Having had some fun trying to set up Materials Studio to communicate with a licence server behind a firewall, I thought perhaps it would be worth putting my notes online. This should ensure I don't lose them at least, and might prove useful to someone else. In fact I think this should be relevant to anyone using a FlexLM (Flexnet) licence server, not just Materials Studio users.
These notes refer to setting up a licence server, i.e. using a floating licence. If you have a node-locked licence then you should just install it on the relevant machine, and no communications should be needed.
If you know what you're doing, the basic summary is:
N.B. whilst my particular area of interest is Castep, I am not going to address running a remote Gateway to spawn Castep jobs on other machines.
When programs on one machine communicate with those on another, they need to specify a particular port to communicate on; for example the world-wide web uses port 80 for its HTTP communications. If the program on your machine gives the wrong port, it won't be heard by the correct program on the remote machine.
In principle, anyone in the world can connect to any port that a program on your computer is listening on. Every listening port is therefore a security risk, since anyone can try to work out what program is listening and attempt to subvert it.
Firewalls are designed to block all communications except those on certain, authorised ports. A typical university or company firewall might block everything except the ports relevant for the world-wide web, email, encrypted secure logins (ssh) and perhaps secure file-transfer (sftp). This helps to reduce the security risk, since all of these programs (should) have been well-tested and any security flaws fixed.
Firewalls can take the form of special programs, computers or other devices (such as routers) that look at which port a program wants and decide whether or not to accept it, based on various rules that the administrator can control. The more recent versions of Windows have all had firewall software included, and other third-party firewalls are commonly available from companies such as NVidia, Norton and Check Point. Routers, such as those used for wireless network access, also run firewalls.
The problem with firewalls and licence servers is fairly obvious -- in order for your computer to contact a licence server, it needs to communicate with the server on a particular port; if this port is blocked by a firewall, it cannot succeed. If the firewalls are under your control, then it is usually straightforward to add a firewall rule that allows these requests through.
Checking out a licence generally requires two ports to be open (that is, allowed through any intervening firewalls). The licence server itself runs two programs (called daemons): the first is a generic FlexLM one called lmgrd, and the second is vendor-specific. In the case of Materials Studio this second daemon is called msi (Accelrys' former name). These two daemons listen on different ports -- by default these are ports 1715 and 1716 respectively. These ports are specified in your FlexLM licence file, and you can change them to whatever you like. Your own machine will need to know the port for the FlexLM daemon, so make sure this is correct using the License Administrator tool.
The general procedure then is to tell any firewall between your machine and the licence server to let these two ports through. Remember that your machine may be running a firewall, the server may (and probably should) be running a firewall, and any routers in between also act as firewalls. Provided you (or a friendly administrator) have access to all these firewalls, this should work fine; however if the machine and the licence server are on different networks the communication may well go through a firewall that is not under your control. What can we do then?
Most firewalls will allow secure shell (ssh) through on port 22, since the program is supposed to be secure and it encrypts its data. However most ssh programs also allow you to forward other ports as well, by listening to extra ports on your computer, and sending any communications to particular ports on the remote computer. We will exploit this to transfer our licence requests over the ssh connection. Please note that you will need to be able to log into the licence server for this to work. If you know what you're doing you could work around this, but I'm not going to go into that here.
You may need to consult your documentation to see how to do port forwarding from your ssh client program. However on many implementations you can use:
ssh -L port1:localhost:port1 -L port2:localhost:port2 server
where "port1" and "port2" are the ports you want to forward, and "server" is the licence server.
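As an added example (not part of the original notes), the sketch below reads the two ports from a licence file and builds the ssh command above, with each forward bound explicitly to 127.0.0.1 so that only programs on your own machine can use the tunnel. It assumes the standard FlexLM layout of a "SERVER host hostid port" line and a "VENDOR name ... PORT=n" line, which the page does not show; the sample file, host id and the address 192.0.2.10 are constructed.

```python
import re
import shlex

# Constructed sample: only the two lines that carry ports (host id is made up).
SAMPLE_LICENCE = """\
# constructed licence file fragment
SERVER philsserver 0012ab34cd56 1715
VENDOR msi PORT=1716
"""

def licence_ports(text):
    """Return (lmgrd_port, vendor_port) read from the SERVER and VENDOR lines."""
    lmgrd = vendor = None
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].upper()
        if keyword == "SERVER" and len(fields) >= 4 and fields[3].isdigit():
            lmgrd = int(fields[3])
        elif keyword in ("VENDOR", "DAEMON"):
            for field in fields[2:]:
                match = re.fullmatch(r"PORT=(\d+)", field, re.IGNORECASE)
                if match:
                    vendor = int(match.group(1))
    if lmgrd is None or vendor is None:
        raise ValueError("both daemons need a fixed port in the licence file")
    return lmgrd, vendor

def ssh_forward_command(ports, server):
    """Build the ssh -L command, binding each forward to 127.0.0.1 only."""
    argv = ["ssh", "-N", "-o", "ExitOnForwardFailure=yes"]
    for port in ports:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port {port}")
        # Explicit loopback bind: other hosts on the LAN cannot use the tunnel.
        argv += ["-L", f"127.0.0.1:{port}:localhost:{port}"]
    argv.append(server)
    return shlex.join(argv)

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the server's IP.
    print(ssh_forward_command(licence_ports(SAMPLE_LICENCE), "192.0.2.10"))
```

The -N option opens the tunnel without starting a remote shell, and ExitOnForwardFailure makes ssh exit instead of silently running without a forward if one of the local ports is already in use.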
If you're using PuTTY, create a new session and name it something appropriate. Type in the IP address of the server you want to connect to - it must be the IP address and not the name, for reasons that will become clear later - and ensure that the protocol is set to "ssh".
Now scroll down the left-hand pane until you find the "ssh" parent menu, and expand it if it isn't already. Select "Tunnel". Enter the FlexLM port under "Source" (e.g. "1715") and under "Destination" put "localhost:" followed by the FlexLM port (e.g. "localhost:1715"). Make sure the port type is set to "local" and click "add" to add this port to the forwarding list. Now repeat this process to add the port for the msi daemon (e.g. "1716" Source and "localhost:1716" as Destination).
Now if we log into the licence server using this ssh connection, the ssh client will forward any communication on our FlexLM port to the licence server.
Now that we have port-forwarding enabled, we need to tell Materials Studio that the licence server is on the local machine - it isn't of course, but communications with the local machine will be spotted by our ssh and carried over to the licence server for us. Unfortunately in a bid to be helpful, Accelrys' licence manager won't actually let you do this. If you try adding "1715@localhost" as your server, a little window will pop up saying something about needing a floating licence on your machine. Fear not! Open up the License Administrator and simply remove all server connections, then quit.
Once you've removed all licence server connections that Materials Studio knows about, you need to run regedit as Administrator. The program regedit doesn't usually appear on the Start Menu so select "Run..." and type it in. If you aren't Administrator (or equivalent) you might need "runas /user:administrator regedit" or something to that effect.
When the regedit window appears, look at the left-hand pane and expand "HKEY_LOCAL_MACHINE", then "Software" and finally highlight "Flexlm License Manager". You should see some things appear in the right-hand pane, one of which is "MSI_LICENSE_FILE". Double-click on this, and enter your port at localhost (e.g. "1715@localhost"). Exit regedit.
If the "Flexlm License Manager" section doesn't exist, you need to run Accelrys' License Administrator and add a server connection. You can just put nonsense in here, because as soon as you've added it you want to remove it again - you just want it to add the proper bits to the Windows registry! After you've quit the License Administrator you should be able to run regedit again and set everything up.
We are now almost there; we just need to edit one more file. Go to the "Windows" directory, then "system32", then "drivers" and finally "etc". You should see a file there called "hosts" - you need to edit this, so right-click and choose "open with..." and select "Notepad". You will probably see a line like:
127.0.0.1 localhost
and possibly other lines too. Simply add this line at the end:
127.0.0.1 servername.domain servername
where "servername" is the name of your licence server (e.g. "philsserver") and "domain" is the internet domain of your machine (e.g. "york.ac.uk"). So if my licence server is "philsserver" at "york.ac.uk" then I would add
127.0.0.1 philsserver.york.ac.uk philsserver
Once you've added this line, save the file and exit. For those who don't know, 127.0.0.1 is a special internet address which is code for "this machine". We've just told Windows that "philsserver" is actually the machine we're on, so not to bother using the network.
Please note that we've just told Windows that the machine called "philsserver" is in fact the local machine, even though it isn't. This means if I really do want to connect to "philsserver", I'll have to enter its IP address directly or I'll be trying to connect to myself. This is why in the PuTTY configuration we entered the server's IP address, not its name.
You should now be able to check a licence out! It's worth making sure, so run Accelrys' License Administrator and check that the server status is reported as "up". Provided that's OK, you can go to the License Test and try to check a licence out. If the server is reported as "up" but you can't check a licence out, make sure the licence server is not restricted by user and/or machine (or if it is, make sure your user and machine are allowed!).
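Before opening the License Administrator, the two local pieces of this setup can be checked directly. The following is an added example, not part of the original notes: it confirms that the hosts file maps the server's names to 127.0.0.1 and that something (the ssh tunnel) is accepting connections on both forwarded ports. The function names and the sample hosts text are constructed for illustration.

```python
import socket

# Constructed sample of the hosts file after the edit described above.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 philsserver.york.ac.uk philsserver
"""

def hosts_override(hosts_text, name):
    """Return the address the hosts file maps `name` to, or None if absent."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None

def port_open(port, host="127.0.0.1", timeout=2.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_setup(hosts_text, server_names, ports):
    """Return a list of problems; an empty list means both pieces are in place."""
    problems = []
    for name in server_names:
        addr = hosts_override(hosts_text, name)
        if addr != "127.0.0.1":
            problems.append(f"{name} maps to {addr!r} in hosts, expected 127.0.0.1")
    for port in ports:
        if not port_open(port):
            problems.append(f"nothing listening on 127.0.0.1:{port} (is the tunnel up?)")
    return problems

if __name__ == "__main__":
    # Replace SAMPLE_HOSTS with the contents of your real hosts file.
    names = ["philsserver", "philsserver.york.ac.uk"]
    for problem in check_setup(SAMPLE_HOSTS, names, [1715, 1716]) or ["setup looks OK"]:
        print(problem)
```

A pass here only shows that the redirect and the tunnel are in place; the License Test is still what confirms that the daemons on the far side answer.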
To summarise the process:
From experimenting with our licence server and firewall, it appears that the general communication pattern for a FlexLM request is something like this: