Detailed Description of the Embodiments
Exemplary embodiments of the present invention are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present invention, it should be understood that the present invention may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the present invention can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Fig. 1 shows a schematic structural diagram of the management system of customer terminal equipment provided by an embodiment of the present invention. As shown in Fig. 1, the management system of customer terminal equipment includes: subscriber terminal equipment (CPE) 10, a subscriber terminal equipment management server 20, and a subscriber terminal equipment controller 30. The subscriber terminal equipment 10 is located in the intranet and has the fast reverse proxy (Fast Reverse Proxy, frp) client software installed; it is pre-configured with information such as the domain name and external mapped port of the frp server side, and with the information of the software-defined perimeter (Software Defined Perimeter, SDP) controller. The subscriber terminal equipment management server 20 and the subscriber terminal equipment controller 30 are located in the public network; the subscriber terminal equipment management server 20 has the frp server-side software installed and is pre-configured with the information of the SDP controller. Control channels for transmitting control signals are provided between the subscriber terminal equipment 10 and the subscriber terminal equipment controller 30, and between the subscriber terminal equipment controller 30 and the subscriber terminal equipment management server 20. A control channel and a data channel are provided between the subscriber terminal equipment 10 and the subscriber terminal equipment management server 20 to transmit control signals and data, respectively.
The software-defined perimeter (Software Defined Perimeter, SDP) architecture consists of two parts: SDP hosts and the SDP controller. An SDP host can initiate connections or accept connections, and is managed through interaction with the SDP controller over the control channel. Within the software-defined perimeter, the control plane is separated from the data plane, which allows greater scalability. The SDP controller can perform authentication and authorization. An SDP host can connect to the SDP controller to authenticate itself and obtain from the SDP controller the list of service hosts; the SDP accepting host communicates with the SDP host, and communicates with the SDP controller to obtain the service policy.
frp is open-source intranet penetration software. It can establish Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) network connections between the intranet and the external network: an external port of the frp server side can be mapped to an internal service port of the frp client, so that internal services such as Secure Shell (SSH) and web can be offered for external access. Based on the characteristics of SDP and the CPE's need to penetrate the intranet, the embodiment of the present invention combines the two, which can improve the security of the external mapped port of the CPE.
In this embodiment of the present invention, the subscriber terminal equipment (CPE) 10, the subscriber terminal equipment management server 20 and the subscriber terminal equipment controller 30 may include mobile terminals such as mobile phones, tablet computers, laptops, palmtop computers, personal digital assistants (Personal Digital Assistant, PDA), portable media players (Portable Media Player, PMP), navigation devices, wearable devices, smart bracelets and pedometers, and may also include fixed terminals such as personal computers.
In this embodiment of the present invention, the subscriber terminal equipment 10 sends its serial number and the media access control (Media Access Control, MAC) address, i.e. the physical address, of its Ethernet network card to the subscriber terminal equipment controller 30 for authentication. When the subscriber terminal equipment 10 passes authentication, the subscriber terminal equipment controller 30 concatenates the strings of the following items: the current timestamp at the time authentication passed, the serial number of the CPE 10, and the MAC address of the network card. It hashes the concatenated string with the BKDRHash method and takes the first number obtained from the hash modulo a preset number; the second number obtained from this modulo operation is used as the port number of the external mapped port of the CPE 10, where the external mapped port is the port through which the CPE 10 maps its web (WEB) service externally. The same concatenated string (the current timestamp at the time authentication passed, the serial number of the CPE 10, and the MAC address of the network card) is MD5-encoded, and the MD5 encoding is used as the token between the CPE and the CPE management server. The subscriber terminal equipment controller 30 returns the port number of the external mapped port of the CPE 10 and the token to the frp client of the CPE 10, and records the port number of the external mapped port and the token. If the CPE 10 does not pass authentication, the subscriber terminal equipment controller 30 returns a CPE 10 error message.
The CPE 10 requests a connection to the subscriber terminal equipment management server 20 and sends it the token and the port number of the external mapped port. After receiving the request, the subscriber terminal equipment management server 20 sends the token to the subscriber terminal equipment controller 30 for verification. If the token passes verification, the subscriber terminal equipment controller 30 returns the security policy rules matching the token to the subscriber terminal equipment management server 20; if the token fails verification, it returns a verification failure and the connection is disconnected.
After the subscriber terminal equipment management server 20 receives from the subscriber terminal equipment controller 30 the response that the token has passed verification, it receives the security policy matching the token and first determines whether the public-network egress IP of the CPE 10, i.e. the external mapped port, meets the security policy. If it does not, the connection with the CPE 10 is disconnected. If it does, a secure tunnel is established with the CPE 10, and the mapped port of the subscriber terminal equipment management server 20 is associated with the external mapped port of the CPE 10, thereby achieving intranet penetration.
The user accesses the mapped port of the subscriber terminal equipment management server 20 and is connected through a browser to the CPE 10 to be managed, where the configuration of the CPE 10 can be viewed or modified, thereby managing the CPE 10 in the intranet. When the network connection between the CPE 10 and the subscriber terminal equipment management server 20 is broken, the preceding steps must be repeated to obtain a new external mapped port for the CPE 10. Using a dynamic external mapped port safeguards the security of the external mapped port and thereby improves the security of CPE 10 device management.
Fig. 2 shows a schematic flow diagram of the management method of customer terminal equipment provided by an embodiment of the present invention. The method is applied to the aforementioned subscriber terminal equipment controller 30. As shown in Fig. 2, the management method of customer terminal equipment includes:
Step S11: authenticate the subscriber terminal equipment according to the serial number and physical address of the subscriber terminal equipment.
After the subscriber terminal equipment passes authentication, the subsequent step S12 is executed. If the subscriber terminal equipment does not pass authentication, a CPE error message is returned to the subscriber terminal equipment.
Step S12: when the subscriber terminal equipment passes authentication, obtain the port number of the external mapped port and the token of the subscriber terminal equipment according to the current timestamp, the serial number and the physical address, and send them to the subscriber terminal equipment.
When the subscriber terminal equipment passes authentication, the strings of the current timestamp at the time authentication passed, the serial number, and the physical address are concatenated, and the port number of the external mapped port and the token of the subscriber terminal equipment are obtained from the concatenated string. Specifically, a hash algorithm is applied to the concatenated string to obtain a first number; the first number is taken modulo a preset number, and the resulting second number is the port number of the external mapped port of the subscriber terminal equipment; the concatenated string is encoded to obtain the token of the subscriber terminal equipment and the subscriber terminal equipment management server.
In this embodiment of the present invention, the concatenated string is hashed with the BKDRHash method, and the first number obtained from the hash is taken modulo the preset number; the second number obtained from the modulo operation is used as the port number of the external mapped port of the subscriber terminal equipment. The external mapped port of the subscriber terminal equipment is the port through which the subscriber terminal equipment maps its WEB service externally. The hash method of the embodiment of the present invention is not limited to BKDRHash; other hash methods may of course be used. Similarly, the preset number can be any number the user sets as needed, such as 10086; no restriction is placed on either here. The concatenated string is MD5-encoded, and the MD5 encoding is used as the token between the subscriber terminal equipment and the subscriber terminal equipment management server. In other embodiments of the present invention, other encodings may be applied to the concatenated string; no restriction is placed on this here either.
After the port number of the external mapped port and the token of the subscriber terminal equipment are obtained, the port number of the external mapped port and the token are sent to the subscriber terminal equipment, and the port number of the external mapped port and the token are recorded.
Step S13: receive the token, obtained from the subscriber terminal equipment, that the subscriber terminal equipment management server sends, and verify it.
After receiving the port number of the external mapped port and the token, the subscriber terminal equipment sends them to the subscriber terminal equipment management server to request a connection with the subscriber terminal equipment management server. What is received in step S13 is the token that the subscriber terminal equipment management server forwards from the subscriber terminal equipment, and this token is verified.
Step S14: when the token passes verification, return to the subscriber terminal equipment management server the security policy matching the token, so that the mapped port of the subscriber terminal equipment management server is associated with the external mapped port of the subscriber terminal equipment according to the security policy.
When the token passes verification, the security policy matching the token is returned to the subscriber terminal equipment management server. When the external service port of the subscriber terminal equipment meets the security policy, the subscriber terminal equipment management server associates its mapped port with the external mapped port of the subscriber terminal equipment. This achieves intranet penetration, which in turn allows the subscriber terminal equipment to be managed and improves the security of CPE device management. When the external service port of the subscriber terminal equipment does not meet the security policy, the subscriber terminal equipment management server disconnects from the subscriber terminal equipment.
In this embodiment of the present invention, when the token fails verification, a verification-failure result is returned and the connection with the subscriber terminal equipment management server is disconnected.
When the network connection between the subscriber terminal equipment management server and the subscriber terminal equipment is broken, steps S11-S14 must be repeated to dynamically obtain a new external mapped port for the subscriber terminal equipment. This safeguards the security of the external mapped port of the subscriber terminal equipment: security policy is loaded dynamically through the dynamic external mapped port, thereby improving the security of CPE device management.
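The controller-side steps S11 to S14 described above, as an added Python sketch (not code from the patent). The BKDRHash seed of 131, the Unix-seconds timestamp, concatenation without a separator, the inventory and policy dictionaries, and dropping a CPE's earlier record when a new port and token are issued are all assumptions of this example.

```python
import hashlib
import time

BKDR_SEED = 131        # assumption: customary BKDRHash seed; the page names none
PRESET_NUMBER = 10086  # the preset number the page gives as an example

# Constructed sample data (hypothetical formats, not from the page).
SAMPLE_INVENTORY = {"SN0001": "00:11:22:33:44:55"}                # serial -> MAC
SAMPLE_POLICIES = {"SN0001": {"allowed_egress_ip": "203.0.113.10"}}


def bkdr_hash(text: str) -> int:
    """BKDRHash in its common 31-bit form: h = h * seed + byte, then masked."""
    h = 0
    for byte in text.encode("utf-8"):
        h = (h * BKDR_SEED + byte) & 0x7FFFFFFF
    return h


def derive_port_and_token(timestamp: int, serial: str, mac: str):
    """S12: concatenate timestamp, serial number and MAC, derive port and token."""
    joined = f"{timestamp}{serial}{mac}"      # assumption: no separator
    port = bkdr_hash(joined) % PRESET_NUMBER  # always in 0 .. PRESET_NUMBER - 1
    token = hashlib.md5(joined.encode("utf-8")).hexdigest()
    return port, token


class Controller:
    """Minimal stand-in for the controller 30: authenticate, issue, verify."""

    def __init__(self, inventory, policies):
        self.inventory = inventory  # serial number -> registered MAC address
        self.policies = policies    # serial number -> security policy
        self.issued = {}            # token -> (serial number, port)

    def authenticate(self, serial: str, mac: str) -> bool:
        """S11: the serial number and MAC must match a registered device."""
        known = self.inventory.get(serial)
        return known is not None and known.lower() == mac.lower()

    def issue(self, serial: str, mac: str, now=None):
        """S12: on successful authentication, derive, record and return both."""
        if not self.authenticate(serial, mac):
            return None  # the page returns a CPE error message here
        ts = int(time.time()) if now is None else now
        port, token = derive_port_and_token(ts, serial, mac)
        # Assumption: a reconnecting CPE replaces its earlier record, so the
        # token from the previous session no longer verifies.
        self.issued = {t: r for t, r in self.issued.items() if r[0] != serial}
        self.issued[token] = (serial, port)
        return port, token

    def verify(self, token: str):
        """S13/S14: return the recorded port and matching policy, or None."""
        record = self.issued.get(token)
        if record is None:
            return None  # verification failed; the connection is dropped
        serial, port = record
        return {"port": port, "policy": self.policies.get(serial)}


def demo():
    """Issue twice for the same CPE, as after a dropped connection."""
    ctl = Controller(SAMPLE_INVENTORY, SAMPLE_POLICIES)
    first = ctl.issue("SN0001", "00:11:22:33:44:55", now=1700000000)
    second = ctl.issue("SN0001", "00:11:22:33:44:55", now=1700000060)
    return first, second, ctl.verify(first[1]), ctl.verify(second[1])


if __name__ == "__main__":
    print(demo())
```

Because the modulo result ranges over 0 to 10085 with the example preset number, a deployment that wants to exclude port 0 or reserved ports has to map or offset the result itself; the page does not describe such a step.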
The management method of customer terminal equipment of the embodiment of the present invention includes: authenticating the subscriber terminal equipment according to the serial number and physical address of the subscriber terminal equipment; when the subscriber terminal equipment passes authentication, obtaining the port number of the external mapped port and the token of the subscriber terminal equipment according to the current timestamp, the serial number and the physical address, and sending them to the subscriber terminal equipment; receiving the token, obtained from the subscriber terminal equipment, that the subscriber terminal equipment management server sends, and verifying it; and, when the token passes verification, returning to the subscriber terminal equipment management server the security policy matching the token, so that the mapped port of the subscriber terminal equipment management server is associated with the external mapped port of the subscriber terminal equipment according to the security policy. In this way security policy can be loaded dynamically through a dynamic service port, improving the security of CPE device management.
Fig. 3 shows a schematic flow diagram of the management method of customer terminal equipment provided by an embodiment of the present invention. The method is applied to the aforementioned subscriber terminal equipment management server 20. As shown in Fig. 3, the management method of customer terminal equipment includes:
Step S21: obtain the connection establishment request sent by the subscriber terminal equipment, the connection establishment request including the port number of the external mapped port and the token of the subscriber terminal equipment.
Before step S21, the customer terminal equipment sends its serial number and physical address to the subscriber terminal equipment controller; the subscriber terminal equipment controller authenticates the subscriber terminal equipment and, when authentication passes, generates the port number of the external mapped port and the token of the subscriber terminal equipment. In step S21, the connection establishment request sent by the customer terminal equipment, which includes the port number of the external mapped port and the token, is received.
Step S22: respond to the connection establishment request, and send the token to the subscriber terminal equipment controller for verification.
The token is sent to the subscriber terminal equipment controller, and the subscriber terminal equipment controller verifies the received token.
Step S23: obtain the security policy matching the token that the subscriber terminal equipment controller returns.
When the token passes verification, the subscriber terminal equipment controller returns the security policy matching the token. When the token fails verification, the subscriber terminal equipment controller returns a verification-failure result and the connection is disconnected.
Step S24: associate the mapped port with the external mapped port of the subscriber terminal equipment according to the security policy.
In step S24, it is determined whether the external mapped port of the subscriber terminal equipment meets the security policy. If it meets the security policy, the mapped port is associated with the external mapped port of the subscriber terminal equipment; if it does not meet the security policy, the connection with the subscriber terminal equipment is disconnected.
After the mapped port has been associated with the external mapped port of the subscriber terminal equipment, the subscriber terminal equipment to be managed can be reached through the mapped port, and its configuration can be viewed or modified through the mapped port, thereby managing the subscriber terminal equipment in the intranet. When the network connection with the subscriber terminal equipment is broken, steps S21-S24 must be repeated using the new external mapped port of the subscriber terminal equipment. This safeguards the security of the external mapped port of the subscriber terminal equipment: security policy is loaded dynamically through the dynamic external mapped port, thereby improving the security of CPE device management.
The management method of customer terminal equipment of the embodiment of the present invention includes: obtaining the connection establishment request sent by the subscriber terminal equipment, the connection establishment request including the port number of the external mapped port and the token of the subscriber terminal equipment; responding to the connection establishment request and sending the token to the subscriber terminal equipment controller for verification; obtaining the security policy matching the token that the subscriber terminal equipment controller returns; and associating the mapped port with the external mapped port of the subscriber terminal equipment according to the security policy. In this way security policy can be loaded dynamically through a dynamic service port, improving the security of CPE device management.
Fig. 4 shows a schematic structural diagram of the management apparatus of customer terminal equipment of an embodiment of the present invention. The management apparatus of customer terminal equipment is applied as the subscriber terminal equipment controller 30 in Fig. 1. As shown in Fig. 4, the management apparatus of customer terminal equipment includes: an authentication unit 41, a token generation unit 42, a token verification unit 43 and a policy matching unit 44.
The authentication unit 41 is used to authenticate the subscriber terminal equipment according to the serial number and physical address of the subscriber terminal equipment. The token generation unit 42 is used, when the subscriber terminal equipment passes authentication, to obtain the port number of the external mapped port and the token of the subscriber terminal equipment according to the current timestamp, the serial number and the physical address, and to send them to the subscriber terminal equipment. The token verification unit 43 is used to receive the token, obtained from the subscriber terminal equipment, that the subscriber terminal equipment management server sends, and to verify it. The policy matching unit 44 is used, when the token passes verification, to return to the subscriber terminal equipment management server the security policy matching the token, so that the mapped port of the subscriber terminal equipment management server is associated with the external mapped port of the subscriber terminal equipment according to the security policy.
In an optional mode, the token generation unit 52 is used to: concatenate the strings of the current timestamp, the serial number and the physical address; and obtain the port number of the external mapped port and the token of the subscriber terminal equipment from the concatenated string.
In an optional mode, the token generation unit 52 is used to: apply a hash algorithm to the concatenated string to obtain a first number; take the first number modulo a preset number, the resulting second number being the port number of the external mapped port of the subscriber terminal equipment; and encode the concatenated string to obtain the token of the subscriber terminal equipment and the subscriber terminal equipment management server.
The embodiment of the present invention authenticates the subscriber terminal equipment according to the serial number and physical address of the subscriber terminal equipment; when the subscriber terminal equipment passes authentication, obtains the port number of the external mapped port and the token of the subscriber terminal equipment according to the current timestamp, the serial number and the physical address, and sends them to the subscriber terminal equipment; receives the token, obtained from the subscriber terminal equipment, that the subscriber terminal equipment management server sends, and verifies it; and, when the token passes verification, returns to the subscriber terminal equipment management server the security policy matching the token, so that the mapped port of the subscriber terminal equipment management server is associated with the external mapped port of the subscriber terminal equipment according to the security policy. In this way security policy can be loaded dynamically through a dynamic service port, improving the security of CPE device management.
Fig. 5 shows a schematic structural diagram of the management apparatus of customer terminal equipment of an embodiment of the present invention. The management apparatus of customer terminal equipment is applied as the subscriber terminal equipment management server 20 in Fig. 1. As shown in Fig. 5, the management apparatus of customer terminal equipment includes: a request unit 51, a request-response unit 52, a policy acquiring unit 53 and an association establishing unit 54.
The request unit 51 is used to obtain the connection establishment request sent by the subscriber terminal equipment, the connection establishment request including the port number of the external mapped port and the token of the subscriber terminal equipment. The request-response unit 52 is used to respond to the connection establishment request and send the token to the subscriber terminal equipment controller for verification. The policy acquiring unit 53 is used to obtain the security policy matching the token that the subscriber terminal equipment controller returns. The association establishing unit 54 is used to associate the mapped port with the external mapped port of the subscriber terminal equipment according to the security policy.
In an optional mode, the association establishing unit 54 is used to: determine whether the external mapped port of the subscriber terminal equipment meets the security policy; if it meets the security policy, associate the mapped port with the external mapped port of the subscriber terminal equipment; if it does not meet the security policy, disconnect from the subscriber terminal equipment.
In an optional mode, the management apparatus of customer terminal equipment further includes a device management unit; the device management unit 55 is also used to: connect through the mapped port to the subscriber terminal equipment to be managed; and view or modify the configuration of the subscriber terminal equipment through the mapped port.
The embodiment of the present invention obtains the connection establishment request sent by the subscriber terminal equipment, the connection establishment request including the port number of the external mapped port and the token of the subscriber terminal equipment; responds to the connection establishment request and sends the token to the subscriber terminal equipment controller for verification; obtains the security policy matching the token that the subscriber terminal equipment controller returns; and associates the mapped port with the external mapped port of the subscriber terminal equipment according to the security policy. In this way security policy can be loaded dynamically through a dynamic service port, improving the security of CPE device management.
An embodiment of the present invention provides a non-volatile computer storage medium. The computer storage medium stores at least one executable instruction, and the computer-executable instruction can perform the management method of customer terminal equipment in any of the method embodiments above.
The executable instruction can specifically be used to cause a processor to perform the following operations:
authenticating the subscriber terminal equipment according to the serial number and physical address of the subscriber terminal equipment;
when the subscriber terminal equipment passes authentication, obtaining the port number of the external mapped port and the token of the subscriber terminal equipment according to the current timestamp, the serial number and the physical address, and sending them to the subscriber terminal equipment;
receiving the token, obtained from the subscriber terminal equipment, that the subscriber terminal equipment management server sends, and verifying it;
when the token passes verification, returning to the subscriber terminal equipment management server the security policy matching the token, so that the mapped port of the subscriber terminal equipment management server is associated with the external mapped port of the subscriber terminal equipment according to the security policy.
In an optional mode, the executable instruction causes the processor to perform the following operations:
concatenating the strings of the current timestamp, the serial number and the physical address;
obtaining the port number of the external mapped port and the token of the subscriber terminal equipment from the concatenated string.
In an optional mode, the executable instruction causes the processor to perform the following operations:
applying a hash algorithm to the concatenated string to obtain a first number;
taking the first number modulo a preset number, the resulting second number being the port number of the external mapped port of the subscriber terminal equipment;
encoding the concatenated string to obtain the token of the subscriber terminal equipment and the subscriber terminal equipment management server.
The management method of customer terminal equipment of the embodiment of the present invention includes: authenticating the subscriber terminal equipment according to the serial number and physical address of the subscriber terminal equipment; when the subscriber terminal equipment passes authentication, obtaining the port number of the external mapped port and the token of the subscriber terminal equipment according to the current timestamp, the serial number and the physical address, and sending them to the subscriber terminal equipment; receiving the token, obtained from the subscriber terminal equipment, that the subscriber terminal equipment management server sends, and verifying it; and, when the token passes verification, returning to the subscriber terminal equipment management server the security policy matching the token, so that the mapped port of the subscriber terminal equipment management server is associated with the external mapped port of the subscriber terminal equipment according to the security policy. In this way security policy can be loaded dynamically through a dynamic service port, improving the security of CPE device management.
An embodiment of the present invention provides another non-volatile computer storage medium. The computer storage medium stores at least one executable instruction, and the computer-executable instruction can perform the management method of customer terminal equipment in any of the method embodiments above.
The executable instruction can specifically be used to cause a processor to perform the following operations:
obtaining the connection establishment request sent by the subscriber terminal equipment, the connection establishment request including the port number of the external mapped port and the token of the subscriber terminal equipment;
responding to the connection establishment request, and sending the token to the subscriber terminal equipment controller for verification;
obtaining the security policy matching the token that the subscriber terminal equipment controller returns;
associating the mapped port with the external mapped port of the subscriber terminal equipment according to the security policy.
In an optional mode, the executable instruction causes the processor to perform the following operations:
determining whether the external mapped port of the subscriber terminal equipment meets the security policy;
if it meets the security policy, associating the mapped port with the external mapped port of the subscriber terminal equipment;
if it does not meet the security policy, disconnecting from the subscriber terminal equipment.
In an optional mode, the executable instruction causes the processor to perform the following operations:
connecting through the mapped port to the subscriber terminal equipment to be managed;
viewing or modifying the configuration of the subscriber terminal equipment through the mapped port.
The embodiment of the present invention obtains the connection establishment request sent by the subscriber terminal equipment, the connection establishment request including the port number of the external mapped port and the token of the subscriber terminal equipment; responds to the connection establishment request and sends the token to the subscriber terminal equipment controller for verification; obtains the security policy matching the token that the subscriber terminal equipment controller returns; and associates the mapped port with the external mapped port of the subscriber terminal equipment according to the security policy. In this way security policy can be loaded dynamically through a dynamic service port, improving the security of CPE device management.
Fig. 6 shows a schematic structural diagram of the computing device of an embodiment of the present invention; the specific embodiments of the present invention do not limit the specific implementation of the device.
As shown in Fig. 6, the computing device may include: a processor 602, a communication interface (Communications Interface) 604, a memory 606 and a communication bus 608.
The processor 602, the communication interface 604 and the memory 606 communicate with one another over the communication bus 608. The communication interface 604 is used to communicate with network elements of other devices, such as clients or other servers. The processor 602 is used to execute a program 610, and can specifically perform the relevant steps of the management method embodiments of customer terminal equipment above.
Specifically, the program 610 may include program code, and the program code includes computer operation instructions.
The processor 602 may be a central processing unit (CPU), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention. The one or more processors included in the device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 606 is used to store the program 610. The memory 606 may include high-speed RAM and may also include non-volatile memory, for example at least one disk storage.
The program 610 may specifically be used to cause the processor 602 to perform the following operations:
authenticating the subscriber terminal equipment according to the sequence number and physical address of the subscriber terminal equipment;
when the subscriber terminal equipment passes authentication, obtaining the port number of the external mapped port of the subscriber terminal equipment and a token according to the current timestamp, the sequence number and the physical address, and sending them to the subscriber terminal equipment;
receiving the token that the subscriber terminal equipment management server obtained from the subscriber terminal equipment and forwarded, and verifying it;
when the token passes verification, returning to the subscriber terminal equipment management server the security strategy matching the token, so that an association is established between the mapped port of the subscriber terminal equipment management server and the external mapped port of the subscriber terminal equipment according to the security strategy.
In an optional manner, the program 610 causes the processor to perform the following operations:
concatenating the strings of the current timestamp, the sequence number and the physical address;
obtaining the port number of the external mapped port of the subscriber terminal equipment and the token from the concatenated string.
In an optional manner, the program 610 causes the processor to perform the following operations:
applying a hash algorithm to the concatenated string to obtain a first number;
taking the remainder of the first number divided by a preset number, the resulting second number being the port number of the external mapped port of the subscriber terminal equipment;
encoding the concatenated string to obtain the token used between the subscriber terminal equipment and the subscriber terminal equipment management server.
In this embodiment of the present invention, the subscriber terminal equipment is authenticated according to its sequence number and physical address; when the subscriber terminal equipment passes authentication, the port number of its external mapped port and a token are obtained according to the current timestamp, the sequence number and the physical address, and are sent to the subscriber terminal equipment; the token that the subscriber terminal equipment management server obtained from the subscriber terminal equipment and forwarded is received and verified; and when the token passes verification, the security strategy matching the token is returned to the subscriber terminal equipment management server, so that an association is established between the mapped port of the subscriber terminal equipment management server and the external mapped port of the subscriber terminal equipment according to the security strategy. Security strategies can thus be loaded dynamically over dynamic service ports, which improves the security of CPE device management.
Fig. 7 shows a schematic structural diagram of another computing device according to an embodiment of the present invention. The specific embodiments of the present invention do not limit the specific implementation of the device.
As shown in Fig. 7, the computing device may include a processor 702, a communications interface 704, a memory 706 and a communication bus 708.
The processor 702, the communications interface 704 and the memory 706 communicate with one another over the communication bus 708. The communications interface 704 is used to communicate with network elements of other devices, such as clients or other servers. The processor 702 is used to execute a program 710, and may specifically perform the relevant steps of the above embodiments of the management method for customer terminal equipment.
Specifically, the program 710 may include program code, and the program code includes computer operation instructions.
The processor 702 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention. The one or more processors included in the device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 706 is used to store the program 710. The memory 706 may include high-speed RAM, and may also include non-volatile memory, for example at least one magnetic disk storage.
The program 710 may specifically be used to cause the processor 702 to perform the following operations:
obtaining a connection establishment request sent by the subscriber terminal equipment, the request including the port number of the external mapped port of the subscriber terminal equipment and a token;
responding to the connection establishment request, and sending the token to the subscriber terminal equipment controller for verification;
obtaining the security strategy matching the token that the subscriber terminal equipment controller returns;
establishing an association between the mapped port and the external mapped port of the subscriber terminal equipment according to the security strategy.
In an optional manner, the program 710 causes the processor to perform the following operations:
judging whether the external mapped port of the subscriber terminal equipment meets the security strategy;
if the security strategy is met, establishing an association between the mapped port and the external mapped port of the subscriber terminal equipment;
if the security strategy is not met, disconnecting the connection with the subscriber terminal equipment.
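An added example (not the patent's own code) of the port and token derivation and token verification described for program 610, followed by the strategy check described for program 710. The patent names neither the hash nor the encoding, so SHA-256, a base64url body carrying an HMAC-SHA-256 tag, the key, the "|" separator, the 300-second lifetime and the strategy layout are all assumptions of this example.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret known only to the controller
PRESET = 65536                 # assumption: the "preset number" of the modulo step
MAX_AGE = 300                  # assumption: token lifetime in seconds

def _tag(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def _port(joined: bytes) -> int:
    first = int.from_bytes(hashlib.sha256(joined).digest(), "big")  # first number
    return first % PRESET                                            # second number

def derive(timestamp: int, sequence_number: str, physical_address: str):
    """Controller: concatenate the three fields, then derive port and token."""
    # "|" separator is an assumption; it keeps the field boundaries unambiguous.
    joined = f"{timestamp}|{sequence_number}|{physical_address}".encode()
    body = base64.urlsafe_b64encode(joined)
    return _port(joined), (body + b"." + _tag(body)).decode()

def verify(token: str, now: int):
    """Controller: return the security strategy for a valid token, else None."""
    body, sep, tag = token.encode().partition(b".")
    if not sep or not hmac.compare_digest(tag, _tag(body)):
        return None                      # malformed or forged token
    joined = base64.urlsafe_b64decode(body)
    if not 0 <= now - int(joined.split(b"|")[0]) <= MAX_AGE:
        return None                      # stale or future-dated token
    return {"external_port": _port(joined)}

def admit(mapped_port: int, external_port: int, token: str, now: int, table: dict):
    """Management server: associate the two ports only if the strategy is met."""
    strategy = verify(token, now)
    if strategy is None or strategy["external_port"] != external_port:
        return False                     # caller disconnects the CPE
    table[mapped_port] = external_port   # association established
    return True
```

Because the tag is checked before the body is decoded, the controller only ever parses strings it produced itself, and a port that does not match the one bound to the token is refused.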
In an optional manner, the program 710 causes the processor to perform the following operations:
connecting, through the mapped port, to the subscriber terminal equipment that needs to be managed;
viewing or modifying the configuration of the subscriber terminal equipment through the mapped port.
In this embodiment of the present invention, a connection establishment request sent by the subscriber terminal equipment is obtained, the request including the port number of the external mapped port of the subscriber terminal equipment and a token; the connection establishment request is responded to, and the token is sent to the subscriber terminal equipment controller for verification; the security strategy matching the token, returned by the subscriber terminal equipment controller, is obtained; and an association is established between the mapped port and the external mapped port of the subscriber terminal equipment according to the security strategy. Security strategies can thus be loaded dynamically over dynamic service ports, which improves the security of CPE device management.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the embodiments of the present invention are not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
In addition, those skilled in the art will appreciate that although some embodiments herein include certain features that are included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names. Unless otherwise specified, the steps in the above embodiments should not be construed as limiting the order of execution.