domain Time II components require port 9909 UDP broadcasts be enabled. Broadcast traffic typically originates from an ephemeral source port sent to the broadcast address of designated subnets intended for destination port 9909. Domain Time II components that receive the broadcast then respond via unicast from source port 9909 back to the sending IP address's ephemeral port. This broadcast discovery process is substantially the same as the process used by DHCP, TFTP, and other standard broadcast discovery methods.

      Stateful firewalls/routers will often require additional configuration to ensure broadcast discovery operates correctly, since unlike normal unicast UDP communication, the originating traffic is not sent to the same IP address from which the reply will come. Broadcast traffic is sent to the address xxx.xxx.xxx.255, but the unicast replies from that subnet may come from any (or all) addresses in the range xxx.xxx.xxx.1-254.

      Normal stateful firewall rules typically only open the firewall for replies from the same IP address to which the originating traffic was sent, so even if unicast port 9909 UDP traffic is enabled and working, broadcast traffic may still fail. Therefore, most firewalls have special rules that can be applied to allow broadcasts to function correctly, (such as ip helper-address, ip directed-broadcast and ip forward-port functions on Cisco equipment, for example). Check with your firewall manufacturer for the correct broadcast address configuration instructions for your particular systems.

      See Working across subnets for more information on configuring Domain Time II to work across subnets.

       

      Personal firewall configuration

      Many individual machines have personal firewall products installed. These products can interfere with the proper operation of Domain Time unless they are correctly configured. Personal firewalls should be configured to pass the same protocols as used on the general network, i.e. especially port 9909 UDP for Domain Time II time and control protocols. Any other time protocols to be used should also be enabled, such as NTP (123 UDP).

      Particularly, Windows XP/2003/Vista/Win7/2008/Win8/2012 systems have a built-in firewall that needs to be configured to pass the correct protocols if it is enabled. An exemption for port 9909 UDP should be entered.

      To make this change

      1. Open the firewall settings configuration screen for your network connection(s). (You can usually get there by clicking on the Control Panel --> Windows Firewall icon.)

      2. Click the Exception tab and then click the Add Port button.

      3. Enter a descriptive name for the exception, enter 9909 in the Port Number field. Be sure the UDP radio button is selected.

        Windows
        Setting an exception for port 9909 UDP.

      4. Repeat the process for any other ports you want to exempt, such as NTP port 123 UDP.

      5. Enable Network Discovery via the Network and Sharing Center applet in Control Panel.

        Windows operating systems running Vista or later have a network control function called Network Discovery, which controls whether or not machines on the network are visible to each other for making network connections. Network Discovery is actually a specific combination of services and firewall settings which are enabled or disabled by settings in the Network and Sharing Center. If present on any system running Domain Time II components, Network Discovery must be enabled so that Domain Time II Manager and/or Audit Server can ping the remote systems, connect to their administrative shares, and connect to their registry as necessary. You must have at least the Network Discovery and File Sharing options enabled.

        See Microsoft's What is network discovery? page for more info.

      6. Important: Restart the Firewall service or reboot the computer after making the above changes.

       

      Allowing remote control/installation or other advanced features

      Domain Time II offers the ability to remotely install/upgrade/remove or remotely control Domain Time components on other systems. This is done either from the command-line on certain utilities or by using programs such as Domain Time II Manager. Other Domain Time II programs such as Audit Server have the ability to perform advanced features like remote log collection, adding machines that synchronize with Domain Time II servers to the Audit List automatically, etc.

      These features require additional network access beyond the communication over port 9909 UDP described above. In general, these functions require the following three functions to work correctly across subnets:

      1. Ping
        All machines must respond to ping requests. Firewalls must pass ICMP echo traffic.

      2. File System and Remote Registry access
        Machines such as Domain Time II Manager or Audit Server must be able to connect to administrative shares and read/write files through that share using Windows Networking via NetBIOS over TCP/IP (NetBT). These programs must also connect to the Remote Registry service running on the remote systems using NetBT. NetBT uses the following ports:

        • UDP port 137 (name services)
        • UDP port 138 (datagram services)
        • TCP port 139 (session services)

        For security purposes, we recommend you restrict firewall access through these ports to traffic originating from/replying to the specific Domain Time II Manager and/or Audit Server machines only.

      See KB 2001.728 from our knowledgebase for more detailed information on the necessary access for remote control/advanced feature operation.

       

      Useful links
      Microsoft TCP/IP Host Name Resolution Order
      TCP/IP Client (Ephemeral) Ports and Client/Server Application Port Use
      Broadcasts And The IP Helper-Address Command
      Cisco Broadcast Helper Addresses

Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2018 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.