Hey @ibrahim1 , tough spot with that network seg - seen it before! Your Site B HF def needs Enterprise license cuz its parsing/processing data. UFs are free but HFs gotta phone home to LM. Here's what actually works:

Option 1: UF Intermediate Forwarder (cleanest - my rec)
Generally most of the time we follow "ntermediate Forwarder" setup to route logs form multiple network sites,  Replace Site B HF with Universal Forwarder. Always free, no LM contact EVER needed.

## Example conf for New Site B UF, change as per your details
inputs.conf:
[splunktcp://9997]
disabled = 0

outputs.conf:
[tcpout]
defaultGroup = sitea_hf

[tcpout:sitea_hf]
server = siteA_HF_IP:9997

Source UFs point to new Site B UF:9997. Site A HF does all parsing. Data flows: UF (Site B)→UF(Site B)→HF(Site A)→indexers(Site A). Worked perfect in my DMZ setup.

Lose Deployment Server role tho - move that elsewhere or use UF phonehome.

Option 2: Selective 8089 firewall rule (if u must keep HF)
Ask netsec for just SiteB_HF_IP → SiteA_LM_IP:8089. License heartbeat only (every 30min). Security teams usually approve - low risk vs full mgmt ports.

# server.conf at Site B HF
[license]
master_uri = https://siteA_LM:8089

Option 3: License pooling (if 8089 opens up)
Create "forwarders" pool on LM, add Site B HF as slave. Still needs 8089 tho.

What I'd do: Go UF intermediate. Zero license drama, lighter resource use, same data flow. Test on one source first 

Please give karma 👍 for support 😁 happly splunking .... 😎

Hi @ibrahim1 ,

there is a Forwarder License that you can enable on your HFs instead of the connection to the License Master.

But there's a restriction: if on the HF you must use DB-Connect or and Add-Ons that use APIs (e.g. Azure or AWS) or use it as a Deployment Server, you cannot use this kind of license.

So, the solution could be one of the following:

• open the connection between the HF/DS/B and the License Master,
• Create a new DS on Site B and open the connection (both 8089 and 9997 ports) with the LM/A only for this server,
• Use the DS on the Site A to manage UFs and HFs on Site B, but in this case you should open more connections!
• use the HF/A as License Master: but you can use this solution only if the License Master has less than 50 clients, but anyway, you have to open the connection between the HF/LM/A and the HF/DS/B also on the 8089 Port, that's the required port for management and that usually closed, in addition to the 9997 data port,
• add a minimal License (also 500 MB/day) on the HF/DS/B.

Ciao.

Giuseppe

Hi @ibrahim1 

There are a couple of ways you could combat this, both of which I have seen at other customers.

1) Request a 0-byte license from Splunk Support - Explain your situation that you cannot connect from Site B to Site A and that you have Splunk components in Site B which require a license. Because Site B isn't actually indexing anything, it's only forwarding the data. You don't actually need a licence with a particular volume limit, therefore a 0-byte licence will be sufficient. 

2) you could install the same licence on site A and B, however you may want to double-check with your Splunk account team. I have seen this done before, and Splunk did not have an issue with this, so long as no data was being ingested in Site B. I think the only time that you would get a warning within Splunk is if you had multiple index clusters pointing to different licence servers with the same licence key. But for HF, you should not have this problem. 

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing