ILMT in air gapped and restricted networks.
Isolated networks make ILMT harder to deploy and operate, but the sub-capacity rules do not bend for them. If you run IBM software behind an air gap and cannot evidence continuous measurement, IBM defaults you to full-capacity charging just as it would anywhere else.
Air gapped, classified, and otherwise restricted networks are common in defense, finance, and critical infrastructure, and they create a real operational problem for the IBM License Metric Tool. The tool was designed to discover hosts, pull a catalog, and produce reports, and isolation interrupts each of those steps. The mistake that costs money is concluding that because measurement is hard, the obligation is relaxed. It is not. Sub-capacity is earned by continuous measurement regardless of how isolated the environment is.
The catalog update problem
ILMT depends on a current software catalog to recognize products correctly. In a connected environment the catalog updates routinely. Behind an air gap, the catalog has to be transferred and applied manually, and a catalog that drifts out of date will miscategorize newer products. A stale catalog inside a restricted network is one of the most common reasons an otherwise diligent team finds its isolated estate charged at full capacity, because the products were never recognized correctly in the first place.
Running a self contained instance
The defensible approach is to operate ILMT entirely inside the boundary rather than reaching across it. That means a dedicated server inside the enclave, agents deployed to every eligible host within it, and a manual but disciplined process for importing catalog updates and exporting nothing that the security policy forbids. The reports are generated inside the boundary and retained inside it. The point is that isolation changes the logistics of measurement, not the requirement to measure.
- Deploy a self contained ILMT server inside the restricted boundary
- Establish a controlled procedure to import catalog updates on a schedule
- Confirm every eligible host inside the enclave carries a reporting agent
- Generate and retain the quarterly reports within the boundary itself
- Document the isolation and the measurement procedure as part of the evidence
When the security policy forbids an agent
Some enclaves will not permit the standard agent at all. IBM accepts approved alternatives such as HCL BigFix Inventory and Flexera One ITAM for sub-capacity reporting, and one of these may fit a restricted environment where the native tool cannot. Where no automated measurement is permitted by policy, the honest position is that sub-capacity may not be defensible for those hosts, and the licensing decision should be made deliberately and documented, not discovered in an audit.
Documenting the constraint
Restricted networks reward documentation. If you can show the auditor a self contained ILMT instance, a catalog import log, agent coverage inside the enclave, and retained reports, the isolation becomes a managed fact rather than a gap. The exposure appears when the team assumes the air gap excuses the obligation and has nothing to show for the periods in question.
An air gap changes how you measure, not whether you must. IBM applies the same sub-capacity rules to isolated environments, so a self contained ILMT instance, a current catalog, full agent coverage inside the boundary, and retained reports are what stand between you and full-capacity charging on your most sensitive estate.
Running IBM software behind an air gap?
Our ILMT Remediation engagement builds a defensible measurement and reporting process for restricted and isolated environments, so your sub-capacity position holds even where the network does not connect.
See ILMT Remediation →The IBM Audit Brief
Audit triggers, ILMT pitfalls, and settlement tactics for IBM software buyers.
Independent, buyer side IBM software audit defense and negotiation. Not affiliated with IBM Corporation.