JP2010233169A - Monitoring system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a monitoring system capable of simplifying a configuration when connecting between terminals in the monitoring system through a VPN (Virtual Private Network). <P>SOLUTION: In a monitoring system 1, a first terminal includes a VPN server unit and a second terminal includes a VPN client unit. Both the terminals exchange connection setup information and then set up a VPN connection. When the second terminal transmits the connection setup information to the first terminal, a first VPN connection request condition is established by receiving the connection setup information from the first terminal and the second terminal sends a VPN connection request to the first terminal. When the second terminal receives the connection setup information from the first terminal as an exchange request destination, a second VPN connection request condition is established by redirecting the connection setup information to the first terminal and receiving an acknowledgement from the first terminal, and the second terminal sends a VPN connection request to the first terminal. Since the second terminal makes the VPN connection request to the first terminal in both the cases, it is enough for the first terminal to include a VPN server function. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a monitoring system for communicating monitoring information between a plurality of terminals, and more particularly to a technique for communicating monitoring information using a VPN.

  2. Description of the Related Art Conventionally, a monitoring system has been put to practical use in which a monitoring camera is installed on a monitoring target in a store, a factory, etc., and a monitoring video is monitored remotely. The monitoring video is transmitted to a remote monitoring center, and is also transmitted to the office of the owner (owner) to be monitored. A general public line such as ISDN is used for transmission of the monitoring video (for example, Patent Document 1).

  In recent years, with the widespread use of broadband lines such as ADSL and FTTH, there is an increasing need for transmission / reception of monitoring video and the like in a monitoring system on the Internet. The use of the Internet can be expected to save costs and improve system flexibility.

  Ensuring security is important when sending monitoring information over the Internet. Thus, it has been proposed to establish a VPN (virtual private network) between the monitoring center and the monitoring terminal to ensure communication security (for example, Patent Document 2).

JP 2001-54102 A JP 2006-203313 A

  Conventionally, when a VPN is applied to a monitoring system, a VPN is constructed between the monitoring center and the terminal, and the VPN is constantly maintained. Apart from such always-on VPN, it is also conceivable to perform VPN connection between terminals when necessary. However, when trying to make such a VPN connection between terminals, a VPN server function is required for all the terminals as described below, which causes a problem that the configuration becomes complicated.

  The plurality of terminals are typically a monitoring terminal installed in a monitoring target and a user terminal that uses a monitoring service. As a specific example, the monitoring target is a store, the monitoring terminal is arranged in the store, and the user terminal is arranged in the office of the store owner or the like.

  In such a case, when an alarm or the like occurs in the monitoring terminal, the monitoring terminal requests connection to the user terminal. On the other hand, when the owner wants to see the video to be monitored, the user terminal requests connection to the monitoring terminal. Thus, in the VPN connection between terminals, both terminals may request connection to the other terminal.

  However, in the VPN connection, a VPN connection request is made from the VPN client to the VPN server, and the subsequent VPN communication is managed in response to the connection request by the VPN server. Therefore, in order to make a connection request from the monitoring terminal to the user terminal, it is necessary to provide a VPN server function in the user terminal. Further, in order to make a VPN connection request from the user terminal to the monitoring terminal, it is necessary to provide the monitoring terminal with a VPN server function. Eventually, it becomes necessary to provide a VPN server function in all terminals, and the configuration becomes complicated.

  The present invention has been made under the above-described background, and an object thereof is to provide a monitoring system capable of simplifying the configuration when the terminals of the monitoring system are connected by VPN.

  The present invention is a monitoring system having first and second terminals connected by VPN and communicating monitoring information between the first and second terminals, wherein the first terminal is a VPN A VPN server unit that realizes the server function, and a first storage unit that holds server-side connection establishment information to be transmitted to the second terminal in order to establish a VPN connection. The terminal holds a VPN client unit that realizes a VPN client function, and client-side connection establishment information to be transmitted to the first terminal in order to establish a VPN connection, and from the VPN client unit to the VPN A second storage unit that stores a VPN connection request condition that is a condition for requesting a VPN connection to the server unit, and the second storage unit uses the second terminal as the VPN connection request condition. A first VPN connection request condition that is satisfied when the server side connection establishment information is received from the first terminal when the client side connection establishment information is transmitted to the first terminal as an exchange request source. And when the second terminal receives the server side connection establishment information from the first terminal as an exchange request destination, the client side connection establishment information is returned to the first terminal, and A second VPN connection request condition established upon receipt of the receipt confirmation from the first terminal, and the VPN client unit of the second terminal stores the first or second VPN connection request condition. When established, a VPN connection request is made to the VPN server unit of the first terminal.

  As described above, according to the present invention, the first terminal is provided with the VPN server function, and the second terminal is provided with the VPN client function. The first and second terminals exchange connection establishment information necessary for VPN connection as pre-processing for VPN connection. The connection establishment information is, for example, an IP address and an electronic certificate. In the present invention, the two VPN connection request conditions are stored in the second terminal as described above in relation to the exchange order of the connection establishment information, and when one of the VPN connection request conditions is satisfied, The second terminal makes a VPN connection request to the first terminal. When the second terminal desires a connection and becomes a connection establishment information exchange request source, the first connection request condition is satisfied. On the other hand, when the first terminal wishes to connect and the second terminal is the connection establishment information exchange request destination, the second connection request condition is satisfied. Whichever terminal desires to connect, the second terminal makes a VPN connection request from the first terminal. Therefore, it is not necessary to provide a VPN server function in both terminals, and the configuration is simplified.

  In the present invention, the first and second terminals may exchange SIP messages. When the second terminal transmits an invitation message including connection establishment information on the client side to the first terminal, an OK message including connection establishment information on the server side is received from the first terminal. The first VPN connection request condition may be satisfied. When the second terminal receives an invitation message including connection establishment information on the server side from the first terminal, an OK message including connection establishment information on the client side is returned to the first terminal. The second VPN connection request condition may be satisfied by receiving an ACK message from the first terminal.

  In this configuration, attention is paid to SIP (Session Initiation Protocol), which is a communication control protocol used in Internet telephones, as a means for exchanging connection establishment information for VPN connection. In SIP signaling, an INVITE message and an OK message are exchanged between terminals. Connection establishment information is added to these SIP messages. As a result, connection establishment information can be exchanged in the SIP signaling process. That is, the present invention combines SIP and VPN well, exchanges information necessary for VPN connection by SIP, and establishes a VPN connection using the exchanged information. Furthermore, the present invention not only combines SIP and VPN, but also sets the first and second VPN connection request conditions as described above. Thereby, regardless of which of the first and second terminals issues the SIP invitation message, the VPN connection request is made from the second terminal to the first terminal. Therefore, it is not necessary to provide a VPN server function in both terminals, and the configuration is simplified.

  The monitoring system of the present invention may include a communication management device connected to the first and second terminals, and the first and second terminals receive the SIP message via the communication management device. May be exchanged. The communication management device includes a SIP server, an authorization information storage unit that stores connection authorization information that represents a combination of a connection source and a connection destination terminal to be authorized for connection, and a connection between the terminals with reference to the connection authorization information. An authorization processing unit for judging whether or not to authorize the connection. When an invitation message is received from the first or second terminal, the SIP server supplies identification information of the connection destination terminal included in the invitation message to the authorization processing unit, and the authorization processing unit The SIP server may supply an invitation message from the connection source terminal to the connection destination terminal when the connection server and the connection destination terminal are authorized.

  This configuration can further improve security when SIP is applied to the monitoring system. According to the present invention, a plurality of terminals of a monitoring system are connected to a communication management device provided with a SIP server. The communication management device, in addition to the SIP server, whether or not to authorize the connection between the terminals with reference to the authorization information storage unit that stores the connection authorization information representing the combination of the terminals that should be authorized for connection, and the connection authorization information. And an authorization processing unit for determining In SIP signaling, an invitation message is sent from the connection source terminal to the SIP server. At this time, in the present invention, the authorization processing unit determines whether to authorize the connection. When the authorization processing unit authorizes the connection, the SIP server sends an invitation message from the connection source terminal to the connection destination terminal, and SIP signaling succeeds.

  As described above, according to the present invention, information on the combination of terminals to be permitted to connect is stored in advance, and the connection between the terminals is permitted at the time of SIP signaling. Accordingly, not only authentication between the terminal and the SIP server, but authorization between terminals via the SIP server, that is, P2P can be performed, and the number of users of the monitoring information can be suitably limited. In this way, security can be improved when SIP is applied to the monitoring system.

  In the monitoring system of the present invention, the first terminal may be a user device that uses a monitoring service, and the second terminal may be a monitoring device installed on a monitoring target. When monitoring information is transmitted from the monitoring device to the user device according to a predetermined setting, the monitoring device serves as the exchange request source and sends a VPN to the user device when the first VPN connection request condition is satisfied. A connection request may be made. When the user device requests the monitoring device to transmit the monitoring information, the monitoring device becomes the exchange request destination and establishes a VPN connection to the user device when the second VPN connection request condition is satisfied. You may make a request.

  With this configuration, when the monitoring device transmits monitoring information to the user device according to a predetermined setting, the monitoring device makes a VPN connection request to the user device. This situation is, for example, when a regular transmission timing comes, and when a visitor comes to the monitoring target. Also, when the user device requests the monitoring information to transmit the monitoring information, the monitoring device makes a VPN connection request to the user device. Therefore, when the monitoring device and the user device are connected by VPN, the VPN server function only needs to be provided in the user device, and the configuration can be simplified.

  The present invention is not limited to the aspect of the monitoring system. Another aspect of the present invention is, for example, a terminal device or a communication management device. Further, the present invention may be realized in the form of a method, a program, or a computer-readable recording medium that records the program.

  For example, another aspect of the present invention is a terminal device that is provided in a monitoring system including a plurality of terminal devices that communicate monitoring information, and that communicates with a VPN server terminal that constitutes the monitoring system and has a VPN server function. The terminal device holds a VPN client unit that realizes a VPN client function, client-side connection establishment information to be transmitted to the VPN server terminal in order to establish a VPN connection, and from the VPN client unit A storage unit that stores a VPN connection request condition that is a condition for requesting a VPN connection to a VPN server terminal, and the storage unit uses the VPN server as a connection request source of the connection establishment information as the VPN connection request condition A first VPN connection request condition that is established when the server side connection establishment information is received from the VPN server terminal when the client side connection establishment information is transmitted to the terminal, and the connection establishment information exchange request When the server side connection establishment information is received from the VPN server terminal as a destination The client side connection establishment information is returned to the VPN server terminal, and a second VPN connection request condition established upon receipt of the receipt confirmation from the VPN server terminal is stored. When the first or second VPN connection request condition is satisfied, a VPN connection request is made to the VPN server terminal. This configuration also provides the advantages of the present invention described above.

  As described above, the present invention can simplify the configuration when the terminals of the monitoring system are connected by VPN.

It is a figure which shows the whole structure of the monitoring system of this invention. It is a block diagram which shows the structure of a monitoring system more concretely. It is a block diagram which shows the main structures in the monitoring system of this invention. It is a figure which shows the example of the table of the connection authorization information memorize | stored in the authorization information storage part. It is a figure which shows the 1st and 2nd VPN connection requirement conditions. It is a figure which shows operation | movement when a monitoring apparatus becomes communication request | requirement exchange of connection establishment information, and communicates between terminals. It is a figure which shows operation | movement when the monitoring apparatus becomes communication request | requirement destination of connection establishment information, and communicates between terminals. It is a figure which shows operation | movement of the IP line unit for VPN connection establishment. It is a figure which shows operation | movement when a monitoring apparatus becomes communication request | requirement exchange of connection establishment information, and communicates between terminals. It is a figure which shows operation | movement when the monitoring apparatus becomes communication request | requirement destination of connection establishment information, and communicates between terminals.

  Hereinafter, a monitoring system according to an embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 shows the overall configuration of the monitoring system of the present invention. As illustrated, in the monitoring system 1, communication is performed among the monitoring center 3, the monitoring target 5, and the user base 7. Here, the user means a user of the monitoring service of the monitoring target 5 by the monitoring system 1. In the example of the present embodiment, the monitoring target 5 is a store, and the user base 7 is an office of the store owner.

  The monitoring center 3 includes a communication management device 11 and a plurality of center devices 13, and these are connected so as to be communicable. The communication management device 11 and the plurality of center devices 13 may be arranged at geographically distant locations. The plurality of center devices 13 may be respectively arranged in a plurality of assigned areas. Further, the plurality of center devices 13 may share functions. For example, one center device 13 may function as a control center device that processes a security-related signal, and another center device 13 may function as an image center device that mainly processes monitoring video. One center device 13 may be used within the scope of the present invention.

  A monitoring device 15 and a user device 17 are provided in the monitoring target 5 and the user base 7, respectively. The monitoring device 15 and the user device 17 correspond to the terminal of the present invention. The monitoring device 15 sends monitoring information to the center device 13 and the user device 17. The monitoring information is, for example, an image of a monitoring camera and a monitoring signal detected by the monitoring target 5. The monitoring signal is, for example, a guard signal indicating that an abnormality has occurred, and the guard signal is generated based on a detection signal from a sensor installed in the monitoring target 5 or generated when an alarm button (switch) is operated. Is done. In addition, the user device 17 sends a control signal and an audio signal to the monitoring device 15. Such a signal from the user device 17 to the monitoring device 15 is also included in the monitoring information.

  In FIG. 1, one monitoring target 5 and one user base 7 are shown. However, actually, the monitoring center 3 communicates with a plurality of monitoring targets 5 and a plurality of user bases 7. Accordingly, the communication management device 11 also communicates with the plurality of monitoring devices 15 and the plurality of user devices 17. Each monitoring device 15 communicates with an associated user device 17 (store owner's terminal).

  In the monitoring system 1 of FIG. 1, for example, it is assumed that the monitoring device 15 detects an abnormality by a sensor signal or the like. In this case, a guard signal is transmitted as monitoring information to the monitoring center 3 together with the video of the monitoring target 5. In the monitoring center 3, the operator confirms the security signal and video on the monitor of the center device 13, and gives necessary instructions to the security guard. The guard who received the instruction rushes to the monitoring object 5 and deals with the abnormality.

  Further, for example, the monitoring device 15 sends the image of the monitoring target 5 to the user device 17 periodically or according to other settings. For example, when a visitor is detected by the sensor, an image or the like is sent to the user device 17. In addition, transmission of video or the like may be requested from the user device 17. The owner can grasp the state of the store from the video or the like. In addition, the owner can send a voice or the like from the user device 17 to the monitoring device 15 to instruct the store clerk about necessary items.

  Next, a communication form of the monitoring system 1 will be described. The communication management device 11, the monitoring device 15, and the user device 17 are connected to the Internet.

  Furthermore, the communication management device 11 is connected to the monitoring device 15 and the user device 17 by a VPN (Virtual Private Network) 21 between center terminals on the Internet. In order to construct the VPN 21 between center terminals, the communication management device 11 is provided with a VPN server function, and the monitoring device 15 and the user device 17 are provided with a VPN client function. In VPN, a VPN tunnel is constructed, encrypted communication is performed, and high security is realized.

  Further, the monitoring device 15 and the user device 17 perform SIP communication 23 via the communication management device 11. The SIP communication 23 is performed via the center terminal VPN 21 described above. The communication management device 11 has a SIP server function.

  Further, the monitoring device 15 and the user device 17 are directly connected by the inter-terminal VPN 25 without going through the communication management device 11. In order to construct the inter-terminal VPN 25, the user device 17 is provided with a VPN server function, and the monitoring device 15 is provided with a VPN client function.

  Here, the center terminal VPN 21 is always connected and a VPN tunnel is established, and is used for communication between the center device 13, the monitoring device 15, and the user device 17. On the other hand, the inter-terminal VPN 25 is constructed only when necessary.

  The reason for using the inter-terminal VPN 25 will be described. In the monitoring system 1, a large amount of data such as video is communicated. When the center terminal VPN 21 is used for all communications, the load of the communication management apparatus 11 becomes enormous. Therefore, communication between the monitoring device 15 and the user device 17 is performed by the inter-terminal VPN 25, thereby reducing the load on the communication management device 11 while ensuring security.

  Further, the role of the SIP communication 23 in the present embodiment is a special one that is different from a normal IP telephone or the like. That is, in the present embodiment, SIP signaling is positioned as a preparation process before the VPN connection of the VPN 25 between terminals. More specifically, when establishing a SIP 23 session, signaling is performed. Two-way communication is performed by this signaling, and an INVITE (invite) message and an OK message are exchanged between the user device 17 and the monitoring device 15. On the other hand, in order to establish a VPN connection, it is necessary to exchange information. In this embodiment, the IP address and the electronic certificate are exchanged. Therefore, the signaling of the SIP communication 23 is used as an information exchange means for establishing a VPN connection. An electronic certificate is used when verifying the validity of an electronic signature or the like and is issued from a trusted third party.

  The overall configuration of the monitoring system 1 has been described above. As described above, in this embodiment, two types of VPN are used. One connects the communication management device 11 and the terminal (the monitoring device 15 or the user device 17), and the other connects the terminals (the monitoring device 15 and the user device 17). Therefore, in FIG. 1, in order to distinguish these two VPNs, terms such as the center terminal VPN 21 and the terminal VPN 25 are used. However, terms such as VPN21 and VPN25 may be used.

  Next, the configuration of the monitoring system 1 will be described more specifically with reference to FIG. The communication management apparatus 11 includes a firewall 31, an HTTP server 33, a VPN server 35, a SIP server 37, a STUN server 39, an account management server 41, a database 43, and a log server 45.

  The firewall 31 is a device that blocks data other than communication data used between the communication management device 11, the monitoring device 15, and the user device 17. The HTTP server 33 is configured for Internet connection. The VPN server 35 is a server that performs authentication and encryption for VPN tunnel construction.

  The VPN server 35 is configured to realize the center terminal VPN 21, constructs a VPN between the communication management device 11 and the monitoring device 15, and constructs a VPN between the communication management device 11 and the user device 17. . A signal from the monitoring device 15 is decrypted by the VPN server 35 and transmitted to the center device 13. A signal from the center device 13 is encrypted by the VPN server 35 and transmitted to the monitoring device 15. Also, when the communication management device 11 sends a signal to the monitoring device 15, encryption is performed by the VPN server 35. In the communication between the communication management device 11 and the user device 17, the VPN server 35 similarly performs encryption and decryption.

  The SIP server 37 performs signaling processing according to the SIP protocol, and connects the monitoring device 15 and the user device 17. The SIP server 37 performs a SIP connection control function when the user device 17 requests connection to the monitoring device 15 or when the monitoring device 15 requests connection to the user device 17.

  In SIP signaling, messages are exchanged. Specifically, an INVITE (invite) message and an OK message are exchanged. Using this message exchange, as described above, an IP address and an electronic certificate are exchanged for establishing a VPN connection.

  The STUN server 39 provides a STUN function in order to correspond to the NAT function of the routers of the monitoring device 15 and the user device 17.

  The account management server 41 is a server that manages various types of information such as authentication. Information to be managed is stored in the database 43. Information to be managed includes an IP line account, a digital certificate for VPN connection (tunnel construction), and key pair information. In the present embodiment, authentication and authorization are performed for connections between terminals in the course of SIP signaling. Information for this processing is also stored in the database 43 and used by the account management server 41. It should be noted that authentication and authorization for connection between terminals can be performed by the SIP server itself. In this case, the authorization server and authorization information storage unit of the present invention are provided in the SIP server.

  The log server 45 is a server for storing a log generated by the monitoring device 15.

  The center device 13 includes a monitoring console 51 and a line connection device 53. A monitoring console 51 is connected to the communication management device 11 via the line connection device 53. For example, when the center device 13 is an image center, the monitoring video is supplied to the monitoring console 51 and managed by the monitoring console 51. When the center device 13 is a control center, security-related information is supplied to the monitoring console 51. The monitoring video is also suitably displayed on the control center monitor. The monitoring video or the like may be communicated between the center devices.

  Next, the monitoring device 15 will be described. The monitoring device 15 includes a controller 61, an IP line unit 63, a router 65, a peripheral device 67, a multi-line adapter 69, and a monitoring target PC (personal computer) 71.

  The controller 61 is configured by a computer and realizes a monitoring function in cooperation with the peripheral device 67. The controller 61 is connected to the monitoring center 3 via the IP line unit 63. The controller 61 is also connected to the user device 17 via the IP line unit 63.

  In FIG. 2, a monitoring camera 73, a sensor 75, and an alarm button 77 are illustrated as the peripheral devices 67. The controller 61 performs an image recognition process on the monitoring video to detect an abnormality. The controller 61 detects an abnormality based on the detection signal input from the sensor 75. An abnormality is also detected when the alarm button 77 is pressed. Other peripheral devices may be used for abnormality detection. When an abnormality occurs, the controller 61 communicates with the center device 13 and transmits a security signal and an image signal. A microphone is provided together with the monitoring camera 73, and an audio signal is also transmitted. In this way, the controller 61 realizes the security function of the monitoring target 5.

  The monitoring video and audio are also transmitted when requested by the center device 13. Furthermore, the monitoring video and audio are also sent to the user device 17. Transmission to the user device 17 is performed, for example, periodically, or according to other settings. For example, when a visitor is detected by the sensor 75, an image or the like is sent to the user device 17. Also, when requested by the user device 17, the monitoring device 15 transmits a video or the like.

  The IP line unit 63 constructs a VPN tunnel for the controller 61 to communicate with the communication management apparatus 11. In addition, a VPN tunnel for the controller 61 to communicate with the user device 17 is constructed. The former corresponds to the inter-terminal VPN 21, and the latter corresponds to the inter-terminal VPN 25. In these connections, the IP line unit 63 realizes a VPN client function.

  In FIG. 2, the IP line unit 63 is shown as an internal configuration of the controller 61. This represents a physical arrangement. As a communication configuration, the IP line unit 63 is disposed between the controller 61 and the router 65. The IP line unit 63 is LAN-connected to the controller 61 via Ethernet (registered trademark). The router 65 is a router for a broadband line.

  The multi-line adapter 69 is connected to the center device 13 via a mobile phone network. The multi-line adapter 69 is used for transmitting a security signal when the broadband line is disconnected. A security signal is sent from the controller 61 to the multi-line adapter 69 via the IP line unit 63, and is sent from the multi-line adapter 69 to the center device 13.

  The monitoring target PC 71 is a PC installed on the monitoring target 5. In the example of the present embodiment, the monitoring target 5 is a store. Therefore, the monitoring target PC 71 may be a store PC.

  Next, the user device 17 will be described. The user device 17 includes a VPN terminal device (hereinafter referred to as VTE) 81, a router 83, and a user PC (personal computer) 85.

  The VTE 81 is a line termination device for broadband connection. Then, the VTE 81 constructs a VPN tunnel with the VPN server 35 of the communication management apparatus 11 and constructs a VPN tunnel with the IP line unit 63 of the monitoring apparatus 15. In the former, the VTE 81 functions as a VPN client, and in the latter, the VTE 81 functions as a VPN server. The router 83 is a router for a broadband line.

  The VTE 81 is connected to the user PC 85. The VTE 81 transfers the video, audio and control signals received from the controller 61 of the monitoring device 15 to the user PC 85. Further, the VTE 81 transfers the voice and control signal received from the user PC 85 to the controller 61.

  In the present embodiment, the user base 7 is a store owner's office or the like. Therefore, the user PC 85 may be a store owner's PC. The user PC 85 is used by the owner to view the monitoring video of the monitoring target 5. In order to provide this function, application software capable of displaying and switching the monitoring video of the monitoring target 5 by communicating with the controller 61 is installed in the user PC 85.

  In the present embodiment, the user device 17 is fixed. However, the function of the user device 17 may be incorporated in a mobile terminal or the like and movable.

  The overall configuration of the monitoring system 1 has been described above. Next, the structure which concerns on the characteristic of this invention is demonstrated.

  As described with reference to FIG. 1, the center terminal VPN 21 is always constructed between the communication management device 11 and the monitoring device 15. Between the communication management device 11 and the user device 17, the center terminal VPN 21 is always constructed. In addition to these center terminal VPNs 21, an inter-terminal VPN 25 is constructed directly between the monitoring device 15 and the user device 17.

  When the inter-terminal VPN 25 is connected, information is exchanged. Information necessary for connection establishment is referred to herein as “connection establishment information”. In the present embodiment, an IP address and an electronic certificate are exchanged between the monitoring device 15 and the user device 17 as connection establishment information.

  As a means for exchanging connection establishment information, the present embodiment focuses on SIP. In SIP signaling, messages are exchanged between terminals. The above IP address and electronic certificate are incorporated into these SIP messages. As a result, information exchange for preparation of the construction of the inter-terminal VPN 25 is performed in the SIP signaling process.

  As described above, in this embodiment, SIP and VPN are combined well, information necessary for VPN connection is exchanged by SIP, and the VPN information is established by authenticating each other using the exchanged information. Furthermore, this embodiment is configured not only by combining SIP and VPN, but also by considering the following points.

  The monitoring device 15 transmits an image or the like to the user device 17 using the inter-terminal VPN 25, for example, regularly or at the time of a visitor or the like. Further, the owner may operate the user device 17 to request a video from the monitoring device 15, and may acquire a video or the like from the monitoring device 15 using the inter-terminal VPN 25. In the former, the monitoring device 15 is the connection request source, and in the latter, the user device 17 is the connection request source.

  However, for VPN connection, a VPN connection request must be made from the VPN client to the VPN server. Therefore, if VPN is simply applied, in order to make a connection request from the monitoring device 15 to the user device 17, the user device 17 needs to have a VPN server function. Further, in order to make a VPN connection request from the user device 17 to the monitoring device 15, the monitoring device 15 also needs to have a VPN server function. After all, it is necessary to provide a VPN server function in both terminals, and the configuration becomes complicated.

  The present embodiment eliminates the need for providing the VPN server function in both the monitoring device 15 and the user device 17 as described above, and simplifies the configuration.

  FIG. 3 is a part of the monitoring system 1 shown in FIGS. 1 and 2 and shows a main part of the present invention. In FIG. 3, the elements described in FIGS. 1 and 2 are denoted by the same reference numerals.

  As illustrated in FIG. 3, the communication management apparatus 11 includes an authorization information storage unit 101 and an authorization processing unit 103 in addition to the VPN server 35 and the SIP server 37. The authorization information storage unit 101 stores connection authorization information representing a combination of terminals (monitoring device 15 and user device 17) whose connection is to be authorized. Then, the authorization processing unit 103 refers to the connection authorization information and determines whether to authorize the connection between the terminals. The authorization information storage unit 101 and the authorization processing unit 103 are realized by the database 43 and the account management server 41 in FIG.

  FIG. 4 shows an example of connection authorization information to be stored in the authorization information storage unit 101. In this example, the connection authorization information is a table representing a combination of terminal IDs. This table associates each user (store owner), the monitoring device ID (ID of the monitoring device 15), and the user device ID (ID of the user device 17). The monitoring device ID and the user device ID may be any information that can identify the monitoring device 15 and the user device 17. In the example described later, the monitoring device ID is the ID of the IP line unit 63, and the user device ID is the ID of the VTE 81.

  One owner may have multiple stores. In this case, one monitoring device 15 is combined with a plurality of user devices 17. In the example of FIG. 4, a user C has two stores, and two monitoring devices 15 (C01, C02) are associated with the user device 17 (C11). In addition, when one owner uses a plurality of user devices 17, one monitoring device 15 may be associated with a plurality of user devices 17.

  Returning to FIG. 3, in the monitoring device 15, the IP line unit 63 includes a SIP processing unit 111, a VPN client unit 113, and a storage unit 115. The SIP processing unit 111 performs processing related to SIP. The VPN client unit 113 functions as a VPN client and performs processing related to the inter-terminal VPN 25.

  The storage unit 115 stores various types of information processed by the IP line unit 63. In particular, in relation to the present invention, the storage unit 115 stores the IP address of the IP line unit 63 and the individual certificate of the IP line unit 63. This individual certificate is an electronic certificate assigned to each IP line unit of the monitoring device. These information correspond to the connection establishment information of the present invention, and are provided to the connection partner for VPN connection. Further, the storage unit 115 stores an IP line unit ID (ID of the IP line unit 63), and this IP line unit ID is used as an ID of the monitoring target 5.

  As shown in FIG. 3, the storage unit 115 further stores VPN connection request conditions. The VPN connection request condition is a condition for the VPN client unit 113 to request a VPN connection from the user device 17. As VPN connection request conditions, two VPN connection request conditions that differ depending on the exchange order of connection establishment information using SIP are stored as described below.

  FIG. 5 shows the first and second VPN connection request conditions stored in the storage unit 115. The first and second VPN connection request conditions are as follows.

(First VPN connection requirement)
The first VPN connection request condition is a condition when the monitoring device 15 is a connection establishment information exchange request source and the user device 17 is an exchange request destination. In this case, the monitoring device 15 transmits an INVITE message including connection establishment information to the user device 17 as an exchange request source. The first VPN connection request condition is “the monitoring device 15 has received an OK message including connection establishment information from the user device 17”.

(Second VPN connection requirement)
The second VPN connection request condition is a condition when the user device 17 is a connection establishment information exchange request source and the monitoring device 15 is an exchange request destination. In this case, the monitoring device 15 receives an INVITE message including connection establishment information from the user device 17. The second VPN connection request condition is “the monitoring device 15 has returned an OK message including connection establishment information to the user device 17 and has received an ACK message from the user device 17”.

  Returning to FIG. 3, the user device 17 will be described. The VTE 81 of the user device 17 includes a SIP processing unit 121, a VPN server unit 123, and a storage unit 125. The SIP processing unit 121 performs processing related to SIP. The VPN server unit 123 functions as a VPN server and performs processing related to the inter-terminal VPN 25. The storage unit 125 stores the IP address of the VTE 81 and the individual certificate of the VTE 81. The individual certificate is an electronic certificate assigned to each VTE. The storage unit 125 stores VTE-ID (ID of VTE 81).

  Next, the operation of the present embodiment will be described with reference to FIGS. Here, the operation when constructing the inter-terminal VPN 25, that is, the operation when performing the VPN connection between the monitoring device 15 and the user device 17 will be described.

  First, a case where the monitoring device 15 becomes a connection establishment information exchange request source will be described with reference to FIG. This is the case, for example, when the monitoring device 15 voluntarily transmits monitoring information such as video to the user device 17. In the above-described example, periodic video transmission and video transmission at the time of visitor are applicable. In FIG. 6 and the next FIG. 7, the operations of the monitoring device 15 and the user device 17 are specifically performed mainly by the IP line unit 63 and the VTE 81.

  As shown in FIG. 6, the monitoring device 15 sends an INVITE message (specifically, a SIP INVITE message, the same applies hereinafter) to the SIP server 37 (S1). The ID of the monitoring device 15 and the user device 17 is added to the INVITE message, and the IP address of the monitoring device 15 and the individual certificate of the IP line unit 63 are added as connection establishment information.

  When the SIP server 37 receives the INVITE message, the SIP server 37 supplies the IDs of the monitoring device 15 and the user device 17 to the authorization processing unit 103, and inquires of the authorization processing unit 103 whether the connection is possible (S3). The authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101 shown in FIG. 4 and determines whether to authorize the connection (S5). If the combination of the IDs of the monitoring device 15 and the user device 17 is registered in the authorization information storage unit 101, the connection is authorized.

  The SIP server 37 receives the authorization result from the authorization processing unit 103 (S7). When the connection is authorized by the authorization processing unit 103, the SIP server 37 transmits an INVITE message to the user device 17 (S9). This INVITE message includes the IP address of the monitoring device 15 and the individual certificate of the IP line unit 63 as connection establishment information.

  Upon receiving the INVITE message, the user device 17 sends an OK message (specifically, a SIP 200 OK message, the same applies hereinafter) to the SIP server 37 (S11). To the OK message, the IP address of the user device 17 and the individual certificate of the VTE 81 are added as connection establishment information. The OK message is transmitted to the monitoring device 15 via the SIP server 37 (S13).

  In the monitoring device 15, the VPN client unit 113 of the IP line unit 63 refers to the VPN connection request condition in the storage unit 115 and determines whether the VPN connection request condition is satisfied. When the monitoring device 15 receives the OK message, the first VPN connection request condition is satisfied (S15). Therefore, the VPN client unit 113 makes a VPN connection request to the VPN server unit 123 of the user device 17 (S17). The user device 17 determines whether or not the VPN connection is possible by checking the individual certificate of the VTE included in the VPN connection request with the individual certificate stored after being exchanged. Thereby, VPN connection is established and monitoring information is communicated (S19).

  Next, a case where the user device 17 is a connection establishment information exchange request source, that is, the monitoring device 15 is a connection establishment information exchange request destination will be described with reference to FIG. This is the case, for example, when the user device 17 requests monitoring information such as video from the monitoring device 15 in accordance with the operation of the owner.

  The user device 17 sends an INVITE message to the SIP server 37 (S31). The IDs of the user device 17 and the monitoring device 15 are added to the INVITE message, and the IP address of the user device 17 and the individual certificate of the VTE 81 are added as connection establishment information.

  When the SIP server 37 receives the INVITE message, the SIP server 37 supplies the IDs of the user device 17 and the monitoring device 15 to the authorization processing unit 103 and inquires of the authorization processing unit 103 whether the connection is possible (S33). The authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101 illustrated in FIG. 4 and determines whether to authorize the connection (S35). If the combination of the IDs of the user device 17 and the monitoring device 15 is registered in the authorization information storage unit 101, the connection is authorized.

  The SIP server 37 receives the authorization result from the authorization processing unit 103 (S37). When the connection is authorized by the authorization processing unit 103, the SIP server 37 transmits an INVITE message to the monitoring device 15 (S39). This INVITE message includes the IP address of the user device 17 and the individual certificate of the VTE 81 as connection establishment information.

  When receiving the INVITE message, the monitoring device 15 transmits an OK message including the IP address of the monitoring device 15 and the individual certificate of the IP line unit 63 as connection establishment information to the SIP server 37 (S41). The OK message is transmitted to the user device 17 via the SIP server 37 (S43).

  Upon receiving the OK message, the user device 17 transmits an ACK message to the SIP server 37 (S45). The ACK message is transmitted from the SIP server 37 to the monitoring device 15 (S47). In the monitoring device 15, the VPN client unit 113 of the IP line unit 63 refers to the VPN connection request condition in the storage unit 115 and determines whether the VPN connection request condition is satisfied. When the monitoring device 15 receives the ACK message, the second VPN connection request condition is satisfied (S49). Therefore, the VPN client unit 113 makes a VPN connection request to the VPN server unit 123 of the user device 17 (S51). This VPN connection request includes the individual certificate of the IP line unit 63 and is collated with the certificate exchanged earlier. Thereby, a VPN connection is established and monitoring information is communicated (S53).

  As described above, in the present embodiment, a VPN connection request is triggered according to which of the monitoring device 15 and the user device 17 is a connection establishment information exchange request source, that is, according to the exchange order of connection establishment information. The conditions are set differently. Thereby, in any case, a VPN connection request is made from the monitoring device 15 to the user device 17. Therefore, the VPN server function only needs to be provided in the user device 17, and the monitoring device 15 does not have to have the VPN server function.

  Although omitted in FIG. 6, when the monitoring device 15 also receives the SIP OK message, it returns an ACK message. However, in the case of FIG. 6, the VPN connection request condition is satisfied by receiving the OK message, regardless of the ACK message.

  FIG. 8 is a flowchart showing the operation of the IP line unit 63 of the monitoring device 15 in the processing of FIG. 6 and FIG.

  The IP line unit 63 determines whether an INVITE message has been transmitted to the VTE 81 of the user device 17 (S71). If the IP line unit 63 has not transmitted the INVITE message, the IP line unit 63 conversely determines whether or not the INVITE message has been received from the VTE 81 (S73).

  If step S71 is Yes, the IP line unit 63 determines whether an OK message has been received from the VTE 81 (S75). When the OK message is received from the VTE 81, the first VPN connection request condition is satisfied (S77). Therefore, the VPN client unit 113 of the IP line unit 63 makes a VPN connection request to the VPN server unit 123 of the VTE 81 (S85).

  On the other hand, if Step S73 is Yes, the IP line unit 63 transmits an OK message to the VTE 81 (S79), and determines whether an ACK message is received from the VTE 81 (S81). When the ACK message is received from the VTE 81, the second VPN connection request condition is satisfied (S83). Therefore, the VPN client unit 113 of the IP line unit 63 makes a VPN connection request to the VPN server unit 123 of the VTE 81 (S85).

  Next, details of the operation of the monitoring system 1 will be described with reference to FIGS. 9 and 10. 9 and 10 show details of the operations of FIGS. 6 and 7, respectively.

  In the time chart of FIG. 9, the controller 61 and the IP line unit 63 are the configuration of the monitoring device 15, the SIP server 37 and the authorization information storage unit 101 (account management server 41) are the configuration of the communication management device 11, and the VTE 81 and A user PC 85 is the configuration of the user device 17.

  The controller 61 sends a connection instruction (P2P connection instruction) including the VTE-ID (the ID of the VTE 81) to the IP line unit 63 (S101). Here, the VTE-ID is used as the connection destination terminal ID.

  The IP line unit 63 reads the IP line unit IP address (IP address of the IP line unit 63) and the IP line unit individual certificate (electronic certificate assigned to the IP line unit 63) from the storage unit 115. Further, the IP line unit 63 reads the IP line unit ID (ID of the IP line unit 63) as the connection source terminal ID from the storage unit 115. Then, the IP line unit 63 adds these pieces of information to the INVITE message and sends the INVITE message to the SIP server 37 (S103). Specifically, the INVITE message includes an IP line unit IP address, an IP line unit ID, a VTE-ID, and an IP line unit individual certificate.

  The SIP server 37 receives the INVITE message, transmits the IP line unit ID and VTE-ID to the authorization processing unit 103, and inquires whether or not to authorize the connection (S105). The authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101 and determines whether to authorize the connection (S107). Here, the table of FIG. 4 is read. Then, the authorization processing unit 103 determines whether or not the combination of terminal IDs for inquiry is registered in the table. If the corresponding combination is registered, the authorization processing unit 103 authorizes the connection. The authorization result is transmitted from the authorization processing unit 103 to the SIP server 37 (S109). The SIP server 37 transmits an INVITE message to the VTE 81 when the authorization processing unit 103 authorizes the connection (S111). An IP line unit IP address and an IP line unit individual certificate are added to the INVITE message.

  In the above processing, if the connection is not authorized in step S107, the SIP server 37 does not send the INVITE message to the VTE 81. Therefore, subsequent SIP processing is not performed, and further VPN connection is not performed.

  When receiving the INVITE message, the VTE 81 holds the IP line unit IP address and the IP line unit individual certificate in the storage unit 125, and inquires of the user PC 85 for a connection request (P2P connection request) (S113). An IP line unit IP address is added to this connection request. Then, the user PC 85 sends a connection response to the VTE 81 (S115).

  The VTE 81 reads out the VTE-IP address (the IP address of the VTE 81) and the VTE individual certificate (the electronic certificate allocated to the VTE 81) from the storage unit 125. Then, the VTE 81 transmits an OK message to the SIP server 37 (S117). A VTE-IP address and a VTE individual certificate are added to this OK message.

  The SIP server 37 transmits an OK message together with the VTE-IP address and the VTE individual certificate to the IP line unit 63 (S119). Upon receiving the OK message, the IP line unit 63 holds the VTE-IP address and the VTE individual certificate in the storage unit 115, sends an ACK message to the SIP server 37 (S121), and the SIP server 37 further sends an ACK message. The data is sent to the VTE 81 (S123).

  In the above process, the IP line unit 63 obtains the IP address of the VTE 81 and the VTE individual certificate. Also, the VTE 81 has acquired the IP address of the IP line unit 63 and the IP line unit individual certificate. Then, the IP line unit 63 satisfies the first VPN connection request condition shown in FIG. 5 by receiving the OK message (S119).

  Therefore, as shown in the figure, the IP line unit 63 makes a VPN connection request to the VTE 81 (S125). Here, VPN connection is directly requested without going through the SIP server 37. The VTE 81 sends incoming call information including the IP line unit IP address of the other party to the user PC 85 (S127). The IP line unit IP address is used by the user PC 85 for VPN communication. Further, the VTE 81 notifies the IP line unit 63 that the VPN connection processing has been performed as a VPN server (S129). The IP line unit 63 notifies the controller 61 that the connection result is OK, and also notifies the controller 61 of the destination VTE-IP address (S131). The VTE-IP address is used by the controller 61 for VPN communication. Thus, a VPN connection is established, and information is communicated via the inter-terminal VPN 25. Monitoring video, audio, and the like are provided from the monitoring device 15 to the user device 17.

  Next, a case where the user device 17 is a connection source will be described with reference to FIG. It is assumed that the user (owner) inputs a video display instruction to the user PC 85, for example. The user PC 85 sends a connection instruction (P2P connection instruction) including the IP line unit ID to the VTE 81 (S201). Here, the IP line unit ID is used as the ID of the connection destination terminal.

  The VTE 81 reads the VTE-IP address and the VTE individual certificate from the storage unit 125. The VTE 81 reads the VTE-ID as the connection source terminal ID from the storage unit 125. The VTE 81 adds the information to the INVITE message and sends the INVITE message to the SIP server 37 (S203). Specifically, the INVITE message includes a VTE-IP address, a VTE-ID, an IP line unit ID, and a VTE individual certificate.

  The SIP server 37 receives the INVITE message, transmits the VTE-ID and IP line unit ID to the authorization processing unit 103, and inquires whether or not to authorize the connection (S205). The authorization processing unit 103 refers to the connection authorization information in the authorization information storage unit 101 in the same manner as described above, determines whether or not to authorize the connection (S207), and sends the authorization result to the SIP server 37 (S209). If the combination of VTE-ID and IP line unit ID is registered, the connection is authorized. When the authorization processing unit 103 authorizes the connection, the SIP server 37 transmits an INVITE message to the IP line unit 63 (S211). A VTE-IP address and a VTE individual certificate are added to this INVITE message.

  In the above processing, if the connection is not approved in step S207, the SIP server 37 does not send the INVITE message to the IP line unit 63. Therefore, subsequent SIP processing is not performed, and further VPN connection is not performed.

  When receiving the INVITE message, the IP line unit 63 holds the VTE-IP address and the VTE individual certificate in the storage unit 115. The IP line unit 63 inquires of the controller 61 for a connection request (P2P connection request) (S213). A VTE-IP address is added to this connection request. Then, the controller 61 sends a connection response to the IP line unit 63 (S215).

  The IP line unit 63 reads the IP line unit IP address and the IP line unit individual certificate from the storage unit 115. And then. The IP line unit 63 transmits an OK message to the SIP server 37 (S217). An IP line unit IP address and an IP line unit individual certificate are added to this OK message.

  The SIP server 37 transmits an OK message to the VTE 81 together with the IP line unit IP address and the IP line unit individual certificate (S219). When the VTE 81 receives the OK message, it stores the IP line unit IP address and the IP line unit individual certificate in the storage unit 125 and returns an ACK message to the SIP server 37 (S221). The establishment of connection is notified (S223). The SIP server 37 transmits an ACK message to the IP line unit 63 (S225).

  In the above process, the IP address and each individual certificate are exchanged between the IP line unit 63 and the VTE 81. In the IP line unit 63, the second VPN connection request condition shown in FIG. 5 is established by receiving the ACK message (S225).

  Therefore, as shown in the figure, the IP line unit 63 makes a VPN connection request to the VTE 81 (S227). The VPN connection is made without going through the SIP server 37. The VTE 81 sends incoming information including the other party's VTE-IP address to the user PC 85 (S229). Further, the VTE 81 notifies the IP line unit 63 that the VPN connection processing has been performed as a VPN server (S231). The IP line unit 63 sends incoming information including the other party's VTE-IP address to the controller 61 (S233). Thus, a VPN connection is established, and information is communicated via the inter-terminal VPN 25.

  As shown in FIGS. 9 and 10, a VPN connection request is sent from the IP line unit 63 to the VTE 81 in the processes of both figures. Therefore, even with the configuration of FIG. 3 in which the VPN server function is provided in the VTE 81 and the VPN server function is not provided in the IP line unit 63, the VPN connection can be suitably established in both the situation of FIG. 9 and FIG.

  The preferred embodiments of the present invention have been described above. In the present embodiment, the user device 17 and the monitoring device 15 correspond to the first terminal and the second terminal of the present invention, respectively. The storage unit 125 of the VTE 81 and the storage unit 115 of the IP line unit 63 correspond to the first storage unit and the second storage unit of the present invention. Furthermore, the IP address and electronic certificate of the VTE 81 correspond to server-side connection establishment information, the IP address and electronic certificate of the IP line unit 63 correspond to client-side connection establishment information, and an SIP ACK message This corresponds to receipt confirmation of the present invention.

  According to the present embodiment, as described above, the first terminal (user device 17) is provided with the VPN server function, and the second terminal (monitoring device 15) is provided with the VPN client function. In connection with the exchange order of the connection establishment information, two VPN connection request conditions are stored in the second terminal, and when one of the VPN connection request conditions is satisfied, the second terminal sends the VPN to the first terminal. Make a connection request. As a result, the first terminal makes a VPN connection request to the second terminal when either terminal becomes a request source of connection establishment information, that is, when either terminal desires connection. Therefore, it is not necessary to provide a VPN server function in both terminals, and the configuration is simplified.

  In the present embodiment, SIP is used as a means for exchanging connection establishment information for VPN connection. A combination of SIP and VPN is successfully established, and connection establishment information necessary for VPN connection is exchanged by SIP, and a VPN connection is established using the exchanged information. Furthermore, the present invention not only combines SIP and VPN, but also sets the first and second VPN connection request conditions as described above. Thereby, regardless of which of the first and second terminals issues the SIP invitation message, the VPN connection request is made from the second terminal to the first terminal. Therefore, it is not necessary to provide a VPN server function in both terminals, and the configuration is simplified.

  Further, although the IP address and the electronic certificate have been described as examples of the connection establishment information, the other party may be authenticated using other information instead of the electronic certificate. For example, a common name included in the electronic certificate may be used as connection establishment information.

  Further, in the present embodiment, information on the combination of terminals to be authorized for connection is stored in advance, and the connection between the terminals is authorized at the time of SIP signaling. Accordingly, not only authentication between the terminal and the SIP server, but authorization between terminals via the SIP server, that is, P2P can be performed, and the number of users of the monitoring information can be suitably limited. In this way, security can be improved when SIP is applied to the monitoring system.

  In the present embodiment, the first terminal is a user device that uses a monitoring service, and the second terminal is a monitoring device that is installed as a monitoring target. When the monitoring device transmits monitoring information to the user device according to a predetermined setting, the monitoring device makes a VPN connection request to the user device. Also, when the user device requests the monitoring device to transmit monitoring information, the monitoring device makes a VPN connection request to the user device. Therefore, when the monitoring device and the user device are connected by VPN, the VPN server function only needs to be provided in the user device, and the configuration can be simplified.

  As a simple calculation, if the same number of user devices as many monitoring devices are arranged in the monitoring system, the VPN server function only needs to be provided in half of the terminal devices, and the configuration can be greatly simplified.

  Within the scope of the present invention, a VPN client unit may be provided in the user device, and a VPN server unit may be provided in the monitoring device. In this case as well, the number of VPN servers can be reduced and the configuration can be simplified.

  In the above embodiment, it has been described that the monitoring device refers to the VPN connection request condition of the storage unit at a predetermined timing (OK message reception, ACK message reception) to determine whether the condition is satisfied. You may implement | achieve as two programs which perform a VPN connection request | requirement based on a requirement condition. In this case, the monitoring device executes a program including the first VPN connection request condition when it becomes a connection establishment information exchange request source, and executes a program including the second VPN connection request condition when receiving the exchange request. To do. In such a configuration, the VPN connection request condition is stored as a part of the program, and is included in the scope of the present invention.

  The preferred embodiments of the present invention have been described above. However, the present invention is not limited to the above-described embodiments, and it goes without saying that those skilled in the art can modify the above-described embodiments within the scope of the present invention.

  As described above, the monitoring system according to the present invention is useful for monitoring a store or the like from a remote place using communication.

DESCRIPTION OF SYMBOLS 1 Monitoring system 3 Monitoring center 5 Monitoring object 7 User base 11 Communication management apparatus 13 Center apparatus 15 Monitoring apparatus 17 User apparatus 21 VPN between center terminals
23 SIP communication 25 VPN between terminals
33 HTTP server 35 VPN server 37 SIP server 41 Account management server 43 Database 61 Controller 63 IP line unit 65, 83 Router 69 Multi-line adapter 73 Surveillance camera 81 VPN terminator (VTE)
85 User PC
101 Authorization Information Storage Unit 103 Authorization Processing Unit 113 VPN Client Unit 123 VPN Server Unit

Claims (5)

A monitoring system having first and second terminals connected by VPN and communicating monitoring information between the first and second terminals,
The first terminal is
A VPN server for realizing the VPN server function;
A first storage unit for holding server-side connection establishment information to be transmitted to the second terminal in order to establish a VPN connection;
The second terminal is
A VPN client unit that implements a VPN client function;
VPN connection request condition, which is a condition for holding connection information on the client side to be transmitted to the first terminal to establish a VPN connection and requesting a VPN connection from the VPN client unit to the VPN server unit A second storage unit for storing
The second storage unit has the VPN connection request condition as follows:
The second terminal is established by receiving the server side connection establishment information from the first terminal when the second terminal transmits the client side connection establishment information to the first terminal as an exchange request source. 1 VPN connection requirement,
When the second terminal receives the server-side connection establishment information from the first terminal as an exchange request destination, the client-side connection establishment information is returned to the first terminal, and the first terminal Storing the second VPN connection request condition established upon receipt of the receipt confirmation from the terminal of
The VPN client unit of the second terminal makes a VPN connection request to the VPN server unit of the first terminal when the first or second VPN connection request condition is satisfied. system. The first and second terminals exchange SIP messages;
When the second terminal transmits an invitation message including connection establishment information on the client side to the first terminal, an OK message including connection establishment information on the server side is received from the first terminal. The first VPN connection request condition is satisfied,
When the second terminal receives an invitation message including connection establishment information on the server side from the first terminal, an OK message including connection establishment information on the client side is returned to the first terminal. The monitoring system according to claim 1, wherein the second VPN connection request condition is satisfied when an ACK message is received from the first terminal. A communication management device connected to the first and second terminals, wherein the first and second terminals exchange the SIP message via the communication management device;
The communication management device
A SIP server;
An authorization information storage unit that stores connection authorization information representing a combination of a connection source and a connection destination terminal whose connection is to be authorized;
An authorization processing unit that determines whether to authorize a connection between terminals with reference to the connection authorization information;
When an invitation message is received from the first or second terminal, the SIP server supplies identification information of the connection destination terminal included in the invitation message to the authorization processing unit, and the authorization processing unit The server according to claim 2, wherein the SIP server supplies an invitation message from the connection source terminal to the connection destination terminal when the connection server and the connection destination terminal are permitted to connect. Monitoring system. The first terminal is a user device that uses a monitoring service, and the second terminal is a monitoring device installed in a monitoring target;
When monitoring information is transmitted from the monitoring device to the user device according to a predetermined setting, the monitoring device serves as the exchange request source and sends a VPN to the user device when the first VPN connection request condition is satisfied. Make a connection request,
When the user device requests the monitoring device to transmit the monitoring information, the monitoring device becomes the exchange request destination and establishes a VPN connection to the user device when the second VPN connection request condition is satisfied. The monitoring system according to claim 1, wherein a request is made. A terminal device for a monitoring system, provided in a monitoring system including a plurality of terminal devices for communicating monitoring information, and configured to communicate with a VPN server terminal that constitutes the monitoring system and has a VPN server function,
A VPN client unit that implements a VPN client function;
VPN connection request conditions, which are conditions for requesting a VPN connection from the VPN client unit to the VPN server terminal, while holding client side connection establishment information to be transmitted to the VPN server terminal in order to establish a VPN connection A storage unit for storing,
The storage unit has the VPN connection request condition as follows:
The first VPN established when the server side connection establishment information is received from the VPN server terminal when the client side connection establishment information is transmitted to the VPN server terminal as the connection establishment information exchange request source. Connection requirements,
When the server side connection establishment information is received from the VPN server terminal as the connection establishment information exchange request destination, the client side connection establishment information is returned to the VPN server terminal, and further received from the VPN server terminal Storing the second VPN connection request condition established upon receipt of the confirmation;
A terminal device for a monitoring system, wherein the VPN client unit makes a VPN connection request to the VPN server terminal when the first or second VPN connection request condition is satisfied.