I have had a problem with two domain controllers in our network no longer
replicating as the time difference between the two became more than 5
minutes.

On the operations master (also acting as the PDC) I want to set up W32time to
use an external time server (time.micorosoft.com). W32time logs NTP server
not responding and ShieldsUp! reports 123 as being closed on our network. So
I guess the port 123 is blocked by our ISA server. How can I open this port
to send/receive?

TIA,

Fred Blum

Re: W32time and opening port NDP port 123 by IBC

IBC
Wed Feb 25 09:10:32 CST 2004

I added this filter:

Go to ISA\Access Policy\IP Packet Filters
Right click IP Packet Filters and select New\Filter
Give the Filter a name (like Time Server or whatnot)
Select Allow Packet transmission
Select Custom
IP Protocol is UDP
Direction is Send/receive
Local port is All ports
Remote port is Fixed Port
Port Number is 123
Filter applies to the default addresses on the external interface
Filter applies to all computers.

Give that a whirl.



Re: W32time and opening port NDP port 123 by Fred

Fred
Wed Feb 25 10:06:53 CST 2004



I've changed my packet filter from Local Port fixed 123 to all ports. My
filter settings were for the rest the same.
Still Shields Up! http://grc.com/x/ne.dll?rh1dkyd2 reports the port as
closed.

----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2004-02-25 at 15:56:02

Results from probe of port: 123

0 Ports Open
1 Ports Closed
0 Ports Stealth
---------------------
1 Ports Tested

THE PORT tested was found to be: CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.

----------------------------------------------------------------------

The event log has the following error: The NTP server didn't respond. I've set
the authoritative time server to time.microsoft.com as according to KB 216734
this machine is available. Should I try another one? Or is this port indeed
closed? How to override this in ISA?

Regards,
Fred



Re: W32time and opening port NDP port 123 by IBC

IBC
Wed Feb 25 10:22:53 CST 2004

But is the time server able to connect? I'm not an ISA pro, but if the
filter is set up as send/receive I think that means only communications sent
FROM the server OUT can come back in, otherwise it will show as blocked.

Maybe somebody else could confirm that.....



Re: W32time and opening port NDP port 123 by Dave

Dave
Wed Feb 25 11:06:51 CST 2004

Right - you'll notice that generally all your ports show as closed. Your
server sends out a request to the time server, and ISA opens port 123 to the
response. At other times, the port is closed to incoming traffic.



Re: W32time and opening port NDP port 123 by Dave

Dave
Wed Feb 25 23:14:23 CST 2004

I get these log entries every 2 or 3 days, but I'm fairly certain the sync
is happening most of the time. My packet filter is same as IBC suggests...
Try a manual sync:
Stop the windows time service, open a command prompt, type "w32tm -once" (no
quotes) and see if it connects...

I check this whenever I seem to be getting too many of the log errors - as a
matter of fact I just had one 2 hours ago. I did the manual sync and my
system connected and was only 57ms off...

Probably flaky network conditions or the time server is too busy (?) Also,
I use IP addresses rather than DNS names, seem to have better luck that way.

Hth - DS
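Added example (not from any poster in this thread): a minimal SNTP client in Python that tests the path Dave describes, an outbound request from an ephemeral local port to remote UDP port 123 with the reply let back in, rather than an inbound scan of port 123. The function names and the constructed sample reply are illustrative assumptions; the reply is accepted only if it echoes the timestamp that was sent.

```python
import socket
import struct
import sys
import time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)

def to_ntp(unix_ts):
    """Unix seconds -> (seconds, fraction) of a 64-bit NTP timestamp."""
    ntp = unix_ts + NTP_DELTA
    return int(ntp) & 0xFFFFFFFF, int((ntp - int(ntp)) * 2**32)

def from_ntp(sec, frac):
    return sec - NTP_DELTA + frac / 2**32

def build_request(t1):
    """48-byte client packet: LI=0, VN=3, Mode=3 (client), transmit timestamp = t1."""
    return struct.pack("!B39xII", (3 << 3) | 3, *to_ntp(t1))

def parse_reply(data, request, t1, t4):
    """Validate a server reply and return clock offset and round-trip delay in seconds."""
    if len(data) < 48:
        raise ValueError("short packet")
    first, stratum = struct.unpack("!BB", data[:2])
    if first & 0x7 != 4:
        raise ValueError("not a server-mode reply")
    if stratum == 0:
        raise ValueError("kiss-o'-death: server refused the request")
    if data[24:32] != request[40:48]:
        raise ValueError("originate timestamp does not match our request")
    r_s, r_f, x_s, x_f = struct.unpack("!4I", data[32:48])
    t2, t3 = from_ntp(r_s, r_f), from_ntp(x_s, x_f)
    return {"stratum": stratum,
            "offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2)}

def constructed_reply(request, t2, t3):
    """Constructed sample reply (not captured traffic): stratum 2, echoes our timestamp."""
    head = struct.pack("!BB22x", (3 << 3) | 4, 2)
    return head + request[40:48] + struct.pack("!4I", *to_ntp(t2), *to_ntp(t3))

def query(server, timeout=3.0):
    """One outbound query from an ephemeral local port to remote UDP 123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        request = build_request(t1)
        s.sendto(request, (server, 123))
        data, _ = s.recvfrom(512)  # socket.timeout here: no reply came back through the filter
        t4 = time.time()
    return parse_reply(data, request, t1, t4)

if __name__ == "__main__":
    if len(sys.argv) > 1:           # e.g. python sntp_probe.py <your time server>
        print(query(sys.argv[1]))
    else:                           # offline demo: server clock 300 s (5 minutes) ahead
        req = build_request(1000.0)
        print(parse_reply(constructed_reply(req, 1300.25, 1300.25), req, 1000.0, 1000.5))
```

A timeout from `query` while the filter is in place corresponds to the "NTP server didn't respond" event; a returned offset shows the outbound path works even though an external scan reports port 123 as closed.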



Re: W32time and opening port NDP port 123 by Fred

Fred
Thu Feb 26 04:35:03 CST 2004


I installed the firewall client on the PDC and now W32tm connects without an
error. Dumm.

Thanks,

Fred



Re: W32time and opening port NDP port 123 by Dave

Dave
Thu Feb 26 12:01:18 CST 2004

It is not recommended to install the FC on the ISA server...
http://support.microsoft.com/default.aspx?scid=kb;EN-US;304919
Keep your fingers crossed ; )
DS