CN103067417A - Web service mapping method and system of security agent in virtual private network (VPN) - Google Patents


Info

Publication number: CN103067417A
Authority: CN (China)
Prior art keywords: security agent, web, web service, vpn
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN2011103190555A
Other languages: Chinese (zh)
Other versions: CN103067417B (en)
Inventors: 段木全, 刘升, 郑凤顺, 胡延锐
Current assignee: Beijing Huayao Technology Co., Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: ARRAY NETWORKS (BEIJING) Inc
Events:
  • Application filed by ARRAY NETWORKS (BEIJING) Inc
  • Priority to CN201110319055.5A
  • Publication of CN103067417A
  • Application granted
  • Publication of CN103067417B
  • Legal status: Active

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention relates to the field of communications and discloses a web service mapping method and system for a security agent in a virtual private network (VPN). The analysis and rewriting of web responses is simplified, the method is easy to implement, and stability and efficiency are high. In the method and system, the security agent in the VPN presets a mapping relation between web services and the domain names or ports of the security agent, where different web services correspond to different domain names or different ports. When the security agent receives a web service request from a client, it finds the corresponding web service in the mapping relation according to the domain name in the request or the port on which the request was received, and forwards the request to the web server that provides that web service. When the security agent receives the web response from the web server, it replaces, according to the mapping relation, the links in the response that point to the web service with links that point to the corresponding domain name or port of the security agent, and then forwards the rewritten response to the client.

Description

Web service mapping method and system of a security agent in a VPN
Technical field
The present invention relates to the field of communications, and in particular to web service mapping techniques for a security agent in a VPN.
Background
The main protocols used by virtual private networks (Virtual Private Networking, "VPN") are IP Security (Internet Protocol Security, "IPSec"), Point-to-Point Tunneling Protocol ("PPTP"), Layer 2 Forwarding ("L2F") and Layer 2 Tunneling Protocol ("L2TP"). SSL VPN refers to a VPN technology that uses the Secure Socket Layer ("SSL") protocol to implement remote access. SSL is a security protocol proposed by Netscape; it provides server authentication, client authentication (optional), data integrity on the SSL link and data security. Domain name resolution points a domain name at the IP address of a web host so that people can reach a website easily through a registered domain name; it is also called domain pointing, server setup, domain configuration or reverse IP registration. That is, an easy-to-remember domain name is resolved to an IP address by a DNS server, and a subdirectory on the host at that IP address is bound to the domain name.
In the reverse proxy mode, a proxy server accepts connection requests from the Internet, forwards them to a server on the internal network, and returns the result obtained from that server to the client on the Internet that requested the connection; to the outside, the proxy server appears as a single server. A proxy server is a very common way of connecting LAN hosts to the Internet: proxying saves scarce IP addresses and blocks external hosts from accessing internal hosts, so intranet hosts are protected from attacks by external hosts. However, if hosts on the Internet are to access a resource on an intranet host, for example a website, while the intranet host is still shielded from external attack, an ordinary proxy service cannot do it; a reverse proxy is needed. A reverse proxy, often called web server acceleration, reduces the load on the actual web server by placing a high-speed web cache server between a busy web server and the Internet.
The VPN at the application layer of the Open Systems Interconnection reference model (Open System Interconnection Reference Model, "OSI-RM") is SSL VPN, which is accessed over an SSL secure channel from devices with a browser, such as PCs, smartphones and iPads.
The inventors have found that a traditional application-layer VPN must analyse and understand the content of the web application, and must rewrite that content so that the requests sent by the user's browser pass through the VPN, in order to implement the SSL security agent. This approach has the following problem: as code written in JavaScript becomes increasingly complex, parsing web responses becomes ever more difficult, and because web technologies such as RSS are constantly updated, support for these new technologies must continually be added. It is therefore necessary to develop a technique that simplifies the parsing and rewriting of web responses in order to solve the above problem.
Summary of the invention
The object of the present invention is to provide a web service mapping method and system for a security agent in a VPN whose maintenance cost in practice is low. When the web response returned by the backend web service is rewritten, only a simple search and replace (also called "rewriting") is performed on the HTTP header and content, which simplifies the parsing and rewriting of web responses; the implementation is simple, stable and efficient, the cumbersome parsing of the HTML and JavaScript code in the web response is avoided, and the web service is accessed quickly.
To solve the above technical problem, embodiments of the present invention disclose a web service mapping method for a security agent in a VPN. The security agent in the VPN presets a mapping relation between web services and the domain names or ports provided by the security agent, where different web services correspond to different domain names or ports.
The method comprises the following steps:
When the security agent receives a web service request from a client, the corresponding web service is found in the mapping relation according to the domain name in the request or the port that received the request, and the request is forwarded to the web server that provides that web service;
When the security agent receives the web response from the web server, the links in the web response that point to this web service are replaced, according to the mapping relation, with links that point to the corresponding domain name or port of the security agent, and the rewritten web response is then forwarded to the client.
Embodiments of the present invention also disclose a web service mapping system for a security agent in a VPN. The security agent in the VPN presets a mapping relation between web services and the domain names or ports provided by the security agent, where different web services correspond to different domain names or ports.
The system comprises the following modules:
a first receiving module, used by the security agent to receive a web service request from a client;
a mapping module, used to find the corresponding web service in the mapping relation according to the domain name in the request received by the first receiving module or the port that received that request;
a first forwarding module, used to forward the web service request received by the first receiving module to the web server of the web service found by the mapping module;
a second receiving module, used by the security agent to receive the web response returned by the web server;
a rewriting module, used to replace the links in the web response received by the second receiving module that point to this web service with links that point to the corresponding domain name or port of the security agent;
a second forwarding module, used to forward the web response rewritten by the rewriting module to the client.
Compared with the prior art, the main differences and effects of the embodiments of the present invention are as follows:
The web service mapping method, in which the SSL VPN security agent maps web services to its ports and domain names, implements a "quicklink" technique. Its maintenance cost in practice is low; when the web response returned by the backend web service is rewritten, only a simple search and replace (also called "rewriting") is performed on the HTTP header and content, which simplifies the parsing and rewriting of web responses; the implementation is simple, stable and efficient, the cumbersome parsing of the HTML and JavaScript code in the web response is avoided, and the web service is accessed quickly.
Further, in port mode the customer needs to open the restriction on this port of the VPN device on its firewall. In domain mode the customer needs to register a domain name in public DNS that resolves to the IP address of the VPN device.
A wildcard certificate is applied to the security agent in the SSL VPN so that the virtual site domain name of the security agent in the VPN and the security agent domain names that are mapped to web services lie under the same parent domain. This prevents the browser from raising a renewed warning that the certificate was issued by an untrusted certificate authority when web requests and responses switch between the "quicklink" mode of the SSL VPN security agent and other modes, or between the port mapping and the domain mapping within the "quicklink" mode.
Further, in the domain mapping mode of the SSL VPN security agent's "quicklink", the security agent encodes the Domain of a cookie received from the web server, adds a Domain in parent-domain wildcard form to the cookie, and forwards the modified cookie to the client; or the security agent decodes the Domain of a cookie received from the browser, replaces the parent-domain wildcard Domain with the decoded Domain, and forwards the modified cookie to the web server that provides the web service. This ensures that when switching between the "quicklink" mode of the SSL VPN security agent and other modes, or between virtual sites of the SSL VPN security agent, the browser still sends these cookies to the VPN security agent, which decodes the cookies that encapsulate the domain name and path and then decides which cookie to send to which backend service; in this way the web service's cookies are not lost by the client or browser because of cross-domain restrictions.
Further, the replacement in the web response replaces URLs carrying the HTTP and HTTPS scheme in the protocol header, which makes the implementation of the domain mapping mode of the SSL VPN security agent's "quicklink" simpler and more direct, and improves the request and response speed and efficiency of web services through the SSL VPN security agent.
Description of drawings
Fig. 1 is a flowchart of a web service mapping method of a security agent in a VPN according to the first embodiment of the invention;
Fig. 2 is a flowchart of a web service mapping method of a security agent in a VPN according to the second embodiment of the invention;
Fig. 3 is a schematic diagram of the web service mapping principle of a security agent in a VPN according to the second embodiment of the invention;
Fig. 4 is a flowchart of a web service mapping method of a security agent in a VPN according to the second embodiment of the invention;
Fig. 5 is a flowchart of a web service mapping method of a security agent in a VPN according to the second embodiment of the invention;
Fig. 6 is a structural diagram of a web service mapping system of a security agent in a VPN according to the third embodiment of the invention;
Fig. 7 (a) is a structural diagram of a web service mapping system of a security agent in a VPN according to the fourth embodiment of the invention;
Fig. 7 (b) is a structural diagram of a web service mapping system of a security agent in a VPN according to the fourth embodiment of the invention.
Detailed description
In the following description many technical details are set out so that the reader can better understand the present application. Persons of ordinary skill in the art will appreciate, however, that the technical solutions claimed in the present application can be realised even without these details and with many variations and modifications of the embodiments described below.
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the drawings.
The first embodiment of the invention relates to a web service mapping method of a security agent in a VPN. Fig. 1 is a flowchart of this method. The security agent in the VPN presets a mapping relation between the web services and the domain names or ports it provides, where different web services correspond to different domain names or ports. In the embodiments of the present invention, the security agent of the VPN refers to a VPN device.
As shown in Fig. 1, the method comprises the following steps:
In step 101, the security agent receives a web service request from a client.
In other embodiments of the present invention, the firewall of the intranet from which the web service request is sent must also open its access restriction on this VPN port, and the VPN security agent must be registered in public DNS so that its domain name resolves to the IP address of the VPN security agent's virtual site. By opening the firewall restriction on the SSL VPN security agent's port and registering the VPN in DNS, requests and responses for the web service can be served on the SSL VPN security agent through a port or a domain name. When the SSL VPN security agent's domain name is registered in public DNS so that it resolves to the IP address of the virtual site, a second-level domain may be added in a DNS A record; the A record is not limited to second-level domains and may also hold third-, fourth- or fifth-level domains. Pointing the VPN security agent's virtual site at an IP address through A-record subdomains avoids the authentication management problem of domain mode when the mapping mode changes, is less error-prone, and makes the IP address easy to locate.
Next, in step 102, the corresponding web service is found in the mapping relation according to the domain name in the request or the port that received the request.
In port mapping mode, each backend web service is mapped to a unique port, and the VPN security agent determines from the port of the HTTP request which backend web service the request is for.
In domain mapping mode, each backend web service is mapped to a unique domain name, and the VPN security agent determines from the domain name in the HTTP request which backend web service the request is for.
Next, in step 103, the request is forwarded to the web server that provides this web service: according to the domain name in the request or the port that received it, the corresponding web service domain name is found in the one-to-one mapping relation, set on the security agent, between the different web services and their corresponding domain names or ports.
In domain mapping mode, the one-to-one mapping relation between the different web services and their corresponding domain names is set on the security agent in advance, so that each backend web service is mapped to a unique public domain name, and the VPN security agent determines from the Host field of the HTTP request which backend web service the web service request is for.
In other embodiments of the present invention, the security agent may map and forward client web service requests and server web responses in domain mapping mode alone, or in a combined port and domain mapping mode.
Next, in step 104, the security agent receives the web response from the web server.
Next, in step 105, the security agent replaces, according to the mapping relation, the links in the web response that point to this web service with links that point to the corresponding domain name or port of the security agent.
In other embodiments of the present invention, the web response may comprise the response header and its content.
Next, in step 106, according to the one-to-one mapping relation between the security agent and the corresponding domain names or ports, the links in the web response that point to this web service are replaced with links pointing to the corresponding domain name or port of the security agent, after which the process ends.
The "quicklink" technique implemented by the SSL VPN security agent in the SSL VPN has a low maintenance cost in practice; when the web response returned by the backend web service is rewritten, only a simple search and replace (also called "rewriting") is performed on the HTTP header and content, which simplifies the parsing and rewriting of web responses; the implementation is simple, stable and efficient, the parsing of the cumbersome HTML and JavaScript code contained in the web response is avoided, and the web service is accessed quickly.
Because the mapping relation between web services and domain names or ports is set on the SSL VPN security agent, and web service requests and responses are served in port or domain mapping mode, this technique is named quicklink (or "fast connection").
In other embodiments of the present invention, the port number of the SSL VPN security agent, or the domain name under which the web service is published on the public network, serves as the entry point for the user's request.
In other embodiments of the present invention, each web server provides one or more web services.
In other embodiments of the present invention, the services also include WAP services and the like.
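The following is an added illustration of the quicklink mapping described in steps 101 to 106, not code from the patent: a mapping table holding one domain-mode and one port-mode entry (the www.app1.com:8000 / vapp1.company.com and www.app2.com / vpn.company.com:10000 pairs of Fig. 3), request resolution by Host header or listening port, and the plain search-and-replace rewriting of backend links in both the Location header and the body. All class and function names are this example's own assumptions.

```python
"""Quicklink-style service mapping on an SSL VPN security agent (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROXY_HOST = "vpn.company.com"  # public name of the VPN device (Fig. 3 example)


@dataclass(frozen=True)
class Backend:
    scheme: str  # scheme used in the backend's own links
    host: str    # backend host as it appears in those links
    port: int


@dataclass(frozen=True)
class Entry:
    backend: Backend
    proxy_host: str  # public domain name the client uses for this service
    proxy_port: int  # port on the VPN device the client connects to


# Mapping table preset on the security agent: each web service owns either a
# unique public domain name (domain mode) or a unique port (port mode).
MAPPING: List[Entry] = [
    Entry(Backend("http", "www.app1.com", 8000), "vapp1.company.com", 443),  # domain mode
    Entry(Backend("http", "www.app2.com", 80), PROXY_HOST, 10000),          # port mode
]


def resolve_backend(host_header: str, listen_port: int) -> Optional[Entry]:
    """Steps 102/103: choose the web service from the Host header (domain mode)
    or from the port that received the request (port mode)."""
    host = host_header.split(":", 1)[0].lower()
    for e in MAPPING:  # domain mode: host and port must both agree
        if e.proxy_host == host and e.proxy_port == listen_port:
            return e
    for e in MAPPING:  # port mode: the port alone identifies the service
        if e.proxy_host == PROXY_HOST and e.proxy_port == listen_port:
            return e
    return None  # unmapped request: the agent should refuse it rather than guess


def public_origin(e: Entry) -> str:
    """Link prefix the client should see; the client always reaches the VPN over HTTPS."""
    if e.proxy_port == 443:
        return f"https://{e.proxy_host}"
    return f"https://{e.proxy_host}:{e.proxy_port}"


def _backend_pattern(b: Backend) -> "re.Pattern[str]":
    # Match http:// and https:// links to this backend. The port is optional only
    # when it is the scheme's default, so www.app1.com without :8000 is not taken
    # for the same service. The lookahead requires a delimiter after the host so
    # that e.g. www.app2.com.example.org is left untouched.
    default = 80 if b.scheme == "http" else 443
    port = rf"(?::{b.port})?" if b.port == default else rf":{b.port}"
    return re.compile(r"https?://" + re.escape(b.host) + port + r"(?=[/\"'\s?#<]|$)")


def rewrite_text(text: str) -> str:
    """Step 105: plain search and replace of backend links with proxy links.
    No HTML or JavaScript parsing is involved, which is the point of the scheme."""
    for e in MAPPING:
        text = _backend_pattern(e.backend).sub(public_origin(e), text)
    return text


def rewrite_response(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """Rewrite both the head (redirect targets) and the content of a web response."""
    new_headers = {k: (rewrite_text(v) if k.lower() == "location" else v)
                   for k, v in headers.items()}
    return new_headers, rewrite_text(body)


if __name__ == "__main__":
    # constructed sample response from www.app1.com:8000
    hdrs, html = rewrite_response(
        {"Location": "http://www.app1.com:8000/home"},
        '<a href="http://www.app1.com:8000/login">login</a> '
        '<img src="http://www.app2.com/logo.png">')
    print(hdrs["Location"])
    print(html)
```

Links that the backend writes with a bare hostname but a non-default port are only rewritten when the port matches the mapping entry, which is the check a practitioner most often gets wrong when the same host serves several services on different ports.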
The second embodiment of the invention relates to a web service mapping method of a security agent in a VPN. Fig. 2 is a flowchart of this method.
The second embodiment improves on the first; the main improvements are as follows. Using an SSL-based VPN to implement the VPN security agent ensures selective data transfer over the virtual private network and increases security and integrity. A wildcard certificate is applied so that the VPN's virtual site domain name and the quicklink domain names of one or more domain-mode services all lie under the same parent domain; this avoids a renewed browser warning that the certificate was issued by an untrusted certificate authority when switching between the virtual site and quicklink mode, or between several quicklink modes. The domain, path and name of a cookie set by the web service are encapsulated, in a certain format, into a new cookie whose Domain is set to the parent-domain wildcard of the quicklink domain. When switching between the virtual site and quicklink mode, or between several quicklink modes, the parent-domain wildcard in the Domain of these new cookies ensures that the browser still sends them to the VPN security agent; the VPN security agent then parses the cookies that encapsulate the domain name and path and decides which cookie to send to which backend service, so the web service's cookies are not lost by the client or browser because of cross-domain restrictions, and the user's web service requests can pass through the SSL VPN for secure network access. Specifically:
The VPN is an SSL VPN, and the client is a browser.
A browser is the client program for web services: it sends various requests to the web server, and interprets, displays and plays the hypertext and the various multimedia data formats sent back by the server. Mainstream browsers at present include Chrome, Safari, Firefox, Internet Explorer, Opera and Maxthon. They support the Hypertext Transfer Protocol ("HTTP") and Hypertext Transfer Protocol Secure ("HTTPS"), the Hypertext Markup Language ("HTML"), the Extensible Markup Language ("XML") and Extensible HTML ("XHTML"); graphic formats such as the Graphics Interchange Format ("GIF"), the Joint Photographic Experts Group ("JPEG") format and Scalable Vector Graphics ("SVG"); Cascading Style Sheets ("CSS"); dynamic web pages (DHTML); cookies, which let a website track the viewer; digital certificates, Macromedia Flash, Java applets, favicons and the Wireless Application Protocol (WAP). They can provide bookmark management, download management, web content caching, multimedia support through third-party plug-ins, auto-completion of addresses and forms, tabbed browsing, pop-up blocking and ad filtering.
In other embodiments of the invention, the security agent in the VPN is not limited to an SSL VPN security agent; it also includes security agents based on other network security protocols, such as IP Security (Internet Protocol Security, "IPSec"), Point-to-Point Tunneling Protocol ("PPTP"), Layer 2 Forwarding ("L2F") and Layer 2 Tunneling Protocol ("L2TP"), used to implement server authentication, client authentication (optional), data integrity on the SSL link and data security on the SSL link.
In the workflow of the web service mapping method of the security agent in the VPN shown in Fig. 2, specifically:
In step 201, the security agent applies a wildcard certificate so that the virtual site domain name of the security agent in the VPN and the security agent domain names that are mapped to web services lie under the same parent domain.
Next, in step 202, the security agent receives a web service request from a client.
In other embodiments of the present invention, the virtual site domain name of the security agent in the VPN may be the virtual site domain name of the VPN security agent in Web Resource Mapping ("WRM") mode, or the virtual site domain name of the VPN security agent in the domain mapping mode of "quicklink".
Next, in step 203, the corresponding web service is found in the mapping relation according to the domain name in the request or the port that received the request.
Next, in step 204, the request is forwarded to the web server that provides this web service.
Next, in step 205, the security agent receives the web response from the web server.
Next, in step 206, according to the mapping relation, the HTTP and HTTPS URL links in the web response that point to this web service are replaced with URL links pointing to the corresponding domain name or port of the security agent.
Next, in step 207, the security agent forwards the rewritten web response to the client and then returns to step 202.
In other embodiments of the invention, Fig. 3 shows the web service mapping principle of the security agent in the VPN in the second embodiment. As shown in Fig. 3, the backend service www.app1.com:8000 is mapped to the domain name vapp1.company.com, and the backend service www.app2.com is mapped to port 10000 of the VPN (vpn.company.com). The VPN stands in front of the two servers as a reverse proxy server. In the reverse proxy mode, a proxy server accepts connection requests from the Internet, forwards them to a server on the internal network, and returns the result obtained from that server to the client on the Internet that requested the connection; to the outside, the proxy server appears as a single server.
For the case where the security agent forwards a web service response sent by the server to the client, Fig. 4 is a flowchart of the web service mapping method of the VPN security agent according to the present invention. As shown in Fig. 4:
In step 401, the Domain of the cookie corresponding to the web service is set to the parent-domain wildcard form, which ensures that the client can request the web service securely and efficiently through the SSL VPN security agent.
Next, in step 402, the security agent receives a cookie from the web server.
Next, in step 403, this cookie is encoded: its domain, path and name are encapsulated in a certain format as a new cookie.
Next, in step 404, the Domain of the cookie is set to the parent-domain wildcard form of the quicklink domain.
Next, in step 405, the modified cookie is forwarded to the client, after which the process returns to step 402.
For the case where the security agent forwards a web service request sent by the client to the server, Fig. 5 is a flowchart of the web service mapping method of the VPN security agent according to the present invention. After the Domain of the cookie corresponding to the web service has been set to the parent-domain wildcard form in step 401, as shown in Fig. 5:
In step 501, the security agent receives a cookie from the browser.
Next, in step 502, the security agent decodes the Domain in this cookie.
Next, in step 503, the security agent replaces the parent-domain wildcard Domain with the decoded Domain.
Next, in step 504, the security agent forwards the modified cookie to the web service, after which the process returns to step 501.
In the domain mapping mode of the SSL VPN security agent's "quicklink", the security agent encapsulates the cookie received from the web server, sets its Domain to the parent-domain wildcard form of "quicklink", and forwards the modified cookie to the client; or the security agent decodes the Domain of a cookie received from the browser, replaces the parent-domain wildcard Domain with the decoded Domain, and forwards the modified cookie to the web server that provides the web service. This ensures that when switching between the "quicklink" mode of the SSL VPN security agent and other modes, or between virtual sites of the SSL VPN security agent, the browser still sends these cookies to the VPN security agent, which decodes the cookies that encapsulate the domain and path and then decides which cookie to send to which backend service; in this way the web service's cookies are not lost by the client or browser because of cross-domain restrictions.
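The following is an added illustration of steps 401 to 405 and 501 to 504, not code from the patent. It assumes the Fig. 3 names (backend www.app1.com, public names under the parent domain company.com); the "ql_" name prefix, the base32 encoding of domain, path and name, and the function names are this example's own choices for "a certain format". The decoding side also applies the domain and path checks that decide which backend a cookie is forwarded to.

```python
"""Cookie encapsulation for the quicklink domain mapping mode (added example)."""
import base64
import binascii
from typing import List

PARENT_DOMAIN = "company.com"  # parent of vpn.company.com and vapp1.company.com (Fig. 3)


def _enc(s: str) -> str:
    # unpadded base32: only A-Z and 2-7, so the result is a legal cookie-name token
    return base64.b32encode(s.encode()).decode().rstrip("=")


def _dec(s: str) -> str:
    return base64.b32decode(s + "=" * (-len(s) % 8)).decode()


def encapsulate_set_cookie(set_cookie: str, backend_host: str) -> str:
    """Steps 403-404: fold the cookie's domain, path and name into one new cookie
    name and move the cookie to the parent-domain wildcard, so the browser keeps
    sending it to every virtual site and quicklink domain of the VPN."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path = backend_host.lower(), "/"  # defaults when the backend set none
    kept: List[str] = []
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain":
            domain = val.lstrip(".").lower()
        elif key.lower() == "path":
            path = val or "/"
        else:
            kept.append(attr)  # Secure, HttpOnly, Expires etc. pass through unchanged
    new_name = "ql_" + "_".join(_enc(x) for x in (domain, path, name))
    return "; ".join([f"{new_name}={value}", f"Domain=.{PARENT_DOMAIN}", "Path=/"] + kept)


def decapsulate_cookie_header(cookie_header: str, backend_host: str, request_path: str) -> str:
    """Steps 502-503: restore the original cookie names and forward to the backend
    only the cookies whose decoded domain and path cover this request."""
    host = backend_host.lower()
    out: List[str] = []
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if not name.startswith("ql_"):
            continue  # not an encapsulated backend cookie (e.g. the VPN's own session cookie)
        try:
            domain, path, orig_name = (_dec(x) for x in name[3:].split("_"))
        except (ValueError, binascii.Error):
            continue  # malformed name: never forward it
        domain_ok = host == domain or host.endswith("." + domain)
        path_ok = request_path == path or request_path.startswith(path.rstrip("/") + "/")
        if domain_ok and path_ok:
            out.append(f"{orig_name}={value}")
    return "; ".join(out)


if __name__ == "__main__":
    # constructed Set-Cookie from www.app1.com and the browser's later Cookie header
    sc = encapsulate_set_cookie("sid=abc123; Domain=www.app1.com; Path=/app; HttpOnly", "www.app1.com")
    print(sc)
    print(decapsulate_cookie_header(sc.split(";")[0], "www.app1.com", "/app/page"))
```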
Each method execution mode of the present invention all can be realized in modes such as software, hardware, firmwares.No matter the present invention realizes with software, hardware or firmware mode, instruction code can be stored in the memory of computer-accessible of any type (for example permanent or revisable, volatibility or non-volatile, solid-state or non-solid-state, fixing or removable medium etc.).Equally, memory can for example be programmable logic array (Programmable Array Logic, be called for short " PAL "), random access memory (Random Access Memory, be called for short " RAM "), programmable read only memory (Programmable Read Only Memory, be called for short " PROM "), read-only memory (Read-Only Memory, be called for short " ROM "), Electrically Erasable Read Only Memory (Electrically Erasable Programmable ROM, be called for short " EEPROM "), disk, CD, digital versatile disc (Digital Versatile Disc is called for short " DVD ") etc.
The third embodiment of the invention relates to a Web service mapping system of a security agent in a VPN. Fig. 6 is a structural diagram of this system. In this system, the security agent in the VPN presets the mapping relation between the Web services and the domain names or ports of the security agent, where different Web services correspond to different domain names or different ports.
The system comprises the following modules:
a first receiving module, for receiving at the security agent a Web service request from a client;
a mapping module, for finding the corresponding Web service in the mapping relation according to the domain name in the request received by the first receiving module, or according to the port on which the request was received;
a first forwarding module, for forwarding the Web service request received by the first receiving module to the Web server that provides the Web service found by the mapping module;
a second receiving module, for receiving at the security agent the Web response returned by the Web server;
a rewriting module, for replacing, in the Web response received by the second receiving module, the links that point to this Web service with links that point to the domain name or port of the security agent corresponding to this Web service;
a second forwarding module, for forwarding the Web response rewritten by the rewriting module to the client.
The first embodiment is the method embodiment corresponding to the present embodiment, and the two can be implemented in cooperation. The technical details mentioned in the first embodiment remain valid in the present embodiment and, to reduce repetition, are not repeated here; correspondingly, the technical details mentioned in the present embodiment also apply to the first embodiment.
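The routing and rewriting performed by the mapping, forwarding and rewriting modules, as an added Python example that is not part of the patent: the agent resolves a client request to a back-end Web service from the domain name in the Host header (domain-name mode) or from the listening port (port mode), forwards it to that service, and rewrites the HTTP and HTTPS links in the response to the agent's corresponding domain name or port. All host names, ports and the mapping table are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example mapping. Every back-end Web service is exposed on the
# security agent either under its own domain name (domain-name mode) or on
# its own listening port (port mode); all names and ports are hypothetical.
AGENT_HOST = "vpn.example.com"


@dataclass(frozen=True)
class Service:
    origin: str        # scheme://host[:port] of the back-end Web service
    agent_origin: str  # scheme://host[:port] the client uses on the agent


# Domain-name mode: the domain name in the request's Host header selects the service.
DOMAIN_MAP: Dict[str, Service] = {
    "mail." + AGENT_HOST: Service("http://mail.intranet:8080", "https://mail." + AGENT_HOST),
    "wiki." + AGENT_HOST: Service("https://wiki.intranet", "https://wiki." + AGENT_HOST),
}
# Port mode: the port on which the agent received the request selects the service.
PORT_MAP: Dict[int, Service] = {
    8443: Service("http://crm.intranet", "https://%s:8443" % AGENT_HOST),
}


def resolve_service(host_header: str, listen_port: int) -> Optional[Service]:
    """Look up the Web service for a client request, first by the domain name
    in the Host header and then by the listening port. None means the request
    matches no preset mapping and must not be forwarded anywhere."""
    host = host_header.split(":", 1)[0].strip().lower()
    if host in DOMAIN_MAP:
        return DOMAIN_MAP[host]
    return PORT_MAP.get(listen_port)


def upstream_url(service: Service, request_target: str) -> str:
    """URL to which the agent forwards the client's request: the path and
    query are kept, only the origin changes to the back-end Web server."""
    return service.origin + request_target


def _all_services() -> List[Service]:
    return list(DOMAIN_MAP.values()) + list(PORT_MAP.values())


def rewrite_response(body: str) -> str:
    """Replace every HTTP or HTTPS link in a Web response that points at a
    mapped back-end service with the link to the agent's corresponding
    domain name or port, so the browser keeps talking to the agent."""
    for svc in _all_services():
        # The origin must be followed by a path, query, fragment, quote,
        # angle bracket, whitespace or end of text, so 'http://mail.intranet:8080'
        # does not also rewrite an unrelated 'http://mail.intranet:80801'.
        pattern = re.escape(svc.origin) + r'(?=[/?#"\'<>\s]|$)'
        body = re.sub(pattern, svc.agent_origin, body)
    return body


def rewrite_location(headers: Dict[str, str]) -> Dict[str, str]:
    """Redirects (Location header) point at the back-end origin too and are
    rewritten with the same mapping; all other headers pass through."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = rewrite_response(out["Location"])
    return out
```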
The fourth embodiment of the invention relates to a Web service mapping system of a security agent in a VPN. Fig. 7(a) is a structural diagram of this system for the case in which the security agent forwards the Web service response sent by the server to the client; Fig. 7(b) is a structural diagram of this system for the case in which the security agent forwards the Web service request sent by the client to the server.
The fourth embodiment is an improvement on the third embodiment; the main improvements are that the VPN is an SSL VPN and the client is a browser, and the system further comprises the following modules:
a Cookie receiving module, for receiving at the security agent a Cookie from the Web server or from the browser;
an encoding module, for the security agent to pack the domain, path and name of the Cookie from the Web server, received by the Cookie receiving module, into a new Cookie;
a first encapsulating module, for adding to the Cookie encapsulated by the encoding module a domain name in parent-domain wildcard form;
a first Cookie forwarding module, for forwarding the Cookie modified by the first encapsulating module to the client;
a decoding module, for decoding at the security agent the domain name in the Cookie from the browser received by the Cookie receiving module;
a second encapsulating module, for replacing the domain in parent-domain wildcard form with the domain obtained by the decoding module;
a second Cookie forwarding module, for forwarding the modified Cookie to the Web server that provides the Web service.
The second embodiment is the method embodiment corresponding to the present embodiment, and the two can be implemented in cooperation. The technical details mentioned in the second embodiment remain valid in the present embodiment and, to reduce repetition, are not repeated here; correspondingly, the technical details mentioned in the present embodiment also apply to the second embodiment.
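The Cookie handling of the encoding, encapsulating, decoding and Cookie forwarding modules, together with the Cookie routing described above for the "quick connection" mode, as an added Python example that is not part of the patent: a Set-Cookie header from the Web server gets its domain, path and name packed into a new cookie name whose Domain is the parent domain, and a Cookie header from the browser is decoded so that only the cookies belonging to the requested back-end service are forwarded to it. The parent domain, the `vpn_` name prefix and the base64url packing are constructed assumptions; the patent does not specify an encoding.

```python
import base64
from typing import List

# Constructed example: the agent's virtual site and all mapped service domain
# names share one parent domain, which the wildcard certificate also covers.
PARENT_DOMAIN = ".vpn.example.com"  # hypothetical parent-domain wildcard form
PREFIX = "vpn_"                     # hypothetical marker for encapsulated cookies


def _enc(text: str) -> str:
    # base64url without padding keeps the cookie name free of '=', ';' and ','
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")


def _dec(text: str) -> str:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)).decode()


def _domain_matches(host: str, domain: str) -> bool:
    # RFC 6265 domain matching: the exact host, or a subdomain of the cookie domain
    domain = domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def _path_matches(request_path: str, cookie_path: str) -> bool:
    # RFC 6265 path matching: '/mail' covers '/mail/inbox' but not '/mailbox'
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def encapsulate_set_cookie(set_cookie: str, service_host: str) -> str:
    """Rewrite a Set-Cookie header received from the Web server: pack the
    cookie's domain, path and name into the new name and set Domain to the
    parent-domain form, so the browser returns it to every agent virtual site
    under that parent domain instead of dropping it as cross-domain."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path = service_host, "/"   # a cookie without Domain is host-only
    kept: List[str] = []               # Expires, Max-Age, Secure, HttpOnly pass through
    for p in parts[1:]:
        key, sep, val = p.partition("=")
        if sep and key.lower() == "domain":
            domain = val
        elif sep and key.lower() == "path":
            path = val
        else:
            kept.append(p)
    new_name = PREFIX + _enc("\t".join((domain, path, name)))
    return "; ".join([f"{new_name}={value}", f"Domain={PARENT_DOMAIN}", "Path=/"] + kept)


def decode_cookie_header(cookie_header: str, service_host: str, request_path: str) -> str:
    """Rewrite the Cookie header received from the browser for the Web server:
    decode each encapsulated cookie back to its domain, path and name and
    forward only those whose domain and path match the requested back-end
    service. Cookies of other services and the agent's own cookies stay out."""
    forwarded: List[str] = []
    for item in cookie_header.split(";"):
        name, _, value = item.strip().partition("=")
        if not name.startswith(PREFIX):
            continue
        try:
            domain, path, orig_name = _dec(name[len(PREFIX):]).split("\t", 2)
        except (ValueError, UnicodeDecodeError):
            continue  # malformed or foreign cookie name: never forward it
        if _domain_matches(service_host, domain) and _path_matches(request_path, path):
            forwarded.append(f"{orig_name}={value}")
    return "; ".join(forwarded)
```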
It should be noted that each module mentioned in the device embodiments of the invention is a logical module. Physically, a logical module may be one physical module, part of a physical module, or a combination of several physical modules; the physical realisation of these logical modules is not itself essential, and the combination of functions they realise is what solves the technical problem addressed by the invention. In addition, to highlight the innovative part of the invention, the device embodiments above do not introduce modules that are not closely related to solving the technical problem addressed by the invention; this does not mean that no other modules exist in those device embodiments.
Although the invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the invention.

Claims (10)

1. A Web service mapping method of a security agent in a VPN, characterised in that the security agent in the VPN presets a mapping relation between Web services and domain names or ports of the security agent, where different Web services correspond to different domain names or different ports;
the method comprising the following steps:
when the security agent receives a Web service request from a client, finding the corresponding Web service in the mapping relation according to the domain name in the request or the port on which the request was received, and forwarding the request to the Web server that provides this Web service;
when the security agent receives a Web response from the Web server, replacing, according to the mapping relation, the links in the Web response that point to this Web service with links that point to the domain name or port of the security agent corresponding to this Web service, and then forwarding the rewritten Web response to the client.
2. The Web service mapping method of a security agent in a VPN according to claim 1, characterised in that the VPN is an SSL VPN and the client is a browser.
3. The Web service mapping method of a security agent in a VPN according to claim 2, characterised in that different Web services correspond to different domain names, the certificate used for the SSL VPN in the security agent is a wildcard certificate, and the domain name of the security agent's virtual site in the VPN and the security agent domain names that have mapping relations with Web services are under the same parent domain.
4. The Web service mapping method of a security agent in a VPN according to claim 3, characterised in that it further comprises the following steps:
when the security agent receives a Cookie from the Web server, packing the domain, path and name of the Cookie into a new Cookie, setting the domain of the new Cookie to the parent-domain wildcard form, and then forwarding the modified Cookie to the client;
when the security agent receives a Cookie from the browser, decoding the domain in the Cookie, replacing the domain in parent-domain wildcard form with the decoded domain, and then forwarding the modified Cookie to the Web server that provides the Web service.
5. The Web service mapping method of a security agent in a VPN according to any one of claims 1 to 4, characterised in that the replacement in the Web response is a replacement of URLs of the HTTP and HTTPS protocols.
6. A Web service mapping system of a security agent in a VPN, characterised in that the security agent in the VPN presets a mapping relation between Web services and domain names or ports of the security agent, where different Web services correspond to different domain names or different ports;
the system comprising the following modules:
a first receiving module, for receiving at the security agent a Web service request from a client;
a mapping module, for finding the corresponding Web service in the mapping relation according to the domain name in the request received by the first receiving module, or according to the port on which the request was received;
a first forwarding module, for forwarding the Web service request received by the first receiving module to the Web server that provides the Web service found by the mapping module;
a second receiving module, for receiving at the security agent the Web response returned by the Web server;
a rewriting module, for replacing, in the Web response received by the second receiving module, the links that point to this Web service with links that point to the corresponding domain name or port of the security agent;
a second forwarding module, for forwarding the Web response rewritten by the rewriting module to the client.
7. The Web service mapping system of a security agent in a VPN according to claim 6, characterised in that the VPN is an SSL VPN and the client is a browser.
8. The Web service mapping system of a security agent in a VPN according to claim 7, characterised in that different Web services correspond to different domain names, the certificate used for the SSL VPN in the security agent is a wildcard certificate, and the domain name of the security agent's virtual site in the VPN and the security agent domain names that have mapping relations with Web services are under the same parent domain.
9. The Web service mapping system of a security agent in a VPN according to claim 8, characterised in that it further comprises the following modules:
a Cookie receiving module, for receiving at the security agent a Cookie from the Web server or from the browser;
an encoding module, for the security agent to pack the domain, path and name of the Cookie from the Web server, received by the Cookie receiving module, into a new Cookie;
a first encapsulating module, for adding to the Cookie encapsulated by the encoding module a domain name in parent-domain wildcard form;
a first Cookie forwarding module, for forwarding the Cookie modified by the first encapsulating module to the client;
a decoding module, for decoding at the security agent the domain name in the Cookie from the browser received by the Cookie receiving module;
a second encapsulating module, for replacing the domain in parent-domain wildcard form with the domain obtained by the decoding module;
a second Cookie forwarding module, for forwarding the modified Cookie to the Web server that provides the Web service.
10. The Web service mapping system of a security agent in a VPN according to any one of claims 6 to 9, characterised in that the replacement in the Web response is a replacement of URLs of the HTTP and HTTPS protocols.
CN201110319055.5A 2011-10-19 2011-10-19 The Web service mapping method of TSM Security Agent and system thereof in VPN Active CN103067417B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110319055.5A CN103067417B (en) 2011-10-19 2011-10-19 The Web service mapping method of TSM Security Agent and system thereof in VPN

Publications (2)

Publication Number Publication Date
CN103067417A true CN103067417A (en) 2013-04-24
CN103067417B CN103067417B (en) 2016-04-13

Family

ID=48109876

Country Status (1)

Country Link
CN (1) CN103067417B (en)

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103440143A (en) * 2013-08-02 2013-12-11 安徽科大讯飞信息科技股份有限公司 System and method for upgrading mobile web application
CN103475749A (en) * 2013-09-11 2013-12-25 北京思特奇信息技术股份有限公司 Cross-domain communication method and device
CN104580224A (en) * 2015-01-14 2015-04-29 北京京东尚科信息技术有限公司 Network connection method and device and computer system
CN105430108A (en) * 2014-08-25 2016-03-23 腾讯科技(深圳)有限公司 Test environment accessing method and proxy server
CN105610791A (en) * 2015-01-06 2016-05-25 北京志翔科技股份有限公司 Network access method and device
CN105847312A (en) * 2015-01-14 2016-08-10 华为技术有限公司 Resource visiting method and user terminal
CN106100963A (en) * 2016-08-16 2016-11-09 重庆邮电大学 A kind of software VPN realization method based on meaning conversion in full
CN106302590A (en) * 2015-05-28 2017-01-04 上海汽车集团股份有限公司 Cloud platform
CN106330867A (en) * 2016-08-12 2017-01-11 武汉奥浦信息技术有限公司 Method for analyzing HTTPS data in Ethernet
CN106888181A (en) * 2015-12-15 2017-06-23 精硕科技(北京)股份有限公司 The collecting method and system of a kind of energy defending DDoS (Distributed Denial of Service)
CN107209751A (en) * 2015-08-13 2017-09-26 华为技术有限公司 Method for processing business and device
CN108093098A (en) * 2018-01-31 2018-05-29 杭州迪普科技股份有限公司 A kind of domain name mapping request sending method and device
CN108965203A (en) * 2017-05-18 2018-12-07 腾讯科技(深圳)有限公司 A kind of resource access method and server
WO2019214054A1 (en) * 2018-05-09 2019-11-14 网宿科技股份有限公司 Domain name acquisition method, website access method and server
CN110602269A (en) * 2019-10-22 2019-12-20 北京天融信网络安全技术有限公司 Method for converting domain name
CN110855766A (en) * 2019-11-06 2020-02-28 北京天融信网络安全技术有限公司 Method and device for accessing Web resources and proxy server
CN111901218A (en) * 2020-06-23 2020-11-06 北京天融信网络安全技术有限公司 Message transmission method, SSLVPN proxy server, electronic device and storage medium
CN112073449A (en) * 2019-06-11 2020-12-11 易保网络技术(上海)有限公司 Kubernetes-based environment switching processing method and equipment
CN112260991A (en) * 2020-09-16 2021-01-22 厦门网宿有限公司 Authentication management method and device
CN112532666A (en) * 2019-09-18 2021-03-19 北京国双科技有限公司 Reverse proxy method, apparatus, storage medium, and device
CN113114794A (en) * 2021-03-26 2021-07-13 上海万物新生环保科技集团有限公司 Method and device for processing domain name based on secondary proxy
WO2022057000A1 (en) * 2020-09-16 2022-03-24 厦门网宿有限公司 Data proxy method and system and proxy server
CN114553821A (en) * 2022-02-24 2022-05-27 杭州迪普科技股份有限公司 VPN client proxy DNS analysis method and device
CN114553827A (en) * 2022-02-24 2022-05-27 杭州迪普科技股份有限公司 VPN client proxy DNS analysis method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1700682A (en) * 2004-05-21 2005-11-23 迈普(四川)通信技术有限公司 Virtual domain name resolution proxy method and system
US20060167972A1 (en) * 2000-01-31 2006-07-27 Zombek James M System and method for re-directing requests from browsers for communications over non-IP based networks
CN101242336A (en) * 2008-03-13 2008-08-13 杭州华三通信技术有限公司 Method for remote access to intranet Web server and Web proxy server
US20090019515A1 (en) * 2007-07-13 2009-01-15 Sun Microsystems, Inc. Method and system for secure access policy migration
CN101989909A (en) * 2009-08-04 2011-03-23 西安交大捷普网络科技有限公司 Access link overwriting method of SSL VPN

Also Published As

Publication number Publication date
CN103067417B (en) 2016-04-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001, twenty-first Century

Patentee after: Beijing Huayao Technology Co., Ltd

Address before: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001, twenty-first Century

Patentee before: Huayao (China) Technology Co., Ltd.

CP01 Change in the name or title of a patent holder