• Status: Solved
  • Priority: Medium
  • Security: Public

Time Clock with Proxy Configuration capability

Hello EE,
We do not allow direct internet and have a new need for a network timeclock, but I am struggling to find a manufacturer to provide configurability of a proxy.  Any ideas?
Asked: operationsIT
1 Solution
 
kevinhsieh Commented:
How about an NTP/SNTP server that gets its time via the official US radio signal? No network connection required.

http://www.meinberg-usa.com/products/network-time-server/wwvb-ntp-time-server.htm

I am not sure what kind of proxy you are thinking of, but you just need one device to be able to reach an NTP server on the Internet on UDP 123. A router or firewall could do that, or maybe your proxy server can be your local NTP server if it has a general OS that can be configured.

Paul MacDonald, Director, Information Systems Commented:
I think the OP needs a device his co-workers can punch in/out on.  I may be wrong.  

May I ask why the time clock would need to access the Internet?

Dirk Kotte, SE Commented:
I would suggest using a UTM (firewall) as an NTP proxy.
The firewall gets the Internet time, and internal hosts use the firewall as their NTP server.
If your firewall does not provide this function, you may place a Sophos UTM within the DMZ.
 
frankhelk Commented:
The most "straightforward" solution would be some NTP time server appliance, as suggested earlier.

The second most simple idea would be to use the firewall as "NTP proxy". If it gets its time from the internet, you'll just have to allow client access to the firewall's NTP on the "inner" network interface.

Probably that's already open ... let's check that:

Download the tool NTPMonitor from here. Configure it to watch your firewall. Run it. Wait 5 minutes ...

  • If you get data from the firewall's NTP: Bingo!
  • If not, try to enable access to the firewall's NTP server.
  • If the firewall doesn't have an NTP service, install it.
  • As an alternative you could configure a demilitarized zone (DMZ) on the firewall (a zone that has access to the internet, usually limited to the bare need, and can be accessed from the interior zone). Then place an NTP server in it (a Raspberry Pi would do perfectly), let it sync to some pool.ntp.org servers (see my article on NTP ...) and point your clients to it.
  • If you already have a DMZ, e.g. for a company web server, just hook the NTP server on it. The resource footprint is as small as an ant's ...

BTW: That NTPMonitor tool is nice to monitor the time sync state for a bunch of machines very easily.
0
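
The check described in the comment above (does the firewall answer NTP on its inner interface?) can also be scripted. This is an added example, not part of the thread and not NTPMonitor's code: a minimal SNTP query in Python that rejects replies that do not echo the request or that come from an unsynchronized server. The function names and the sample reply builder are constructed for illustration.

```python
import socket, struct, time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)

def enc(t):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return struct.pack("!II", int(t) + NTP_DELTA, int((t % 1) * 2**32))

def dec(b):
    secs, frac = struct.unpack("!II", b)
    return secs - NTP_DELTA + frac / 2**32

def build_request(t1):
    # LI=0, VN=4, Mode=3 (client) -> 0x23; our send time goes in the transmit field
    return b"\x23" + 39 * b"\x00" + enc(t1)

def parse_reply(request, reply, t1, t4):
    """Validate a reply; t1/t4 are the client's send/receive times (Unix seconds)."""
    if len(reply) < 48:
        raise ValueError("short packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 7, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    # The server must echo our transmit timestamp as its origin timestamp.
    if reply[24:32] != request[40:48]:
        raise ValueError("origin timestamp does not echo our request")
    if leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server answers but is not synchronized")
    t2, t3 = dec(reply[32:40]), dec(reply[40:48])  # server receive / transmit
    return {"stratum": stratum,
            "offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2)}

def check_ntp(host, timeout=3.0):
    """Query host on UDP 123; raises socket.timeout if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        request = build_request(t1)
        s.sendto(request, (host, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_reply(request, reply, t1, t4)

def constructed_reply(request, t2, t3, stratum=2, leap=0):
    """Constructed sample server reply for offline testing (not captured traffic)."""
    head = bytes([(leap << 6) | (4 << 3) | 4, stratum, 0, 0]) + 20 * b"\x00"
    return head + request[40:48] + enc(t2) + enc(t3)
```

Calling `check_ntp()` with the firewall's inner address returns the stratum, clock offset and round-trip delay; a timeout means UDP 123 is filtered or no NTP service is listening there.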
 
masnrock Commented:
If you're talking time clock as in employees to punch in and out from, I'd be inquiring what company you're using for payroll. They should be able to recommend clocks for you, as those companies tend to have clocks that they prefer and recommend.

Another idea, if it's an option, is to have the timeclocks bypass the proxy. You're limited to the capability of the clock itself, and a payroll company is only going to recommend so many options.

@paul - A number of timeclocks need to be on the network so that the information can get into the payroll system. Some companies now have all the punch data go to a cloud-based service, so the clocks must be able to get onto the internet. ADP is one company that does this.

operationsIT (Author) Commented:
Hello, yes, it is a payroll company, and they deal with a third party for punch clocks and only have two offerings, none of which support a proxy. I have heard there are people behind a proxy, so I wanted to see if anyone knows of any time/punch clock that has proxy configuration, as bypass is not an option.

masnrock Commented:
Which payroll company? And what models did they offer?

frankhelk Commented:
I've never seen any NTP configuration that works thru a proxy ... and I've seen articles explaining why it won't work. Besides that, the principle of a proxy would cripple NTP's precision.

My best guesses now would be

  • a time server appliance with NTP service (Meinberg, Hopf, etc.)
  • an old PC on Linux equipped with some radio clock card and a classic NTP client syncing to the card (cheaper)
  • some old PC on Linux, running NTP, located in the DMZ, restricted by the firewall to allow NTP traffic only.

If you don't need precision down to milliseconds, you probably could use htpdate (which would go thru proxies and take the timestamp of a http document, which is fairly accurate if the web server carries correct time).

masnrock Commented:
I am writing this to help the discussion move in the right direction...

This has NOTHING to do with NTP, so let's please kill that part of the discussion. Think of an office timeclock (or punch clock if you prefer that term) in an office, where people punch in and out so that the time they worked has been reported. The clocks send records of those punches to a payroll system.

The proxy comes into play because of the way the network is set up. However, the OP has mentioned that bypassing the proxy isn't an option.

operationsIT (Author) Commented:
ADP
Intouch

masnrock Commented:
Check out uAttend clocks. From what I'm seeing, you can set proxy settings in them, but you need to figure out how much support you'll have from ADP, and whether they're even compatible with the service.

https://www.uattend.com/

kevinhsieh Commented:
What kind of proxy? Does it require authentication? Does it allow a way to bypass authentication for certain endpoints or destinations?

If you can't manipulate the proxy to do what you want, or find a punch clock to work with your proxy, there's always running a separate physical network for the punch clocks...

masnrock Commented:
I would've sooner created a VLAN that doesn't go through the proxy for the hassle that this is causing. Because asking the company to change payroll vendors is not exactly a piece of cake, and you'll probably get squeezed by finance/accounting to just make the clocks work.

This type of situation is a valid business case to have the clocks bypass the proxy or to create a separate network. All those clocks do is collect the punch data from employees and transmit to ADP.

If you've ever dealt with ADP support, you'll understand very fast why it is easier to modify things on the network side than it will be to get their help. ADP's sales staff and tech support staff aren't on the same page, and not even all of their tech support staff are on the same page. I had a situation where a client had clocks that allowed QuickBooks to grab data directly, then when an additional clock was needed, ADP sent a clock that transmitted directly to ADP (but did not disclose this fact). So after a protracted battle with ADP on multiple fronts, they replaced all of the existing clocks and the process of data collection changed. Basically, it took over a month to get everything sorted out.

operationsIT (Author) Commented:
They do!  That is awesome!

masnrock Commented:
Great, hope everything works out the way you're looking for! I had noticed they claim to work with ADP, so figured those would be the units for you.

gheist Commented:
HTTP proxy is not symmetric, it is not valid for any sort of timekeeping. One can get clock from e.g. Active Directory, or pool.ntp.org