Do my NTP settings make a difference when authenticating via SSL VPN with MFA?

Hello everyone,

I apologize ahead of time in case none of this makes sense. I'll start with some background info.

We implemented MFA not too long ago on our SSL VPN connections. Our Sophos XG is configured to use AD credentials to authenticate.

A common issue with Sophos SSL VPN with MFA is that if the client needs to reauthenticate due to a disconnect (for whatever reason), the client will fail to reconnect.

Without MFA, it would reconnect just fine. But since MFA requires an active token to be entered, our logs show that the client failed to connect due to wrong credentials since the OTP used to authenticate initially is no longer valid. This kind of happens in the background and the user has no idea what went wrong. 

Why would the VPN connection disconnect and force the client to reauthenticate thus failing because the OTP has likely changed since the initial login?

Well, I'm still working on that issue. However, something I thought about was whether or not the NTP settings made a difference.

Our Sophos XG uses a public NTP server, "pool.ntp.org".

Our AD Domain Controller uses "us.pool.ntp.org", which our clients also use.

Would it then make sense to point both my Sophos XG and Domain Controller to the same NTP server? This would help me reduce the chances of there being an issue with time synchronization. I tried comparing the differences between the two NTP servers outlined above using the following command:

C:> w32tm /monitor /computers:us.pool.ntp.org,pool.ntp.org

Output:

us.pool.ntp.org[154.16.245.246:123]:
ICMP: 89ms delay
NTP: -0.0623971s offset from local clock
RefID: t2.time.bf1.yahoo.com [72.30.35.88]
Stratum: 3


pool.ntp.org[64.79.100.197:123]:
ICMP: 69ms delay
NTP: -0.0555927s offset from local clock
RefID: ntp.your.org [204.9.54.119]
Stratum: 2

But it doesn't look like there would be any significant differences that would have an impact on user connectivity.

In short, does NTP matter at all? Does having a different NTP server on my domain controller (thus my clients) and my Sophos XG firewall make a difference with authenticating via SSL VPN with MFA?

  • pool.ntp.org is a group of many ntp servers around the world.  us.pool.ntp.org is a group of ntp servers located in the United States.  us.pool.ntp.org is a subset of pool.ntp.org.  each time your client connects to one of those, it will get a new real ntp server to set the time.  All of the servers should pretty much have the same time.
  • Thanks for your help! I guess I can rule that out then.

  • Just for some context. NTP servers work with UTC+0. Therefore all appliances around the world have the same time. So you have to tell the appliance "I am in Germany", for example, which does the trick of "showing a different time on public-facing resources".

    So to speak, products like Windows or other OSes simply add the timezone to UTC+0 to reflect the time the user is currently seeing, but all products use UTC+0 as a baseline.

    Time and DNS are the running joke of IT in the past decades. If you have a problem, it's DNS. If it's not DNS, it is DNS.
    The same goes for time. Because if your time is not correct, there could be a lot of drama going on. For example, certificates could be not valid anymore or not yet valid (certificates start and expire some day). OTP is the same: you have a time, you are currently asking for a token, and the time has to be the same on both devices.

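The question asks whether the sub-second offsets reported by w32tm (about -0.06s against both pools) can break OTP login, and the last reply makes the general point that the token generator and the verifier must agree on the time. The following added example (not code from the thread, Sophos, or any authenticator vendor) implements the standard TOTP algorithm (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1, 30-second step) and a verifier with a configurable +/- step window, then checks which clock offsets between the two sides still authenticate. The secret, the fixed timestamp and the window sizes are constructed values for the demonstration; the window a given product actually accepts is an assumption here and should be taken from its documentation.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # code length used by most authenticator apps

# Constructed demo secret (base32, RFC 4648); not a real key from the thread.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, unix_time: float, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(unix_time // step), digits)


def verify_totp(secret_b32: str, code: str, verifier_time: float,
                window: int = 1, step: int = STEP) -> bool:
    """Accept the code if it matches the verifier's current step or any step within +/- window.

    The comparison is constant-time so a failed attempt does not leak which step matched.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(verifier_time // step)
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, len(code)), code):
            matched = True
    return matched


def offset_tolerated(offset_seconds: float, client_time: float,
                     window: int = 1, step: int = STEP) -> bool:
    """Would a token generator whose clock runs `offset_seconds` ahead of the verifier still log in?

    The generator (authenticator app) computes the code at its own time; the verifier
    (here standing in for the firewall) checks it against its own clock.
    """
    code = totp(DEMO_SECRET_B32, client_time + offset_seconds, step=step)
    return verify_totp(DEMO_SECRET_B32, code, client_time, window=window, step=step)


if __name__ == "__main__":
    # Constructed reference instant, 20 seconds into a 30-second step.
    now = 1_700_000_000
    # Offsets taken from the w32tm output in the question, plus larger ones for contrast.
    for off in (-0.0623971, -0.0555927, 10, 45, 120):
        print(f"offset {off:>10.4f}s  window=1 -> {offset_tolerated(off, now)}  "
              f"window=2 -> {offset_tolerated(off, now, window=2)}")
```

With the offsets measured in the question the generator and verifier land in the same 30-second step, so the code is accepted even with no tolerance window; only an offset on the order of tens of seconds or more pushes the generator into a step the verifier no longer accepts. The two clocks that matter for the OTP itself are the authenticator's and the firewall's; the domain controller and client PC only matter for the AD password check and for any clock the firewall or the authenticator actually synchronizes from.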