Ports and Firewalls
[Last updated 06/03/2023 JJS]
Although disabling the firewall will restore the license server, it is not necessary to disable the entire firewall and leave your server vulnerable. Instead, just open the TCP/IP ports and programs needed by the Intergraph/Hexagon license server to the firewall exceptions list.
The Intergraph license server consists of two components; the license broker (lmgrd) and the vendor daemon (INGRTS). The client workstation sends a license request to the license broker, which queries the vendor daemon whether or not there is a valid license. The vendor daemon checks the license validity based on its own algorithm, and then sends the return back to the license broker, which lets license broker communicate with the client.
By default, the license broker uses TCP port 27000. If port 27000 is used by another program, the license broker will use another port available from range 27001-27009. Usually TCP port 27000 is open on most firewalls, but ports 27001-27009 are often blocked.
The vendor daemon also uses one random TCP port (e.g., port 1205) to communicate with the license broker, so that both the license broker and the vendor daemon have a distinct TCP port. The TCP port used by the vendor daemon can change every time the license server is restarted, and some firewalls block the ports which the vendor daemon uses.
You can specify which ports you wish to use in the License Administration tool:
You can find out what ports are currently being used by looking at the IntergraphLicensingService.log file found at C:\Users\Public\Intergraph\Licenses
To unblock the communication between the client, license broker, and vendor daemon, you must add the license broker, the vendor daemon, and their TCP ports to the Windows firewall exceptions list.
How to allow the Geospatial Licence Administrator through the Windows firewall
- Go to the Windows Control Panel, and double click on “Windows Defender Firewall”.
- Click on the link named “Advanced Settings” on the left of the Windows Firewall page, this will open a new dialog called “Windows Defender Firewall with Advanced Security”.
- Click > Inbound Rules
Now you need to add 2 programs and their 2 ports to the inbound rules. Programs to add - “lmgrd.exe” and “INGRTS.exe”:
How to add a program Rule
To add “lmgrd.exe” to program inbound rules:
- Choose “New Rule...”, this will start “New Inbound Rule Wizard
- From “Rule Type” step page, click on “Program”, and click “Next”.
- From “Program” step page, choose “This program path:”, Then click "Browse” button, which opens a file chooser. Go to C:\Program Files (x86)\Hexagon\Geospatial Licensing 2022\program\' and select “lmgrd.exe” from the list and then click “Open”. Click “Next”.
- Choose “Allow the connection”
- From “Profile” step page, choose all three options (e.g., “Domain”, “Private”, and “Public”)
- From “Name” step page, type a name for this new rule, for example “lmgrd”.
Repeat the steps above for “INGRTS.exe” also located in C:\Program Files (x86)\Hexagon\Geospatial Licensing 2022\program\'
Now you need to find out the ports that you need to allow through the firewall. Open your licence log file ‘C:\Users\Public\Intergraph\Licenses\IntergraphLicensingService.log’ read as a text file using a notepad application, such as notepad++. Search this log file for the ports used. As seen in the examples below:
- (lmgrd) INGRTS using TCP-port 49807
- (lmgrd) lmgrd tcp-port 27000
How to add a port Rule
- Choose “New Rule...”, this will start “New Inbound Rule Wizard”.
- From “Rule Type” step page, click on “Port”, and click “Next”.
- From “Protocol and Ports” step page, choose “TCP”, then choose “Specific local ports:”. Enter the port number (e.g., 27000). Click “Next”.
- From “Action” step page, choose “Allow the connection”
- From “Profile” step page, choose all three options (e.g., “Domain”, “Private”, and “Public”),
- From “Name” step page, type a name for this new rule, for example “lmgrd tcp port”. Click “Finish”.
Repeat steps above for INGRTS port value – e.g. 62236
Now you should be able to load your licence file or connect to the licence server.