JP5633748B2 - Relay server and relay communication system - Google Patents

Description

  The present invention mainly relates to a relay server that enables communication between terminals connected to different LANs (Local Area Networks).

  Conventionally, a communication technique called a virtual private network (VPN) is known (see, for example, Patent Document 1). This VPN is used, for example, for applications in which terminals connected to LANs of a plurality of branch offices (bases) provided for each region communicate via the Internet. If the VPN is used, another remote LAN can be used as if it were a directly connected network.

JP 2002-217938 A

  By the way, in this type of system, communication between devices is generally performed using the IP address and identification information of the devices. On the other hand, when working in this type of system, the equipment used by the operator is not always the same, and different equipment may be used at the destination and the destination. Since this means a change in VPN configuration equipment, it is usually necessary to change the VPN settings. However, when changes to the network settings occur, these changes must be reflected on other devices, resulting in complicated processing.

  The present invention has been made in view of the above circumstances, and a main object of the present invention is to provide a relay server that can flexibly and flexibly construct a VPN in accordance with equipment used by an operator.

Means and effects for solving the problems

  The problems to be solved by the present invention are as described above. Next, means for solving the problems and the effects thereof will be described.

  According to a first aspect of the present invention, a relay server having the following configuration is provided. That is, the relay server has first address filter information that is an address to which the packet can be transferred, and second address filter information that is an address to which the connection target device indicating the other relay server and the client terminal can transfer the packet. And means for accepting identification information of an operator who performs a login operation via a communication device connected via a LAN, and the connection to which the operator can connect based on the identification information of the operator who has accepted the login Means for acquiring a list of target devices, means for receiving selection of the connection target device by an operator from the list of connectable target devices, and establishing a routing session with the connection target device selected by the operator Means. The relay server stores, as first address filter information, the address of the communication device on which the operator has logged in, and transmits the address of the communication device to the connection target device. The relay server stores the address received from the connection target device as second address filter information. If the transmission destination of the received packet is stored as the first address filter information, the relay server transmits the packet to the transmission destination. When the transmission destination of the received packet is stored as the second address filter information, the relay server transmits the packet to the routing session.

  Thus, the operator can perform communication using the routing session established between the relay server and the selected connection target device. In the above configuration, a connection target device that can be connected for each operator is set. Therefore, even if the communication device used by the operator is changed, if the operator who logs in is the same, it is possible to establish a routing session with the same partner as before and perform communication. Further, different access control can be easily performed for each operator.

  According to a second aspect of the present invention, a relay server having the following configuration is provided. That is, the relay server includes an address filter information storage unit and a control unit. The address filter information storage unit can store address filter information indicating an address of a routing target device that can be specified as a packet transfer destination by itself (relay server) in association with its own identification information, and is connected to itself. The connection target device indicating the possible connection target relay server and the client terminal belonging to the connection target relay server receives the address filter information indicating the address of the routing target device that can be designated as the packet transfer destination of the connection target device. It can be stored in association with the identification information. The control unit includes a connection target device acquisition control unit, a VPN start control unit, an address filter information communication control unit, a routing session establishment control unit, and a routing control unit. The connection target device acquisition control unit is information stored in itself (relay server) or another relay server to which the connection target device can be connected, and can log in to a relay communication system including the device and the connection target device. The connection that can be connected by the operator who made the login request based on the connection permission information that is the information that associates the identification information of the correct operator with the identification information of the connection target device that can be connected by the operator Get the target device. The VPN start control unit performs a virtual private network start process on the selected connection target device among the acquired connection target devices. The address filter information communication control unit stores, in the address filter information storage unit, the address of the communication device operated by the operator to make a login request as address filter information associated with the identification information of itself (relay server). The address filter information is transmitted to the connection target device, and the address filter information received from the connection target device is stored in the address filter information storage unit as address filter information associated with the identification information of the connection target device. The routing session establishment control unit establishes a routing session for the selected connection target device. When the destination of the received packet is specified in the address filter information associated with the identification information of itself (relay server), the routing control unit transmits the packet to the destination, When the transmission destination is specified in the address filter information associated with the identification information of the connection target device, the connection is made via a routing session established between itself (relay server) and the connection target device. Send the packet to the target device.

  Thereby, using the constructed VPN, communication can be performed between the communication device operated by the operator to make a login request and the routing target device to which the connection target device can transfer the packet. In the connection permission information, the identification information of the operator is associated with the identification information of the connection target device that can be connected by the operator. Therefore, even if the device used for login by the operator is changed, if the operator who logs in is the same, a VPN including the same partner as before can be easily constructed and used on the spot. Further, different access control can be easily performed for each operator.

  The relay server preferably has the following configuration. That is, the relay server includes a management destination information storage unit that stores identification information of a relay server with a management function that manages a relay server including itself (relay server). The connection permission information is stored by the relay server with management function. When the control unit receives a login request from an operator, the control unit can connect to the relay server with management function based on the storage contents of the management destination information storage unit, so that the operator who has made the login request can connect. The connection target device is acquired.

  Accordingly, since the relay server with a management function is configured to centrally manage the connection permission information, it is not necessary to share the connection permission information by a plurality of devices. Therefore, the synchronization control of the connection permission information between the devices becomes unnecessary, and the processing performed by the relay server can be lightened.

  The relay server preferably has the following configuration. That is, the relay server includes a connection permission information storage unit that stores the connection permission information. When the control unit receives a login request from an operator, the control unit acquires the connection target device that can be connected by the operator who has made the login request, based on the connection permission information stored in the connection permission information storage unit. To do.

  That is, when the relay server with a management function centrally manages the connection permission information as in the above configuration, it is necessary to access the relay server every time a login request is received from the operator. In this regard, in the above configuration, the connection target device that can be connected by the operator who has made the login request can be acquired simply by referring to the stored content of itself (relay server). For this reason, the process up to the start of VPN can be simplified.

  In the relay server, the device itself (relay server) or the connection target device stores an operator group composed of a plurality of operators using identification information of operators constituting the operator group, and creates a virtual private network. It is preferable to store, for each operator group, identification information of the connection target device that can be connected by an operator when building.

  This makes it possible to simplify the storage content of the connection permission information storage unit when a team is formed by a plurality of operators and maintenance of a predetermined connection target device (and routing target device) is performed in the team. . In addition, even when there is a change in the operators that make up this team, it is only necessary to delete the operator's identification information from the operator group or add it to the operator group, making it easy to set connection permission information. .

  According to the 3rd viewpoint of this invention, the relay communication system of the following structures is provided. That is, the relay communication system includes a relay server and a client terminal belonging to the relay server. The relay server that functions as a connection source relay server among the relay servers includes an address filter information storage unit and a control unit. The address filter information storage unit can store address filter information indicating an address of a routing target device that can be specified as a packet transfer destination by itself (relay server) in association with its own identification information, and is connected to itself. The connection target device indicating the possible connection target relay server and the client terminal belonging to the connection target relay server receives the address filter information indicating the address of the routing target device that can be designated as the packet transfer destination of the connection target device. It can be stored in association with the identification information. The control unit includes a connection target device acquisition control unit, a VPN start control unit, an address filter information communication control unit, a routing session establishment control unit, and a routing control unit. The connection target device acquisition control unit is based on connection permission information that is information in which operator identification information is associated with identification information of the connection target device that can be connected by the operator when constructing a virtual private network. Then, the connection target device that can be connected by the operator who made the login request is acquired. The VPN start control unit performs a virtual private network start process on the selected connection target device among the acquired connection target devices. The address filter information communication control unit stores, in the address filter information storage unit, the address of the communication device operated by the operator to make a login request as address filter information associated with the identification information of itself (relay server). The address filter information is transmitted to the connection target device, and the address filter information received from the connection target device is stored in the address filter information storage unit as address filter information associated with the identification information of the connection target device. The routing session establishment control unit establishes a routing session for the selected connection target device. When the destination of the received packet is specified in the address filter information associated with the identification information of itself (relay server), the routing control unit transmits the packet to the destination, When the transmission destination is specified in the address filter information associated with the identification information of the connection target device, the packet is transmitted to the connection target device via a routing session established between itself and the connection target device. Send.

  Thereby, using the constructed VPN, communication can be performed between the communication device operated by the operator to make a login request and the routing target device to which the connection target device can transfer the packet. In the connection permission information, the identification information of the operator is associated with the identification information of the connection target device that can be connected by the operator. Therefore, even if the device used for login by the operator is changed, if the operator who logs in is the same, a VPN including the same partner as before can be easily constructed and used on the spot. In addition, it is possible to set different access ranges for each operator.

BRIEF DESCRIPTION OF THE DRAWINGS Explanatory drawing which shows the whole structure of the relay communication system which concerns on one Embodiment of this invention. The functional block diagram of the relay server 1 with a management function. The functional block diagram of the relay servers 2 and 3 to be managed. The functional block diagram which shows the detailed structure of the communication control part 63 of a relay server. The figure which shows the content of operator information. The figure which shows the content of connection permission information. The figure which shows the content of the address filter information shared between the relay server 2 and the client terminal 47. FIG. The sequence diagram which shows the flow of the process which starts VPN in this invention. The figure explaining the path | route when the communication apparatus 22 transmits a packet to the file server 46. FIG. The figure explaining the path | route when the file server 46 transmits a packet to the communication apparatus 22. FIG. The functional block diagram which shows the modification of the relay server 2. FIG. The figure which shows the content of operator group information. The figure which shows the content of the connection permission information in a modification.

  Next, embodiments of the present invention will be described with reference to the drawings. First, an overview of the relay communication system 100 of the present embodiment will be described with reference to FIG. FIG. 1 is an explanatory diagram showing the overall configuration of a relay communication system 100 according to an embodiment of the present invention.

  As shown in FIG. 1, the relay communication system 100 includes a plurality of relay servers 1, 2, 3 connected to a wide area network (WAN) 80, relay servers 1, 2, 3 and a LAN 10, And client terminals 11, 21, 42, 47 connected via 20, 30, 40, 45. Further, the LANs 10, 20, and 30 are arranged at physically separated locations. In the present embodiment, the Internet is used as the WAN 80.

  Next, each LAN will be described. As shown in FIG. 1, a relay server 1 and a client terminal 11 are connected to the LAN 10. Connected to the LAN 20 are the relay server 2, the client terminal 21, and the communication devices 22 and 23. A relay server 3 and a file server 31 are connected to the LAN 30. In addition, another LAN 40 is connected to the LAN 30 via a router 32, and another LAN 45 is further connected via a router 33. A file server 41 and a client terminal 42 are connected to the LAN 40. A file server 46 and a client terminal 47 are connected to the LAN 45. Each client terminal can communicate with another relay server or a client terminal connected to another relay server via the relay server connected to the client terminal. Although only a part is shown in FIG. 1, it is assumed that a large number of client terminals and the like are arranged on the LANs 20 and 30.

  In operating the relay communication system 100, an operator is kept waiting at a place where the LAN 20 is installed. In the LANs 30, 40, and 45, file servers 31, 41, and 46, which are targets for maintenance by the operator, are arranged. Further, the place where the LAN 10 is installed is a base for managing maintenance work by the operator, and the access authority for each operator is preset in the relay server 1 (as connection permission information described later). The operator uses the communication devices 22, 23, etc. to access the file servers 31, 41, 46, etc. within the range of access authority possessed by the operator himself and perform maintenance.

  Thus, in this relay communication system 100, it is assumed that a connection is made from the operator to the maintenance destination. In the following description, a relay server connected to a connection source LAN, such as the relay server 2, is referred to as a connection source relay server, and a connection target relay server, such as the relay server 3, is connected to the connection target relay. Sometimes called a server. Further, the relay server to be connected and the client terminals belonging to the relay server may be collectively referred to as connection target devices.

  Next, the relay servers 1, 2, and 3 will be described with reference to FIGS. FIG. 2 is a functional block diagram of the relay server 1 which is a relay server with a management function. FIG. 3 is a functional block diagram of the relay servers 2 and 3.

  Since each of the relay servers 1, 2, and 3 is connected not only to the LANs 10, 20, and 30 but also to the WAN 80, not only can it communicate with client terminals connected to the same LAN, but also to other LANs. It is possible to communicate with the arranged relay server. Therefore, a private IP address is assigned to the relay servers 1, 2, and 3 in addition to the global IP address.

  In the relay communication system 100 according to the present embodiment, one of the relay servers included in the system operates as a relay server with a management function, and the other relay servers operate as managed relay servers. It is configured. In the present embodiment, the relay server 1 is set to operate as a relay server with a management function, and the remaining relay servers 2 and 3 are set to operate as managed relay servers. In the following, first, the relay server 1 with a management function will be mainly described, and then the relay servers 2 and 3 to be managed will be described.

  As illustrated in FIG. 2, the relay server 1 with a management function includes a storage unit 50, a control unit 60, and an interface unit 70.

  The interface unit 70 can communicate with a terminal in the LAN 10 using a private IP address. In addition, the interface unit 70 can perform communication via the WAN 80 using a global IP address.

  The control unit 60 is a CPU having control and calculation functions, for example, and can execute various processes by a program read from the storage unit 50. The control unit 60 can control various communications according to protocols such as TCP / IP, UDP, and SIP. As shown in FIG. 2, the control unit 60 includes an interface driver 61, a LAN side IP packet processing unit 62, a communication control unit 63, and a WAN side IP packet processing unit 64.

  The interface driver 61 is driver software that controls the interface unit 70. The LAN side IP packet processing unit 62 performs appropriate processing on the packet received from the LAN 10 and outputs the packet to the communication control unit 63. The WAN-side IP packet processing unit 64 performs appropriate processing on the packet received from the WAN 80 and outputs the packet to the communication control unit 63.

  For the received packet, the communication control unit 63 determines a transmission destination based on the information indicated by the packet and the information stored in the storage unit 50, and transmits the packet to the determined transmission destination. Moreover, the communication control part 63 can update the memory content of the memory | storage part 50 based on the information received from the other terminal. As shown in FIG. 4, the communication control unit 63 includes a connection target device acquisition control unit 631, a VPN start control unit 632, an address filter information communication control unit 633, a routing session establishment control unit 634, and a routing control unit 635. And comprising. The control performed by each control unit will be described later.

  The storage unit 50 is composed of, for example, a hard disk or a nonvolatile RAM, and can store various data. The storage unit 50 includes an operator information storage unit 51 and a connection permission information storage unit 52. Hereinafter, the contents stored in the storage unit 50 will be described with reference to FIGS. 5 and 6. FIG. 5 is a diagram showing the contents of the operator information. FIG. 6 is a diagram showing the contents of the connection permission information.

  The operator information storage unit 51 provided in the relay server 1 stores operator information that is information for specifying an operator who can log in to the relay communication system 100 and information indicating the usage status of the operator. The operator information storage unit 51 is configured only in the relay server 1 with a management function, and the relay servers 2 and 3 do not include the operator information storage unit 51 as shown in FIG. . Hereinafter, the contents of the operator information will be specifically described.

  In the operator information shown in FIG. 5, a list of operator IDs that can log in to the relay communication system 100 is described in the column described as “operator ID”. This operator ID is composed of a unique character string set for each operator. In the column described as “password”, a password necessary for logging in to the relay communication system 100 using the operator ID described in the same row is described. Each operator can log in to the relay communication system 100 using the operator ID and password set in the operator.

  The flow when the operator logs in to the relay communication system 100 using this operator ID and password will be briefly described. An operator may make a login request to the relay communication system 100 by accessing the relay server 2 or the client terminal 21 using the communication devices 22 and 23 and inputting the operator ID and password on a predetermined login screen. it can. The relay server 2 or the client terminal 21 that has received this login request transmits this input content to the relay server 1. The relay server 1 that has received the input content collates the operator ID and password input by the operator with the operator information stored in the operator information storage unit 51, and the operator ID has already been logged in through another relay server. It is determined whether or not. The relay server 1 determines whether or not login is possible based on this result.

  FIG. 5 shows an example of operator information stored in the operator information storage unit 51 of the relay server 1. In this operator information storage unit 51, in the column described as “used device information”, when the operator has logged in to the relay communication system 100 using the operator ID described in the same row, the operator relays Information relating to devices on the relay communication system 100 side used to log in to the communication system 100 (specifically, not the communication devices 22 and 23 but the relay server 2 or the client terminal 21; hereinafter referred to as “used device”). (Used device information) is described.

  Specifically, when an operator logs in using a relay server, the identification information of the relay server is used device information. For example, when the operator 92 in FIG. 1 logs in to the relay server 2 via the communication device 22, the operator information storage unit 51 of the relay server 1 stores the identification information of the relay server 2 as shown in FIG. It is described as used device information associated with the operator ID (Op2) of the operator 92.

  On the other hand, when the operator logs in using a client terminal, both the identification information of the client terminal and the identification information of the relay server to which the client terminal belongs are used device information. For example, when the operator 91 in FIG. 1 logs into the client terminal 21 via the communication device 23, the operator information storage unit 51 of the relay server 1 stores the identification information of the client terminal 21 and the identification information of the relay server 2. As shown in FIG. 5, it is described as used device information associated with the operator ID (Op 1) of the operator 91.

  When the operator is not logged in to the relay communication system 100, the used device information is blank (see used device information corresponding to Op3 and Op4 in FIG. 5).

  Among the operator information stored in the operator information storage unit 51, a list of operator IDs that can be logged in and a password set for each operator ID are set in advance by each operator, administrator, and the like. On the other hand, the used device information is updated to the latest information every time the operator logs in or logs out.

  The connection permission information storage unit 52 stores connection permission information indicating an access authority of an operator who can log in to the relay communication system 100. In this embodiment, the connection permission information storage unit 52 is provided only in the relay server 1 with a management function. As shown in FIG. 3, the relay servers 2 and 3 store the connection permission information. The part 52 is not provided. Hereinafter, the content of the connection permission information will be specifically described.

  In the connection permission information illustrated in FIG. 6, a list of operator IDs that can log in to the relay communication system 100 is described in a column in which “operator ID” is described. In the column described as “identification information of connection target device”, the identification information of the connection target device that is permitted to connect using the operator ID described in the same row is described. Specifically, when the operator 92 (operator ID = Op2) operates the communication device 22 to access the relay server 2 and logs in to the relay communication system 100 using the relay server 2, the operator 92 The connection between the relay server 2 (use device) and the connection target device (specifically, the client terminal 42 or the client terminal 47) corresponding to the operator 92 in the connection permission information of FIG. 6 can be used. . In this case, a routing session starting from the relay server 2 (use device) and ending with the client terminal 42 or the client terminal 47 via the relay server 3 is established, and a virtual private using the routing session is established. A network (VPN) is established.

  Here, in the connection permission information (FIG. 6) stored in the connection permission information storage unit 52, the connection target device is associated with the operator ID (not the identification information of the device used). For this reason, even when the device used by the operator 92 at the time of login is different, the connectable connection target devices are the same as described above. For example, if the operator 92 operates the communication device 23 to access the client terminal 21 and logs in to the relay communication system 100 using the client terminal 21, the client terminal 21 (use device) is the starting point, A routing session with the client terminal 42 or client terminal 47 as an end point is established via the relay server 2 and the relay server 3, and a VPN using the routing session is established.

  Next, the configuration of the relay servers 2 and 3 will be described with reference to FIG. FIG. 7 is a diagram illustrating the contents stored in the address filter information storage unit. The relay server 3 has substantially the same configuration as the relay server 2, and therefore, the relay server 2 will be described as a representative.

  The relay server 2 includes a control unit 60 and an interface unit 70 that are configured in the same manner as the relay server 1. On the other hand, the storage unit 50 of the relay server 2 is different from the storage unit 50 of the relay server 1 in part of the stored contents. Specifically, the relay server 2 includes a management destination information storage unit 53 and an address filter information storage unit 54 in the storage unit 50.

  The management destination information storage unit 53 stores identification information of the relay server 1 that is a relay server with a management function and that manages itself. Therefore, the relay server 2 can access the relay server 1 that is a relay server with a management function by referring to the stored contents of the management destination information storage unit 53. If the relay server with a management function is changed due to maintenance or the like, the other relay server is notified to that effect, and the storage contents of the management destination information storage unit 53 are updated.

  The address filter information storage unit 54 is configured so that the relay server 2 forms a routing session with another device as a result of the operator logging in to the relay server 2 and the VPN using this routing session is constructed. If the packet has a transmission destination, address filter information indicating whether the relay server 2 transfers the packet is stored. In the following description, a device that forms a routing session with another device and transfers a packet may be referred to as a routing device. In this embodiment, the relay server can function as a routing device, and the client terminal can function as a routing device. However, the address filter information storage unit 54 of the relay server 2 stores the relay server 2. Is used when it functions as a routing device.

  FIG. 7A illustrates an overview of the contents stored in the address filter information storage unit 54. In FIG. 7A, the column of “routing target device” on the right side shows a device to which a packet is permitted to be transferred. Accordingly, in the example of FIG. 7A, when the relay server 2 functions as a routing device, if the transmission destination of the packet received by the relay server 2 is the file server 46 or the communication device 22, the relay server 2 Forwards the packet to another device. In this case, there are two possible transfer destinations: a case of another routing device and a case of the packet transmission destination itself. On the other hand, when the destination of the packet is not any of the above devices, the packet is not transferred.

  Therefore, this “routing target device” column corresponds to address filter information. As described above, this address filter information is used to determine whether or not a packet can be transferred based on the transmission destination (filter the packet).

  The “routing device” column on the left side of FIG. 7A indicates a routing device that can directly transmit a packet to the packet transmission destination indicated in the right column. Here, “directly transmittable” means that a routing device can transmit a packet to its destination without passing through another routing device.

  As shown in the table of FIG. 7A, in the address filter information storage unit 54, the address filter information includes a routing device (including itself) that can directly transmit a packet to the destination indicated by the address filter information. ) Is stored in a form associated with. Accordingly, the table of FIG. 7A is used not only for reference when filtering packets that are permitted to be transferred, but also for the purpose of determining a packet transfer route (packet routing). In the following description, as shown in FIG. 7 (a), information including itself and other routing devices used in constructing a VPN, and address filter information associated with each of them is used as packet transfer control. Sometimes called information.

  That is, according to the example of FIG. 7A, when the transmission destination of the packet received by the relay server 2 is the communication device 22, the relay server 2 sends the packet to the communication device 22 without passing through other routing devices. Can be sent. Therefore, the relay server 2 transfers the received packet to the communication device 22. In this manner, the address filter information associated with itself (that is, the address to which the packet can be transferred) may be referred to as first address filter information below.

  On the other hand, when the transmission destination of the packet received by the relay server 2 is the file server 46, according to FIG. 7A, in order to deliver the packet to the file server 46, the client terminal which is another routing device It can be seen that 47 must be routed. Therefore, the relay server 2 first transfers the packet to the client terminal 47 via the relay server 3. The client terminal 47 that has received this packet functions as a routing device, and further transfers the packet to the file server 46. In this way, the address filter information associated with other routing devices (that is, an address to which other routing devices can transfer a packet) may be referred to as second address filter information below. As described above, the relay server 2 includes means (address filter information storage unit 54) for storing the first address filter information and the second address filter information.

  FIG. 7B shows specific storage contents of the address filter information storage unit 54, and the substantial meaning thereof is the same as that of FIG. 7A. As shown in FIG. 7B, the address filter information storage unit 54 includes the identification information of each routing device used in the VPN and the IP address of the routing target device to which the routing device can directly transmit a packet. And a name are stored in association with each other.

  As the “routing target device name” in the column on the right side of FIG. 7B, for example, considering the type of device (processing device, communication device, file server, etc.) and the location where the device is placed, etc. Can set any name. The set name of the routing device can be displayed on the communication device 22 or the like connected to the relay server 2. Further, the relay server 2 not only displays the name of the device, but also obtains it by inquiring the operator ID of the operator who has logged in to the relay communication system 100 using the device as a device to be used. It can also be configured to display on the communication device 22 or the like. With the configuration described above, it is possible to manage the packet transfer destination routing target device and the like in an easily understandable manner.

  The relay server 2 is configured as described above. Although detailed description of the configuration of the client terminals 11, 21, 42, 47 is omitted, the storage unit 50 and the control unit 60 configured substantially the same as the relay server 2 are provided. In particular, the client terminal includes an address filter information storage unit capable of storing the same contents as the address filter information storage unit 54 included in the relay servers 2 and 3.

  Next, the process of creating the packet transfer control information as shown in FIG. 7 in each routing device (relay server and client terminal) will be described. As described above, the packet transfer control information defines rules for packet transfer control performed by the routing device for realizing the VPN. On the other hand, in the relay communication system 100 of the present embodiment, a plurality of VPNs having different constituent devices can be constructed. In order to realize such a relay communication system 100, the address filter information storage unit included in the relay server and the client terminal can store the packet transfer control information for each VPN. That is, every time a new VPN is constructed, new packet transfer control information is created and stored in the address filter information storage unit of the routing device.

  The routing session for VPN is formed between a device used by the operator and a connection target device designated by the operator when instructing creation of the VPN. That is, when creating a VPN, packet transfer control information as shown in FIG. 7 is created and stored in the address filter information storage unit in each of the used devices and connection target devices that function as routing devices. .

  For this reason, when a VPN is constructed, a relay server or client terminal that has functioned as a routing device can transmit address filter information associated with itself to a routing device on the other side. By exchanging the address filter information, each routing device synthesizes the address filter information associated with itself and the address filter information associated with another routing device, and performs packet transfer control as shown in FIG. Information is created and stored in the address filter information storage unit provided in itself.

  At this time, as address filter information associated with itself, different information is adopted depending on whether the device itself (routing device) is a used device or a connection target device. That is, the relay server and the client terminal that may function as a routing device have address filter information (hereinafter, referred to as “address filter information”) set in advance in the address filter information storage unit so as to indicate a device that can directly transmit a packet. (Sometimes called default address filter information). When the relay server or the client terminal functions as a routing device by specifying itself as a connection target device, the default address filter information is set as address filter information associated with the relay server or client terminal when the VPN is constructed. .

  On the other hand, when the device itself becomes a used device (the result of the operator using himself / herself for login) and functions as a routing device, the relay server or the client terminal may receive the default address filter information when constructing the VPN. Instead, the address of the device directly operated by the operator for logging in to the device is used as address filter information associated with the device.

  Next, a specific flow when the operator 92 logs into the relay communication system 100 and constructs a VPN will be described mainly with reference to FIG. FIG. 8 is a sequence diagram showing a flow of processing for starting a VPN in the present invention.

  As described above, the operator 92 performs an appropriate operation on the communication device 22 to access the relay server 2 and makes a login request using the relay server 2 as a device used. This login request requires input of an operator ID and a password. Then, when the operator 92 inputs the operator ID (Op2) and password (def) corresponding to the operator 92 and confirms the input contents, the relay server 2 receives the login request (sequence number 1). As described above, the relay server 2 includes means for receiving identification information of an operator who performs a login operation. Then, the relay server 2 transmits a login request to the relay server 1 together with the input operator ID, password, and used device information (specifically, identification information of the relay server 2) (sequence number 2).

  The relay server 1 that has received this login request or the like authenticates the operator ID and password based on the operator information shown in FIG. 5 (sequence number 3). Further, the relay server 1 determines whether or not another login using the input operator ID has been performed in order to prevent multiple logins with the same operator ID (sequence number 4). If the operator authentication is successful and the multiple login is not performed, the relay server 1 permits the login and updates the operator information in the operator information storage unit 51 (sequence number 5). That is, the identification information of the relay server 2 is stored as used device information corresponding to Op2.

  Then, the relay server 1 refers to the connection permission information stored in the connection permission information storage unit 52, and reads a list of connection target devices that can be connected by the operator 92 permitted to log in (sequence number 6). In this example, in the connection permission information shown in FIG. 6, the client terminals 42 and 47 are associated with the operator 92. Accordingly, the relay server 1 transmits the identification information of the client terminals 42 and 47 to the relay server 2 together with permission to log in (sequence number 7).

  Based on this notification, the connection target device acquisition control unit 631 of the relay server 2 can acquire connection target devices that can be connected by the operator 92 (that is, client terminals 42 and 47). That is, the relay server 2 includes means for obtaining a list of connection target devices that can be connected by the operator. Further, the relay server 2 displays a connection target device that can be connected by the operator 92 on the communication device 22 together with the fact that the login is permitted (sequence number 8). It is assumed that the operator 92 selects the client terminal 47 as a target to function as a routing device (connection target device) among the client terminals 42 and 47. The relay server 2 includes means for accepting the operator's selection. When the operator's selection is accepted (sequence number 9), the IP address of the communication device 22 directly operated by the operator 92 at the time of the login request is assigned to the identification information of the relay server 2. Are stored in the address filter information storage unit 54 as the first address filter information (sequence number 10). Specifically, the lower information in the table of FIG. 7 is stored in the address filter information storage unit 54. Next, the VPN start control unit 632 of the relay server 2 transmits a VPN start command to the client terminal 47 via the relay server 3, and the address filter information communication control unit 633 associates it with its own identification information. The stored address filter information (first address filter information) is transmitted to the client terminal 47 via the relay server 3 (sequence number 11).

  The client terminal 47 that has received this start command stores the received address filter information in the address filter information storage unit (sequence number 12). Here, as described above, the address filter information storage unit of the client terminal 47 stores in advance the address filter information for designating the file server 46 in association with the identification information of itself (client terminal 47) (the above-mentioned default). Stored as address filter information). Therefore, packet transfer control information including two pieces of address filter information is stored in the address filter information storage unit of the client terminal 47 as shown in FIG. The client terminal 47 transmits the address filter information (the upper information in the table of FIG. 7) associated with itself to the relay server 2 via the relay server 3 together with the fact that the signal has been received (sequence number). 13).

  In response to the response from the client terminal 47, the relay server 2 stores the received address filter information in the address filter information storage unit 54 as second address filter information (sequence number 14). As a result, as shown in FIG. 7, packet transfer control information including two pieces of address filter information is also stored in the address filter information storage unit 54 of the relay server 2. As described above, the exchange of the address filter information is completed between the relay server 2 and the client terminal 47. After the exchange of the address filter information, the address filter information storage unit 54 of the relay server 2 and the address filter information storage unit of the client terminal 47 both store the contents shown in FIG.

  The relay server 2 includes means for establishing a routing session (routing session establishment control unit 634), and performs communication control for establishing a routing session with the client terminal 47 on the client terminal 47 via the relay server 3. (Sequence number 15). As a result, a routing session is established with the relay server 2 as the starting point and the client terminal 47 as the end point via the relay server 3.

  In the above description, the processing for establishing a routing session between the relay server 2 as a device to be used and the client terminal 47 as a device to be connected has been described. However, a routing session may be established by a combination other than the above. Of course it is possible. For example, consider a case where the operator 91 accesses the client terminal 21 from the communication device 23 and logs in to the relay communication system 100 using the client terminal 21 as a used device. As shown in FIG. 6, the operator 91 is permitted to connect to the relay server 3. Therefore, in this case, it is possible to establish a routing session starting from the client terminal 21 via the relay server 2 and ending at the relay server 3. In this case, the address filter information storage unit of the routing device (client terminal 21 and relay server 3) stores the address of the communication device 23 as address filter information in association with the identification information of the client terminal 21.

  Next, routing control performed by the routing control unit 635 of the relay server 2 using the established routing session will be described. FIG. 9 is a diagram for explaining a route when the communication device 22 transmits a packet to the file server 46. FIG. 10 is a diagram illustrating a path when the file server 46 transmits a packet to the communication device 22.

  First, processing when the relay server 2 receives the first packet (packet01) shown in FIG. 9 will be described. The first packet is transmitted by the communication device 22, and the IP address (192.168.45.100) of the file server 46 is designated as the transmission destination address.

  When the relay server 2 receives the first packet, the relay server 2 compares the content stored in the address filter information storage unit 54 (FIG. 7) with the transmission destination address of the first packet. Then, a routing device that can directly transmit the packet to the transmission destination described in the first packet is checked. As shown in FIG. 7, the transmission destination address (192.168.45.100) of the first packet is stored as address filter information (second address filter information) associated with the client terminal 47. Therefore, the relay server 2 permits the transfer of the first packet, and the first packet is sent to the client terminal 47 as the final transmission destination via the routing session established between the relay server 2 and the client terminal 47. Transmit to the relay server 3.

  Similarly to the relay server 2, the client terminal 47 that has received the first packet also compares the content stored in the address filter information storage unit (FIG. 7) with the transmission destination address of the first packet. As a result, the client terminal 47 can directly transmit the packet because the transmission destination (192.168.45.100) described in the first packet is stored as the first address filter information. Detect that. Accordingly, the client terminal 47 permits the transfer of the first packet and transmits the first packet to the file server 46.

  Next, processing when the client terminal 47 receives the second packet (packet02) illustrated in FIG. 10 will be described. This second packet is transmitted by the file server 46, and the IP address (200.1.2.100) of the communication device 22 is designated as the transmission destination address.

  After receiving the second packet, the client terminal 47 performs the same process as described above, and the destination address (200.1.2.100) of the second packet is associated with the relay server 2. Detect that it is specified by information. Therefore, the client terminal 47 permits the transfer of the second packet, and the second packet is transmitted to the relay server 2 as the final destination via the routing session established between the client terminal 47 and the relay server 2. Transmit to the relay server 3.

  The relay server 2 that has received the second packet performs the same process as described above, and the address filter in which the transmission destination address (200.1.2.100) of the second packet is associated with itself (relay server 2). Detect that it is specified by information. Therefore, the relay server 2 permits the transfer of the second packet and transmits the second packet to the communication device 22.

  As described above, in the present embodiment, the routing target data is flowed in the routing session of the application layer. Therefore, the routing described above is different from normal IP routing.

  By performing routing in the application layer, remote LANs can communicate with each other using private IP addresses without being aware of the WAN. Further, as described above, the routing device can display the names of routing target devices that can be designated as packet transfer destinations. Therefore, the user can easily recognize to which device the packet can be transmitted using the VPN.

  As described above, the relay server 2 according to this embodiment has the first address filter information that is an address to which the packet can be transferred, and the address to which the client terminal 47 that is another connection target device can transfer the packet. And means for storing the second address filter information (address filter information storage unit 54). Further, the relay server 2 receives the identification information of the operator 92 who performs the login operation via the communication device 22 connected via the LAN 20, and the identification information (Op2) of the operator 92 that has accepted the login. Selected by the operator 92, a means for obtaining a list of connection target devices that can be connected, a means for accepting selection of a connection target device (client terminal 47) by the operator 92 from the list of connection target devices that can be connected And means for establishing a routing session with the client terminal 47 (routing session establishment control unit 634). The relay server 2 stores, as first address filter information, the address of the communication device 22 on which the operator 92 performs a login operation, and transmits the address of the communication device 22 to the client terminal 47. The relay server 2 stores the address of the file server 46 received from the client terminal 47 as second address filter information. When the transmission destination of the received packet is stored as the first address filter information, the relay server 2 transmits the packet to the transmission destination. When the transmission destination of the received packet is stored as the second address filter information, the relay server 2 transmits the packet to the routing session.

  As a result, the operator 92 can communicate using the routing session established between the relay server 2 and the selected client terminal 47. In the above configuration, a connection target device that can be connected for each operator is set. Therefore, even if the communication device used for login by the operator 92 is changed, it is possible to establish a routing session and communicate with the same partner as before. Further, different access control can be easily performed for each operator.

  The relay server 2 according to the present embodiment includes an address filter information storage unit 54 and a control unit 60. The address filter information storage unit 54 can store the address filter information indicating the address of the routing target device that can be designated as the packet transfer destination by the relay server 2 in association with the identification information of the relay server 2, and the relay server 2. Filter information indicating the address of a routing target device that can be specified as a packet transfer destination by a connection target device that can be connected to the device can be stored in association with the identification information of the connection target device. In the relay server 1 with a management function to which the relay server 2 can be connected, the identification information of the operator who can log in to the relay communication system 100 is associated with the identification information of the connection target device that can be connected by the operator. Stored connection permission information. The control unit 60 includes a connection target device acquisition control unit 631, a VPN start control unit 632, an address filter information communication control unit 633, a routing session establishment control unit 634, and a routing control unit 635. The connection target device acquisition control unit 631 acquires connection target devices (client terminals 42 and 47) to which the operator 92 who has made the login request can connect based on the connection permission information stored in the relay server 1 with a management function. . In the VPN start control unit 632, the control unit 60 of the relay server 2 performs a virtual private network start process for the selected client terminal 47 among the read connection target devices. The address filter information communication control unit 633 uses the address filter information storage unit 54 as address filter information in which the address of the communication device 22 operated by the operator 92 to make a login request is associated with the identification information of itself (the relay server 2). The address filter information is transmitted to the client terminal 47, and the address filter information received from the client terminal 47 is stored in the address filter information storage unit 54 as address filter information associated with the identification information of the client terminal 47. To do. The routing session establishment control unit 634 establishes a routing session for the client terminal 47. When the transmission destination of the received packet is specified in the address filter information associated with the identification information of the relay server 2 (for example, when the transmission destination is the communication device 22), the routing control unit 635 performs the transmission. When the packet is transmitted first and the destination of the received packet is specified in the address filter information associated with the identification information of the client terminal 47 (for example, when the destination is the file server 46), the relay server 2 and a client terminal 47 through a routing session established between the client terminal 47 and the client terminal 47.

  Thus, using the constructed VPN, communication can be performed between the communication device 22 operated by the operator 92 to make a login request and the file server 46 to which the client terminal 47 can transfer a packet. . In the connection permission information, the identification information of the operator is associated with the identification information of the connection target device. Therefore, for example, when the operator 92 operates the communication device 22 to log in to the relay server 2, the relay server 2 and the client terminal 47 are used as routing devices, and a VPN is constructed between the communication device 22 and the file server 46. can do. When the logged-out operator 92 operates the communication device 23 and logs in to the client terminal 21 this time, the client terminal 21 and the client terminal 47 are used as routing devices, and the VPN between the communication device 23 and the file server 46 is established. Can be built. In this way, even if the device used for login is changed, if the operator who logs in is the same, a VPN including the same partner as before can be easily constructed and used on the spot. Further, different access control can be easily performed for each operator.

  Further, the relay server 2 of the present embodiment includes a management destination information storage unit 53 that stores identification information of the relay server 1 that is a relay server with a management function. The connection permission information is stored by the relay server 1. When the control unit 60 of the relay server 2 receives a login request from the operator 92, the control unit 60 accesses the relay server 1 based on the storage contents of the management destination information storage unit 53, so that the operator 92 who has made the login request is connected. Possible connection target devices (client terminals 42 and 47) are acquired.

  Accordingly, since the relay server 1 is configured to centrally manage the connection permission information, it is not necessary to share the connection permission information by a plurality of devices. Therefore, the synchronization control of the connection permission information between the devices becomes unnecessary, and the processing performed by the relay server can be lightened.

  Next, a modification of the above embodiment will be described with reference to FIGS. FIG. 11 is a functional block diagram illustrating a modified example of the relay server 2. FIG. 12 is a diagram showing the contents of the operator group information. FIG. 13 is a diagram showing the contents of the connection permission information in the modification. In the following description of the modified examples, the same or similar configurations as those in the above embodiment may be denoted by the same reference numerals and description thereof may be omitted.

  As shown in FIG. 11, the relay server 2 of this modification includes an operator information storage unit 51, a connection permission information storage unit 521, an address filter information storage unit 54, and an operator group information storage unit 55.

  Thus, in this modification, the relay server 2 includes the operator information storage unit 51 and the connection permission information storage unit 52 included in the relay server 1 in the above embodiment. Therefore, the relay server 2 of this modification functions as a relay server with a management function and also functions as a connection source relay server. Therefore, in this modification, in the relay server 2 as the connection source relay server and the relay server 3 as the connection target relay server (the same configuration as the above embodiment), the same relay communication system 100 as in the above embodiment is provided. realizable.

  In this modification, an operator group including one or a plurality of operators is created, and information related to the operator group is stored in the operator group information storage unit 55 of the relay server 2. As shown in FIG. 12, the operator group information storage unit 55 includes a group name, an operator ID of an operator (belonging to the operator group) constituting the operator group, It is memorized using.

  Then, as shown in FIG. 13, the connection permission information storage unit 521 of the present modification stores the name of the operator group and the identification information of the connection target device in association with each other. Therefore, in the example of FIG. 13, when an operator belonging to group 1 (operator whose operator ID is Op1, Op2, Op3) logs in using the client terminal 21 as a device to be used, the client terminal 21, relay server 3, , Connection can be used. Note that the operator login process and the VPN construction process are the same as those in the above embodiment, and a description thereof will be omitted.

  As described above, the relay server 2 of the present modification includes the connection permission information storage unit 521 that stores connection permission information. When the control unit 60 receives a login request from the operator, the control unit 60 acquires a connection target device to which the operator who has made the login request can connect based on the storage content of the connection permission information storage unit 521.

  Thereby, the relay server 2 can acquire the connection object apparatus which the operator who made the login request | requirement can connect only by referring to own memory content. For this reason, the process up to the start of VPN can be simplified.

  In addition, the relay server 2 of the present modification includes an operator group information storage unit 55 that stores an operator group composed of a plurality of operators using identification information of the operators constituting the operator group. The connection permission information storage unit 521 stores, for each operator group, identification information of connection target devices that can be connected by an operator when constructing a virtual private network.

  Thereby, when a team is formed by a plurality of operators, and maintenance of a predetermined connection target device (and routing target device) is performed in the team, the storage content of the connection permission information storage unit 521 can be simplified. it can. Therefore, this configuration is particularly suitable when there are many operators who perform maintenance in the relay communication system 100. In addition, even when there is a change in the operators that make up this team, it is only necessary to delete the operator's identification information from the operator group or add it to the operator group, making it easy to set connection permission information. .

  The preferred embodiment of the present invention has been described above, but the above configuration can be modified as follows, for example.

  The above operator information, operator group information, usage status information, and the like can be stored in an appropriate format (for example, XML format).

  Instead of the configuration of the above-described embodiment, an external server used for communication between each relay server may be installed on the Internet, and a communication may be performed by exhibiting a function as a SIP (Session Initiation Protocol) server. .

1, 2, 3 Relay server 11, 21, 42, 47 Client terminal 10, 20, 30, 40, 45 LAN
DESCRIPTION OF SYMBOLS 50 Storage part 51 Operator information storage part 52 Connection permission information storage part 53 Management destination information storage part 54 Address filter information storage part 60 Control part 100 Relay communication system

Claims (6)

Means for storing first address filter information that is an address to which a packet can be transferred, and second address filter information that is an address to which a connection target device indicating another relay server and a client terminal can transfer a packet; ,
Means for receiving identification information of an operator who performs a login operation via a communication device connected via a LAN;
Based on the identification information of the operator who accepted the login, means for obtaining a list of the connection target devices that can be connected to the operator
Means for receiving selection of the connection target device by an operator from a list of connectable target devices;
Means for establishing a routing session with the connection target device selected by the operator;
With
The address of the communication device that the operator has logged in is stored as first address filter information, the address of the communication device is transmitted to the connection target device,
Storing the address received from the connection target device as second address filter information;
When the destination of the received packet is stored as the first address filter information, the packet is transmitted to the destination,
A relay server that transmits a packet to the routing session when a transmission destination of the received packet is stored as the second address filter information. Address filter information indicating the address of a routing target device that can be designated as a packet transfer destination can be stored in association with its own identification information, and can be connected to itself as a connection target relay server and the connection target Address filter that can be stored by the connection target device indicating the client terminal belonging to the relay server in association with the address filter information indicating the address of the routing target device that can be designated as the packet transfer destination in association with the identification information of the connection target device An information storage unit;
A control unit;
With
The controller is
Information stored by itself or another relay server that can be connected to itself, and identification information of an operator who can log in to the relay communication system including the device and the connection target device, and connection by the operator is possible A connection target device acquisition control unit that acquires the connection target device that can be connected by an operator who has made a login request, based on connection permission information that is information associated with the identification information of the connection target device.
A VPN start control unit that performs a virtual private network start process on the connection target device selected from the acquired connection target devices;
The address of the communication device operated by the operator to make a login request is stored in the address filter information storage unit as address filter information associated with its own identification information, and the address filter information is transmitted to the connection target device. An address filter information communication control unit for storing address filter information received from the connection target device in the address filter information storage unit as address filter information associated with identification information of the connection target device;
A routing session establishment control unit for establishing a routing session for the selected connection target device;
When the destination of the received packet is specified in the address filter information associated with its own identification information, the packet is transmitted to the destination, and the destination of the received packet is the identification of the connection target device Routing that performs control to transmit a packet to the connection target device via a routing session established between itself and the connection target device when specified in the address filter information associated with the information A control unit;
A relay server comprising: The relay server according to claim 2,
A management destination information storage unit for storing identification information of a relay server with a management function for managing a relay server including itself;
The connection permission information is stored by the management function relay server,
When the control unit receives a login request from an operator, the control unit can connect to the relay server with management function based on the storage contents of the management destination information storage unit, so that the operator who has made the login request can connect. A relay server that acquires the connection target device. The relay server according to claim 2,
A connection permission information storage unit for storing the connection permission information;
When the control unit receives a login request from an operator, the control unit acquires the connection target device that can be connected by the operator who has made the login request, based on the connection permission information stored in the connection permission information storage unit. A relay server characterized by The relay server according to any one of claims 1 to 4, wherein
The device itself or the connection target device stores an operator group composed of a plurality of operators using the identification information of the operators constituting the operator group, and the identification information of the connection target device that can be connected by the operator is stored in the operator. A relay server storing each group. A relay server;
A client terminal belonging to the relay server;
A relay communication system comprising:
Among the relay servers, the relay server functioning as a connection source relay server is:
Address filter information indicating the address of a routing target device that can be designated as a packet transfer destination can be stored in association with its own identification information, and can be connected to itself as a connection target relay server and the connection target Address filter that can be stored by the connection target device indicating the client terminal belonging to the relay server in association with the address filter information indicating the address of the routing target device that can be designated as the packet transfer destination in association with the identification information of the connection target device An information storage unit;
A control unit;
With
The controller is
The connection target device that can be connected by the operator who has made a login request based on connection permission information that is information that associates the identification information of the operator with the identification information of the connection target device that can be connected by the operator Connection target device acquisition control unit for acquiring
A VPN start control unit that performs a virtual private network start process on the connection target device selected from the acquired connection target devices;
The address of the communication device operated by the operator to make a login request is stored in the address filter information storage unit as address filter information associated with its own identification information, and the address filter information is transmitted to the connection target device. An address filter information communication control unit for storing address filter information received from the connection target device in the address filter information storage unit as address filter information associated with identification information of the connection target device;
A routing session establishment control unit for establishing a routing session for the selected connection target device;
When the destination of the received packet is specified in the address filter information associated with its own identification information, the packet is transmitted to the destination, and the destination of the received packet is the identification of the connection target device When specified in the address filter information associated with the information, a routing control unit that transmits a packet to the connection target device via a routing session established between itself and the connection target device;
A relay communication system comprising:

Images