...

To secure communications between a NIOS appliance and an NTP server, you can authenticate communications between the appliance and the NTP server. When you configure authentication, you must obtain the key information from the administrator of the NTP server and enter the key on the appliance. For information, see the Authenticating NTP section.

In a Grid, you can configure the Grid Master and Grid members to synchronize their clocks with external NTP servers. When you enable the NTP service on the Grid, the Grid Master automatically functions as an NTP server to the Grid members. A Grid member can synchronize its time with the Grid Master, an external NTP server, or another Grid member. When Grid members synchronize their times with the Grid Master, the Grid Master and its members send NTP messages through an encrypted VPN tunnel, as shown in the following figure. When a Grid member synchronizes its time with another Grid member, the NTP messages are not sent through a VPN tunnel.

...

  1. From the Grid tab, select the Grid Manager tab, expand the Toolbar and click NTP -> NTP Grid Config.
  2. In the General tab of the Grid NTP Properties editor, select Synchronize the Grid with these External NTP Servers.
  3. Click the Add icon to add external NTP servers and enter the following information in the Add NTP Server dialog box:
    • NTP Server (FQDN or IP Address): Enter either the IP address or the resolvable host name of an NTP server. Entries may be an IPv4 or IPv6 address. You can view a list of public NTP servers at ntp.isc.org. To check whether the DNS server can resolve the NTP server host name, click Resolve Name. You must have a DNS name resolver configured. For information, see Enabling DNS Resolution.
    • Enable Authentication: Select this option to enable authentication of NTP communications between the external NTP server and the NIOS appliance (the Grid Master or Grid member in a Grid, an independent NIOS appliance, or the active node in an independent HA pair).
      Note that to prevent intruders from interfering with the time services on your network, you can authenticate communications between a Grid member and an external NTP server, as well as between a Grid member and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the Grid Master and Grid members.
    • Authentication Key: Select a key that you previously entered from the drop-down list.

    • Click Add to add the NTP server to the list or Cancel to cancel the operation. In the table, you can view or configure the following settings:
      • Preferred: Select this to mark an external NTP server as the preferred NTP server. You can select only one server as the preferred NTP server. NIOS uses the responses from this preferred server over responses from other external NTP servers. A response from a preferred server will be discarded if it differs significantly from the responses of other servers. Infoblox recommends that you select an NTP server that is known to be highly accurate as the preferred server, such as one that has special time monitoring hardware. Note that this option is enabled only when you have selected the checkbox Synchronize the Grid with these External NTP Servers.
      • Server: Displays the FQDN or IP address of the NTP server that you added.
      • Authentication: When you enable authentication, this column displays Yes. Otherwise, it displays No.
      • Key Number: Displays the authentication key that you have selected.
      • BURST: Select this checkbox to configure the NTP client to send a burst of eight packets if the external NTP server is reachable and a valid source of synchronization is available. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance enables this option by default. When you deselect this checkbox, the client sends only a single packet to the server.
      • IBURST: Select this checkbox to configure the NTP client to send a burst of eight packets if the external NTP server is not reachable when the client sends the first packet to the server. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance enables this option by default. When you deselect this checkbox, the client sends only a single packet to the server.
        For information about adding NTP authentication keys, see the Adding NTP Authentication Keys section.
  4. Save the configuration and click Restart if it appears at the top of the screen.
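The authentication described in this procedure is NTP symmetric-key authentication: the shared key (identified by the Key Number shown in the table) is used to append a message authentication code to each NTP packet, and the receiver recomputes it before trusting the packet. The following Python is an added example, not NIOS code or anything from Infoblox; it assumes the RFC 5905 MAC layout (4-byte key ID followed by a digest of the secret concatenated with the 48-byte header), an ntpd-style key table with MD5 and SHA1 key types, and a constructed set of placeholder keys and a constructed trusted-key set. A packet with no MAC, an unknown or untrusted key number, or a MAC that does not match is rejected with the reason.

```python
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# Constructed key table in the shape of an ntpd keys file: key number -> (digest type, secret).
# The key number is what the "Key Number" column shows. Secrets are placeholders, not real keys.
KEY_TABLE = {
    1: ("MD5", b"placeholder-md5-secret"),
    2: ("SHA1", bytes.fromhex("00112233445566778899aabbccddeeff00112233")),  # placeholder, 20 bytes
}
TRUSTED_KEY_IDS = {1, 2}  # key numbers the receiver is willing to accept (assumed "trustedkey" set)

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def ntp_timestamp(unix_seconds):
    """Split a Unix time into the two 32-bit words of an NTP 32.32 fixed-point timestamp."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return whole + NTP_UNIX_OFFSET, frac


def build_client_header(unix_seconds):
    """48-byte NTPv4 client request (mode 3) carrying only the transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3  # LI=0, VN=4, mode 3 (client)
    tx_sec, tx_frac = ntp_timestamp(unix_seconds)
    return struct.pack("!BBBb11I", li_vn_mode, 0, 0, 0,
                       0, 0, 0,            # root delay, root dispersion, reference ID
                       0, 0, 0, 0, 0, 0,   # reference, origin and receive timestamps
                       tx_sec, tx_frac)    # transmit timestamp


def compute_mac(key_id, header, key_table=KEY_TABLE):
    """Symmetric-key MAC: 4-byte key ID followed by digest(secret || header)."""
    digest_type, secret = key_table[key_id]
    digest = DIGESTS[digest_type](secret + header).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(header, key_id, key_table=KEY_TABLE):
    """Client side: append the MAC for the configured key number."""
    return header + compute_mac(key_id, header, key_table)


def verify_packet(packet, key_table=KEY_TABLE, trusted=TRUSTED_KEY_IDS):
    """Receiver side: returns (accepted, reason). Only packets with a valid MAC under a trusted key pass."""
    if len(packet) == 48:
        return False, "no mac"
    if len(packet) not in (48 + 4 + 16, 48 + 4 + 20):  # MD5 or SHA1 digest lengths
        return False, "bad length"
    header, key_id_bytes, digest = packet[:48], packet[48:52], packet[52:]
    key_id = struct.unpack("!I", key_id_bytes)[0]
    if key_id not in trusted or key_id not in key_table:
        return False, "untrusted key id %d" % key_id
    expected = compute_mac(key_id, header, key_table)[4:]
    # constant-time comparison so a forged MAC cannot be refined byte by byte from timing
    if len(expected) != len(digest) or not hmac.compare_digest(expected, digest):
        return False, "mac mismatch"
    return True, "ok"


if __name__ == "__main__":
    hdr = build_client_header(1700000000.5)
    print(verify_packet(sign_packet(hdr, 1)))   # accepted
    print(verify_packet(hdr))                   # rejected: no mac
```

The key number travels in the clear and only selects which secret to use; the secret itself never leaves the two hosts, which is why it must be obtained from the NTP server's administrator and entered on the appliance rather than negotiated over the wire.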

...

  1. Grid: From the Grid tab, select the Grid Manager tab, expand the Toolbar and click NTP -> NTP Grid Config.
    Member: From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox. Expand the Toolbar and click NTP -> NTP Member Config.
    To override an inherited property, click Override next to it and complete the appropriate fields.
  2. In the Access Control tab of the Grid or Member NTP Properties editor, select one of the following to configure NTP access control:
    • None: Select this if you do not want to configure access control for NTP service. When you select None, the appliance allows all clients to access the NTP service. This is selected by default.
    • Use Named ACL for Time only: Select this and click Select Named ACL to select a named ACL that contains only IPv4 addresses and networks. NTP queries do not support TSIG key based ACEs. When you select this, the appliance allows clients that have the Allow permission in the named ACL to use its NTP service; NTP control (ntpq) queries from the named ACL entries specified here are denied. You can click Clear to remove the selected named ACL, in which case the appliance accepts ntpq queries from those NTP clients.
    • Use Named ACL for Time + NTP Control (NTPQ): Select this and click Select Named ACL to select a named ACL that contains only IPv4 addresses and networks. NTP queries do not support TSIG key based ACEs. When you select this, the appliance allows clients that have the Allow permission in the named ACL to use its NTP service and also accepts ntpq queries from those clients. You can click Clear to remove the selected named ACL.
    • Use this set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding, as follows:
      • IPv4 Address: Select this to add an IPv4 address. Click the Value field and enter the IPv4 address. The default permission is Allow, which means that the appliance allows access to and from this IPv4 client. You cannot change the default permission. In the Service field, select Time only to allow this client to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from this client.
      • IPv4 Network: Select this to add an IPv4 network. Click the Value field and enter the IPv4 network. The default permission is Allow, which means that the appliance allows access to and from this IPv4 network. You cannot change the default permission. In the Service field, select Time only to allow this network to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from this network.
      • IPv6 Address: Select this to add an IPv6 address. Click the Value field and enter the IPv6 address. The default permission is Allow, which means that the appliance allows access to and from this IPv6 client. You cannot change the default permission. In the Service field, select Time only to allow this client to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from this client.
      • IPv6 Network: Select this to add an IPv6 network. Click the Value field and enter the IPv6 network. The default permission is Allow, which means that the appliance allows access to and from this IPv6 network. You cannot change the default permission. In the Service field, select Time only to allow this network to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from this network.
      • Any Address/Network: Select this to allow access to all IPv4 and IPv6 addresses and networks. The default permission is Allow, which means that the appliance allows access to and from all IPv4 and IPv6 clients. You cannot change the default permission. In the Service field, select Time only to allow all clients to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from all clients.
        After you have added access control entries, you can do the following:
        • Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.
        • Reorder the list of ACEs using the up and down arrows next to the table.
        • Select an ACE and click the Edit icon to modify the entry.
        • Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.
      • Enable KoD: When you select this checkbox, the appliance (when acting as an NTP server) sends a KoD (Kiss-o'-Death) packet to the NTP client if the client has exceeded the rate limit. The KoD packet contains the stratum field set to zero and the ASCII string in the Reference Source Identifier field set to RATE, indicating the packets sent by the client have been dropped by the server. When you clear the checkbox, the NTP server drops the packets but does not send any KoD packet to the client. This checkbox is deselected by default. For more information about KoD, see the Enabling Kiss-o'-Death for NTP section.
  3. Save the configuration and click Restart if it appears at the top of the screen.
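To make the access-control and KoD behaviour of this procedure concrete, the following Python is an added example, not NIOS code or anything from Infoblox. It models an ordered ACE table with the two Service levels (Time only, Time + NTP Control (NTPQ)), decides what the appliance acting as NTP server does with a request (serve it, deny it under the ACL, silently drop it when rate-limited with KoD off, or answer with a KoD packet when KoD is on), builds the KoD reply the page describes (stratum 0, reference identifier RATE), and shows the client-side reaction to it. The ACE table, the first-match-wins evaluation order, and the rate-limit flag passed in by the caller are assumptions made for this example.

```python
import ipaddress
import struct

# Service levels as they appear in the Grid Manager Service field
TIME_ONLY = "Time only"
TIME_AND_NTPQ = "Time + NTP Control (NTPQ)"

# Constructed ACE table (not from the page). Entries are evaluated top to bottom and the
# first match wins; that ordering rule is an assumption for this example. The value is an
# address, a network, or "any" (the Any Address/Network entry).
SAMPLE_ACES = [
    ("10.0.5.7", TIME_AND_NTPQ),   # IPv4 Address: one monitoring host may run ntpq
    ("10.0.0.0/8", TIME_ONLY),     # IPv4 Network: the rest of 10/8 gets time only
    ("2001:db8::/32", TIME_ONLY),  # IPv6 Network
]


def ace_matches(value, client_ip):
    """True if the ACE value (address, network or 'any') covers client_ip."""
    if value == "any":
        return True
    addr = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(value, strict=False)  # a bare address becomes a /32 or /128
    return addr.version == net.version and addr in net


def service_for(aces, client_ip):
    """Service granted to client_ip by the first matching ACE, or None if nothing matches."""
    for value, service in aces:
        if ace_matches(value, client_ip):
            return service
    return None


def decide(aces, client_ip, ntpq_query, over_rate_limit, kod_enabled):
    """What the appliance-as-server does with one request.

    'deny'  - the ACL grants no access for the requested service (ntpq needs Time + NTPQ)
    'drop'  - client exceeded the rate limit and Enable KoD is off: packet dropped silently
    'kod'   - client exceeded the rate limit and Enable KoD is on: reply with a KoD packet
    'serve' - otherwise
    """
    service = service_for(aces, client_ip)
    if service is None or (ntpq_query and service != TIME_AND_NTPQ):
        return "deny"
    if over_rate_limit:
        return "kod" if kod_enabled else "drop"
    return "serve"


def build_kod_packet(code=b"RATE"):
    """48-byte NTPv4 server reply (mode 4) with stratum 0 and the ASCII kiss code as reference ID."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4  # LI=0, VN=4, mode 4 (server)
    return struct.pack("!BBBbII4s8I", li_vn_mode, 0, 0, 0,  # stratum 0 marks a KoD packet
                       0, 0,                                  # root delay, root dispersion
                       code.ljust(4, b"\0"),                  # reference ID carries the kiss code
                       *([0] * 8))                            # four zeroed timestamps


def kiss_code(packet):
    """Client side: return the kiss code ('RATE', ...) if this reply is a KoD packet, else None."""
    if len(packet) < 48:
        return None
    stratum = packet[1]
    refid = packet[12:16]
    if stratum != 0:
        return None
    return refid.rstrip(b"\0").decode("ascii", errors="replace")


def next_poll_interval(packet, current_poll, max_poll=1024):
    """Client-side reaction: on a RATE kiss code, back off by doubling the poll interval."""
    if kiss_code(packet) == "RATE":
        return min(current_poll * 2, max_poll)
    return current_poll


if __name__ == "__main__":
    print(decide(SAMPLE_ACES, "10.1.2.3", True, False, True))      # deny: Time only, no ntpq
    print(decide(SAMPLE_ACES, "2001:db8::1", False, True, True))   # kod
    print(kiss_code(build_kod_packet()), next_poll_interval(build_kod_packet(), 64))
```

Two points the code makes visible: an ACE with Time only never admits ntpq control traffic, so a client that exceeds the rate limit only learns why it is being ignored if Enable KoD is on; with the checkbox cleared, the drop is silent, which is quieter on the wire but leaves a misbehaving client with no signal to slow down.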

...