Solved

Time Clock with Proxy Configuration capability

Posted on 2016-11-03
16
104 Views
Last Modified: 2016-11-06
Hello EE,
We do not allow direct internet and have a new need for a network timeclock, but I am struggling to find a manufacturer to provide configurability of a proxy.  Any ideas?
0
Comment
Question by:operationsIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
  • 2
  • +4
16 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41873401
How about a NTP/SNTP server that gets it's time via the official US radio signal? No network connection required.

http://www.meinberg-usa.com/products/network-time-server/wwvb-ntp-time-server.htm

I am not sure what kind of proxy you are thinking of, but you just need one device to be able to reach an NTP server on the Internet on UDP 123. A router or firewall could do that, or maybe your proxy server can be your local NTP server if it has a general OS that can be configured.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 41873429
I think the OP needs a device his co-workers can punch in/out on.  I may be wrong.  

May I ask why the time clock would need to access the Internet?
0
 
LVL 23

Expert Comment

by:Dirk Kotte
ID: 41873578
would suggest to use a UTM (Firewall) as NTP Proxy.
Firewall get the internet-time, internal Hosts use Firewall as NTP-Server.
if your Firewall not provide this function, you may place a sophos utm within the dmz.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 14

Expert Comment

by:frankhelk
ID: 41873707
The most "straightforward" solution would be some NTP time server appliance, as suggested earlier.

The second most simple idea would be to use the firewall as "NTP proxy". If it gets its time from the internet, you'll just have to allow client access to the firewall's NTP on the "inner" network interface.

Probably that's already open ... let's check that:

Download the tool NTPMonitor from here. Configure it to watch your firewall. Run it. Wait 5 minutes ...

  • If you get data from the firewall's NTP: Bingo !
  • If not, try to enable access to the firewall's NTP server.
  • If the firewall didn't have NTP service, install it.
  • As an alternative you could config a demilitarized zone (DMZ) on the firewall (a zone that has (usually limited to the bare need) access to the internet and could be accessed from the interior zone. The place a NTP server in it (a RasberryPI would perfectly do), let it sync to some pool.ntp.org servers (see
  • my article on NTP
  • ...) and point your clients to it.
  • If you already have a DMZ, i.e. for a company web server, just hook the NTP server on it. The ressource footprint is as small as an ant's ...

BTW: That NTPMonitor tool is nice to monitor the time sync state for a bunch of machines very easily.
0
 
LVL 27

Expert Comment

by:masnrock
ID: 41873764
If you're talking time clock as in employees to punch in and out from, I'd be inquiring what company you're using for payroll. They should be able to recommend clocks for you, as those companies tend to have clocks that they prefer and recommend.

Another idea, if it's an option, is to have the timeclocks bypass the proxy. You're limited to the capability of the clock itself, and a payroll company is only going to recommend so many options.

@paul - A number of timeclocks need to be on the network so that the information can get into the payroll system. Some companies now have all the punch data go a cloud-based service, so the clocks must be able to get onto the internet. ADP is one company that does this.
0
 

Author Comment

by:operationsIT
ID: 41873792
Hello,  yes it is a payroll company and they deal with third party for punch clocks and only have two offerings of which none are proxy.  I have heard there are people behind proxy so wanted to see if anyone knows of any time/punch clock that has proxy configuration as bypass is not an option
0
 
LVL 27

Expert Comment

by:masnrock
ID: 41873827
Which payroll company? And what models did they offer?
0
 
LVL 14

Expert Comment

by:frankhelk
ID: 41873840
I've never seen any NTP configuration that works thru a proxy ... and I've seen articles explaining why it won't work. Besides of that the principle of a proxy would cripple NTP's precision.

My best guesses now would be

  • a time server appliance with NTP service (Meinberg, Hopf, etc.
  • an old PC on linux equipped with some radio clock card a classic NTP client syncing to the card (cheaper)
  • some old PC on linux, running NTP, located in the DMZ, restricted by the firewall to allow NTP traffic only.

If you don't need precision down to milliseconds, you probably could use htpdate (which would go thru proxies and take the timestamp of a http document, which is fairly accurate if the web server carries correct time).
0
 
LVL 27

Expert Comment

by:masnrock
ID: 41873928
I am writing this to help the discussion move the right direction...

This has NOTHING to do with NTP, so let's please kill that part of the discussion. Think of an office timeclock (or punch clock if you prefer that term) in an office, where people punch in and out so that the time they worked has been reported. The clocks sends records of those punch to a payroll system.

The proxy comes into play because of the way the network is set up. However, the OP has mentioned that bypassing the proxy isn't an option.
0
 

Author Comment

by:operationsIT
ID: 41874058
ADP
Intouch
0
 
LVL 27

Accepted Solution

by:
masnrock earned 500 total points
ID: 41874103
Check out uAttend clocks. From what I'm seeing, you can set proxy settings in them, but you need to figure out how much support you'll have from ADP, and whether they're even compatible with the service.

https://www.uattend.com/
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41874289
What kind of proxy? Does it require authentication? Does it allow a way to bypass authentication for certain endpoints or destinations?

If you can't manipulate the proxy to do what you want, or find a punch clock to work with your proxy, there's always running a separate physical network for the punch clocks...
0
 
LVL 27

Expert Comment

by:masnrock
ID: 41874310
I would've sooner created a VLAN that doesn't go through the proxy for the hassle that this is causing. Because asking the company to change payroll vendors is not exactly a piece of cake, and you'll probably get squeezed by finance/accounting to just make the clocks work.

This type of situation is a valid business case to have the clocks bypass the proxy or to create a separate network. All those clocks do is collect the punch data from employees and transmit to ADP.

If you've ever dealt with ADP support, you'll understand very fast why it is easier to modify things on the network side than it will be to get their help. ADP's sales staff and tech support staff aren't on the same page, and even not all of their tech support staff are on the same page. I had a situation where a client had clocks that allowed Quickbooks to grab data directly, then when an additional clock was needed, ADP sent a clock that transmitted directly to ADP (but did not close this fact). So after a protracted battle with ADP on multiple fronts, they replaced all of the existing clocks and the process of data collection changed. Basically, it took over a month to get everything sorted out.
0
 

Author Closing Comment

by:operationsIT
ID: 41875091
They do!  That is awesome!
0
 
LVL 27

Expert Comment

by:masnrock
ID: 41875105
Great, hope everything works out the way you're looking for! I had noticed they claim to work with ADP, so figured those would be the units for you
1
 
LVL 62

Expert Comment

by:gheist
ID: 41876047
HTTP proxy is not symmetric, it is not valid for any sort of timekeeping. One can get clock from e.g. active directory, or pool.ntp.org
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question