"Hello Network, can i have the time?"

 
 
Stephen O'Sullivan
      12-31-2003, 11:57 AM
G/day Forum,

A bit of background to the set up of my network.

2 Sites, SiteA and SiteB with a 2 way transitive trust between the two -
linked by a private leased line. These sites have their own connections to
the internet.

A Cisco Router links to the ISP on both networks, and a Cisco PIX 515E is
the demarcation point between the public and private networks. I've got a
Quad card on each PIX. So I've got 6 networks with different priorities
hanging from each PIX. These networks are LAN, public, and 4 other public
service segments hosting services like DNS, Web, FTP, SMTP, WebServices,
Extranet Services, etc.

We're planning on going live soon with an application on SiteA. This will be
hosted on a DMZ, a workgroup environment, and will remote to an application
server on SiteA's private network (172.16.1.0/24). This server needs to talk
to a database server on SiteB's private network. (172.16.2.0/24)

There are discrepancies in the network time that's affecting services on our
Web Server. My question is how do I ensure that both my networks have the
correct system time set on all servers.

I've thought about how I would do this. My Active Directory controllers are
setting the times on my internal servers and workstations. If I want to
allow my web servers get the time from my AD controllers I will have to
place access-lists on my firewall to allow tcp traffic to pass through port
123 from my web server to my AD controller - I don't like the sound of that.
It's got security breach written all over it. Then I've got to figure out
where do my AD controllers get their time. All these problems.

I know someone out there will be amazed that I've got this far without
having a proper sntp set up, and trust me I've been burnt a few times
because of this. It's one of my new year resolutions to never again worry
about where my network is getting its time from. Hear my cry for help....
please!!!!!

Regards,
Steve.





 
Jeff Cochran
      12-31-2003, 02:03 PM
On Wed, 31 Dec 2003 12:57:43 -0000, "Stephen O'Sullivan"
<steve@nospam_noway_dontyoudare.net> wrote:

>G/day Forum,


You mean Forum*s*. You missed alt.britney-spears in your crosspost by
the way...

>My question is how do i ensure that both my networks have the
>correct system time set on all servers.


If I drop all the other descriptions, I believe what you're looking
for is:

http://www.winnetmag.com/Article/Art...943/14943.html

Jeff
 
Robert Moir
      12-31-2003, 02:45 PM
Stephen O'Sullivan wrote:

> There are discrepancies in the network time that's affecting services
> on our Web Server. My question is how do I ensure that both my
> networks have the correct system time set on all servers.
>
> I've thought about how I would do this. My Active Directory
> controllers are setting the times on my internal servers and
> workstations. If I want to allow my web servers get the time from my
> AD controllers I will have to place access-lists on my firewall to
> allow tcp traffic to pass through port 123 from my web server to my
> AD controller - I don't like the sound of that. It's got security
> breach written all over it. Then I've got to figure out where do my
> AD controllers get their time. All these problems.


Buy a couple of atomic clocks. At least one for AD (or one for each AD site
maybe), and one other for your web server/servers.


 
Roger Abell [MVP]
      01-01-2004, 05:30 PM
So from where is your forest currently getting its time sync?
I mean, to where is the forestroot PDC FSMO requesting NTP sync?

Why not run a timeserver, that syncs to your national time services,
and then is used to source time sync to all of your deployments?
Similarly, if it is not critical that your DMZ based resources be in
sync with your AD, why not just sync them?
Keep in mind that you can tie these down to only the desired IPs
for port 123.

--
Roger
 
Nobody
      01-02-2004, 01:14 AM

"Stephen O'Sullivan" <steve@nospam_noway_dontyoudare.net> wrote in message
news:O$(E-Mail Removed)...
> I've thought about how I would do this. My Active Directory controllers
> are setting the times on my internal servers and workstations. If I want to
> allow my web servers get the time from my AD controllers I will have to
> place access-lists on my firewall to allow tcp traffic to pass through
> port 123 from my web server to my AD controller - I don't like the sound of
> that. It's got security breach written all over it. Then I've got to figure
> out where do my AD controllers get their time. All these problems.
>


Stephen,

The following option comes to mind:

Allow the Domain controllers to sync with an Internet time source such as
NIST and instead of the DMZ systems syncing to internal systems allow
them (DMZ systems) to sync with the same Internet time source.

AFAIK, you only need to allow outgoing NTP on each system.
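
An added example, not part of the original thread or any poster's code: the client side of the outgoing SNTP exchange discussed above, checking that a reply echoes the request, that the source is actually synchronised, and how far the local clock is off. Function names, the 1-second limit and the sample packets are constructed for illustration.

```python
import struct

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(unix_ts):
    """Encode Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_ts)
    return struct.pack("!II", secs + NTP_DELTA, int((unix_ts - secs) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte client request (LI=0, VN=3, Mode=3), as sent to UDP port 123."""
    return bytes([0x1B]) + bytes(39) + to_ntp(t1)

def make_reply(request, li, stratum, t2, t3):
    """Constructed server reply (Mode=4) standing in for a captured packet."""
    head = bytes([(li << 6) | (3 << 3) | 4, stratum]) + bytes(22)
    return head + request[40:48] + to_ntp(t2) + to_ntp(t3)

def check_reply(request, reply, t4, max_offset=1.0):
    """Return (offset_seconds, problems) for a reply received at local time t4."""
    if len(reply) < 48:
        return None, ["short packet"]
    li, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    problems = []
    if mode != 4:
        problems.append("not a server reply")
    if reply[24:32] != request[40:48]:  # originate must echo our transmit time
        problems.append("originate timestamp does not echo our request")
    if li == 3 or stratum == 0 or stratum > 15:
        problems.append("server is not synchronised")
    t1, t2, t3 = (from_ntp(reply[i:i + 8]) for i in (24, 32, 40))
    offset = ((t2 - t1) + (t3 - t4)) / 2
    if abs(offset) > max_offset:  # max_offset is an assumed policy limit
        problems.append("clock offset exceeds limit")
    return offset, problems

def demo():
    t1 = 1072915200.0  # constructed client send time
    req = build_request(t1)
    synced = make_reply(req, 0, 2, t1 + 0.75, t1 + 0.75)            # healthy source
    free_running = make_reply(req, 3, 0, t1 + 300.25, t1 + 300.25)  # no upstream
    return [check_reply(req, r, t1 + 0.5) for r in (synced, free_running)]

if __name__ == "__main__":
    for offset, problems in demo():
        print(f"offset={offset:+.2f}s", problems or "ok")
```

The second constructed reply models a server with no upstream time source: it still answers, but flags itself as unsynchronised.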


 
Stephen O'Sullivan
      01-02-2004, 07:33 AM
It's not syncing!! No external time source is being used........ as I said in
my original post 'that I've got this far without having a proper sntp set
up, and trust me I've been burnt a few times'.

My Web Servers have to be in sync with my AD, cos information is received
from my db server that requires my Web, App and db to be off the same time
all down to event sequence and timing. I know I should have mentioned this
in the earlier post, but I've got an Integrated install of ISA Server on
each site. Most of my clients are SecureNat clients with the odd Firewall
client. Now this acts as a gateway to the Internet from each of the private
172.16.0.0 segments within my network. I can't set a timeserver on this
because it's automatically getting its time from AD........ if this wasn't
happening, I could have this server sync with an ntp host on the web, and
have all my server deployments, on all networks get its time from this ISA
server.

Your thoughts.....
Regards,
Steve.


"Roger Abell [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> So from where is your forest currently getting its time sync?
> I mean, to where is the forestroot PDC FSMO requesting NTP sync?
>
> Why not run a timeserver, that syncs to your national time services,
> and then is used to source time sync to all of your deployments?
> Similarly, if it is not critical that your DMZ based resources be in
> sync with your AD, why not just sync them?
> Keep in mind that you can tie these down to only the desired IPs
> for port 123.
>
> --
> Roger
 
Mark
      01-02-2004, 09:32 PM
If you are not syncing the AD domain, you probably should. Here is a good
list of public time servers:
http://www.eecis.udel.edu/~mills/ntp/servers.html
I know that Cisco routers can act as a time source, but I'm not sure about a
PIX. If so, you could sync the PIX with an external source and sync the
domain and the DMZ from the PIX. Just a thought.

Mark
 
Stephen O'Sullivan
      01-05-2004, 07:37 AM
I'd like to have the service protected by a firewall. If it's on my
peripheral router..... then that would not be the case.

Steve.

"Mark" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> If you are not syncing the AD domain, you probably should. Here is a good
> list of public time servers:
> http://www.eecis.udel.edu/~mills/ntp/servers.html
> I know that Cisco routers can act as a time source, but I'm not sure about a
> PIX. If so, you could sync the PIX with an external source and sync the
> domain and the DMZ from the PIX. Just a thought.
>
> Mark