firewall | EDA Solutions

Published by Henry Frankland – Latest update: 31/08/2022

Relevant product(s): All FlexNet licensed products
Operating systems: Linux RHEL 7 and above
Versions affected: All
Relevant area(s): Licensing
ID: TN044

Summary

Normally licensing and clients are in the same LAN as each other. Sometimes it can be necessary to access a license server that is on a WAN network. When connecting to the licensing server, as shown in Figure 1, over WAN connection attention is needed to the ports used.

Figure 1: A diagram detailing off site licensing to license server that is based in another network

Details

The license server comprises of two daemons, the LMGRD daemon and MGCLD daemon. Typically the LMGRD daemon for the Mentor Graphics tools will use port 1717, then unless set in the server license file (PORT=) a random port for MGCLD.

Standard practice for connecting to license servers is to reference the lmgrd port, typically 1717. Doing so while connecting to a license server over WAN will trigger the client to use the wrong IP when it then contacts the mgcld daemon in subsequent communication. In this configuration, the client will get passed the internal network IP for the server machine rather than the ip of the WAN network, as such no traffic can be routed to the AWS network, as shown in Figure 2.

Figure 2: A summery of the connections made to the server when a license request is made.

Solution1 (VPN):

Configure a VPN to the remote network so that you appear on the same network as the server machine. This avoids problems with network namespace problems. But this might not be advisable if you want to give the connecting access to the entire network the license server sits in and the machines on that network.

Solution2 (point to mgcld port):

The problem with incorrect happens only when specifying the LMGRD port first. It is also possible to use the license port of the vendor daemon. Typically the vendor daemon will not be fixed to a specific IP unless forced to in the license server file as highlighted in Figure 3.

Figure 3: A snippet of the License file demonstrating the server and vendor daemon lines

Once the vendor daemon port is set on the server machine, ensure to restart or reread the license server file:

Options 1: Re reading license
`Lmreread -c $LM_LICENSE_FILE`

Options 2: restart the licensing service

None service based restart example:	Service based restart: [1]
`Lmdown -c $LM_LICENSE_FILE Lmgrd -c $LM_LICENSE_FILE -l $LM_LICENSE_LOG`	`Sudo systemctl stop mentlic.service Sudo systemctl start mentlic.service`

Finally use the license pointer with the mgcld daemon port with the following syntax 1718@<WAN_IP>

Solution3 (iptables NAT):

As the only effected software is Linux based a option on the client side machines is to set a iptables NAT translation that routes outbound traffic from the incorrect IP to the correct external IP. This can be done with the command shown in:

sudo iptables -t nat -A OUTPUT -p tcp -d 172.31.2.56 --dport 1718 -j DNAT --to-destination 3.9.57.68:1718

Useful references

[1] Henry Frankland, “Licensing as a service (systemd) on Linux,” Fareham, Feb. 2022. Accessed: Aug. 31, 2022. [Online]. Available: https://www.eda-solutions.com/tn028/

Attachments

N/A