FI120614B - Establishing a remote management connection to a managed terminal - Google Patents

Abstract

A remote connection between a second terminal device and a remote connection device is established by using a relay device and a first terminal device. The first terminal device sends a remote control connection request to the relay device, with a reference to the remote connection device. The relay device sends to the first terminal device an answer-back message containing a login password to the remote connection device. Furthermore, the relay device sends to the remote connection device a control message containing a reference to at least one application port to be opened in the remote connection device as well as the aforementioned login password. The connection is established between the second terminal device and the remote connection device by using the information sent by the relay device. Also disclosed is a local connection establishment by using a DHCP technology.

Description

ESTABLISHING A REMOTE CONTROL TO A CONTROLLED TERMINAL

FIELD OF THE INVENTION

The present invention relates to telecommunication 5 technology. The present invention relates to a method, a computer program and a device for establishing and receiving a remote management connection to a remote communication device.

BACKGROUND OF THE INVENTION

Various objects, such as real estate, can be controlled in many ways, for example, for burglaries and fires. One type of control is the so-called. remote monitoring, where an object, such as a property, has 15 automatic surveillance systems that transmit alarm information in the event of a burglary or fire.

Alarms are transmitted, for example, in a message transmission system (ISJ), which has traditionally been based on a landline (subscriber cable). Other public communications networks, such as the Internet, may also be used as the transmission path for the alarm 20.

The Internet network comprises a global network for data transmission and services. It comes with a variety of functions above the transport layer (Layer 4), such as name service, email, network management protocols, VoIP (Voice over IP), and countless applications and protocols. In all of the above cases, the transmission network itself, which routes and connects at L1, L2 and L3, does not comment on the applications to be transported. Applications use various markup languages and protocols to communicate information.

One problem with the Internet is security. It is possible to access the information transmitted at the application level in certain ways. Generally speaking, there are actors from different backgrounds who 2 want to access information controlled or transmitted by other parties. One such entity is called "hackers". Their main purpose is to cause destruction and problems to the target of 5 hacking. Another entity includes, for example, industrial spies; they try to get the information they want online.

Another component of the security problem is the vulnerabilities of operating systems and applications 10. There may be security holes in operating systems and application operations that allow third parties to access information that was not originally intended for them.

To enhance security, there are 15 security methods for the transmission network, such as VPN (Virtual Private Network), MPLS (Multiprotocol Label Switching), intranet, tunneling, private access point, and device-related methods such as 20 for example, firewall techniques, access lists, virus protection, etc. What is common to all of the above methods is that malicious activity is generally directed to and above L4, especially if the L4 (Transport Layer) protocol 25 is TCP (Transmission Control Protocol).

The monitoring devices which monitor various objects and which, in the event of an alarm, transmit information to the monitoring center are functionally relatively simple devices. However, the use of equipment should be absolutely safe. In other words, an unauthorized third party may never gain access to control of the device, for example, via a data network. Due to the above-mentioned security factor, a large part of the monitors operate over 35 telephone networks. In the telephone network, the sender and the recipient have unique identifiers, which are virtually impossible to falsify.

3

On the other hand, surveillance devices can be made more sophisticated and secure to connect to a public information network (such as the Internet). Such a device typically has an operating system 5 and a plurality of applications that enable a security-free way of transmitting and receiving control information from a public data network. But as mentioned earlier, operating systems and applications almost invariably have some security issues 10. In addition, operating systems and applications need to be constantly updated in practice to maintain a high level of security.

Another problem with the various operating systems and applications used in the recording devices is that they are "cumbersome" and give rise to additional costs and maintenance problems for the recording device, which itself is relatively simple to operate.

On the other hand, there is often a need to access the user interface by directly connecting to the device, for example, performing commissioning, maintenance, testing, trial operation, temporary process display or the like. A common practice is to use, for example, a serial port through which, mainly as a text editor, functions are performed. Commonly used as communication programs are HyperTerm, Telix, Procomm and similar communication protocols such as serial communication. A physical connection is most commonly a serial interface RS-232 or other 30 wired or wireless connection that supports serial communication, such as USB, Ir-

Da, Bluetooth, ZigBee or similar. However, the problem with the above solution is that the device to be connected to the managed device, such as a computer, can access the enterprise network through the managed device. On the other hand, a connected device may pose a security risk to the corporate network where the managed device is attached.

4

It is possible to control or remotely control various alarm and / or monitoring devices by utilizing the security methods described above. However, the presented methods are complex and typically require an operating system such as Microsoft Windows ™ or Linux to operate.

PURPOSE OF THE INVENTION

The object of the invention is to eliminate or at least significantly alleviate the aforementioned disadvantages. In particular, it is an object of the invention to enable remote management of a device having an IP address, such as an alarm relay, by means of a browser, avoiding the use, maintenance and updating of common security software and devices normally required for use.

SUMMARY OF THE INVENTION

The present invention relates to methods and terminals for establishing a remote management connection to a remote communication device.

According to a first aspect of the invention, there is provided a method of establishing a remote management connection to a remote communication device. The invention is characterized in that the transmission device receives an electronic message from the first terminal containing a reference to the device to which the remote management connection is to be established. The switching device sends a response message to the first terminal containing the login-30 password to the remote access device. The switching device further transmits to the remote access device a control message including a reference to at least one application sport to be opened on the remote access device and said login password.

35 When the transmission device receives an electronic message, it can determine the identity of the sender. If the identity of the sender of the electronic message has not been pre-stored in the relay device, sending of the reply message to the first terminal may be prevented. The identifier of the sender 5 of the electronic message is, for example, the sender identifier of the short message in the mobile network.

Said electronic message may further comprise information on at least one application port of the remote device to be opened. In other words, the sender of the electronic message 10 may request the remote communication device to open one or more application ports of its choice. Further, said response message may comprise a reference to at least one application port to be opened by the remote device and / or the address of the remote device. For example, if the response message does not contain a reference to the application port to be opened on the remote device, it can be assumed, for example, that the user will use commonly used application ports, such as TCP ports 80 or 443.

The response message and / or the control message sent by the relay device may further comprise at least one change password. The switching device may have previously stored different access levels on the remote access devices for different users. For example, one user may only have 25 login credentials to a particular remote device. The other user may also have the right to change, for example, the settings or information of the remote device. For example, using multiple change passwords allows users to define different levels of access rights.

The invention also relates to a computer program for establishing a remote management connection to a remote communication device arranged to perform the above method steps.

According to another aspect of the invention, there is provided a method of establishing a remote management connection to a remote communication device. The method is characterized in that a control message including a reference to at least one application port to be opened and a login password is received from the switching device. The remote access device opens said at least one application port for a predetermined period of time. The remote access device further receives a connection setup from the other terminal to said at least one application port during said predetermined period of time and requests a login password. Connection establishment is accepted if mi-10 provided that the login password received from the other terminal corresponds to the login password received from the control device in the control message.

Said application port may be closed if said predetermined period of time has expired and the second terminal 15 has not established a connection to the remote communication device. The application port can also be closed if the login password provided by the other terminal is incorrect.

The control message sent by the relay device 20 may further comprise at least one change password. For example, one user may only have login rights to a particular remote device. Another user may also have permission to change the settings or information on the remote device. For example, by using multiple change passwords for users, different levels of change rights can be defined.

Once the second terminal has logged on to the remote access device and issued remote management commands through the established remote management connection, the other terminal 30 may be requested to provide a change password to execute the provided remote management commands. The remote management commands are finally executed only after receiving a change password from another terminal corresponding to the change password previously received by the remote access device from the relay device.

The invention also relates to a computer program for establishing a remote management connection to a remote communication device 7 arranged to perform the above method steps.

According to a third aspect of the invention, there is provided a method of establishing a management connection to a managed device locally. The method is characterized by establishing a local connection from the first terminal to the managed device. The connection between the terminals may be wireless or wired. The first terminal requests connection parameters for the IP traffic from the managed device and, in response to the request made, receives the connection parameters from the managed terminal. In other words, the first terminal establishes, for example, a Point to 15 Point (PPP) connection to the managed device. The first terminal thinks that the managed terminal is a network server from which it requests connection parameters for IP traffic. The managed terminal preferably operates like a Dynamic Host Configuration Protocol (DHCP) server and the first terminal 20 imagines that it is logging on to the network. The first terminal accepts the connection between the devices and establishes a browser connection to the managed device by selecting a predefined network address.

The invention also relates to a computer program for establishing a remote management connection to a remote communication device arranged to perform the above method steps.

According to a fourth aspect of the invention, there is provided a method of establishing a management connection to a managed device locally. The method is characterized in that the managed terminal receives a connection request from the first terminal. The managed terminal further receives a connection parameter request from the first terminal for IP traffic and, in response to the received request, transmits the connection parameters to the first 8 terminal. The managed terminal accepts the connection between the devices and receives a browser connection request from the first terminal to a predetermined network address.

The invention also relates to a computer program for establishing a remote management connection to a remote communication device arranged to perform the above method steps.

The invention also relates to terminals 10 for carrying out the above methods. The features of the terminals are defined in the claims.

Due to the present invention, the remote device or the managed device can be managed or remotely managed without compromising security at the end of the managed device and at the end of the managed device. Furthermore, the present invention eliminates the need to ever connect a management computer to a corporate network or any other network 20 that it would not like to have access to.

In addition, the solution of the invention is easy and simple to implement.

LIST OF FIGURES

In the following, the invention will be described in detail by way of exemplary embodiments, wherein: Figure 1 illustrates an embodiment of the operation of the method of the invention, Figure 2 illustrates another embodiment of the method of the invention; application according to the invention.

35 9

DETAILED DESCRIPTION OF THE INVENTION

Figure 1 illustrates an embodiment of the operation of the method according to the invention. Figure 1 shows three actual monitoring devices (devices 1 (100), 3 5 (104) and 4 (106)) which monitor various objects, such as real estate, entrances, etc. Device 2 acts as a receiving device for monitoring information. In other words, for example, in an alarm situation, alarm information from devices 1, 3 and 4 is transmitted to device 2. The devices mentioned above can be connected to a public telecommunication network 116, such as the Internet, directly or e.g.

Here, for example, it is desired to configure device 1 (100). The static IP address must be configured for the remotely managed device. This allows the device to be uniquely identified from any other device connected to the Internet. In a preferred embodiment of the invention, device 1 (100) is remotely controlled via a browser interface. For remote management, your device will be able to act as a browser server. In other words, it has the required protocol stack or protocol stacks (e.g., http or https) that use a specific application port or application ports. In the case of the Http protocol, the application port is typically TCP port 25 80 or, in the case of https, typically TCP port 443. It is obvious that any other port number may be used in addition to or instead of the above ports.

Prior to the actual establishment of the remote management connection 30 to the device 1 (100), the service technician 112 sends the message 110, for example a short message in the mobile network, to the receiving center 112. The message format is preferably predefined. The message includes a reference to the device on which the browser connection 35 is to be established. If the message is a short message from a mobile network, the reception center 102 has predefined user telephone numbers.

10 In this example, a reliable A-subscriber identifier for the mobile network is used.

The device 2 (102) sends back to the terminal 110 of the service technician 112 a message containing ai-5 logon password to the remote access device. The message may further include the address of the remote access device and / or one or more change passwords. Passwords can be disposable and thus change each time. The device 2 (102) also sends a control message with the same content to the device 1 (100). The message to be sent to device 1 (100) defines the port to be opened, preferably the TCP port (port 80 or 443), and the login password. The message may also contain one or more change passwords. The message may further specify a time how long the device 1 (100) will keep said port open after receiving the message.

The message exchange between the devices 1 (100) and 2 (102) is preferably implemented using the solution disclosed in patent application FI20051148. The method disclosed in patent application FI20051148 is characterized in that an IP address is assigned to the terminal. In addition, at least one predetermined suitable sport is opened from the terminal towards the telecommunication network. Anyone can send messages to this port. For example, messages do not need to be filtered by a special firewall. The terminal receives the first message to the application port. The first message received includes a sender identifier, which is a separate identifier from the sender's IP address. The receiving terminal extracts the sender identifier from the message and compares the extracted sender identifier with the pre-stored identifiers in the terminal. If the retrieved sender identifier corresponds to a pre-stored identifier in the terminal 35, based on the retrieved sender identifier, an acknowledgment message is sent in response to the first message comprising the terminal's own associated sender identifier.

Further, the solution disclosed in patent application FI20051148 can be used to encrypt the inter-device message exchange. The message or part of it can be encrypted with an encryption key, which is formed, for example, by utilizing the transmit-time value of the device's time counter. It is possible to synchronize the devices to the same time with a special procedure. Correspondingly, the encrypted message 10 may be decrypted utilizing, for example, the value of the time received by the device's time counter.

The device 1 (100) holds the port open, for example, for a predetermined time (for example, 30 seconds) or for 15 times indicated by a message received from the device 2 (102). Service technician 112 connects to their computer 108 via a secure connection to http://193.3.66.9/ or a secure connection to https://193.3.66.9/, to which device 1 (100) responds by requesting a remote device access password from the communicating device. Once the connection has been successfully opened, operation continues normally, i.e. device 1 (100) can be remotely controlled through the established connection.

When the remote management session ends, device 1 (100) closes its application port. Similarly, if the login-25 does not occur within the timeout or the password is incorrect, the port can be closed.

As described above, it is possible to use the browser even if the application port (or ports) itself are normally closed. In addition, the presented 30 procedures originate in various media (e.g., mobile messaging via messaging), making it impossible to trace the management event itself.

If the operation is performed from a corporate network, for example, it is quite possible that someone will be able to "hijack" the connection and thus operate the interface and make changes. In this case, the original login no longer controls the situation. Because of this, the method uses a separate change password, a command that takes effect changes made during a remote administration connection. As a result, the Grabber is virtually unable to change anything during the remote control connection because he does not know the required change password. In other words, parameters and other settings can be changed in the user interface, but they do not take effect until you enter the change password. In one embodiment of Figure 1, multiple passwords may be used to ensure transition from one level of change to another.

Figure 2 illustrates another embodiment of the operation of the method of the invention. In the embodiment of Figure 1, a remote control connection was established to the managed device. In the embodiment of Figure 2, a local management connection is directly established to the managed device.

The method shown in Fig. 2 also allows serial communication to operate on a browser-based basis 20, either through a standard http connection or a secure https connection. In this application, the managed device appears to the communicating computer as a 'network', even though the devices communicate only with each other.

A software 208 is installed on the computer 208 of the service technician 210 to establish, for example, a point to point protocol (PPP) connection to the device 206. The computer 208 imagines that the device 206 is a network server from which it requests parameters for IP-30 traffic. In other words, the device 206 functions, for example, as a Dynamic Host Configuration Protocol (DHCP) server and the computer 208 imagines that it is logging on to the network. Once logged in, the user will be notified so he can launch the browser and select a pre-agreed network address (IP address). The user initiates the procedure using the standard http / https procedure using certain 13 port numbers (for example, TCP port 80 or 443). There is normal browser traffic between the device 206 and the computer 208 that has passed this way. When the management is complete, the connection is disconnected.

5 Although device 206 appears as a server, it cannot route. This ensures that the computer 208 cannot access the corporate network 212 and the corporate network 212 does not gain access to the computer 208. The above solution provides browser access 10 so that the computer 208 is not physically or logically on the network where the self-managed device 206 is.

Due to the present invention, only one interface tool is needed to control 15 or remotely control the devices. There is no need to provide a separate physical-level network interface (for example, an RJ45 interface) to the managed device or other part of the network. An essential advantage of the invention is that the computer by which management is performed does not need to be connected to the customer's corporate network. Further, the public network solution (Figure 1, device 1 (100) and computer 108) likewise does not require any network-level interface (e.g., RJ45), and most importantly, the computer performing management operations does not need to be protected by mil-25 even though the device itself is connected to a public telecommunications network.

The use of serial communication in the solution of Figure 2 above is also advantageous since the device usually has a serial port (or 30 ports) and the computer has either a COM port or a USB port, which can be easily converted by cable to RS-232. On the other hand, wireless methods such as IrDa, Bluetooth, ZigBee, etc. can be used. Although Bluetooth and 35 ZigBee, for example, are 802.xxx compliant, this is irrelevant since this connection is used only for "virtual cable" between browser and device. ".

Fig. 3a shows an embodiment showing a more specific structure of the relay device 302 and the remote access device 304 5. The switching device 302 is connected to the Internet 300 (connection 316) and the mobile communication network 308 (connection 319) via the connection interface 310. Through the connection interface 310, the switching device 302 is arranged to receive from the mobile communication network 308 an electronic message containing a reference to the device on which the remote management connection is to be established. The electronic message may further include one or more application port information to be opened from the remote communication device. In other words, the user can request to open a particular port-15 or certain ports. The electronic message preferably refers to a short message from the mobile communication network 308. However, it may be any other message on the communications network that identifies the user as reliable.

The connection interface 310 is arranged to send a response message to the sender of the electronic message containing the login password to the remote access device 304. A number of sender identifiers can be pre-arranged in the memory of the relay device 302 and compared with the sender identifier of the electronic message. If the sender of the message cannot be found in the memory, the reply message will be blocked. In one embodiment, the response message further includes a reference to at least one application port to be opened by the remote device and the address of the remote device 304 (e.g., the IP address of the remote device). The application port to be opened may be the same as requested in the electronic message. If an application port is not identified in the electronic message, the switching device 302 may specify a port to open or 35 to open.

The senders of electronic messages may have been pre-assigned different access rights to different remote communication devices. A given user may only have logon access to one remote device and no modification rights at all. The other user may have both login and change access to the same remote device. Therefore, in one embodiment, the response message further includes one or more change passwords. If multiple change passwords are used, multiple levels of change access rights can be defined. In other words, the pro-10 processing means 306 is arranged to generate the content of the response message to the first terminal 110 in response to identifying the sender of said electronic message.

The connection interface 310 is further arranged 15 to send a control message to the remote access device 304 including a reference to at least one unlockable application port on the remote access device 304 and said login password. The application port to open is preferably a TCP (Transmission Control p Proto-20 inch) port. In one embodiment, the control message further includes one or more change passwords, the functionality of which was described above.

For example, the remote access device 304 is only connected to the Internet 300 (connection 318). The remote access device 304 comprises a communication interface 312 arranged to receive from the relay device 302 a control message including a reference to at least one application port to be opened and a login password. The processing means 314 is arranged to open said at least one application port for a predetermined period of time. The processing means 314 is arranged to close said application port if said predetermined period of time has expired and no message has been received at the application port.

The connection interface 312 is further arranged to receive from the second terminal a connection establishment to the at least one application port 16 during said predetermined time period. The second terminal refers to, for example, a computer used by a service technician and connected to the Internet. The processing means 314 is arranged to request a login password from another terminal and to accept the connection establishment if the login password received from the other terminal corresponds to the login password received from the relay device 302 in the control message. In one embodiment, the processing means 10 314 is further arranged to close said application port if the login password provided by the other terminal is incorrect.

The control message sent by the transmission device 302 may also include at least one change password. The Kir-15 passcode password gives you access to the existing data, but only the change passcode can take effect. Therefore, the connection interface 312 is arranged to receive remote management commands through the remote management connection established from the second terminal, the processing means 314 is arranged to request the second terminal to change the remote management commands issued by the device and to remotely respond to the remote the change password previously received from the transmission device 302. As stated earlier, a given user can only have logon privileges to one remote device, and no change-30 rights at all. Another user may have both logon and copy access to the same remote device. If more than one change domain word is used, you can define multiple levels of change rights.

Figure 3b shows an embodiment showing a more detailed structure of the terminal 320 and the remote access device 322. 3b, the connection 330 between the terminal 320 and the remote connection 322 is a local connection.

The terminal 320 comprises processing means 324 arranged to establish a local connection to the remote access device 322. The physical interface between the devices may be wired or wireless. The processing means 324 is further arranged to request connection parameters for IP traffic from the remote connection device 322, and the connection interface 328 receives from the remote access device 322 connection parameters in response to the request made. If the terminal 320 is a serviceman's laptop, a program is installed on it that establishes, for example, a PPP (Point to Point) connection to a remote access device. The laptop bone-15 determines that the remote access device is a network server from which it requests connection parameters for IP traffic. The processing means 324 is arranged to accept the establishment of a connection between the terminal 320 and the remote connection device 322 and establish a browser connection to the remote connection device 322 by selecting a predetermined network address.

Although the remote access device 322 is shown to the terminal 320 as a server, the remote access device 322 is not able to route IP packets. Therefore, the terminal-253 device 320 cannot connect to the local area network where the remote access device 322 may be connected.

The remote access device 322 comprises a connection interface 332 configured to receive a connection set-up request and a connection parameter request for IP traffic 30 from the terminal 320. The connection interface 332 is further arranged to transmit the connection parameters to the terminal 320 in response to the received request. The processing means 336 are arranged to accept the establishment of a connection between the remote access device 322 and the terminal 35 device 320, and the connection interface 332 is arranged to receive a browser connection request from the terminal 320 to a predetermined network address.

The processing means 306, 314, 324, 336 comprise, for example, a processor and a memory 5 attached thereto. The memory may refer to a single memory or memory area, or to memory or memory areas that may include Random Access Memory, ROM, Read-Only Memory, etc. The memory may further comprise other applications or software components not included herein. describe in more detail. The memory may further include a computer program (or portion thereof) which, when executed in the processor, performs at least a portion of the method steps disclosed in the invention. The processor may further include a memory that may include a computer program (or portion thereof) that, when executed in the processor, performs at least a portion of the method steps disclosed in the invention.

The invention is not limited only to the above exemplary embodiments, but many variations are possible within the scope of the inventive idea defined by the claims.

Claims (38)

19 A method for establishing a remote access connection to a remote access device, characterized in that the method further comprises the steps of: receiving, via the relay device, an electronic message including a reference to the device to which the remote access connection is to be established; 10 transmitting from the switching device to the first terminal device a response message including a login credential to the remote access device; and transmitting, on the relay device, a control message including a reference to at least one of the 15 open application ports on the remote device and said login password. Method according to claim 1, characterized in that the method further comprises the steps of: determining, from the electronic message, the identity of the sender of the message; and preventing the response message from being sent to the first terminal if no identification of the sender of the electronic message is pre-stored in the relay. Method according to claim 1 or 2, characterized in that the identifier of the sender of the electronic message is the sender identifier of the short message in the mobile communication network. Method according to one of the preceding claims 1 to 3, characterized in that said electronic message comprises information on at least one application port to be opened. Method according to one of the preceding claims 1 to 35 4, characterized in that said reply message comprises a reference to at least one 20 open application ports and / or the address of a remote access device. A method according to any one of the preceding claims 1 to 5, characterized in that said response message and / or control message comprises at least one change password. Method according to one of the preceding claims 1 to 6, characterized in that said opening application port is a predetermined TCP-10 port. A method according to any one of claims 1 to 7, characterized in that the method further comprises the steps of: determining, from said electronic message 15, the identity of the sender of the message; and generating the contents of the response message to the first terminal in response to identifying the sender of said electronic message. A computer program for establishing a remote management connection to a remote communication device, characterized in that the computer program is arranged to perform the method set forth in claims 1-8. A method for establishing a remote management connection to a remote access device, characterized in that the method further comprises the steps of: receiving from the relay a control message including a reference to at least one application port to be opened and a login password; 30 opening said at least one application port for a predetermined time period; receiving from the second terminal a connection set-up to said at least one application port during said predetermined period; 35 requesting a login password from the other terminal; and 21 accepting a connection set up if the login password received from the other terminal matches the login password received from the relay in the control message. The method of claim 10, characterized in that the method further comprises the step of: closing said application port if said predetermined period of time expires. The method of claim 10, characterized in that the method further comprises the step of: closing said application port if the login password provided by the second terminal is incorrect. A method according to any one of the preceding claims 10 to 12, characterized in that said control message comprises at least one changeover password. A method according to claim 13, characterized in that the method further comprises the steps of: receiving remotely command commands via a remote management connection established from another terminal; Requesting from the second terminal a change password to execute the given remote management commands; and executing the remote management commands definitively only after receiving a change password from another terminal corresponding to the change password previously received by the remote access device from the relay device. A computer program for establishing a remote management connection to a remote communication device, characterized in that the computer program is arranged to perform the method set forth in claims 35 to 10. A method of establishing a management connection to a managed device, characterized in that the method further comprises the steps of: establishing a local serial communication connection from the first terminal to the managed device; 5 requesting connection parameters for IP traffic from the managed device on the first terminal in the same manner as in the case where the managed device would act as a network server; 10 receiving connection parameters in response to a request made over a serial communication connection from the terminal managed by the first terminal; accepting a connection between the first terminal and the managed terminal; and 15 establishing a browser connection from the first terminal to the managed device by selecting a predetermined network address. A computer program for establishing a management connection to a managed device, characterized in that the computer program is arranged to perform the method set forth in claim 16. 18. A method for establishing a management connection to a managed device, characterized in that the method further comprises the steps of: receiving, on a local serial communication link, a connection request to the managed device from the first terminal; receiving a connection parameter request for IP traffic from the first terminal via a serial communication managed terminal, in the same manner as in the case where the managed device would act as a network server; transmitting, from the managed terminal, connection point parameters 35 over a serial connection to the first terminal in response to a received request; 23 approving the establishment of a connection between the first terminal and the managed terminal; and receiving, at the managed terminal, a browser connection request 5 from the first terminal to the predetermined network address. A computer program for establishing a management connection to a managed device, characterized in that the computer program is arranged to perform the method set forth in claim 18. A relay device for establishing a remote access connection to a remote access device (304), characterized in that the relay device (302) comprises: receiving means (310) configured to receive from the first terminal (110) an electronic message including a reference to the device (304) it is desired to form; transmitting means (310) configured to transmit to the first terminal (110) a response message including a login password to the remote device (304); and transmitting means (310) configured to send to the remote access device (304) a control message including a reference to at least one unlockable application sport in the remote access device (304) and said login password. A relay device according to claim 20, characterized in that the relay device (302) 30 further comprises: processing means (306) arranged to determine from the electronic message the identity of the sender of the message; and processing means (306) arranged 35 to prevent the response message from being sent to the first terminal (110) if the identity of the sender of the electronic message is not pre-stored in the relay device (302). A switching device according to claim 20 or 21, characterized in that the identifier of the sender of the electronic message 5 is the sender identifier of the short message in the mobile communication network. A switching device according to any one of the preceding claims 20 to 22, characterized in that said electronic message comprises information on at least one application port to be opened and / or the address of a remote access device (304). A relay device according to any one of the preceding claims 20 to 23, characterized in that said response message comprises a reference to at least one application port to be opened. A relay device according to any one of claims 20 to 24, characterized in that said response message and / or control message comprises at least one change password. A switching device according to any one of the preceding claims 20 to 25, characterized in that the openable port referred to by the control message is a predetermined TCP port. A relay device according to any one of the preceding claims 20 to 26, characterized in that the relay device (302) comprises: processing means (306) arranged to determine, from said electronic message, the identity of the sender of the message; and 30 processing means (306) arranged to generate the content of the response message to the first terminal (110) in response to identifying the sender of said electronic message. A remote access device for receiving remote connection 35, characterized in that the remote access device (304) comprises: 25 receiving means (312) arranged to receive from the relay device (302) a control message including a reference to at least one application port to be opened and a login password; Processing means (314) arranged to open said at least one application port for a predetermined period of time; receiving means (312) configured to receive from the second terminal (110) a connection to said at least one application port during said predetermined time period; processing means (314) arranged to request a login password from the second terminal (110); and 15 processing means (314) arranged to accept the connection establishment if the login password obtained from the second terminal (110) corresponds to the login password obtained from the control device (302). The remote communication device of claim 28, characterized in that the processing means (314) is arranged to close said application sport if said predetermined period of time expires. The remote access device of claim 28, characterized in that the processing means (314) is arranged to close said application sport if the login password provided by the second terminal (110) is incorrect. A remote access device according to any one of claims 28 to 30, characterized in that said control message comprises at least one change password. The remote communication device according to claim 31, characterized in that the remote communication device (304) comprises: 26 receiving means (312) arranged to receive remote management commands via a remote management connection established from the second terminal (110); processing means (314) configured to request from the second terminal (110) a change password to execute remote management commands; and processing means (314) configured to perform remote administration commands definitively only after receiving from the second terminal (110) a change password corresponding to the change password previously received from the relay device (302) by the remote access device (304). 33. A terminal for establishing a remote management connection to a remote communication device (322), characterized in that the terminal (320) comprises: processing means (324) arranged to establish a local serial communication connection to the remote communication device (322); processing means (324) arranged over a serial connection to request connection parameters for IP traffic from the remote communication device (322); receiving means (328) arranged to receive connection parameters over a serial communication connection from the remote communication device (322) in response to a request; processing means (324) configured to accept connection establishment between the terminal (320) and the remote communication device (322); and processing means (324) arranged to establish a browser connection to the remote access device (322) by selecting a predetermined network address. The terminal device of claim 33, characterized in that the processing means (324) is arranged to establish a local connection 27 to the remote access device (322) via a wireless communication interface. The terminal of claim 33, characterized in that the processing means 5 (324) is arranged to establish a local connection to the remote access device (322) via a wired connection interface. 36. A remote access device for receiving a remote access connection, characterized in that the remote access device (322) comprises: receiving means (332) configured to receive a connection request from the terminal (320) via a local serial communication connection; Receiving means (332) configured to receive a connection parameter request for IP traffic from the terminal (320) over a serial communication connection; transmitting means (332) configured to transmit connection parameters over a serial connection to the terminal (320) in response to a received request; processing means (336) arranged to accept connection establishment between the remote communication device (322) and the terminal device (320); and receiving means (332) arranged to receive from the terminal (320) a browser connection request to a predetermined network address. A remote access device according to claim 36, characterized in that the processing means (336) is arranged to establish a local connection to the remote communication device (322) via the wireless communication interface. A remote access device according to claim 36, characterized in that the processing means (336) are arranged to establish a local connection to the remote communication device (322) via a wired connection interface. 28