JP4429059B2 - Communication control method and program, communication control system, and communication control related apparatus - Google Patents

Description

  The present invention relates to a communication control technique for enabling secure communication.

  In recent years, in the communication via the Internet, there is an increasing number of cases in which secure communication is realized by tunneling (for example, VPN (Virtual Private Network) technology) VPN is generally used as a substitute for a dedicated line. In many cases, confidentiality and integrity of communication data via the Internet are maintained by techniques such as connection authentication, encapsulation, and encryption.

  FIG. 13 shows a general VPN connection system configuration diagram. For example, one or a plurality of VPN servers 5, one or a plurality of user terminals 3, for example, a personal computer, and one or a plurality of gateways 7 are connected to a network 1 that is the Internet by wireless or wired connection. The VPN server 5 is connected to, for example, an in-house LAN 21 that is an in-company network, and the in-house LAN 21 includes one or more authentication servers 23, one or more mail servers 25, and one or more web (Web) servers. 27, one or a plurality of application servers 29, and other servers (not shown) are connected.

  The gateway 7 is connected to, for example, a base LAN 9 that is a network within the base, and one or a plurality of user terminals 11 and 13 that are, for example, personal computers are connected to the base LAN 9. The gateway 7 includes a VPN client 71 and an address conversion unit 73. The VPN client 71 establishes a VPN connection with the VPN server 5. The address conversion unit 73 is, for example, NAT (Network Address Translation), and transparently converts the IP address (local address) of the user terminal 11 or the user terminal 13 and the address on the Internet (global address). Thereby, the user terminal 11 and the user terminal 13 can communicate via the network 1. Further, the user terminal 3 includes a VPN client 33, and VPN connection with the VPN server 5 is possible. The VPN server 5, the VPN client 33, and the VPN client 71 are connected to each other by a communication method such as PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), IPSec (Security Architecture for Internet Protocol), or the like. Is realized.

As described above, in the conventional general VPN connection system, the user terminal 3, the user terminal 11, or the user terminal 13 always passes through the VPN server 5 when accessing any server connected to the in-house LAN 21. It is supposed to be. That is, even when communicating with any server connected to the in-house LAN 21, encapsulation or encryption is performed by performing VPN connection.
K. Lahey, "RFC 2923 (Request for Comments: 2923), TCP Problems with Path MTU Discovery", [online], September 2000, Internet Engineering Task・ Force (Internet Engineering Task Force), [Search December 16, 2003], Internet <URL: http://www.faqs.org/rfcs/rfc2923.html>

  However, according to the techniques described above, the processing load associated with encapsulation and encryption is relatively high, and it is often impossible to obtain a sufficient throughput with respect to the line speed. In addition, when the size of communication data increases due to encapsulation or encryption, a communication failure occurs in an algorithm (Path MTU Discovery Protocol) that limits the maximum transmission size (MTU) and detects the maximum transmission size (Non-patent Document 1). ) Is likely to cause problems.

  Also, in TCP communication, packet reachability is guaranteed, so retransmission is performed when a timeout occurs, but depending on the combination of the tunneling technology used and the system configuration, TCP retransmission and encapsulation Multiple retransmissions due to the protocol for performing the transmission may occur, and retransmission packets may be generated more than necessary.

  On the other hand, some application programs used over the Internet are encrypted for each application program using SSL (Secure Socket Layer) such as HTTPS (Hypertext Transfer Protocol Security) and SSH (Secure SHell). In many cases, it is inefficient to perform encryption for VPN communication for all communications.

  Therefore, an object of the present invention is to provide a communication control technique for appropriately performing secure communication.

  The communication control method according to the first aspect of the present invention is a communication executed by an application gateway server in which a VPN server communicates with a specific VPN client device that makes a VPN connection and controls access to the specific server. A control method for receiving an IP address of a VPN client device to which access to a specific server is to be permitted and storing the IP address in a storage device; and between the VPN server and the specific VPN client device In the state where the VPN connection is established, when the access request data to the specific server is received by the communication means different from the VPN connection, the IP address of the access request data is stored in the storage device. Based on the IP address, a specific service using a communication method different from the VPN connection is used. And a determination step whether to allow access to server.

  Thereby, the VPN client apparatus permitted to access the specific server can communicate with the specific server by a communication means different from the VPN connection. For example, when a specific server performs communication using SSL, it is possible to avoid an increase in the size of communication data due to double encryption by SSL and VPN. In addition, since access permission to a specific server is made in a state where a VPN connection is established between the VPN server and the VPN client device, access from an access request source not making a VPN connection is not permitted. For example, it is possible to restrict access appropriately.

  Further, in the above-described permitted IP address receiving step, the IP address of the VPN client device authenticated by the predetermined authentication processing server for the VPN connection with the VPN server is received from the predetermined authentication processing server and stored in the storage device. You may do it. As a result, access to a specific server is permitted for the VPN client device authenticated in the VPN connection.

  The communication control method according to the second aspect of the present invention is a communication executed by an application gateway server in which a VPN server communicates with a specific VPN client device that performs VPN connection and controls access to the specific server. In the control method, when the VPN connection is established between the VPN server and the specific VPN client device, when access request data to the specific server is received by a communication means different from the VPN connection, The step of transmitting the IP address of the source of the access request data to a predetermined authentication server, and the IP address of the source of the access request data is the IP address of the VPN client device that should be allowed to access the specific server Whether or not is received from a predetermined authentication server and stored in a storage device That and a step.

  Thereby, the VPN client apparatus permitted to access the specific server can communicate with the specific server by a communication means different from the VPN connection. When the application gateway server receives access request data for a specific server, the application gateway server transmits the IP address of the access request data source to the authentication server and receives the authentication result from the authentication server. There is no need to hold in advance the IP address of the VPN client device that should be permitted to access the server.

  In the first aspect of the present invention, the connection request data to the application gateway server is received from the predetermined access management server via the VPN in the permitted IP address receiving step, and the source of the connection request data is transmitted. When the IP address is received, it may be stored in the storage device as the IP address of the VPN client device that should be allowed to access the specific server. In this way, for example, a dedicated access management server can be provided, and permission or non-permission of access to a specific server can be determined based on the IP address received from the access management server. In this case, since the connection request data transmission source has already authenticated the VPN connection and has transmitted the connection request data to the access management server via the VPN, the connection request data transmission source in the application gateway server. There is no need to check again whether is a VPN client.

  In the first aspect of the present invention, the connection request data to the application gateway server is received by the communication means different from the VPN connection in the permitted IP address receiving step, and the transmission source of the connection request data is authenticated. When the IP address of the connection request data transmission source is received from the predetermined authentication server, the IP address of the VPN client device that should be permitted to access the specific server may be stored in the storage device. Good. In this way, the authentication server receives connection request data by a communication means different from the VPN connection, and determines whether access to the specific server is permitted or not based on the IP address of the authenticated connection request data transmission source. You may do it. In this case, it is not necessary for the application gateway server to check because the authentication server checks whether or not the connection request data transmission source is a VPN client.

  In the first aspect of the present invention, when it is determined in the determining step that access to a specific server is permitted by a communication means different from the VPN connection for the transmission source of the access request data, the application gateway server The method may further include a step of transmitting at least one of data relating to a relayable server service, an IP address of the application gateway server, and data relating to a processing method in the application gateway server to a transmission source of the access request data. Good. As a result, data for causing the application gateway server to perform appropriate relay processing is transmitted to the transmission source of the access request data.

  Also, in the first and second aspects of the present invention, when it is detected that either the VPN connection disconnection request or the state of the VPN connection is in a disconnected state, the VPN client device in which the VPN connection is in a disconnected state The method may further include a step of disabling access to a specific server. In this way, when the VPN connection is disconnected, secure communication can be realized by preventing the VPN client device from being connected by a communication means different from the VPN connection. The state of the VPN connection is a method of notifying the application gateway server when the VPN server detects a disconnection request. When the VPN connection status is in a disconnected state, the VPN server is in the application gateway. -It grasps | ascertains using the method of notifying with respect to a server, and the method of an application gateway server confirming a state with respect to a VPN server.

  A communication control method according to a third aspect of the present invention is a communication control method executed by an authentication server that authenticates a specific VPN client device to which a VPN server performs VPN connection, and includes a specific VPN client device and At least of data relating to server services that can be relayed in an application gateway server that performs communication and controls access to a specific server, IP address of the application gateway server, and data relating to a processing method in the application gateway server If either of them is received, the gateway-related data is stored in the storage device, and if the specific VPN client device requesting the VPN connection is authenticated, the gateway-related data stored in the storage device is stored. It is the data with the VPN connection and sending to a specific VPN client unit by different communication means.

  In this way, when a specific VPN client device requesting a VPN connection is authenticated, gateway-related data is transmitted from the authentication server to the specific VPN client device by a communication means different from the VPN connection. May be. The authentication server may make an inquiry to the application gateway server in order to acquire gateway related data.

  In the third aspect of the present invention, when a request for gateway-related data is received, an authentication step for determining whether or not the requester of the gateway-related data is authenticated, and the requester for the gateway-related data are authenticated in the authentication step. In this case, the method may further include a step of transmitting the gateway related data stored in the storage device to the requester of the gateway related data by a communication means different from the VPN connection. As described above, when there is a request for gateway-related data, the request source may be authenticated and the gateway-related data may be transmitted.

  A communication control method according to a fourth aspect of the present invention is a communication control method executed by a VPN client device connected to a user terminal and capable of VPN connection with a VPN server, and includes a predetermined authentication server, VPN server, and application -Data related to server services that can be relayed in any application gateway server from any of the gateway servers, IP addresses of application gateway servers, data related to processing methods in application gateway servers, and destination IPs that cannot be relayed When the address is received, the access request data to the specific server is transmitted from the user terminal in the state where the VPN connection is established between the step of storing in the storage device as gateway related data and the VPN server. A route setting step for setting any one of the communication route via the VPN server, the communication route via the application gateway server, and the other communication route using the gateway related data; When the communication route is set to a communication route that passes through the application gateway server, the gateway-related data is used to send access request data to a specific server in a mode that the application gateway server can relay to the application gateway. Sending to the server.

  As a result, the VPN client device can select an appropriate route and can cause the application gateway server to perform an appropriate relay process. Specifically, select an appropriate port number and protocol according to the server to be accessed, and for example, when specifying the target host, add the target host data to request access to a specific server. Will be able to.

  In the route setting step, when the destination IP address of access request data to a specific server matches a predetermined IP address, it may be excluded from the route setting processing target. Thereby, for example, a network administrator or the like can set the server that the user does not want to access to be inaccessible.

  It is also possible to create a program for causing a computer to execute the method according to the present invention, and the program is a storage medium such as a flexible disk, a CD-ROM, a magneto-optical disk, a semiconductor memory, and a hard disk. Alternatively, it is stored in a storage device. Moreover, it may be distributed as a digital signal via a network. Note that data being processed is temporarily stored in a storage device such as a computer memory.

  According to the present invention, secure communication can be appropriately performed.

[Embodiment 1]
A system configuration diagram according to the first embodiment of the present invention is shown in FIG. Note that the same components as those of the system shown in FIG. 13 are denoted by the same reference numerals, and redundant description may be omitted below.

  For example, one or more VPN servers 5, one or more application gateways 30, and one or more gateways 7 are connected to the network 1, which is the Internet, by wireless or wired connection. The VPN server 5 is connected to an in-house LAN 21, which includes one or more authentication servers 23, one or more mail servers 25, one or more Web servers 27, and one or more application servers 29. Are connected to other servers (not shown). An IP address storage unit 230 is connected to the authentication server 23. The IP address storage unit 230 stores, for example, the IP address of the gateway 7 authenticated for establishing the VPN connection.

  The application gateway 30 includes a relay processing unit 31 and an access control unit 32. The relay processing unit 31 performs server connection relay processing based on additional data such as a destination address and target host included in the communication data. The access control unit 32 determines whether the server connection request source is permitted or not permitted to access the server. For example, it is determined whether to permit access based on the IP address of the server connection request source. If it is determined not to be permitted, the relay process is not performed.

  The gateway 7 is connected to the base LAN 9, and one or a plurality of user terminals 11 and 13 are connected to the base LAN 9. The gateway 7 includes a VPN client 71, a communication control unit 72, and an address conversion unit 73. The VPN client 71 establishes a VPN connection with the VPN server 5. When receiving a request for access to a specific server from the user terminal 11 or 13, the communication control unit 72 determines a communication path via the VPN server 5 and a communication path via the application gateway 30 according to the destination IP address. One of the other communication paths is set. When the communication path is set to a communication path that passes through the application gateway 30, the access request data is transmitted in a manner that the application gateway 30 can relay. Specifically, an appropriate port number or protocol is selected according to the server to be accessed. For example, when the target host needs to be specified, the data of the target host is also added. The address conversion unit 73 is, for example, the well-known NAPT (Network Address Port Translation), and transparently converts the IP address (local address) of the user terminal 11 or the user terminal 13 and the address (global address) on the Internet. To do. Since NAPT dynamically converts TCP and UDP port numbers, it is possible to realize simultaneous connection from a plurality of user terminals with one global address. Thereby, the user terminal 11 and the user terminal 13 can communicate via the network 1.

  Note that the VPN server 5 and the VPN client 71 realize VPN connection by a communication method such as PPTP, L2TP, and IPSec, for example. The Web server 27 performs communication using SSL. The user terminal 11 and the user terminal 13 have SSL-compatible Web browsers, and secure communication is possible between the user terminal 11 or 13 and the Web server 27 without using a VPN.

  2 and 3 show a processing flow of the system shown in FIG. Hereinafter, it demonstrates according to each step. First, for example, the user terminal 11 that is a terminal for an administrator transmits a VPN connection request to the gateway 7 in accordance with an operation from a user such as an administrator (FIG. 2: step S1). The VPN client 71 of the gateway 7 receives the VPN connection request from the user terminal 11 and stores it in a storage device such as a work memory area (step S3). Then, the VPN client 71 transmits authentication data for establishing a VPN connection to the VPN server 5 (step S5). The authentication data is, for example, a password received from the user.

  The VPN server 5 receives the authentication data from the gateway 7 and stores it in a storage device such as a work memory area (step S7). Then, the VPN server 5 cooperates with the authentication server 23 to perform authentication processing of the gateway 7 that is a VPN connection request source (step S9). When authentication is performed, the authentication server 23 transmits the IP address of the gateway 7 to the application gateway 30 as a permitted IP address (step S11). The application gateway 30 receives the permitted IP address from the authentication server 23 and stores it in, for example, the permitted IP address table generated in the work memory area or the like (step S13). The permitted IP address is an IP address used when the access control unit 32 of the application gateway 30 performs access control. For example, when there is an access request from the gateway 7 having the permitted IP address to the Web server 27. A determination is made to allow access. In some cases, after the authentication process in step S9, the permitted IP address is transmitted from the VPN server 5 to the application gateway 30.

  When the authentication in step S9 is performed, the VPN server 5 transmits the application gateway related data and the VPN connection response stored in advance to the gateway 7 (step S15). The VPN client 71 of the gateway 7 receives the application gateway related data and the VPN connection response from the VPN server 5, and stores them in, for example, the application gateway related data storage section in the work memory area or the like (step S17). The application gateway related data includes data related to server services that can be relayed in the application gateway 30, IP address of the application gateway 30, data related to processing methods in the application gateway 30, destination IP addresses that cannot be relayed, and the like. It is. The data related to the processing method in the application gateway 30 means that, for example, when a communication protocol that requires the designation of the target host is used, the access request data in a mode in which the target host data is also added is accepted. It is the data shown. An identifier may be used.

  In some cases, the VPN server 5 does not hold application / gateway related data in advance. In such a case, the VPN server 5 transmits a request for application gateway related data to the application gateway 30, and transmits the application gateway related data received from the application gateway 30 to the gateway 7. In some cases, application gateway related data is not transmitted together with the VPN connection response. In such a case, for example, the VPN client 71 of the gateway 7 requests application gateway related data from the VPN server 5 and receives data transmitted from the VPN server 5 in response to the request.

  Then, the VPN client 71 of the gateway 7 generates VPN connection completion notification data and transmits it to the user terminal 11 (step S19). The user terminal 11 receives the VPN connection completion notification data from the gateway 7 and displays it on the display device (step S21).

  The VPN server 5 transmits data indicating the VPN connection state to the application gateway 30 (step S23). The access control unit 32 of the application gateway 30 receives data indicating the VPN connection state from the VPN server 5 and stores it in a storage device such as a work memory area (step S25). The data indicating the VPN connection status is transmitted from the VPN server 5 to the application gateway 30 when the connection status changes, for example. In some cases, the application gateway 30 periodically transmits a data request indicating the VPN connection state to the VPN server 5. In addition, when a state in which no data is received from the VPN server 5 continues for a predetermined period or longer, a data request may be transmitted from the application gateway 30 to the VPN server 5.

  In this way, the VPN connection is established, and the permitted IP address and the VPN connection state are held in the application gateway 30.

  For example, the user terminal 13 transmits, for example, an access request to the Web server 27 to the gateway 7 in accordance with an operation from a general user or the like (FIG. 3: step S31). The communication control unit 72 of the gateway 7 receives an access request to the Web server 27 from the user terminal 13 and stores it in a storage device such as a work memory area (step S33). Then, the address conversion unit 73 of the gateway 7 performs address conversion from a local address to a global address (step S35). Then, the communication control unit 72 of the gateway 7 determines the communication route of the access request based on the application / gateway related data (step S37). Specifically, any one of a communication route via VPN (VPN server 5), a communication route via application gateway 30 and other routes is selected. In the present embodiment, a communication route via the application gateway 30 is selected for data addressed to the Web server 27.

  FIG. 4A and FIG. 4B are schematic diagrams of communication route setting. First, FIG. 4A shows an outline of communication route setting in the gateway 7 in the conventional general VPN connection system shown in FIG.

  The VPN route 416 and the default route (Default Route) 419 are included in the Ethernet (registered trademark) route 414. The Ethernet route 414 represents a communication route by TCP / IP, for example, and all the communication routes via the Internet are included in the Ethernet route 414. The VPN route 416 represents a communication route by VPN connection, and data passing through the VPN route 416 is encapsulated and encrypted, and then transmitted to the Internet. By the encapsulation, the destination IP address is once converted into the IP address of the VPN server 5. A default route 419 indicates a route for transmitting data to the Internet without processing. The communication route 418 indicates a route through which data that has reached the gateway 7 via the base LAN 9 first passes, for example.

  The data is assumed to progress from the left to the right in the figure. First, for example, data addressed to the server transmitted from the user terminal 13 passes through the communication route 418 and enters the address conversion unit processing range 410. Here, the IP address of the user terminal 13 that is the data transmission source is converted from a local address to a global address. Then, the data addressed to the server further proceeds to the right and enters the VPN client processing range 412. Here, the data addressed to the server first passes through the default route 419, and when the VPN connection is established, the VPN connection is not established through the VPN route 416 switched from the middle of the default route 419. In this case, the default route 419 is directly passed. Even when a VPN connection is established, settings are made so that data addressed to a server whose IP address is outside the predetermined range (for example, a server not connected to the in-house LAN 21) passes through the default route 419 as it is. May have been made. On the other hand, for example, all data addressed to the server connected to the in-house LAN 21 passes through the VPN route 416. That is, for example, communication data encapsulated or encrypted by HTTPS is also double-encapsulated or encrypted.

  FIG. 4B shows an outline of communication route setting in the gateway 7 in the present embodiment as shown in FIG. A VPN route 416, a default route 419, and an HTTPS route 420 are included in the Ethernet route 414. In addition, the same number is attached | subjected about the component similar to FIG. 4-1, and redundant description is abbreviate | omitted below.

  For example, server-addressed data transmitted from the user terminal 13 passes through the communication route 418 and enters the VPN client processing range 412. Here, the data addressed to the server is distributed so as to pass through one of the VPN route 416, the default route 419, and the HTTPS route 420, for example, depending on the port number associated with the communication protocol used by the destination server. This process is performed by the communication control unit 72 of the gateway 7. For example, data addressed to a server (for example, the Web server 27) that performs communication using HTTPS (port number 443) is transmitted to the Internet through the HTTPS route 420 in a manner that the application gateway 30 can relay. The data passing through the HTTPS route 420 is encapsulated, and the destination IP address is once converted into the IP address of the application gateway 30. In addition, data addressed to a server (for example, mail server 25) using POP3 (port number 110) or SMTP (port number 25) is transmitted to the Internet through the VPN route 416. In addition, data addressed to a server whose IP address is outside the predetermined range (for example, a server not connected to the in-house LAN 21) is transmitted to the Internet as it is through the default route 419. In this way, double encapsulation and encryption are not performed.

  Returning to the description of FIG. 3, the communication control unit 72 of the gateway 7 transmits an access request to the Web server 27 to the application gateway 30 (FIG. 3: step S39). Based on the data related to the application gateway, when additional data such as a target host is necessary, it is transmitted together. The access control unit 32 of the application gateway 30 receives an access request to the Web server 27 from the gateway 7 and stores it in a storage device such as a work memory area (step S41). Then, the access control unit 32 confirms whether the IP address of the gateway 7 matches the permitted IP address received in step S13 (FIG. 2) (step S43). In step S25 (FIG. 2), the access control unit 32 also confirms the state of the VPN connection stored in the storage device such as the work memory area, and the gateway having the permitted IP address in the state where the VPN connection is established. If the access request is from 7, the access is permitted.

  If the VPN connection is not established or the IP addresses do not match, it is determined that “access is not permitted”. If it is determined that “access is not permitted”, the application gateway 30 terminates the process. However, for example, a connection rejection notification may be transmitted to the user terminal 13 via the gateway 7. Hereinafter, the description will be continued assuming that it is determined that “access is permitted”.

  Then, the relay processing unit 31 of the application gateway 30 transmits the access request data to the Web server 27 (Step S45). At this time, the relay processing unit 31 converts the destination IP address of the access request from the IP address of the application gateway 30 to the IP address of the Web server 27 and transmits it. The Web server 27 receives the access request data from the application gateway 30 and stores it in a storage device such as a work memory area (step S47). The Web server 27 uses, for example, HTTPS as a communication protocol, generates access response data for establishing communication by HTTPS, and transmits it to the application gateway 30 (step S49).

  The relay processing unit 31 of the application gateway 30 receives the access response data from the Web server 27 and transfers it to the gateway 7 (step S51). The communication control unit 72 of the gateway 7 receives the access response data from the application gateway 30 and stores it in a storage device such as a work memory area (step S53). Then, the address conversion unit 73 of the gateway 7 converts the destination address of the access response data from the global address to the local address (step S55). Then, the communication control unit 72 transmits access response data to the user terminal 13 (step S57). The user terminal 13 receives the access response data and stores it in a storage device such as a work memory area (step S59). Thereafter, the user terminal 13 and the Web server 27 perform data communication according to HTTPS.

  In this way, server access via the application gateway 30 is performed. Thereby, encapsulation and encryption can be prevented from being performed twice, and the size of communication data is not unnecessarily increased.

[Embodiment 2]
A processing flow according to the second embodiment of the present invention is shown in FIGS. The system configuration is the same as that of the first embodiment, and will be described below using the components shown in FIG. First, the processing flow shown in FIG. 5 is obtained by changing the processing of step S11 and step S13 of the processing flow shown in FIG. 2 to the processing of step S81. . The process of step S81 is executed by the authentication server 23 after the authentication process of step S79 is performed. In the processing flow of FIG. 2, the permitted IP address is transmitted to the application gateway 30 and the application gateway 30 holds the permitted IP address. In this embodiment, the authentication server 23 sets the permitted IP address. The data is stored in the IP address storage unit 230 (FIG. 5: Step S81).

  In this way, the VPN connection is established, and the permitted IP address is stored in the IP address storage unit 230. Further, the VPN connection state is held in the application gateway 30.

  The process flow shown in FIG. 6 is obtained by changing the process in step S43 of the process flow shown in FIG. 3 to the process in step S113. In the permitted IP address confirmation processing in step S113, the access control unit 32 of the application gateway 30 receives an access request to the Web server 27 from the gateway 7 (step S111), and then authenticates with the access control unit 32 of the application gateway 30. It is executed by the server 23. Specifically, first, the access control unit 32 of the application gateway 30 transmits the IP address of the gateway 7 that is the access request source to the authentication server 23. The authentication server 23 collates whether the received IP address matches the permitted IP address stored in the IP address storage unit 230 and transmits the collation result to the application gateway 30. When the access control unit 32 of the application gateway 30 receives the collation result, the access control unit 32 confirms the state of the VPN connection, and in the state where the VPN connection is established based on the received collation result and the VPN connection state, the permitted IP address If it is an access request from the gateway 7 having the above, it is determined that “access is permitted”.

  In this way, server access via the application gateway 30 is performed. In the present embodiment, an inquiry to the authentication server 23 is made instead of the application gateway 30 need not hold the permitted IP address.

[Embodiment 3]
FIG. 7 shows a system configuration diagram according to the third embodiment of the present invention. The system configuration shown in FIG. 7 is obtained by removing the IP address storage unit 230 from the system configuration shown in FIG. 1 and adding an access management server 22 newly. In addition, the same number is attached | subjected about the component similar to the component of the system shown in FIG. 1, and redundant description is abbreviate | omitted below. One or a plurality of access management servers 22 exist and are connected to the in-house LAN 21 by radio or wire. The processing contents of the access management server 22 will be described in the following description of the processing flow.

  FIG. 8 shows a processing flow of the system shown in FIG. The processing flow shown in FIG. 8 excludes the processing of step S81 from the processing flow shown in FIG. 5 and newly adds the processing of steps S163 to S171. Since other processes are the same, description thereof is omitted. Steps S163 to S171 are executed after the VPN connection is established between the gateway 7 and the VPN server 5.

  First, the communication control unit 72 of the gateway 7 transmits an application / gateway connection request to the VPN server 5 (step S163). The VPN server 5 receives the application gateway connection request from the gateway 7 and transfers it to the access management server 22 (step S165). The access management server 22 receives the application gateway connection request from the VPN server 5 and stores it in a storage device such as a work memory area (step S167). Then, the access management server 22 transmits the IP address of the gateway 7 to the application gateway 30 as a permitted IP address (step S169). The application gateway 30 receives the permitted IP address from the access management server 22 and stores it in, for example, the permitted IP address table generated in the work memory area or the like (step S171).

  After the VPN connection is established in this way, the permitted IP address is held in the application gateway 30 by transmitting the permitted IP address from the access management server 22 to the application gateway 30 in response to a request from the gateway 7. Is done. When the access management server 22 confirms that the application gateway 30 has received the permitted IP address, the access management server 22 may transmit a permitted IP address setting response to the gateway 7 via the VPN server 5. In addition, the VPN server 5 may transmit application gateway related data to the gateway 7 together with the transmission of the permitted IP address setting response.

  Then, the server access processing via the application gateway 30 is performed according to the request from the user terminal, but since it is the same as the processing in the first embodiment (processing flow in FIG. 3), the description is omitted. .

[Embodiment 4]
FIG. 9 shows a system configuration diagram according to the fourth embodiment of the present invention. The system configuration illustrated in FIG. 9 is obtained by removing the IP address storage unit 230 from the system configuration illustrated in FIG. 1 and changing the installation location of the authentication server 23. In addition, the same number is attached | subjected about the component similar to the component of the system shown in FIG. 1, and redundant description is abbreviate | omitted below. In the present embodiment, the authentication server 23 is connected to the in-house LAN 21 by wireless or wired and is connected to the network 1 by wireless or wired. The processing content of the authentication server 23 in the present embodiment will be described in the description of the processing flow below.

  FIG. 10 shows a processing flow of the system shown in FIG. The processing flow shown in FIG. 10 is obtained by changing the processing from step S163 to step S171 to the processing from step S203 to step S213 in the processing flow shown in FIG. Since other processes are the same, description thereof is omitted. The processing from step S203 to step S213 is executed after the VPN connection is established between the gateway 7 and the VPN server 5.

  First, the communication control unit 72 of the gateway 7 transmits an application / gateway connection request to the authentication server 23 (step S203). The authentication server 23 receives the application gateway connection request from the gateway 7 and stores it in a storage device such as a work memory area (step S205). Then, the authentication server 23 transmits the IP address of the gateway 7 to the application gateway 30 as a permitted IP address (step S207).

  At this time, the authentication server 23 performs authentication processing of the gateway 7. If the authentication is not successful, the transmission process of the permitted IP address is not performed. In the third embodiment described above, since the access management server 22 receives the application gateway connection request via the VPN (VPN server 5), re-authentication of the gateway 7 that has already been authenticated for the VPN connection. No treatment was necessary. On the other hand, in the present embodiment, since the authentication server 23 receives an application / gateway connection request directly from the Internet (network 1), authentication processing of the data transmission source (here, the gateway 7) is performed again. .

  Then, the application gateway 30 receives the permitted IP address from the authentication server 23 and stores it in, for example, the permitted IP address table generated in the work memory area or the like (step S209). Further, for example, when the authentication server 23 confirms that the application gateway 30 has received the permitted IP address, the authentication server 23 transmits a permitted IP address setting response to the gateway 7 (step S211). The communication control unit 72 of the gateway 7 receives the permitted IP address setting response from the authentication server 23 and stores it in a storage device such as a work memory area (step S213).

  Thus, after the VPN connection is established, the permitted IP address is held in the application gateway 30 by transmitting the permitted IP address from the authentication server 23 to the application gateway 30 in response to a request from the gateway 7. The

  Then, the server access processing via the application gateway 30 is performed according to the request from the user terminal, but since it is the same as the processing in the first embodiment (processing flow in FIG. 3), the description is omitted. .

[Embodiment 5]
FIG. 11 shows a processing flow according to the fifth embodiment of the present invention. The system configuration is the same as that of the fourth embodiment, and will be described below using the components shown in FIG. First, in the processing flow shown in FIG. 11, the processing in steps S191 and S193 in the processing flow shown in FIG. 10 is changed to the processing in steps S231 and S233, and the processing in steps S211 and S213 (FIG. 10) is performed. Since the processing is changed to the processing of S251 and step S253, and the other processing is the same, the description thereof is omitted.

  First, in the process of step S231, the VPN server 5 transmits a VPN connection response to the gateway 7. In step S191 (FIG. 10), the application gateway related data is also transmitted, but here the application gateway related data is not transmitted. The VPN client 71 of the gateway 7 receives the VPN connection response data from the VPN server 5 and stores it in a storage device such as a work memory area (step S233).

  Then, the processing from step S235 to step S249 is performed, and in the processing of step S251, the authentication server 23 transmits the application / gateway related data and the permitted IP address setting response to the gateway 7. That is, since the VPN server 5 has not transmitted the application gateway related data to the gateway 7 in step S231, the authentication server 23 transmits at this time. In some cases, the authentication server 23 does not hold application / gateway related data in advance. In such a case, the authentication server 23 transmits a request for application gateway related data to the application gateway 30, and transmits the application gateway related data received from the application gateway 30 to the gateway 7.

  Then, the communication control unit 72 of the gateway 7 receives the application gateway related data and the permitted IP address setting response from the authentication server 23 and stores them in, for example, the application gateway related data storage unit in the work memory area or the like (step) S253).

  In this way, application gateway related data is held in the gateway 7. Then, the server access processing via the application gateway 30 is performed according to the request from the user terminal, but since it is the same as the processing in the first embodiment (processing flow in FIG. 3), the description is omitted. .

  As described above, in secure communication, appropriate path control is performed so as not to perform double encapsulation or encryption.

  The authentication server 23, mail server 25, Web server 27, application server 29, access management server 22 (FIG. 7), VPN server 5, application gateway 30, gateway 7, user terminal 11 and user terminal 13 are: The computer device shown in FIG. 12 includes a memory 201, a CPU 203, a hard disk drive (HDD) 205, a display control unit 207 connected to the display device 209, a drive device 213 for the removable disk 211, and an input device 215. And a communication control unit 217 for connecting to a network are connected by a bus 219. An application program including an operating system (OS) and a program for realizing processing in the present embodiment is stored in the HDD 205, and is read from the HDD 205 to the memory 201 when executed by the CPU 203. It is. If necessary, the CPU 203 controls the display control unit 207, the communication control unit 217, and the drive device 213 to perform necessary operations. Further, data in the middle of processing is stored in the memory 201, and if necessary, stored in the HDD 205. A program for realizing the processing in the embodiment of the present invention is stored in the removable disk 211 and distributed, for example, is received from the drive device 213 or via the network and communication control unit 217, and is installed in the HDD 205. Such a computer apparatus realizes various functions as described above by organically cooperating hardware such as the CPU 203 and the memory 201 with the OS and necessary application programs. The gateway 7 may be a dedicated device such as a router having a memory and a processor.

  Although the embodiment of the present invention has been described above, the present invention is not limited to this. For example, the functional block configuration of the application gateway 30 and the functional block configuration of the gateway 7 shown in FIGS. 1, 7, and 9 are examples, and may differ from the actual program module configuration. Each server may be constituted by a plurality of computers, and one server may have a plurality of server functions. In addition, the outline diagram of the communication route setting illustrated in FIGS. 4A and 4B is an example, and the communication protocol to be applied is not limited to that illustrated in the drawings. The processing flows shown in FIGS. 2, 3, 5, 6, 8, 10, and 11 are also examples, and the processing order may be changed within a range in which similar processing results can be obtained. However, steps may be added or deleted as necessary. Further, the functional block diagram of the computer shown in FIG. 12 is an example, and may differ from the actual hardware configuration.

It is a system configuration figure in the 1st and 2nd embodiment of the present invention. It is a figure which shows the process flow of the first half in the 1st Embodiment of this invention. It is a figure which shows the processing flow of the second half in the 1st, 3rd, 4th and 5th embodiment of this invention. It is a schematic diagram (the 1) of communication route setting. It is a schematic diagram (the 2) of communication route setting. It is a figure which shows the processing flow of the first half in the 2nd Embodiment of this invention. It is a figure which shows the process flow of the second half in the 2nd Embodiment of this invention. It is a system block diagram in the 3rd Embodiment of this invention. It is a figure which shows the process flow of the first half in the 3rd Embodiment of this invention. It is a system configuration figure in the 4th and 5th embodiment of the present invention. It is a figure which shows the processing flow of the first half in the 4th Embodiment of this invention. It is a figure which shows the processing flow of the first half in the 5th Embodiment of this invention. It is a figure which shows the outline | summary of the functional block of the computer in embodiment of this invention. It is a block diagram of a general VPN connection system.

Explanation of symbols

1 Network 5 VPN Server 7 Gateway 9 Base LAN
3, 11, 13 User terminal 21 Internal LAN
DESCRIPTION OF SYMBOLS 22 Access management server 23 Authentication server 25 Mail server 27 Web server 29 Application server 30 Application gateway 31 Relay processing part 32 Access control part 33,71 VPN client 72 Communication control part 73 Address conversion part 230 IP address storage part

Claims (16)

A communication control method executed by an application gateway server in which a VPN server communicates with a specific VPN client device for VPN connection and controls access to the specific server,
Receiving an IP address of a VPN client device to which access to the specific server is to be permitted, and storing the IP address in a storage device;
In the state where the VPN connection is established between the VPN server and the specific VPN client device, when access request data to the specific server is received by a communication means different from the VPN connection, A determination step of determining whether to permit access to the specific server by a communication means different from the VPN connection based on an IP address of a transmission source of access request data and an IP address stored in the storage device;
A communication control method executed by an application gateway server. In the permitted IP address receiving step,
An IP address of a VPN client device authenticated by a predetermined authentication processing server for the VPN connection with the VPN server is received from the predetermined authentication processing server and stored in the storage device. Item 4. The communication control method according to Item 1. A communication control method executed by an application gateway server in which a VPN server communicates with a specific VPN client device for VPN connection and controls access to the specific server,
In a state where the VPN connection is established between the VPN server and the specific VPN client device, when access request data to the specific server is received by a communication means different from the VPN connection, Transmitting an IP address of a transmission source of access request data to a predetermined authentication server;
A determination result is received from the predetermined authentication server as to whether or not the IP address of the transmission source of the access request data is an IP address of a VPN client device that should be allowed to access the specific server, and stored in the storage device Storing, and
A communication control method executed by an application gateway server. In the permitted IP address receiving step,
The connection request data to the application gateway server from a predetermined access management server that has received via the VPN server, when receiving the transmission source IP address of the connection request data, the access to certain servers The communication control method according to claim 1, wherein an IP address of a VPN client device to be permitted is stored in the storage device. In the permitted IP address receiving step,
The connection request data to the application gateway server is received by a communication means different from the VPN connection, and the transmission source of the connection request data is sent from a predetermined authentication server that has authenticated the transmission source of the connection request data. The communication control method according to claim 1, wherein when an IP address is received, the IP address is stored in the storage device as an IP address of a VPN client device to which access to the specific server should be permitted. In the determination step, when it is determined that the access source of the access request data is permitted to access the specific server by communication means different from the VPN connection, a server service that can be relayed in the application gateway server 6. The method according to claim 5, further comprising: transmitting at least any one of data relating to an IP address of the application gateway server and data relating to a processing method in the application gateway server to a transmission source of the access request data. Communication control method. If the state of the disconnection request and the VPN connection VPN connection is detected either be in a disconnected state, for said VPN connection the VPN client unit to be disconnected, unauthorized access of the to a particular server The communication control method according to any one of claims 1 to 6, further comprising a step of: A communication control method executed by an authentication server that authenticates a specific VPN client device to which a VPN server performs VPN connection,
Data relating to server services that can be relayed in an application gateway server that communicates with the specific VPN client device and controls access to the specific server, the IP address of the application gateway server, and the application gateway When receiving at least one of the data related to the processing method in the server, the step of storing in the storage device as gateway related data;
When the specific VPN client device requesting the VPN connection is authenticated, the gateway related data stored in the storage device is transmitted to the specific VPN client device by a communication means different from the VPN connection. Steps,
And a communication control method executed by the authentication server. An authentication step of determining whether or not authentication of the request source of the gateway related data is received when the request of the gateway related data is received;
When the requester of the gateway related data is authenticated in the authentication step, the gateway related data stored in the storage device is transmitted to the requester of the gateway related data by a communication means different from the VPN connection. Steps,
The communication control method according to claim 8, further comprising: A communication control method executed by a VPN client device connected to a user terminal and capable of VPN connection with a VPN server,
Data related to a server service that can be relayed in the application gateway server from any one of a predetermined authentication server, the VPN server, and the application gateway server, an IP address of the application gateway server, the application gateway A step of storing data relating to a processing method in the server and a destination IP address that cannot be relayed in a storage device as gateway-related data;
When access request data to a specific server is received from the user terminal in a state where the VPN connection is established with the VPN server, the gateway server uses the gateway related data to pass through the VPN server. A route setting step for setting any one of a communication route, a communication route via the application gateway server, and another communication route;
When the communication path is set to a communication path passing through the application gateway server, access request data to the specific server in a mode that the application gateway server can relay using the gateway related data Sending to the application gateway server;
And a communication control method executed by a VPN client device.   11. The communication control according to claim 10, wherein in the route setting step, a case where a destination IP address of access request data to the specific server matches a predetermined IP address is excluded from a route setting processing target. Method.   A program for causing a computer to execute the communication control method according to any one of claims 1 to 11. A VPN server having VPN connection means;
A VPN client device for VPN connection with the VPN server;
An application gateway server capable of communicating with the VPN client device and controlling access to a specific server;
Communication with the VPN client device is possible without going through the VPN server, and access to the specific server in a state where a VPN connection is established between the VPN server and the VPN client device An authentication server that accepts an authentication request from a specific VPN client device that requests and transmits the IP address of the authenticated specific VPN client device to the application gateway server when the specific VPN client device is authenticated When,
A communication control system. An application gateway server for controlling access to a specific server from a specific VPN client device to which the VPN server makes a VPN connection,
Means for receiving an IP address of a VPN client device to which access to the specific server should be permitted and storing it in a storage device;
In the state where the VPN connection is established between the VPN server and the specific VPN client device, when access request data to the specific server is received by a communication means different from the VPN connection, Means for determining whether to permit access to the specific server by a communication means different from the VPN connection based on an IP address of a transmission source of access request data and an IP address stored in the storage device;
An application gateway server. A VPN client device for connecting to a user terminal and realizing VPN connection in communication with a VPN server,
Data related to a server service that can be relayed in the application gateway server from any one of a predetermined authentication server, the VPN server, and the application gateway server, an IP address of the application gateway server, the application gateway Means for storing data related to a processing method in the server and a destination IP address that cannot be relayed in a storage device as gateway-related data;
When access request data to a specific server is received from the user terminal in a state where the VPN connection is established with the VPN server, the gateway server uses the gateway related data to pass through the VPN server. Means for setting any one of a communication path, a communication path via the application gateway server, and another communication path;
When the communication path is set to a communication path passing through the application gateway server, access request data to the specific server in a mode that the application gateway server can relay using the gateway related data Means for transmitting to the application gateway server;
VPN client device. A VPN server for realizing VPN connection in communication with a VPN client device,
Data related to server services that can be relayed in the application gateway server from the application gateway server that communicates with the VPN client device and controls access to a specific server, and the IP address of the application gateway server And at least one of data relating to the processing method in the application gateway server, means for storing in the storage device as gateway related data;
Means for transmitting a VPN connection response and the gateway-related data to the VPN client device when establishing a VPN connection with the VPN client device;
A VPN server.

Images