Endpoint Protection


To install or not to install Symantec NTP to Window Server?

  • 1.  To install or not to install Symantec NTP to Window Server?

    Posted Apr 19, 2011 01:57 AM

    Is it a must to install NTP on Windows Servers? Based on Symantec whitepapers, it is recommended to install it for better protection (http://www.symantec.com/business/support/index?page=content&id=TECH92440), but from what I read on several forums, many people, including Symantec employees and technical support, discourage the installation but didn't provide reasons or any documentation. Below are some of the links from the forums:

    http://www.symantec.com/connect/forums/what-network-protection-firewall-really-do

    http://www.symantec.com/connect/forums/sep-blocking-dhcp-requests-adding-rule-does-not-resolve

    http://www.symantec.com/connect/forums/server-2003-inaccessible-threat-protection-network-activate

    Can anyone help to clarify?

    (The reason I'm asking is that I now have issues with TSM and teaming when NTP is installed. No problem if NTP is not installed.)



  • 2.  RE: To install or not to install Symantec NTP to Window Server?

    Broadcom Employee
    Posted Apr 19, 2011 02:08 AM

    NTP adds more security; however, care needs to be taken to verify the rules before enabling block. The reason is that the server handles many client connections, and it should not happen that it blocks relevant traffic.

    Though it is stealth, there could be a slight delay in analyzing the network traffic.



  • 3.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 19, 2011 02:13 AM

    A server has a lot of other functions to do; if you want to use NTP then you have to compromise your server's performance. Installing without testing the firewall rules might bring your server to a halt... Since we all have a hardware firewall at the gateway, we never thought that it's important to have NTP on servers. I would rather skip it than install it without testing.



  • 4.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 19, 2011 06:12 AM

    Hi Rafeeq

    Is there any documentation to support your statement regarding 'it's not important to have NTP on servers as a hardware firewall in gateway already in place'?

    My management might not be convinced without proof....



  • 5.  RE: To install or not to install Symantec NTP to Window Server?

    Broadcom Employee
    Posted Apr 19, 2011 06:26 AM


  • 6.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 19, 2011 06:28 AM

     

    Best Practices for Installing Symantec Endpoint Protection on Windows Servers

     
    Use it when you have tested it.


  • 7.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 19, 2011 06:39 AM

    Hi pete_4u2002

    Although NTP adds more security, aren't they doing double work, since this security task can be handled by the gateway firewall, as mentioned in the next thread?



  • 8.  RE: To install or not to install Symantec NTP to Window Server?

    Broadcom Employee
    Posted Apr 19, 2011 06:44 AM

    How about a system that is already compromised within the network and tries to exploit the other systems in the network? This protection is needed on desktop unless you feel so.



  • 9.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 19, 2011 10:31 AM

    This linked document says the following:

    Intrusion Protection Signatures (IPS) help to block attacks and threats based on the type of network traffic. While there are rare instances in which a server's activities may trigger one of these alerts, using IPS is strongly recommended to prevent against non-file based attacks against servers.

    This is definitely not an argument for not using NTP!

    sandra



  • 10.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 19, 2011 10:39 AM

    NTP is very important if for no other reason than for Intrusion Prevention, even if you put the firewall component in 'passthrough mode' by withdrawing the firewall policy:

    Best practices regarding Intrusion Prevention System technology
    http://www.symantec.com/docs/TECH95347

    Edit: you said you're having "issues with TSM and teaming when NTP is installed"--care to elaborate? Which version of SEP is installed? Maybe we can assist.

    sandra



  • 11.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 20, 2011 12:41 AM

    Hi Sandra

    I'll reproduce the TSM issue with Symantec Support as follows:

    --------------------------------------------------------------------------------------------------------------------------------

    I have this IBM TSM reporter but the TEPS connectivity service cannot start up. After removing the network threat feature from SEP, it works. Before I removed network threat, I checked the logs but there was no blocking at all.
    The following link pinpoints the network threat feature in SEP as the culprit:
    http://adsm.org/forum/showthread.php?21068-TEPS-connectivity-fail

    --------------------------------------------------------------------------------------------------------------------------------

    Have performed a WebEx session with Symantec Support:

    Confirmed the following:
    - Disabling NTP did not help.
    - Windows Firewall turned off.
    - Moved the "Allow all applications" rule to the top but it did not help.

    --------------------------------------------------------------------------------------------------------------------------------

    Log collected from TSM:

    (4CEF6E38.0000-12B8:kbbssge.c,52,"BSS1_GetEnv") KEYFILE_DIR="d:\IBM\itm\keyfiles"
    (4CEF6E38.0001-12B8:kbbssge.c,52,"BSS1_GetEnv") KEYFILE_DIR="d:\IBM\itm\keyfiles"
    (4CEF6E38.0002-12B8:kdssqrun.c,951,"CreatePath") Create Path Error. status 1021 path NCS:{SOCKET=ip.pipe:#169.254.95.120[1918]} CT/DS:{SERVER=SRVR01}
    (4CEF6E38.0003-1BDC:ctauthorizationevaluator_i.cpp,917,"CTAuthorization::Evaluator_i::executeQuery") EXCEPTION: ::CTProperty::PropertyBasedException - Failed when validating user through Authenication service
    (4CEF6E38.0004-1BDC:ctrashelper.cpp,61,"RAS_CORBA_UserException") EXCEPTION: CORBA User Exception has occurred

    (4CEC9E4C.002E-E98:kdhslqm.c,188,"add_listener") listening: ip.ssl.https:49270
    (4CEC9E4C.002F-E70:kdebpap.c,125,"KDEBP_AssignPort") ip.pipe bound to port 1918: base=1918, limit=6014
    (4CEC9E4C.0030-E70:kdebpap.c,125,"KDEBP_AssignPort") ip6.pipe bound to port 1918: base=1918, limit=6014
    (4CEC9E4C.0031-E70:kdebpap.c,125,"KDEBP_AssignPort") ip6.spipe bound to port 3660: base=3660, limit=7756
    (4CEC9E4C.0032-E70:kbbssge.c,52,"BSS1_GetEnv") KGL_MSG2_UNIVERSAL="YES"
    (4CEC9E4C.0033-E70:kglmsww.c,137,"SendUniversalMessage") Universal Message send failed.
    (4CEC9E4C.0034-E70:kbbssge.c,52,"BSS1_GetEnv") KGL_MSG2_EVENTLOG="FORMAT kdsmain.msg"
    (4CEC9E4C.0035-E70:kglmsww.c,137,"SendUniversalMessage") Universal Message send failed.

    --------------------------------------------------------------------------------------------------------------------------------

    Symantec Support suspects the issue is the connection through IPv6, and suggests doing the following:

    1. Disable IPv6
    2. Reinstall NTP back
    3. Reproduce the issue.

    All performed; the issue still appears.
    --------------------------------------------------------------------------------------------------------------------------------

    Did a WebEx session with Symantec Support:

    SEP installed with AV/AS and NTP.
    Ran Wireshark and SylinkMonitor >> reproduced the issue >> saved Wireshark and SylinkMonitor.
    Disabling NTP >> issue still occurs.
    Uninstalled NTP and rebooted the machine.
    Reproduced the issue >> TEPS connectivity, works fine.

    --------------------------------------------------------------------------------------------------------------------------------

    Symantec Support set up the TSM server and monitoring server on their test site with help from my vendor IBM, and were able to reproduce the issue at their site with the vendor's help. The action now is:
    Awaiting backline response, as the case needs to be escalated further.

    --------------------------------------------------------------------------------------------------------------------------------

    End of story, but to be continued, as I'm still waiting for the backline response...... :(
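
Added example (not part of the original post, and not Symantec or IBM tooling): a Python parser for the trace-log lines quoted in post 11 that extracts the ports the agent bound and the endpoint in each CreatePath error, and marks whether that endpoint is a link-local address (169.254.0.0/16 or fe80::/10). The function names and the reading of the fields are assumptions based only on the lines shown above; the sample is a subset of those lines.

```python
import ipaddress
import re

# Subset of the trace lines quoted in post 11.
# Assumed layout: (time.seq-thread:source,line,"function") message
SAMPLE_LOG = r'''
(4CEF6E38.0002-12B8:kdssqrun.c,951,"CreatePath") Create Path Error. status 1021 path NCS:{SOCKET=ip.pipe:#169.254.95.120[1918]} CT/DS:{SERVER=SRVR01}
(4CEC9E4C.002E-E98:kdhslqm.c,188,"add_listener") listening: ip.ssl.https:49270
(4CEC9E4C.002F-E70:kdebpap.c,125,"KDEBP_AssignPort") ip.pipe bound to port 1918: base=1918, limit=6014
(4CEC9E4C.0031-E70:kdebpap.c,125,"KDEBP_AssignPort") ip6.spipe bound to port 3660: base=3660, limit=7756
'''

LINE = re.compile(r'^\((?P<ts>[0-9A-F]{8})\.(?P<seq>[0-9A-F]{4})-(?P<tid>[0-9A-F]+):'
                  r'(?P<src>[^,]+),(?P<lineno>\d+),"(?P<func>[^"]+)"\)\s*(?P<msg>.*)$')
BOUND = re.compile(r'^(?P<proto>\S+) bound to port (?P<port>\d+):')
SOCKET = re.compile(r'SOCKET=(?P<proto>[\w.]+):#(?P<addr>[0-9A-Fa-f.:]+)\[(?P<port>\d+)\]')

def parse(log):
    """Yield one dict per well-formed trace line; blank or foreign lines are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def analyse(log):
    """Return (bound_ports, path_errors) extracted from the trace text."""
    bound, errors = {}, []
    for rec in parse(log):
        b = BOUND.match(rec["msg"])
        if rec["func"] == "KDEBP_AssignPort" and b:
            bound[b["proto"]] = int(b["port"])
        s = SOCKET.search(rec["msg"])
        if rec["func"] == "CreatePath" and s:
            try:
                addr = ipaddress.ip_address(s["addr"])
            except ValueError:
                continue  # endpoint is not a literal IP address
            errors.append({"ts": rec["ts"], "proto": s["proto"], "addr": str(addr),
                           "port": int(s["port"]), "link_local": addr.is_link_local})
    # Annotate after the whole log is read: errors and bind lines can appear
    # in any order, or come from different files concatenated together.
    for e in errors:
        e["port_was_bound"] = bound.get(e["proto"]) == e["port"]
    return bound, errors

if __name__ == "__main__":
    ports, failures = analyse(SAMPLE_LOG)
    print("bound ports:", ports)
    for f in failures:
        print("CreatePath error:", f)
```
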

     



  • 12.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 20, 2011 06:32 PM

    We too use IBM TSM to back up our servers with NTP installed. Can't say that we've seen this error.

    Will have to keep an eye out for this error. Please report back the outcome of your case.



  • 13.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 25, 2011 02:58 AM

    Hi Ian

    Is your TSM working fine with NTP installed? May I know how you configured your NTP, for example, what to exclude?



  • 14.  RE: To install or not to install Symantec NTP to Window Server?

    Posted Apr 25, 2011 06:11 PM

    Hi.

    IBM manages our TSM backend. I have no idea what happens there. We simply install the agent, configure the options file for inclusions & exclusions & review the daily log files.

    As to the setup of our NTP in SEPM

    • Enable Intrusion Prevention = On (tick in the box)
    • Enable Denial of Service detection = On
    • Enable Port Scan detection = On
    • Excluded hosts = All our server to server communications. This excludes the TSM backend server IP addresses. This means TSM servers could potentially be blocked for 600 seconds.
    • Enable Smart DHCP = On
    • Enable Smart DNS = On
    • Enable Smart WINS = On
    • Enable NetBIOS protection = Off (no tick in the box)
    • Allow token ring traffic = Off
    • Enable Reverse DNS lookup = Off
    • Enable anti-MAC spoofing = Off

    In the Policy Components list under Network Services we have a definition for TSM Client

    • TCP remote = 1550
    • TCP local = 1555