JP2019121846A - Vpn system and vpn system control method - Google Patents

Abstract

To improve an accommodation ratio with respect to the number of VPN sessions.SOLUTION: A VPN system comprises at least three VPN servers. Each VPN server has the upper limit number of VPN sessions, two management groups, an entrusted group associated with a management group of another VPN server, VPNIDs belonging to the management groups, and the upper limit number of VPNIDs capable of being registered with the management groups. The sum of the upper limit numbers of the respective management groups and the upper limit number of the entrusted group is equal to or smaller than the upper limit number of VPN sessions. The respective management groups are associated with entrusted groups of other VPN servers differing from each other. When a failure occurs in one VPN server, a VPN server including an entrusted group associated with a management group of the one VPN server accepts management of the management group.SELECTED DRAWING: Figure 8

Description

  The present disclosure relates to a VPN system and a control method of the VPN system.

  Medical information such as medical records and prescriptions handled by medical institutions such as hospitals and pharmacies has shifted from management by paper media to management by electronic data from the viewpoint of information sharing and ease of retrieval (eg, patent documents 1). Currently, medical institutions install and operate their own servers that manage medical information as electronic data.

  Setting up and operating a server on its own requires a large burden on the medical institution, such as securing the server installation location and operators. Therefore, managing medical information with a so-called cloud server has been considered. In this case, a terminal installed at a medical institution accesses medical information managed by a server on a so-called cloud via a communication network. Since medical information contains personal sensitive information, a server that manages medical information is required to have high security. One of the methods for enhancing security on the communication network is to provide a VPN server on the cloud and establish a VPN session between the terminal and the VPN server.

JP, 2016-181296, A

  The VPN server may have an upper limit number of VPN sessions that can be established. In the case of a VPN system in which multiple VPN servers are redundantly configured, the upper limit number of VPN sessions of each VPN server becomes a bottleneck, and the upper limit number of VPN sessions and the maximum number of actually established VPN sessions in the entire VPN system And the rate of (containment rate) may decrease.

  The present disclosure is to provide a VPN system having a relatively high occupancy rate related to the number of VPN sessions and a control method of the VPN system.

  A VPN system according to an aspect of the present disclosure includes at least three virtual private network (VPN) servers, and each VPN server has an upper limit number of VPN sessions, at least two management groups to be managed, and another VPN. The management group includes a trust group associated with a management group of a server, an ID used to identify the VPN session belonging to the management group, and an upper limit number of IDs that can be registered in the management group. The sum of the upper limit number of and the upper limit number of the consignment group is equal to or less than the upper limit number of the VPN sessions, and each management group is associated with a consignment group of another VPN server different from each other, and one VPN server When a failure occurs, there is a trust group associated with the management group of the one VPN server That VPN server, take over the management of the management group.

  Note that these general or specific aspects may be realized by an apparatus, a method, an integrated circuit, a computer program, or a recording medium, and any of a system, an apparatus, a method, an integrated circuit, a computer program, and a recording medium It may be realized by any combination.

  According to the present disclosure, the accommodation rate related to the number of VPN sessions can be increased.

  Further advantages and effects of one aspect of the present disclosure are apparent from the specification and the drawings. Such advantages and / or effects may be provided by some embodiments and features described in the specification and drawings, respectively, but need to be all provided to obtain one or more identical features. There is no.

1 is a block diagram showing an example of the configuration of a medical information management system according to Embodiment 1. FIG. FIG. 2 is a block diagram showing an example of the configuration of a VPN server. The figure which shows the example of connecting point information. The sequence chart which shows the example of issue processing of a temporary password. The sequence chart which shows the example of first time VPN connection processing. The sequence chart which shows the example of the renewal processing of connection point information. The schematic diagram which shows the example of the redundancy structure of a VPN server. FIG. 7 is a schematic view showing an example of a redundant configuration of the VPN server according to the second embodiment. FIG. 2 is a block diagram illustrating an example of a hardware configuration of an apparatus according to the present disclosure.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings as appropriate. However, the detailed description may be omitted if necessary. For example, detailed description of already well-known matters and redundant description of substantially the same configuration may be omitted. This is to avoid unnecessary redundancy in the following description and to facilitate understanding by those skilled in the art.

  It should be noted that the attached drawings and the following description are provided to enable those skilled in the art to fully understand the present disclosure, and they are not intended to limit the claimed subject matter.

  Further, in the case of describing the elements of the same type in a different manner, the reference symbols such as "user terminal 31A" and "user terminal 31B" are used, and in the case of explaining the elements of the same type without distinction Only the common number among the reference signs may be used like 31 ".

Embodiment 1
<System configuration>
Next, the configuration of the information management system will be described with reference to FIG.

  The information management system 10 manages various information (medical information) handled by a medical institution as electronic data. Medical institutions are, for example, hospitals and pharmacies. The medical information is, for example, medical record information and prescription information.

  The information management system 10 includes a DB (DataBase) server 21, a DB 22, an authentication server 23, an APP (Application) server 24, and VPN (Virtual Private Network) servers 25A and 25B. The DB server 21, the authentication server 23, the APP server 24, and the VPN servers 25A and 25B are connected to the LAN 26. The VPN servers 25A, 25B exchange data with the DB server 21 via the APP server 24. The LAN 26 may be either a physical or logical network. Further, hereinafter, when the VPN servers 25A and 25B are described without distinction, they are described as the VPN server 25.

  Further, each of the user terminals 31A, 31B, 31C, 31D, the maintenance terminal 32, and the operation terminal 33 can bidirectionally exchange data with the information management system 10 through the communication network 34. The communication network 34 is, for example, the Internet. The user terminals 31A, 31B, 31C, 31D, the maintenance terminal 32, and the operation terminal 33 may be collectively referred to as the information management system 10. Further, hereinafter, when the user terminals 31A, 31B, 31C, and 31D are described without distinction, they are described as the user terminal 31.

  The DB 22 manages medical information of each medical institution as a database.

  The DB server 21 is connected to the DB 22, and performs registration, change, deletion, search and the like of medical information in the DB 22. The DB server 21 is, for example, an SQL server.

  The authentication server 23 manages and authenticates the ID and password pair. The ID managed and authenticated by the authentication server 23 is, for example, VPNID used when the user terminal 31 connects to the VPN server 25.

  The APP server 24 provides an API (Application Programming Interface) corresponding to the function of the information management system 10. The APP server 24 provides, for example, a Web API in JSON format.

  The VPN server 25 establishes a VPN session with the user terminal 31, the maintenance terminal 32 and / or the operation terminal 33. The details of the VPN server 25 will be described later. The protocol used for VPN is, for example, SSL, IPSec, L2TP / IPSec, SSTP or OpenVPN.

  The user terminal 31 is a terminal used by a medical worker who belongs to a medical institution. Medical workers are, for example, doctors, nurses, pharmacists and medical clerks. The user terminal 31 connects to the VPN server 25 via the communication network 34 (the Internet), and establishes a VPN session with the VPN server 25. Then, the user terminal 31 accesses the medical information of the medical institution to which the user terminal 31 belongs via the VPN session. The user terminals 31 belonging to the same medical institution do not necessarily have to be installed in the same facility. For example, user terminals 31 belonging to the same medical institution may be installed in another facility of the same medical institution, or may be possessed by medical workers belonging to the same medical institution. The user terminal 31 is, for example, a PC, a tablet terminal or a smartphone.

  The maintenance terminal 32 is a terminal used by a maintenance person who belongs to a maintenance organization. The maintenance organization is, for example, an organization which receives a commission from a medical institution, and undertakes various settings, management, and the like related to the medical institution in the information management system 10. The maintenance terminal 32 connects to the VPN server 25 via the communication network 34 and establishes a VPN session with the VPN server 25. Then, the maintenance person operates the maintenance terminal 32, and performs various settings, management, and the like related to the medical institution to be maintained.

  The operation terminal 33 is a terminal used by an operator belonging to the operation organization of the information management system 10. The operation terminal 33 connects to the VPN server 25 via the communication network 34 and establishes a VPN session with the VPN server 25. Then, the operator operates the operation terminal 33 to operate the information management system 10.

  The information management system 10 may include two or more VPN servers 25A, 25B to enhance availability. When the user terminal 31 can not connect to the primary VPN server 25A, the user terminal 31 may connect to the secondary VPN server 25B. Similarly, in order to improve availability, the information management system 10 may include two or more DB servers 21, authentication servers 23, and / or APP servers 24.

<Detail of VPN server>
Next, the VPN server 25 will be described in detail with reference to FIG.

  The VPN server 25 implements the functions possessed by the conventional HUB device, NAT device and DHCP device as software functions. The software functions corresponding to the HUB device, the NAT device, and the DCHP device are hereinafter referred to as virtual HUB, virtual NAT, and virtual DHCP, respectively.

  The VPN server 25 can virtually connect these virtual devices to construct a virtual network. For example, FIG. 2 shows that the virtual NAT 42A and the virtual DHCP 43A are virtually connected to the virtual HUB 41A, and the virtual NAT 42B and the virtual DHCP 43B are virtually connected to the virtual HUB 43B. In the following description, virtual HUBs 41A and 41B, virtual NATs 42A and 42B, and virtual DHCPs 43A and 43B will be described as virtual HUB 41, virtual NAT 42, and virtual DHCP 43, respectively, when they are described without distinction.

  The VPN server 25 can virtually connect the user terminal 31 to the virtual HUB 41. That is, the VPN server 25 can establish the VPN session 51 between the user terminal 31 and the virtual HUB 41. Hereinafter, establishing the VPN session 51 between the user terminal 31 and the virtual HUB 41 and connecting the user terminal 31 virtually to the virtual HUB 41 may be described as “VPN connection”. The VPN server 25 also manages the VPNID used for authentication of the user terminal 31.

  The VPN server 25 VPN-connects the user terminals 31 belonging to the same medical institution to the same virtual HUB 41 associated with the medical institution. The virtual DHCP 43 connected to the virtual HUB 41 has a private IP address (for example, “192.168.1.1/24” or “192.168.1”) belonging to the same subnet as the user terminal 31 connected by VPN. .2) etc.). As a result, the user terminals 31 belonging to the same medical institution are logically connected to the same LAN. In other words, since the user terminals 31 belonging to different medical institutions are connected to different virtual HUBs 41 by VPN, they are logically connected to different LANs. For example, in FIG. 2, user terminals 31A and 31B belonging to the same medical institution A are connected by VPN to the same virtual HUB 41A associated with the medical institution A, and user terminals 31C and 31D belonging to the same medical institution B are medical It shows that the same virtual HUB 41 B associated with the organization B is connected by VPN.

  The user terminal 31 VPN-connected to the virtual HUB 41 can access the DB server 21, the authentication server 23 and the APP server 24 through the virtual NAT 42. The access to the DB server 21 is performed via the APP server 24. For example, the user terminal 31 can access the DB server 21 via the APP server 24 through the virtual NAT 42, and acquire medical information of a medical institution to which the user terminal 31 belongs.

  The VPN server 25 VPN-connects the maintenance terminal 32 to the virtual HUB 41 associated with the medical institution to be maintained. In this case, the virtual DHCP 43 connected to the virtual HUB 41 has a private IP address (for example, “192.168.1.3/”) belonging to the subnet related to the medical institution to be maintained with respect to the maintenance terminal 32 connected by VPN. 24) etc.). As a result, the maintenance terminal 32 is logically connected to the same LAN as the user terminal 31 of the medical institution to be maintained. Therefore, a maintenance person can maintain the operation concerning the medical institution of maintenance object in information management system 10 through maintenance terminal 32.

  The VPN server 25 may have setting information of a period in which the maintenance terminal 32 can make a VPN connection to the virtual HUB 41 (hereinafter referred to as a “serviceable period”). For example, when the maintenance possible period is set from the medical institution, the VPN server 25 rejects the VPN connection from the maintenance terminal 32 to the virtual HUB 41 associated with the medical organization except for the maintenance possible period. As a result, the maintenance terminal 32 can not connect to the virtual HUB 41 corresponding to the medical institution other than the maintainable period set by the medical institution to be maintained. It can prevent unauthorized access to medical information.

<Connection destination information>
Next, the connection destination information 60 held by the user terminal 31 will be described with reference to FIG.

  The user terminal 31 holds connection destination information 60 for connecting to the VPN server 25 in nonvolatile memory (for example, HDD (Hard Disk Drive), SSD (Solid State Drive)). In the connection destination information 60, for example, as shown in FIG. 3, VPN ID, password, IP address of primary VPN server, port number of primary VPN server, IP address of secondary VPN server, port of secondary VPN server The number and the virtual HUB name are included.

  First, the user terminal 31 accesses the IP address and port number of the primary VPN server recorded in the connection destination information 60, and tries to establish a VPN session. If this fails, then the user terminal 31 accesses the IP address and port number of the secondary VPN server and tries to establish a VPN session. Thus, even if a failure occurs in the primary VPN server 25A, the user terminal 31 can connect to the secondary VPN server 25B.

  Also, when establishing a VPN session, the user terminal 31 generates a VPN connection request including the pair of the VPN ID and the password recorded in the connection destination information 60 and transmits it to the VPN server 25. The VPN server 25 requests the authentication server 23 to authenticate the pair of VPNID and password included in the transmitted VPN connection request to the authentication server 23, and when the authentication succeeds, establishes a VPN session with the user terminal 31. Do. This makes it possible to prevent the user terminal 31 that does not hold the correct VPN ID-password pair from making a VPN connection to the VPN server 25.

  Also, the user terminal 31 transmits the virtual HUB name to the VPN server 25 when establishing a VPN session. The VPN server 25 VPN-connects the user terminal 31 to the virtual HUB 41 corresponding to the transmitted virtual HUB name. Thereby, the user terminals 31 belonging to the same medical institution are connected to the same virtual HUB 41 by VPN.

  When connecting to the VPN server 25 for the first time, the user terminal 31 establishes a VPN session using a pair of VPNID and a temporary password, and then automatically generates a new password, and encrypts the generated new password. The connection destination information 60 is recorded. Then, when connecting to the VPN server 25 from the second time onward, the user terminal 31 establishes a VPN session using a pair of the VPN ID and the password recorded in an encrypted manner. As a result, the user terminal 31 can establish a VPN session without anyone knowing the new password. That is, leakage of a new password for establishing a VPN session can be prevented. The details of the temporary password issuance process, the process when the user terminal 31 connects to the VPN server 25 for the first time (hereinafter referred to as “first VPN connection process”), and the process of updating the connection destination information 60 will be described later.

<Provisional password issuance process>
Next, the process of issuing a temporary password will be described with reference to the sequence chart of FIG. The temporary password issuance process may be performed at the time of the new issuance of the ID, or may be performed separately (independently) from the new issuance of the ID.

  First, the operation terminal 33 establishes a VPN session with the VPN server 25 (S101). This VPN session may be established by the dedicated VPN ID and password of the operation terminal 33.

  Next, the operation terminal 33 generates a temporary password issuance request including the VPNID for which the temporary password is to be issued, and transmits the temporary password issuance request to the APP server 24 (S102). The temporary password issuance request may have a data format in accordance with the Web API provided by the APP server 24 as a temporary password issuance function.

  The APP server 24 receives the temporary password issuance request of S102, and generates a temporary password (S103). Next, the APP server 24 generates an ID registration request including the VPNID included in the temporary password issuance request and the temporary password generated in S103, and transmits the ID registration request to the authentication server 23 (S104).

  The authentication server 23 receives the ID registration request of S104, associates the VPNID contained in the ID registration request with the temporary password, and registers them (S105). Next, when the authentication server 23 succeeds in the registration, the authentication server 23 transmits a success response corresponding to the ID registration request in S104 to the APP server 24 (S106).

  The APP server 24 receives the success response of S106, and transmits a success response corresponding to the temporary password issuance request of S102 to the operation terminal 33 (S107). Here, the APP server 24 includes the temporary password generated in S103 in the success response.

  By the above processing, the pair of the VPN ID and the temporary password is registered in the authentication server 23. Further, the temporary password associated with the VPN ID is notified to the operation terminal 33 (and the operator).

<First time VPN connection process>
Next, processing (first connection processing) when the user terminal 31 connects to the VPN server 25 for the first time will be described with reference to the sequence chart of FIG. 5.

  First, a pair of the VPNID and the temporary password issued in the temporary password issuing process of FIG. 4 is notified from the operator to the medical worker, for example (S201). This notification may be made in any way that is secure. For example, it may be mail, telephone or verbal notification. Alternatively, the operation terminal 33 may transmit the information including the VPN ID and the temporary password to the user terminal 31 by a secure communication means (for example, encrypted electronic mail). Alternatively, the operation terminal 33 uploads information including the VPNID and the temporary password to a predetermined server by the secure communication means, and the user terminal 31 downloads information including the VPNID and the temporary password from the server by the secure communication means. It is also good.

  Next, the user terminal 31 generates a VPN connection request including the pair of the VPN ID in S201 and the temporary password, and transmits the VPN connection request to the VPN server 25 (S202). The pair of the VPNID and the temporary password may be input to the user terminal 31 by a medical worker.

  The VPN server 25 receives the VPN connection request of S202, generates an ID authentication request including the pair of the VPN ID and the temporary password included in the request, and transmits the ID authentication request to the authentication server 23 (S203).

  The authentication server 23 receives the ID authentication request in S203, and authenticates the pair of the VPN ID and the temporary password included in the request (S204). Since this pair is already registered in the temporary password issuance process of FIG. 4, the authentication is successful if there is no error in the input in S202.

  Next, when the authentication server 23 succeeds in the authentication, the authentication server 23 transmits a success response corresponding to the ID authentication request in S203 to the VPN server 25 (S205).

  When the VPN server 25 receives the success response of S205, it establishes a first VPN session with the user terminal 31 (S206).

  When the user terminal 31 succeeds in establishing the first VPN session, the user terminal 31 automatically generates a new password to be associated with the VPNID input in S202 (S207). That is, the user terminal 31 generates a new password without having the medical staff enter the password.

  Next, the user terminal 31 generates an initial setting request including the VPNID and the temporary password of S202 and the new password automatically generated in S207, and transmits the first setting request to the APP server 24 (S208). This initial setting request may be a data format in accordance with the Web API provided by the APP server 24 as an initial setting function.

  The APP server 24 receives the initial setting request of S207, generates a password change request including the VPNID, the temporary password, and the new password included in the request, and transmits the password change request to the authentication server 23 (S209).

  The authentication server 23 receives the password change request in S209, and changes the password corresponding to the VPNID included in the password change request from the temporary password to the new password (S210).

  Next, when the change to the new password is successful, the authentication server 23 transmits a success response corresponding to the password change request in S209 to the APP server 24 (S211).

  When the APP server 24 receives the success response in S211, the APP server 24 transmits a success response corresponding to the initial setting request in S208 to the user terminal 31 (S212).

  When the user terminal 31 receives the success response in S212, it records the VPNID and the new password in the connection destination information 60 (S213). At this time, the user terminal 31 encrypts and records the new password.

  Next, the user terminal 31 once disconnects the first VPN session established in S206 (S214).

  Next, the user terminal 31 generates a VPN connection request including the pair of the VPN ID and the new password recorded in the connection destination information 60, and transmits the VPN connection request to the VPN server 25 (S215).

  Next, the VPN server 25 and the authentication server 23 execute the same flow as S203 to S205 described above, replacing the temporary password with the new password (S216 to S218), and the VPN server 25 communicates with the user terminal 31. Establish a second VPN session (S219).

  From the next time on, the user terminal 31 may automatically execute the processing of S215 and establish a second VPN session with the VPN server 25.

  By the above processing, it is possible to establish a second VPN session between the user terminal 31 and the VPN server 25 without notifying anyone, such as medical staff and operators, of the new password. Therefore, it is possible to prevent the password associated with the VPNID corresponding to the user terminal 31 from leaking.

  In addition, the user terminal 31 can automatically establish a second VPN session with the VPN server 25 without having a medical worker enter a VPN ID and a password. Therefore, it is possible to simultaneously achieve the reduction of the labor of the medical staff and the improvement of the security.

<Update process of connection destination information>
Next, the process of updating the connection destination information 60 held by the user terminal 31 will be described with reference to the sequence chart of FIG. This process is executed after the user terminal 31 establishes a second VPN session with the VPN server 25 (S300).

  First, the user terminal 31 generates a connection destination information request including its own VPN ID, and transmits it to the APP server 24 (S301).

  The APP server 24 receives the connection destination information request in S301, generates an attribute information request including the VPNID included in the request, and transmits the attribute information request to the authentication server 23 (S302).

  The authentication server 23 receives the attribute information request of S302, and acquires attribute information associated with the VPNID included in the request (S303). That is, the authentication server 23 may manage the contents of the connection destination information 60 corresponding to the VPNID as attribute information of the VPNID. Next, the authentication server 23 transmits a response corresponding to the attribute information request of S302 including the acquired attribute information to the APP server 24 (S304).

  The APP server 24 receives a response including the attribute information of S304 from the authentication server 23, and generates connection destination information 60 based on the content included in the response (S305). Next, the APP server 24 generates a response corresponding to the connection destination information request in S301, including the generated connection destination information 60, and transmits the response to the user terminal 31 (S306).

  The user terminal 31 receives the connection destination information 60 in S306, and determines whether the content of the received connection destination information 60 is different from the content of the connection destination information 60 already held (S307).

  When the content of the received connection destination information 60 matches the content of the connection destination information 60 already held (S307: NO), the user terminal 31 maintains the second VPN session.

  If the content of the received connection destination information 60 is different from the connection destination information 60 already stored (S307: YES), the user terminal 31 once disconnects the second VPN session of S300 (S308). Next, the user terminal 31 updates the held connection destination information 60 to the received connection destination information 60 (S309). Next, the user terminal 31 establishes a third VPN session with the VPN server 25 using the connection destination information 60 updated in S309 (S310).

  By the above processing, the user terminal 31 can update the held connection destination information 60. The update of the connection destination information 60 is executed, for example, when changing the VPN server 25 and / or the virtual HUB 41 of the connection destination of the user terminal 31 belonging to a certain medical institution.

  When the IPSec protocol is used for VPN, the connection destination information 60 shown in FIG. 3 may further include a pre-shared key. The pre-shared key establishes a first VPN session with the user terminal 31 in FIG. 5 (S206), and the VPN server 25 establishes a second VPN session with the user terminal 31. It is used at the time of (S219). When the SSL protocol is used for VPN, the connection destination information 60 shown in FIG. 3 may include a server certificate instead of the pre-shared key.

<Effect of Embodiment 1>
In the first embodiment, the APP server 24 generates a temporary password to be associated with the VPN ID, registers the temporary password in the authentication server 23, and notifies the operation terminal 33 of the temporary password. Then, the operator of the operation terminal 33 notifies the medical worker who uses the user terminal 31 of the VPNID and the temporary password. The user terminal 31 establishes a first VPN session with the VPN server 25 using the VPNID and the temporary password, automatically generates a new password, and generates an initial setting request including the VPNID, the temporary password, and the new password on the APP server 24. Send to The APP server 24 receives the initial setting request, changes the VPNID password of the authentication server 23 from the temporary password to the new password, and transmits a success response to the user terminal 31. When the user terminal 31 receives a success response corresponding to the initial setting request from the APP server 24, it encrypts and stores the new password, disconnects the first VPN session, and uses the new password to connect with the VPN server 25. Establish a second VPN session.

  As a result, the user terminal 31 can establish a second VPN session with the VPN server 25 without notifying anyone, such as medical staff and operators, of the new password. Therefore, it is possible to prevent the new password associated with the VPNID corresponding to the user terminal 31 from leaking. Also, the medical staff can use the user terminal 31 without remembering or entering a new password. That is, the convenience of the medical staff is improved.

Second Embodiment
An information management system 10 according to the second embodiment will be described. The information management system 10 according to the second embodiment may have the same configuration as that shown in FIG.

  As shown in FIG. 1, in the information management system 10, the VPN server 25 is made redundant in order to enhance the availability. That is, the information management system 10 includes a plurality of VPN servers 25A and 25B. The plurality of redundantly configured VPN servers 25 may be referred to as a "VPN system".

  The VPN server 25 may require the number of licenses according to the upper limit number of VPN sessions that can be established simultaneously (hereinafter referred to as the “upper limit number of VPN connections”). For example, when the operator sets the VPN connection upper limit number of one VPN server 25 to "300", the VPN server 25 needs the number of licenses of "300". In this case, for example, as shown in FIG. 7, in the case of redundancy using two VPN servers 25A and 25B of the primary and secondary, the total number of required licenses is "300 + 300 = 600".

  However, since the secondary VPN server 25B is not used when the primary VPN server 25A has not failed, the two VPN servers 25A and 25B with respect to the total number "600" of the number of licenses of the two VPN servers The maximum number of VPN sessions actually established simultaneously with respect to 25A and 25B (hereinafter referred to as "the actual maximum number of VPN connections") is "300". That is, the ratio of the actual maximum number of VPN connections to the total of the number of licenses (the maximum number of VPN connections) (hereinafter referred to as “capacity”) is 300/600 = 50%. The accommodation rate is an example of an index of the utilization efficiency of the license of the VPN server 25. In the second embodiment, an information management system 10 will be described in which the utilization efficiency (accommodation rate) of the license of the VPN server 25 is relatively high.

  FIG. 8 is a view showing a configuration example of the VPN server 25 according to the second embodiment.

  The information management system 10 according to the second embodiment includes three VPN servers 25C, 25D, and 25E as shown in FIG. Then, the operator sets the number of licenses of “300” (the upper limit number of VPN connections) to each of the VPN servers 25C, 25D, and 25E.

  In addition, the operator provides six groups A to F to which the VPNIDs belong, and sets the upper limit number of VPNIDs (hereinafter referred to as the "group upper limit number") "100" to the groups A to F respectively. Do.

  Also, the operator assigns two groups to be managed at normal times to the VPN servers 25C, 25D, and 25E, respectively. Hereinafter, a group managed by the VPN server 25 at the normal time will be referred to as a “management group”. For example, as shown in management groups A to F without parentheses in FIG. 8, management groups A and D for the VPN server 25C, management groups B and E for the VPN server 25D, and management groups C and F for the VPN server 25E. assign.

  In addition, when a failure occurs in another VPN server 25 in each of the VPN servers 25C, 25D, and 25E, the operator of the two management groups assigned to the VPN server 25 in which the failure occurs. Set which management group to take over. However, the operator configures the two management groups assigned to the VPN server 25 in which the failure has occurred so that another VPN server 25 takes over respectively. Hereinafter, a group to which the normal VPN server 25 assumes management at the time of failure is referred to as a “trusted group”. For example, as shown in the entrusted groups A to F with parentheses in FIG. 8, the operator entrusts the VPN servers 25C with entrusted groups B and C, the VPN server 25D with entrusted groups A and F, and the VPN server 25E with entrusted groups Set D and E.

  Thus, in the case of the configuration shown in FIG. 8, in one VPN server 25, the actual maximum number of VPN connections is the total “100 + 100 = 200” of the upper limit number of two groups. Therefore, the sum of the actual maximum number of VPN connections in the three VPN servers 25C, 25D, and 25E is "200 + 200 + 200 = 600". On the other hand, the total number of licenses of the two VPN servers 25C, 25D, and 25E is "300 + 300 + 300 = 900". Therefore, the accommodation rate is 600/900 = 66%. This accommodation rate is higher than the accommodation rate (50%) of the configuration shown in FIG. That is, according to the configuration of the VPN system according to the second embodiment, the utilization efficiency of the license of the VPN server 25 can be improved.

  The numerical values in the above description are merely an example. For example, the number of VPN servers 25 included in the VPN system may be three or more. Further, the number of management groups set in one VPN server 25 may be any number as long as it is two or more.

  In each VPN server 25, the sum of the upper limit number of each management group and the upper limit number of each trustee group is equal to or less than the number of licenses (the upper limit number of VPN connections), and other VPN servers whose management groups are different from each other The management server and the trust group may be set in the VPN server 25 as long as it is set to 25 trust servers.

  Further, the number of licenses (the maximum number of VPN connections) set in the VPN server 25 may be any number as long as it is equal to or more than the total of the upper limit number of each management group of the VPN server 25 and the upper limit number of each trust group.

  Also, the operator may register VPNIDs belonging to the same medical institution in the same group. Thereby, when the normal VPN server 25 takes over the management group of the VPN server 25 in which the failure has occurred in the consignment group, the user terminals 31 related to the VPNID registered in the management group are put together, and the medical institution Can be connected to the corresponding virtual HUB 41.

  The processing described above mainly by the “operator” may be automatically performed by a program operated by the operation terminal 32, the APP server 24, the VPN server 25 or the like.

<Effect of Second Embodiment>
In the second embodiment, the information management system 10 (VPN system) includes at least three VPN servers 25. Each VPN server 25 has the number of licenses (the maximum number of VPN connections), at least two management groups, at least one trust group, and the maximum number of groups. Here, the sum of the upper limit number of the management group and the upper limit number of the consignment group is equal to or less than the number of licenses, and each management group is associated with consignment groups of different VPN servers different from each other. Then, when a failure occurs in one VPN server 25, the VPN server 25 having a trust group associated with the management group of the one VPN server 25 takes over management of the management group.

  This improves the utilization efficiency (accommodation rate) of the number of licenses in the VPN system. Also, the availability of the VPN system can be maintained and improved.

  The embodiment according to the present invention has been described in detail with reference to the drawings, but the DB server 21, DB 22, authentication server 23, APP server 24, VPN server 25, user terminal 31, maintenance terminal 32, and operation described above The function of each device of the terminal 33 can be realized by a computer program.

  FIG. 9 is a diagram showing a hardware configuration of a computer that realizes the functions of the respective devices by a program. The computer 2100 includes an input device 2101 such as a keyboard or a mouse or a touch pad, an output device 2102 such as a display or a speaker, a central processing unit (CPU) 2103, a read only memory (ROM) 2104, and a random access memory (RAM) 2105. A storage device 2106 such as a hard disk drive or solid state drive (SSD), a reader 2107 for reading information from a recording medium such as a digital versatile disk read only memory (DVD-ROM) or a universal serial bus (USB) memory A transmission / reception device 2108 for communicating is provided, and each unit is connected by a bus 2109.

  Then, the reading device 2107 reads the program from the recording medium storing the program for realizing the function of each of the above-described devices, and causes the storage device 2106 to store the program. Alternatively, the transmission / reception device 2108 communicates with a server device connected to the network, and stores in the storage device 2106 a program for realizing the functions of the respective devices downloaded from the server device.

  Then, the CPU 2103 copies the program stored in the storage device 2106 to the RAM 2105, sequentially reads out the instruction included in the program from the RAM 2105, and executes the function, whereby the functions of the respective devices are realized.

  The embodiments described above are exemplifications for describing the present invention, and are not intended to limit the scope of the present invention only to the embodiments. Those skilled in the art can practice the present invention in various other aspects without departing from the scope of the present invention.

  The present disclosure is applicable to systems and methods for managing medical information.

10 Information Management System 21 DB Server 22 DB
23 Authentication server 24 APP server 25, 25A, 25B, 25C, 25D, 25E VPN server 31, 31A, 31B, 31C, 31D User terminal 32 Maintenance terminal 33 Operation terminal 34 Communication network 41, 41A, 41B Virtual HUB
42, 42A, 42B Virtual NAT
43, 43A, 43B Virtual DHCP

Claims (3)

It has at least 3 Virtual Private Network (VPN) servers,
Each VPN server has an upper limit number of VPN sessions, at least two management groups to be managed, a trust group associated with a management group of another VPN server, and an identification of the VPN sessions belonging to the management group And an upper limit number of IDs that can be registered in the management group,
The sum of the upper limit number of each management group and the upper limit number of the consignment group is equal to or less than the upper limit number of the VPN sessions, and the respective management groups are associated with consignment groups of different VPN servers different from each other.
When a failure occurs in one VPN server, a VPN server having a trust group associated with the management group of the one VPN server takes over management of the management group,
VPN system. Said ID is matched with the terminal which each belongs to any medical institution,
The IDs associated with the terminals belonging to the same medical institution are registered in the same management group,
The VPN system according to claim 1. It is a control method of a VPN system, and
The VPN system comprises at least three Virtual Private Network (VPN) servers,
Each VPN server has an upper limit number of VPN sessions, at least two management groups to be managed, a trust group associated with a management group of another VPN server, and an identification of the VPN sessions belonging to the management group And an upper limit number of IDs that can be registered in the management group,
The sum of the upper limit number of each management group and the upper limit number of the consignment group is equal to or less than the upper limit number of the VPN sessions, and the respective management groups are associated with consignment groups of different VPN servers different from each other.
When a failure occurs in one VPN server, a VPN server having a trust group associated with the management group of the one VPN server takes over management of the management group,
Control method of VPN system.

Images