NTP - Time server or time client
The Smoothwall can serve both as an NTP server and as an NTP client. Time synchronization is important when connecting to an Active Directory because time skew needs to be less than five minutes for user authentication to work. Here we look at best practices when using the Smoothwall system as a UTM (firewall and web filter) and when using the Smoothwall as a web filter only.
Web filter and general recommendation
When using the Smoothwall as a web filter we recommend that you set up the NTP service as a client. To achieve this:
- In the Smoothwall, on the SYSTEM menu, under the Preferences submenu, click Time.
- Use these settings:
  - For "User defined single public or local server", enter the IP address of an internal Windows AD controller. Using an Active Directory server ensures that the Smoothwall is always in sync with the local time seen by servers and clients in the Active Directory. The interval setting can be set higher or lower based on the reliability of the NTP updates.
  - Do NOT enable any of the interfaces under "Network time service interfaces", because that switches the Smoothwall from NTP client mode to NTP server mode.
In most cases, you should run NTP on the Smoothwall as a client. This setup is simple and works well in all cases.
UTM and advanced setup
A more advanced setup is to use the Smoothwall as the time service for your internal Windows servers and have the Smoothwall synchronize using public time servers. When the Smoothwall is deployed as a firewall, this mode optimizes time synchronization because internal systems only need to talk to the Smoothwall.
Enabling one or more interfaces in the "Network time service interfaces" switches the Smoothwall into NTP service mode. Again, the interval can be set to whatever value fits best. Internally, Windows servers should be set to use the Smoothwall as their NTP server. Clients will still use the Windows servers. On BYOD networks, the Smoothwall interface on that network can be enabled, and clients can be set to use the Smoothwall as their NTP server using the DHCP scope settings.
This setup keeps all NTP traffic internal to your network; only time updates and checks from the Smoothwall system itself talk to external addresses.
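To confirm that either setup keeps a time source inside the five-minute limit mentioned at the top of this article, the following added example (not Smoothwall code) sends one SNTP request to a host and computes the clock offset relative to the machine running the script. It assumes the queried host answers NTP on UDP port 123: the AD controller in client mode, or a Smoothwall interface enabled under "Network time service interfaces" in service mode. All function names are illustrative, and build_reply produces a constructed sample packet for offline checks.

```python
import socket, struct, sys, time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 300         # five-minute limit stated in this article

def _ts(data, pos):
    """Decode the 64-bit NTP timestamp at byte position pos into Unix seconds."""
    secs, frac = struct.unpack("!II", data[pos:pos + 8])
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def parse_offset(reply, t1, t4):
    """Return (offset_seconds, stratum); t1/t4 are local send/receive times."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not an NTP server reply")
    if leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server reports it is not synchronised")
    t2, t3 = _ts(reply, 32), _ts(reply, 40)   # server receive / transmit times
    return ((t2 - t1) + (t3 - t4)) / 2, stratum

def within_tolerance(offset, limit=MAX_SKEW_SECONDS):
    """True when the absolute offset is less than the allowed skew."""
    return abs(offset) < limit

def query(server, timeout=3.0):
    """Send one SNTP client request to server:123 and parse the answer."""
    request = b"\x23" + 47 * b"\0"            # LI=0, VN=4, mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_offset(reply, t1, t4)

def build_reply(server_time, stratum=2, leap=0):
    """Constructed sample reply (not captured traffic) for offline checks."""
    secs = int(server_time) + NTP_EPOCH_DELTA
    header = struct.pack("!BBbb", (leap << 6) | 0x24, stratum, 0, 0)
    return header + 28 * b"\0" + struct.pack("!IIII", secs, 0, secs, 0)

if __name__ == "__main__":
    # Pass one or more IP addresses (AD controller, Smoothwall interface).
    for host in sys.argv[1:]:
        offset, stratum = query(host)
        state = "OK" if within_tolerance(offset) else "SKEW TOO LARGE"
        print(f"{host}: offset {offset:+.3f}s, stratum {stratum}: {state}")
```

A reply with stratum 0 or the leap indicator set to 3 is rejected because the server itself is not synchronised, which matters as much as the offset.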