Installing and using the Key9 Proxy server for Linux

Updated by Bryan Jones


This document covers the setup of the Telos Alliance Key9 License Server Proxy for Linux on a computer in your facility. Many Telos products require this for licensing; however, no individual product support is covered in this document.

If you need a Windows version, please see our Installing and using the Key9 Proxy server for Windows document.


Some Telos Alliance products require a license to operate. These licenses activate (or deactivate) features allowing flexibility in your operating model and allowing for software updates, priority support, etc. These licenses are controlled by a cloud-located activation server, meaning your products must have access to this server.

Often the networks to which these products are connected are purposely not connected to the internet. For this reason, Telos Alliance offers this proxy server which can reside on a computer that DOES have access to the internet.

Here's a diagram of a typical configuration.


Some Linux installations may require the use of the sudo command ahead of any other commands.

The sudo command in Linux is used to execute commands with elevated privileges or as a different user, typically the superuser (root). The word "sudo" stands for "superuser do." When you prefix a command with sudo and enter your password, it allows you to perform administrative tasks that require higher privileges than your current user account provides.
  1. Click here to download the Key9 Proxy and save it. If you are in a Linux terminal interface using a wget command, you can use;
  2. Ensure the file is executable by using the command
     $ chmod +x key9proxy
  3. Create a configuration file.
    $ ./key9proxy --config
    To continue, you must type YES to agree to the EULA (End User License Agreement).
    1. Specify the Listen Interface and port. The default is [] which means listening for license requests on any network interface. Press Enter to accept the default.
    2. Specify the server address or press Enter to accept the default.
    3. Specify the service user. It can be left blank.
Once complete, a key9proxy.json file is created. If the file is not created, check the permissions of the directory where key9proxy is located.
  1. Run the proxy in test mode.
$ ./key9proxy --test

You will see the message;

Telos Alliance License Server Proxy v1.0.3. Copyright (C) 2023 TLS Corp.

I: 16:27:02 Started on linux-systemd
I: 16:27:02 Waiting client connections on

  1. Press Control+C to exit.
  2. Install as a service so the proxy server starts when the system is rebooted.
     $ ./key9proxy --install
  3. Start the service
     $ ./key9proxy --start


After the proxy server is installed, configured, and tested, you need to configure all telos alliance products to point to the proxy server instead of the cloud license server.

The product configuration depends on the product. For example, VXs does this through an unlinked web page.

If you modify the configuration file, you must restart the service before the new options take effect.

When configuring the service, you may leave the username blank.

It is safe to briefly take the proxy server down even if the products use it. The license refresh mechanism will retry later.

key9proxy offers additional command line options. Executing the program without arguments will display help texts with the available options.


  • Use ping to see if the cloud license server responds. The primary cloud server address is
  • Use traceroute to determine if the server is reachable.
  • Use telnet to find out if a TCP connection may be established on the license server on the proxy server: telnet <ip-address> <port> where <ip-address> is the address of the machine and <port> is usually 42131. For example, telnet to should allow you to connect.

When a firewall is present, the only requirement is to allow outgoing TCP connections to on port 42131. There is no need to open incoming ports since the products and the proxy always reach outward to the license server. The license server will never make an inbound connection. While most firewalls allow outgoing connections by default, for some customers, this has to be explicitly allowed.

How did we do?