Forgot your password?
typodupeerror
Networking

Time Syncing Through a Firewall Without NTP? 112

Posted by Cliff
from the route-around-the-problem dept.
dvdsmith asks: "Say are dealing with a Windows network that for internet access must pass through a firewall that you have no control over. Said firewall apparently blocks the known time protocols (NTP,daytime,etc) and you know from experience that those who control it will not allow any exceptions. If one sets up an internal NTP server (Windows XP or 2000 workstation) for all others to sync from, is there another reliable method for updating time on the server, like pulling from a Java website? See the time.gov website as an example. Any ideas?"
This discussion has been archived. No new comments can be posted.

Time Syncing Through a Firewall Without NTP?

Comments Filter:
  • by captnitro (160231) * on Saturday July 30, 2005 @06:57PM (#13204465)
    Of course, your most important ingredient is this baby right here: the external web service. You can get it in a can but to really do things right, you gotta strangle yourself a fresh one.

    We're going to sync with our outside web service using a simple SOAP client, written in whatever language you prefer, and setting the time. (Your users will get their time from you via NTP still, of course.) This isn't required, but for that fresh BAM! taste, it's recommended. Mind the delay calculations if you're writing the client side of it yourself [php.net], the WWWait will have a little bit more effect here depending on your setup. If you want to make it quick and dirty, there's no reason to go through the SOAP/WSDL hoops, the point is having it on a known port and piggybacking across HTTP's fame and success, and then sleeping with its girlfriend, and stealing her wallet on the way out. BAM!
    • by Anonymous Coward
      Use SOAP XML bloat to get the current time? Jebus. People in this industry are utterly clueless. How about a 10-line daemon in C that sends the current time as a 64-bit value when you connect to it?? Or can't people program any more unless they use SOAP and PHP???
      • You're not going to get a reply that way. Here, let me try:

        We're going to sync with our outside web service using a simple SOAP client,

        A SOAP client? Interesting!

        written in whatever language you prefer, and setting the time. (Your users will get their time from you via NTP still, of course.) This isn't required, but for that fresh BAM! taste, it's recommended. Mind the delay calculations if you're writing the client side of it yourself [php.net], the WWWait will have a little bit more effect h

      • amen, rdate still works as well now as ever. Trivial server to run too, no security breaches
      • And what port is that C daemon going to listen on? Port 80? What if that is proxied? The only thing that is certain to get through is HTTP traffic.

        I'd go for a much simpler approach. It depends on how accurate this needs to be, but find a web server with accurate time (Perhaps a friend has webspace or a dedicated server, or even a home DSL/Cable connection), and put a one-line PHP, Perl, anything, script on it that simply sends the timestamp. Perhaps try to speed things up marginally by removing all but the
    • You don't want to make a new SOAP service and have to do all the delay calculations.

      If you have access to an external server, just tunnel NTP over HTTP. (http://htun.runslinux.net/docs.html [runslinux.net])

      Essentially no programming required.

      It might be slighly less accurate than your way, but only if the time on the existing server really is hyperaccurate.

      (That is, SOAP directly to an authoritative time server is probably more accurate than a tunneling proxy, but a tunneling proxy is probably more accurate than the two s
  • by Anonymous Coward on Saturday July 30, 2005 @07:09PM (#13204509)
    Ask the morons in charge of the firewall to please open the NTP port and take the time to explain why this is important.
    Take it up with management if said morons disagree.
    • I'm almost in excatly the same boat as "dvdsmith" - the most likely solution for our situation is a GPS stabilized NTP appliance. We've also been taking a hit with the lack of FTP access and a couple of other protocols - we have a clear need for access, but that doesn't seem to make any difference to the IT guys.

      One basic problem is that the IT folks are being graded on keeping their costs down - but not graded on whether they keep the overall costs down.

      • Who is playing the political games? IT does what the boss tells them to. If you are a typical slashdotter you do not play the political games well. So you should have your boss play them for you, that is his job. Just tell your boss that you need good time, and let him do it.

        If you boss won't play those games, think about sending thing up the line. Start asking questions in the company meetings about why IT isn't responding to employee needs. Your point will get across. (Careful here though, thi

        • Who is playing the political games? IT does what the boss tells them to.

          W-e-l-l, IT's ultimate boss is 4 to 5 levels up in management (I'm part of a very large organization, IT is largely in India). My boss is well aware of the problem and his boss is well aware of the problem but isn't in the position to do anything about it. :-(

          • My boss is well aware of the problem and his boss is well aware of the problem but isn't in the position to do anything about it. :-(

            Then go to someone who can. This is a no-brainer - it's probably worth speaking to your IT Security Head - any application logging is worthless unless you can rely on the timestamp. If your company is quoted on the NYSE - they'll have to answer questions like this soon anyway because of Sarbanes-Oxley etc.
            • I don't think you comprehend what it means to be part of a very large organization. It would probably be cheaper to spring for the GPS unit than to go through the process of trying to convince corporate IT to open a hole in the firewall.

              As far as SarbOx and $500 for a GPS NTP server - the IT guys may very well say that is small potatoes compared to the cost of a network breach - and they would most likely be right (probability > 99.9%). Even if that probability is small, it still may be cheaper to sprin


              • If you are part of a truly large organisation, then, trust me - somewhere on your network a Time server already exists.

                It would be cheaper still to state what you need (a valid reliable time source) and let the IT guys solve that problem - not "Some dork developer wants us to open up port what on the firewall?!?!?"

              • I don't think you comprehend what it means to be part of a very large organization.

                LOL. We have 4 satellite receivers and an atomic clock on our private network. Trust me - I do. All I'm saying is that they should do something - either open the firewall OR multiple internal time sources (in LargeOrganisations(TM) and for SOX404 you need redundancy, and anyway from such a large network you probably don't want all your Tier 2 pointing at the same Tier 1). The Tier 1's ahould sync amongst themselves and
      • by ColaMan (37550) on Saturday July 30, 2005 @10:23PM (#13205300) Homepage Journal
        Get quotes for your time-sync hardware, and a *formal* quote from IT. (if no formal quote is forthcoming, keep your evidence of attempting to obtain one, and do a best-guess yourself, factoring labour/bandwidth/etc).

        Go up the chain to whoever manages both the IT and your division. Say "We need time sync for such-and-such. It's necessary."

        Give them a breakdown of costs like so:

        $x for GPS stabilised NTP appliance.
        $y for some bonehead in IT to open the port up.

        Make sure you put the expensive one first. If it costs the IT department more to poke a hole in the firewall, well, hell, you'll get a new toy to play with. But most likely management will say (paraphrased) "WTF? Bring me the head of the IT department manager, on a silver platter."

        IT departments are there to provide services for the rest of the company. That's their job. If they're not doing their job, call them on it. They're just a lead weight around the company's neck otherwise.
        • by secolactico (519805) on Saturday July 30, 2005 @11:36PM (#13205604) Journal
          Give them a breakdown of costs like so:

          $x for GPS stabilised NTP appliance.
          $y for some bonehead in IT to open the port up.


          And don't forget to include installation costs in the breakdown. Depending on your building infrastructure, you might have to run wiring for an external gps antenna, plus related costs of mounting an outdoor equipment, which will probably be done by the maintenance people or subcontracted.
        • > IT departments are there to provide services ...

          In one college I teach in they have an internal time server, and that server is one hour off... The way they set it to daylight savings time is by adding one hour to UTC... (And by inspecting email headers I think that's the way most IT departments in Israel do it. Then of course they cannot sync to an external time server because then everything is one hour off what they think is correct. But it might be the common knowledge of all system admins in Israe
          • In one college I teach in they have an internal time server, and that server is one hour off... The way they set it to daylight savings time is by adding one hour to UTC...

            Great Scott! The rest of the world (including weird places like Arizona that don't use summer time while everyone around them does) has no problem with shifting UTC offsets. (NTP itself is UTC, it doesn't care about time zones -- that's upto the user applications.) Why is Israel in this mysterious temporal anomaly?

            • > Why is Israel in this mysterious temporal anomaly?

              I guess that's because of politicians. The authority on setting the duration of Daylight Savings Time in Israel is given to the minister of interior. Over the past 30 years or so the politicians have been constantly changing the duration of daylight savings time to suit the needs of different political parties (or to comply with supreme court decisions when the court ruled the changes exceeded the minister's authority set in the law). Often it happened
              • Over the past 30 years or so the politicians have been constantly changing the duration of daylight savings time to suit the needs of different political parties ... the dates change each year (because they correspond to Hebrew calendar dates)

                Ye Gods! That does sound like a mess. Why does the authority need to be given to someone? Just pass a law in the Knesset defining it, in terms of the Hebrew calendar as reqd. I assume the Hebrew calendar is not arbitrary, i.e. given a date, a computer can always ca

                • > Why does the authority need to be given to someone?
                  Well... that's because politicians want authrity to do... whatever. Anything goes... It gives them bargaining power.

                  > Just pass a law ...
                  This finally happened this year. The compromise they reached includes starting on a day determined by the Gregorian calender and the end day by the Hebrew calendar. Both happen on 2AM on Friday or Sunday preceding the fixed date. So at least it's predictable.

                  > I guess it's just another example of things that wo
        • With a firewall, you can easily block incoming syn/ack's through the ntp port, but use a keep-state to allow outgoing TCP connections (someone internally has to initialize it, then you can get bi-directional communication). ...at least with PF.

          Cost? 30 seconds to modify pf.conf and 5 seconds to load in the new rule. What's that for an hourly wage? Hell, drop 5 bucks on the table and the company made a profit.
          • [...snip...] outgoing TCP connections (someone internally has to initialize it, then you can get bi-directional communication). ...at least with PF.

            I think you misspelt "UDP" ;-). (IANA does list 123/tcp and 123/udp as both being NTP, but it only uses udp).
            --
            I'm not politically incorrect, I'm just differently articulate

      • lack of FTP access

        Well, any techie worth their salt shouldn't consider FTP except in very special cases. Plaintext passwords is a huge security hole in the security models at most businesses.

        I always encourage use of SFTP instead. However, most developers seem scared of SFTP for some reason. It's pretty much the same darn thing.

        And I always allow NTP :)
    • by Anonymous Coward
      If these IT guys are worth their salt, the must already have NTP servers inside the firewall. Why not just use those?

      Afterall, if those internal servers are not reliable, then that reflects poorly on the IT guys, which gives you even more leverage to justify removing the restriction.
      • Slick, that turns the problem around and drops it in their lap. Providing reliable network time would certainly be their job (especially if they block access to outside servers), and it would be easy to show that it's a requirement for network operation and logging. (OP might want to jury rig something to periodically test their time for accuracy.)
    • The guy already said, "It's impossible to change the firewall." You can't answer that by saying, "Change the firewall."
      • Then either the firewall is crap, somebody lost the manual, or the firewall manager is a frigging idiot.

        Based on my IT experiences, my guess is all of the above.

        • The original article says specifically that the guy who manages the firewall would refuse to change it come hell or high water.
          • Well, then if it is truly is impossible you wind up buying the GPS hardware and installing all that stuff. Odds are though that when the costs make their way up the management chain, "impossible" becomes "yes sir, I'll stop being a butthead"
    • " Ask the morons in charge of the firewall to please open the NTP port and take the time to explain why this is important. Take it up with management if said morons disagree."

      I strongly suspect said firewall is placed at country level (think Arab countries, or North Korea) and said "morons" are the boyz from the Interior - or whatever - Ministry. Now you were talking about taking up with the "management"...?
      • I strongly suspect said firewall is placed at country level (think Arab countries, or North Korea) and said "morons" are the boyz from the Interior - or whatever - Ministry. Now you were talking about taking up with the "management"...?

        I've been behind every national Arab firewall besides Libya (not sure whether they have one at the country level) and never had problems with NTP (or SSH or anything else, except a few web sites). Never been to North Korea but I doubt many people in North Korea are able t

        • I have experience working in another country with a repressive paranoid regime (not Middle East; not North Korea) and until about three years ago every non-well-known port was blocked plus - I can't remember exactly here - at least one or likely all of the 'time' ports. I don't think Slashdot has ever been blocked but quite a few websites still are (including Google Groups and Geocities). That's my perspective on the situation. Something about the vague wording of the originl poster's situation made me susp
    • He has good reason to be very afraid of the "morons", as you, brave Mr. AC, have so cavalierly stated.

      Remember - Do not meddle in the affairs of wizards, for you are crunchy and taste good with ketchup.

      Simon

  • Tunnel. (Score:5, Informative)

    by SharpFang (651121) on Saturday July 30, 2005 @07:10PM (#13204514) Homepage Journal
    Set up a host outside the firewall, and tunnel the NTP data over some "allowed" port, so it gets through. Or set it up as NTP server on non-standard port (80?) outside the firewall.
    If you want precise measurement, this is the way to go. NTP software will correct the latency errors, no matter if you have direct connection or if it goes through tunnels around the globe, so you have precise time. But if you go for methods like reading time from website applet, all the network latency problems get completely neglected and just add up to the error of the internal server. You could just as well sync it to your hand watch instead.
  • radio (Score:4, Interesting)

    by Fëanáro (130986) on Saturday July 30, 2005 @07:11PM (#13204518)
    you could build a device that gets the time via radio (LINK [buzzard.me.uk]) or buy one that does this (like a gps receiver?).

    or if any udp port is open in the firewall, set up a ntp server outside that answers on that port
    • Re:radio (Score:4, Insightful)

      by samjam (256347) on Saturday July 30, 2005 @07:41PM (#13204687) Homepage Journal
      I like this idea.

      First get a written refusal in response to a written request to open NTP on the firewall.

      Then use this to justify a hardware purchase for the clock hardware.

      Wait till bosses realise that a $500 piece of kit and a couple of days setting up could be replaced by 5 mins configuration by a dolt.

      Sam
      • thats the way i would do it too
      • Wait till bosses realise that a $500 piece of kit and a couple of days setting up could be replaced by 5 mins configuration by a dolt.
        You sure about that? My boss told me to buy a switch so that I could have additional ports in my cube (I have 2 and need 2, but one is used by the workgroup printer), as opposed to having someone move the printer 6 feet to hook up to an unused second port in another cube - or just get a longer LAN cable.
        • Well, that makes sense.

          You are already feeling the pinch of the scarcity of switch ports, juggling them around isn't a long term solution and one day the pinch will be very inconvenient.

          Better get a new switch now before it gets urgent instead of afterwards.

          The expense will be offset against the convenience now and the lack of severe inconvenience in the future.

          Sam
          • No, he wants a small switch (actually, he asked that I purchase a "router" complete with a WAP built in, even though the company doesn't support wireless networks and it'd be a big security problem if left open) just in my cube to serve only me. I'm one of a very few people who have a second computer, so the idle LAN drops in the other 90% of cubes (yes, they wired 2 for each cube, but don't use them) are going to remain idle for a very, very long time.
  • Tunneling (Score:2, Informative)

    The most common solution to a firewall blocking a particular port or service: tunnel it. SSH is probably the easiest form of tunneling and putty has a great command line utility for just that. But you can also tunnel over HTTP using some basic programming skills. Worst case: set up a port forwarder on the outside of the network that forwards requests on port 80 to time.gov (or some other trusted NTP server) then set your internal NTP server to sync with it on port 80. (This assumes, of course, port based fi
  • by moreati (119629) <alex@moreati.org.uk> on Saturday July 30, 2005 @07:31PM (#13204640) Homepage
    1. Hook up a GPS receiver directly, via the usb/serial port, use whatever software [google.co.uk] to interface

    2. Use HTP: HTTP Time Protocol [clevervest.com]

    • 1. Hook up a GPS receiver directly, via the usb/serial port, use whatever software to interface

      This might work if your server is near a window, or you could get a GPS with an external antena that you can run outside.

      GPS's tend not to work too well when you are inside a building. Mine does not work inside unless it is near a window. In fact it does not work too well with heavy tree cover. If I am an a forest with large trees, and cannot see the sky, it gets no signal. Sadly, when I am in the trees like
  • Find a new job that comes with the authority you need to do it.
  • You should use NTP (Score:5, Insightful)

    by Anonymous Coward on Saturday July 30, 2005 @07:40PM (#13204684)
    Correct subsecond time is important.

    If your boxes are hacked and you go into court and you can't demonstrate that your log timestamps have anything to do with reality, you might not be able to use them as evidence.

    You also would like to be able to accurately judge HTTP cache timeouts and other time-sensitive things.

    You also don't want your time to "step" (jump by more than one second) if you can help it. It screws up sensitive daemons and I've seen more than one box crash and burn and start spawning crap when the clock jumped backwards.

    Have them open up the damn firewall, set up a reliable Unix-based NTP server on the inside that syncs to something outside, and have the workstations sync up with that.

    You CANNOT tunnel NTP over SSH. NTP uses UDP.

    You also don't want to just get the time from some web page and set the clock because your clock may jump, and you don't adjust for latency correctly either (NTP is *complicated* because there are a lot of edge cases and complex concepts here). Also you'd like to be able to select from multiple sources and throw out any outliers, in case one has been hacked.

    If you can't do the sane thing, which is open up the firewall, you can just set up a local Unix NTP server and at least your boxes will all have the same time as that box, even if it's the "wrong" time.

    You can also use GPS or a dialup modem to set the time on your NTP server.

    To recap:

    1) set up a centralized NTP server
    2) sync to that NTP server
    3) if possible, sync that NTP server to another external NTP server, OR a radio or modem signal.

    It ain't rocket science folks.
    • You can tunnel NTP over SSH if you first tunnel the UDP over TCP, e.g. using tcptunnel(1).
    • Hmmm, curious, I thought you could tunnel IP over SSH. It doesn't matter what what NTP uses as transport for it. It should tunnel. Now, it might screw up the protocol. However, the protocol should just treat the tunnel as a UDP connection with fairly odd properties.

      Kirby

    • If your boxes are hacked and you go into court and you can't demonstrate that your log timestamps have anything to do with reality, you might not be able to use them as evidence.

      Unless you are logging to write once media, or something other than a text file that you can manually edit, aren't many courts that'll consider logs as evidence. Police may like them, and use them as pointers for a trail to 'real evidence', but logfiles themselves wont stand up to cross examination, unless they are proven to be

  • "Atomic Clock" card (Score:5, Informative)

    by SA Stevens (862201) on Saturday July 30, 2005 @07:57PM (#13204767)
    You can run a local NTP server, and install an 'Atomic Clock' receiver in it, on a Card. Basically it's a 10 MHz WWV receiver that decodes the time info and reads it into the PC. They've been around a long time.
    • This has got to be the easiest suggestion someone has said. Not only are you avoiding potential NTP exploits in the network, you are also not going head to head with your boss. The solution is likely extremely cost effective, easy to implement, and relatively pain free. It solves all of his problems and very elegantly too. Sir, you deserve to be modded up, but for some reason, I have not seen modpoints for months now. What's going on with that? I tried metamoderating 20 times in a row and still no modpoints
    • Have you checked the obvious? Many routers and firewalls also serve NTP. Try polling NTP on the firewall. It just might work.

      If that doesn't work, try polling the local router. Try polling a remote router that's still inside the firewall.

      A customer of mine has several sites, and the sites are linked through frame relay (or is it T-1?). The firewall blocks port 123, so NTP with the outside world is (generally) out of the question. However, the frame provider is MCI, who also happens to manage the routers for
  • :~> curl --dump-header - -o /dev/null time.gov
    HTTP/1.1 200 OK
    Server: Netscape-Enterprise/4.1
    Date: Sat, 30 Jul 2005 23:55:38 GMT
    Content-type: text/html
    Etag: "3f2f157-1-292b-41dc304b"
    Last-modified: Wed, 05 Jan 2005 18:22:03 GMT
    Content-length: 10539
    Accept-ranges: bytes


    You don't have milliseconds this way, but with a program smart enough you can collect them over time.
  • That site uses Javascript, not Java.

    Furthermore, all the Javascript does is tick a clientside counter. A timestamp is supplied when the page is loaded, and a javascript increments it using ticks on your PC, not the server.

    You could parse the HTML page to pull off the timestamp. It wouldn't be very precise, but might be good enough. NTP does lots more then just ask a server for a timestamp though, it does predictions of network latency and factors that in as well.
  • Synced with what? (Score:4, Interesting)

    by spaceyhackerlady (462530) on Sunday July 31, 2005 @12:48AM (#13205890)

    Do the systems need to be synced to the outside world, or merely consistent with each other?

    If the silly firewall people won't help you (you might remind them that you do in fact work for the same company...), you need to set up your own NTP server. Either a real one with a GPS receiver, or a pretend one that everybody can follow and have the same time, regardless of what that time actually is (see initial question).

    The occasional phone call to the NIST's dialup time server [nist.gov] might be useful too.

    ...laura

  • Companies make GPS-timeclock receivers that connect to your server with a serial cable and have software to do clock drift adjustment. If you can get a GPS signal, you're set.
  • HTPdate [clevervest.com] would seem to be what you're after here.

    There's a perl implementation that will work on Windows machines.

  • I just use a nice little program that, among many other features, happens to synch the clock over HTTP. It's called Naviscope and is, the last time I looked, now abandonware. No biggie since they never charged for it in the first place.

    Other features include: DNS caching, programmable (delayable) prefetch by site including number of threads and depth, blocking of (simple) advertisements, site backgrounds, blinking text, pop-ups (while loading or entirely), UserAgent, Referrer, cookies, Javascripts, and

  • You want NTP opened on the firewall. Do you have a business need for time or will just having your systems synch'd with each meet the requirements?

    If you can get by with keeping the same time, set up a master/secondary time server and keep time with those.

    If you need accurate time, you start with a formal request to the group that maintains the firewall. State your case, list the time source(s) you'll be using. Assuming that request is turned down, you provide the quotes for setting up in house time

  • Cisco routers (almost always...) have the ability to be an NTP server and client. Have them do that. Clean, simple solution.

    Failing that, look at clockspeed from DJB. He's terribly clever.

    --
    lds
  • Most webservers return the date in the HTTP headers.

    For example, try:
    curl --head http://www.google.com/ [google.com]
  • Try NIST.pl [freshmeat.net]
  • I'm in the UK and we sync from the Rugby time service, which broadcasts UTC time over radio. This is reliable, but not authenticated.
    You can get a serial dongle and software that receives this for very little money.
  • Use a cheap GPS (Score:3, Informative)

    by Telecommando (513768) on Sunday July 31, 2005 @12:43PM (#13208177)
    Buy a Delorme Tripmate on Ebay. Buy or build a power/serial cable. Connect pins 2&3 on the serial port so the Tripmate will self start. Parse the ASCII strings sent by the Tripmate. The string you need looks like this:

    $GPRMC,HHMMSS,A,LATITUDE,N/S,LONGITUDE,E/W,SPEED,D IRECTION,DDMMYY,MAGNETIC,E/W*CHECKSUM

    A search on Google for "Delorme Tripmate" and/or "NMEA-0183" should turn up plenty of info.

    I use a Tripmate in my car connected to a Microchip PIC and an LCD to display time, date, location, speed and direction.

    • Pins 2&3 on a 9-pin or 25-pin port? (I'm guessing it's 9-pin, but please be specific.)
    • Cheap mass market GPS's don't make very good time sources for NTP. They don't output the NMEA text on the GPS second, and they don't output the NMEA text at precise 1-second intervals.

      There are inexpensive OEM GPS boards that include a precision PPS output that work very well with NTP.

      Getting the IT idiots to open up the NTP port seems like the easiest thing though.

  • HTTP servers send a Date: modifier in their response. It doesn't get you millisecond resolution but it's better than nothing the way some machines' clocks drift.

    $ telnet ntp.isc.org 80
    Trying 204.152.184.138...
    Connected to ntp.isc.org.
    Escape character is '^]'.
    HEAD / HTTP/1.0

    HTTP/1.1 302 Found
    Date: Sun, 31 Jul 2005 17:10:58 GMT
    Server: Apache
    Location: http://ntp.isc.org/bin/view/Main/WebHome [isc.org]
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    Connection closed by foreign host.
  • by ken95357 (666403)
    Why not ask the firewall people if they have an NTP source you can use? If they don't, ask them to set one up for you that way they don't have to open their firewalls to your NTP needs.
  • TV tuner card (Score:2, Interesting)

    by Hangeron (314487)
    I have a cheap Hauppauge WinTV card and I sometimes use alevt-date in linux to set clock. I've setup a script that sets clocks on 3 other computers aswell through ssh.
  • Configure your internal NTP server to syncronize with the internal domain controller(s).

    Sometimes having Linux-on-the-Brain makes you dumb...

  • I understand the extreme paranoia of a firewall admin, especially if there are large numbers of windoze machines on her network. There may be a touch of tin-foil hat syndrome from rumours that windoze machines report activation codes encoded in SNTP requests to time.windows.com. If you are on a government network, then some security dudes have already demo'd tunneling secret info over NTP UDP [doxpara.com] packets, resulting in your properly locked down windoze network. There really is no reason a windoze machine needs t
  • Forget time syncing. If you absoultely can't get the time from outside -- get a GPS time piece. They hook up to your computer and provide accurate time signals from the GPS satelites which all carry atomic clocks. Use the computer this is connected to to run internal NTP.
  • If the firewall truly cannot be changed, then use your own NTP primary time source which syncs off of the GPS constellation. This is a more secure way of keeping accurate time and is used by telecoms to sync their networks.

    http://www.truetime.net/nts200.html [truetime.net]

  • Is there anything particularly wrong with getting a few UNIX boxen (for redundancy) with accurate clocks and setting their times manually?
  • Hardware boxes (Score:3, Interesting)

    by wcdw (179126) on Monday August 01, 2005 @03:16PM (#13216440) Homepage
    This is not what the submitter wanted to know. However, for all of you who have proposed hardware GPS-based solutions, you might want to note that there are also companies making similar hardware which get their time signal from the CDMA cellphone signals.

    CDMA in turn gets its time from GPS, but is far easier to receive in most locations - no need to run an antenna cable up to the roof. They also tend to be cheaper.
    • There are no actual guarentees that CDMA time will be accurate. Its supposed to be, but it doesn't have to be. A friend that does cell phone work has recorded cell towers off by minutes.. even days.

      • I don't work in the industry, but I have read the literature on the CDMA devices. It is also my understanding that the cellphone network requires accurate timestamps in order to generate proper billing records.

        In practice, I have never found the time displayed on my phone to be incorrect (as compared to an NTP-synched box). I also regularly find time.twc.weather.com as the primary source in my NTP list(s) -- notable as that *is* a CDMA-based box.

        YMMV....
  • Like the title says, do you really need to pull time from the outside world, or are you just looking for reasonable consistancy?

    If it's the latter (and assuming the servers support feeding time to clients, which they probably do), you can use a windows task on the client machines to run the following command:

    net time \\server /set /y

    You can put that into a batch file, put a "cls" at the end, set the task to run said batch file (as an account with admin priv's) and make it run whenever you feel like it. Logo

No amount of genius can overcome a preoccupation with detail.

Working...