As of Version 5.2.b.20150828, Domain Time supports automatic management of the Windows Firewall to allow
access to the required time protocol and control ports. In prior versions, the administrator either
needed to use the DTCheck utility to open the necessary ports, or needed to manage the firewall manually.
Only the built-in Windows Firewall is supported. If you are using a third-party firewall, you must open
the needed ports yourself and should not use Domain Time's automatic firewall management.
Note: The Windows Firewall can be controlled by Group Policy. Changes made by Domain Time to a firewall
managed by Group Policy will either fail, or last only until the next time Group Policy is applied,
depending on the operating system and your settings. On such machines, define the needed rules in the
Group Policy object itself rather than relying on Domain Time's automatic management.
Necessary Ports
Various services and time protocols require certain ports to be open to operate correctly.
Server needs its listening ports opened so that clients (either Domain Time or other clients)
can obtain the time, and for monitoring and auditing purposes. Server ports are:
  9909 UDP and 9909 TCP    DT2 protocol
  123 UDP                  NTP protocol
  TCP (normally 80)        DT2-HTTP
  13 UDP and 13 TCP        Daytime protocol
  37 UDP and 37 TCP        TIME/ITP protocol
Client needs ports 9909 UDP and 9909 TCP opened for monitoring and auditing purposes, and
123 UDP opened for NTP broadcast reception or ntpq-style querying.
Both Server and Client need ports 319 UDP and 320 UDP opened if they are deriving time from
the IEEE 1588 Precision Time Protocol (PTP). Additionally, if the Service Status Monitor is
being used, Server and Client need ports 9911 UDP and 9911 TCP opened for remote access to
the Service Status Monitor.
Audit Server needs port 9910 TCP opened for Real-Time Alert sharing (the DTAlert program),
and for communication between an active Audit Server and a stand-by Audit Server.
Only three ports used by Domain Time are user-configurable; the others are governed by RFCs
or convention, and cannot be changed. The configurable ports are:
Real-Time Alert Sharing, used by Audit Server, normally 9910 (TCP only)
Service Status Monitor, used by Client and Server, normally 9911 (UDP, TCP, or both)
DT2-HTTP, used by Server to serve DT2-HTTP, normally 80 (TCP only)
If automatic management of the Windows Firewall is enabled, and you change any of these
ports (or are already using non-standard ports), then Domain Time will make sure the
firewall rule matches the port you are using. The change in the firewall happens when
you make the change in Domain Time. If you are not letting Domain Time manage the
Windows Firewall, you will have to adjust the firewall rules yourself. Note that this
dynamic management will only create rules if they don't already exist, or update the
port numbers if the rules do exist. Dynamic management will not change any other aspects
of the rules.
Firewall Rules and Profiles
The Windows Firewall service must be running (the firewall itself need not be turned on for any
profile) in order for Domain Time to check or change rules. If automatic management of the Windows
Firewall is enabled, Domain Time will check at service startup to ensure the needed rules are present.
If the rules already exist, Domain Time will not change them (other than to correct port numbers if wrong).
When a Domain Time service creates a firewall rule on XP or 2003, it will enable it for
both the Standard and Domain profiles, regardless of which one is currently in use.
When a Domain Time service creates a firewall rule on Vista or above, it will enable it
for the Private profile, and, if the machine is a domain member, for the Domain profile
as well.
If a rule already exists, Domain Time services do not change that rule's profile, enabled/disabled
status, or other rule settings, such as interface restrictions. This allows you to
let Domain Time create the rules for you, then fine-tune them yourself without further
interference from Domain Time. For example, you could disable the rules for the ports you
don't need or want shared, change the profile to which a rule applies, or add IP range
restrictions. Disabling, not deleting, is the way to turn off an unwanted rule: a deleted rule
is re-created at the next service startup, whereas a disabled one is left alone.
Note: Domain Time will never change ICMP echo (ping) firewall settings. Ping is required for
some operations that use TCP, or for Manager to install, upgrade, remove, or control remote
machines. Ping is also required for Client or Server to send Real-Time Alerts (Status Reports)
to Audit Server when using TCP. If your firewall blocks ICMP echo, you must allow it if you
desire these functions.
Domain Time services record all firewall change activity in a text file called DTFirewall.log in the
System32 folder.
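The fine-tuning described above, and the ICMP echo rule that Domain Time itself never creates, as an added PowerShell example (this is not Domain Time's own code). It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, an elevated prompt, and that the placeholder addresses in the parameters are replaced with your own Manager, Audit Server and time-client networks; the function name, parameter names and the ICMP rule name are the example's own.

```powershell
# Added example; this is not Domain Time's own code. It applies the kind of
# fine-tuning described above after the service (or DTCheck) has created the
# rules: disable the legacy Daytime and TIME/ITP rules, scope the monitoring and
# audit channels to the management hosts, scope the time-serving ports to the
# networks allowed to ask for time, restrict domain members to the Domain profile,
# and add the ICMP echo rule that Domain Time never creates.
# Assumptions: Windows 8 / Server 2012 or later (NetSecurity module), an elevated
# prompt, and placeholder addresses that you replace with your own.

function Set-DomainTimeFirewallScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Component(s) installed on this machine.
        [ValidateSet('Client', 'Server', 'AuditServer')][string[]]$Role = @('Client'),
        # Placeholder: Manager, both Audit Servers (active and stand-by) and DTAlert
        # workstations. Only these peers need DT2 on a Client, Status Monitor, and Alert Sharing.
        [string[]]$ManagementHosts = @('10.0.0.10', '10.0.0.11'),
        # Placeholder: networks permitted to obtain time from a Server.
        [string[]]$TimeClientNets = @('10.0.0.0/16')
    )

    # Legacy protocols: disable, don't delete. The service re-creates a missing rule at
    # its next startup but leaves a disabled one alone.
    $legacy = @('Domain Time II Daytime-UDP', 'Domain Time II Daytime-TCP',
                'Domain Time II TIME/ITP-UDP', 'Domain Time II TIME/ITP-TCP')
    Disable-NetFirewallRule -DisplayName $legacy -ErrorAction SilentlyContinue

    # Monitoring and audit channels: management hosts only.
    $mgmtOnly = @('Domain Time II Status Monitor-UDP', 'Domain Time II Status Monitor-TCP')
    if ($Role -contains 'AuditServer') { $mgmtOnly += 'Domain Time II Real-Time Alert Sharing' }

    if ($Role -contains 'Server') {
        # On a Server, DT2 9909, NTP 123 and DT2-HTTP are how clients get time, so they
        # stay open to the time-client networks (plus the management hosts for auditing).
        $timeService = @('Domain Time II DT2-UDP', 'Domain Time II DT2-TCP',
                         'Domain Time II NTP', 'Domain Time II DT2-HTTP')
        Get-NetFirewallRule -DisplayName $timeService -ErrorAction SilentlyContinue |
            Set-NetFirewallRule -RemoteAddress ($TimeClientNets + $ManagementHosts)
    } else {
        # On a Client, DT2 9909 is used only for monitoring and auditing.
        $mgmtOnly += 'Domain Time II DT2-UDP', 'Domain Time II DT2-TCP'
    }
    Get-NetFirewallRule -DisplayName $mgmtOnly -ErrorAction SilentlyContinue |
        Set-NetFirewallRule -RemoteAddress $ManagementHosts

    # The service enables Private and Domain; a domain member needs only Domain.
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        Get-NetFirewallRule -DisplayName 'Domain Time II *' | Set-NetFirewallRule -Profile Domain
    }

    # Domain Time never touches ICMP echo, but Manager's remote install/upgrade/control and
    # TCP Real-Time Alerts require ping. The rule name below is ours, not one Domain Time creates.
    $echoPeers = $ManagementHosts
    if ($Role -contains 'AuditServer') { $echoPeers += $TimeClientNets }   # reporting machines
    $echoName = 'Domain Time peers ICMPv4 Echo (added)'
    if (-not (Get-NetFirewallRule -DisplayName $echoName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $echoName -Direction Inbound -Protocol ICMPv4 `
            -IcmpType 8 -Action Allow -RemoteAddress $echoPeers | Out-Null
    }
}

# Preview first, then apply:
#   Set-DomainTimeFirewallScope -Role Server, AuditServer -WhatIf
#   Set-DomainTimeFirewallScope -Role Server, AuditServer
```

Run it with -WhatIf first and review the planned changes. Because the changes are made outside Domain Time they do not appear in DTFirewall.log; afterwards confirm that Manager can still reach the machine and that the Audit Server still receives Real-Time Alerts. PTP (319/320 UDP) and NTP on a Client are left untouched because PTP and NTP broadcast traffic arrive from the time source rather than from the management hosts.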
Firewall Rule Names
These are the names used by Domain Time II for its firewall rules. If you have used DTCheck from
an earlier version to open the firewall, the old names will be replaced by the names below:
Rule Name                               Component           Default Port/Address
--------------------------------------  ------------------  --------------------
Domain Time II DT2-UDP                  Client or Server    always 9909 UDP
Domain Time II DT2-TCP                  Client or Server    always 9909 TCP
Domain Time II PTPv2-Event              Client or Server    always 319 UDP
Domain Time II PTPv2-General            Client or Server    always 320 UDP
Domain Time II NTP                      Client or Server    always 123 UDP
Domain Time II Daytime-UDP              Server only         always 13 UDP
Domain Time II Daytime-TCP              Server only         always 13 TCP
Domain Time II TIME/ITP-UDP             Server only         always 37 UDP
Domain Time II TIME/ITP-TCP             Server only         always 37 TCP
Domain Time II Status Monitor-UDP       Client or Server    defaults to 9911 UDP
Domain Time II Status Monitor-TCP       Client or Server    defaults to 9911 TCP
Domain Time II Real-Time Alert Sharing  Audit Server only   defaults to 9910 TCP
Domain Time II DT2-HTTP                 Server only         defaults to 80 TCP
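As an added check (this script is not part of Domain Time; it is an example written for this page), the following PowerShell audits the Windows Firewall against the rule names and ports in the table above and the port requirements listed under Necessary Ports. It requires Windows 8 / Server 2012 or later for the NetSecurity cmdlets and an elevated prompt; the function and parameter names are the example's own, and the three configurable ports are assumed to be at their defaults unless you pass other values.

```powershell
# Added example; this is not Domain Time's own code. It audits the Windows Firewall
# for the inbound rules named in the table above and reports each one as OK,
# MISSING, DISABLED, WRONG PORT, DUPLICATE, or open-but-not-needed for the
# component(s) installed here. Assumes Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated prompt; XP/2003 would need netsh instead.

function Get-DomainTimeExpectedRules {
    # The three configurable ports default as documented; pass your own values if changed.
    param([int]$StatusMonitorPort = 9911, [int]$AlertSharingPort = 9910, [int]$Dt2HttpPort = 80)

    # Name, protocol, local port, and which components need the rule (from the table above).
    $rows = @(
        ('Domain Time II DT2-UDP',                'UDP', 9909,               'Client,Server'),
        ('Domain Time II DT2-TCP',                'TCP', 9909,               'Client,Server'),
        ('Domain Time II PTPv2-Event',            'UDP', 319,                'Client,Server'),
        ('Domain Time II PTPv2-General',          'UDP', 320,                'Client,Server'),
        ('Domain Time II NTP',                    'UDP', 123,                'Client,Server'),
        ('Domain Time II Daytime-UDP',            'UDP', 13,                 'Server'),
        ('Domain Time II Daytime-TCP',            'TCP', 13,                 'Server'),
        ('Domain Time II TIME/ITP-UDP',           'UDP', 37,                 'Server'),
        ('Domain Time II TIME/ITP-TCP',           'TCP', 37,                 'Server'),
        ('Domain Time II Status Monitor-UDP',     'UDP', $StatusMonitorPort, 'Client,Server'),
        ('Domain Time II Status Monitor-TCP',     'TCP', $StatusMonitorPort, 'Client,Server'),
        ('Domain Time II Real-Time Alert Sharing','TCP', $AlertSharingPort,  'AuditServer'),
        ('Domain Time II DT2-HTTP',               'TCP', $Dt2HttpPort,       'Server')
    )
    foreach ($r in $rows) {
        [pscustomobject]@{ Name = $r[0]; Protocol = $r[1]; Port = [int]$r[2]; Roles = ($r[3] -split ',') }
    }
}

function Test-DomainTimeFirewall {
    param(
        # Component(s) installed on this machine; decides which rules are "needed".
        [ValidateSet('Client', 'Server', 'AuditServer')][string[]]$Role = @('Server'),
        [int]$StatusMonitorPort = 9911, [int]$AlertSharingPort = 9910, [int]$Dt2HttpPort = 80
    )
    $expected = Get-DomainTimeExpectedRules -StatusMonitorPort $StatusMonitorPort -AlertSharingPort $AlertSharingPort -Dt2HttpPort $Dt2HttpPort
    foreach ($e in $expected) {
        $needed = [bool]($e.Roles | Where-Object { $Role -contains $_ })
        $rules  = @(Get-NetFirewallRule -DisplayName $e.Name -ErrorAction SilentlyContinue)
        $result = [ordered]@{ Rule = $e.Name; Needed = $needed; Found = ($rules.Count -gt 0)
                              Enabled = $null; Port = $null; Profile = $null; Status = 'OK' }
        if ($rules.Count -eq 0) {
            $result.Status = if ($needed) { 'MISSING' } else { 'absent (not needed)' }
        } elseif ($rules.Count -gt 1) {
            # The service only corrects port numbers on existing rules; it never de-duplicates.
            $result.Status = 'DUPLICATE rule name'
        } else {
            $rule = $rules[0]
            $pf   = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule
            $result.Enabled = ($rule.Enabled -eq 'True')
            $result.Port    = "$($pf.Protocol) $($pf.LocalPort)"
            $result.Profile = "$($rule.Profile)"
            if ($pf.Protocol -ne $e.Protocol -or "$($pf.LocalPort)" -ne "$($e.Port)") {
                $result.Status = "WRONG PORT (expected $($e.Protocol) $($e.Port))"
            } elseif ($rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Allow') {
                $result.Status = 'NOT an inbound allow rule'
            } elseif (-not $result.Enabled) {
                $result.Status = if ($needed) { 'DISABLED' } else { 'disabled (not needed)' }
            } elseif (-not $needed) {
                $result.Status = 'OPEN but not needed here'
            }
        }
        [pscustomobject]$result
    }
}

# Usage, e.g. on a machine running Server and Audit Server:
#   Test-DomainTimeFirewall -Role Server, AuditServer | Format-Table -AutoSize
```

Run it after the service has started (or after dtcheck -firewall:open) and look for anything other than OK. A rule reported as OPEN but not needed here, or one whose Profile column includes Public, is a candidate for disabling or narrowing as described under Firewall Rules and Profiles; the service will not undo such changes, because it only adds missing rules and corrects port numbers.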
Firewall Settings on Specific Domain Time II Components
The Setup utility
You may use the Setup utility to enable or disable the Auto-Manage Windows Firewall function on components when
you install or upgrade them.
The Auto-Manage Windows Firewall checkbox defaults to checked.
This is a tri-state checkbox (checked, unchecked, indeterminate). Click the box multiple times to cycle through the options.
When installing or upgrading Client or Server:
If checked, Client or Server will automatically manage the Windows Firewall, regardless of prior settings.
If unchecked, Client or Server will not automatically manage the Windows Firewall, regardless of prior settings.
If indeterminate, Client or Server's firewall management will not be changed. Note that on
new installs, Client and Server default to not managing the Windows Firewall.
When installing or upgrading the Management Tools:
If checked, Manager's default setting for installs, upgrades, or reset configurations will be to "Force Auto-Manage Windows Firewall"
on its Remote Computer Operation dialog. In addition, if Audit Server is installed, the "Auto-Manage Windows Firewall" setting
for Alert Sharing will be enabled.
If unchecked, the default Remote Computer Operation setting in Manager will not be set to "Force Auto-Manage Windows Firewall".
The Audit Server firewall management setting for Alert Sharing will also be disabled.
If indeterminate, Manager's default setting will be unchanged. If you are upgrading from a previous
version of Manager that does not have firewall management settings, then Manager (and Audit Server, if installed) will default to checked.
Domain Time II Client and Server
Client and Server both have the ability to auto-manage the Windows Firewall for their respective necessary ports.
The Auto-Manage Windows Firewall checkbox appears on the Network\Security
property page of the applet. This is a binary checkbox (checked or unchecked). The default is unchecked, unless you have
used a customized template that specifies otherwise, or have pushed the installation from Manager and specified that you
want firewall management enabled.
If checked, Client or Server will automatically manage the Windows Firewall.
If unchecked, Client or Server will not touch the Windows Firewall.
Domain Time II Manager
Domain Time II Manager has the ability to enable or disable the Auto-Manage Windows Firewall
function on Clients or Servers it installs, upgrades, or resets configuration on remotely.
The Force Auto-Manage Windows Firewall checkbox appears
on the Remote Computer Operation dialog that is used for installing, upgrading, or resetting the
configuration on other machines. This is a tri-state checkbox (checked, unchecked, indeterminate). Click
the box multiple times to cycle through the options.
When using Manager to install, upgrade, or reset configuration on Client or Server:
If checked, Client or Server will automatically manage the Windows Firewall, regardless of
prior settings and template entries.
If unchecked, Client or Server will not automatically manage the Windows Firewall, regardless
of prior settings and template entries.
If indeterminate, Client or Server's firewall management settings will be affected as follows:
  - On installs: Client and Server default to not managing the Windows Firewall unless you are using a custom template that enables it.
  - During upgrades: Manager will either preserve the existing Client or Server settings or override them with the settings from the selected template (as configured on the Choose Templates dialog).
  - Reset configuration: Client or Server will either be reset to their default configuration (not auto-managed) or use the settings specified in the selected template (as chosen on the Remote Computer Operation dialog).
NOTE: Custom templates you create by exporting settings from Client or Server will
contain that machine's setting for management of the Windows Firewall. The template setting
is called "Auto-Manage Firewall" and can either be True or False (string).
If present in the selected install/upgrade/reset template, this setting will be applied unless you tell Manager to override the setting. The default
templates shipped with Domain Time do not contain the "Auto-Manage Firewall" setting; only templates you create yourself might have it.
Domain Time II Audit Server
Audit Server, if installed, has the ability to auto-manage firewall settings for its Alert Sharing and Standby-mode replication features.
The Auto-Manage Windows Firewall checkbox for Alert Sharing is located on the
Advanced Real-Time Alert Configuration dialog (found via the Manager menu - choose Audit Server -> Alerts -> Configure, then click the Advanced button).
This is a binary checkbox (checked or unchecked), and controls only whether or not Audit Server should automatically manage the
Windows Firewall for the Real-Time Alert sharing port (default 9910 TCP).
The DTCheck Utility
DTCheck is a command-line utility program that ships with Domain Time. By default, it is
installed in the System32 folder when you install Client or Server, and is in the Manager
folder when you install the management tools.
DTCheck has two commands that affect the Windows Firewall:
dtcheck -firewall:close
Deletes all Domain Time II firewall rules. There are no optional parameters.
dtcheck -firewall:open [optional parameter]
Creates rules if they don't exist, enables existing rules that aren't enabled, and sets the profile(s) used.
Optional parameters for -firewall:open are -public, -private, -domain and -standard. Only -domain
and -standard are allowed on XP/2003; only -public, -private and -domain are allowed on newer
operating systems. If you specify no parameters, the default is -domain and -standard on XP/2003,
and -private plus -domain (if the machine is a domain member) on newer operating systems.
Note that unlike the Domain Time services described above, DTCheck's -firewall:open forces the rules to be present,
enabled, and set to the profile(s) you choose. DTCheck will also force the port numbers to
match the protocols in use, including the user-configurable port numbers mentioned above.
DTCheck's -firewall:open detects whether you have Client or Server installed, and opens only
the ports needed for Client or Server. In addition, DTCheck detects if Audit Server is installed,
and opens the Real-Time Alert Sharing port if needed.
Unlike firewall management by the services, DTCheck writes its results to the command window
instead of to the System32\DTFirewall.log file.