Materials Studio and Firewalls

Having had some fun trying to set up Materials Studio to communicate with a licence server behind a firewall, I thought perhaps it would be worth putting my notes online. This should ensure I don't lose them at least, and might prove useful to someone else. In fact I think this should be relevant to anyone using a FlexLM (Flexnet) licence server, not just Materials Studio users.

These notes refer to setting up a licence server, i.e. using a floating licence. If you have a node-locked licence then you should just install it on the relevant machine, and no communications should be needed.

If you know what you're doing, the basic summary is:

  1. Create an ssh tunnel to forward the FlexLM and vendor daemon ports from the local machine to the server
  2. Edit your Windows HOSTS file to pretend that your servername is in fact the local machine (127.0.0.1)

Don't worry if this is all gibberish to you, read on and hopefully things will become clear(er).

N.B. whilst my particular area of interest is Castep, I am not going to address running a remote Gateway to spawn Castep jobs on other machines.

FlexLM/Flexnet Licence Server

If you aren't sure what ports or firewalls are, you might find it useful to read this short explanation first.

Checking out a licence generally requires two ports to be open (that is, allowed through any intervening firewalls). The licence server itself runs two programs (called daemons): the first is a generic FlexLM one called lmgrd, and the second is vendor-specific. In the case of Materials Studio this second daemon is called msi (Accelrys' former name). These two daemons listen on different ports -- by default these are ports 1715 and 1716 respectively. These ports are specified in your FlexLM licence file, and you can change them to whatever you like. Your own machine will need to know the port for the FlexLM daemon, so make sure this is correct using the License Administrator tool.

The general procedure then is to tell any firewall between your machine and the licence server to let these two ports through. Remember that your machine may be running a firewall, the server may (and probably should) be running a firewall, and any routers in between also act as firewalls. Provided you (or a friendly administrator) have access to all these firewalls, this should work fine; however if the machine and the licence server are on different networks the communication may well go through a firewall that is not under your control. What can we do then?

Tunnelling with ssh

Most firewalls will allow secure shell (ssh) through on port 22, since the program is supposed to be secure and it encrypts its data. However most ssh programs also allow you to forward other ports as well, by listening to extra ports on your computer, and sending any communications to particular ports on the remote computer. We will exploit this to transfer our licence requests over the ssh connection. Please note that you will need to be able to log into the licence server for this to work. If you know what you're doing you could work around this, but I'm not going to go into that here.

The ssh command

You may need to consult your documentation to see how to do port forwarding from your ssh client program. However on many implementations you can use:

ssh -L port1:localhost:port1 -L port2:localhost:port2  server

where "port1" and "port2" are the ports you want to forward, and "server" is the licence server.

Putty

If you're using Putty, create a new session and name it something appropriate. Type in the IP address of the server you want to connect to - it must be the IP address and not the name, for reasons that will become clear later - and ensure that the protocol is set to "ssh".

Now scroll down the left-hand pane until you find the "ssh" parent menu, and expand it if it isn't already. Select "Tunnel". Enter the FlexLM port under "Source" (e.g. "1715") and under "Destination" put "localhost:" followed by the FlexLM port (e.g. "localhost:1715"). Make sure the port type is set to "local" and click "add" to add this port to the forwarding list. Now repeat this process to add the port for the msi daemon (e.g. "1716" Source and "localhost:1716" as Destination).

Now if we log into the licence server using this ssh connection, the ssh client will forward any communication on our FlexLM port to the licence server.

Windows HOSTS file

Because any direct requests to the licence server will be blocked by the firewall, we need to trick Windows into sending these requests to the local machine instead. To do this, we just need to edit Windows' HOSTS file.

Go to the "Windows" directory, then "system32" then "drivers" and finally "etc". You should see a file there called "hosts" - you need to edit this, so right-click and choose "open with..." and select "Notepad". You will probably see a line like:

127.0.0.1    localhost

and possibly other lines too. Simply add this line at the end:

127.0.0.1    servername.domain   servername

where "servername" is the name of your licence server (e.g. "philsserver") and "domain" is the internet domain of your machine (e.g. "york.ac.uk"). So if my licence server is "philsserver" at "york.ac.uk" then I would add

127.0.0.1    philsserver.york.ac.uk philsserver

Once you've added this line, save the file and exit. If you encounter problems with saving the file, you will need to run Notepad as Administrator - you can usually right-click on the Notepad icon and select "Run as administrator" from the menu. Failing that, try selecting "Run..." from the Start Menu and typing:

runas /u:administrator notepad

For those who don't know, 127.0.0.1 is a special internet address which is code for "this machine". We've just told Windows that "philsserver" is actually the machine we're on, so not to bother using the network. Please note that this means if I really do want to connect to "philsserver", I'll have to enter its IP address directly or I'll be trying to connect to myself. This is why in the Putty configuration we entered the server's IP address, not its name.
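The following script is an added example and not part of the original notes: it reads the lmgrd and vendor daemon ports from a FlexLM licence file (a constructed sample is embedded), prints the ssh port-forwarding command and the HOSTS line from the sections above, and checks that the forwarded ports are actually listening locally. It goes slightly beyond the text in one respect: it refuses a VENDOR line with no fixed port= entry, because the vendor daemon then chooses its port at each start and no static forward can reach it. The server IP 192.0.2.10 and the function names are my own choices.

```python
import re
import socket

# Constructed sample licence file (not a real licence): only the SERVER and
# VENDOR lines matter for the tunnel; FEATURE lines are ignored.
SAMPLE_LICENCE = """\
SERVER philsserver 001122334455 1715
VENDOR msi port=1716
FEATURE MS_castep msi 2010.0101 permanent 4 SIGN=0
"""

def licence_ports(text):
    """Return (server name, lmgrd port, vendor daemon name, vendor port).
    Raises ValueError if the VENDOR line carries no port=, since the vendor
    daemon then picks a random port at start-up and cannot be forwarded."""
    server = re.search(r"^SERVER\s+(\S+)\s+\S+\s+(\d+)", text, re.M)
    vendor = re.search(r"^VENDOR\s+(\S+)(.*)$", text, re.M)
    if not server or not vendor:
        raise ValueError("licence file needs both a SERVER and a VENDOR line")
    port_opt = re.search(r"\bport=(\d+)", vendor.group(2))
    if not port_opt:
        raise ValueError("VENDOR line has no fixed port=; set one before tunnelling")
    return server.group(1), int(server.group(2)), vendor.group(1), int(port_opt.group(1))

def ssh_command(lmgrd_port, vendor_port, server_ip):
    """The port-forwarding ssh command from the notes. The server is given by
    IP address: once the HOSTS entry is in place its name means 127.0.0.1."""
    return (f"ssh -L {lmgrd_port}:localhost:{lmgrd_port} "
            f"-L {vendor_port}:localhost:{vendor_port} {server_ip}")

def hosts_line(servername, domain):
    """HOSTS entry mapping both the full and the short server name to loopback."""
    return f"127.0.0.1    {servername}.{domain}   {servername}"

def tunnel_is_up(port, host="127.0.0.1", timeout=1.0):
    """True if something (normally the ssh client) accepts connections on the
    forwarded local port; False means the tunnel is not yet established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    name, lm_port, daemon, v_port = licence_ports(SAMPLE_LICENCE)
    print(ssh_command(lm_port, v_port, "192.0.2.10"))  # documentation-range IP
    print(hosts_line(name, "york.ac.uk"))
    for label, port in (("lmgrd", lm_port), (daemon, v_port)):
        state = "forwarded" if tunnel_is_up(port) else "NOT listening"
        print(f"port {port} ({label}): {state}")
```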

Accelrys License Administrator

Now that we have port-forwarding enabled, we need to check it's all working. Launch Accelrys' License Administrator. If there aren't any license server connections set up, then you'll need to do this: go to "License Server" in the left-hand pane, then "Connections" and click "Add..." in the right-hand pane. You will be prompted to enter the server name and port - this is the FlexLM port, not the one for the vendor daemon (msi).

NB to change the licence server settings, the License Administrator will need to be run as Administrator.

You should now be able to check a licence out! Check that the server status is reported as "up" by the License Administrator. Provided that's OK, you can go to the "License Test" on the left-hand pane and try to check a license out. If the server is reported as "up" but you can't check a licence out, make sure the licence server is not restricted by user and/or machine (or if it is, make sure your user and machine are allowed!).

To summarise the process:

  1. Create an ssh tunnel to forward the FlexLM and vendor daemon ports from the local machine to the server
  2. Edit your Windows HOSTS file to pretend that your servername is in fact the local machine (127.0.0.1)

Why does this work?

From experimenting with our licence server and firewall, it appears that the general communication pattern for a FlexLM request is something like this:

  1. Client contacts the FlexLM daemon on the server using the relevant port
  2. The FlexLM server returns its hostname and the port number of the vendor daemon
  3. Client contacts the vendor daemon on the server using this port

The first part is fine: redirecting licence requests to "localhost" and using ssh to forward the ports works. The problem is that the server will return "port@server" in the second stage, not "port@localhost", so we need to cheat by adding the server to the HOSTS file so Windows thinks it has to contact the local machine again. As soon as it does this, the ssh program grabs this request too and delivers it to the right licence server.