Network and Security Manager - command line tool

You can use the Network and Security Manager command line tool, lr_agent_settings, to update and configure agent-related settings on local and remote machines.

Using a single command, you can update and configure agent ports, agent settings, and authentication.

You can also use this tool to automate your test and run it through the command line.

Launching the Network and Security Manager tool

To launch the tool, open a command line window and run the following:


For LoadRunner Professional, Standalone Load Generator, Standalone MI Listener, and Monitor Over Firewall:

<LoadRunner Professional root>\bin\lr_agent_settings.exe

Note: You must have write permissions to the LoadRunner Professional installation folder.


For Standalone Load Generator:

<LG path>\bin\lr_agent_settings.exe


Guidelines for Linux machines:

  • You must have administrator privileges to run this on a Linux machine.
  • In Amazon cloud environments (AWS), you need to set the M_LROOT environment variable, as shown in the following example:

    ~$ sudo M_LROOT=/opt/MF/MF_LoadGenerator /opt/MF/MF_LoadGenerator/bin/lr_agent_settings -check_client_cert 0

Back to top

Command line arguments for the Network and Security Manager tool

The following command line arguments are supported by this tool:


  • To retrieve the list of available arguments, on the LoadRunner Professional machine type lr_agent_settings.exe -usage or lr_agent_settings with no arguments.
  • LoadRunner Professional currently supports basic and NTLM proxy authentication.

  • You can update the certificates on a remote machine only if:

    • A secure connection was established using TLS (SSL) authentication.
    • The client (the machine the tool is running on) was authenticated by the CA certificate on the remote load generator.
    • Both of the above items were achieved by using certificates other than the defaults.
Option Arguments Description
Remote Update Options
remote host name or IP

The names of the hosts to update with the new settings.

To access the local machine, specify localhost or

For multiple machines, repeat the command: For example,

-remote_host host1 - remote_host host2.

file name

The name of a file containing the host names or IP addresses. Separate multiple host names with a line break. For hosts over a firewall, specify a port. For example,




Agent Port Options

The Load Generator m_agent listening port.

Default: 54345


The Load Generator al_agent listening port.

Default: 54245


MIL listening port from Controller. This option is not available on Linux.

Default: 50500


MIL listening port from Load Generator over firewall.

If you change this port value, you should also change the port for the Load Generator over firewall machine using -mil_port. This option is not available on Linux.

Default: 443

Load Generator Over Firewall Options
0 | 1

Indicates whether to communicate over a firewall.

Host name or IP address

Changes the MI listener name or IP address from the side of the load generator over a firewall.

port number

Changes the port for the MI listener from the side of the load generator over a firewall.

Default: 443

Local machine key

Changes the host symbol (or local machine key) for load generator over a firewall, to establish a unique connection from behind the firewall.

MILname:local machine key

Changes the MI Listener name and the local machine key in one string separated by a colon, ":".

-mil_username, -mil_passwd, -mil_domain
username, password, domain

Changes the user name and password with which to connect to the MI Listener machine, and the domain for the MI Listener machine (required only if NTLM is used).

sampling interval in seconds

Changes the sampling interval in seconds—the time the agent waits before retrying to connect to the MI Listener machine.

The Over Firewall load generator machine polls the MI Listener regularly to see if any Controller needs to use it for a test run. If no request is found, it closes the connection and waits this specified timeout period, before polling it again.


Changes the connection type: HTTP or TCP.

-proxy_name, -proxy_port
hostname, port

Changes the name and port of proxy server when using HTTP connection.

proxy name:proxy port

Changes the proxy name and port in one string separated by a colon, ":",

-proxy_username, -proxy_passwd, -proxy_domain
username, password, domain

Changes the user name and password with which to connect to the proxy server.

0 | 1

Changes the flag to connect using the TLS (formally SSL) protocol.

username, password, domain
Changes the password that is optionally required during TLS (SSL) certificate authentication.
Certificate Authentication Options


0 | 1

Use 0 to allow both TLS (SSL) and non-TLS connections.

Use 1 to enforce TLS (SSL) connections only and check if the client certificate is trusted by the CA installed on the agent machine.

Note: When monitoring over firewall, set this flag to 1 on the server machine. For guidelines on determining which machine is considered the server, see Two-way TLS (SSL) authentication.

None | Medium | High

Indicates how to authenticate TLS (SSL) certificates that are sent by the server.

None. Does not authenticate the certificate.

Medium. Verifies that the server certificate is signed by a trusted Certification Authority.

High. Verifies that the sender IP matches the certificate information.

CA certificate file name

Installs a CA certificate locally. It overwrites the dat\cert\verify\cacert.cer file, but does not affect any configuration file.

Note: You need to generate a CA certificate before installing it. To generate the CA certificate, run gen_ca_cert -common_name <your_selected_common_name, e.g. LoadRunner > from the bin folder.

Two files, cacert.cer and capvk.cer. are generated in the current directory, for the CA certificate and private key.

Store capvk.cer securely in a designated folder.

Install cacert.cer as a CA certificate on all of your LR/LoadRunner Enterprise installations.

full path of certificate file

Installs authentication certificate locally. It overwrites the dat\cert\verify\cacert.cer file, but does not affect any configuration file.

Note: This step assumes you already generated a TLS certificate ahead of time. To generate a TLS certificate, run the following from the bin folder:

gen_cert -common_name <your_selected_common_name, e.g. LoadRunner> -CA_cert_file_name <CA_cert_file_full_path> -CA_pk_file_name <CA_private_key_file_full_path>.

-generate_new_cert_file -CA_private_key_file_name

Generates a new authentication certificate and installs it in dat\cert\cert.cer.

Note: A CA private key is mandatory to generate a self-signed certificates. The CA certificate will be read from dat\cert\verify\cacert.cer from the current machine.

private key file name

Sets the matching private key of the TLS (SSL) certificate you installed with gen_ca_cert -common_name (see above). If you generate a TLS certificate using gen_cert or using the -generate_new_cert_file option in this tool, you can skip this step. You only need to do this step if you use a certificate which does not include a private key in the certificate file, such as the openssl tool.

Restart Agent Options

Restarts the magent or alagent. It automatically detects whether it is running as a service or process.

Note: If the agent is running as a process and you want to use the command line to restart it as a service, first use the Agent Configuration Settings dialog box to change between the Process and Service mode for the agent.

Read Input Parameters
parameter file

Retrieves the value of input parameters listed in a file. The prm file should have the following format:

-mil_name MyHost1 -local_machine_key my_ofw_win -channel_type HTTP -proxy_name -proxy_port 8080.


  • When using the -prm argument in the command line, all other arguments are ignored.
  • The parameter file should only contain arguments for changing settings. It should not contain the Remote Update arguments, -remote_host and -remote_file, which will be ignored.

Back to top

Common Examples

Below are some examples for using the Network and Security Manager command line tool to change settings for agent ports, load generator over firewall settings, host security settings, certificate authentication, and so on.

Note: To use this utility on Linux load generators on an Amazon cloud environment (AWS), you need to set the M_LROOT environment variable as shown in the following example:

~$ sudo M_LROOT=/opt/MF/MF_LoadGenerator /opt/MF/MF_LoadGenerator/bin/lr_agent_settings -check_client_cert 0

Set the agent proxy and port, and the MI Listener over a firewall

lr_agent_settings.exe -proxy_name -proxy_port 8080

lr_agent_settings.exe -m_agent_port 54888

lr_agent_settings.exe -proxy_string (The string before ":" is proxy name, the string after ":" is proxy port)

lr_agent_settings.exe -mil_string MyServer2:my_ofw_unix (The string before ":" is MIL name, the string after ":" is the local machine key)

Read parameters from a file

lr_agent_settings.exe -prm C:\my_settings.prm

where the parameter file is a text file with the parameters you want to use to change the settings, for example:

-mil_name MyServer3 -local_machine_key my_ofw_win -channel_type HTTP -proxy_name -proxy_port 8080

Remote updates

lr_agent_settings.exe -remote_host MyServer1 -proxy_string

lr_agent_settings.exe -remote_host MyServer1 -prm C:\my_settings.prm

lr_agent_settings.exe -remote_host MyServer2:my_ofw_unix -prm C:\my_settings.prm (MyServer2:my_fow_unix says the remote host is OFW, the name before ":" is MIL name, the string after ":" is local machine key)

lr_agent_settings.exe -remote_host localhost/ -proxy_string (Updates local host)

Remote updates - multiple

lr_agent_setttings.exe -remote_host MyServer1 -remote_host vmlrrnd192 -use_ssl 1

lr_agent_settings.exe -remote_host localhost -remote_host vmlrrnd192 -use_ssl 1

lr_agent_settings.exe -remote_host MyServer1 -remote_host MyServer2:my_ofw_unix -prm C:\my_settings.prm

Remote updates - multiple from file

lr_agent_settings.exe -remote_file C:\remote_hosts.txt -proxy_string

lr_agent_settings.exe -remote_file C:\remote_hosts.txt -prm C:\my_settings.prm

The file contains the hosts separated by line breaks:


Restarting the agent

lr_agent_settings.exe -restart_agent

lr_agent_settings.exe -is_ofw 1 -mil_string MyServer2:my_ofw_win -restart_agent

lr_agent_settings.exe -remote_host MyServer1 -remote_host MyServer2:my_ofw_unix -restart_agent

Note: If you encounter Access Denied warnings when restarting the service, see Agent Configuration dialog box for details.

Back to top