Configure ArcGIS Desktop 10.x through a firewall

Summary

Many of today's networks use a firewall for enhanced security from outside threats. Because the license manager uses the TCP/IP protocols, implementing such a firewall can pose problems between the license manager server and the clients connecting to it.

The problem is caused by the firewall often closing or blocking access to the ports the license manager uses to communicate. By default, the lmgrd daemon starts on port 27000 if the port is available, or else it starts on the next open port within the range 27000–27009. The ARCGIS daemon is not confined to a particular port range. It is dynamic, meaning that it can listen on any available port.

To secure the license management environment and allow implementation a firewall, the ARCGIS daemon can be locked to a specific port. The lmgrd daemon may also be changed from the default 27000 to another port between 27000 and 27009. This range was pre-specified for license manager use by the Internet Assigned Numbers Authority

Procedure

Machines running ArcGIS on Windows XP Service Pack 2 and later versions of Windows with ICF enabled, including the License Manager server, must run these steps while logged into the computer with administrative privileges. If the user account does not have administrative rights, contact a system administrator.

1. Click Start > Programs > ArcGIS > License Manager > License Server Administrator.
2. Select Start/Stop License Server in the table of contents and click Stop.
3. Open Windows Explorer and navigate to the license manager installation location (C:\Program Files\ArcGIS\License10.x\bin by default), in which there is a service.txt file.
4. The file should look similar to this:

Note:
At the end of line one, a port number can be specified immediately after ANY.

On the VENDOR line, add PORT=#####, where ##### is a specific port number designated (it is best to use from ports 27001-27009), to lock the vendor daemon to that specific port , for example, 27001. After making the changes, the service.txt file should look something like this:

5. Save the .txt file.
6. From the License Server Administrator, click Start.
7. The vendor daemon is now static, locked to the port specified.
8. These ports can now be saved as exceptions in the firewall to allow communication between the license server and the client. Add the ports as in-bound and out-bound TCP exceptions.