How do you serve NX FLEXlm licenses through a firewall?

A majority of the support calls that come into our queue are issues related to NX licensing. It isn’t that NX licensing is that hard to accomplish, but that the steps to accomplish it in YOUR environment aren’t so obvious.  There are many questions that help isolate the solution. Here are a few:

• Are you setting up a server/client environment?
• Do you only intend to run NX on one and only one computer?
• Do you have a valid license file?
• Have you edited your license file to include your server’s (computer) Composite Host ID (CID)?
• Have you edited the proper environment variable value to the correct server name and added the correct port assignment?
• Are you changing servers to a new/different computer?
• If you’re configuring a client/server environment, have you turned off the firewalls on BOTH machines?

Swoosh has created a number of ready reference documents when customers contact us needing help in this area. A number of those “How To” articles have been posted elsewhere on this blog site. But that last question on the list is what we’ll address in this article.

Starting the NX Install process

The typical NX customer has received the software installation files either by downloading from the Siemens website or our Swoosh Customer Portal website or they received them on DVD from Siemens. Then they’ve also received the customized/configured license file from either Siemens or Swoosh. That’s all there is.

Whether the NX installation files are copied into the specific directory where NX is to be installed or run from another location such as the DVD drive or from the “temp” download directory, the customer runs the “Launch.exe” file and off they go.

• Install NX
• Install the License Server
• Try to run the program

And, depending on what the problem is, what OS they are on, and what kind of network or wifi environment they’re in, a myriad of errors can occur…

Floating License Solutions

When trying to install and configure licensing for a floating license, where a license server computer allows access for many different client computers, one of the biggest obstacles that block our poor customers’ good intentions is the Windows firewall.

Even if the license file has been edited to include the server name, CID, and proper port identification, the license file has been renamed appropriately, if both the lmgrd service has been started and the license file read successfully, the Windows firewall will disallow any other device/user to access that precious license authorization. And dropping the firewalls on both the server machine and the client machines is a bad practice due to the risks/exposure to all those nasty computer viruses, phishing, stealing of personal identities, corruption, pillaging, and who knows what else?

The solution? Windows can create a “tunnel” through the firewall for the server/client connection.

Firstly, we have to establish clearly that the following is to be done on the server machine (computer where the license file resides) and not the client(s).

Setting up the “tunnel” in the Firewall

From this point, there are 2 methodologies, one a bit harder than the other. Let’s start with the easier of the two. This method, however, seems to be less successful according to Siemens.

Method 1

• The control settings for the firewall must be accessed. To access to the Windows Firewall settings on your computer, go to the Control Panel and at the bottom, choose Windows Firewall.

• Choose “Allow an app or feature through Windows Firewall”.

From this point the process is dependent on your OS and environment, such as, whether or not you are running within a domain or if you want to control only the Private or Public Network options to allow the app to run through the firewall.

Here’s an example of a Windows 8 OS in a domain environment. Notice there are toggle options for the domain, public, and private networks.

• Select the software you want to create the tunnel for, i.e. NX, and then choose “Change settings”.

• Then it simply allows you to select check boxes for which environment you want to tunnel through.

Assigning the specific ports to tunnel through

Method 2

With this option, the harder of the two, there are two general tasks:

• Edit the splm license file.
• Edit the firewall rules on the license server.
• Stop the FLEXlm license server process.

This is accomplished with the LMTOOLS utility . Once started, go to the Start/Stop/Read tab, turn on the “Force Server Shutdown” option, and choose the “Stop Server” button.

Close the LMTOOLS window.

• Now, in the license file, you must set the port for the uglmd process to a static port number.

Do this by editing the VENDOR line in the license file.

The VENDOR line should have the following format:

VENDOR uglmd port=26999

Make sure that you do not use a port number that is required by any other application.  Unigraphics’ lmgrd may use 28000 to 28009 (27000 to 27009 prior to NX 5), so do not use any of these numbers. Siemens recommends using port 26999; this port number is not normally in use.

• Start the FLEXlm license server process.

Just reverse what you did in Step 1 by choosing the “Start Server” button.

Now this is the task where we edit the firewall rules on the server…

• On the firewall, you must open up the ports for ugslmd and lmgrd.

Start as you did above, by going to the Control Panel and selecting “Windows Firewall”. In the Windows Firewall window, select the option for “Advanced settings”…

From there, the option of “Inbound Rules” should be selected:

Disregard the list of existing rules in the middle and select “New Rule” on the right:

In the Rule Type step, select “Port” and then Next.

By default, FLEXlm uses port 27000 for lmgrd, but we recommend using port 28000.  Also, if you followed the example above, you have set the uglmd port to 26999 in the license file.  Therefore, the two ports you should open on the firewall or router would be ports 28000 and 26999.  The exact steps for doing this will depend on what operating system and firewall is in place. Refer to the OS help or third-party firewall instructions for guidance.

Make sure the options for “TCP” and “Specific local ports:” are selected and enter in “26999, 28000” in the entry field.

You can verify that the ports are open by trying a telnet session to the port. If it connects (it doesn’t actually have to fully open a session), then it is open.

On UNIX, in a terminal window or on Windows, in a Command Prompt, you can test this with the command:

   telnet {hostname} {port number}        (i.e.       # telnet {server name} 28000)

• You may want to consider creating a FLEXlm options file to make sure that unauthorized users aren’t connecting to the license server since the ports are open on the firewall.

Chapter 13 of the Acresso License Administration Guide gives information on creating an options file; however, GTAC does not give support for creating options files.