Secure SHell (SSH)

SSH for License Server Port Forwarding


Port Forwarding

Port forwarding uses the capabilities of SSH software on client and server systems to make it appear that specific network tasks are originating from the remote server instead of the user's local machine. The most common use at the University of Virginia is when access to license servers is needed on a machine where running a Virtual Private Network (VPN) is not practical. When possible, using a VPN connection instead of just port forwarding will result in a more reliable solution with fewer modifications to your system.

How to Do Port Forwarding

Port forwarding diverts traffic for specific tasks by taking advantage of the TCP/IP convention of assigning specific numerical “ports” to network activity related to a specific task.

When setting up an SSH connection for port forwarding from a Windows system, use SecureCRT's port forwarding capabilities. For Mac OS X, Linux and UNIX you will use the ssh command from a terminal window. These connections must be left running for the port forwarding to continue.

Port Forwarding with Software from the ITC Software Licensing Database

Most of the software available from our UNIX license server makes use of the FlexLM license manager. This requires that two ports be specified.

The appropriate ports to use for licensed software downloaded from the ITC Software Licensing Database server are included in the information available on that server, and may vary by software used. Log in to the database, select the product, then click on "access license codes and program files" to find the port numbers that must be tunneled. Usually these numbers will be at the top of the page that is revealed when the license codes are accessed.

Follow the instructions below for your operating system to create an ssh tunnel for a particular software package.

SecureCRT Port Forwarding Instructions

To use Port Forwarding on Windows systems, you need to modify the hosts file on the machine, then install SecureCRT and add a connection profile as follows. Because of the modification of the hosts file, you will need to use port forwarding even on Grounds when using programs requiring access to the license servers.

  1. Edit the file C:\windows\system32\drivers\etc\hosts with a plain text editor like Notepad. You will need Administrator privileges to do this.
    Use with the ITC Software Licensing Database: In order to check out a license for certain research software, you must add the names of the license servers for that software to your hosts file. The names of the license servers may be found in the ITC Software Licensing Database. In Windows XP, for example, the hosts file is in the C:\Windows\system32\drivers\etc directory. Open the file in a text editor such as Notepad. (Do not use Word or another word processor.) The file should contain a line
    127.0.0.1 localhost
    Immediately below this line, add three lines
    127.0.0.1 localhost lm1.license.virginia.edu
    127.0.0.1 localhost lm2.license.virginia.edu
    127.0.0.1 localhost lm3.license.virginia.edu

    Note: The three lines in this example use the names of three servers. There may be fewer server names for your particular software and they may have different names.
  2. Start SecureCRT.
  3. In the Connect window choose the New Session icon.
  4. Name the new session tunnel1.
  5. Enter blue.unix.virginia.edu as the host to connect to.
  6. Select properties for the connection and expand the Connection property to see Port Forwarding.
  7. Select Port Forwarding.
  8. For each port you need to forward to the license server, repeat the following:
    1. Click Add.
    2. For Name: enter portx where you replace x with a unique number.
    3. Leave the local IP address the default.
    4. Enter the license server port number to forward.
    5. Select Destination host if different from the SSH server.
    6. Enter the license server host name lm1.license.virginia.edu.
    7. Enter the destination port (note that the same number should be entered in this step and step 4.)
    8. Click OK.
  9. When you want to use an application requiring the license servers, start the tunnel1 profile in SecureCRT and log in. Leave it running until you are finished using the licensed application.
  10. Because ITC has more than one license server, you may want to set up a second connection profile named tunnel2 substituting lm2.license.virginia.edu for lm1.license.virginia.edu, for instance.

Mac OS X, Linux and UNIX Configuration Instructions

To set up port forwarding for Mac OS X you use the underlying UNIX operating system. As a result, Linux, Mac OS X and other UNIX systems use the same instructions to establish port forwarding.

  1. Using a text editor, edit the file /etc/hosts. This is a protected file and you will need to edit it as root or from an appropriate administrator account. These changes will divert all traffic addressed to the named machines to the local computer. As a result, even on Grounds, you will need to use port forwarding to connect to licensed software after these changes.
    1. Locate a line starting 127.0.0.1
    2. Below that line add the following two lines:
      127.0.0.1 localhost lm1.license.virginia.edu lm1.license.Virginia.EDU
      127.0.0.1 localhost lm2.license.virginia.edu lm2.license.Virginia.EDU
  2. Obtain the appropriate port and license server numbers to reach the licensed software. For the remainder of this example, we will assume one of the applications you use needs ports 9999 and 9997, a second one port 9995.
  3. Again using a text editor, create a new file named tunnel.sh in your home directory on the local machine. (If created on the Desktop in Mac OS X, open a Terminal window and issue the command mv Desktop/tunnel.sh ~/ to move it to your home directory.)
  4. In tunnel.sh enter the following information (either as a single line or with the \ at the end of lines other than the last line.)
    # One -L option per forwarded port: local_port:license_server:remote_port
    ssh -L 9999:lm1.license.virginia.edu:9999 \
        -L 9997:lm1.license.virginia.edu:9997 \
        -L 9995:lm1.license.virginia.edu:9995 \
        YourUserID@blue.unix.virginia.edu

    (Substitute your assigned ID, e.g. mst3k, for YourUserID in the line above)
    
    If there are additional license servers or ports, use the lines above as a guide, with an additional entry for each port and server. If a particular piece of software uses the same port and server as an existing one, do not create duplicate entries, as it will not work and there is no need for the duplicate.
  5. Save the file.
  6. Issue the following command to make the file executable: chmod u+x tunnel.sh
  7. To run the command start a terminal window on your computer and issue the command ./tunnel.sh and you will be prompted for your password on blue.unix.virginia.edu.
  8. Leave the terminal window and ./tunnel.sh running while using the software requiring access to the license servers.
  9. You can create a tunnel2.sh command similar to the tunnel.sh command, substituting lm2.license.virginia.edu for lm1.license.virginia.edu to take advantage of lm2 should lm1 be down.
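
The following is an added example, not part of the original ITC page: it builds the tunnel command from a list of server:port pairs, skipping duplicates as step 4 requires, and checks that a hosts file maps a license server name to 127.0.0.1. The function names are hypothetical, and the -N option, ExitOnForwardFailure setting and explicit 127.0.0.1 bind address are additions that go beyond the command shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the ITC page.

# build_tunnel_cmd USER@GATEWAY HOST:PORT...
# Prints one ssh command with a -L option per unique HOST:PORT pair.
build_tunnel_cmd() {
    gateway=$1; shift
    seen=" "
    args=""
    for pair in "$@"; do
        host=${pair%:*}
        port=${pair##*:}
        # Reject anything that is not a valid TCP port number.
        case $port in
            ''|*[!0-9]*) echo "bad port in '$pair'" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
            echo "bad port in '$pair'" >&2; return 1; }
        # Duplicate entries do not work, so skip pairs already seen.
        case $seen in *" $pair "*) continue ;; esac
        seen="$seen$pair "
        # Bind to 127.0.0.1 explicitly so the forwarded license port is
        # never reachable from other hosts on the network.
        args="$args -L 127.0.0.1:$port:$host:$port"
    done
    # -N: open no remote shell. ExitOnForwardFailure: exit rather than
    # keep running with a forward that could not bind.
    echo "ssh -N -o ExitOnForwardFailure=yes$args $gateway"
}

# hosts_maps_to_loopback HOSTS_FILE NAME
# Succeeds if NAME is on a non-comment 127.0.0.1 line of HOSTS_FILE.
# Host names are compared case-insensitively.
hosts_maps_to_loopback() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) found = 1
        }
        END { exit !found }
    ' "$1"
}

# Usage (YourUserID is a placeholder, as in step 4):
#   hosts_maps_to_loopback /etc/hosts lm1.license.virginia.edu &&
#   eval "$(build_tunnel_cmd YourUserID@blue.unix.virginia.edu \
#           lm1.license.virginia.edu:9999 lm1.license.virginia.edu:9997)"
```

Running the hosts check before starting the tunnel catches the case where the application would bypass the tunnel and try to reach the license server directly.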

© 2009 by the Rector and Visitors of the University of Virginia.
