Domain Time II
Version 5.2

Auto-Manage Windows Firewall Settings


How to use Domain Time's auto-management of Windows Firewall settings.

Be sure to read the "Prepare your network to pass the necessary traffic" section of the Planning page.

    As of Version 5.2.b.20150828, Domain Time supports automatic management of the Windows Firewall to allow access to the required time protocol and control ports. In prior versions, the administrator either needed to use the DTCheck utility to open the necessary ports, or needed to manage the firewall manually.

    Only the built-in Windows Firewall is supported. If you are using a third-party firewall, you must open the needed ports yourself and should not use Domain Time's automatic firewall management.

    Note: The Windows Firewall can be controlled by Group Policies. Changes made by Domain Time to a firewall managed by Group Policies will either fail, or only last until the next time Group Policies are applied, depending on the operating system and your settings.

    Necessary Ports
    Various services and time protocols require certain ports to be open to operate correctly.

    • Server needs to have its listening ports opened to allow clients (either Domain Time or other clients) to obtain the time, and for monitoring and auditing purposes. Server ports include 9909 UDP and 9909 TCP for the DT2 protocol, 123 UDP for the NTP protocol, a TCP port (normally 80) for DT2-HTTP, 13 UDP and 13 TCP for the Daytime protocol, and 37 UDP and 37 TCP for the TIME/ITP protocol.

    • Client needs to have ports 9909 UDP and 9909 TCP opened for monitoring and auditing purposes, and 123 UDP open for NTP broadcast reception or ntpq-style querying.

    • Both Server and Client need ports 319 UDP and 320 UDP opened if they are deriving time using IEEE-1588 Precision Time Protocol (PTP) as a time source. Additionally, if the Service Status Monitor is being used, Server and Client need ports 9911 UDP and 9911 TCP opened for remote access to Service Status Monitor.

    • Audit Server needs to have port 9910 TCP opened for Real-Time Alert sharing (the DTAlert program), and for communication between an active Audit Server and a stand-by Audit Server.

      Only three ports used by Domain Time are user-configurable; the others are governed by RFCs or convention, and cannot be changed. The configurable ports are:

      • Real-Time Alert Sharing, used by Audit Server, normally 9910 (TCP only)
      • Service Status Monitor, used by Client and Server, normally 9911 (UDP, TCP, or both)
      • DT2-HTTP, used by Server to serve DT2-HTTP, normally 80 (TCP only)

      If automatic management of the Windows Firewall is enabled, and you change any of these ports (or are already using non-standard ports), then Domain Time will make sure the firewall rule matches the port you are using. The change in the firewall happens when you make the change in Domain Time. If you are not letting Domain Time manage the Windows Firewall, you will have to adjust the firewall rules yourself. Note that this dynamic management will only create rules if they don't already exist, or update the port numbers if the rules do exist. Dynamic management will not change any other aspects of the rules.

     
    Firewall Rules and Profiles
    The Windows Firewall service must be running (but need not be enabled) in order for Domain Time to check or change rules. If automatic management of the Windows Firewall is enabled, Domain Time will check at service startup to ensure the needed rules are present. If the rules already exist, Domain Time will not change them (other than to correct port numbers if wrong).

      When a Domain Time service creates a firewall rule on XP or 2003, it will enable it for both the Standard and Domain profiles, regardless of which one is currently in use.

      When a Domain Time service creates a firewall rule on Vista or above, it will enable it for the Private profile, and, if the machine is a domain member, for the Domain profile as well.

      If a rule already exists, Domain Time services do not change that rule's profile, enabled/disabled status, or other rule settings, such as interface restrictions. This allows you to let Domain Time create the rules for you, then fine-tune them yourself without further interference from Domain Time. For example, you could disable the rules for the ports you don't need or want shared, change the profile to which the rule applies, add IP range restrictions, etc.

      Note: Domain Time will never change ICMP echo (ping) firewall settings. Ping is required for some operations that use TCP, or for Manager to install, upgrade, remove, or control remote machines. Ping is also required for Client or Server to send Real-Time Alerts (Status Reports) to Audit Server when using TCP. If your firewall blocks ICMP echo, you must allow it if you desire these functions.

      Domain Time services record all firewall change activity in a text file called DTFirewall.log in the System32 folder.

      Firewall Rule Names
      These are the names used by Domain Time II for its firewall rules. If you have used DTCheck from an earlier version to open the firewall, the old names will be replaced by the names below:

        Rule Name                                Component           Default Port/Address
        Domain Time II DT2-UDP                   Client or Server    always 9909 UDP
        Domain Time II DT2-TCP                   Client or Server    always 9909 TCP
        Domain Time II PTPv2-Event               Client or Server    always 319 UDP
        Domain Time II PTPv2-General             Client or Server    always 320 UDP
        Domain Time II NTP                       Client or Server    always 123 UDP
        Domain Time II Daytime-UDP               Server only         always 13 UDP
        Domain Time II Daytime-TCP               Server only         always 13 TCP
        Domain Time II TIME/ITP-UDP              Server only         always 37 UDP
        Domain Time II TIME/ITP-TCP              Server only         always 37 TCP
        Domain Time II Status Monitor-UDP        Client or Server    defaults to 9911 UDP
        Domain Time II Status Monitor-TCP        Client or Server    defaults to 9911 TCP
        Domain Time II Real-Time Alert Sharing   Audit Server only   defaults to 9910 TCP
        Domain Time II DT2-HTTP                  Server only         defaults to 80 TCP
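As an added example (not part of the Domain Time documentation or product), the PowerShell script below audits the rules listed in the table above against the ports in the "Necessary Ports" section: it reports which rules are present, whether they are enabled, which profiles they apply to, and whether the port filter matches, and it flags any rule exposed on the Public profile (which Domain Time itself never selects). It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later); the three parameters for the user-configurable ports are names chosen here, not Domain Time settings.

```powershell
# Added audit script, not Domain Time code. Reads firewall state only; no changes are made.
# Assumes Get-NetFirewallRule / Get-NetFirewallPortFilter (NetSecurity module, Win8/2012+).
param(
    [int]$StatusMonitorPort = 9911,   # user-configurable in Client/Server (assumed parameter name)
    [int]$AlertSharingPort  = 9910,   # user-configurable in Audit Server (assumed parameter name)
    [int]$Dt2HttpPort       = 80      # user-configurable in Server (assumed parameter name)
)

# Rule display name -> expected (protocol, local port), taken from the "Firewall Rule Names" table.
$expected = [ordered]@{
    'Domain Time II DT2-UDP'                 = @('UDP', 9909)
    'Domain Time II DT2-TCP'                 = @('TCP', 9909)
    'Domain Time II PTPv2-Event'             = @('UDP', 319)
    'Domain Time II PTPv2-General'           = @('UDP', 320)
    'Domain Time II NTP'                     = @('UDP', 123)
    'Domain Time II Daytime-UDP'             = @('UDP', 13)
    'Domain Time II Daytime-TCP'             = @('TCP', 13)
    'Domain Time II TIME/ITP-UDP'            = @('UDP', 37)
    'Domain Time II TIME/ITP-TCP'            = @('TCP', 37)
    'Domain Time II Status Monitor-UDP'      = @('UDP', $StatusMonitorPort)
    'Domain Time II Status Monitor-TCP'      = @('TCP', $StatusMonitorPort)
    'Domain Time II Real-Time Alert Sharing' = @('TCP', $AlertSharingPort)
    'Domain Time II DT2-HTTP'                = @('TCP', $Dt2HttpPort)
}

foreach ($name in $expected.Keys) {
    $proto, $port = $expected[$name]
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $rule) {
        # Absent is normal for components not installed on this machine
        # (e.g. the Daytime rules on a Client-only install).
        "{0,-40} absent" -f $name
        continue
    }
    $filter = $rule | Get-NetFirewallPortFilter
    # LocalPort may be a string or an array; compare as text.
    $portOk = ($filter.Protocol -eq $proto) -and ("$($filter.LocalPort)" -eq "$port")
    $state  = if ($rule.Enabled -eq 'True') { 'enabled' } else { 'DISABLED' }
    $ports  = if ($portOk) { 'port ok' }
              else { "PORT MISMATCH (found $($filter.Protocol)/$($filter.LocalPort))" }
    # Domain Time only enables Private/Domain (or Standard/Domain on XP/2003);
    # a Public or Any profile means someone widened the rule by hand.
    $public = if ("$($rule.Profile)" -match 'Public|Any') { 'PUBLIC PROFILE' } else { '' }
    "{0,-40} {1,-8} {2,-16} {3} {4}" -f $name, $state, "$($rule.Profile)", $ports, $public
}
```

Run it with the actual non-standard ports if you have changed any of the three configurable ones, e.g. `.\audit-dt2-firewall.ps1 -StatusMonitorPort 9921`, so the comparison reflects your configuration rather than the defaults.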
     

    Firewall Settings on Specific Domain Time II Components

    The Setup utility
    You may use the Setup utility to enable or disable the Auto-Manage Windows Firewall function on components when you install or upgrade them.

      The Auto-Manage Windows Firewall checkbox defaults to checked. This is a tri-state checkbox (checked, unchecked, indeterminate). Click the box multiple times to cycle through the options.

      When installing or upgrading Client or Server:

      • If checked, Client or Server will automatically manage the Windows Firewall, regardless of prior settings.

      • If unchecked, Client or Server will not automatically manage the Windows Firewall, regardless of prior settings.

      • If indeterminate, Client or Server's firewall management will not be changed. Note that on new installs, Client and Server default to not managing the Windows Firewall.

      When installing or upgrading the Management Tools:

      • If checked, Manager's default setting for installs, upgrades, or reset configurations will be to "Force Auto-Manage Windows Firewall" on its Remote Computer Operation dialog. In addition, if Audit Server is installed, the "Auto-Manage Windows Firewall" setting for Alert Sharing will be enabled.

      • If unchecked, the default Remote Computer Operation setting in Manager will not be set to "Force Auto-Manage Windows Firewall". The Audit Server firewall management setting for Alert Sharing will also be disabled.

      • If indeterminate, Manager's default setting will be unchanged. If you are upgrading from a previous version of Manager that does not have firewall management settings, then Manager (and Audit Server, if installed) will default to checked.
     

    Domain Time II Client and Server
    Client and Server both have the ability to auto-manage the Windows Firewall for their respective necessary ports.

      The Auto-Manage Windows Firewall checkbox appears on the Network\Security property page of the applet. This is a binary checkbox (checked or unchecked). The default is unchecked, unless you have used a customized template that specifies otherwise, or have pushed the installation from Manager and specified that you want firewall management enabled.

      • If checked, Client or Server will automatically manage the Windows Firewall.

      • If unchecked, Client or Server will not touch the Windows Firewall.
     

    Domain Time II Manager
    Domain Time II Manager has the ability to enable or disable the Auto-Manage Windows Firewall function on Clients or Servers it installs, upgrades, or resets configuration on remotely.

      The Force Auto-Manage Windows Firewall checkbox appears on the Remote Computer Operation dialog that is used for installing, upgrading, or resetting the configuration on other machines. This is a tri-state checkbox (checked, unchecked, indeterminate). Click the box multiple times to cycle through the options.

      When using Manager to install, upgrade, or reset configuration on Client or Server:

      • If checked, Client or Server will automatically manage the Windows Firewall, regardless of prior settings and template entries.

      • If unchecked, Client or Server will not automatically manage the Windows Firewall, regardless of prior settings and template entries.

      • If indeterminate, Client or Server's firewall management settings will be affected as follows:
        — On Installs: Client and Server default to not managing the Windows Firewall unless you are using a custom template that enables it.
        — During Upgrades: Manager will either preserve the existing Client or Server settings or override them with the settings from the selected template (as configured on the Choose Templates dialog).
        — Reset configuration: Client or Server will either be reset to their default configuration (not auto-managed) or use the settings specified in the selected template (as chosen on the Remote Computer Operation dialog).

      NOTE: Custom templates you create by exporting settings from Client or Server will contain that machine's setting for management of the Windows Firewall. The template setting is called "Auto-Manage Firewall" and can either be True or False (string). If present in the selected install/upgrade/reset template, this setting will be applied unless you tell Manager to override the setting. The default templates shipped with Domain Time do not contain the "Auto-Manage Firewall" setting; only templates you create yourself might have it.
     
    Domain Time II Audit Server
    Audit Server, if installed, has the ability to auto-manage firewall settings for its Alert Sharing and Standby-mode replication features.

      The Auto-Manage Windows Firewall checkbox for Alert Sharing is located on the Advanced Real-Time Alert Configuration dialog (found via the Manager menu - choose Audit Server -> Alerts -> Configure, then click the Advanced button). This is a binary checkbox (checked or unchecked), and controls only whether or not Audit Server should automatically manage the Windows Firewall for the Real-Time Alert sharing port (default 9910 TCP).
     

    The DTCheck Utility
    DTCheck is a command-line utility program that ships with Domain Time. By default, it is installed in the System32 folder when you install Client or Server, and is in the Manager folder when you install the management tools.

      DTCheck has two commands that affect the Windows Firewall:

    • dtcheck -firewall:close

        Deletes all Domain Time II firewall rules. There are no optional parameters.

    • dtcheck -firewall:open [optional parameter]

        Creates rules if they don't exist, enables existing rules that aren't enabled, and sets the profile(s) used.

        Optional parameters for -firewall:open are -public, -private, -domain, and -standard. (Only -domain and -standard are allowed for XP/2003; only -public, -private, and -domain are allowed for newer operating systems.) The default, if you specify no parameters, is -domain and -standard for XP/2003, and -private and -domain (if the machine is a domain member) for newer operating systems.

        Note that unlike the Domain Time services described above, DTCheck's -firewall:open forces the rules to be present, enabled, and set to the profile(s) you choose. DTCheck will also force the port numbers to match the protocols in use, including the user-configurable port numbers mentioned above.

        DTCheck's -firewall:open detects whether you have Client or Server installed, and opens only the ports needed for Client or Server. In addition, DTCheck detects if Audit Server is installed, and opens the Real-Time Alert Sharing port if needed.

        Unlike firewall management by services, DTCheck writes its results to the command window instead of to the System32\DTFirewall.log file.

Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2024 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.