(INTERNAL) Connecting to a license server through a firewall using an ssh tunnel
Anonym
IDL users often need to run IDL from home or another remote location while drawing a license from the license server at work. That license manager is usually behind a firewall. This tech tip explains how to reach a FlexLM license server through the firewall over an ssh tunnel, without opening a hole in the firewall.
Note: This technique has been tested under Linux and Mac OS X by a customer well versed in IDL, but it should work on other systems as well.
If you need to reach a license server through a firewall, for instance to run IDL from a remote site (another institution, home, etc.), it is preferable not to open a hole in the firewall for it. A connection to the license server through such a hole is unauthenticated: a hole open to everyone is a security risk, and a hole restricted to particular source IP addresses needs periodic maintenance to keep up with address changes.
The alternative is to grant access per user rather than per network or host: a known local account authenticates (with a password or key) and can then reach the server from any location. An ssh tunnel is a good way to provide this kind of connection. It adds little risk, because the tunnel is both encrypted and tied to an authenticated user, which is far better than leaving a port open to unrestricted access.
It is possible to open up a tunnel on port 1700 between the machines, but it is necessary to get both sides to agree on hostnames. One might expect to have a license file similar to this on the client:
SERVER localhost -some-mac-address- 1700
USE_SERVER
and then open a tunnel with something like this to connect to the license server:
ssh -f -N -L 1700:localhost:1700 username@idlserver
However, this produces an error. The problem is that IDL needs two connections to check out a license. The first is to the FlexLM license manager, lmgrd, which normally listens on port 1700. The second is to the VENDOR daemon, in this case RSI's idl_lmgrd. The vendor daemon normally picks an unused port at random when it starts, but a fixed port can be set on the license server with PORT= on the DAEMON line of the license file (called the VENDOR line in the FlexLM documentation). With only the first tunnel in place, the second connection is attempted directly and is blocked by the firewall.
So, to work from home or another remote location (behind a NAT system) and reach the license server at work through its firewall, do the following as a one-time set-up:
- On the server, license.foo.edu, modify the license file so that it starts out something like this:
SERVER license 001122334455 1700
DAEMON idl_lmgrd /usr/local/rsi/idl_5.6/bin PORT=31700
- On your home system, home.bar.com, first modify your /etc/hosts file so that "license" resolves to the loopback address:
127.0.0.1 localhost.localdomain localhost home license
This is required because the FlexLM license server identifies itself by the hostname on its SERVER line ("license"), and the connection to the vendor daemon is made to that name. Mapping it to 127.0.0.1 on the home system sends that second connection into the local end of the tunnel instead of out through the firewall.
- Next, create a minimal license.dat on the home system containing:
SERVER localhost 001122334455 17000
USE_SERVER
To run IDL locally, first start the two ssh tunnels to your license server with a script that contains:
ssh -f -N -L 17000:localhost:1700 license.foo.edu
ssh -f -N -L 31700:localhost:31700 license.foo.edu
(The two forwards can equally be given to a single ssh invocation with two -L options, so only one session has to be authenticated and kept alive.) Then run the "idl" command as normal. As long as those tunnels are up, everything should work. The local ports 17000 and 31700 are used only because they are free, high-numbered and easy to remember; 31700 must match the PORT= value on the server's DAEMON line, while 17000 is arbitrary as long as the client's SERVER line and the first -L agree. Note that ssh binds a -L forward to the loopback interface by default, so only processes on the home system can use the tunnel; do not add -g or a non-loopback bind address, which would re-expose the license server to the network.
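The set-up above, collected into a small script as an added example (this is not part of the original tech tip, and the function names are this example's own). It assumes the tip's placeholder host license.foo.edu, the hostid 001122334455 and the ports 1700, 17000 and 31700; it generates the client license.dat, prints the combined ssh command, and refuses to start the tunnels until /etc/hosts maps "license" to the loopback address, since a missing entry is the usual reason the second connection fails.

```shell
#!/bin/sh
# Added example, not from the original tech tip. Placeholder values taken
# from the tip; adjust LICENSE_HOST, HOSTID and the ports for a real site.
LICENSE_HOST=license.foo.edu   # the license server (assumed name)
HOSTID=001122334455            # hostid on the server's SERVER line (assumed)
LMGRD_PORT=1700                # port on the server's SERVER line
LOCAL_LMGRD_PORT=17000         # free local port used for the lmgrd tunnel
VENDOR_PORT=31700              # PORT= on the server's DAEMON idl_lmgrd line

# Client-side license.dat: lmgrd is reached at the local end of the tunnel,
# USE_SERVER leaves everything else to the server's license file.
# $1 = hostid, $2 = local lmgrd port
client_license_file() {
    printf 'SERVER localhost %s %s\nUSE_SERVER\n' "$1" "$2"
}

# One ssh command carrying both connections: lmgrd and the vendor daemon.
# Printed rather than run so it can be checked or logged first.
tunnel_cmd() {
    printf 'ssh -f -N -L %s:localhost:%s -L %s:localhost:%s %s\n' \
        "$LOCAL_LMGRD_PORT" "$LMGRD_PORT" "$VENDOR_PORT" "$VENDOR_PORT" \
        "$LICENSE_HOST"
}

# Does the hosts file map NAME to 127.0.0.1? This is what steers the
# vendor-daemon connection (made to the server's own hostname) into the
# local tunnel end. $1 = name, $2 = hosts file (default /etc/hosts).
# Comments are stripped so a commented-out entry does not count.
hosts_maps_to_loopback() {
    sed 's/#.*//' "${2:-/etc/hosts}" | awk -v n="$1" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Write license.dat next to this script and bring both forwards up in one
# authenticated session. -L binds to loopback only, so nothing outside this
# host can reach the license server through the tunnel.
start_tunnels() {
    if ! hosts_maps_to_loopback license; then
        echo "add 'license' to the 127.0.0.1 line of /etc/hosts first" >&2
        return 1
    fi
    client_license_file "$HOSTID" "$LOCAL_LMGRD_PORT" > license.dat
    ssh -f -N -L "$LOCAL_LMGRD_PORT:localhost:$LMGRD_PORT" \
                 -L "$VENDOR_PORT:localhost:$VENDOR_PORT" "$LICENSE_HOST"
}

# Only start ssh when invoked as "sh idl-tunnel.sh up"; sourcing the file
# or running its checks leaves the network alone.
if [ "${1:-}" = "up" ]; then
    start_tunnels
fi
```

Point IDL at the generated license.dat (for example through LM_LICENSE_FILE, or by copying it to the usual license location) and start IDL once the command returns; the two ssh forwards stay up in the background until the ssh process is killed.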