Ports and Firewalls

When programs on one machine communicate with those on another, they need to specify a particular port to communicate on; for example the world-wide web uses port 80 for its HTTP communications. If the program on your machine gives the wrong port, it won't be heard by the correct program on the remote machine.

In principle, any port that a program on your computer is listening on can be contacted by anyone in the world. Every listening port is therefore a security risk, since anyone can try to work out which program is listening and attempt to subvert it.

Firewalls are designed to block all communications except those on certain, authorised ports. A typical university or company firewall might block everything except the ports relevant for the world-wide web, email, encrypted secure logins (ssh) and perhaps secure file-transfer (sftp). This helps to reduce the security risk, since all of these programs (should) have been well-tested and any security flaws fixed.

Firewalls can take the form of special programs, computers or other devices (such as routers) that look at which port a program wants and decide whether or not to accept it, based on various rules that the administrator can control. The more recent versions of Windows have all had firewall software included, and other third-party firewalls are commonly available from companies such as NVidia, Norton and Check Point. Routers, such as those used for wireless network access, also run firewalls.

Firewalls and Licence Servers

The problem with firewalls and licence servers is fairly obvious -- in order for your computer to contact a licence server, it needs to communicate with the server on a particular port; if this port is blocked by a firewall, it cannot succeed. If the firewalls are under your control, then it is usually straightforward to add a firewall rule that allows these requests through.

FlexLM/Flexnet Licence Server

Checking out a licence generally requires two ports to be open (that is, allowed through any intervening firewalls). The licence server itself runs two programs (called daemons): the first is a generic FlexLM one called lmgrd, and the second is vendor-specific. In the case of Materials Studio this second daemon is called msi (Accelrys' former name). These two daemons listen on different ports -- by default these are ports 1715 and 1716 respectively. These ports are specified in your FlexLM licence file, and you can change them to whatever you like. Your own machine will need to know the port for the FlexLM daemon, so make sure this is correct using the License Administrator tool.

The general procedure then is to tell any firewall between your machine and the licence server to let these two ports through. Remember that your machine may be running a firewall, the server may (and probably should) be running a firewall, and any routers in between also act as firewalls. Provided you (or a friendly administrator) have access to all these firewalls, this should work fine; however, if the machine and the licence server are on different networks, the communication may well go through a firewall that is not under your control. What can we do then? That's what we're trying to sort out here.
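
To see which of the two ports a firewall is actually stopping, the check below reads the ports from a licence file and tries a TCP connection to each. It is an added example, not part of the original page or of FlexLM; the sample licence text, hostname and host ID are constructed, and the function names are hypothetical.

```python
import re
import socket

# Constructed sample licence file (hostname and host ID are placeholders).
SAMPLE_LICENCE = """\
SERVER licserver.example.org 0011223344AA 1715
VENDOR msi PORT=1716
"""

def licence_ports(text):
    """Return (host, {daemon_name: port}) from SERVER and VENDOR/DAEMON lines."""
    host, ports = None, {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].upper()
        if keyword == "SERVER" and len(fields) >= 3:
            host = fields[1]
            # The lmgrd port is the optional fourth field of the SERVER line.
            ports["lmgrd"] = int(fields[3]) if len(fields) > 3 else None
        elif keyword in ("VENDOR", "DAEMON") and len(fields) >= 2:
            m = re.search(r"\bPORT=(\d+)", line, re.IGNORECASE)
            # Without PORT= the vendor daemon has no fixed port, so no
            # firewall rule can be written for it: reported as None.
            ports[fields[1]] = int(m.group(1)) if m else None
    return host, ports

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # actively rejected: no listener, or a rejecting firewall
    except socket.timeout:
        return "filtered"   # no answer at all: typical of a firewall silently dropping
    except OSError as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    host, ports = licence_ports(SAMPLE_LICENCE)
    for name, port in ports.items():
        status = "no fixed port" if port is None else probe(host, port)
        print(name, port, status)
```

Run it from the client machine: "filtered" on one port and "open" on the other points to a firewall rule covering only one of the two daemons.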