|
Creating ssh tunnels (aka port forwarding) is fairly simple. Below I describe a more complex scheme that allows you to run RSI's IDL program at home with a license from your workplace. Both your home computer and your IDL license server at work are behind firewalls (with or without NAT).
In the following I assume that your home computer is called compHome, your workplace machine is called compWork, and the IDL license server runs on a machine called serverWork. To make things a bit more complicated, I assume that you cannot connect directly via ssh from compHome to compWork or serverWork; instead, you have to tunnel through a dedicated machine called tunnelWork. For example, compWork could in reality be sleepy.universe.com.
Let's see how things start. First we establish a tunnel from our home machine to the dedicated "tunnel" machine at work. Inside a terminal shell we enter:
ssh -N -L 12345:compWork:22 tunnelAccount@tunnelWork
Enter your password after the "Password:" prompt (the password for account tunnelAccount on machine tunnelWork).
The option -N means "do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only)."
This tunnel allows me to connect to my work computer via ssh on local port 12345 (you can use any free port number, preferably above 1024), e.g. to log in I can type in a new terminal shell:
ssh -p 12345 myAccount@127.0.0.1
With the right password for account myAccount on machine compWork I can log in and start working ... but that's not what we want here.
However, just for fun and as you will see later for some good reason, I can start idl on my work computer. At the idl prompt I type a command to find out on which extra port the idl license server communicates:
IDL> $netstat | grep serverWork
tcp4 0 0 compWork.50334 serverWork.32905 ESTABLISHED
The output indicates that the extra port has port number 32905. This can change depending on your license server set-up. If you have trouble finding this port number, you can compare the outputs of the netstat command with and without an idl process running.
We now have all the necessary information to create the "license" tunnel to the IDL license server, which is our goal. At the home machine, inside a new terminal shell we enter (the -g option may or may not be needed; it lets other hosts connect to the forwarded ports, so leave it out if only the home machine itself uses the tunnel):
ssh -g -p 12345 -L 1700:serverWork:1700 \
-L 1701:serverWork:1701 -L 32905:serverWork:32905 myAccount@127.0.0.1
You may ask where the hell these numbers 1700 and 1701 come from. Well, these numbers are very often (but not always!) used in the license server startup file. If you have access to the IDL license server license file, you can check whether 1700/1701 is ok by looking at the "server" entry in license.dat.
This line could look like: "SERVER myserver 00b012345678 1700", which shows that the license server will use ports 1700/1701 for communication with IDL clients.
One more thing to do and we can run idl at our home computer. In another terminal shell we set the environment variable LM_LICENSE_FILE with the (csh, tcsh) command:
setenv LM_LICENSE_FILE 1700@127.0.0.1
Finally, we start idl and should receive a license from the license server.
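The ports for the license tunnel come from two places above: the SERVER line in license.dat and the netstat output on compWork. The following sh script is an added example, not part of the original write-up or of RSI's tech tip: it extracts both ports from constructed samples of those lines and prints the ssh command with every forward bound explicitly to 127.0.0.1, so the license ports stay off the home network and -g is not used. The function names are invented for this example.

```shell
#!/bin/sh
# Constructed samples, modelled on the two lines quoted in the text above.
SAMPLE_LICENSE='# license.dat (constructed)
SERVER myserver 00b012345678 1700'
SAMPLE_NETSTAT='tcp4 0 0 compWork.50112 otherHost.22 ESTABLISHED
tcp4 0 0 compWork.50334 serverWork.32905 ESTABLISHED'

# license_port: read license.dat text on stdin, print the SERVER line's port.
license_port() {
    awk '$1 == "SERVER" && $4 ~ /^[0-9]+$/ { print $4; exit }'
}

# vendor_port HOST: read BSD-style netstat text on stdin, print the remote
# port of the first ESTABLISHED connection to HOST (column 5 is host.port).
vendor_port() {
    awk -v h="$1" '$NF == "ESTABLISHED" {
        n = split($5, a, "[.]")     # the port is the last dot-separated part
        host = substr($5, 1, length($5) - length(a[n]) - 1)
        if (host == h && a[n] ~ /^[0-9]+$/) { print a[n]; exit }
    }'
}

# tunnel_cmd LICENSE_PORT VENDOR_PORT HOST: print the ssh command for the
# license tunnel. Forwards LICENSE_PORT, LICENSE_PORT+1 and VENDOR_PORT.
tunnel_cmd() {
    case $3 in ''|*[!A-Za-z0-9.-]*) echo "bad host: $3" >&2; return 1;; esac
    for p in "$1" "$2"; do
        # digits only, no leading zero (would be read as octal below)
        case $p in ''|0*|*[!0-9]*) echo "bad port: $p" >&2; return 1;; esac
        [ "$p" -lt 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    fwd=""
    for p in "$1" "$(( $1 + 1 ))" "$2"; do
        fwd="$fwd -L 127.0.0.1:$p:$3:$p"    # loopback-only listener
    done
    echo "ssh -p 12345$fwd myAccount@127.0.0.1"
}

# Stand-alone run on the constructed samples.
lp=$(printf '%s\n' "$SAMPLE_LICENSE" | license_port)
vp=$(printf '%s\n' "$SAMPLE_NETSTAT" | vendor_port serverWork)
tunnel_cmd "$lp" "$vp" serverWork
```

With real data, feed license_port the contents of license.dat and vendor_port the netstat output captured on compWork while idl is running.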
Just for fun, here's a copy of the old RSI tech tip #3466, which is no longer available on the company's new web pages. |