Zscaler App and NTP

Has anyone run into time drift issues with ZPA? Our domain controllers are our internal time source and a few computers are starting to see time drift. I’m trying to make sure I have NTP defined correctly. UDP 123 is available and I see that traffic in logs.

Basically, I have a computer using ZPA with the clock off by a few minutes. I have them disconnect from ZPA and then connect to our legacy VPN, and the clock instantly syncs to the correct time.

I came across this article referencing that Kerberos and DNS are required in a domain environment. Kerberos (TCP 88) is also available to the domain controllers. But I never configured UDP 53 for DNS.
https://support.microsoft.com/en-us/help/832017#method60

In fact it actually warns you when trying to add DNS to an app segment. Thoughts?
“Zscaler recommends excluding DNS traffic (port 53) from TCP and UDP port ranges”

I’ve not noticed any issues with NTP before.

Gordon, you have UDP 53 open, right?
I’m facing the same issue; UDP 123 open, TCP 88 open; UDP 53 closed; NTP doesn’t sync.

Yes I have UDP-53 open towards my internal DNS servers.

I’m trying on a test environment and I’ve set up my DCs in an application segment with
TCP from 1 to 53000 and
UDP from 1 to 53000.
Result: no way to sync.

w32tm /resync
says: No sync because no data to sync

w32tm /status
says: Not in sync.

On legacy VPN all green naturally.

Connector 20.51.3 and App 2.1.2.105

So has anyone been able to confirm the cause of their time sync issues? My org is still having issues and people are thinking the Zscaler app is to blame. But everything I find shows NTP is syncing correctly.

I have it working over just port UDP 123 plus all the various DC-related ports. Be very careful though: if you are referring to the NTP service by a CNAME for your DC, then you must specifically list that CNAME in your rule. For instance, for us our DC name is, say, DC01.mydomain.com, but for the purpose of NTP configuration by GPO it’s defined as NTP.mydomain.com. Unless you have a specific rule for the latter, it will never get through. When we discovered this we really had to do a CNAME/service inventory and update all the rules accordingly (crl.mydomain.com, etc.).

P.S.: For the person above who has UDP 53 open, Zscaler docs specifically state not to allow ANY DNS through; it’s all supposed to be handled by the connector and your defined search domains.
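As an added illustration of the alias point in the post above (this is example code, not from the thread or from Zscaler), here is a small Python audit that checks whether the names a client actually requests (the NTP source from `w32tm /query /source`, CRL hosts) are covered by application-segment FQDN entries. The CNAME map, the segment lists and the wildcard notation (a leading `.` or `*.` covering subdomains) are constructed assumptions; substitute your own zone data and segment definitions.

```python
# Added example: ZPA intercepts on the name the client asks for, so an alias
# such as NTP.mydomain.com needs its own segment entry even though it is a
# CNAME for DC01.mydomain.com. This audit finds such gaps.

# Constructed sample data (assumption): in practice the alias list comes
# from the client's configuration and the CNAME map from your DNS zone.
CNAME_MAP = {
    "ntp.mydomain.com": "dc01.mydomain.com",
    "crl.mydomain.com": "pki01.mydomain.com",
}

def normalize(name):
    return name.strip().rstrip(".").lower()

def segment_covers(entry, name):
    """True if segment entry `entry` covers `name`: exact match, or, for
    entries written as '.mydomain.com' / '*.mydomain.com' (assumed wildcard
    notation), any proper subdomain of that zone."""
    entry, name = normalize(entry), normalize(name)
    if entry.startswith("*."):
        entry = entry[1:]
    if entry.startswith("."):
        return name.endswith(entry) and name != entry[1:]
    return entry == name

def cname_chain(name, cname_map, limit=8):
    """Follow CNAMEs from `name` to the canonical host, guarding against loops."""
    chain = [normalize(name)]
    while chain[-1] in cname_map and len(chain) < limit:
        nxt = normalize(cname_map[chain[-1]])
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def audit(requested_names, segment_entries, cname_map=CNAME_MAP):
    """For each requested name report the canonical host it resolves to and
    the first segment entry covering the *requested* name (None = gap).
    The canonical host is shown only to explain why the alias needs a rule."""
    report = {}
    for req in requested_names:
        chain = cname_chain(req, cname_map)
        covered = next((e for e in segment_entries
                        if segment_covers(e, chain[0])), None)
        report[chain[0]] = {"resolves_to": chain[-1], "covered_by": covered}
    return report

if __name__ == "__main__":
    for host, info in audit(["NTP.mydomain.com", "DC01.mydomain.com"],
                            ["DC01.mydomain.com"]).items():
        print(host, "->", info["resolves_to"], "| covered by:", info["covered_by"])
```

A `None` in `covered_by` is exactly the case described above: the canonical DC is in a segment, but the alias the GPO hands to clients is not.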

Hi…

Maybe Zscaler can correct me if wrong here…

Based on what I gather, excluding DNS (TCP and UDP 53) is only necessary if you created an IP range app segment. If you created an IP range app segment, e.g. /24, /8, etc., and also include TCP and UDP 53, that’ll result in the client getting the true IP of the server rather than the synthetic 100.64.0.0/16 IP address (bypassing ZPA).

Thanks,
Zul