Background technology
In an application proxy, the user's protected resources are placed behind the application proxy (the proxy server), and the internal address resources must be kept secret. To reach a protected WEB server, the application proxy or security proxy can use port mapping so that the internal addresses are not revealed. But when the protected resources include more than one WEB server, and the servers link to one another, a transparent proxy cannot be achieved by port translation alone.
One existing (security) application proxy solution requires the user to modify the links on the relevant pages of the WEB server so that they point to specific ports opened for that WEB server on the proxy server or proxy terminal, thereby establishing a mapping between ports and servers.
A second method also requires the user to modify the links on the relevant pages of the WEB server, so that they point to specific IP addresses of the proxy server, thereby establishing a mapping between those addresses and the protected WEB servers.
Both methods require the user to modify the pages of the WEB server and are therefore not transparent to applications. Both also require the internal security proxy server to have several IP addresses or to open several ports; the need for several IP addresses in particular limits their practicality where IP address resources are scarce.
Summary of the invention
The technical problem solved by the present invention is to provide a transparent security proxy method that protects servers without modifying the pages of the user's WEB servers.
The technical scheme adopted by the present invention is a virtual domain name resolution proxy method. The intranet containing the servers and a remote terminal are connected through the outer network, and the terminal and the intranet are connected through an application proxy system. The application proxy system comprises a proxy server and a proxy client; the proxy server connects the intranet and the outer network, and the proxy client connects to the proxy server over the outer network. Packets from the terminal destined for intranet servers are marked with their destination server by the proxy client and, after being resolved by the proxy server, sent to the destination server.
The proxy server and the proxy client each hold in memory a mapping table of intranet server address to intranet server alias. The proxy client marks the destination server of packets from the terminal with the IP address or the alias of the intranet server. The proxy server resolves the access according to the address-to-alias mapping table and sends the associated data to the corresponding intranet server. The proxy client opens a corresponding number of local ports according to the intranet servers, establishes a mapping of intranet server to local port, and injects this mapping into a PAC script. The proxy client obtains the address-to-alias mapping table by downloading it from the proxy server.
The present invention also provides a virtual domain name resolution proxy system comprising a proxy server and a proxy client. The proxy server and the proxy client are connected through the public network; the proxy server connects the intranet and the public network; and the intranet contains at least one server with an internal address. The proxy client holds in memory the mapping table of intranet server address to intranet server alias, and data sent by the terminal to an intranet server is marked with its destination by intranet server alias at the proxy client. The proxy server holds in memory the same mapping table, and data from the proxy client is marked with its destination by intranet server address at the proxy server.
The beneficial effects of the present invention are as follows:
(1) the user's internal address resources and DNS resources are protected;
(2) internal resources can be accessed securely from the outer network;
(3) in a (security) application proxy, a single WEB server can be accessed on its own, and several WEB servers can also be accessed directly through the links between them.
The present invention uses the method of a virtual server and DNS so that, without exposing the user's internal network, the user's internal resources are protected and at the same time can be accessed transparently from outside.
The present invention is further described below with reference to the drawings and specific embodiments.
Embodiment
In the network environment of this embodiment, a server with an internal address is called an intranet server, or internal server. The WEB servers referred to below are one kind of intranet server.
The present invention assigns an alias to each protected WEB server and establishes the correspondence between each server IP and its alias. When the proxy client requests access to a WEB server, the proxy server is responsible for resolving it; that is, the proxy server acts as a virtual DNS server. As shown in Figure 1, the steps are as follows:
(1) The proxy client proxies the connection requests of terminal applications such as IE and implements the mapping between ports and internal servers.
(2) The proxy server provides a configuration function for WEB server information; the user sets information such as the IP and alias of each WEB server, which is equivalent to the IP-to-domain-name mapping in DNS.
(3) The proxy client is responsible for establishing one or more logical channels with the proxy server.
(4) After the proxy client has established a communication channel, it automatically downloads the WEB server information from the proxy server, including the IP of each WEB server and its corresponding alias.
(5) From the downloaded internal information, the proxy client automatically selects and opens a corresponding number of local ports, automatically maps these ports to the WEB servers, and maintains the mapping table.
(6) The proxy client uses a PAC script locally and injects the mapping relations of this table (server address to local port) into the PAC script, so that IE and other applications send connection requests to different ports of the proxy client according to the configuration. This is one of the key steps in implementing virtual DNS resolution.
(7) The proxy client opens the corresponding listening ports locally, intercepts the terminal's access requests, reassembles the data messages according to the mapping table, and transmits the data through the established logical channel.
(8) The proxy server assembles the data transmitted by the proxy client according to the protocol, resolves the access according to the same internal server mapping table, and transfers the relevant data to the corresponding server, thereby implementing the virtual DNS function.
Regarding step (2) above, the mapping between the IPs and aliases of the protected WEB servers is generated by configuration at the proxy server end; the proxy client is the main component that resolves the destination address of the access data stream to the internal server, and is the executing end of virtual DNS resolution. In step (3), all connection requests are initiated by the proxy client, which establishes one or more logical channels between the proxy terminal and the proxy server so that data can be exchanged. In step (4), the WEB server information is downloaded automatically to the local terminal by the proxy terminal. In step (5), the proxy client automatically opens and listens on a number of local ports corresponding to the number of internal servers, while maintaining the mapping table of ports to internal servers. In step (6), the proxy client automatically generates the PAC script from the internal server mapping table downloaded from the server, so that different access requests can be distinguished and directed to the different local ports that have been opened. In step (7), the proxy client listens on the corresponding local ports according to the downloaded mapping table, intercepts the terminal's access requests, reassembles the data messages according to the mapping table, and transmits them through the established logical channel. In step (8), the proxy server assembles the data transmitted by the proxy client according to the protocol, resolves the access according to the same internal server mapping table, and transfers the relevant data to the corresponding intranet server, thereby implementing virtual DNS.
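The following is an added example, not code from the patent, showing steps (5) and (6) in working form: one local port is assigned per protected server, and a PAC script is generated that steers the browser to that port. The alias table, the base port 3330 and the client address 127.0.0.1 are constructed assumptions. The generated script matches on the host string only; a PAC that called dnsResolve() on an alias such as mis would send the name to the outer network's DNS, which is the very disclosure the method is meant to avoid. Because a link between protected servers (a page on mis linking to http://erp/) also carries the alias as its host, it is steered to the right port without any page modification, which is the case the background section says port translation alone cannot handle.

```javascript
// Added example (not from the patent): steps (5) and (6), building the local port
// map and generating the PAC script. Table, base port and client address are assumed.
const aliasTable = [
  { ip: "192.168.0.23", alias: "mis" },
  { ip: "192.168.0.25", alias: "erp" },
  { ip: "192.168.0.27", alias: "mrp" },
];

// Step (5): one local listening port per protected server, assigned from basePort
// upward. Both the alias and the internal IP map to the same port, so a user typing
// either form into the browser (and links between the servers) reach the same listener.
function buildPortMap(table, basePort) {
  const map = new Map();
  table.forEach((entry, i) => {
    map.set(entry.alias.toLowerCase(), basePort + i);
    map.set(entry.ip, basePort + i);
  });
  return map;
}

// Step (6): emit the PAC text with the mapping embedded as a literal. Matching is on
// the host string only; dnsResolve() is deliberately not used, because an alias such
// as "mis" exists in no DNS and the query itself would leak the name outside.
function generatePac(portMap, clientHost) {
  const literal = JSON.stringify(Object.fromEntries(portMap));
  return [
    "function FindProxyForURL(url, host) {",
    "  var map = " + literal + ";",
    "  var key = host.toLowerCase();",
    "  if (Object.prototype.hasOwnProperty.call(map, key)) {",
    '    return "PROXY ' + clientHost + ':" + map[key];',
    "  }",
    '  return "DIRECT";',
    "}",
  ].join("\n");
}

// Exercise the generated script in this process the way a browser's PAC engine would.
// (new Function is used only for this local check, not in a deployment.)
function loadPac(pacText) {
  return new Function(pacText + "\nreturn FindProxyForURL;")();
}

const portMap = buildPortMap(aliasTable, 3330);
const pacText = generatePac(portMap, "127.0.0.1");
const findProxy = loadPac(pacText);
console.log(pacText);
console.log(findProxy("http://mis/index.html", "mis"));        // PROXY 127.0.0.1:3330
console.log(findProxy("http://example.com/", "example.com"));  // DIRECT
```

In a deployment the text returned by generatePac is written to a file and the browser is pointed at it; loadPac exists only so the script can be checked locally. Hosts not in the table fall through to DIRECT, so the local listeners never receive traffic for servers that are not protected.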
The "alias" of the present invention may consist of any type of characters, including letters, symbols, digits, or combinations thereof.
A more specific embodiment is described below with reference to Fig. 2.
A proxy server 12 is deployed between the protected intranet and the outer network. Its outer-network interface address is 202.115.72.23 and its intranet interface address is 192.168.0.1. The information configured on the proxy server for the protected objects includes the correspondence between their internal IPs and aliases, and the identifiers of the internal servers agreed in the communication protocol. The mapping table is as follows:
IP address      Alias
192.168.0.23    mis
192.168.0.25    erp
192.168.0.27    mrp
The proxy client is installed and deployed on the terminal, which obtains an IP address by dial-up or a similar method; in this embodiment the IP address of the proxy client is 202.115.2.4. Because the logical channel is initiated by the proxy client, the proxy client must be able to reach the proxy server over the public network (the outer network). The outer-network IP address of the server end is configured on the proxy client; in this embodiment it is 202.115.72.23.
The proxy client establishes a logical channel with the proxy server over the public network and downloads the configuration information from the server end, such as the address-to-domain-name mapping table of the protected internal servers. The proxy client opens listening ports and generates a PAC script. The script matches the user's application-layer access traffic and redirects different user requests to different ports of the local proxy client. In this embodiment there are three protected servers, so the proxy client opens three ports, 3330, 3331 and 3332, and maps the access requests for the three WEB servers onto them: a request for 192.168.0.23 or mis (entering http://192.168.0.23 or http://mis in the browser address bar) is redirected to local port 3330, a request for 192.168.0.25 or erp to local port 3331, and a request for 192.168.0.27 or mrp to local port 3332. The proxy client receives the requests from the different ports, converts the request data into the format of the pre-agreed communication protocol, and sends it to the proxy server through the logical channel. The proxy server resolves the destination WEB server of the access from the received request data, connects to the corresponding WEB server, and relays the communication, completing the functions of the virtual server and DNS resolution.
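As an added example, not the patent's own protocol or code, the exchange of steps (7) and (8) for the three servers of this embodiment: the proxy client, receiving a browser request on one of ports 3330 to 3332, rewrites it into a constructed wire format (a header line "VDNS/1 <alias>" followed by the HTTP request), and the proxy server resolves the alias back to the internal IP from the same table. The frame format, the base port 3330 and port 80 on the internal server are assumptions. Because the browser treats the local port as an HTTP proxy, its request line arrives in absolute form (GET http://mis/index.html HTTP/1.1); the client rewrites it to origin form before forwarding. Only plain HTTP is handled, and the server rejects an alias that is not in its table rather than guessing a destination. Note also that, as steps (4) and (5) describe, the proxy client downloads the complete address-to-alias table, so the internal IPs are hidden from the outer network and its DNS but are present on the terminal running the client.

```javascript
// Added example (not the patent's protocol or code): the client/server exchange of
// steps (7) and (8). The wire format, table, base port and target port are assumed.
const aliasTable = [
  { ip: "192.168.0.23", alias: "mis" },
  { ip: "192.168.0.25", alias: "erp" },
  { ip: "192.168.0.27", alias: "mrp" },
];
const BASE_PORT = 3330;  // 3330 -> mis, 3331 -> erp, 3332 -> mrp, as in the embodiment
const TARGET_PORT = 80;  // assumed HTTP port of the internal WEB servers

// Proxy client side: which protected server a local listening port stands for.
function aliasForPort(localPort) {
  const entry = aliasTable[localPort - BASE_PORT];
  if (!entry) throw new Error("no server mapped to local port " + localPort);
  return entry.alias;
}

// Proxy client side (step 7). The browser treats the local port as an HTTP proxy, so
// its request line is in absolute form ("GET http://mis/index.html HTTP/1.1").
// Rewrite it to origin form and prepend the agreed header naming the destination by
// alias only; the internal IP never appears on the logical channel.
function clientFrame(localPort, rawRequest) {
  const alias = aliasForPort(localPort);
  const eol = rawRequest.indexOf("\r\n");
  if (eol < 0) throw new Error("incomplete request line");
  const parts = rawRequest.slice(0, eol).split(" ");
  if (parts.length !== 3) throw new Error("malformed request line");
  const [method, target, version] = parts;
  const m = /^https?:\/\/[^/]+(\/.*)?$/i.exec(target);
  const path = m ? (m[1] || "/") : target;  // already origin form: leave as is
  return "VDNS/1 " + alias + "\r\n" +
    method + " " + path + " " + version + rawRequest.slice(eol);
}

// Proxy server side (step 8): parse the header, resolve alias -> internal IP from the
// same table, and return the origin-form request with the address to connect to.
// An alias that is not in the table is rejected (fail closed), never forwarded.
function serverResolve(frame) {
  const eol = frame.indexOf("\r\n");
  if (eol < 0) throw new Error("incomplete frame");
  const m = /^VDNS\/1 (\S+)$/.exec(frame.slice(0, eol));
  if (!m) throw new Error("bad frame header");
  const entry = aliasTable.find((e) => e.alias === m[1].toLowerCase());
  if (!entry) throw new Error("unknown alias " + m[1]);
  return { ip: entry.ip, port: TARGET_PORT, request: frame.slice(eol + 2) };
}

// The whole exchange for one browser request, as the two ends would see it.
function relay(localPort, rawRequest) {
  return serverResolve(clientFrame(localPort, rawRequest));
}

// Constructed sample request, as a browser configured by the PAC script sends it to
// local port 3330 after the user typed http://mis/index.html.
const sample = "GET http://mis/index.html HTTP/1.1\r\nHost: mis\r\n\r\n";
console.log(clientFrame(3330, sample));
console.log(relay(3330, sample).ip);  // 192.168.0.23
```

The Host header is passed through unchanged, so the internal server sees Host: mis; if a protected server selects among several virtual hosts by name, the server side would additionally have to rewrite that header to the name the internal server expects, which this example does not do. The socket handling (listening on 3330 to 3332, the logical channel, and the connection to the resolved IP) is left to the transport; the two functions above are the part that carries the alias across and resolves it.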