License Proxy - SSH Tunnel

A step-by-step guide for Rescale customers to setup a license proxy using SSH tunnel mode on Rescale admin page

SSH Tunnel Mode is used when a user opts to use their existing software licenses on Rescale’s platform by establishing an SSH tunnel. Rescale provisions an exclusive proxy server for that user and the proxy server forwards license polling requests from software on Rescale’s platform to a user’s local license server. This is the quickest method to setup a license proxy. It also provides free encryption service; all license requests are passed through an encrypted SSH tunnel. There will be a recurring monthly charge for the connectivity to the Rescale proxy server that has to be paid by the user

Here are the prerequisites to set up license proxy in SSH Tunnel mode:

  • The user should have an account in Rescale
  • The user should have an account in Rescale with company administrator rights
  • Hostname for on-premise license server
  • The user's computer should allow outbound ssh access on port 22
  • List of software and associated license and vendor ports
  • Ensure that vendor ports are fixed in license files
  • The user should have access to the on-premises license server with admin privileges to debug any issues

This section lists the steps to be followed on your local on-premises workstation where the license server is hosted

Obtain Port and Host Name Information

  • Ensure that FlexLM (Flex License Manager) or RLM (Reprise License Manager) is running

  • Obtain the hostname and the ports (license and the vendor) from the license file

  • The port the license server listens on can be obtained from the license logs

  • For both FlexLM and RLM there are 2 processes that handle license access: the License Server (lmgrd or rlm) and the Vendor Daemon

  • For FlexLM, look at the part of the log when the license server was started. It will display information in the following format. You will need to obtain the ports from this part of the log:

00:00:00 (lmgrd) FlexNet Licensing (<license manager version>) started on <hostname>
00:00:00 (lmgrd) lmgrd tcp-port <license server port>
00:00:00 (lmgrd) Started <vendor daemon> (pid <pid>)
00:00:00 (lmgrd) <vendor daemon> using TCP-port <vendor port>

Similarly, the ports as well as the hostnames for the Reprise License Manager can be parsed from the license logs. The format of the logs will look something like this:

1/1 00:00 (rlm) License server started on <hostname>
1/1 00:00 (rlm) Using TCP/IP port <license server port>
1/1 00:00 (rlm) Starting ISV server <vendor daemon> on port <vendor port>

Update Vendor Ports

  • Before making changes to the vendor ports, make sure you temporarily shutdown the License server and there are no jobs running
  • Open the license file in text editor with admin privileges and edit (fix) the vendor ports
  • Each time the license server restarts, the vendor port might change. Therefore, it is important that the vendor port is fixed

Restart the License Server and Verify Changes

  • In order to apply the changes, the license server should be restarted
  • Look for the flexnet license log file and verify if the vendor port is correctly updated

Once the license server has restarted, please follow the steps mentioned below:

For Windows Users

Download open-source SSH bundle from the link containing the following:

  • Plink - to be used to run the executable
  • PuTTY - to be used as SSH terminal
  • PuTTYgen - to generate the (private/public) key pair
  • Pageant - to enable private key for connection

Directory Files

Make sure you have moved all of the files from download folder to a specified location

Example: My computer > C:> Documents > Rescale tunnel

Generate (private/public) Key Pair using puTTYgen

To generate the private/public key pair, follow the steps as mentioned below:

  • Open puTTYgen, generate the private/public key pair and save it to same folder where all the files were saved in the previous step

See screenshot below to generate the key pair:


Import Keys into Pageant

To import keys into Pageant follow the steps mentioned below:

  • Open pageant.exe to launch the key manager, it might launch in the Windows taskbar
  • Look for the pageant.exe icon in the taskbar, right click on it and select Add Key


  • Select the private key that you generated in the above step to import it into pageant and click Open


For Linux Users

On Mac OSX and Linux, SSH key generation utilities can be run from the command line of a terminal. To open the Mac OSX Terminal, open the Finder and choose Utilities from the Go menu. Find the Terminal application in the Utilities window and double-click it. The Terminal window opens with the command line prompt displaying the name of your machine and your username

First check for existing keys on your computer. From the command line of the terminal type:

$ ls -al ~/.ssh

This lists the files in your .ssh directory, however, if you have a new Mac OSX or Linux installation, the .ssh directory may not yet exist

The default public key file names are:


If you wish to use an existing key file for your Rescale account, you can skip to the next step - Copy contents of your public key

Generate a New SSH Key

By default, keys for all identities are added to the directory:

  • /Users/_yourname_/.ssh on Mac OSX
  • /home/_yourname_/.ssh on Linux

If you have an existing identity (public/private key pair) in this directory that you want to use on Rescale, skip this step. To create a new default identity:

  1. Open a terminal session on your local system
  2. Enter ssh-keygen at the command line in the terminal
  3. The command prompts you for a file to save the key in. If the .ssh directory doesn't exist, the system creates one for you
  4. Accept the default location

The ssh-keygen command creates your default identity with its public and private keys. The whole interaction will look like this:

[mairi@centos ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mairi/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mairi/.ssh/id_rsa.
Your public key has been saved in /home/mairi/.ssh/
The key fingerprint is:
ed:88:95:91:38:e4:5e:ff:d6:73:70:f7:43:3e:f6:3b mairi@centos
The key's randomart image is:
+--[ RSA 2048]----+
|      .          |
|     o . .       |
|      + +        |
|     . o =       |
|      . S o   ..o|
|       o o . .ooo|
|      . . . o o=o|
|           .  .E+|
|               .+|
  • You can, of course, save your new key pair to an alternative, i.e. non-default, location in your file system if you wish. By default, ssh-keygen generates 2048-bit RSA keys

  • ssh-keygen generates a public key and a private key. If not specified, the default public key will be saved as and the private key as id_rsa in your ~/ssh folder. Ensure that the ~/ssh is only accessible by you by setting the proper permissions to that folder:

chmod 700 ~/.ssh

This section lists the steps to setup a license proxy on the Rescale admin page. The license proxy setup on the Company Administration Page can be accessed at license proxy page. The page will look similar to the screenshot below:


  • Navigate to the Rescale Administrator page from your accounts to start the setup of license proxy

  • Navigate to Integrations >> License Proxies

  • Select Add New

  • Give an identifiable name for the license proxy

  • Select SSH Tunnel as the "License Proxy Mode"

  • Do not make any changes to the "Enable High Availability" option. The default value is No

  • Put in your public SSH keys for authorized connection to the license proxy server You can obtain your public keys from the file that was generated using puTTYgen and was saved in the folder created in step (How to generate (private/public) key pair using puTTYgen) or if you have puTTYgen open, you can directly copy the keys from the window and paste. If you are unsure on how to do this, please check out this page on SSH Keys Setting up your SSH Key pair

  • Click on Add an Access Rule (These are the CIDR rules for SSH access of the license proxy server)

To set the Access Rules, follow the steps mentioned below):

  • Open a web browser (Google Chrome or Internet Explorer) and search "my IP"
  • Copy and paste the IP address with /32 mask (e.g and add a description (e.g "Office IP") that you want to describe it as.
  • You should make sure the IP you would like to access the proxy from should fall within the specified range.

The CIDR rule is required because this will enable the SSH tunnel execution from that location to the Rescale proxy. Every user in the company will be able to use Rescale and submit jobs as long as this tunnel connection is UP, regardless of the physical location. If the license server(s) are in the same network, then there has to be a public IP of that physical location added in the Access Rules.

  • After adding the CIDR, add the license port information. Select a "Unique Hostname" for your license proxy. This is the hostname of the machine that hosts the license server. The hostname can be obtained from the license logs


  • Add the license server ports for the proxy to route traffic. It can be obtained from the FlexLM logs file. For example, if you are running Abaqus your FlexLM logs will look like this:


You should then fill in two Port numbers (license port and vendor port) and select the correct Software from the dropdown under software section on the proxy page as shown below:

License ports new

  • Please note: For Example, if you are using ANSYS software, it has 3 ports (2 license server ports (1055 and 2325) and 1 vendor port (49281)), as shown:


  • The port information for the software you are using can be obtained from your license file (FlexLM or RLM)
  • After making the above mentioned changes, click on the Launch License Proxy button
  • Once your proxy has launched, you should see the following information on the page:

Proxy Sync

Follow the steps outlined below in order to complete the SSH tunnel settings on your on-premises server:

For Windows Users
  • Download and save the batch script to a directory containing the plink.exe executable as mentioned in section Set up system settings for SSH

  • Make sure your private key (.ppk) is stored in the same directory as pageant.exe


  • Now, use windows explorer to go to the directory where all the files are, go to the search bar, and type “cmd”

  • This will open a command prompt at the directory you are in, so you don’t need to change the directory and navigate to the particular directory from the command prompt

  • Open the (<company>_license_proxy.bat) file (script) in a text editor


  • Copy everything starting from plink and paste on the command prompt window

(E.g plink.exe -ssh -R 1055:on-prem-license-server-1:1055 -R 2325:on-prem-license-server-2:2325 -R 49281:on-prem-license-server-3:49281 -v -N)

  • Run the batch script to establish the ssh tunnel

The command window will print out a log which shows something like this:

Looking up host "<company>"
Authenticating with public key "<key>" from agent Sending Pageant's response
Access granted
Requesting remote port 27000 forward to my-server:27000
Requesting remote port 28000 forward to my-server:28000
Remote debug message: Forwarding listen address "localhost" overridden by server GatewayPorts Remote port forwarding from 27000 enabled
Remote debug message: Forwarding listen address "localhost" overridden by server
Remote port forwarding from 28000 enabled

For Linux Users
  • Download the script, as shown below:


  • Open the <company>_license_proxy.bat file (script) in a text editor, copy everything starting from ssh and paste in the terminal

(E.g ssh -R 1055:on-prem-license-server-1:1055 -R 2325:on-prem-license-server-2:2325 -R 49281:on-prem-license-server-3:49281 -R -v -N &)

  • Run the shell script in your terminal to establish the ssh tunnel


To test your connection and verify if the settings made were properly configured:

After following the above steps you should get a successful SSH Tunnel connection and you should be able to see the tunnel status as Green and UP on the company license proxy page as shown below:


  1. Back on the License Proxy Company Administration page the Listening Ports section should be updated to indicate whether your tunnel is working or not:


  1. Click on the Radio Button under actions options on the company license proxy page as shown below:


Please note that the radio button only displays the status of the FlexLM license servers. If you have a RLM license the radio button will not display any information

  1. Submit a dummy job by logging into your Rescale account.
  • Create a new job by clicking the +New job button in the top left of the page. Select the Software you want in the software section and select Provide Existing License option as shown below:

Provide Existing License

  • In the appropriate field type in the <license server port>@<hostname>, in our example case 27000@my-server, then click the Check Availability button. The license prompt provides customers immediate feedback for whether the license server address specified is reachable from the Rescale platform by clicking the blue Check Availability button. The connection information should be printed to the screen as shown below:


If you see the tunnel status to be "Down" and not running it can be because of the following reasons:


  • On-premises workstation got restarted where the tunnel is running from
  • Pageant is not loaded while running the license server
  • Private keys are deleted
  • License server is put down for any reason
  • The license server is disconnected from the internet
  • The license service (i.e lmgrd) has exited
  • The license has expired