JP2013021423A - Vpn connection system and connection method thereof and program thereof - Google Patents

Abstract

PROBLEM TO BE SOLVED: To generate routing information appropriately between terminals using VPN in a virtual environment and a network to which VPN-connected, thereby ensuring that the terminals are VPN-connected.SOLUTION: Following are included: an IP segment table which stores therein information on definitions of the network addresses to which client terminals are connected and those to which services are offered, the client terminals being granted a plurality of specific default gateway IP addresses which can be acquired when a plurality of client terminals are connected to a virtual terminal group; a routing table which holds routing information therein; an IP address information acquisition unit which acquires the IP address information on a plurality of virtual terminals; a routing command generation unit which generates a command to create a routing table on the basis of the IP segment table; a routing table generation unit which generates as routing table by using the generated command; and a VPN connection processing unit which VPN-connects virtual terminals by using information in the routing table.

Description

  The present invention relates to a VPN connection system, a connection method therefor, and a program therefor, and in particular, in a network system that connects a user terminal and a remote base constructed in a virtual environment using VPN (Virtual Private Network) technology. The present invention relates to a technique for generating optimal routing information between a terminal and a connection destination network and performing VPN connection.

  A network system in which a terminal such as a user's PC (personal computer) is connected to a server or the like at a remote site using VPN technology and various services are provided from the server has been put into practical use. Recently, due to the advantages of increased availability and operational costs, a virtual PC (or virtual terminal) environment that allows remote desktop access to a virtual machine with a client OS (guest OS) set up on a physical server has been built. It has been proposed to use a virtual PC in a virtual environment through a VPN connection from a terminal.

  Various proposals have been made regarding techniques for setting a network for a server to which a virtualization technique is applied. For example, Patent Document 1 discloses a connection policy that is set in advance when a guest OS is started from a user's operation terminal to a virtual machine environment with regard to reducing the burden of network setting work on a virtual operation system (OS). Referring to the business table in which the table and business program are set, the connection destination server that communicates with the host server on which the guest OS is started is determined according to the business program executed on the host server, and performs virtual network communication A network setting method and apparatus for acquiring and setting connection information necessary for the above are disclosed.

  Recently, the types of terminals used by users have also diversified. For example, a screen transfer method such as a general PC operating on a local HDD (hard disk), a server base, a blade PC, or a virtual PC is adopted. Thin clients that use the network boot method are used. For this reason, even in a network system using VPN technology, it is important to construct a common VPN environment corresponding to various types of terminals.

JP 2010-39626 A

When constructing a common VPN environment corresponding to various types of terminals, the following problems exist.
In the local HDDPC, installation of software (for example, a program such as a virus scan) used in daily work affects the operating environment of the VPN software, and in some cases, the VPN software may not start. This is a problem in VPN connection.
Also, in a thin client environment that employs the network boot method, VPN software may not be installed depending on the specifications of the system that hosts the client OS. This makes VPN connection impossible.

  Also, when using VPN software on a client OS in a thin client environment that employs a screen transfer function, routing information between the thin client terminal that is the screen receiving device and the system hosting the client OS is changed. There is a problem that the client OS cannot be used. Also in this case, since the VPN software on the client OS is not activated, VPN connection becomes difficult.

  Accordingly, an object of the present invention is to appropriately generate routing information between a terminal using a VPN in a virtual environment and a VPN connection destination network, and securely connect the terminal to the VPN.

The VPN connection system according to the present invention is preferably a VPN connection system including a VPN management server that performs VPN connection with an external base via a VPN interface in accordance with access from a plurality of client terminals,
A virtual terminal group including a plurality of virtual terminals constructed by the VPN management server, wherein the virtual terminal group includes a plurality of unique terminals that can be acquired when the plurality of client terminals are connected to the virtual terminal group. Default gateway IP address is given,
An IP segment table storing information defining a service providing target, an address of a network to which the client terminal is connected, and a virtual terminal to which the virtual terminal can connect;
A routing table that holds the generated routing information;
An IP address information acquisition unit for acquiring IP address information of the plurality of virtual terminals;
A routing command generator for generating a command for creating a routing table based on the IP segment table;
A routing table generation unit that generates the routing table using the command generated by the routing command generation unit;
A VPN connection system including a VPN connection processing unit that VPN-connects the virtual terminal using the information of the routing table generated by the routing table generation unit is configured.

In a preferred example, the IP address information acquisition unit issues an OS (Operating System) IP address confirmation command used by the virtual terminal every time the virtual terminal is activated, and receives a response from the virtual terminal. Determine whether the default gateway IP address exists,
When it is determined that the default gateway IP address is correctly set in the response result, the VPN connection system obtains the default gateway IP address as a parameter value of the default gateway IP address and holds it in the memory.

Further preferably, the routing command generation unit uses the default gateway IP address acquired by the processing of the IP address information acquisition unit and the information of the IP segment table to generate a “network address to which the client terminal is connected, mask”. , Subnet mask, default gateway IP address, metric "
A WORK file for storing the command generated by the processing of the routing command generation unit;
The routing table generation unit is the VPN connection system that generates the routing table using a command stored in the WORK file.

Preferably, the routing table generation unit executes a command to determine whether or not a response acquired from the virtual terminal has a default gateway IP address,
If a value is returned to the default gateway IP address as a result of the determination, a default gateway communication confirmation process is performed, a PING command is issued to the target IP address, and it is determined whether the communication response from the virtual terminal is normal If the result of the determination is normal, the VPN connection system determines that the generation of the routing table has been performed normally.

The VPN connection method according to the present invention is preferably a VPN connection method in a system including a VPN management server that performs VPN connection with an external base via a VPN interface in accordance with access from a plurality of client terminals,
A virtual terminal group including a plurality of virtual terminals constructed by the VPN management server, wherein the virtual terminal group includes a plurality of unique terminals that can be acquired when the plurality of client terminals are connected to the virtual terminal group. Default gateway IP address is given,
An IP address information acquisition step of acquiring IP address information of the plurality of virtual terminals;
A routing table that holds routing information based on the IP segment table that stores information defining a service providing target and an address of a network to which the client terminal is connected, to which the virtual terminal can make a VPN connection A routing command generation step for generating a command to be created;
A routing table generation step for generating the routing table using the command generated by the routing command generation unit;
The VPN connection method includes a VPN connection processing step of VPN connection of the virtual terminal using the information of the routing table generated by the routing table generation unit.

The VPN connection program according to the present invention is preferably a VPN connection program executed by a VPN management server that performs VPN connection with an external base through a VPN interface in accordance with access from a plurality of client terminals. ,
A virtual terminal group including a plurality of virtual terminals constructed by the VPN management server, wherein the virtual terminal group includes a plurality of unique terminals that can be acquired when the plurality of client terminals are connected to the virtual terminal group. Default gateway IP address is given,
An IP address information acquisition unit for acquiring IP address information of the plurality of virtual terminals;
A routing table that holds routing information based on the IP segment table that stores information defining a service providing target and an address of a network to which the client terminal is connected, to which the virtual terminal can make a VPN connection A routing command generator for generating a command to be created;
A routing table generation unit that generates the routing table using the command generated by the routing command generation unit;
A VPN connection program is provided that includes a VPN connection processing unit that VPN-connects the virtual terminal using the routing table information generated by the routing table generation unit.

ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to generate | occur | produce appropriately the routing information between the terminal which uses VPN in a virtual environment, and a VPN connection destination network, and to make a VPN connection reliably.
In addition, even if the form and operating environment of the physical terminal are different, a plurality of terminals are virtualized and managed centrally in the VPN environment, and routing information for the virtual terminal is generated and used for VPN connection each time a VPN connection is made. Regardless of the form and state of the physical terminal, a VPN connection can be reliably established.

The figure which shows the whole structure of the VPN connection system in one Example. The figure which shows the structure of the routing information processing system in the VPN management server of one Example. The figure which shows the structural example of the IP segment table in one Example. The figure which shows the structural example of the WORK file in one Example. The figure which shows the structural example of the routing table in one Example. The flowchart which shows the processing operation of the IP address information acquisition part in one Example. The flowchart which shows the processing operation of the routing command production | generation part in one Example. The flowchart which shows the processing operation of the routing table production | generation part in one Example.

An embodiment of the present invention will be described below with reference to the drawings.

FIG. 1 shows the overall configuration of a VPN connection system.
In this system, a VPN client virtual terminal group 11 composed of a number of VPN client virtual terminals (hereinafter simply referred to as virtual terminals) 111 to 11n (generally collectively shown as 111) is constructed on the VPN service management server 107. Each virtual terminal 111 can connect to a remote site using VPN technology.
The terminals 101 to 103 (generally indicated as 10) which are physical client terminals include, for example, a thin client OS environment 101 that supports the use of the thin client 1011, a network PC 102 operating in the net boot PC storage 1021, a local HDD PC 103, and the like. These physical terminals 10 may be connected to any of the virtual terminals in the virtual terminal group 11 using the default gateway IP address assigned to the gateways 121 to 123 as connection points via the network. it can. Each virtual terminal 111 is virtualized using a guest OS (Operating System) formed on the host OS included in the VPN management server 2.
Each virtual terminal 111 of the virtual terminal group 11 can connect to a VPN gateway such as a server at a remote business site using the VPN virtual interface 13 and receive various services from the server.

  By the way, conventionally, there is no concept of the virtual terminal group 11, and when realizing VPN connection of a terminal (physical terminal), VPN software is installed in each terminal, and depending on the network environment, individual setting of the terminal may be required. Yes, it was a factor that increased the number of man-hours for users. In addition, the thin client terminal has a problem that the VPN cannot be used due to its characteristics. Further, in the local HDDPC, an event may occur in which connection is not possible due to incompleteness at the time of installation of the VPN software of each user. It was. In order to solve such a problem, according to the present invention, the VPN connection of the virtual terminal 11 is centrally managed, and the VPN virtual interface routing for the VPN connection is generated for each virtual terminal 111, and the type of the terminal 10 It is possible to solve the problem that makes the VPN connection impossible due to the state. As a result, it is possible to reduce the burden of the VPN connection work of the user as in the conventional case and realize stable operation of the VPN connection.

Next, the internal configuration of the VPN management server 2 will be described with reference to FIG.
The VPN management server 2 includes, as hardware, a processor that handles programs, a memory that stores various programs and data, and a storage device. A guest OS for each terminal is formed on the host OS activated by the VPN management server 7. For example, the guest OS of each terminal is a common OS such as Windows (registered trademark of Micro Soft).

The following functions are realized in each virtual terminal 111 by the operation of the guest OS. That is, an IP address information acquisition unit 201 that acquires IP address information of each virtual terminal 111, a routing command generation unit 202 that generates a routing table edit command based on the IP segment table 212, and a routing table using the WORK file 214 And a VPN connection processing unit 204 that activates VPN software and makes a VPN connection based on the information of the generated routing table.
In addition, the storage device stores the acquired IP address information and the IP segment table 212 that stores information defining the service provision target, the WORK file 213 that stores commands for generating routing tables, and the generated routing information. The routing table 214 to be held is managed.

In order to use the virtual terminal group 11 of the VPN terminal, a remote desktop connection is performed from the guest OS in each client environment to the VPN client virtual terminal group 11, and account authentication is performed using LDAP. At this time, a function (201 to 203) for generating a routing table that can use the VPN virtual interface 13 as a part of the login script is activated. By using this function, various setting operations of the client PC environment (installation of VPN software, profile setting, version upgrade, etc.) performed by each user in the conventional VPN connection system become unnecessary, and the VPN management server 2 Can be collectively managed.
The processing operations of the functional units 201 to 203 will be described later with reference to FIGS.

Next, various tables and files will be described with reference to FIGS.
An IP segment table, a WORK file, and a routing table are formed for each virtual terminal.
FIG. 3 shows the configuration of the IP segment table.
The IP segment table 212 identifies and registers a network to which the virtual terminal 111 can make a VPN connection, and includes a network address for identifying the networks 141 to 143 to which the client terminals 101 to 103 are connected, Each entry item includes a subnet mask for identifying the host address portion and a metric indicating the number of networks that pass through to reach the corresponding network.

FIG. 4 shows the structure of a WORK file.
The WORK file stores a command for generating a routing table for each virtual terminal. That is, it consists of a routing command route add, a network address for identifying the networks 141 to 143, a subnet mask, a gateway address (default gateway IP address) acquired by an IP address confirmation command, and each entry item of the metric. The

FIG. 5 shows the configuration of the routing table.
The routing table includes a network address for identifying the networks 141 to 143 excluding the routing command (Route add) from the WORK file, the subnet mask, and the gateway address (default gateway IP address) acquired by the IP address confirmation command. , Each entry item of the metric.

FIG. 6 is a flowchart showing the processing operation of the IP address information acquisition unit 201.
This process is executed when each virtual terminal 111 is activated. The virtual terminal 111 connects from the client terminal 10 using a remote desktop. When each client terminal 10 logs in to the virtual terminal 111, an IP address confirmation command (eg, ipconfig) of the OS (guest OS used by the virtual terminal) is issued to the assigned virtual terminal 111 ( S202). When receiving the IP address confirmation command, the virtual terminal 111 returns the response result (S203). The response result usually includes the IP address of the own virtual terminal 111 and the default gateway IP address, but there may not be a default gateway IP address in an abnormal case. If it is abnormal, the client terminal 10 is not connected to the virtual terminal group 11, so VPN connection is difficult.

When receiving the response result (S204), the IP address information acquisition unit 201 determines whether there is a default gateway IP address (S206). This determination is to determine whether the IP address parameter is normally set in the virtual terminal 111 and whether it is correctly recognized. If it is determined that the default gateway IP address value is correctly set in the address of the response result, that value is acquired as the default gateway IP address parameter value and stored in the memory (S207). In this case, the virtual terminal 111 can be connected to the VPN.
On the other hand, if there is no value in the default gateway IP address in the address of the response result, there is a problem in the IP address setting in the virtual terminal 111 (VPN connection is impossible), and the process is terminated.

FIG. 7 is a flowchart showing the processing operation of the routing command generator 202.
The value of the default gateway IP address has been acquired by the processing of the IP address information acquisition unit 201. The network address acquisition 301 acquires access permission segment information, that is, network address, subnet mask, and metric data from the IP segment table 212 (S702). Then, a command for generating the routing table 214 is created using this IP segment information and the default gateway IP address acquired in the above process (FIG. 6) (S704). The generated routing command is generated in the format of “route add, network address, mask, subnet mask, gateway address, metric 1”, for example. The generated command is stored one record at a time in the WORK file 213 (S706). This process is repeated until the record registered in the IP segment table is completed (S708).

FIG. 8 is a flowchart showing the processing operation of the routing table generation unit.
The WORK file 213 stores a routing command generated by the processing of the routing command generation unit 110.
First, the contents of the WORK file 213 are read (S801), and a route command is issued to the virtual terminal 111 (S802). The virtual terminal 111 transmits a response result (S803). The response result includes the contents of the routing table 214.

  When receiving the response result (S804), the routing table generating unit 203 determines whether or not there is a default gateway IP address included in the routing table (S805). As a result of the determination, if a value is returned to the default gateway IP address (S805, Yes), a PING command is issued to the target IP address in the default gateway communication confirmation process (S806).

The virtual terminal 111 returns a response result of the PING command (S807). When receiving the response result, the routing table generation unit 203 determines whether the communication response is normal (“OK”) (S809). When the determination result is “OK”, the processing is terminated because the generation of the routing table is normally performed. On the other hand, when the determination result is “NO”, it is determined that the record addition to the routing table of the virtual terminal 111 has not been normally performed in the routing command issuance process (S802), and the addition process is performed. The record of routing information is deleted (S810), and the process is terminated.
In addition, when the determination result in the presence / absence determination (S805) of the default gateway IP address is “NO”, the record of the routing table is deleted as in the case where the determination result of the communication response is “NO”. The process ends.

  Through the above processing, normal routing information is stored in the routing table 214. Thereafter, the VPN connection processing unit 204 uses the routing information in the routing table 214 of the virtual terminal 111 linked from the client terminal 10 to identify a server or the like (identified by the subnet mask) at the remote business site via the VPN virtual interface 13. Can be connected).

In addition, this invention is not limited to the said Example, A various deformation | transformation and application can be implemented.
For example, in the above embodiment, it has been described that the various functions 201 to 204 of the VPN service management server 2, the IP segment table 212, the WORK file 213, the routing table 214, and the like are provided for each virtual terminal. However, according to another example, these functions and tables can be set for each VPN client virtual terminal group without providing them for each virtual terminal. Absent.

DESCRIPTION OF SYMBOLS 10, 101-103: Client terminal 111-11n: Virtual terminal 11: Virtual terminal group 2: VPN management server 121-123: Gateway 13: VPN virtual interface 201: IP address information acquisition part 202: Routing command generation part 203: Routing Table generation unit 204: VPN connection processing unit 212: IP segment table 213: Work file 214: Routing table

Claims (6)

A VPN connection system including a VPN management server that performs VPN connection with an external base through a VPN interface in accordance with access from a plurality of client terminals,
A virtual terminal group including a plurality of virtual terminals constructed by the VPN management server, wherein the virtual terminal group includes a plurality of unique terminals that can be acquired when the plurality of client terminals are connected to the virtual terminal group. Default gateway IP address is given,
An IP segment table that stores addresses of networks to which the client terminals are connected, to which the virtual terminals can make VPN connections;
A routing table that holds the generated routing information;
An IP address information acquisition unit for acquiring IP address information of the plurality of virtual terminals;
A routing command generator for generating a command for creating a routing table based on the IP segment table;
A routing table generation unit that generates the routing table using the command generated by the routing command generation unit;
A VPN connection system comprising: a VPN connection processing unit that VPN-connects the virtual terminal using information of the routing table generated by the routing table generation unit. The IP address information acquisition unit issues an OS (Operating System) IP address confirmation command used by the virtual terminal every time the virtual terminal is activated, and receives the default gateway IP during a response received from the virtual terminal. Determine if there is an address,
2. The VPN connection system according to claim 1, wherein when it is determined that the default gateway IP address is correctly set in the response result, the default gateway IP address is acquired as a parameter value of the default gateway IP address and stored in the memory. The routing command generation unit uses the default gateway IP address acquired by the processing of the IP address information acquisition unit and the information of the IP segment table to generate a “network address to which the client terminal is connected, mask, subnet mask, Generate a command that includes "default gateway IP address, metric"
A WORK file for storing the command generated by the processing of the routing command generation unit;
The VPN connection system according to claim 1 or 2, wherein the routing table generation unit generates the routing table using a command stored in the WORK file. The routing table generation unit executes a command to determine whether a response acquired from the virtual terminal has a default gateway IP address,
If a value is returned to the default gateway IP address as a result of the determination, a default gateway communication confirmation process is performed, a PING command is issued to the target IP address, and it is determined whether the communication response from the virtual terminal is normal 4. The VPN connection system according to claim 1, wherein if the result of the determination is normal, it is determined that the generation of the routing table has been performed normally. 5. A VPN connection method in a system including a VPN management server that performs VPN connection with an external base via a VPN interface in accordance with access from a plurality of client terminals,
A virtual terminal group including a plurality of virtual terminals constructed by the VPN management server, wherein the virtual terminal group includes a plurality of unique terminals that can be acquired when the plurality of client terminals are connected to the virtual terminal group. Default gateway IP address is given,
An IP address information acquisition step of acquiring IP address information of the plurality of virtual terminals;
A routing table that holds routing information based on the IP segment table that stores information defining a service providing target and an address of a network to which the client terminal is connected, to which the virtual terminal can make a VPN connection A routing command generation step for generating a command to be created;
A routing table generation step for generating the routing table using the command generated by the routing command generation unit;
A VPN connection method comprising: a VPN connection processing step for VPN connection of the virtual terminal using information of the routing table generated by the routing table generation unit. A VPN connection program executed by a VPN management server that performs VPN connection with an external base through a VPN interface in accordance with access from a plurality of client terminals,
A virtual terminal group including a plurality of virtual terminals constructed by the VPN management server, wherein the virtual terminal group includes a plurality of unique terminals that can be acquired when the plurality of client terminals are connected to the virtual terminal group. Default gateway IP address is given,
An IP address information acquisition unit for acquiring IP address information of the plurality of virtual terminals;
A routing table that holds routing information based on the IP segment table that stores information defining a service providing target and an address of a network to which the client terminal is connected, to which the virtual terminal can make a VPN connection A routing command generator for generating a command to be created;
A routing table generation unit that generates the routing table using the command generated by the routing command generation unit;
A VPN connection program comprising: a VPN connection processing unit that VPN-connects the virtual terminal using information of the routing table generated by the routing table generation unit.

Images