Firewall and Router Issues
Any trusted time source that provides time protocols can be used
to obtain correct time, such as systems using GPS clock cards, cesium clocks, or other time servers on the network.
Domain Time II can also obtain the time directly from Internet Time servers. Depending on the server(s) you choose, this
can be a method of obtaining fairly accurate UTC time -- usually within a half-second, and often better.
(See Public NTP/SNTP Servers for more information).
If you wish to obtain the time from an Internet Time server through a firewall, the firewall must be configured to pass the
required time protocol using the correct TCP/IP port. NTP/SNTP uses the well-known
port 123, TIME/ITP uses port 37, and the Domain Time II (DT2) protocol uses IANA-registered port 9909.
Time can also be obtained from Internet Time Servers through firewalls that have proxies
or plug gateways for the time protocols.
In addition, Domain Time II provides the unique ability to obtain time through firewalls using
existing web proxies or plug gateways using the Domain Time II over HTTP protocol on the
well-known HTTP port 80. Pass-thru gateways on port 80, and most proxies that honor immediate
page update requests, should work correctly (although accuracy can suffer somewhat if the proxy
adds significant delays to the web traffic).
Note: Because of the additional overhead and less precise latency correction, this protocol should only be used if you are unable to open your
firewall for the standard time protocols mentioned above (i.e. DT2, NTP, TIME/ITP, etc.).
Domain Time II also supports SOCKS4 proxies for the Domain Time II over HTTP protocol.
Note: Some caching web proxies may be configured so that they do not pass along the information Domain Time II requires
quickly enough for it to be used reliably, or their performance may suffer unduly under heavy traffic. Trial
and error is therefore the only way to determine whether an individual proxy is suitable.
Time can also be obtained through firewalls that have an existing Web proxy.
The Domain Time II Server and Domain Time II Clients employ sophisticated network
latency analysis and clock timing adjustment methods to ensure that both the time received
and time served are as accurate as possible on every machine on the network (an entire domain,
including remote sites over WAN links, can often be held to a variance of less than 100 milliseconds
using Domain Time II protocols).
Using Domain Time II's exclusive HTTP feature, time can be obtained through many existing web
proxies with no changes to the firewall.
Distributing time successfully within your network
Simple networks with a single subnet have very few firewall issues beyond those discussed above in obtaining time or those discussed in the
Personal firewall section below. However, more complicated network topologies with multiple subnets can present obstacles to passing the
necessary traffic to synchronize time and to pass the Domain Time II control messages used to manage the Domain Time II hierarchy.
Any routers or switches used to segment the network should be configured to pass traffic to/from the Domain Time II port 9909 UDP.
Traffic should be passed bi-directionally, since traffic may originate from any Domain Time II components to/from any subnet. Domain Time
components use Winsock standards for TCP/IP communication and thus typically use ephemeral source ports sending to fixed destination ports.
Domain Time II components also use the standard Winsock methods of host name resolution.
If you will be synchronizing using other time protocols such as NTP across routers or switches, you will need to pass those protocols as well.
See the Time Protocols page for more specific info on the various time protocols.
Broadcast Traffic
In addition to normal unicast communication, some features of Domain Time II components require port 9909 UDP broadcasts be enabled.
Broadcast traffic typically originates from an ephemeral source port sent to the broadcast address of designated subnets intended for destination
port 9909. Domain Time II components that receive the broadcast then respond via unicast from source port 9909 back to the sending IP address's
ephemeral port. This broadcast discovery process is substantially the same as the process used by DHCP, TFTP, and other standard broadcast
discovery methods.
Stateful firewalls/routers will often require additional configuration to ensure broadcast discovery operates correctly, since unlike normal
unicast UDP communication, the originating traffic is not sent to the same IP address from which the reply will come. Broadcast traffic is
sent to the address xxx.xxx.xxx.255, but the unicast replies from that subnet may come from any (or all) addresses in the range xxx.xxx.xxx.1-254.
Normal stateful firewall rules typically only open the firewall for replies from the same IP address to which the originating traffic was sent,
so even if unicast port 9909 UDP traffic is enabled and working, broadcast traffic may still fail. Most firewalls therefore have special rules that can be
applied to allow broadcasts to function correctly (such as the ip helper-address, ip directed-broadcast and ip forward-port
functions on Cisco equipment). Check with your firewall manufacturer for the correct broadcast address configuration instructions
for your particular systems.
See Working across subnets for more information on configuring Domain Time II to work across subnets.
Personal firewall configuration
Many individual machines have personal firewall products installed. These products can interfere with the proper operation of Domain Time unless they
are correctly configured. Personal firewalls should be configured to pass the same protocols as are used on the general network, in particular port 9909 UDP for the
Domain Time II time and control protocols. Any other time protocols to be used should also be enabled, such as NTP (123 UDP).
Particularly, Windows XP/2003/Vista/Win7/2008/Win8/2012 systems have a built-in firewall that needs to be configured to pass the correct protocols if it is enabled. An exemption for port
9909 UDP should be entered.
To make this change:
- Open the firewall settings configuration screen for your network connection(s). (You can usually get there by clicking on the Control Panel --> Windows Firewall icon.)
- Click the Exception tab and then click the Add Port button.
- Enter a descriptive name for the exception, enter 9909 in the Port Number field. Be sure the UDP radio button is selected.
(Figure: Setting an exception for port 9909 UDP.)
- Repeat the process for any other ports you want to exempt, such as NTP port 123 UDP.
- Enable Network Discovery via the Network and Sharing Center applet in Control Panel.
Windows operating systems running Vista or later have a network control function called Network Discovery, which controls whether or not machines
on the network are visible to each other for making network connections. Network Discovery is actually a specific combination of
services and firewall settings which are enabled or disabled by settings in the Network and Sharing Center. If present on any system
running Domain Time II components, Network Discovery must be enabled so that Domain Time II Manager and/or Audit Server can ping the
remote systems, connect to their administrative shares, and connect to their registry as necessary. You must have at least the Network Discovery
and File Sharing options enabled.
See Microsoft's "What is network discovery?" page for more info.
- Important: Restart the Firewall service or reboot the computer after making the above changes.
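The same exemptions, and the Network Discovery setting, can be created from an elevated PowerShell session instead of the Control Panel dialogs. The following script is an added example and is not part of the Domain Time II documentation or product; it uses the NetSecurity cmdlets (New-NetFirewallRule, Set-NetFirewallRule) that exist on Windows 8 / Server 2012 and later, so it does not apply to the older XP/2003/Vista/2008 systems listed above. The rule and group names, and the choice of the Domain and Private profiles, are assumptions you can change. The second rule, which admits the unicast replies to broadcast discovery described in the Broadcast Traffic section, assumes the host firewall tracks UDP by peer address; if discovery already works without it, omit it.

```powershell
# Added example, not from the Domain Time II documentation. Run elevated on
# Windows 8 / Server 2012 or later. Assumed: the machine is on a Domain or
# Private network profile; adjust $profiles for your environment.
$profiles = 'Domain, Private'
$group    = 'Domain Time II'   # assumed group name, used only to find the rules again

# Domain Time II time and control protocol: the UDP 9909 exception created by
# the Exceptions tab steps above.
New-NetFirewallRule -DisplayName 'Domain Time II (UDP 9909 in)' -Group $group `
    -Direction Inbound -Protocol UDP -LocalPort 9909 -Profile $profiles -Action Allow

# Broadcast discovery: the probe goes to x.x.x.255:9909, but the unicast replies
# come from individual hosts with source port 9909 to the sender's ephemeral port.
# A stateful match on the peer address would drop them, so match on the remote
# port instead. Assumption: your host firewall tracks UDP by peer address.
New-NetFirewallRule -DisplayName 'Domain Time II (discovery replies, remote UDP 9909)' -Group $group `
    -Direction Inbound -Protocol UDP -RemotePort 9909 -Profile $profiles -Action Allow

# NTP, if this machine also serves or is polled over NTP (UDP 123).
New-NetFirewallRule -DisplayName 'NTP (UDP 123 in)' -Group $group `
    -Direction Inbound -Protocol UDP -LocalPort 123 -Profile $profiles -Action Allow

# Network Discovery and File Sharing are predefined rule groups; enabling them is
# what the Network and Sharing Center toggles do for the firewall side.
Set-NetFirewallRule -DisplayGroup 'Network Discovery'        -Enabled True
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True

# Verify: show each rule created above together with its port filter.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    '{0,-55} {1,-8} {2,-4} local={3} remote={4}' -f $_.DisplayName, $_.Direction,
        $port.Protocol, $port.LocalPort, $port.RemotePort
}
```

Rules created with New-NetFirewallRule take effect immediately, so the service restart the GUI procedure calls for is not needed for them; re-running the script creates duplicate rules, so remove the group first (Remove-NetFirewallRule -Group $group) if you need to start over.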
Allowing remote control/installation or other advanced features
Domain Time II offers the ability to remotely install/upgrade/remove or remotely control Domain Time components on other systems. This is done
either from the command-line on certain utilities or by using programs such as Domain Time II Manager. Other Domain Time II programs such as
Audit Server have the ability to perform advanced features like remote log collection, adding machines that synchronize with Domain Time II
servers to the Audit List automatically, etc.
These features require additional network access beyond the communication over port 9909 UDP described above. In general, these functions require
the following three functions to work correctly across subnets:
- Ping
All machines must respond to ping requests. Firewalls must pass ICMP echo traffic.
- File System and Remote Registry access
Machines such as Domain Time II Manager or Audit Server must be able to connect to administrative shares
and read/write files through that share using Windows Networking via NetBIOS over TCP/IP (NetBT). These programs must also connect
to the Remote Registry service running on the remote systems using NetBT. NetBT uses the following ports:
- UDP port 137 (name services)
- UDP port 138 (datagram services)
- TCP port 139 (session services)
For security purposes, we recommend you restrict firewall access through these ports to traffic originating from/replying to the specific
Domain Time II Manager and/or Audit Server machines only.
See KB 2001.728 from our knowledgebase for more detailed information on the necessary access for
remote control/advanced feature operation.
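One way to grant exactly the access listed above while following the recommendation to restrict it to the Manager and Audit Server machines is to scope the host-firewall rules on each managed system to those addresses. The script below is an added example, not part of the Domain Time II documentation or the knowledgebase article; the management addresses in $managers are hypothetical placeholders, and the cmdlets require an elevated session on Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the Domain Time II documentation. Applies on a managed
# machine; run elevated on Windows 8 / Server 2012 or later.
# Hypothetical addresses of the Domain Time II Manager and Audit Server hosts;
# replace with your own.
$managers = @('10.0.0.10', '10.0.0.11')
$group    = 'Domain Time II management'   # assumed group name for the rules below

# 1. Ping: ICMPv4 echo request (type 8), accepted only from the management hosts.
New-NetFirewallRule -DisplayName 'DT2 management: ICMP echo' -Group $group `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $managers -Action Allow

# 2. NetBIOS over TCP/IP (NetBT) for administrative shares and Remote Registry,
#    limited to the same source addresses.
$netbt = @(
    @{ Name = 'DT2 management: NetBT name service (UDP 137)';     Protocol = 'UDP'; Port = 137 },
    @{ Name = 'DT2 management: NetBT datagram service (UDP 138)'; Protocol = 'UDP'; Port = 138 },
    @{ Name = 'DT2 management: NetBT session service (TCP 139)';  Protocol = 'TCP'; Port = 139 }
)
foreach ($r in $netbt) {
    New-NetFirewallRule -DisplayName $r.Name -Group $group -Direction Inbound `
        -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $managers -Action Allow
}

# Verify the scope: every rule in the group should list only the management addresses.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    '{0,-52} remote={1}' -f $_.DisplayName, ($addr.RemoteAddress -join ', ')
}
```

From a Manager host, Test-NetConnection -ComputerName <managed host> -Port 139 confirms the session-service port is reachable, and the same command from a machine that is not in $managers should fail, which is the check that the scoping actually holds.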
Useful links
Microsoft TCP/IP Host Name Resolution Order
TCP/IP Client (Ephemeral) Ports and Client/Server Application Port Use
Broadcasts And The IP Helper-Address Command
Cisco Broadcast Helper Addresses