"Hello Network, can i have the time?"

Thread starter: Stephen O'Sullivan

Stephen O'Sullivan

G'day Forum,

A bit of background to the set up of my network.

2 sites, SiteA and SiteB, with a 2-way transitive trust between the two,
linked by a private leased line. These sites have their own connections to
the internet.

A Cisco router links to the ISP on both networks, and a Cisco PIX 515E is
the demarcation point between the public and private networks. I've got a
quad card on each PIX, so I've got 6 networks with different priorities
hanging from each PIX. These networks are LAN, public, and 4 other public
service segments hosting services like DNS, Web, FTP, SMTP, Web Services,
Extranet Services, etc.

We're planning on going live soon with an application on SiteA. This will be
hosted on a DMZ, a workgroup environment, and will remote to an application
server on SiteA's private network (172.16.1.0/24). This server needs to talk
to a database server on SiteB's private network (172.16.2.0/24).

There are discrepancies in the network time that's affecting services on our
Web Server. My question is how do I ensure that both my networks have the
correct system time set on all servers?

I've thought about how I would do this. My Active Directory controllers are
setting the times on my internal servers and workstations. If I want to
allow my web servers to get the time from my AD controllers I will have to
place access-lists on my firewall to allow TCP traffic to pass through port
123 from my web server to my AD controller - I don't like the sound of that.
It's got security breach written all over it. Then I've got to figure out
where my AD controllers get their time. All these problems.

I know someone out there will be amazed that I've got this far without
having a proper SNTP set up, and trust me I've been burnt a few times
because of this. It's one of my new year resolutions to never again worry
about where my network is getting its time from. Hear my cry for help....
please!!!!!

Regards,
Steve.
 
Stephen said:
There are discrepancies in the network time that's affecting services
on our Web Server. My question is how do I ensure that both my
networks have the correct system time set on all servers?

I've thought about how I would do this. My Active Directory
controllers are setting the times on my internal servers and
workstations. If I want to allow my web servers to get the time from my
AD controllers I will have to place access-lists on my firewall to
allow TCP traffic to pass through port 123 from my web server to my
AD controller - I don't like the sound of that. It's got security
breach written all over it. Then I've got to figure out where my
AD controllers get their time. All these problems.

Buy a couple of atomic clocks. At least one for AD (or one for each AD site
maybe), and one other for your web server/servers.
 
So from where is your forest currently getting its time sync?
I mean, to where is the forest root PDC FSMO requesting NTP sync?

Why not run a timeserver that syncs to your national time services,
and is then used to source time sync for all of your deployments?
Similarly, if it is not critical that your DMZ based resources be in
sync with your AD, why not just sync them?
Keep in mind that you can tie these down to only the desired IPs
for port 123.
 
Stephen O'Sullivan said:
I've thought about how I would do this. My Active Directory controllers are
setting the times on my internal servers and workstations. If I want to
allow my web servers to get the time from my AD controllers I will have to
place access-lists on my firewall to allow TCP traffic to pass through port
123 from my web server to my AD controller - I don't like the sound of that.
It's got security breach written all over it. Then I've got to figure out
where my AD controllers get their time. All these problems.

Stephen,

The following option comes to mind:

Allow the domain controllers to sync with an Internet time source such as
NIST and, instead of the DMZ systems syncing to internal systems, allow
them (the DMZ systems) to sync with the same Internet time source.

AFAIK, you only need to allow outgoing NTP on each system.
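What the reply above relies on, shown as an added illustration that is not from any poster in this thread: an SNTP client request, the reply a synchronised server sends back, and the four-timestamp offset calculation from RFC 4330 that every host (DC or DMZ web server alike) performs against its time source. All packets are constructed in-process; no server is contacted. It also shows the checks a client should make before trusting a reply that arrives on the UDP 123 path it opened outbound: server mode, a synchronised stratum, and an Originate Timestamp that echoes the request the client actually sent. The function names are this example's own.

```python
"""SNTP (RFC 4330) packet handling and clock-offset maths.

Added example for this thread; every packet is constructed here, nothing is
captured from a real server. Function names are this example's own.
"""
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET_LEN = 48


def to_ntp(unix_seconds):
    """Unix seconds (float) -> 8-byte NTP timestamp: 32-bit seconds, 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32)))
    if frac == 1 << 32:            # rounding carried into the next second
        whole, frac = whole + 1, 0
    return struct.pack("!II", (whole + NTP_UNIX_DELTA) & 0xFFFFFFFF, frac)


def from_ntp(raw):
    """8-byte NTP timestamp -> Unix seconds (float)."""
    whole, frac = struct.unpack("!II", raw)
    return whole - NTP_UNIX_DELTA + frac / (1 << 32)


def build_request(t1):
    """Client request: LI=0, VN=3, mode 3; Transmit Timestamp carries the client's T1."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (3 << 3) | 3
    pkt[40:48] = to_ntp(t1)
    return bytes(pkt)


def build_reply(request, t2, t3, stratum=1, ref_id=b"GPS\x00"):
    """Server side of the exchange: echo the client's Transmit Timestamp as
    Originate, then stamp Receive (T2) and Transmit (T3)."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (3 << 3) | 4           # LI=0, VN=3, mode 4 (server)
    pkt[1] = stratum
    pkt[2] = 6                                  # poll interval exponent (64 s)
    pkt[3] = (-20) & 0xFF                       # precision 2^-20 s as a signed byte
    pkt[12:16] = ref_id                         # stratum-1 reference identifier
    pkt[16:24] = to_ntp(t2)                     # Reference Timestamp (clock last set)
    pkt[24:32] = request[40:48]                 # Originate Timestamp = client's T1
    pkt[32:40] = to_ntp(t2)                     # Receive Timestamp
    pkt[40:48] = to_ntp(t3)                     # Transmit Timestamp
    return bytes(pkt)


def parse_reply(reply, request):
    """Validate a reply against the request it should answer and extract T1..T3.

    Rejects anything that is not a synchronised server reply to *our* request:
    wrong mode, leap indicator 3 or stratum 0 (unsynchronised / kiss-o'-death),
    or an Originate Timestamp that does not echo the Transmit Timestamp we sent."""
    if len(reply) < PACKET_LEN:
        raise ValueError("short packet")
    li, vn, mode = reply[0] >> 6, (reply[0] >> 3) & 7, reply[0] & 7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if vn not in (3, 4):                        # this example only handles v3/v4
        raise ValueError(f"unsupported NTP version {vn}")
    stratum = reply[1]
    if li == 3 or stratum == 0:
        raise ValueError("server clock not synchronised; reply discarded")
    if reply[24:32] != request[40:48]:
        raise ValueError("originate timestamp does not match our request")
    return {
        "stratum": stratum,
        "t1": from_ntp(reply[24:32]),
        "t2": from_ntp(reply[32:40]),
        "t3": from_ntp(reply[40:48]),
    }


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset and round-trip delay from the four timestamps."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def measure(request, reply, t4):
    """Offset of the local clock relative to the server, plus path delay."""
    f = parse_reply(reply, request)
    offset, delay = clock_offset(f["t1"], f["t2"], f["t3"], t4)
    return {"stratum": f["stratum"], "offset": offset, "delay": delay}


if __name__ == "__main__":
    # Constructed scenario: the client's clock runs 90 s fast, one-way latency is
    # 10 ms and the server spends 2 ms on the request. All values are Unix seconds.
    T1 = 1100000000.000          # client clock when the request left
    T2 = T1 - 90.0 + 0.010       # server clock when the request arrived
    T3 = T2 + 0.002              # server clock when the reply left
    T4 = T1 + 0.022              # client clock when the reply arrived
    req = build_request(T1)
    rep = build_reply(req, T2, T3)
    print(measure(req, rep, T4))   # offset ~ -90.0 s (client is fast), delay ~ 0.020 s
```

A negative offset means the local clock is ahead of the server; the delay figure bounds how much of the offset is measurement noise, which is why a client polls several times rather than stepping the clock on one reply. The Originate check is what lets a host that only allows outbound NTP discard any reply that was not an answer to its own request.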
 
It's not syncing!! No external time source is being used........ as I said in
my original post, 'that I've got this far without having a proper SNTP set
up, and trust me I've been burnt a few times'.

My Web Servers have to be in sync with my AD, cos information is received
from my db server that requires my Web, App and db to be off the same time,
all down to event sequence and timing. I know I should have mentioned this
in the earlier post, but I've got an Integrated install of ISA Server on
each site. Most of my clients are SecureNat clients with the odd Firewall
client. Now this acts as a gateway to the Internet from each of the private
172.16.0.0 segments within my network. I can't set a timeserver on this
because it's automatically getting its time from AD........ if this wasn't
happening, I could have this server sync with an NTP host on the web, and
have all my server deployments, on all networks, get their time from this ISA
server.

Your thoughts.....
Regards,
Steve.
 
If you are not syncing the AD domain, you probably should. Here is a good
list of public time servers:
http://www.eecis.udel.edu/~mills/ntp/servers.html I know that Cisco routers
can act as a time source, but I'm not sure about a PIX. If so, you could
sync the PIX with an external source and sync the domain and the DMZ from
the PIX. Just a thought.

Mark
 
I'd like to have the service protected by a firewall. If it's on my
peripheral router..... then that would not be the case.

Steve.
 