operationsIT

Time Clock with Proxy Configuration capability

Hello EE,
We do not allow direct internet and have a new need for a network timeclock, but I am struggling to find a manufacturer to provide configurability of a proxy.  Any ideas?
kevinhsieh

How about an NTP/SNTP server that gets its time via the official US radio signal? No network connection required.

http://www.meinberg-usa.com/products/network-time-server/wwvb-ntp-time-server.htm

I am not sure what kind of proxy you are thinking of, but you just need one device to be able to reach an NTP server on the Internet on UDP 123. A router or firewall could do that, or maybe your proxy server can be your local NTP server if it has a general OS that can be configured.
I think the OP needs a device his co-workers can punch in/out on.  I may be wrong.  

May I ask why the time clock would need to access the Internet?
I would suggest using a UTM (firewall) as an NTP proxy.
The firewall gets the Internet time, and internal hosts use the firewall as their NTP server.
If your firewall does not provide this function, you may place a Sophos UTM within the DMZ.
The most "straightforward" solution would be some NTP time server appliance, as suggested earlier.

The second most simple idea would be to use the firewall as "NTP proxy". If it gets its time from the internet, you'll just have to allow client access to the firewall's NTP on the "inner" network interface.

Probably that's already open ... let's check that:

Download the tool NTPMonitor from here. Configure it to watch your firewall. Run it. Wait 5 minutes ...

  • If you get data from the firewall's NTP: Bingo!
  • If not, try to enable access to the firewall's NTP server.
  • If the firewall doesn't have an NTP service, install it.
  • As an alternative, you could configure a demilitarized zone (DMZ) on the firewall (a zone that has access to the internet, usually limited to the bare need, and can be accessed from the interior zone). Then place an NTP server in it (a Raspberry Pi would do perfectly), let it sync to some pool.ntp.org servers (see my article on NTP ...) and point your clients to it.
  • If you already have a DMZ, e.g. for a company web server, just hook the NTP server onto it. The resource footprint is as small as an ant's ...

BTW: That NTPMonitor tool is nice to monitor the time sync state for a bunch of machines very easily.
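What the check described above looks for on the wire, as an added example that is not part of the original post and not NTPMonitor's code: a minimal SNTP probe that sends one client request and accepts the reply only if it is a synchronized server answer matching the request. The function names and the constructed sample reply are assumptions made for illustration.

```python
import socket, struct, time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def to_ntp(unix_ts):
    """Unix seconds (float) -> NTP timestamp as (seconds, 32-bit fraction)."""
    sec = int(unix_ts)
    return sec + NTP_EPOCH_DELTA, int((unix_ts - sec) * 2**32)

def from_ntp(sec, frac):
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def build_request(t1):
    """48-byte client request: LI=0, VN=4, Mode=3, transmit timestamp = t1."""
    return struct.pack("!B39xII", (4 << 3) | 3, *to_ntp(t1))

def check_reply(reply, t1, t4):
    """Validate a reply; return (ok, reason, clock_offset_seconds)."""
    if len(reply) < 48:
        return False, "short packet", None
    first, stratum = struct.unpack("!BB", reply[:2])
    li, mode = first >> 6, first & 0x7
    o_s, o_f, r_s, r_f, x_s, x_f = struct.unpack("!6I", reply[24:48])
    if mode != 4:
        return False, "not a server reply", None
    if li == 3 or stratum == 0 or stratum > 15:
        return False, "server unsynchronized", None
    # The server must echo our transmit timestamp; rejects stale or blind-spoofed replies.
    if (o_s, o_f) != to_ntp(t1):
        return False, "originate timestamp mismatch", None
    t2, t3 = from_ntp(r_s, r_f), from_ntp(x_s, x_f)
    return True, "ok", ((t2 - t1) + (t3 - t4)) / 2

def make_reply(li, stratum, orig, t2, t3):
    """Constructed server reply for offline testing (not captured traffic)."""
    return struct.pack("!BB22x6I", (li << 6) | (4 << 3) | 4, stratum,
                       *to_ntp(orig), *to_ntp(t2), *to_ntp(t3))

def query(host, timeout=2.0):
    """Probe host on UDP 123; raises socket.timeout if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, 123))
        reply, _ = s.recvfrom(512)
        return check_reply(reply, t1, time.time())
```

A timeout from `query()` against the firewall's inner interface corresponds to the "If not" branch of the list above: the service is absent or client access to it is not allowed.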
If you're talking time clock as in employees to punch in and out from, I'd be inquiring what company you're using for payroll. They should be able to recommend clocks for you, as those companies tend to have clocks that they prefer and recommend.

Another idea, if it's an option, is to have the timeclocks bypass the proxy. You're limited to the capability of the clock itself, and a payroll company is only going to recommend so many options.

@paul - A number of timeclocks need to be on the network so that the information can get into the payroll system. Some companies now have all the punch data go to a cloud-based service, so the clocks must be able to get onto the internet. ADP is one company that does this.
operationsIT

ASKER

Hello, yes, it is a payroll company, and they deal with a third party for punch clocks and only have two offerings, of which none are proxy. I have heard there are people behind a proxy, so I wanted to see if anyone knows of any time/punch clock that has proxy configuration, as bypass is not an option.
Which payroll company? And what models did they offer?
I've never seen any NTP configuration that works thru a proxy ... and I've seen articles explaining why it won't work. Besides that, the principle of a proxy would cripple NTP's precision.

My best guesses now would be

  • a time server appliance with NTP service (Meinberg, Hopf, etc.)
  • an old PC on Linux equipped with some radio clock card and a classic NTP client syncing to the card (cheaper)
  • some old PC on Linux, running NTP, located in the DMZ, restricted by the firewall to allow NTP traffic only.

If you don't need precision down to milliseconds, you probably could use htpdate (which would go thru proxies and take the timestamp of an HTTP document, which is fairly accurate if the web server carries correct time).
I am writing this to help the discussion move in the right direction...

This has NOTHING to do with NTP, so let's please kill that part of the discussion. Think of an office timeclock (or punch clock if you prefer that term) in an office, where people punch in and out so that the time they worked is reported. The clock sends records of those punches to a payroll system.

The proxy comes into play because of the way the network is set up. However, the OP has mentioned that bypassing the proxy isn't an option.
ADP
Intouch
ASKER CERTIFIED SOLUTION
masnrock
What kind of proxy? Does it require authentication? Does it allow a way to bypass authentication for certain endpoints or destinations?

If you can't manipulate the proxy to do what you want, or find a punch clock to work with your proxy, there's always running a separate physical network for the punch clocks...
I would've sooner created a VLAN that doesn't go through the proxy for the hassle that this is causing. Because asking the company to change payroll vendors is not exactly a piece of cake, and you'll probably get squeezed by finance/accounting to just make the clocks work.

This type of situation is a valid business case to have the clocks bypass the proxy or to create a separate network. All those clocks do is collect the punch data from employees and transmit to ADP.

If you've ever dealt with ADP support, you'll understand very fast why it is easier to modify things on the network side than it will be to get their help. ADP's sales staff and tech support staff aren't on the same page, and not even all of their tech support staff are on the same page. I had a situation where a client had clocks that allowed QuickBooks to grab data directly, then when an additional clock was needed, ADP sent a clock that transmitted directly to ADP (but did not disclose this fact). So after a protracted battle with ADP on multiple fronts, they replaced all of the existing clocks and the process of data collection changed. Basically, it took over a month to get everything sorted out.
They do!  That is awesome!
Great, hope everything works out the way you're looking for! I had noticed they claim to work with ADP, so figured those would be the units for you
HTTP proxy is not symmetric, it is not valid for any sort of timekeeping. One can get clock from e.g. active directory, or pool.ntp.org