IBM Support

What ports to open when License Key Server is behind a firewall

Technote (troubleshooting)


What ports do you open when the License Key Server (LKS) is behind a firewalll or a NAT (Network Address Translator) server?


The LKS is running correctly and the License Key Administrator displays licenses when started within a local network where the LKS is running.

When starting License Key Administrator outside the local network, it displays an error:

    No license features were found on server <server>.  FLEXlm Error -96, Server node is down or not responding.

However, the ping and telnet tools return correct results when running them on a machine outside the local network:
   % ping <license-server>
   % telnet <license-server> 27000

When running the AppScan Enterprise Configuration Wizard behind the firewall, it displays the following error:

    The following license server had a validation error:
    Server 'server_name', Port '27000' - Unable to validate server.
    Verify the server information is correct and check that the
    Rational License Server is running at that location.

    This error shows often when you have the License Key Server installed in the local network where AppScan Enterprise Server is connected, and then you add a new Dynamic Analysis Scanner on a machine behind a firewall.


By default, the LKS manager (lmgrd) operates on port 27000. However, this is only one of the ports used by the license server. The LKS uses another port for the (ibmratl) vendor daemon, which also needs to be open as well.

The vendor daemon (ibmratl) should get assigned a port in the 27001-27009 range; however, in some situations, it gets assigned a different number, for example 643.

Diagnosing the problem

Run telnet from the machine behind the firewall to connect to the license vendor ports (ibmratl):
     telnet <license-server> <port>

or run the portqry utility to see if you can connect to the vendor port:
     portqry -n <license-server>  -e <port>
     where <port> is the specific port number for the "ibmratl" or "lmgrd" process

Resolving the problem

To allow the traffic through the (network or Windows) firewall, the ports for the following servers:
   - lmgrd (License server manager) and
   - ibmratl (vendor daemon)
needs to be open to allow an inbound and outbound traffic (bidirectional, two-way communication).

The port number for the lmgrd server is set to a static number 27000 by default.
The ibmratl server by default should get a port number assigned from the 27001-27009 range, however in some specific cases it may be assigned from a different range. Then the best way is to set it to a static number, for example 27001, as described below.

Change port numbers using License Key Server GUI

If you have License Key Server version 8.1.4 or newer, you can change port numbers as follows:

  1. On the machine where the License Key Server is installed, start License Key Administrator with "Run as Administrator" .
  2. Open the Settings > Server Ports... dialog.
  3. Set Port for "lmgrd" to 27000
    and Port for "ibmratl" daemon to 27001

  4. Click OK
  5. Then open two bidirectional ports on the firewall (Windows or network):
    • port 27000 for the lmgrd process
    • port 27001 for the ibmratl daemon process

Change port numbers manually
  1. With an editor (e.g. notepad) open the LKS file that contains the SERVER and VENDOR line (rational_server_perm.dat or rational_server_temp.dat) and add port=27001 to the VENDOR line so the SERVER and VENDOR lines look like this:
         SERVER <hostname>  <hostid/disc_serial_num>  27000
         VENDOR ibmratl
    You will find the rational_server_perm.dat or rational_server_temp.dat files in the LKS installation folder (by default: C:\Program Files (x86)\IBM\RationalRLKS\common).
    You will need to have administrator permissions to save the file.
  2. After the change to the rational_server files, restart the Windows service FLEXlm License Manager to get the changes into the License Server.
  3. Then open two bidirectional ports on the firewall (Windows or network):
    • port 27000 for the license manager process
    • port 27001 for the ibmratl daemon process

VENDOR and DAEMON means the same to the LKS. Then this line:
   VENDOR ibmratl port=27001
is equivalent to:
   DAEMON ibmratl port=27001

Note: When running License Key Server version 8.0 or earlier, you need to specify the port number for the rational vendor as well:
    VENDOR rational port=27002
In version 8.1.2 or later, the rational vendor is obsolete.

Note: If your license server is on a Linux or Unix platform, locate the *.dat license file and use a text editor to modify the daemon lines to look as folows:
   SERVER <hostname> <hostid> 27000
   DAEMON ibmratl /usr/local/flexlm/sun4_solaris2/ibmratl port=27001

   DAEMON rational /usr/local/flexlm/sun4_solaris2/rational port=27002

Related information

Ports used by AppScan Enterprise
Ports used by AppScan Source
Ports used by AppScan Standard

Cross reference information
Segment Product Component Platform Version Edition
Security IBM Security AppScan Source Licensing
Security IBM Security AppScan Standard Licensing

Document information

More support for: IBM Security AppScan Enterprise

Software version: Version Independent

Operating system(s): Linux, Windows

Reference #: 1454410

Modified date: 12 August 2016

Translate this page: