WO2018149342A1 - Public network accessing method and device and computer storage medium for user terminal of mobile private network - Google Patents


Info

Publication number
WO2018149342A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
enterprise
public network
http
protocol
Application number
PCT/CN2018/075548
Other languages
French (fr)
Chinese (zh)
Inventor
翟来国
池海祥
池柏祥
李睿
Original Assignee
中兴通讯股份有限公司 (ZTE Corporation)
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • All under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services

Definitions

  • The present invention relates to the field of mobile communication technologies, and in particular to a method and device for accessing a public network by a user terminal of an enterprise mobile private network.
  • Enterprise networks are generally divided into an internal network (the intranet) and a DMZ (Demilitarized Zone, also called a quarantine area).
  • The enterprise's internal computers (hereinafter "intranet hosts") are located in the enterprise intranet.
  • When an intranet host accesses the Internet (also called the public network or the external network), it does so through an HTTP proxy server (also called a WEB proxy server), which is generally deployed in the DMZ.
  • The HTTP proxy server proxies external-network access for both HTTP and HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer). Both protocols run over TCP (Transmission Control Protocol) and are distinguished by TCP port number (by convention 80 for HTTP and 443 for HTTPS, although other ports can be configured).
  • When an intranet host accesses the public network over HTTP or HTTPS, it does not establish a connection directly with each public network server. Instead, it establishes an HTTP connection with the HTTP proxy server, and the proxy server establishes a connection of the corresponding protocol with the public network server, as shown in FIG. 1.
  • For HTTP (FIG. 2), the intranet host establishes an HTTP connection with the proxy server, and the proxy server establishes an HTTP connection with the target public network WEB server.
  • For HTTPS (FIG. 3), the intranet host establishes an HTTP connection with the proxy server and uses the CONNECT method to request that the proxy server establish an SSL (Secure Socket Layer) connection with the public network server; in a CONNECT tunnel the proxy then relays the SSL records between the two sides without interpreting them.
  • A mobile operator's base stations can also build a virtual mobile private network for an enterprise, through which the enterprise's internal users access the enterprise network.
  • Such a network is called an enterprise mobile private network, and these base stations may also be referred to as enterprise mobile private network base stations.
  • An enterprise mobile private network base station is in fact a public base station of the operator; what distinguishes it from an ordinary public base station is that it can be used to construct an enterprise mobile private network.
  • The mobile terminal of an enterprise internal user on the enterprise mobile private network, i.e. the user equipment (UE), can reach the enterprise intranet on the base station side. When it accesses the public network, however, the APN (Access Point Name) cannot be configured with the enterprise proxy, so its traffic must travel through the operator's base station, the backhaul network and the core network EPC (Evolved Packet Core) to the Internet, and from there be routed to the public network server, as shown in FIG. 4. This consumes a large amount of mobile network bandwidth and adds a large transmission delay.
  • The technical problem that the solution provided by the embodiments of the present invention addresses is that the mobile terminal of an enterprise internal user cannot use the enterprise network's HTTP proxy server to access the public network from the access side of the mobile network.
  • The method provided by an embodiment includes: when the base station side of the enterprise mobile private network receives an uplink public network packet sent by the mobile terminal of an enterprise internal user, it determines the packet type of that packet;
  • the base station side establishes, according to the determined packet type, a protocol connection of the corresponding type between itself and the mobile terminal, and obtains the uplink protocol packet sent by the mobile terminal through that protocol connection;
  • the base station side routes the uplink protocol packet to the HTTP proxy server, so that the mobile terminal accesses the public network via the HTTP proxy server;
  • when the base station side receives the downlink protocol packet returned by the HTTP proxy server, it sends the downlink protocol packet to the mobile terminal through the established protocol connection.
  • The device provided by an embodiment includes a determining module, configured to determine the packet type of an uplink public network packet when that packet is received from the mobile terminal of an enterprise internal user;
  • a protocol connection establishing module, configured to establish, according to the determined packet type, a protocol connection of the corresponding type between the device and the mobile terminal, and to obtain through that connection the uplink protocol packet sent by the mobile terminal;
  • and a sending module, configured to route the uplink protocol packet to the HTTP proxy server, so that the mobile terminal accesses the public network via the proxy, and to send the downlink protocol packet returned by the HTTP proxy server to the mobile terminal through the established protocol connection.
  • An embodiment also provides a computer storage medium storing computer-executable instructions which, when executed, implement the above method for a user terminal of an enterprise mobile private network to access the public network.
  • In the embodiments, a device on the base station side of the enterprise's local network determines, based on the packet type, that a packet sent by the internal user's mobile terminal is an uplink public network packet, establishes with the terminal a protocol connection adapted to that packet type, receives the terminal's packets over that connection, and forwards them to the local network's HTTP proxy server, which accesses the public network service on the terminal's behalf.
  • When the enterprise internal user's mobile terminal accesses the public network, its traffic therefore no longer has to travel from the base station (e.g. the eNB) back to the EPC and out through the operator's router to the public network.
  • On the one hand, the wired transmission bandwidth the enterprise already leases is fully utilised and no additional mobile network bandwidth is consumed, which saves cost; on the other hand, avoiding the detour through the radio eNB's backhaul and the EPC reduces the overall transmission time and hence the packet delay. In addition, because the traffic passes through the enterprise's own proxy, it becomes convenient for the local network to control how its internal users' mobile terminals access the public network.
  • FIG. 1 is a schematic diagram of an intranet host indirectly accessing a public network
  • FIG. 2 is a schematic diagram of an intranet host accessing a website over HTTP
  • FIG. 3 is a schematic diagram of an intranet host accessing a website over HTTPS
  • FIG. 4 is a schematic diagram of a mobile network terminal of an internal user of an enterprise accessing a public network
  • FIG. 5 is a flowchart of a method for a user terminal of an enterprise mobile private network to access a public network according to an embodiment of the present disclosure
  • FIG. 6 is a schematic diagram of an apparatus for accessing a public network by a user terminal of an enterprise mobile private network according to an embodiment of the present invention
  • FIG. 7 is a schematic diagram of an internal user's mobile network terminal using an HTTP proxy server for HTTP access according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of an internal user's mobile network terminal using an HTTP proxy server for HTTPS access according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of a new module provided by an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of the deployment of the new module in FIG. 9 according to an embodiment of the present invention.
  • FIG. 11 is a flowchart of processing an HTTP public network access uplink request packet of an internal user of the enterprise according to an embodiment of the present invention
  • FIG. 12 is a flowchart of processing an HTTP public network access downlink packet of an internal user of the enterprise according to an embodiment of the present disclosure
  • FIG. 13 is a flowchart of processing an internal user HTTPS public network access uplink message according to an embodiment of the present invention.
  • FIG. 14 is a flowchart of processing an HTTPS public network access downlink packet of an internal user of the enterprise according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for a user terminal of an enterprise mobile private network to access a public network according to an embodiment of the present invention. As shown in FIG. 5, the method includes:
  • Step S501: When the base station side of the enterprise mobile private network receives an uplink public network packet sent by the mobile terminal of an enterprise internal user, it determines the packet type of the uplink public network packet;
  • Step S502: The base station side establishes, according to the determined packet type, a protocol connection of the corresponding type between itself and the mobile terminal, and obtains the uplink protocol packet sent by the mobile terminal through that protocol connection.
  • The protocol connection established here is a connection between the base station side of the enterprise mobile private network and the mobile terminal of the enterprise internal user that conforms to the protocol matching the packet type.
  • Step S503: The base station side routes the uplink protocol packet to the HTTP proxy server, so that the mobile terminal accesses the public network via the HTTP proxy server.
  • Step S504: When the base station side receives the downlink protocol packet returned by the HTTP proxy server, it sends the downlink protocol packet to the mobile terminal through the established protocol connection.
  • The uplink public network packet carries destination address information identifying a public network address and a TCP port number identifying the packet type.
  • The packet type includes an HTTP packet type and an HTTPS packet type.
  • The base station side of the enterprise mobile private network includes the base station of the mobile private network, that is, a public base station of the mobile operator that provides the function of constructing an enterprise mobile private network; the enterprise mobile private network is used only for access by the mobile terminals of the enterprise's internal users.
  • Determining the packet type of the uplink public network packet proceeds as follows: when the base station side receives the uplink public network packet from the mobile terminal of an enterprise internal user, it parses the packet to obtain its destination address and TCP port number;
  • it then matches the obtained destination address and TCP port number against a preset public network address library, HTTP port list library and HTTPS port list library;
  • if the destination address matches the public network address library and the TCP port number matches the HTTP port list library, the base station side determines that the uplink public network packet is of the HTTP packet type; if the destination address matches the public network address library and the TCP port number matches the HTTPS port list library, it determines that the packet is of the HTTPS packet type.
  • When the uplink public network packet is determined to be of the HTTP packet type, establishing the protocol connection and obtaining the uplink protocol packet includes: the base station side establishes an HTTP protocol connection with the mobile terminal of the enterprise internal user and obtains the uplink HTTP protocol packet sent by the mobile terminal through that HTTP connection.
  • Correspondingly, sending the downlink protocol packet includes: when the base station side receives the downlink HTTP protocol packet returned by the HTTP proxy server, it encapsulates the downlink HTTP protocol packet into a downlink user packet addressed to the mobile terminal and sends it to the mobile terminal through the established HTTP protocol connection.
  • When the uplink public network packet is determined to be of the HTTPS packet type, establishing the protocol connection and obtaining the uplink protocol packet includes: the base station side establishes an SSL protocol connection with the mobile terminal and obtains the uplink SSL protocol packet sent by the mobile terminal through that SSL connection.
  • Correspondingly, sending the downlink protocol packet includes: when the base station side receives the downlink SSL protocol packet returned by the HTTP proxy server, it encapsulates the downlink SSL protocol packet into a downlink user packet addressed to the mobile terminal and sends it to the mobile terminal through the established SSL protocol connection.
  • Routing information is also established for each protocol connection: information received from the UE over the connection is routed to the HTTP proxy server, and information returned by the HTTP proxy server for the UE is sent to the UE over the same connection.
  • FIG. 6 is a schematic diagram of a device for accessing a public network by a user terminal of an enterprise mobile private network according to an embodiment of the present invention. The device can be deployed at an enterprise mobile private network base station and, as shown in FIG. 6, includes: a determining module 601, configured to determine the packet type of an uplink public network packet when that packet is received from the mobile terminal of an enterprise internal user; a protocol connection establishing module 602, configured to establish, according to the determined packet type, a protocol connection of the corresponding type with the mobile terminal and to obtain the uplink protocol packet through that connection; and a sending module 603, configured to route the uplink protocol packet to the HTTP proxy server and to send the downlink protocol packet returned by the proxy to the mobile terminal through the established connection.
  • The uplink public network packet carries destination address information identifying a public network address and a TCP port number identifying the packet type.
  • The packet type includes an HTTP packet type and an HTTPS packet type.
  • The determining module 601 includes: a parsing unit, configured to parse the uplink public network packet received from the mobile terminal of the enterprise internal user to obtain its destination address and TCP port number; and a matching unit, configured to match the obtained destination address and TCP port number against the preset public network address library, HTTP port list library and HTTPS port list library, determining the packet to be of the HTTP packet type when the destination address matches the public network address pool and the TCP port number matches the HTTP port list, and of the HTTPS packet type when the destination address matches the public network address pool and the TCP port number matches the HTTPS port list.
  • The protocol connection establishing module 602 includes:
  • a first protocol connection establishing unit, configured to establish an HTTP protocol connection between the device and the mobile terminal of the enterprise internal user when the uplink public network packet is determined to be of the HTTP packet type, and to obtain the uplink HTTP protocol packet sent by the mobile terminal through that HTTP connection.
  • The protocol connection establishing module 602 further includes:
  • a second protocol connection establishing unit, configured to establish an SSL protocol connection between the device and the mobile terminal of the enterprise internal user when the uplink public network packet is determined to be of the HTTPS packet type, and to obtain the uplink SSL protocol packet sent by the mobile terminal through that SSL connection.
  • The sending module 603 is configured, when it receives the downlink HTTP protocol packet returned by the HTTP proxy server, to encapsulate the downlink HTTP protocol packet into a downlink user packet addressed to the mobile terminal of the enterprise internal user, and to send that downlink user packet to the mobile terminal through the established HTTP protocol connection.
  • The sending module 603 is further configured, when it receives the downlink SSL protocol packet returned by the HTTP proxy server, to encapsulate the downlink SSL protocol packet into a downlink user packet addressed to the mobile terminal of the enterprise internal user, and to send that downlink user packet to the mobile terminal through the established SSL protocol connection.
  • FIG. 7 is a schematic diagram of an internal user's mobile network terminal using an HTTP proxy server for HTTP access according to an embodiment of the present invention.
  • The newly added device plays the role of the public network server towards the user terminal: it establishes an HTTP protocol connection with the user terminal and collects the user's protocol packets. Towards the proxy it plays the role of an intranet host: it imitates an intranet host's proxied access and reaches the public network through the HTTP proxy server.
  • In detail, the new device, acting as the public network server, establishes an HTTP connection with the user terminal and receives the terminal's HTTP request messages; it then, acting as an intranet host, establishes an HTTP connection with the HTTP proxy server, processes the URL (Uniform Resource Locator) of each received user terminal HTTP message, and sends the message to the HTTP proxy server, which forwards it to the public network server over its own HTTP connection with that server.
  • URL processing is needed because the URL in the user terminal's HTTP message is a relative URL (the terminal believes it is talking to the origin server directly), whereas the HTTP message an intranet host sends to a proxy server carries an absolute URL. The relative URL in the user terminal's HTTP message is therefore corrected to an absolute URL.
  • The HTTP response message returned by the HTTP proxy server is received by the new device, which, acting as the public network server, sends it to the user terminal over the HTTP connection with the user terminal.
  • An absolute URL is the full storage path of the target information and can be used to access the target information directly.
  • A relative URL expresses the storage path of the target information relative to the storage path of some reference information: the target information is stored in a target file, the reference information in a reference file, and the relative URL gives the path of the target file relative to the reference file. To access the target file from a relative URL, the storage path of the reference file must therefore be supplied.
  • By processing the URL in this way, the relative URL can be converted into an absolute URL.
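The rewrite described above, expressed in HTTP/1.1 terms: the terminal sends an origin-form request line (`GET /path`) plus a `Host` header, and a proxy expects an absolute-form request line (`GET http://host/path`). The following is an added example, not the patent's own code. It assumes the device has the intercepted packet's destination address and port available; falling back to that address when a (pre-HTTP/1.1) request carries no `Host` header is this example's assumption, not something the patent specifies.

```python
"""Rewriting a user terminal's HTTP request from origin-form to absolute-form before it is
handed to the HTTP proxy server. Added example; the fallback to the packet's destination
address when no Host header is present is an assumption, not from the patent."""


def _host_has_port(host: bytes) -> bool:
    # "example.com:8080" has a port; "[2001:db8::1]" does not (its colons belong to the literal).
    return host.rfind(b":") > host.rfind(b"]")


def to_absolute_form(request: bytes, dst_ip: str, dst_port: int = 80) -> bytes:
    """Turn 'GET /path HTTP/1.1' + 'Host: h' into 'GET http://h/path HTTP/1.1'.
    Headers and body are returned unchanged; only the request-target is rewritten."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    if target.startswith((b"http://", b"https://")) or target == b"*":
        return request                      # already absolute-form (or asterisk-form): nothing to do
    if not target.startswith(b"/"):
        raise ValueError(f"unexpected request-target: {target!r}")

    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    if not host:
        # HTTP/1.0 clients may omit Host; fall back to the destination of the intercepted
        # packet (assumption made by this example, not stated in the patent).
        host = (f"[{dst_ip}]" if ":" in dst_ip else dst_ip).encode()
    if dst_port != 80 and not _host_has_port(host):
        host += b":%d" % dst_port           # keep a non-default port visible to the proxy

    lines[0] = b" ".join((method, b"http://" + host + target, version))
    return b"\r\n".join(lines) + sep + body
```

The host the proxy will connect to comes from the `Host` header, which the terminal controls, while the classification that diverted the packet was made on the destination IP address; the two need not agree, so a deployment that wants the proxy to reach only what the rules allowed must enforce that at the proxy as well.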
  • FIG. 8 is a schematic diagram of an internal user's mobile network terminal using an HTTP proxy server for HTTPS access according to an embodiment of the present invention.
  • Here the new device, acting as the public network server, establishes an SSL protocol connection with the user terminal and collects the user's protocol packets; acting as an intranet host, it imitates an intranet host's proxied access and reaches the public network through the HTTP proxy server.
  • In detail, the new device, acting as the public network server, establishes an SSL connection with the user terminal and receives the terminal's SSL messages; it then, acting as an intranet host, establishes an HTTP connection with the HTTP proxy server and uses the CONNECT method to request that the proxy server establish an SSL connection with the public network server.
  • The received user terminal SSL messages are sent to the HTTP proxy server over that connection, and the HTTP proxy server forwards them to the public network server over its SSL connection with that server.
  • The SSL messages returned by the HTTP proxy server are received by the new device, which, acting as the public network server, sends them to the user terminal over the SSL connection with the user terminal.
  • In summary, the new device analyses the uplink user packets of the mobile network base station packet by packet, identifies the public network HTTP/HTTPS access packets of internal users, and, according to the proxy configuration rules, establishes an HTTP or SSL connection with the user terminal in the role of the public network server to receive the terminal's HTTP or SSL messages; in the role of an intranet host it establishes an HTTP connection with the HTTP proxy server according to the proxy configuration rules and sends the user's HTTP or SSL protocol packets to the HTTP proxy server;
  • the user messages returned by the proxy server are received and, in the role of the public network server, sent back to the user terminal via the mobile network base station over the HTTP or SSL protocol connection previously established with the user terminal.
  • The device's functions include the following.
  • Sending and receiving SSL messages in the role of the public network server: establish an SSL connection with the user terminal, receive the SSL protocol packets the user terminal sends, and send the user's SSL protocol packets received from the HTTP proxy server to the user terminal over that SSL connection.
  • Sending and receiving HTTP messages with the HTTP proxy server in the role of an intranet host: establish an HTTP connection with the HTTP proxy server, process the URL of each received user terminal HTTP protocol packet and send it to the HTTP proxy server, and receive the HTTP protocol packets the HTTP proxy server returns.
  • Sending and receiving SSL messages with the HTTP proxy server in the role of an intranet host: establish an HTTP connection with the HTTP proxy server, use the CONNECT method to request that the proxy server establish an SSL connection with the public network server, send the received user terminal SSL protocol packets to the HTTP proxy server over that HTTP connection, and receive the SSL protocol packets the HTTP proxy server returns.
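One point a practitioner will want made explicit about the HTTPS path: the device holds no private key for the public network server, so it cannot complete a TLS handshake in that server's name without the terminal's certificate validation failing. What it can do, and what the description above amounts to, is accept the terminal's TCP connection in the server's place and relay the SSL/TLS records unchanged through a CONNECT tunnel, so the session stays end to end between the terminal and the real server and the device, like the proxy, only ever sees record headers. The following added example (not the patent's code) shows the CONNECT exchange with the proxy and the record framing used to forward bytes; `simulate()` is a constructed in-process stand-in for the enterprise proxy, and the host name and status lines are illustrative.

```python
"""CONNECT tunnel to the HTTP proxy server for an intercepted HTTPS flow, and TLS record
framing for the relay. Added example, not the patent's code; the fake proxy in simulate()
is a constructed stand-in for the enterprise proxy."""
import socket
import threading
from typing import List, Tuple

TLS_CONTENT_TYPES = {20, 21, 22, 23}      # change_cipher_spec, alert, handshake, application_data
TLS_MAX_RECORD = 2 ** 14 + 2048             # largest TLSCiphertext fragment TLS 1.2 permits


def build_connect_request(host: str, port: int) -> bytes:
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def read_head(sock: socket.socket, limit: int = 16384) -> Tuple[bytes, bytes]:
    """Read one HTTP head; return (head, bytes already received beyond it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection before the HTTP head was complete")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("HTTP head exceeds limit")
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def open_tunnel(proxy_sock: socket.socket, host: str, port: int) -> bytes:
    """Send CONNECT and check the proxy's answer. Bytes that arrive after a 2xx head
    already belong to the tunnel, so they are returned for the TLS relay."""
    proxy_sock.sendall(build_connect_request(host, port))
    head, rest = read_head(proxy_sock)
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    if not 200 <= int(parts[1]) < 300:
        raise ConnectionError(f"proxy refused CONNECT: {status_line!r}")
    return rest


def tls_records(buf: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Frame a byte stream into complete TLS records (content type, fragment) for forwarding.
    Only the 5-byte record header is inspected; the fragment is relayed as-is, since the
    device has no key for the public server and cannot (and must not try to) decrypt it."""
    records = []
    while len(buf) >= 5:
        ctype = buf[0]
        length = int.from_bytes(buf[3:5], "big")
        if ctype not in TLS_CONTENT_TYPES or length > TLS_MAX_RECORD:
            raise ValueError("stream is not TLS; drop the flow instead of relaying it")
        if len(buf) < 5 + length:
            break                           # partial record: wait for more bytes
        records.append((ctype, buf[5:5 + length]))
        buf = buf[5 + length:]
    return records, buf


def simulate(status_line: bytes = b"HTTP/1.1 200 Connection established",
             trailing: bytes = b"") -> Tuple[bytes, bytes]:
    """Constructed in-process exchange: one end of a socketpair plays the HTTP proxy server.
    Returns (CONNECT request head the proxy saw, bytes the proxy sent after its head)."""
    device_side, proxy_side = socket.socketpair()
    seen = {}

    def fake_proxy() -> None:
        seen["request"], _ = read_head(proxy_side)
        proxy_side.sendall(status_line + b"\r\n\r\n" + trailing)
        proxy_side.close()

    worker = threading.Thread(target=fake_proxy)
    worker.start()
    try:
        leftover = open_tunnel(device_side, "www.example.com", 443)
        while True:                         # the fake proxy closes after sending, so drain to EOF
            chunk = device_side.recv(4096)
            if not chunk:
                break
            leftover += chunk
        return seen["request"], leftover
    finally:
        device_side.close()
        worker.join()
```

Against a real proxy, `open_tunnel` is called on a TCP socket connected to the configured proxy address and port, and the relay loop then moves complete records from `tls_records` in both directions; a non-2xx answer means the proxy declined the destination, and the terminal's connection should be reset rather than left hanging.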
  • FIG. 9 is a schematic diagram of the newly added module according to an embodiment of the present invention. As shown in FIG. 9, the module includes: a rule configuration module, a user message proxy module, an uplink packet processing module and a downlink packet processing module.
  • The rule configuration module provides public network address rules, an HTTP port list, an HTTPS port list and HTTP proxy server rules.
  • The public network address rules configure which destination addresses are to be accessed through the HTTP proxy server.
  • A configuration method similar to that of an intranet host may be adopted, that is, an exception address list is configured and every other address is regarded as a public network address; alternatively an explicit indication method may be adopted, that is, the subnets that count as public network addresses are listed explicitly.
  • The HTTP port list configures which TCP ports are treated as HTTP ports.
  • The HTTPS port list configures which TCP ports are treated as HTTPS ports.
  • The HTTP proxy server rules configure the HTTP proxy server address and port number; multiple HTTP proxy server records may be configured for dynamic selection or load sharing.
  • The uplink packet processing module analyses the S1-U uplink packets of internal users, parses the destination address and TCP port number of each user packet and matches them against the public network address rules, the HTTP port list rules and the HTTPS port list rules.
  • Public network HTTP/HTTPS packets identified in this way are taken off the normal path: the user packet (IP packet) is extracted and handed to the user message proxy module.
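The matching step of the method (destination address against the public network address library, TCP port against the HTTP and HTTPS port lists) and the rule configuration module just described, including both public-address modes and the multiple proxy records, can be exercised with the following added example. It is not the patent's code; the class and function names, the default ports 80 and 443, and the flow-hash choice for load sharing are this example's assumptions.

```python
"""Classification of an uplink user packet by the base-station-side device.
Added example; rule names, defaults and the load-sharing hash are assumptions, not the patent's own code."""
import ipaddress
import zlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List, Set, Tuple


class PacketType(Enum):
    HTTP = "http"      # proxy via an HTTP connection to the proxy server (URL rewritten to absolute form)
    HTTPS = "https"    # proxy via a CONNECT tunnel through the proxy server
    OTHER = "other"    # not a public-network HTTP/HTTPS packet: leave it on the normal S1-U path


@dataclass
class ProxyRules:
    """Rule configuration module (assumed layout). The public-address rule is either an
    exception list (every address not listed counts as public) or an explicit list of
    public subnets; the explicit list is used whenever it is non-empty."""
    exception_subnets: Iterable[str] = ()
    public_subnets: Iterable[str] = ()
    http_ports: Set[int] = field(default_factory=lambda: {80})
    https_ports: Set[int] = field(default_factory=lambda: {443})
    proxies: List[Tuple[str, int]] = field(default_factory=list)   # (address, port) records

    def __post_init__(self) -> None:
        self.exception_subnets = frozenset(ipaddress.ip_network(n) for n in self.exception_subnets)
        self.public_subnets = frozenset(ipaddress.ip_network(n) for n in self.public_subnets)
        # A port listed as both HTTP and HTTPS would make the packet type ambiguous: reject the config.
        overlap = self.http_ports & self.https_ports
        if overlap:
            raise ValueError(f"ports in both HTTP and HTTPS lists: {sorted(overlap)}")
        if not self.proxies:
            raise ValueError("at least one HTTP proxy server record is required")

    def is_public(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if self.public_subnets:                                  # explicit-indication mode
            return any(ip in net for net in self.public_subnets)
        return not any(ip in net for net in self.exception_subnets)   # exception-list mode


def classify(rules: ProxyRules, dst_ip: str, dst_port: int) -> PacketType:
    """Match the packet's destination address and TCP port against the three rule sets."""
    if not rules.is_public(dst_ip):
        return PacketType.OTHER
    if dst_port in rules.http_ports:
        return PacketType.HTTP
    if dst_port in rules.https_ports:
        return PacketType.HTTPS
    return PacketType.OTHER


def select_proxy(rules: ProxyRules, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Load sharing across proxy records: hash the flow so every packet of one TCP
    connection reaches the same proxy. Python's hash() is randomised per process,
    so a stable CRC over the 4-tuple is used instead."""
    key = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
    return rules.proxies[zlib.crc32(key) % len(rules.proxies)]
```

In exception-list mode an empty exception list sends every destination, including the enterprise intranet, through the proxy, so the intranet prefixes belong in that list; the explicit mode is the safer default when the set of public destinations is known.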
  • The user message proxy module is divided into an HTTP message proxy module and an HTTPS message proxy module. When a packet arrives from the uplink packet processing module, an HTTP message proxy module instance or an HTTPS message proxy module instance is created dynamically according to the packet type.
  • The HTTP message proxy module, in the role of the public network server, establishes an HTTP connection with the user terminal and collects the terminal's HTTP packets; in the role of an intranet host it establishes an HTTP connection with the HTTP proxy server according to the proxy rule configuration, processes each received user terminal HTTP message and sends it to the HTTP proxy server. It receives the HTTP response packets returned by the HTTP proxy server and, in the role of the public network server, sends them to the user terminal over the HTTP connection with the terminal; the packets are packaged and handed to the downlink packet processing module for delivery.
  • The HTTPS message proxy module, in the role of the public network server, establishes an SSL connection with the user terminal and collects the terminal's SSL messages; in the role of an intranet host it establishes an HTTP connection with the HTTP proxy server according to the proxy rule configuration and uses the CONNECT method to request that the proxy server establish an SSL connection with the public network server, then sends the received user terminal SSL messages to the HTTP proxy server over the HTTP connection with the proxy.
  • The SSL packets returned by the HTTP proxy server are received and, in the role of the public network server, sent to the user terminal over the SSL connection with the terminal; the packets are packaged and handed to the downlink packet processing module for delivery.
  • An HTTP or HTTPS message proxy module instance is released when the TCP connection release message from the user terminal is received, and the user message proxy module is notified.
  • The downlink packet processing module packages the user packets handed over by the user message proxy module into S1-U packets and sends them to the mobile network base station for delivery to the user terminal.
  • FIG. 10 is a schematic diagram of the deployment of the new module of FIG. 9 according to an embodiment of the present invention.
  • Two deployment modes are provided.
  • Deployment mode 1: the new module is deployed together with the mobile network base station. Integrating the new module into the base station makes it easy to manage.
  • Deployment mode 2: separate deployment, in which the new module is placed in a newly added separate device. Separate deployment has no impact on the mobile network base station and is easy to deploy.
  • FIG. 11 is a flowchart of processing an HTTP public network access uplink message of an internal user of an enterprise according to an embodiment of the present invention.
  • S1 is the logical link between the mobile network base station eNB and the core network EPC, and an S1-U packet is a user packet carried on the S1 link. An S1-U packet encapsulates the IP packet of the user terminal, also called the user packet.
  • the technical solution of the present invention receives S1-U uplink packets from the mobile network base station eNB, identifies the uplink HTTP public network access packets of an internal user, receives them while simulating the public network server, performs URL processing, and then, simulating the intranet host, sends them to the HTTP proxy server to access the public network.
  • the method for the HTTP public network to access the uplink packet of the internal user of the enterprise may include:
  • Step 1101 The UE sends an air interface packet carrying a user packet (user HTTP packet);
  • Step 1102 The mobile network base station extracts a user packet (user HTTP packet), and packages it into an S1-U transmission.
  • Step 1103 The uplink packet processing module analyzes the S1-U uplink packet of the internal user by packet, parses the destination address and the TCP port number in the internal user packet, and identifies the uplink HTTP public network packet.
  • Step 1104 The uplink packet processing module sends the user packet (user HTTP packet) to the user packet proxy module.
  • Step 1105 The user packet proxy module checks whether an HTTP message proxy module is already connected to this user and, if not, creates one;
  • Step 1106 The user packet proxy module forwards the packet to the HTTP message proxy module for processing;
  • Step 1107 The HTTP message proxy module simulates a public network server, and creates an HTTP connection with the UE.
  • Step 1108 The HTTP connection between the UE and the HTTP message proxy module is successfully created. The message between the UE and the HTTP message proxy module will be sent through this HTTP connection;
  • Step 1109 The HTTP message proxy module initiates establishing an HTTP connection with the HTTP proxy server.
  • Step 1110 The HTTP message proxy module receives the user HTTP packet.
  • Step 1111 The HTTP message proxy module collects the user HTTP packet, performs URL processing, and then sends the HTTP packet to the HTTP proxy server.
  • FIG. 12 is a flowchart of processing an internal user HTTP public network access downlink packet according to an embodiment of the present invention. As shown in FIG. 12, after an HTTP packet returned by the HTTP proxy server is received, it is sent to the user terminal over the HTTP connection with the UE, with the module simulating the public network server, and the user packet is packaged into an S1-U downlink packet and sent to the mobile network base station. The processing may include:
  • Step 1201 The HTTP connection between the UE and the HTTP message proxy module is established.
  • Step 1202 An HTTP connection between the HTTP message proxy module and the HTTP proxy server is established.
  • Step 1203 The HTTP proxy server sends an HTTP response message to the HTTP message proxy module.
  • Step 1204 The HTTP message proxy module receives the HTTP response packet.
  • Step 1205 The HTTP message proxy module encapsulates the received HTTP response packet into a user packet (user IP packet) sent to the UE.
  • Step 1206 The HTTP message proxy module sends the user packet to the downlink processing module.
  • Step 1207 The downlink processing module packages the user packet into an S1-U downlink packet and sends it to the mobile network base station.
  • Step 1208 The mobile network base station extracts the user packet and carries it to the UE through the air interface packet.
  • FIG. 13 is a flowchart of processing an internal user HTTPS public network access uplink packet according to an embodiment of the present invention.
  • the new module receives S1-U uplink packets from the mobile network base station eNB, identifies the uplink HTTPS public network packets of an internal user, receives them while simulating the public network server, and then, simulating the intranet host, sends them to the HTTP proxy server to access the public network.
  • Step 1301 The UE sends an air interface packet carrying a user packet (a user SSL packet);
  • Step 1302 The mobile network base station extracts user packets (user SSL packets), and packages them into S1-U transmissions.
  • Step 1303 The uplink packet processing module analyzes the S1-U uplink packet of the internal user by packet, parses the destination address and the TCP port number in the internal user packet, and identifies the uplink HTTPS public network packet.
  • Step 1304 The uplink packet processing module sends the user packet (the user SSL packet) to the user packet proxy module.
  • Step 1305 The user packet proxy module checks whether an HTTPS message proxy module is already connected to this user and, if not, creates one;
  • Step 1306 The user packet proxy module forwards the packet to the HTTPS message proxy module for processing;
  • Step 1307 The HTTPS message proxy module simulates the public network server and creates an SSL connection with the UE.
  • Step 1308 The SSL connection between the UE and the HTTPS message proxy module is successfully created. The message between the UE and the HTTPS message proxy module will be sent through this SSL connection;
  • Step 1309 The HTTPS message proxy module initiates an HTTP connection with the HTTP proxy server, and requests the HTTP proxy server to establish an SSL connection with the public network server by using the CONNECT method.
  • Step 1310 The HTTPS message proxy module receives the user SSL packet.
  • Step 1311 The HTTPS message proxy module sends the received user SSL packet to the HTTP proxy server.
  • FIG. 14 is a flowchart of processing an internal user HTTPS public network access downlink packet according to an embodiment of the present invention.
  • an SSL packet returned by the HTTP proxy server is received and, with the module simulating the public network server, sent to the user terminal over the SSL connection; the user packet is packaged into an S1-U downlink packet and sent to the mobile network base station.
  • Step 1401 The SSL connection between the UE and the HTTPS message proxy module is established.
  • Step 1402 An HTTP connection between the HTTPS message proxy module and the HTTP proxy server is established.
  • Step 1403 The HTTP proxy server sends an SSL packet to the HTTPS message proxy module.
  • Step 1404 The HTTPS message proxy module receives the SSL packet.
  • Step 1405 The HTTPS message proxy module encapsulates the received SSL packet into a user packet (user IP packet) sent to the UE.
  • Step 1406 The HTTPS message proxy module sends the user packet to the downlink processing module.
  • Step 1407 The downlink processing module packages the user packet into an S1-U downlink packet and sends it to the mobile network base station.
  • Step 1408 The mobile network base station extracts the user packet and carries it to the UE through the air interface packet.
  • the user mobile terminal in the enterprise network accesses the public network service through the enterprise network HTTP proxy server on the mobile network base station side, making full use of the wired transmission bandwidth originally leased by the enterprise network; this saves cost and also makes it convenient for the enterprise network to control how its internal users' mobile network terminals access the public network.
  • the embodiment of the present invention provides a computer storage medium storing computer executable instructions; after the computer executable instructions are executed, the method for the user terminal of the enterprise mobile private network to access the public network provided by any one or more of the foregoing technical solutions can be implemented, for example, one or more of the methods shown in FIG. 5 and FIG. 11 to FIG.
  • the computer storage medium may be any of various types of storage media, such as random access storage media, read-only storage media, flash memory, optical disks, removable hard disks, USB flash drives, or magnetic tapes, and is optionally a non-transitory storage medium.
  • the computer executable instructions stored on the computer storage medium provided in the embodiment can be executed by a processor to implement the method, provided by one or more of the technical solutions, for the user terminal of the enterprise mobile private network to access the public network.
  • the embodiment further provides a base station, which may be the foregoing enterprise mobile private network base station, including:
  • a transceiver, which may include a transceiver antenna, configured to send and receive information;
  • a processor connected to the transceiver, configured to implement, by executing computer executable instructions such as a computer program, the method for the user terminal of the enterprise mobile private network to access the public network provided by one or more of the technical solutions, for example, one or more of the methods shown in FIG. 5 and FIGs. 11 to 14.
  • after the protocol connection between the base station and the user mobile terminal is established, the packets the user mobile terminal sends towards the public network are received over that protocol connection and forwarded to the public network through the HTTP server, and the packets destined for the mobile terminal are received from the HTTP server. The bandwidth of the HTTP server is borrowed instead of routing the packets to the public network through the EPC, which reduces bandwidth consumption in the mobile network. Since the HTTP server is usually directly connected to the public network, the number of hops in packet transmission is reduced and transmission efficiency improves; the solution therefore has a positive industrial effect and is practical to implement, so it can be widely promoted in industry.

Abstract

The present invention discloses a public network accessing method and device and a storage medium for a user terminal of an enterprise mobile private network. The method comprises: an enterprise mobile private network base station side determining, upon receiving an uplink public network packet transmitted from a mobile terminal of an enterprise internal user, a packet type of the uplink public network packet; the enterprise mobile private network base station side establishing, according to the determined packet type of the uplink public network packet, a protocol connection corresponding to the packet type with the mobile terminal of the enterprise internal user, and acquiring an uplink protocol packet transmitted via the protocol connection from the mobile terminal of the enterprise internal user; the enterprise mobile private network base station side routing the uplink protocol packet to an HTTP proxy server; and the enterprise mobile private network base station side transmitting, upon receiving a downlink protocol packet returned from the HTTP proxy server, the downlink protocol packet via the established protocol connection to the mobile terminal of the enterprise internal user.

Description

Method, device and storage medium for a user terminal of a mobile private network to access a public network
Cross-reference to related applications
This application is based on and claims priority to Chinese Patent Application No. 201710081308.7 filed on February 15, 2017, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of mobile communication technology, and in particular to a method and device for a user terminal of an enterprise mobile private network to access a public network.
Background
An enterprise network is generally divided into an internal network (the enterprise intranet) and a DMZ (Demilitarized Zone, also called an isolation zone). Enterprise internal computers (hereinafter intranet hosts) are located in the enterprise intranet. When an intranet host accesses the Internet (also called the public network or external network), it does so through a Hypertext Transfer Protocol (HTTP) proxy server (also called a WEB proxy server); the HTTP proxy server is generally deployed in the DMZ.
The HTTP proxy server proxies external network access over HTTP and HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer). Both HTTP and HTTPS are based on TCP (Transmission Control Protocol) and are distinguished by port number.
For HTTP and HTTPS public network access, the intranet host does not establish a connection directly with the public network server; instead it establishes an HTTP connection with the HTTP proxy server, and the HTTP proxy server establishes the protocol-specific connection with the public network server, as shown in FIG. 1.
Optionally, for HTTP access, as shown in FIG. 2, the intranet host establishes an HTTP connection with the proxy server, and the proxy server establishes an HTTP connection with the target public network WEB server.
For HTTPS access, as shown in FIG. 3, the intranet host establishes an HTTP connection with the proxy server and uses the CONNECT method to request that the proxy server establish an SSL (Secure Socket Layer) connection with the public network server; the HTTP connection between the intranet host and the HTTP proxy server then transparently forwards the SSL packets between the intranet host and the public network server. This is commonly called a WEB tunnel.
In addition to providing public mobile network services to public users, a mobile operator's base station (eNB, evolved Node B) can also build a virtual mobile private network for an enterprise, through which enterprise internal users can access the enterprise intranet; this is referred to here as an enterprise mobile private network. Correspondingly, these base stations may also be called enterprise mobile private network base stations. It should be noted that an enterprise mobile private network base station here is in fact also a public base station; it differs from an ordinary public base station in that it can be used to construct an enterprise mobile private network.
The mobile terminal of an enterprise internal user on the enterprise mobile private network, i.e. the user terminal (UE, User Equipment), can reach the enterprise internal network on the base station side. When accessing the public network, however, because a proxy cannot be set for the APN (Access Point Name), traffic must pass through the operator's mobile network base station, backhaul network and core network EPC (Evolved Packet Core) to the Internet and then be routed to the public network server, as shown in FIG. 4, which consumes a large amount of mobile network bandwidth and incurs a large transmission delay.
Summary of the invention
The technical problem that the solution provided by the embodiments of the present invention seeks to solve is that the mobile terminal of an enterprise internal user cannot use the enterprise network HTTP proxy server to access the public network on the mobile network access side.
An embodiment of the present invention provides a method for a user terminal of an enterprise mobile private network to access a public network, comprising:
when the base station side of the enterprise mobile private network receives an uplink public network packet sent by the mobile terminal of an enterprise internal user, determining the packet type of the uplink public network packet;
the base station side of the enterprise mobile private network establishing, according to the determined packet type of the uplink public network packet, a protocol connection of the corresponding packet type between itself and the mobile terminal of the enterprise internal user, and acquiring, via the protocol connection, the uplink protocol packet sent by the mobile terminal of the enterprise internal user;
the base station side of the enterprise mobile private network routing the uplink protocol packet to an HTTP proxy server, so that the mobile terminal of the enterprise internal user accesses the public network via the HTTP proxy server;
when the base station side of the enterprise mobile private network receives a downlink protocol packet returned by the HTTP proxy server, sending the downlink protocol packet to the mobile terminal of the enterprise internal user through the established protocol connection.
An embodiment of the present invention provides a device for a user terminal of an enterprise mobile private network to access a public network, comprising:
a determining module, configured to determine the packet type of an uplink public network packet when the uplink public network packet sent by the mobile terminal of an enterprise internal user is received;
a protocol connection establishing module, configured to establish, according to the determined packet type of the uplink public network packet, a protocol connection of the corresponding packet type between the device and the mobile terminal of the enterprise internal user, and to acquire, via the protocol connection, the uplink protocol packet sent by the mobile terminal of the enterprise internal user;
a sending module, configured to route the uplink protocol packet to an HTTP proxy server, so that the mobile terminal of the enterprise internal user accesses the public network via the HTTP proxy server, and, when a downlink protocol packet returned by the HTTP proxy server is received, to send the downlink protocol packet to the mobile terminal of the enterprise internal user through the established protocol connection.
An embodiment of the present invention provides a computer storage medium storing computer executable instructions; after the computer executable instructions are executed, the foregoing method for a user terminal of an enterprise mobile private network to access a public network can be implemented.
In the solution provided by the embodiments of the present invention, on the mobile network base station side, if a packet received from the mobile terminal of an enterprise internal user is determined to be an uplink public network packet, a protocol connection matching the packet type is established with the user mobile terminal; packets sent by the internal user mobile terminal are received over that protocol connection, forwarded to the local network HTTP proxy server, and the local network HTTP proxy server is used to access the public network service. On the one hand, when the internal user mobile terminal accesses the public network it no longer needs to be backhauled from the base station (e.g. an eNB) to the EPC and then routed to the public network, so the wired transmission bandwidth originally leased by the enterprise network is fully used and no additional mobile network bandwidth is occupied, which saves cost; on the other hand, the routing of packets through the wireless eNB and EPC is reduced, which shortens the overall time consumed by packet transmission and hence reduces packet delay; furthermore, it is convenient for the local network to control the public network access behaviour of its internal users' mobile network terminals.
Brief description of the drawings
FIG. 1 is a schematic diagram of an intranet host indirectly accessing a public network;
FIG. 2 is a schematic diagram of an intranet host accessing a website over HTTP;
FIG. 3 is a schematic diagram of an intranet host accessing a website over HTTPS;
FIG. 4 is a schematic diagram of the mobile network terminal of an enterprise internal user accessing a public network;
FIG. 5 is a flowchart of a method for a user terminal of an enterprise mobile private network to access a public network according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a device for a user terminal of an enterprise mobile private network to access a public network according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an enterprise internal user's mobile network terminal using an HTTP proxy server according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an enterprise internal user's mobile network terminal using an HTTP proxy server according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the new module provided by an embodiment of the present invention;
FIG. 10 is a schematic diagram of the deployment of the new module of FIG. 9 according to an embodiment of the present invention;
FIG. 11 is a flowchart of processing an HTTP public network access uplink packet of an enterprise internal user according to an embodiment of the present invention;
FIG. 12 is a flowchart of processing an HTTP public network access downlink packet of an enterprise internal user according to an embodiment of the present invention;
FIG. 13 is a flowchart of processing an HTTPS public network access uplink packet of an internal user according to an embodiment of the present invention;
FIG. 14 is a flowchart of processing an HTTPS public network access downlink packet of an enterprise internal user according to an embodiment of the present invention.
Detailed description
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the preferred embodiments described below are only intended to illustrate and explain the present invention and are not intended to limit it.
FIG. 5 is a flowchart of a method for a user terminal of an enterprise mobile private network to access a public network according to an embodiment of the present invention. As shown in FIG. 5, the method includes:
Step S501: when the base station side of the enterprise mobile private network receives an uplink public network packet sent by the mobile terminal of an enterprise internal user, it determines the packet type of the uplink public network packet;
Step S502: the base station side of the enterprise mobile private network establishes, according to the determined packet type of the uplink public network packet, a protocol connection of the corresponding packet type between itself and the mobile terminal of the enterprise internal user, and acquires, via the protocol connection, the uplink protocol packet sent by the mobile terminal of the enterprise internal user. The protocol connection established here is a connection between the base station side of the enterprise mobile private network and the mobile terminal of the enterprise internal user that follows the protocol matching the packet type.
Step S503: the base station side of the enterprise mobile private network routes the uplink protocol packet to the HTTP proxy server, so that the mobile terminal of the enterprise internal user accesses the public network via the HTTP proxy server;
Step S504: when the base station side of the enterprise mobile private network receives a downlink protocol packet returned by the HTTP proxy server, it sends the downlink protocol packet to the mobile terminal of the enterprise internal user through the established protocol connection.
The uplink public network packet contains destination address information identifying a public network address and TCP port number information identifying the packet type. The packet type includes the HTTP packet type and the HTTPS packet type.
In the embodiment of the present invention, the base station side of the enterprise mobile private network includes an enterprise mobile private network base station; an enterprise mobile private network base station is a public base station of a mobile operator that can provide the function of constructing an enterprise mobile private network, and the enterprise mobile private network is only accessible to the mobile terminals of enterprise internal users.
When the base station side of the enterprise mobile private network receives an uplink public network packet sent by the mobile terminal of an enterprise internal user, determining the packet type of the uplink public network packet includes: when the base station side of the enterprise mobile private network receives the uplink public network packet sent by the mobile terminal of the enterprise internal user, it parses the uplink public network packet to obtain its destination address and TCP port number; the base station side of the enterprise mobile private network matches the obtained destination address and TCP port number against a preset public network address library, HTTP port list library and HTTPS port list library; if the obtained destination address and TCP port number match the public network address library and the HTTP port list library, the base station side determines that the uplink public network packet is of the HTTP packet type; if the obtained destination address and TCP port number match the public network address library and the HTTPS port list library, the base station side determines that the uplink public network packet is of the HTTPS packet type.
Establishing, by the base station side of the enterprise mobile private network and according to the determined packet type of the uplink public network packet, a protocol connection of the corresponding packet type between itself and the mobile terminal of the enterprise internal user, and acquiring via the protocol connection the uplink protocol packet sent by that mobile terminal includes: when the base station side of the enterprise mobile private network determines that the uplink public network packet is of the HTTP packet type, it establishes an HTTP protocol connection between itself and the mobile terminal of the enterprise internal user and acquires, via the HTTP protocol connection, the uplink HTTP protocol packet sent by the mobile terminal of the enterprise internal user. Sending, by the base station side of the enterprise mobile private network upon receiving the downlink protocol packet returned by the HTTP proxy server, the downlink protocol packet to the mobile terminal of the enterprise internal user through the established protocol connection includes: when the base station side of the enterprise mobile private network receives a downlink HTTP protocol packet returned by the HTTP proxy server, it encapsulates the downlink HTTP protocol packet into a downlink user packet for the mobile terminal of the enterprise internal user and sends the downlink user packet to the mobile terminal of the enterprise internal user through the established HTTP protocol connection.
Optionally, establishing, by the base station side of the enterprise mobile private network and according to the determined packet type of the uplink public network packet, a protocol connection of the corresponding packet type between itself and the mobile terminal of the enterprise internal user, and acquiring via the protocol connection the uplink protocol packet sent by that mobile terminal includes: when the base station side of the enterprise mobile private network determines that the uplink public network packet is of the HTTPS packet type, it establishes an SSL protocol connection between itself and the mobile terminal of the enterprise internal user and acquires, via the SSL protocol connection, the uplink SSL protocol packet sent by the mobile terminal of the enterprise internal user. Sending, by the base station side of the enterprise mobile private network upon receiving the downlink protocol packet returned by the HTTP proxy server, the downlink protocol packet to the mobile terminal of the enterprise internal user through the established protocol connection includes: when the base station side of the enterprise mobile private network receives a downlink SSL protocol packet returned by the HTTP proxy server, it encapsulates the downlink SSL protocol packet into a downlink user packet for the mobile terminal of the enterprise internal user and sends the downlink user packet to the mobile terminal of the enterprise internal user through the established SSL protocol connection.
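The classification of step S501 and the hand-off to the HTTP proxy server described for the HTTP (FIG. 11) and HTTPS (FIG. 13) uplink flows, as an added example that is not part of the patent or any ZTE implementation. The port lists, the public network address library (here simply "not an RFC 1918 or loopback address"), the sample packets and the reading of "URL processing" as rewriting the request line into the absolute-URI form a forward proxy expects are all assumptions of this example.

```python
"""Added example: classify an uplink user packet by destination address and
TCP port (step S501) and build the request the base-station-side proxy module
hands to the enterprise HTTP proxy server. Not the patent's own code."""
import ipaddress
import struct

# Constructed preset libraries; the patent only says they are preset.
HTTP_PORTS = {80, 8080}
HTTPS_PORTS = {443, 8443}
# Constructed "public network address library": any address outside these
# private/loopback ranges is treated as public. A real deployment would load
# the enterprise's own list.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def parse_user_packet(pkt):
    """Return (dst_ip, dst_port, tcp_payload) from a user IPv4/TCP packet,
    or None if it is not IPv4 over TCP. The S1-U (GTP-U) encapsulation is
    assumed to have been removed by the uplink packet processing module."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # protocol 6 == TCP
        return None
    dst_ip = str(ipaddress.ip_address(pkt[16:20]))
    tcp = pkt[ihl:]
    _src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return dst_ip, dst_port, tcp[data_off:]


def classify_uplink(pkt):
    """Step S501: 'HTTP', 'HTTPS', or None when the packet is not a public
    network HTTP/HTTPS packet (e.g. intranet traffic, which is not diverted)."""
    parsed = parse_user_packet(pkt)
    if parsed is None:
        return None
    dst_ip, dst_port, _ = parsed
    if not is_public_address(dst_ip):
        return None
    if dst_port in HTTP_PORTS:
        return "HTTP"
    if dst_port in HTTPS_PORTS:
        return "HTTPS"
    return None


def build_proxy_request(kind, dst_ip, dst_port, payload):
    """What the proxy module sends to the HTTP proxy server.
    HTTPS (step 1309): a CONNECT request that opens the WEB tunnel; the UE's
    SSL bytes are relayed unchanged once the proxy accepts it.
    HTTP (step 1111): the request line is rewritten to an absolute URI, which
    is this example's assumed meaning of 'URL processing'."""
    if kind == "HTTPS":
        return (f"CONNECT {dst_ip}:{dst_port} HTTP/1.1\r\n"
                f"Host: {dst_ip}:{dst_port}\r\n\r\n").encode()
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    host = next((l.split(b":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith(b"host:")), dst_ip.encode())
    if target.startswith(b"/"):
        target = b"http://" + host + target
    lines[0] = b" ".join((method, target, version))
    return b"\r\n".join(lines) + sep + body


def handle_uplink(pkt):
    """Uplink path of FIG. 11 / FIG. 13 up to the hand-off to the proxy server:
    returns (kind, bytes for the HTTP proxy server) or None if not diverted."""
    kind = classify_uplink(pkt)
    if kind is None:
        return None
    dst_ip, dst_port, payload = parse_user_packet(pkt)
    return kind, build_proxy_request(kind, dst_ip, dst_port, payload)


def make_user_packet(dst_ip, dst_port, payload, src_ip="10.8.0.5",
                     src_port=40000, proto=6):
    """Constructed sample input: minimal IPv4 + TCP headers, checksums zero."""
    total = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                          5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print(handle_uplink(make_user_packet("203.0.113.10", 80, req)))
    print(handle_uplink(make_user_packet("203.0.113.10", 443, b"\x16\x03\x01")))
    print(handle_uplink(make_user_packet("10.1.2.3", 80, req)))   # intranet
```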
在本发明实施例中若企业移动专用网基站在建立与UE的协议连接之后,会建立路由信息,该路由信息会通过该协议连接接收的UE发送的信息,路由到所述HTTP服务器,并从HTTP服务器接收的发送给UE的信息,通过该协议连接发送给UE。In the embodiment of the present invention, if the enterprise mobile private network base station establishes a protocol connection with the UE, the routing information is established, and the routing information is connected to the received information sent by the UE through the protocol, and is routed to the HTTP server, and is The information sent by the HTTP server to the UE is sent to the UE through the protocol connection.
FIG. 6 is a schematic diagram of a device, provided by an embodiment of the present invention, by which a user terminal of an enterprise mobile private network accesses a public network. The device can be applied in an enterprise mobile private network base station and, as shown in FIG. 6, includes: a determining module 601, configured to determine the packet type of an uplink public network packet when such a packet is received from the mobile terminal of an enterprise internal user; a protocol connection establishing module 602, configured to establish, according to the determined packet type of the uplink public network packet, a protocol connection of the corresponding packet type with the mobile terminal of the enterprise internal user, and to obtain via that protocol connection the uplink protocol packet sent by the mobile terminal; and a sending module 603, configured to route the uplink protocol packet to the HTTP proxy server so that the mobile terminal of the enterprise internal user accesses the public network via the HTTP proxy server, and, upon receiving the downlink protocol packet returned by the HTTP proxy server, to send the downlink protocol packet to the mobile terminal via the established protocol connection.
The uplink public network packet includes destination address information identifying a public network address and TCP port number information identifying the packet type; the packet type includes an HTTP packet type and an HTTPS packet type.
The determining module 601 includes: a parsing unit, configured to parse the uplink public network packet when it is received from the mobile terminal of the enterprise internal user, obtaining the packet's destination address and TCP port number; a matching unit, configured to match the obtained destination address and TCP port number against a preset public network address library, an HTTP port list library and an HTTPS port list library; and a determining unit, configured to determine that the uplink public network packet is of the HTTP packet type when the obtained destination address and TCP port number match the public network address library and the HTTP port list library, and to determine that it is of the HTTPS packet type when they match the public network address library and the HTTPS port list library.
The protocol connection establishing module 602 includes:
a first protocol connection establishing unit, configured to establish an HTTP protocol connection with the mobile terminal of the enterprise internal user when the uplink public network packet is determined to be of the HTTP packet type, and to obtain via that HTTP protocol connection the uplink HTTP protocol packet sent by the mobile terminal.
The protocol connection establishing module 602 further includes:
a second protocol connection establishing unit, configured to establish an SSL protocol connection with the mobile terminal of the enterprise internal user when the uplink public network packet is determined to be of the HTTPS packet type, and to obtain via that SSL protocol connection the uplink SSL protocol packet sent by the mobile terminal.
The sending module 603 is configured to, upon receiving the downlink HTTP protocol packet returned by the HTTP proxy server, encapsulate the downlink HTTP protocol packet into a downlink user packet addressed to the mobile terminal of the enterprise internal user and send that downlink user packet to the mobile terminal via the established HTTP protocol connection.
The sending module 603 is further configured to, upon receiving the downlink SSL protocol packet returned by the HTTP proxy server, encapsulate the downlink SSL protocol packet into a downlink user packet addressed to the mobile terminal of the enterprise internal user and send that downlink user packet to the mobile terminal via the established SSL protocol connection.
FIG. 7 is a schematic diagram, provided by an embodiment of the present invention, of a mobile network terminal of an enterprise internal user using an HTTP proxy server. As shown in FIG. 7, when an internal user of the enterprise network accesses the public network with a mobile network terminal, the new device simulates the public network server, establishes an HTTP protocol connection with the user terminal and receives the user's protocol packets; the new device then simulates an intranet host's proxied Internet access and reaches the public network through the HTTP proxy server.
For HTTP access, the new device simulates the public network server, establishes an HTTP connection with the user terminal and receives the user terminal's HTTP request packet; the new device then simulates an intranet host, establishes an HTTP connection with the HTTP proxy server, performs URL (Uniform Resource Locator) processing on the received user terminal HTTP packet and sends it to the HTTP proxy server, which forwards it to the public network server over its HTTP connection with that server. The URL in the user terminal's HTTP packet is a relative URL, whereas the HTTP packet an intranet host sends to the proxy server carries an absolute URL; URL processing therefore rewrites the relative URL in the user terminal's HTTP packet into an absolute URL. The HTTP response packet returned by the HTTP proxy server is received, and the new device, again simulating the public network server, sends it to the user terminal over the HTTP connection with the user terminal. The absolute URL is the storage path of the target information and can be used to access the target information directly. The relative URL expresses the path relationship of the target information's storage path relative to the storage path of reference information. For example, the file storing the target information may be a target file and the file storing the reference information a reference file; the relative URL then expresses the path relationship of the target file's storage path relative to the reference file's storage path. Hence, to access the target file, the storage path of the reference file must also be introduced. In this embodiment, URL processing converts the relative URL into an absolute URL.
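The URL processing described above, as an added example in Python (not the patent's code): the user terminal's request carries an origin-form target such as "/index.html" (the relative URL), and the HTTP proxy expects the absolute form "http://host/index.html". The example takes the Host header as the reference that completes the path, passes through requests that are already absolute, and refuses to build a URL from a missing or malformed Host header. Sample requests are constructed.

```python
"""URL processing for the HTTP packet proxy: rewrite the user terminal's
origin-form request target ("/path") into the absolute-form target
("http://host/path") that an HTTP proxy expects.

Added example, not the patent's implementation. The Host header is used as the
"reference" that completes the relative URL; sample requests are constructed.
"""
import re

# Host header values are restricted to what a hostname (or [IPv6]) plus an
# optional port may contain, so a malformed header cannot place other
# request-line components into the URL that is built from it.
_HOST_RE = re.compile(rb"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+)(:[0-9]{1,5})?$")


def to_absolute_form(request: bytes) -> bytes:
    """Return the request with an absolute-form target.

    Requests that already carry an absolute URL, CONNECT requests (authority
    form) and "OPTIONS *" are returned unchanged. Raises ValueError when the
    request cannot be completed safely.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].split(b" ", 2)
    except ValueError:
        raise ValueError("malformed request line") from None
    if (method == b"CONNECT" or target == b"*"
            or target.lower().startswith((b"http://", b"https://"))):
        return request
    if not target.startswith(b"/"):
        raise ValueError("unexpected request-target form")
    host = None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip()
            break
    if host is None or not _HOST_RE.match(host):
        raise ValueError("missing or malformed Host header")
    # Absolute form = scheme + authority (from Host) + the original path/query.
    request_line = b" ".join([method, b"http://" + host + target, version])
    return b"\r\n".join([request_line] + lines[1:]) + sep + body
```

Only the request line changes; the Host header and the body are passed through untouched, so a POST with a Content-Length body keeps its framing.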
FIG. 8 is a schematic diagram, provided by an embodiment of the present invention, of a mobile network terminal of an enterprise internal user using an HTTP proxy server. As shown in FIG. 8, when an internal user of the enterprise network accesses the public network with a mobile network terminal, the new device simulates the public network server, establishes an SSL protocol connection with the user terminal and receives the user's protocol packets; the new device then simulates an intranet host's proxied Internet access and reaches the public network through the HTTP proxy server.
For HTTPS access, the new device simulates the public network server, establishes an SSL connection with the user terminal and receives its SSL packets; the new device then simulates an intranet host, establishes an HTTP connection with the HTTP proxy server, uses the CONNECT method to request that the HTTP proxy server establish an SSL connection with the public network server, and sends the received user terminal SSL packets to the HTTP proxy server, which forwards them to the public network server over its SSL connection with that server. The SSL packets returned by the HTTP proxy server are received, and the new device, again simulating the public network server, sends them to the user terminal over the SSL connection with the user terminal.
As shown in FIG. 7 and FIG. 8, the new device analyses the user uplink packets of the mobile network base station packet by packet and identifies the internal users' public network HTTP/HTTPS access packets; according to the proxy configuration rules it simulates the public network server, establishes an HTTP or SSL connection with the user terminal and receives the user terminal's HTTP or SSL packets; it simulates an intranet host, establishes an HTTP connection with the HTTP proxy server according to the proxy configuration rules, and sends the user's HTTP or SSL protocol packets to the HTTP proxy server; and it receives the user packets returned by the proxy server, simulates the public network server, and sends them to the user terminal through the mobile network base station over the HTTP or SSL protocol connection previously established with the user terminal.
Optionally, the following steps are included:
1) Identify HTTP/HTTPS public network access packets: uplink packets whose destination address matches the public network address configuration rule and whose TCP port number matches the HTTP port list rule or the HTTPS port list rule.
2) Simulate the public network server to send and receive HTTP packets: simulate the public network server, establish an HTTP connection with the user terminal and receive the HTTP protocol packets sent by the user terminal. Send the user's HTTP protocol packets received from the HTTP proxy server to the user terminal over the HTTP connection with the user terminal.
3) Simulate the public network server to send and receive SSL packets: simulate the public network server, establish an SSL connection with the user terminal and receive the SSL protocol packets sent by the user terminal. Send the user's SSL protocol packets received from the HTTP proxy server to the user terminal over the SSL connection with the user terminal.
4) Simulate an internal host to exchange HTTP packets with the HTTP proxy server: simulate the behaviour of an internal host and establish an HTTP connection with the HTTP proxy server. Perform URL processing on the received user terminal HTTP protocol packets and send them to the HTTP proxy server; receive the HTTP protocol packets returned by the HTTP proxy server.
5) Simulate an internal host to exchange SSL packets with the HTTP proxy server: simulate the behaviour of an internal host, establish an HTTP connection with the HTTP proxy server and use the CONNECT method to request that the proxy server establish an SSL connection with the public network server. Send the received user terminal SSL protocol packets to the HTTP proxy server over the HTTP connection with the proxy server; receive the SSL protocol packets returned by the HTTP proxy server.
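The CONNECT exchange of step 5 (and of the HTTPS description under FIG. 8), shown with both sides' messages as an added Python example that is not the patent's code. `handle_connect` is a constructed stand-in for the proxy server so the exchange can run in memory; its allowed-port policy, and the host names used, are assumptions for the example. Once the proxy answers 200, everything after the blank line belongs to the tunnel: the device only relays SSL/TLS records between the UE-facing SSL connection and the proxy and never sees plaintext.

```python
"""The CONNECT exchange between the HTTPS packet proxy module (acting as an
intranet host) and the HTTP proxy server, as described in step 5.

Added example, not the patent's implementation. handle_connect() is a minimal
stand-in for the proxy server's side so both messages can be shown; the
allowed-port policy and the host names are constructed for the example.
"""

PROXY_ALLOWED_PORTS = frozenset({443})  # assumed proxy policy: tunnels only to HTTPS


def build_connect_request(host: str, port: int) -> bytes:
    """Client side (HTTPS packet proxy module): CONNECT in authority form."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def handle_connect(request: bytes, allowed_ports=PROXY_ALLOWED_PORTS):
    """Proxy-server side: validate the request and return (response, target).

    target is (host, port) when the tunnel is granted, otherwise None.
    """
    bad = b"HTTP/1.1 400 Bad Request\r\n\r\n"
    head, sep, _ = request.partition(b"\r\n\r\n")
    if not sep:
        return bad, None
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return bad, None
    host, colon, port = parts[1].rpartition(b":")   # rpartition keeps [IPv6]:port intact
    if not colon or not host or not host.isascii() or not port.isdigit():
        return bad, None
    port = int(port)
    if port not in allowed_ports:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n", None
    return b"HTTP/1.1 200 Connection Established\r\n\r\n", (host.decode("ascii"), port)


def parse_connect_response(data: bytes):
    """Client side: (status_code, tunnel_bytes) once the response head is complete.

    Bytes after the blank line already belong to the tunnel, i.e. they are the
    first SSL/TLS records from the public network server and must be handed to
    the UE-facing SSL connection untouched. Returns None if the head is incomplete.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    status_line = head.split(b"\r\n", 1)[0].split(None, 2)
    if len(status_line) < 2 or not status_line[1].isdigit():
        raise ValueError("malformed status line")
    return int(status_line[1]), rest


def open_tunnel(host: str, port: int, first_ue_record: bytes):
    """Walk one full exchange in memory.

    Returns (status, bytes relayed toward the proxy, bytes relayed toward the UE).
    Nothing is relayed unless the proxy granted the tunnel.
    """
    response, _target = handle_connect(build_connect_request(host, port))
    status, early_server_bytes = parse_connect_response(response)
    if status != 200:
        return status, None, None
    # After 200 the module forwards the UE's SSL records opaquely in both directions.
    return status, first_ue_record, early_server_bytes
```

Two details worth keeping in a real implementation: the status line is parsed on whitespace rather than by matching the reason phrase, since proxies vary it, and any bytes already following the blank line are treated as tunnel data rather than discarded.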
FIG. 9 is a schematic diagram of the newly added modules according to an embodiment of the present invention. As shown in FIG. 9, they include a rule configuration module, a user packet proxy module, an uplink packet processing module and a downlink packet processing module.
The rule configuration module provides the public network address rule, the HTTP port list, the HTTPS port list and the HTTP proxy server rule. The public network address rule configures address information: traffic to these addresses will reach the public network through the HTTP proxy server. In a concrete implementation, a configuration method similar to that of an intranet host may be used, that is, an exception address list is configured and every other address is treated as a public network address; alternatively an explicit method may be used, in which the subnets that count as public network addresses are stated explicitly. The HTTP port list configures which TCP ports are HTTP ports. The HTTPS port list configures which TCP ports are HTTPS ports. The HTTP proxy server rule configures the HTTP proxy server address and port number; multiple HTTP proxy server configuration records may be configured for dynamic selection or load sharing.
The uplink packet processing module analyses the internal users' S1-U uplink packets packet by packet, parses the destination address and TCP port number from the user packet, identifies uplink public network HTTP/HTTPS packets according to the public network address rule, the HTTP port list rule and the HTTPS port list rule, and extracts the user packet (IP packet) and passes it to the user packet proxy module.
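The classification performed by the determining module 601, the rule configuration module and the uplink packet processing module, as an added Python example that is not the patent's code. It parses the destination address and TCP destination port from the user IP packet and matches them against the three rule sets, supporting both forms of the public network address rule (exception list, or explicitly listed subnets). The rule values, addresses and sample packets are constructed; `build_ipv4_tcp` exists only to produce test input.

```python
"""Uplink classification as the determining module and the uplink packet
processing module describe it: parse the destination address and TCP port from
the user IP packet, then match both against the public network address rule and
the HTTP / HTTPS port lists of the rule configuration module.

Added example, not the patent's implementation. Both forms of the public
address rule are supported (exception list vs. explicit subnets); the rule
values, addresses and packets below are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyRules:
    http_ports: frozenset
    https_ports: frozenset
    exception_nets: tuple = ()   # form 1: everything NOT listed here is public
    public_nets: tuple = ()      # form 2: ONLY these subnets are public

    @classmethod
    def from_config(cls, http_ports, https_ports, exception=(), public=()):
        if exception and public:
            raise ValueError("choose one form of the public address rule")
        return cls(frozenset(http_ports), frozenset(https_ports),
                   tuple(ipaddress.ip_network(n) for n in exception),
                   tuple(ipaddress.ip_network(n) for n in public))

    def is_public(self, addr) -> bool:
        if self.public_nets:
            return any(addr in net for net in self.public_nets)
        return not any(addr in net for net in self.exception_nets)


def parse_ipv4_tcp(pkt: bytes):
    """Return (dst_ip, tcp_dst_port), or None if the packet is not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                          # header length incl. options
    if ihl < 20 or len(pkt) < ihl + 4 or pkt[9] != 6:   # protocol 6 = TCP
        return None
    dst = ipaddress.IPv4Address(pkt[16:20])
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return dst, dport


def classify(pkt: bytes, rules: ProxyRules) -> str:
    """'http' / 'https' for public-network traffic on a listed port, else 'other'."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return "other"
    dst, dport = parsed
    if not rules.is_public(dst):
        return "other"          # internal destination: stays on the normal S1-U path
    if dport in rules.http_ports:
        return "http"
    if dport in rules.https_ports:
        return "https"
    return "other"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP SYN (checksums left zero), enough for the parser above."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload
```

Port lists are a heuristic: TLS on an unlisted port is left on the normal path, and non-TLS traffic to a listed HTTPS port would be handed to the SSL proxy module, so the proxy modules should still check what actually arrives on the connection before treating it as HTTP or SSL.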
The user packet proxy module is divided into an HTTP packet proxy module and an HTTPS packet proxy module. After receiving a packet from the uplink packet processing module, it dynamically creates an HTTP packet proxy module or an HTTPS packet proxy module according to the packet type.
The HTTP packet proxy module simulates the public network server, establishes an HTTP connection with the user terminal and receives the user terminal's HTTP packets; it simulates the behaviour of an intranet host, establishes an HTTP connection with the HTTP proxy server according to the proxy rule configuration, performs URL processing on the received user terminal HTTP packets and sends them to the HTTP proxy server. It receives the HTTP response packets returned by the HTTP proxy server, simulates the public network server and sends them to the user terminal over the HTTP connection with the user terminal; the packets are packaged and passed to the downlink packet processing module.
The HTTPS packet proxy module simulates the public network server, establishes an SSL connection with the user terminal and receives the user terminal's SSL packets; it simulates the behaviour of an intranet host, establishes an HTTP connection with the HTTP proxy server according to the proxy rule configuration, uses the CONNECT method to request that the HTTP proxy server establish an SSL connection with the public network server, and sends the received user terminal SSL packets to the HTTP proxy server over the HTTP connection with the HTTP proxy server. It receives the SSL packets returned by the HTTP proxy server, simulates the public network server and sends them to the user terminal over the SSL connection with the user terminal; the packets are packaged and passed to the downlink packet processing module.
The HTTP packet proxy module and the HTTPS packet proxy module are released when a TCP connection release packet is received from the user terminal, and they notify the user packet proxy module.
The downlink packet processing module is configured to package the user packets received from the user packet proxy module into S1-U packets and send them to the mobile network base station for delivery to the user terminal.
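The S1-U framing that the uplink packet processing module unpacks and the downlink packet processing module rebuilds, as an added Python example that is not the patent's code. S1-U carries user IP packets in GTP-U (3GPP TS 29.281) over UDP; the example strips the GTP-U header on the way up, skipping the optional fields and any extension headers, rejects truncated or non-G-PDU frames, and re-encapsulates the reply on the way down. TEIDs and payloads are constructed; a real implementation takes the TEID from the bearer context.

```python
"""S1-U user-plane framing: the uplink packet processing module extracts the
user IP packet from an S1-U (GTP-U, 3GPP TS 29.281) frame and the downlink
packet processing module packages the reply back into one.

Added example, not the patent's implementation. TEIDs and payloads are
constructed; a real implementation takes the TEID from the bearer context.
"""
import struct

GTPU_G_PDU = 0xFF          # message type carrying a user packet (T-PDU)
_FLAG_VERSION1_PT = 0x30   # version 1, PT=1 (GTP), E/S/PN clear
_FLAG_E, _FLAG_S, _FLAG_PN = 0x04, 0x02, 0x01


def gtpu_encapsulate(teid: int, user_packet: bytes) -> bytes:
    """Downlink direction: wrap a user IP packet in the minimal 8-octet header."""
    if not 0 <= teid <= 0xFFFFFFFF:
        raise ValueError("TEID out of range")
    if len(user_packet) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length field")
    return struct.pack("!BBHI", _FLAG_VERSION1_PT, GTPU_G_PDU, len(user_packet), teid) + user_packet


def gtpu_encapsulate_with_seq(teid: int, seq: int, user_packet: bytes) -> bytes:
    """Same, with the optional sequence number present (S flag set)."""
    # Optional part: sequence (2), N-PDU number (1), next extension type (1; 0 = none).
    optional = struct.pack("!HBB", seq & 0xFFFF, 0, 0)
    length = len(optional) + len(user_packet)   # length counts octets after the mandatory 8
    return (struct.pack("!BBHI", _FLAG_VERSION1_PT | _FLAG_S, GTPU_G_PDU, length, teid)
            + optional + user_packet)


def gtpu_decapsulate(frame: bytes):
    """Uplink direction: return (teid, user_packet), or None for anything that is
    not a well-formed G-PDU. Optional fields and extension headers are skipped."""
    if len(frame) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", frame[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != GTPU_G_PDU:
        return None
    end = 8 + length
    if end > len(frame):
        return None                        # truncated frame or lying length field
    offset = 8
    if flags & (_FLAG_E | _FLAG_S | _FLAG_PN):
        if end < 12:
            return None                    # optional 4 octets are present whenever any flag is set
        offset = 12
        next_type = frame[11] if flags & _FLAG_E else 0
        while next_type != 0:              # walk the extension header chain
            if offset >= end:
                return None
            ext_len = frame[offset] * 4    # length in units of 4 octets, incl. both bookkeeping bytes
            if ext_len == 0 or offset + ext_len > end:
                return None
            next_type = frame[offset + ext_len - 1]
            offset += ext_len
    return teid, frame[offset:end]
```

The bounds checks against `end` rather than `len(frame)` matter: the payload handed to the classifier is exactly what the length field claims, and a frame whose extension chain runs past that length is dropped instead of being partially parsed.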
FIG. 10 is a schematic diagram of the deployment of the newly added modules of FIG. 9 according to an embodiment of the present invention. As shown in FIG. 10, there are two deployment modes. In deployment mode 1 the modules are deployed together with the mobile network base station: the newly added modules are integrated with the base station, which simplifies management. In deployment mode 2 a separate device is deployed, namely a new device containing the newly added modules: the separate deployment has no impact on the mobile network base station, which simplifies deployment.
FIG. 11 is a flowchart, provided by an embodiment of the present invention, of uplink packet processing for HTTP public network access by an enterprise internal user. As shown in FIG. 11, S1 is the logical link between the mobile network base station (eNB) and the core network (EPC); an S1-U packet is a user packet on the S1 link, and it encapsulates the user terminal's IP packet, which is also called the user packet. In this example, the technical solution of the present invention receives S1-U uplink packets from the mobile network base station eNB, identifies the internal user's uplink HTTP public network access packet, receives it while simulating the public proxy server, performs URL processing, and, simulating an intranet host, sends it to the HTTP proxy server to access the public network. The method for processing the uplink packet of an enterprise internal user's HTTP public network access may include:
Step 1101: the UE sends an air interface packet carrying a user packet (user HTTP packet);
Step 1102: the mobile network base station extracts the user packet (user HTTP packet), packages it into an S1-U packet and sends it;
Step 1103: the uplink packet processing module analyses the internal user's S1-U uplink packets packet by packet, parses the destination address and TCP port number from the internal user's packet, and identifies the uplink HTTP public network packet;
Step 1104: the uplink packet processing module passes the user packet (user HTTP packet) to the user packet proxy module;
Step 1105: the user packet proxy module checks whether an HTTP packet proxy module exists for this user connection and creates one if not;
Step 1106: the user packet proxy module hands the packet to the HTTP packet proxy module for processing;
Step 1107: the HTTP packet proxy module, simulating the public network server, creates an HTTP connection with the UE;
Step 1108: the HTTP connection between the UE and the HTTP packet proxy module is created successfully; packets between the UE and the HTTP packet proxy module will be sent over this HTTP connection;
Step 1109: the HTTP packet proxy module initiates the establishment of an HTTP connection with the HTTP proxy server;
Step 1110: the HTTP packet proxy module receives the user's HTTP packet;
Step 1111: the HTTP packet proxy module performs URL processing on the received user HTTP packet and sends it to the HTTP proxy server.
FIG. 12 is a flowchart, provided by an embodiment of the present invention, of downlink packet processing for HTTP public network access by an internal user. As shown in FIG. 12, on receiving the HTTP packet returned by the HTTP proxy server, the public network server is simulated and the packet is sent to the user terminal over the HTTP connection with the UE, with the user packet packaged into an S1-U downlink packet and sent to the mobile network base station. The processing may include:
Step 1201: the HTTP connection between the UE and the HTTP packet proxy module has been established;
Step 1202: the HTTP connection between the HTTP packet proxy module and the HTTP proxy server has been established;
Step 1203: the HTTP proxy server sends an HTTP response packet to the HTTP packet proxy module;
Step 1204: the HTTP packet proxy module receives the HTTP response packet;
Step 1205: the HTTP packet proxy module encapsulates the received HTTP response packet into a user packet (user IP packet) addressed to the UE;
Step 1206: the HTTP packet proxy module passes the user packet to the downlink processing module;
Step 1207: the downlink processing module packages it into an S1-U downlink packet and sends it to the mobile network base station;
Step 1208: the mobile network base station extracts the user packet and carries it to the UE in an air interface packet.
FIG. 13 is a flowchart, provided by an embodiment of the present invention, of uplink packet processing for HTTPS public network access by an internal user. As shown in FIG. 13, S1-U uplink packets are received from the mobile network base station eNB, the internal user's uplink HTTPS public network packet is identified and received while simulating the public proxy server, and it is then sent, simulating an intranet host, to the HTTP proxy server to access the public network. The processing may include:
Step 1301: the UE sends an air interface packet carrying a user packet (user SSL packet);
Step 1302: the mobile network base station extracts the user packet (user SSL packet), packages it into an S1-U packet and sends it;
Step 1303: the uplink packet processing module analyses the internal user's S1-U uplink packets packet by packet, parses the destination address and TCP port number from the internal user's packet, and identifies the uplink HTTPS public network packet;
Step 1304: the uplink packet processing module passes the user packet (user SSL packet) to the user packet proxy module;
Step 1305: the user packet proxy module checks whether an HTTPS packet proxy module exists for this user connection and creates one if not;
Step 1306: the user packet proxy module hands the packet to the HTTPS packet proxy module for processing;
Step 1307: the HTTPS packet proxy module, simulating the public network server, creates an SSL connection with the UE;
Step 1308: the SSL connection between the UE and the HTTPS packet proxy module is created successfully; packets between the UE and the HTTPS packet proxy module will be sent over this SSL connection;
Step 1309: the HTTPS packet proxy module initiates the establishment of an HTTP connection with the HTTP proxy server and, using the CONNECT method, requests that the HTTP proxy server establish an SSL connection with the public network server;
Step 1310: the HTTPS packet proxy module receives the user's SSL packet;
Step 1311: the HTTPS packet proxy module sends the received user SSL packet to the HTTP proxy server.
FIG. 14 is a flowchart, provided by an embodiment of the present invention, of downlink packet processing for HTTPS public network access by an internal user. As shown in FIG. 14, on receiving the SSL packet returned by the HTTP proxy server, the public network server is simulated and the packet is sent to the user terminal over the SSL connection with the UE, with the user packet packaged into an S1-U downlink packet and sent to the mobile network base station. The processing may include:
Step 1401: the SSL connection between the UE and the HTTPS packet proxy module has been established;
Step 1402: the HTTP connection between the HTTPS packet proxy module and the HTTP proxy server has been established;
Step 1403: the HTTP proxy server sends an SSL packet to the HTTPS packet proxy module;
Step 1404: the HTTPS packet proxy module receives the SSL packet;
Step 1405: the HTTPS packet proxy module encapsulates the received SSL packet into a user packet (user IP packet) addressed to the UE;
Step 1406: the HTTPS packet proxy module passes the user packet to the downlink processing module;
Step 1407: the downlink processing module packages it into an S1-U downlink packet and sends it to the mobile network base station;
Step 1408: the mobile network base station extracts the user packet and carries it to the UE in an air interface packet.
According to the solution provided by the embodiments of the present invention, the mobile terminal of an enterprise network internal user accesses public network services, at the mobile network base station side, through the enterprise network's HTTP proxy server. This makes full use of the wired transmission bandwidth the enterprise network already leases, saving cost, and also makes it easier for the enterprise network to manage and control how its internal users' mobile network terminals access the public network.
An embodiment of the present invention provides a computer storage medium storing computer-executable instructions; when executed, the computer-executable instructions are able to implement the method, provided by any one or more of the foregoing technical solutions, by which a user terminal of an enterprise mobile private network accesses a public network, for example one or more of the methods shown in FIG. 5 and FIG. 11 to FIG. 14.
The computer storage medium may be any of various types of storage media, for example random access storage media, read-only storage media, flash memory, optical discs, removable hard disks, USB flash drives or magnetic tape, and is optionally a non-transitory storage medium.
The computer-executable instructions stored on the computer storage medium provided in this embodiment, when executed by a processor, are able to implement the method, provided by one or more of the foregoing technical solutions, by which a user terminal of an enterprise mobile private network accesses a public network.
This embodiment further provides a base station, which may be the aforementioned enterprise mobile private network base station and includes:
a transceiver, which may include a transceiving antenna, configured to send and receive information;
a processor connected to the transceiver, configured to implement, by executing computer-executable instructions such as a computer program, the method provided by one or more of the foregoing technical solutions by which a user terminal of an enterprise mobile private network accesses a public network, for example one or more of the methods shown in FIG. 5 and FIG. 11 to FIG. 14.
Although the present invention has been described in detail above, the invention is not limited thereto, and those skilled in the art may make various modifications according to the principles of the invention. Accordingly, all modifications made in accordance with the principles of the invention should be understood as falling within the scope of protection of the invention.
Industrial applicability
In the technical solution provided by the embodiments of the present invention, when an enterprise internal user's mobile terminal needs to access the public network, the base station side of the enterprise mobile private network, after receiving the packet type of the uplink public network packet, establishes a protocol connection between the base station and the user's mobile terminal, uses that protocol connection to exchange public network access packets with the user terminal, forwards the packets the mobile terminal sends for public network access to the public network through the HTTP server, and receives from the HTTP server the packets addressed to the mobile terminal. On the one hand this borrows the HTTP server's bandwidth instead of routing the packets to the public network through the EPC, which reduces bandwidth consumption inside the mobile network; at the same time the HTTP server is usually connected directly to the public network, which reduces the number of transmission hops and can therefore improve packet transmission efficiency. The solution thus has a positive industrial effect and is simple to implement, so it can be widely promoted in industry.

Claims (13)

  1. A method for a user terminal of an enterprise mobile private network to access a public network, comprising:
    when the enterprise mobile private network base station side receives an uplink public network packet sent by a mobile terminal of an enterprise-internal user, determining the packet type of the uplink public network packet;
    the enterprise mobile private network base station side establishing, according to the determined packet type of the uplink public network packet, a protocol connection of the corresponding packet type between the enterprise mobile private network base station side and the mobile terminal of the enterprise-internal user, and obtaining via the protocol connection an uplink protocol packet sent by the mobile terminal of the enterprise-internal user;
    the enterprise mobile private network base station side routing the uplink protocol packet to a Hypertext Transfer Protocol (HTTP) proxy server, so that the mobile terminal of the enterprise-internal user accesses the public network via the HTTP proxy server;
    when the enterprise mobile private network base station side receives a downlink protocol packet returned by the HTTP proxy server, sending the downlink protocol packet to the mobile terminal of the enterprise-internal user through the established protocol connection.
  2. The method according to claim 1, wherein the uplink public network packet includes destination address information identifying a public network address and Transmission Control Protocol (TCP) port number information identifying the packet type; the packet type includes an HTTP packet type and a Hypertext Transfer Protocol Secure (HTTPS) packet type.
  3. The method according to claim 2, wherein determining the packet type of the uplink public network packet when the enterprise mobile private network base station side receives the uplink public network packet sent by the mobile terminal of the enterprise-internal user comprises:
    when the enterprise mobile private network base station side receives the uplink public network packet sent by the mobile terminal of the enterprise-internal user, parsing the uplink public network packet to obtain the destination address and the TCP port number of the uplink public network packet;
    the enterprise mobile private network base station side matching the obtained destination address and TCP port number against a preset public network address library, an HTTP port list library and an HTTPS port list library;
    if the obtained destination address and TCP port number match the public network address library and the HTTP port list library, the enterprise mobile private network base station side determining that the uplink public network packet is of the HTTP packet type;
    if the obtained destination address and TCP port number match the public network address library and the HTTPS port list library, the enterprise mobile private network base station side determining that the uplink public network packet is of the HTTPS packet type.
  4. The method according to claim 3, wherein the enterprise mobile private network base station side establishing, according to the determined packet type of the uplink public network packet, the protocol connection of the corresponding packet type between the enterprise mobile private network base station side and the mobile terminal of the enterprise-internal user, and obtaining via the protocol connection the uplink protocol packet sent by the mobile terminal of the enterprise-internal user, comprises:
    when the enterprise mobile private network base station side determines that the uplink public network packet is of the HTTP packet type, establishing an HTTP protocol connection between the enterprise mobile private network base station side and the mobile terminal of the enterprise-internal user, and obtaining via the HTTP protocol connection an uplink HTTP protocol packet sent by the mobile terminal of the enterprise-internal user.
  5. The method according to claim 3, wherein the enterprise mobile private network base station side establishing, according to the determined packet type of the uplink public network packet, the protocol connection of the corresponding packet type between the enterprise mobile private network base station side and the mobile terminal of the enterprise-internal user, and obtaining via the protocol connection the uplink protocol packet sent by the mobile terminal of the enterprise-internal user, comprises:
    when the enterprise mobile private network base station side determines that the uplink public network packet is of the HTTPS packet type, establishing a Secure Sockets Layer (SSL) protocol connection between the enterprise mobile private network base station side and the mobile terminal of the enterprise-internal user, and obtaining via the SSL protocol connection an uplink SSL protocol packet sent by the mobile terminal of the enterprise-internal user.
  6. The method according to claim 4, wherein, when the enterprise mobile private network base station side receives the downlink protocol packet returned by the HTTP proxy server, sending the downlink protocol packet to the mobile terminal of the enterprise-internal user through the established protocol connection comprises:
    when the enterprise mobile private network base station side receives a downlink HTTP protocol packet returned by the HTTP proxy server, encapsulating the downlink HTTP protocol packet into a downlink user packet for sending to the mobile terminal of the enterprise-internal user, and sending the downlink user packet to the mobile terminal of the enterprise-internal user through the established HTTP protocol connection.
  7. The method according to claim 5, wherein, when the enterprise mobile private network base station side receives the downlink protocol packet returned by the HTTP proxy server, sending the downlink protocol packet to the mobile terminal of the enterprise-internal user through the established protocol connection comprises:
    when the enterprise mobile private network base station side receives a downlink SSL protocol packet returned by the HTTP proxy server, encapsulating the downlink SSL protocol packet into a downlink user packet for sending to the mobile terminal of the enterprise-internal user, and sending the downlink user packet to the mobile terminal of the enterprise-internal user through the established SSL protocol connection.
  8. A device for a user terminal of an enterprise mobile private network to access a public network, comprising:
    a determining module, configured to determine, when an uplink public network packet sent by a mobile terminal of an enterprise-internal user is received, the packet type of the uplink public network packet;
    a protocol connection establishing module, configured to establish, according to the determined packet type of the uplink public network packet, a protocol connection of the corresponding packet type between the device and the mobile terminal of the enterprise-internal user, and to obtain via the protocol connection an uplink protocol packet sent by the mobile terminal of the enterprise-internal user;
    a sending module, configured to route the uplink protocol packet to a Hypertext Transfer Protocol (HTTP) proxy server, so that the mobile terminal of the enterprise-internal user accesses the public network via the HTTP proxy server, and, when a downlink protocol packet returned by the HTTP proxy server is received, to send the downlink protocol packet to the mobile terminal of the enterprise-internal user through the established protocol connection.
  9. The device according to claim 8, wherein the uplink public network packet includes destination address information identifying a public network address and Transmission Control Protocol (TCP) port number information identifying the packet type; the packet type includes an HTTP packet type and a Hypertext Transfer Protocol Secure (HTTPS) packet type.
  10. The device according to claim 8, wherein the determining module comprises:
    a parsing unit, configured to parse, when an uplink public network packet sent by a mobile terminal of an enterprise-internal user is received, the uplink public network packet to obtain the destination address and the TCP port number of the uplink public network packet;
    a matching unit, configured to match the obtained destination address and TCP port number against a preset public network address library, an HTTP port list library and an HTTPS port list library;
    a determining unit, configured to determine that the uplink public network packet is of the HTTP packet type when the obtained destination address and TCP port number match the public network address library and the HTTP port list library, and to determine that the uplink public network packet is of the HTTPS packet type when the obtained destination address and TCP port number match the public network address library and the HTTPS port list library.
  11. The device according to claim 10, wherein the protocol connection establishing module comprises:
    a first protocol connection establishing unit, configured to establish, when the uplink public network packet is determined to be of the HTTP packet type, an HTTP protocol connection between the device and the mobile terminal of the enterprise-internal user, and to obtain via the HTTP protocol connection an uplink HTTP protocol packet sent by the mobile terminal of the enterprise-internal user.
  12. The device according to claim 10, wherein the protocol connection establishing module comprises:
    a second protocol connection establishing unit, configured to establish, when the uplink public network packet is determined to be of the HTTPS packet type, a Secure Sockets Layer (SSL) protocol connection between the device and the mobile terminal of the enterprise-internal user, and to obtain via the SSL protocol connection an uplink SSL protocol packet sent by the mobile terminal of the enterprise-internal user.
  13. A computer storage medium storing computer-executable instructions; when executed, the computer-executable instructions are able to implement the method for a user terminal of an enterprise mobile private network to access a public network according to any one of claims 1 to 7.
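The classification step of claims 2, 3 and 10 (parse the destination address and TCP port of the uplink packet, match them against a preset public-address library, an HTTP port list and an HTTPS port list, then pick the HTTP or SSL connection type of claims 4, 5, 11 and 12) is shown below as an added worked example. This is illustrative code written for this page, not code from the patent or from the applicant; the address ranges, port lists and the packet-builder helper are constructed for the example, and the library contents in a real base station would be whatever the operator presets.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# Constructed policy tables standing in for the preset "libraries" of claim 3.
# TEST-NET ranges are used so the sample never points at a real host.
PUBLIC_ADDRESS_LIBRARY = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed, TEST-NET-3
    ipaddress.ip_network("198.51.100.0/24"),  # constructed, TEST-NET-2
]
HTTP_PORT_LIST = {80, 8080}      # constructed HTTP port list library
HTTPS_PORT_LIST = {443, 8443}    # constructed HTTPS port list library


def parse_ipv4_tcp(packet: bytes) -> Optional[Tuple[ipaddress.IPv4Address, int]]:
    """Return (destination address, destination TCP port) from a raw IPv4/TCP
    packet, or None if the packet is not IPv4/TCP or is too short to parse.
    Length checks come first so a truncated packet cannot cause an out-of-range
    read instead of a clean rejection."""
    if len(packet) < 20:
        return None
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:            # IPv4 only
        return None
    ihl = (version_ihl & 0x0F) * 4       # header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:
        return None                      # bad IHL or no full TCP header
    if packet[9] != 6:                   # IP protocol 6 = TCP
        return None
    dst_ip = ipaddress.ip_address(packet[16:20])
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return dst_ip, dst_port


def classify_uplink(packet: bytes) -> Optional[str]:
    """Claim 3 logic: 'HTTP' or 'HTTPS' when destination is in the public
    address library and the port is in the matching list, else None (the packet
    is left to the normal, non-proxied path)."""
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return None
    dst_ip, dst_port = parsed
    if not any(dst_ip in net for net in PUBLIC_ADDRESS_LIBRARY):
        return None
    if dst_port in HTTP_PORT_LIST:
        return "HTTP"
    if dst_port in HTTPS_PORT_LIST:
        return "HTTPS"
    return None


def connection_type_for(packet_type: Optional[str]) -> Optional[str]:
    """Claims 4/5: an HTTP packet type gets an HTTP connection to the terminal,
    an HTTPS packet type gets an SSL connection; anything else gets none."""
    return {"HTTP": "HTTP", "HTTPS": "SSL"}.get(packet_type)


def build_ipv4_tcp(dst_ip: str, dst_port: int,
                   src_ip: str = "10.0.0.5", src_port: int = 40000) -> bytes:
    """Constructed sample input: a minimal IPv4 + TCP SYN header, no payload.
    Checksums are left zero; the classifier does not verify them."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,            # v4/IHL=5, len 40, TTL 64, TCP
        ipaddress.ip_address(src_ip).packed,
        ipaddress.ip_address(dst_ip).packed)
    tcp_header = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # data offset 5, SYN
    return ip_header + tcp_header


if __name__ == "__main__":
    for dst, port in [("203.0.113.10", 80), ("203.0.113.10", 443),
                      ("10.1.2.3", 80), ("203.0.113.10", 22)]:
        kind = classify_uplink(build_ipv4_tcp(dst, port))
        print(f"{dst}:{port} -> {kind} -> {connection_type_for(kind)} connection")
```

Two points a practitioner should take from this. First, the match is purely on destination address and TCP port, so TLS on a port that is only in the HTTP list (or plain HTTP on 443) is classified by the list, not by the bytes; a deployment that relies on the lists being correct should keep them under change control and log the classification decisions so misrouting can be detected. Second, because claim 5 has the base station itself hold the SSL connection with the terminal, the base station is the TLS endpoint for the user's HTTPS traffic, which must be reflected in the threat model: the base station sees the decrypted request, and the terminal must be provisioned to trust the certificate the base station presents.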
PCT/CN2018/075548 2017-02-15 2018-02-07 Public network accessing method and device and computer storage medium for user terminal of mobile private network WO2018149342A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710081308.7 2017-02-15
CN201710081308.7A CN108696546B (en) 2017-02-15 2017-02-15 Method and device for accessing public network by user terminal of enterprise mobile private network

Publications (1)

Publication Number Publication Date
WO2018149342A1 true WO2018149342A1 (en) 2018-08-23

Family

ID=63169126

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/075548 WO2018149342A1 (en) 2017-02-15 2018-02-07 Public network accessing method and device and computer storage medium for user terminal of mobile private network

Country Status (2)

Country Link
CN (1) CN108696546B (en)
WO (1) WO2018149342A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113301106A (en) * 2021-03-23 2021-08-24 阿里巴巴新加坡控股有限公司 Operation and maintenance processing system, method and device
CN113364842A (en) * 2021-05-31 2021-09-07 河南光悦网络科技有限公司 Network data transmission method
CN113900978A (en) * 2021-10-27 2022-01-07 海光信息技术股份有限公司 Data transmission method, device and chip

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109587204B (en) * 2017-09-29 2021-11-02 中兴通讯股份有限公司 Method and device for accessing public network and electronic equipment
CN111405615B (en) * 2020-03-19 2021-10-22 联想(北京)有限公司 Communication data transmission method, device and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6397259B1 (en) * 1998-05-29 2002-05-28 Palm, Inc. Method, system and apparatus for packet minimized communications
US20030191935A1 (en) * 2002-04-05 2003-10-09 Ferguson Derek M. Pre-authenticated communication within a secure computer network
CN1567882A (en) * 2003-06-12 2005-01-19 华为技术有限公司 A method for accessing server group
CN103503419A (en) * 2011-03-11 2014-01-08 高通股份有限公司 System and method using a web proxy-server to access a device having an assigned network address
US20140189093A1 (en) * 2012-12-29 2014-07-03 Netronome Systems, Inc. Efficient intercept of connection-based transport layer connections
CN106101015A (en) * 2016-07-19 2016-11-09 广东药科大学 A kind of mobile Internet traffic classes labeling method and system

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101052022B (en) * 2006-04-05 2010-10-13 华为技术有限公司 System and method for virtual special net user to access public net
US8504818B2 (en) * 2010-04-15 2013-08-06 Microsoft Corporation Method and system for reliable protocol tunneling over HTTP
US8474035B2 (en) * 2010-06-30 2013-06-25 Juniper Networks, Inc. VPN network client for mobile device having dynamically constructed display for native access to web mail
EP2898652B1 (en) * 2012-09-18 2019-03-06 Citrix Systems Inc. Mobile device management and security
US8498626B1 (en) * 2012-12-10 2013-07-30 Verizon Patent And Licensing Inc. Service-based access for enterprise private network devices to service provider network services
CN103118147A (en) * 2013-01-24 2013-05-22 中国联合网络通信集团有限公司 Method, equipment and system for accessing intranet server
CN103475699A (en) * 2013-08-27 2013-12-25 北京创毅讯联科技股份有限公司 Enterprise network agent device and method for enterprise network to communicate with public network
KR101472964B1 (en) * 2013-12-11 2014-12-16 콘텔라 주식회사 Security system and security method for enterprise communication service using mobile communication network
CN106302839B (en) * 2015-05-12 2020-06-26 中兴通讯股份有限公司 Internet protocol IP address allocation method and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113301106A (en) * 2021-03-23 2021-08-24 阿里巴巴新加坡控股有限公司 Operation and maintenance processing system, method and device
CN113364842A (en) * 2021-05-31 2021-09-07 河南光悦网络科技有限公司 Network data transmission method
CN113364842B (en) * 2021-05-31 2022-12-16 深圳市光网世纪科技有限公司 Network data transmission method
CN113900978A (en) * 2021-10-27 2022-01-07 海光信息技术股份有限公司 Data transmission method, device and chip

Also Published As

Publication number Publication date
CN108696546B (en) 2021-08-24
CN108696546A (en) 2018-10-23

Similar Documents

Publication Publication Date Title
WO2018149342A1 (en) Public network accessing method and device and computer storage medium for user terminal of mobile private network
CN109889618B (en) Method and system for processing DNS request
Alghamdi et al. Security analysis of the constrained application protocol in the Internet of Things
CN108601043B (en) Method and apparatus for controlling wireless access point
US20130198266A1 (en) Facilitating communication between web-enabled devices
US10298616B2 (en) Apparatus and method of securing network communications
EP3243317A1 (en) Machine-to-machine protocol indication and negotiation
US11824685B2 (en) Method for implementing GRE tunnel, access point and gateway
US20150381563A1 (en) Relay system for transmitting ip address of client to server and method therefor
US8804716B2 (en) Methods, systems, and computer readable media for evolved general packet radio service (GPRS) tunneling protocol (eGTP) indirect tunneling in a voice over LTE (VoLTE) simulation
JP2014531866A (en) Test traffic interceptor
EP4319097A1 (en) Communication method, apparatus, computer-readable medium electronic device, and program product
CN106899500B (en) Message processing method and device for cross-virtual extensible local area network
US10476835B2 (en) Dynamically identifying and associating control packets to an application layer
CN102739684A (en) Portal authentication method based on virtual IP address, and server thereof
CN104184646B (en) VPN data interactive method and system and its network data exchange equipment
WO2017012089A1 (en) Communication method, device and system based on data link layer
WO2021135493A1 (en) Method and apparatus for accessing home gateway, system processor and storage medium
Bokor et al. Design and evaluation of host identity protocol (HIP) simulation framework for INET/OMNeT++
CN110784391B (en) Method, device, storage medium and terminal for communication between small base station and gateway
CN109587204B (en) Method and device for accessing public network and electronic equipment
WO2019242428A1 (en) Information transmission method and apparatus
US11968237B2 (en) IPsec load balancing in a session-aware load balanced cluster (SLBC) network device
WO2015096734A1 (en) Downlink transmission method for service data, and packet data gateway
TWI701925B (en) Method for providing network service through edge computing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18753967

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18753967

Country of ref document: EP

Kind code of ref document: A1