Tasks Specific to Network Licenses

Owned by Copy Page Tree
Last updated: Oct 06, 2023 by W.Erber
7 min read

A license server can serve network licenses to other systems on the network.

Note that software licenses are always network licenses. Hardware license keys can be either local or network-enabled. The network-enabled hardware license keys are red.

There are configuration steps and settings that only apply to network licenses. These are described in this section:

Communication Between License Server and Client

The communication between license server and client systems uses the IP protocol. This means that IP connectivity must be established between client and server. If client and server are not on the same network, they need the correct routing entry (or default route) to enable this communication. Port 1947 is used as the destination port for the communication between the License Managers. The communication uses both UDP and TCP. These protocols are used for different purposes:

  • UDP: This protocol is used by the client hosts to discover a license server on the network. If the option Broadcast Search for Remote Licenses is enabled in ACC (Access to Remote License Managers tab), the Sentinel License Manager on the client host sends UDP broadcasts to port 1947 to discover a license server and the license server replies to the client from UDP port 1947. Alternatively, search parameters can be specified, in which case the Sentinel License Manager on the client will send UDP "pings" to the addresses listed. UDP is also used to notify connected License Managers in case the local License Manager is stopped.
  • TCP: This protocol is used to connect to the discovered license servers via port 1947 and to transfer license data from them.

The Sentinel License Manager can use both IPv4 and IPv6.

Firewall Considerations

When using a license server to provide Charon licenses to client hosts on the network, any firewall installed between client and server must be configured to permit the required communication. The following sections provide information about the requirements.

Ports Used for Communication


The following ports are used for the communication between license server and client hosts:

  • On the server side (where network license has been installed), port 1947 must be open for incoming TCP and UDP traffic to allow client access to the license.
  • On the client side, traffic is initiated using ports 30000 through 65535 as the source ports and port 1947 as the target port. If broadcast search for remote licenses is to be used, the client must also permit UDP traffic initiated from port 1947 of the license server to ports 30000 through 65535 of the client.

If a host on the network cannot find the license server even though the server is operational, you can temporarily disable the firewall to determine whether it blocks the traffic.

Firewall Example on Linux

Important: the firewall configuration examples provided in this section do not constitute a recommendation of how the firewall in a specific customer network should be configured. They are provided exclusively for illustration purposes. The reader is responsible for configuring any applicable firewalls in a way that is consistent with the security policy of his/her organization.

As firewall configurations differ depending on other requirements of the environment, the following serves purely as an example of how the above settings could be implemented on Linux.

By default, most Linux firewalls allow the return traffic for any communication started at the local host. So, on a client host, the default firewall configuration will most likely be sufficient for the communication with the server unless broadcast search for remote licenses is to be used. In this case, the traffic from the license server to the client UDP ports described above also must be permitted.


The following example shows how to add a firewall service for the Sentinel communication on a license server using firewalld as the firewall:

# firewall-cmd --permanent --new-service=sentinelsrv

# firewall-cmd --permanent --service=sentinelsrv --add-port=1947/tcp

# firewall-cmd --permanent --service=sentinelsrv --add-port=1947/udp

# firewall-cmd --get-active-zones

# firewall-cmd --zone=<zonename> --permanent --add-service=sentinelsrv

# firewall-cmd --reload

The example above creates a new service named sentinelsrv, adds the necessary ports to the service, and activates the service in the zone associated with the correct interface (this information retrieved via the --get-active-zones) parameter. A final reload of the firewall activates the configuration.

Please note: the example above does not restrict the access to the license server to specific client IP addresses. If this is needed, a more sophisticated configuration is required. Please refer to the firewall documentation of your system for more information.

The following example shows how to add permission on the client to accept the UDP packets from the license server. This is needed if the broadcast search for remote licenses is to be used:

# firewall-cmd --zone=<zonename> --permanent \

--add-rich-rule='rule family=ipv4 source address=<licenseserver-IP>/32 \

port protocol=udp port=30000-65535 accept'

# firewall-cmd --reload

The example above adds a rich firewall rule permitting traffic from the IP address licenseserver-IP to the UDP ports 30000-65535 on the client. The reload of the firewall activates the configuration.

Please note: the example above does not restrict the access by the license server IP address to a specific source port. If this is needed, a more sophisticated configuration is required. Please refer to the firewall documentation of your system for more information.

To verify that the service and the rich rule have been added, use the following command:
# firewall-cmd --zone=<zonename> --list-all

An alternative to the command-line example above is the GUI tool firewall-config for firewalld.

Firewall Example on Windows

Important: the firewall configuration example provided in this section does not constitute a recommendation of how the firewall in a specific customer network should be configured. It is provided exclusively for illustration purposes. The reader is responsible for configuring any applicable firewalls in a way that is consistent with the security policy of his/her organization.

After the installation of the Sentinel runtime software, the firewall on Windows is configured to allow the necessary connections to the License Manager. The configuration allows incoming connections to the hasplms.exe program via all ports and from all addresses (program specific rule). 

To verify and, if needed, to change the configuration perform the following steps:

  1. Log in as a user with administrator rights.
  2. Press WIN+R and enter the command WF.msc.
  3. Select Inbound Rules in the right-hand panel.
  4. Look for the entry Sentinel License Manager.
  5. Select the entry above and then click on Properties in the left-hand panel.

This will display the properties of the Sentinel License Manager rule. Please refer to the Windows documentation if you need to modify the rule.

Controlling Access to Network License on Server Side

The Sentinel license manager on the license server can be configured to allow or disallow access from remote clients to the network licenses installed on the license server. To access this configuration option, perform the following steps on the license server:

1. Open a web-browser and go to the URL http://localhost:1947/_int_/config_from.html (option: Configuration / Access from Remote Clients).

2. This opens a page similar to the following. Please note: newer Charon emulator products (e.g., Charon-AXP/VAX version 4.9 and Charon-PAR 1.10) have newer versions of Sentinel ACC. The pages of these versions look different, but the functionality remains mostly the same.

Old ACC version:

New ACC version:

Or for versions starting with 8.x:

3. Possible actions:

    • To allow access from remote clients, activate the check-box next to the field Allow Access from Remote Clients or Anyone and cloud licenses can be consumed without identity and press Submit at the bottom of the page.
      To allow access from remote clients, network visibility on the "Network" tab must be set to All Network Adapters.
    • To refuse access from remote clients, clear the check-box next to the field Allow Access from Remote Clients or select No one, and press Submit.
    • Access Restrictions allow refining access rules, e.g., by specifying IP addresses. Please refer to Sentinel ACC help for details.

Sentinel ACC versions 8.x and higher have additional configuration options on this screen (mostly cloud related). These options are not relevant to Charon emulator products.


Controlling Access to Network License on Client Side


The Sentinel ACC can be configured to enable or prevent that the client host discovers network licenses and to change the options used to discover and access network licenses provided by a license server.

1. Open a web-browser on the client host and go to the URL http://localhost:1947/_int_/config_to.html
 (option: Configuration / Access to Remote License Managers). 

2. This will open a configuration page similar to the following. Please note: newer Charon emulator products (e.g., Charon-AXP/VAX version 4.9 and Charon-PAR 1.10 and higher) have newer versions of the Sentinel license drivers. The Sentinel ACC pages of these versions look different, but the functionality remains mostly the same

Old ACC version:

New ACC version:


3. Possible actions:

    • Activate the check-box next to the field Allow Access to Remote Licenses to enable access to license servers. Press Submit to save the setting.
    • Clear the check-box next to the field Allow Access to Remote Licenses to disable access to license servers. Press Submit to save the setting.
    • The option Broadcast Search for Remote Licenses, when activated, enables a broadcast search for license servers on the local network without having to enter the address of a license server.

Please note:

  • If the option Broadcast Search for Remote Licenses is not enabled or cannot be used in the customer specific setting, you can enter specific IP addresses or host names that should be queried for network licenses in the Remote License Search Parameters field. Please refer to the Sentinel ACC help function for more information.
  • To allow access to remote license managers, network visibility on the "Network" tab must be set to All Network Adapters.
  • Starting with Charon-AXP/VAX 4.9 for Linux, Charon-AXP/VAX version 4.8 for Windows, and Charon-PAR 1.10, these Charon emulator products do not follow the settings in the Sentinel ACC with respect to querying remote license servers and network visibility. They perform a broadcast search for network licenses even if this has been disabled in the local Sentinel ACC configuration. If this behavior has to be prevented for specific reasons, the access of the system to the license server has to be temporarily restricted or disabled, for example by blocking the relevant traffic in a firewall. Another possibility would be to block access to the network license at the license server side. Note that such methods can negatively impact other functions of the system or, in the case of blocking access to a network license on the server, even the functions on other license clients.



© Stromasys, 1999-2024  - All the information is provided on the best effort basis, and might be changed anytime without notice. Information provided does not mean Stromasys commitment to any features described.