The present invention relates to a firewall passing technique. Particularly, the present invention relates to a communication method for establishing a VPN (virtual private network) to a specific internal network, such as an intranet, in response to an access from an external network, and to a communication system, a device, and a program therefor.
VPN connection, in which an open external network such as the Internet is used as a private dedicated network, is known (see, for example, Non-Patent Documents 1 and 2). That is, a firewall and a dedicated router or bridge (a VPN gateway (VPN-GW) that links connections from outside the company with the intra-company network) are disposed between an internal network (such as an intranet) and an open external network (such as the Internet). The firewall manages data, protects the internal network from attack or illegal access from the outside, and links the Internet and the intranet. Moreover, personal computers (take-out PCs), such as notebook computers, configured for the internal network can access the internal network from an external network.
FIG. 37 is a diagram illustrating a network configuration in the prior art. This network configuration includes a firewall/VPN gateway (Firewall & VPN-GW) 30, which has an authentication device (an authentication module) and is disposed between the intranet 2 of “A” company (“A” company's intranet) and the Internet 1, and a business server 23 on the “A” company intranet. A staff member of “A” company can access the intranet 2 via the Internet using a PC (personal computer) 102 taken out of the company, in which dedicated VPN software is installed.
An application (a business client application) that links to the in-house business server 23 and processes predetermined business is installed on the take-out PC 102. An application (a business server application) corresponding to the business client application of the PC 102 is installed on the in-house business server 23. (Both applications may be called business applications.) The Firewall & VPN-GW 30 is installed with an application (a relay application) that links the authentication module, the PC, and the business server.
The procedure of the VPN connection in the prior art is as follows:
For the PC 102 taken out by a staff member of “A” company, a high-level administrator provides the member with a predetermined ID and password for access to “A” company's intranet. At the same time, a default setting process (a), such as authentication setting for the ID and password, is performed beforehand on the Firewall & VPN-GW 30 to authorize access from the PC 102.
The staff member uses the PC 102 to access the intranet 2 from home or from outside “A” company's intranet using the ID and password. The PC 102 thereby establishes a VPN connection (b) to the Firewall & VPN-GW 30, for example an SSL connection in which the traffic between the WWW browser and the WWW server is encrypted and authentication is performed based on the SSL (secure sockets layer) protocol.
When the authentication module performs the authentication process (c) on the access and determines that the password is correct, the Firewall & VPN-GW 30 permits connection to “A” company's intranet 2 and performs address/frame conversion of the packets passing through the VPN connection. Thus, the business application of the PC 102 can communicate bi-directionally with the business application of the business server 23.
FIG. 38 is a diagram illustrating another network configuration in the prior art. The network configuration includes a firewall 30 disposed between “A” company's intranet 2 and the Internet 1, a VPN gateway (VPN-GW) 210 connected to the firewall 30, and a business server 23 connected to the VPN-GW 210. On the Internet side, it includes a PC 102 that includes a VPN-GW, and a relay server (a virtual HUB, SIP server, or the like) 101 disposed for VPN connection to the intranet 2.
The take-out PC 102 is installed with a business client application for connecting to the office business server 23 and processing predetermined business, a relay application for relaying the VPN connection to the business client application, and an application (setting application) for setting up the VPN connection with the VPN-GW 210. The office business server 23 is installed with an application (business server application) corresponding to the business client application of the PC 102. The VPN-GW 210 is installed with a setting application for setting up the VPN connection to the PC 102 and a relay application for relaying the VPN connection to the business server application of the business server 23. The virtual HUB 101 is installed with an authentication module and a relay application.
The procedure of the VPN connection in the prior art is as follows:
The VPN connection (a) between the VPN-GW 210 and the relay server 101 is established beforehand. When the PC 102 accesses the relay server 101 for VPN connection, using the setting application and the relay application, the relay server 101 authenticates (c) the access. If the authentication succeeds, the VPN connection from the VPN-GW 210 and the VPN connection (b) from the PC 102 are linked, so that a VPN connection between the PC 102 and the VPN-GW 210 is established. Over these two VPN connections, the relay application enables communication between the business application in the PC 102 and the business application in the business server 23.
FIG. 39 is a diagram illustrating yet another network configuration in the prior art, similar to that of FIG. 38. The network configuration includes a firewall 30 disposed between “A” company's intranet 2 and the Internet 1, and a UPnP-compatible VPN gateway (VPN-GW) 220 and a business server 23, which are connected to the firewall 30 on the intranet. Moreover, the network configuration includes a relay server 103, such as a directory server, for VPN connection between the PC 102, which includes a VPN-GW on the Internet side, and the VPN-GW 220 of “A” company's intranet 2.
The office business server 23 is installed with a business server application. The VPN-GW 220 is installed with a setting application for setting up the VPN connection, a UPnP application that receives a universal plug and play (UPnP) advertisement from the hardware it is connected to, captures the necessary setting information, and performs the perforation (hole-opening) setting on the firewall 30, and a relay application for relaying the VPN connection to the business server application of the business server 23. The directory server 103 is installed with an authentication module. The PC 102 taken out of the company is installed with a setting application for setting up the VPN connection, a business client application corresponding to the business server 23, and a relay application for establishing the connection between the business applications through the VPN connection.
The procedure of VPN connection in the prior art is as follows:
The firewall 30 is set beforehand to perform UPnP advertisement, in which address information on the firewall itself and information on the access procedure are transmitted by IP broadcast to UPnP-compatible devices such as the VPN-GW 220 connected to the intranet.
When connected to “A” company's intranet, the VPN-GW 220 receives (a) the UPnP advertisement from the firewall 30 and captures the setting address of the firewall 30 so that it can configure the firewall 30 based on the received information. Moreover, the VPN-GW 220 establishes a connection (b) to the relay server 103 beforehand.
When a connection (c) is set up between the PC 102 and the relay server 103 using the VPN software, the relay server 103 authenticates the PC 102. When the authentication succeeds, the relay server 103 links the connection from the VPN-GW 220 to the connection from the PC 102 (d).
Next, when the PC 102 issues a VPN connection request (e) to the VPN-GW 220 through the series of connections linked via the relay server 103, the VPN-GW 220 performs the perforating setting (f) on the firewall 30 using the setting address obtained from the UPnP advertisement. When the setting is complete, the VPN-GW 220 notifies the PC 102 of the completion of the perforating setting via the relayed connections. When the PC 102 receives the notification of completion (f), it establishes a new VPN connection (g) to the VPN-GW 220, which can pass through the firewall 30 from the outside, based on the result of the perforating setting. Thus, communication between the business applications can be established via the VPN connection (g).
[Non-Patent Document 1]
“SSL-VPN appliance multi-application portable SAFEBORDER AP 100”, retrieved on Jun. 8, 2004, Internet <URL:http//ccsd.biglobe.ne.jp/security/lineup/SAFEBORDER/#top>
[Non-Patent Document 2]
“SoftEther.com-SoftEther Web page, safe, simple, high-performance VPN SoftEther Virtual Ethernet System”, retrieved on Jun. 8, 2004, Internet <URL:http://www.softether.com/jp/>
In the prior art shown in FIG. 37, the management of the firewall is under the strict control of a high-level administrator (a firewall administrator) in the intranet management department. Hence, even staff members of “A” company cannot configure the firewall to allow access from outside the company without the firewall administrator's permission. In other words, configuring the firewall requires a strict, vexatious approval procedure to obtain the firewall administrator's approval. Moreover, configuring the firewall requires advanced skill, which makes the work difficult and time-consuming.
The prior art shown in FIG. 38 can simply build a VPN connection (VPN establishment) with the outside of the company without configuring the firewall, which would require the strict approval procedure. However, this prior art requires the installation of a relay server outside the company, which in turn requires acquiring a global IP address and reserving a location for the server.
Moreover, obtaining a global IP address requires official approval from a predetermined authority, through a more difficult and complicated application procedure that includes confirmation of the applicant's identity. Moreover, some VPN applications for PCs transmit and receive large amounts of data through the relay server, so the data transfer burden on the relay server becomes very heavy. Moreover, using the relay server of an existing provider incurs large expenses in proportion to the amount of data transferred.
In contrast, the prior art shown in FIG. 39 is a communication system that has recently come into widespread use. Because the VPN connection is made through the perforating setting of the firewall, this art can transfer the actual data without the relay server and can relieve the data transfer burden on the relay server installed outside the company. However, the communication system has to be UPnP-compatible, which means introducing the UPnP advertisement procedure on the firewall, and a relay server is still required.
(Object)
The present invention aims at solving the above-mentioned problems. An object of the present invention is to provide a communication method capable of eliminating the configuration of a firewall and the installation of a relay server, and of establishing communication with the inside of the firewall in response to a connection request from the outside of the firewall. Another object of the present invention is to provide a communication system, a device, and a communication program, each of which realizes the above method.
An aspect of the present invention relates to a connection method that establishes connection between an information processing terminal on an external network and a gateway device on an internal network connected to the external network via a firewall. The connection method comprises the step of issuing a connection request from the information processing terminal on the external network to the internal network by accessible means, and the step of causing the gateway device to call back a connection request, via the firewall, to the information processing terminal that issued the connection request, in response to the connection request.
Another aspect of the present invention relates to a connection method for establishing connection (for example, VPN connection) between an information processing terminal on an external network and a gateway device (for example, 20 in FIG. 1) of an internal network connected to the external network via a firewall. The connection method comprises the step of transmitting a control mail issuing a connection request from the information processing terminal on the external network to a mail server of the internal network, and the step of causing the gateway device of the internal network to call back a connection request to the transmission source of the control mail via the firewall in response to the control mail.
Moreover, the connection method comprises the step of having the gateway device regularly inquire of the mail server about reception of a control mail, the step of acquiring and authenticating a received control mail, and the step of performing connection to the information processing terminal based on the control mail when authentication succeeds.
Moreover, the connection method comprises the step of transmitting control information requesting connection (for example, VPN connection) from the information processing terminal on the external network to the gateway device (for example, 20 in FIG. 1) on the internal network via a telephone line, and the step of causing the gateway device of the internal network to call back connection (for example, VPN connection) to the transmission source of the control information via the firewall in response to the transmission of the control information. The connection method further comprises the step of transmitting control information requesting connection from the information processing terminal on the external network to the gateway device on the internal network via a radio line, and the step of causing the gateway device on the internal network to call back connection to the transmission source of the control information via the firewall in response to the transmission of the control information.
The connection method comprises the step of performing such that the gateway device on the internal network authenticates the control information and the step of performing connection to the information processing terminal based on the control information when authentication is correct.
In the connection method, a plurality of gateway devices are on the internal network, or a gateway device is provided for every person whose access to the internal network is permitted, or one gateway device is provided for plural persons whose access to the internal network is permitted.
A plurality of firewalls are disposed on the internal network.
The control mail notifies an IP address acquired by UPnP, and the information processing terminal performs service registration to the firewall.
The control mail notifies VLAN information of a desired connection source, and the gateway device inserts or deletes the VLAN tag described in the control mail.
In another aspect of the present invention, a communication system establishes connection between an information processing terminal on an external network and a gateway device on an internal network connected to the external network via a firewall. Accessible means issues a connection request from the information processing terminal on the external network to the internal network. The gateway device calls back a connection request, via the firewall, to the information processing terminal that issued the connection request, in response to the connection request. Thus, connection between the information processing terminal and the gateway device is established.
Moreover, in another aspect of the present invention, a communication system establishes communication between an information processing terminal on an external network and a gateway device of an internal network connected to the external network via a firewall. The information processing terminal transmits a control mail requesting connection to a mail server on the internal network. The gateway device acquires the control mail from the mail server and calls back connection to the information processing terminal via the firewall based on the control mail. Thus, the connection between the information processing terminal and the gateway device is established.
Moreover, in the communication system, a plurality of gateway devices are disposed on the internal network. A gateway device is provided for each person whose access to the internal network is allowed, or one gateway device is provided for plural persons whose access to the internal network is allowed.
In the communication system, plural firewalls are disposed on the internal network.
In the communication system, the control mail notifies an IP address acquired by UPnP, and the information processing terminal performs service registration to the firewall.
In the communication system, the control mail notifies VLAN information of a desired connection destination, and the gateway device inserts or deletes the VLAN tag described in the control mail.
According to the present invention, the gateway device and the information processing terminal have the following means (functions), respectively.
That is, the gateway device has the function of receiving an access requesting connection from an information processing terminal on the external network and the function of calling back a connection request, via the firewall, to the information processing terminal that issued the connection request, and thereby establishing connection with the information processing terminal. As to the access means, the gateway device regularly inquires of the mail server about reception of an e-mail addressed to itself, or the gateway device itself acts as the mail server. Every time the mail server receives an e-mail, the gateway device captures the e-mail addressed to itself, decides whether or not it is a control mail, and authenticates the control mail. Whether or not an e-mail is a control mail depends on whether or not its body or header includes a predetermined arbitrary letter string.
Moreover, the information processing terminal requests connection to the internal network by means accessible from a terminal on the external network, and causes the gateway device to call back connection via the firewall in response to the connection request, thus establishing connection between the information processing terminal and the gateway device. Alternatively, the information processing terminal transmits control information requesting connection to the gateway device via a telephone line, and the gateway device calls back connection to the information processing terminal via the firewall based on the control information, so that the connection between the information processing terminal and the gateway device is established. Likewise, the information processing terminal may transmit control information requesting connection to the gateway device via a radio line, and the gateway device calls back connection to the information processing terminal via the firewall based on the control information. The gateway device authenticates the telephone number of the information processing terminal, captured with a caller ID, or the control information.
Another aspect of the present invention relates to a control program for a gateway device on an internal network connected to an external network via a firewall, for establishing connection between the gateway device and an information processing terminal on the external network. The control program instructs a controller of the gateway device to realize the function of receiving an access requesting connection from the information processing terminal and the function of calling back the connection request, via the firewall, to the information processing terminal that issued the connection request, in response to the connection request.
The control program instructs the controller of the gateway device to realize the function of capturing from a mail server a control mail requesting connection, transmitted from the information processing terminal, and the function of calling back connection to the information processing terminal via the firewall based on the control mail.
The program instructs the controller to realize the function of regularly inquiring of the mail server about reception of an e-mail addressed to the gateway device, the function of capturing such an e-mail and deciding whether or not it is a control mail, and the function of authenticating the control mail.
The program instructs the controller to realize, as the function of acting as the mail server, the function of deciding whether or not an e-mail is a control mail every time the mail server receives an e-mail, and the function of authenticating the control mail.
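The gateway-side functions just described (periodic inquiry of the mail server, deciding whether an e-mail is a control mail by a predetermined letter string, and authenticating it before calling back) can be written out as follows. This is an added example, not code from the patent: the control-mail layout (`Callback-Host`, `Callback-Port`, `Timestamp`, `Auth` lines), the marker string, the per-staff shared secret, the HMAC-based authentication and the replay window are all assumptions, since the specification leaves the authentication method open. The sample mailbox is constructed inline.

```python
"""Gateway-side handling of control mails: poll, classify, authenticate, extract callback."""
import hashlib
import hmac
import re
from email import message_from_string
from typing import Optional

# Predetermined letter string whose presence in the Subject or body marks a control
# mail (constructed value; the specification leaves the string arbitrary).
CONTROL_MARKER = "[VPN-CONTROL]"
# Assumption: each authorised staff member shares a secret with the gateway device,
# provisioned inside the intranet and never carried in the mail itself.
SHARED_SECRETS = {"staff1@a-company.example": b"constructed-secret-for-staff1"}
# Assumption: a control mail older (or newer) than this is treated as a replay.
REPLAY_WINDOW_SECONDS = 300
NOW = 1_700_000_000  # constructed "current time" so the sample runs deterministically


def is_control_mail(msg) -> bool:
    """Decide whether an e-mail is a control mail: marker in the Subject header or body."""
    return CONTROL_MARKER in msg.get("Subject", "") or CONTROL_MARKER in msg.get_payload()


def parse_fields(body: str) -> dict:
    """Read 'Key: value' lines from the mail body (constructed control-mail layout)."""
    fields = {}
    for line in body.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.+)$", line.strip())
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def expected_mac(secret: bytes, sender: str, host: str, port: str, ts: str) -> str:
    """HMAC-SHA256 over every field the gateway will act on, so none can be altered."""
    data = "|".join([sender, host, port, ts]).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def authenticate_control_mail(msg, now: int) -> Optional[dict]:
    """Return the callback target if the control mail is authentic, else None."""
    sender = msg.get("From", "").strip().lower()
    secret = SHARED_SECRETS.get(sender)
    if secret is None:
        return None  # sender is not an authorised staff member
    f = parse_fields(msg.get_payload())
    if not {"callback-host", "callback-port", "timestamp", "auth"} <= set(f):
        return None  # malformed control mail
    host, port, ts, mac = f["callback-host"], f["callback-port"], f["timestamp"], f["auth"]
    if not ts.isdigit() or abs(now - int(ts)) > REPLAY_WINDOW_SECONDS:
        return None  # stale or future-dated: a replayed or forged request
    if not hmac.compare_digest(mac, expected_mac(secret, sender, host, port, ts)):
        return None  # fields were tampered with or the sender lacks the secret
    if not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return {"sender": sender, "host": host, "port": int(port)}


def poll_mailbox(raw_mails, now: int) -> dict:
    """One periodic inquiry by the gateway: callback targets plus a per-mail verdict."""
    targets, verdicts = [], []
    for raw in raw_mails:
        msg = message_from_string(raw)
        if not is_control_mail(msg):
            verdicts.append("ignored")  # ordinary mail, left to the mail server
            continue
        target = authenticate_control_mail(msg, now)
        if target is None:
            verdicts.append("rejected")  # worth logging on the gateway
        else:
            verdicts.append("accepted")
            targets.append(target)
    return {"targets": targets, "verdicts": verdicts}


def build_control_mail(sender: str, host: str, port: int, ts: int, mac: str) -> str:
    """Constructed raw RFC 822 text of a control mail as the take-out PC would send it."""
    return (f"From: {sender}\nTo: gw@a-company.example\n"
            f"Subject: {CONTROL_MARKER} connection request\n\n"
            f"Callback-Host: {host}\nCallback-Port: {port}\nTimestamp: {ts}\nAuth: {mac}\n")


def sample_mailbox() -> list:
    """Constructed mailbox: one valid request, an ordinary mail, a tampered and a stale one."""
    sender = "staff1@a-company.example"
    secret = SHARED_SECRETS[sender]
    fresh, stale = NOW - 10, NOW - 3600
    return [
        build_control_mail(sender, "203.0.113.7", 443, fresh,
                           expected_mac(secret, sender, "203.0.113.7", "443", str(fresh))),
        "From: vendor@example.net\nTo: gw@a-company.example\nSubject: newsletter\n\nHello\n",
        build_control_mail(sender, "198.51.100.9", 443, fresh, "0" * 64),
        build_control_mail(sender, "203.0.113.7", 443, stale,
                           expected_mac(secret, sender, "203.0.113.7", "443", str(stale))),
    ]


if __name__ == "__main__":
    print(poll_mailbox(sample_mailbox(), NOW))
```

The point of binding the callback host and port into the MAC and rejecting stale timestamps is that the control mail is the only input deciding where the gateway opens an outbound connection; an unauthenticated or replayable control mail would let anyone who can send mail to the intranet steer that callback.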
Another aspect of the present invention relates to a control program for a gateway on an internal network connected to an external network via a firewall to establish connection between the gateway device on the internal network and the information processing terminal on the external network. The control program instructs the controller of the gateway device to realize the function of receiving control information requiring connection transmitted from the information processing terminal via a telephone line and the function of calling back connection to the information processing terminal via the firewall based on the control information.
The program realizes the function of performing authentication based on the telephone number of the information processing terminal captured from the caller ID.
Another aspect of the present invention relates to a control program for a gateway device on an internal network connected to an external network via a firewall to establish connection between the information processing terminal on the external network and the gateway device on the internal network. The control program instructs the controller of the gateway device to realize the function of receiving control information requiring connection transmitted from the information processing terminal via a radio line and the function of calling back connection to the information processing terminal via the firewall based on the control information.
The control program instructs the controller to realize the function of authenticating the control information and the function of performing connection to the information processing terminal when authentication is correct.
Another aspect of the present invention relates to a control program for an information processing terminal on an external network, for establishing connection between the external network and a gateway device on an internal network connected via a firewall. The control program instructs the controller of the information processing terminal to realize the function of requesting connection by means accessible to the internal network and the function of causing the gateway device to call back a connection request, via the firewall, to the information processing terminal that issued the connection request, in response to the connection request.
The program instructs the controller of the information processing terminal to realize the function of transmitting a connection request control mail to a mail server and the function of causing the gateway device to call back connection via the firewall based on the control mail received by the mail server.
Another aspect of the present invention relates to a control program for an information processing terminal on an external network to establish connection between the external network and a gateway device on the internal network connected via a firewall. The program instructs the controller in the information processing terminal to realize the function of transmitting control information requiring connection via a telephone line and the function of instructing the gateway device to call back connection via the firewall based on the control information.
Another aspect of the present invention relates to a control program for an information processing terminal on an external network to connect the external network and a gateway device on the internal network connected via a firewall. The program instructs the controller in the information processing terminal to realize the function of transmitting control information requiring connection via a radio line and the function of instructing the gateway device to call back connection via the firewall based on the control information.
The control mail notifies an IP address captured with UPnP and the information processing terminal performs a service registration to the firewall.
The control mail notifies VLAN information of a desired connection destination and the gateway device inserts or deletes a tag of VLAN described in the control mail.
(Function)
An e-mail sent from outside the firewall (the external network) can reach a mail server inside the firewall (the internal network), the firewall being disposed at the junction of the internal network with the external network. Access is also possible via a telephone line or a radio line, which does not pass through the firewall at all. For a firewall, access by a connection from the outside to the inside is very difficult, but access by a connection in the reverse direction can be performed simply. In this configuration, using access means such as a mail server, a telephone line, or a radio line, the internal network receives a control e-mail or control information requesting connection from the external network and calls back a connection to the transmission source of that e-mail or information. As a result, the configuration enables access passing through the firewall from the external network (that is, establishment of a VPN connection).
The present invention does not require any setting operation on the firewall itself, because the connection is established from inside the firewall to the outside. The information processing terminal (a take-out PC) and the gateway device are linked directly via the firewall. This eliminates both the configuration of the firewall and the installation of a relay server, and thereby solves the problems of the firewall administrator's approval, the acquisition of a global IP address, and expenses proportional to the amount of data transferred.
By transmitting a connection request into the firewall with a control e-mail, a connection from the outside of the firewall to the inside is realized as a result. A particular advantage is that no extra communication charge is incurred, because the use of an e-mail does not require a telephone line for the connection.
Alternatively, the control information of a connection request is transmitted to the inside of the firewall using a telephone line or a radio line instead of an e-mail, and the connection from the outside of the firewall to the inside is realized likewise.
Moreover, according to the present invention, one gateway device may be installed for each staff member or for plural staff members (e.g. 2 to 50 or 2 to 100) in the intranet. The gateway device may also be constructed so that access from outside the firewall is authenticated and the gateway device rewrites the IDs and passwords used for authentication for each staff member. Thus, a highly convenient communication system can be realized that ensures security and enables comparatively simple connection from outside the company with PCs.
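The asymmetry the (Function) section relies on, that a firewall drops connections initiated from outside but passes connections initiated from inside together with their replies, is easy to see in a small connection-tracking model. The following is an added example, not part of the patent: it models a default-deny stateful border firewall with an egress port list (assumed behaviour, typical of corporate firewalls), constructed addresses for the intranet, the gateway device and the take-out PC, and replays the direct inbound attempt, the gateway's callback after an authenticated control request, and the PC's reply on that flow. It also shows the two things a defender should note: an egress policy that does not allow the callback port stops the scheme, and because no firewall rule is ever changed, the gateway's own authentication of the control request becomes the only check on who gets connected.

```python
"""Model of why a callback connection passes a firewall that blocks inbound access."""
from dataclasses import dataclass

# Constructed addresses: the intranet uses 10.0.0.0/24, the gateway device is
# 10.0.0.20, and the take-out PC sits at a documentation address on the Internet.
INTERNAL_PREFIX = "10.0.0."
GATEWAY_IP = "10.0.0.20"
TERMINAL_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection


class StatefulFirewall:
    """Assumed border-firewall policy (not from the patent): new inbound flows are
    dropped, new outbound flows are allowed only to listed destination ports, and
    packets belonging to an established flow pass in either direction."""

    def __init__(self, allowed_outbound_ports=(25, 80, 443)):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)
        self.log = []

    @staticmethod
    def is_internal(ip: str) -> bool:
        return ip.startswith(INTERNAL_PREFIX)

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        outbound = self.is_internal(pkt.src) and not self.is_internal(pkt.dst)
        inbound = self.is_internal(pkt.dst) and not self.is_internal(pkt.src)
        if outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.flows:
                return self._decide(True, "ESTABLISHED OUT", pkt)
            if pkt.syn and pkt.dport in self.allowed_outbound_ports:
                self.flows.add(key)  # connection tracking entry created by the inside
                return self._decide(True, "NEW OUT", pkt)
            return self._decide(False, "NEW OUT denied by egress policy", pkt)
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.flows:
                return self._decide(True, "ESTABLISHED IN", pkt)
            return self._decide(False, "NEW IN", pkt)
        return self._decide(False, "not a border crossing", pkt)

    def _decide(self, accept: bool, reason: str, pkt: Packet) -> bool:
        verdict = "ACCEPT" if accept else "DROP"
        self.log.append(f"{verdict} {reason}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return accept


def simulate_callback() -> dict:
    """Direct inbound attempt from the take-out PC versus the gateway's callback."""
    fw = StatefulFirewall()
    results = {
        # (1) The PC tries to reach the gateway directly: a new inbound flow, dropped.
        "direct_inbound": fw.filter(Packet(TERMINAL_IP, 50000, GATEWAY_IP, 443, syn=True)),
        # (2) After an authenticated control request, the gateway calls the PC back on 443.
        "callback_out": fw.filter(Packet(GATEWAY_IP, 40000, TERMINAL_IP, 443, syn=True)),
        # (3) The PC's reply belongs to that tracked flow and passes with no rule change.
        "callback_reply": fw.filter(Packet(TERMINAL_IP, 443, GATEWAY_IP, 40000)),
        # (4) An inbound packet matching no tracked flow is still dropped.
        "unrelated_inbound": fw.filter(Packet(TERMINAL_IP, 443, GATEWAY_IP, 40001)),
        # (5) A callback to a port the egress policy does not allow never leaves.
        "callback_blocked_port": fw.filter(Packet(GATEWAY_IP, 40002, TERMINAL_IP, 5000, syn=True)),
    }
    results["log"] = fw.log
    return results


if __name__ == "__main__":
    for line in simulate_callback()["log"]:
        print(line)
```

Case (5) is the operational caveat: the callback only works on a destination port the egress policy already permits, so the gateway's callback port must be chosen within that policy, and the firewall administrator's egress rules remain the place where such outbound tunnels can be restricted or logged.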
FIG. 1 is a diagram illustrating a network configuration, according to a first embodiment of the present invention.
FIG. 2 is a diagram illustrating an operational procedure in the first embodiment.
FIG. 3 is a flowchart showing an operation of a gateway device, in the first embodiment.
FIG. 4 is a diagram illustrating VPN connection in a second embodiment.
FIG. 5 is a diagram illustrating VPN connection for IP telephones in a third embodiment.
FIG. 6 is a diagram illustrating a network configuration according to a fourth embodiment of the present invention.
FIG. 7 is a diagram showing software installed in the fourth embodiment and a communication processing on a protocol.
FIG. 8 is a diagram showing an operational procedure in the fourth embodiment.
FIG. 9 shows an operational flowchart of a gateway device in the fourth embodiment.
FIG. 10 is a diagram illustrating a network configuration according to a fifth embodiment of the present invention.
FIG. 11 is a diagram showing software installed in each device in the fifth embodiment and a communication processing on a protocol.
FIG. 12 shows an operational procedure in the fifth embodiment.
FIG. 13 shows an operational flowchart of a gateway device in the fifth embodiment.
FIG. 14 is a diagram illustrating a network configuration according to a sixth embodiment of the present invention.
FIG. 15 shows software installed in each device in the sixth embodiment and a communication processing on a protocol.
FIG. 16 shows an operational procedure in the sixth embodiment.
FIG. 17 shows an operational flowchart of a gateway device in the sixth embodiment.
FIG. 18 is a diagram illustrating a network configuration (Internet) according to a seventh embodiment of the present invention.
FIG. 19 is a diagram showing software installed in each device in the seventh embodiment and a communication processing on a protocol.
FIG. 20 shows an operational procedure in the seventh embodiment.
FIG. 21 shows an operational flowchart of a gateway device in the seventh embodiment.
FIG. 22 is a diagram illustrating a network configuration according to an eighth embodiment of the present invention.
FIG. 23 is a diagram illustrating software installed in each device of the eighth embodiment and a communication processing on a protocol.
FIG. 24 shows an operational procedure in the eighth embodiment.
FIG. 25 shows an operational flowchart of a gateway device in the eighth embodiment.
FIG. 26 is a diagram illustrating a network configuration according to a ninth embodiment of the present invention.
FIG. 27 shows an operational procedure in the ninth embodiment.
FIG. 28 shows an operational flowchart of a gateway device in the ninth embodiment.
FIG. 29 is a diagram illustrating a network configuration according to a tenth embodiment of the present invention.
FIG. 30 shows an operational procedure in the tenth embodiment.
FIG. 31 shows an operational flowchart of a gateway device in the tenth embodiment.
FIG. 32 is a diagram illustrating a network configuration according to an eleventh embodiment of the present invention.
FIG. 33 shows an operational procedure of the eleventh embodiment.
FIG. 34 shows an operational flowchart of a gateway device in the eleventh embodiment.
FIG. 35 is a diagram illustrating a take-out PC configuration according to a twelfth embodiment of the present invention.
FIG. 36 is a diagram illustrating the configuration of a gateway device according to a twelfth embodiment of the present invention.
FIG. 37 is a diagram illustrating an example in a related art.
FIG. 38 is a diagram illustrating another example in a related art.
FIG. 39 is a diagram illustrating yet another example in a related art.
FIG. 40 is a diagram illustrating a network configuration according to a thirteenth embodiment of the present invention.
FIG. 41 is a diagram partially illustrating software installed in the thirteenth embodiment and a communication processing on a protocol.
FIG. 42 is a diagram partially illustrating software installed in the thirteenth embodiment and a communication processing on a protocol.
FIG. 43 is a diagram partially illustrating software installed in the thirteenth embodiment and a communication processing on a protocol.
FIG. 44 is a diagram illustrating an operational procedure in the thirteenth embodiment.
FIG. 45 is a diagram illustrating a network configuration according to a fourteenth embodiment of the present invention.
FIG. 46 is a diagram partially illustrating software installed in the fourteenth embodiment and a communication processing on a protocol.
FIG. 47 is a diagram partially illustrating software installed in the fourteenth embodiment and a communication processing on a protocol.
FIG. 48 is a diagram partially illustrating software installed in the fourteenth embodiment and a communication processing on a protocol.
FIG. 49 is a diagram illustrating an operational procedure in the fourteenth embodiment.
FIG. 50 is a diagram illustrating a network configuration according to a fifteenth embodiment of the present invention.
FIG. 51 is a diagram partially illustrating software installed in the fifteenth embodiment and a communication processing on a protocol.
FIG. 52 is a diagram partially illustrating software installed in the fifteenth embodiment and a communication processing on a protocol.
A connection method, communication system, communication device, and program, according to embodiments of the present invention, will be explained below for VPN connection.
(Explanation of Configuration)
FIG. 1 is a diagram illustrating a network configuration according to a first embodiment of the present invention. The network configuration comprises the Internet 1 , an intranet 2 (“A” company's intranet), and a firewall 3 disposed between the Internet 1 and the intranet 2 . The intranet 2 includes a gateway device 20 , which is connected to the firewall 3 through a HUB and in which an object application that establishes a connection to the Internet according to a connection request is installed. An information processing terminal 10 is provided on the Internet side. The information processing terminal can be taken out of “A” company by a staff member (who is authorized to access the “A” company's intranet). The information processing terminal is installed with dedicated software, including a setting application (often called a connection request application) that requests connection to the gateway device 20 , and an object application that receives a connection from the gateway device 20 and executes certain processing. The information processing terminal 10 has access means for delivering a connection request to the gateway device 20 . The firewall 3 may be configured with a proxy server. This also applies to the following embodiments.
Here, the information processing terminal 10 is a portable terminal such as a notebook PC. The information processing terminal 10 may be used on the Internet 1 , as shown in FIG. 1. The information processing terminal 10 may also be used in the intranet 2 , in place of the gateway device 20 , as shown in FIG. 1. When the information processing terminal 10 is used in the intranet 2 , it communicates with the firewall 3 or a business server in the intranet via a HUB. When the information processing terminal 10 is used on the Internet (outside the intranet), the gateway device 20 is disposed in the intranet 2 via the HUB, and the connection between the gateway device 20 and the information processing terminal 10 is set up via the firewall 3 . Thus, communication between the information processing terminal 10 and the gateway device 20 can be established.
In the present embodiment, the connection request application installed in the outside information processing terminal 10 is software that issues a connection request by means (access means) that can reach the inside of the firewall from the Internet. For example, an application for transmitting an e-mail, which can pass through the firewall, or an application for transmission over a telephone line or a radio line, which does not pass through the firewall at all, is applicable. The object application installed in the gateway device 20 can establish the connection state through the firewall in response to the access of a connection request from the outside information processing terminal 10 . Various applications, including address conversion for VPN, Web proxy, IP telephone, video streaming, file server, FTP, and file swapping, in addition to encapsulation for VPN (a relay client application, a relay server application, or the like), i.e., frame conversion software between the Internet and the intranet, are applicable as the object application.
Using a connection request application in the information processing terminal 10 , the gateway device 20 is accessed for connection request (a). Using the object application, the connection (b) between the gateway device 20 and the information processing terminal 10 is established in response to the access.
In the various applications according to the present invention, the client means an application on the connection requesting side and the server means an application on the connection receiving side.
(Explanation of Operation)
FIG. 2 is a diagram illustrating the procedure of the present embodiment. The operation of the present embodiment is as follows:
(1) Using the connection request application in the information processing terminal 10 , a staff member of “A” company sends a connection request to the gateway device 20 via access means such as e-mail or a telephone line (or to the staff member's own mail address when the access means is e-mail). Information necessary for the connection from the gateway device installed on the “A” company's intranet side to the information processing terminal 10 , such as ID information indicating that the access is a connection request, the IP address of the information processing terminal 10 , and the like, is added to the connection request (a).
(2) When receiving the access for a connection request, the gateway device 20 establishes a connection to the IP address of the connection request source, based on the information contained in the connection request, using the object application (b). In this case, because the connection is initiated from the inside of the intranet 2 toward the Internet 1 , the firewall 3 can be passed through without any special setting.
(3) After establishment of the connection, the object application in the information processing terminal 10 can communicate bi-directionally with the object application in the gateway device 20 inside the intranet until the connection is disconnected.
FIG. 3 is an operational flowchart of the gateway device according to the first embodiment. The gateway device 20 waits for access from other equipment (steps S 1 and S 2 ) and, when it receives an access (step S 2 , YES), checks the ID information of the access (steps S 3 and S 4 ). When the access is a connection request (step S 4 , YES), the gateway device 20 connects to the IP address of the information processing terminal 10 , which is the connection requesting source, based on the information contained in the connection request (step S 5 ). After the connection, the object application in the information processing terminal 10 can communicate with the object application in the gateway device 20 or with a connected device in the intranet until the connection is disconnected. When the access is not a connection request in step S 4 (NO), the gateway device 20 returns to the waiting state (step S 1 ).
As described above, according to the present invention, the Internet 1 , i.e., an outside network, can be connected to the intranet 2 in response to a connection request from the Internet 1 , without changing the setting of the firewall 3 or the gateway device and without installing a relay server in the outside network. Hence, neither the approval procedure of the firewall administrator nor the installation and use of a relay server poses any difficulty.
FIG. 4 is a diagram illustrating VPN connection having a relay connection function (relay application) as the object application, according to a more concrete example of the first embodiment. The configuration of the present embodiment is similar to that of the first embodiment shown in FIG. 1. However, the intranet 2 includes the gateway device 20 , which is connected to the firewall 3 via the HUB and is installed with an object application. The object application includes a setting application for establishing a connection to the Internet side based on a connection request from the Internet side, and a relay application having a relay connection function to equipment in the intranet 2 . The gateway device 20 connects the information processing terminal 10 to a device in the intranet 2 , for example, the business server 23 , so that the business application in the gateway device 20 can communicate with the business application in the information processing terminal 10 .
The information processing terminal 10 has a connection request application, a business application, and a relay application (called a relay server application) for relaying the business application and the gateway device. The gateway device 20 has a relay application (called a relay client application) for relaying the information processing terminal 10 and the business server 23 .
The operation of the present embodiment is as follows. The gateway device 20 is accessed for a connection request (a) using the connection request application of the information processing terminal 10 . In response to the access, the gateway device 20 establishes the VPN connection (b) to the information processing terminal 10 using the relay client application. Next, using the relay client application, the gateway device 20 relays packets exchanged between the information processing terminal 10 and the business server 23 through the VPN connection (b). The business client application in the information processing terminal 10 and the business server application in the business server 23 can thus communicate bi-directionally.
FIG. 5 is a more concrete example of the first embodiment and illustrates an example of VPN connection for an IP telephone between the information processing terminal 10 and a gateway device 22 when an IP telephone application is used as the object application. The gateway device 22 is the gateway device 20 shown in FIG. 4 with a handset or a telephone set connected to it. The configuration of the present embodiment is similar to that shown in FIG. 1. However, the information processing terminal 10 and the gateway device 22 each have an object application for IP telephone and are connected to an IP telephone handset or telephone set (called a handset). Thus, an IP telephone call is enabled through the connection between the information processing terminal 10 and the gateway device 22 . The information processing terminal 10 has a connection request application and an object application for IP telephone. The gateway device 22 has a connection acceptance application (such as a control mail reception application) and an object application for IP telephone toward the information processing terminal 10 .
The operation of the present embodiment is as follows. Using the connection request application of the information processing terminal 10 , the gateway device 22 is accessed for a connection request (a) by e-mail, by telephone line, or by radio line. Using the IP telephone application, the gateway device 22 establishes the connection (b) to the information processing terminal 10 in response to the access. Once the connection between the information processing terminal 10 and the gateway device 22 is established, a call between the handset of the information processing terminal 10 and the handset of the gateway device 22 is enabled.
(Explanation of Configuration)
FIG. 6 is a diagram illustrating a network configuration according to a fourth embodiment of the present invention. This network configuration comprises the Internet 1 , an intranet 2 (“A” company's intranet), and a firewall 3 disposed between the Internet 1 and the intranet 2 . The intranet 2 includes a gateway device 20 for VPN connection to the Internet, connected to the firewall 3 via a HUB, and a business server 23 connected to the gateway device 20 via the HUB. The Internet further includes an SMTP server 11 for e-mail transmission (an outside SMTP server), a POP server 13 for e-mail reception (an outside POP server), and an information processing terminal 12 (called a take-out PC), such as a personal computer, which can be taken out by a staff member of “A” company. The PC 12 is one form of the information processing terminal 10 according to the first to third embodiments.
The gateway device 20 can be installed at any point in the intranet. Typically, a single gateway device is disposed in an office or on a server rack in a department, for each staff member or for a plurality of staff members (e.g. 2 to 50 or 2 to 100). When used in the intranet, the PC 12 is connected to the firewall 3 and the business server 23 via the HUB. When used on the Internet (outside the intranet), the gateway device 20 is connected to the firewall 3 and the business server 23 of the intranet 2 via the HUB, and the VPN connection between the gateway device 20 and the PC 12 is set up. Thus, communication can be established between the business server 23 and the PC 12 .
FIG. 7 is a diagram illustrating software installed in each device of the present embodiment and a communication process on a protocol.
Each of the PC 12 , the gateway device 20 , the SMTP server 11 , the POP server 13 , the business server 23 , and the firewall 3 , according to the present embodiment, has a predetermined OS, applications for realizing various functions, a NIC (network interface card) as the hardware for OS-to-OS communication, and a software driver. Each of the PC 12 and the gateway device 20 further has a virtual driver and a virtual NIC, both implemented in software.
FIG. 7 illustrates the VPN connection established between the PC 12 and the gateway device 20 and the communication process for in-house business between the PC 12 and the business server 23 . The PC 12 is installed with an in-house business application A 1 (called a business client application), and the business server 23 is installed with a corresponding application C 1 (called a business server application). The PC 12 and the gateway device 20 are installed with e-mail transmission/reception software that enables access from the Internet to the inside of the firewall. The software includes an application A 3 for realizing an e-mail transmission function (called a control mail transmission application), an application B 1 for realizing an e-mail reception function (called a control mail reception application), an application A 2 for realizing a relay function to the business client application A 1 (called a relay server application), and an application B 2 for realizing a relay function to the business server application C 1 (called a relay client application).
The business client application A 1 is an application that communicates bi-directionally with the business server application C 1 . WEB browser software is typically used as the business client application A 1 ; in this case, a WEB server application is used as the business server application C 1 . In addition to WEB browser software, various applications, including TELNET client software, FTP client software, accounting client software, file sharing client software, database client software, and the like, are applicable as the business client application A 1 . In each case, the business server application C 1 corresponds to the business client application A 1 : TELNET server software, FTP server software, accounting server software, file sharing server software, database server software, and the like are applicable as the business server application C 1 .
The relay server application A 2 executes the following operations.
(1) The relay server application A 2 carries a frame arriving from the virtual NIC A 9 as data over the communication through the VPN connection P 4 between the relay server application A 2 and the relay client application B 2 , by transferring it to the SSL A 10 .
(2) The relay server application A 2 transfers data arriving from the SSL A 10 over the communication through the VPN connection P 4 , as a frame, to the virtual NIC A 9 .
(3) The relay server application A 2 receives an instruction to wait for communication through the VPN connection P 4 from the control mail transmission application A 3 , and notifies the control mail transmission application A 3 once the VPN connection P 4 has been completed.
(4) The relay server application A 2 receives an instruction to disconnect the communication through the VPN connection P 4 from the control mail transmission application A 3 and transmits a disconnection signal to the relay client application B 2 .
The control mail transmission application A 3 executes the following operations.
(1) When receiving a connection command from the user, the application A 3 creates a control mail for a connection request and transmits it to the SSL A 15 . This mail is transferred to the SMTP server application D 1 via the connection P 1 . At the same time, the application A 3 issues a connection waiting instruction to the relay server application A 2 , instructing it to wait for a communication connection via the VPN connection P 4 .
(2) When receiving a disconnection instruction from the user, the application A 3 sends it to the relay server application A 2 .
The SMTP server application D 1 has the function of transferring a received e-mail, according to SMTP (Simple Mail Transfer Protocol), to a suitable SMTP server or POP server. Referring to FIG. 7, the SMTP server D 1 transfers the e-mail directly to the POP server E 1 . However, another SMTP server may be disposed between the servers D 1 and E 1 , so that the e-mail arrives at the POP server E 1 through several transfer operations. Referring to FIG. 7, the mail received from the control mail transmission application A 3 through the connection P 1 is transferred to the POP server E 1 through the connection P 2 by referring to the destination mail address.
The POP server application E 1 performs the following operations.
(1) The application E 1 saves an e-mail from the SMTP server D 1 through connection P 2 .
(2) When the control mail reception application B 1 requests a list of the saved e-mails through the connection P 3 , the list of saved e-mails is returned through the connection P 3 .
(3) When the POP server application E 1 receives a reception request specifying particular e-mails from the control mail reception application B 1 through the connection P 3 , the specified e-mails are transferred through the connection P 3 .
(4) When the POP server application E 1 receives a deletion request specifying particular e-mails from the control mail reception application B 1 through the connection P 3 , the specified e-mails are deleted.
(5) When the POP server application E 1 receives a batch reception request for all archived e-mails (i.e., all saved e-mails) from the control mail reception application B 1 through the connection P 3 , all the saved e-mails are transferred through the connection P 3 .
(6) When the POP server application E 1 receives a batch deletion request for all saved e-mails from the control mail reception application B 1 through the connection P 3 , all the saved e-mails are deleted.
The control mail reception application B 1 performs the following operations.
(1) The control mail reception application B 1 regularly requests a list of the saved e-mails from the POP server application E 1 through the connection P 3 . When the list includes a control mail, the control mail reception application B 1 sends a reception request specifying that e-mail to the POP server application E 1 through the connection P 3 and receives the control mail. At the same time, the control mail is deleted by a deletion request specifying that e-mail.
(2) When the control mail includes a connection request, the control mail reception application B 1 instructs the relay client application B 2 to set up communication through the VPN connection P 4 to the destination included in the mail (the relay server application A 2 in FIG. 7).
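The decision of FIG. 3 (check the ID information, then connect to the requesting terminal's IP address) as carried out by the control mail reception application B 1 over mails fetched from the POP server, written here as an added Python example that is not part of the patent. The header names, the ID value, the intranet prefix, the staff member's address and the sample mails are constructed assumptions, and the sender and address-range checks are additions a defender would want, not steps the patent describes.

```python
"""Control mail handling modelled on the control mail reception
application B 1 and the FIG. 3 decision.  Added illustration, not the
patent's own code; header names, ID value, intranet prefix and the sample
mails below are constructed assumptions."""
import email
import email.utils
import ipaddress
from typing import List, Tuple

# Hypothetical header carrying the VPN connection request ID information.
REQUEST_ID_HEADER = "X-VPN-Connect-Request"
REQUEST_ID_VALUE = "vpn-connect-request-1"
# Hypothetical header carrying the take-out PC's current IP address.
TERMINAL_IP_HEADER = "X-VPN-Terminal-IP"
# Assumed address space of the intranet behind the firewall: the gateway
# should only dial out toward the Internet, never back into the intranet.
INTRANET_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
OWN_ADDRESS = "staff@example.com"  # constructed staff member mail address


def classify_mail(raw: str, own_address: str) -> dict:
    """Decide what to do with one mail fetched from the POP server.

    'is_control': the mail carries the request ID and is to be deleted.
    'connect_to': IP address the relay client application B 2 should
    connect to, or None when the request is not acted upon.
    """
    msg = email.message_from_string(raw)
    verdict = {"is_control": False, "connect_to": None, "reason": ""}
    if msg.get(REQUEST_ID_HEADER, "").strip() != REQUEST_ID_VALUE:
        verdict["reason"] = "ordinary mail"
        return verdict
    verdict["is_control"] = True
    # The staff member sends the control mail to their own address; a
    # control mail from any other sender is discarded (added check).
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender != own_address.lower():
        verdict["reason"] = "unexpected sender"
        return verdict
    try:
        target = ipaddress.ip_address(msg.get(TERMINAL_IP_HEADER, "").strip())
    except ValueError:
        verdict["reason"] = "malformed terminal IP"
        return verdict
    # Refuse addresses that cannot be a take-out PC on the Internet (added check).
    if (target.is_loopback or target.is_link_local or target.is_multicast
            or target.is_unspecified
            or any(target in net for net in INTRANET_PREFIXES)):
        verdict["reason"] = "terminal IP not on the Internet side"
        return verdict
    verdict["connect_to"] = str(target)
    verdict["reason"] = "connect"
    return verdict


def process_mailbox(mails: List[str], own_address: str) -> Tuple[List[str], List[int]]:
    """One polling cycle of B 1: the IP addresses to connect to and the
    indices of the control mails to delete from the POP server."""
    targets: List[str] = []
    to_delete: List[int] = []
    for index, raw in enumerate(mails):
        verdict = classify_mail(raw, own_address)
        if verdict["is_control"]:
            to_delete.append(index)
            if verdict["connect_to"] is not None:
                targets.append(verdict["connect_to"])
    return targets, to_delete


# Constructed mails as they might sit on the POP server (CRLF line endings).
SAMPLE_MAILS = [
    "From: staff@example.com\r\nTo: staff@example.com\r\n"
    "Subject: weekly report\r\n\r\nSee attached.\r\n",
    f"From: staff@example.com\r\nTo: staff@example.com\r\n"
    f"{REQUEST_ID_HEADER}: {REQUEST_ID_VALUE}\r\n"
    f"{TERMINAL_IP_HEADER}: 203.0.113.45\r\nSubject: connect\r\n\r\n\r\n",
    f"From: other@example.net\r\nTo: staff@example.com\r\n"
    f"{REQUEST_ID_HEADER}: {REQUEST_ID_VALUE}\r\n"
    f"{TERMINAL_IP_HEADER}: 198.51.100.7\r\n\r\n\r\n",
    f"From: staff@example.com\r\nTo: staff@example.com\r\n"
    f"{REQUEST_ID_HEADER}: {REQUEST_ID_VALUE}\r\n"
    f"{TERMINAL_IP_HEADER}: 10.20.30.40\r\n\r\n\r\n",
]

if __name__ == "__main__":
    print(process_mailbox(SAMPLE_MAILS, OWN_ADDRESS))
```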
The relay client application B 2 performs the following operations.
(1) The relay client application B 2 receives a connection instruction from the control mail reception application B 1 and sets up communication through the VPN connection P 4 to the destination (A 2 in FIG. 7) included in the connection instruction.
(2) The relay client application B 2 carries a frame arriving from the virtual NIC B 13 as data over the communication through the VPN connection P 4 between the relay server application A 2 and the relay client application B 2 , by transferring the data to the SSL B 10 .
(3) The relay client application B 2 transfers data received from the SSL B 10 over the communication through the VPN connection P 4 , as a frame, to the virtual NIC B 13 .
(4) When the relay client application B 2 receives the disconnection signal through the VPN connection P 4 from the relay server application A 2 , the communication through the VPN connection P 4 ends, and the relay client application B 2 informs the control mail reception application B 1 of the end of the communication.
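The framing the relay applications A 2 and B 2 need in order to carry frames from the virtual NIC as data over the byte stream of the VPN connection P 4 (items (1) to (4) on both sides), including the disconnection signal, as an added Python example that is not part of the patent. The record layout (a type byte and a 16-bit length), the size limit and the sample frames are assumptions; SSL below the relay application delivers the stream in arbitrary chunks, which is the case the decoder handles.

```python
"""Record framing for the relay applications over VPN connection P 4.
Added illustration, not the patent's own code; the record layout, the
size limit and the sample frames are constructed assumptions."""
import struct
from typing import List, Tuple

RECORD_HEADER = struct.Struct("!BH")  # record type, payload length (big-endian)
TYPE_FRAME = 0x01        # payload is one Ethernet frame from the virtual NIC
TYPE_DISCONNECT = 0x02   # disconnection signal, no payload
MAX_FRAME_LEN = 1518     # largest untagged Ethernet frame (assumed limit)
MIN_FRAME_LEN = 14       # destination MAC, source MAC, EtherType


def encode_frame(frame: bytes) -> bytes:
    """Wrap a frame taken from the virtual NIC for transmission to SSL."""
    if not MIN_FRAME_LEN <= len(frame) <= MAX_FRAME_LEN:
        raise ValueError("frame length %d outside Ethernet bounds" % len(frame))
    return RECORD_HEADER.pack(TYPE_FRAME, len(frame)) + frame


def encode_disconnect() -> bytes:
    """The disconnection signal the relay server application sends to B 2."""
    return RECORD_HEADER.pack(TYPE_DISCONNECT, 0)


class RelayDecoder:
    """Reassembles records from SSL, which may hand data over in arbitrary
    chunks, and yields frames to pass on to the virtual NIC."""

    def __init__(self) -> None:
        self._buffer = bytearray()
        self.disconnected = False

    def feed(self, chunk: bytes) -> List[Tuple[str, bytes]]:
        events: List[Tuple[str, bytes]] = []
        if self.disconnected:
            return events  # the VPN communication has ended; ignore the rest
        self._buffer += chunk
        while len(self._buffer) >= RECORD_HEADER.size:
            rtype, length = RECORD_HEADER.unpack_from(self._buffer)
            if rtype not in (TYPE_FRAME, TYPE_DISCONNECT) or length > MAX_FRAME_LEN:
                # A byte stream cannot be resynchronised after a bad record;
                # fail loudly so the connection is torn down instead of guessed at.
                raise ValueError("malformed relay record")
            if len(self._buffer) < RECORD_HEADER.size + length:
                break  # wait for the rest of this record
            body = bytes(self._buffer[RECORD_HEADER.size:RECORD_HEADER.size + length])
            del self._buffer[:RECORD_HEADER.size + length]
            if rtype == TYPE_DISCONNECT:
                self.disconnected = True
                events.append(("disconnect", b""))
                break
            events.append(("frame", body))
        return events


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet frame (constructed sample input)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def relay_roundtrip(frames: List[bytes], chunk_size: int) -> Tuple[List[bytes], bool]:
    """Encode frames plus a disconnect, deliver the stream in chunk_size
    pieces as SSL might, and return the frames recovered on the far side
    together with whether the disconnect was seen."""
    stream = b"".join(encode_frame(f) for f in frames) + encode_disconnect()
    decoder = RelayDecoder()
    recovered: List[bytes] = []
    for offset in range(0, len(stream), chunk_size):
        for kind, body in decoder.feed(stream[offset:offset + chunk_size]):
            if kind == "frame":
                recovered.append(body)
    return recovered, decoder.disconnected


# Constructed sample frames: an ARP-style broadcast and an IPv4 unicast.
SAMPLE_FRAMES = [
    make_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0806,
               b"\x00\x01\x08\x00" + b"\x00" * 24),
    make_frame(b"\x02\x00\x00\x00\x00\x02", b"\x02\x00\x00\x00\x00\x01", 0x0800,
               b"\x45" + b"\x00" * 40),
]

if __name__ == "__main__":
    print(relay_roundtrip(SAMPLE_FRAMES, 7))
```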
The business server application C 1 is an application that communicates bi-directionally with the business client application A 1 . A WEB server application is typically used as the business server application C 1 . The business server application C 1 corresponds to the business client application A 1 ; various applications, including TELNET server software, FTP server software, accounting server software, file sharing server software, database server software, and the like, are applicable as the business server application C 1 .
According to the present embodiment, the SMTP server 11 , i.e., the mail server on the e-mail transmission side, and the POP server 13 , i.e., the mail server on the e-mail reception side, are installed as outside servers. The SMTP server is installed with an SMTP server application that realizes the e-mail relay function, and the POP server is installed with a POP server application that realizes the e-mail reception function. In addition to the outside POP server, a mail or news server, a DNS server, a SIP server, a bulletin board (WWW) server, or an FTP server may be utilized as the outside server 13 , so long as the firewall 3 does not restrict access to it from the office.
Next, the PC 12 may be installed with various modules, as OS contained software, including SSL A 4 , SSL A 10 , SSL A 15 , TCP A 5 , TCP A 11 , TCP A 16 , IP routing A 6 , IP stack (Private IP) A 7 , IP stack (Global IP) A 12 .
The gateway device 20 may be installed with various modules, as OS included software, including SSL B 3 , SSL B 10 , TCP B 4 , TCP B 11 , IP routing B 5 , IP stack (Private IP) B 6 , and bridge B 7 .
The SMTP server 11 includes various modules, as OS included software, including SSL D 2 , TCP D 3 , IP routing D 4 , and IP stack (global IP) D 5 .
The POP server 13 includes various modules, as OS included software, including SSL E 2 , TCP E 3 , IP routing E 4 , and IP stack (global IP) E 5 .
The business server 23 includes various modules, as OS-included software, including SSL C 2 , TCP C 3 , IP routing C 4 , and IP stack (private IP) C 5 . The firewall 3 includes various modules, as OS-included software, including IP routing F 1 , IP stack (global IP) F 2 , and IP stack (private IP) F 5 .
The PC 12 includes as software other than OS, a virtual driver A 8 , a virtual NIC A 9 , and a driver A 13 . The gateway device 20 includes a virtual driver B 12 , a virtual NIC B 13 , and a driver B 8 . The SMTP server 11 includes a driver D 6 . The POP server 13 includes a driver E 6 . The business server 23 includes a driver C 6 . The firewall 3 includes a driver F 3 and a driver F 6 .
The PC 12 includes, as hardware, NIC A 14 . The gateway device 20 includes NIC B 9 . The SMTP server 11 includes NIC D 7 . The POP server 13 includes NIC E 7 . The business server 23 includes NIC C 7 . The firewall 3 includes NIC F 4 and NIC F 7 .
An outline of each module shown in FIG. 7 will be given below. In the following explanation, the business client application, relay server application, control mail transmission application, SMTP server application, POP server application, control mail reception application, relay client application, and business server application are collectively referred to as "the application" when the functions of the various modules are described.
(SSL)
SSL has the function of receiving data from the application, encrypting it, and transmitting it to TCP; of receiving data from TCP, decrypting it, and transmitting it to the application; and of exchanging certificates and information such as the secret keys and public keys used for encryption. Whether or not SSL is used depends on the setting made by the application. When SSL is not used, data from the application is not encrypted and is passed on without any change; likewise, data from TCP is not decrypted and is passed to the application without any change.
(TCP)
TCP arranges data into packets of a fixed frame format through the following processes (1) to (4), or decodes packets back into data.
(1) TCP receives data from SSL (or from the application when SSL is not used) and adds a TCP header, which allows a missing packet or a reversed order to be detected, then sends the resulting packet to the IP routing. When the data is large, a division (fragmentation) process is carried out.
(2) TCP receives packets from the IP routing and detects a reversed order or a missing packet by referring to the TCP header. When there is neither a reversed order nor a missing packet, TCP removes the header from the packet and sends the resulting data to SSL (or to the application when SSL is not used). In this case, an ACK packet, which acknowledges the arrival of the packet, is sent back to the packet transmission source.
(3) In item (2), if a packet is missing, TCP transmits a retransmission request packet. If a reversed order or fragmentation occurs, TCP waits for the subsequent packets and then decodes the data.
(4) TCP receives ACK packets and adjusts the packet transmission rate of item (1).
(IP Routing)
The IP routing module receives a packet from TCP and transfers the packet to the IP stack (private IP), IP stack (global IP) or TCP by referring to the destination IP address and destination port number. Moreover, the IP routing module receives a packet from the IP stack (private IP) and sends the packet to the IP stack (global IP) or TCP by referring to the destination IP address and the destination port number. Moreover, the IP routing module receives a packet from the IP stack (global IP), refers to a destination IP address and a destination port number, and transfers the packet to the IP stack (private IP) or TCP.
(Bridge)
The bridge module receives a frame from the IP stack, refers to a destination MAC address, and transfers the frame to the driver or virtual driver. The bridge module also receives a frame from the driver, refers to a destination MAC address, and transfers the frame to the virtual driver or IP stack. The bridge module receives a frame from the virtual driver, refers to a destination MAC address, and transfers the frame to the driver or the IP stack.
Moreover, upon reception of a frame, the bridge module refers to the transmission source MAC address, learns it, and records which NIC the terminal having that MAC address is connected to. If the destination MAC address referred to upon reception of a frame has not yet been learned, the bridge module broadcasts the frame to all of the IP stack and the drivers other than the one on which the frame was received.
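The learning and forwarding behaviour of the bridge module described above, with the three ports of the gateway device (IP stack, driver and virtual driver), as an added Python example that is not part of the patent. The port names, the MAC addresses and the sample frames are constructed assumptions.

```python
"""MAC learning and forwarding of the bridge module B 7, which joins the
IP stack, the driver (NIC) and the virtual driver of the gateway device.
Added illustration, not the patent's own code; port names, MAC addresses
and sample frames are constructed."""
from typing import Dict, List

PORTS = ("ip_stack", "driver", "virtual_driver")
BROADCAST = b"\xff" * 6


class LearningBridge:
    def __init__(self) -> None:
        # Learned table: source MAC address -> port it was last seen on.
        self.table: Dict[bytes, str] = {}

    def receive(self, in_port: str, frame: bytes) -> List[str]:
        """Return the ports the frame is transferred to."""
        if in_port not in PORTS or len(frame) < 14:
            raise ValueError("unknown port or runt frame")
        dst, src = frame[0:6], frame[6:12]
        # Learn: the sender is reachable via the port the frame arrived on.
        # Group (multicast/broadcast) addresses are never valid sources.
        if not src[0] & 0x01:
            self.table[src] = in_port
        out = self.table.get(dst)
        if dst != BROADCAST and not dst[0] & 0x01 and out is not None:
            # Known unicast destination: forward to its port only, and
            # drop the frame if that would send it back where it came from.
            return [] if out == in_port else [out]
        # Unknown or group destination: flood to every other port.
        return [port for port in PORTS if port != in_port]


def frame(dst: bytes, src: bytes) -> bytes:
    """Minimal IPv4 Ethernet frame with zero padding (constructed input)."""
    return dst + src + b"\x08\x00" + b"\x00" * 46


MAC_PC = bytes.fromhex("020000000001")      # take-out PC, behind the virtual driver
MAC_SERVER = bytes.fromhex("020000000002")  # business server, behind the NIC
MAC_GATEWAY = bytes.fromhex("020000000003") # the gateway's own IP stack


def demo() -> List[List[str]]:
    """Four frames through one bridge; each result is the list of out-ports."""
    bridge = LearningBridge()
    return [
        bridge.receive("virtual_driver", frame(BROADCAST, MAC_PC)),    # flood; PC learned
        bridge.receive("driver", frame(MAC_PC, MAC_SERVER)),           # to virtual driver; server learned
        bridge.receive("virtual_driver", frame(MAC_SERVER, MAC_PC)),   # to driver only
        bridge.receive("ip_stack", frame(MAC_SERVER, MAC_GATEWAY)),    # to driver only
    ]


if __name__ == "__main__":
    print(demo())
```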
(Driver)
The driver is software mediating between the NIC and the OS. The driver receives packets from the NIC and sends them to the OS, and receives packets from the OS and sends them to the NIC.
(NIC)
The NIC (network interface card) is hardware installed in a computer to connect a network cable such as Ethernet (trademark). The NIC sends data received from the cable to the driver, and transmits data received from the driver to the cable.
(Virtual Driver)
A virtual driver is software mediating between the virtual NIC and the OS. The virtual driver receives a frame from the virtual NIC and sends it to the OS. The virtual driver also receives a frame from the OS and sends it back to the virtual NIC.
(Virtual NIC)
A virtual NIC is software mediating between the virtual driver and the relay server application or the relay client application (hereinafter referred to as the relay applications). The virtual NIC receives a frame from the virtual driver and hands it over to the relay application. Moreover, the virtual NIC receives a frame from the relay application and sends it to the virtual driver. Whereas a real NIC is formed of hardware, the virtual NIC is formed of software; the OS recognizes the virtual NIC as if it were hardware.
As understood from the functions of the modules described above, each device has a communication processing function that executes the downstream (transmission) process on data output from the application. That is, SSL encrypts data output from the application and sends it to TCP. TCP checks the data, adds a TCP header to it, and sends it to the IP routing. The IP routing refers to the destination IP address and destination port number of the packet received from TCP and sends it to the IP stack (private IP) or the IP stack (global IP). The NIC sends the data stored in the IP stack (private IP) or the IP stack (global IP) to a cable such as Ethernet via the driver.
Moreover, each device has a communication processing function for the upstream (reception) process. That is, the NIC stores a frame received from the cable such as Ethernet into the IP stack (private IP) or IP stack (global IP) of the OS via the driver. The IP routing refers to the IP header of the packet received from the IP stack (private IP) or IP stack (global IP) and transfers it to a suitable TCP. TCP refers to the TCP header of the packet received from the IP routing, checks the packet, removes the header from a normal packet, and sends the resulting data to SSL. SSL decrypts the received data and sends it to the application.
A device shown in FIG. 7 does not execute the processing of a module it does not include (not shown for that device) or of a module through which a given communication does not pass. For example, the firewall 3 has no application of its own, no SSL, and no TCP, and uses only the function of the IP routing F 1 between the IP stack (private IP) and the IP stack (global IP).
The gateway device 20 includes the bridge B 7 , having a MAC address learning function that records which NIC the terminal having each MAC address is connected to, between the IP stack (private IP) B 6 and the driver B 8 (virtual driver B 12 ). The gateway device 20 thus bridges three interfaces, namely the virtual driver B 12 , the NIC B 9 , and the IP stack B 6 .
Focusing on the IP stacks, each of the SMTP server 11 and the POP server 13 includes only the IP stack (global IP). The business server 23 includes only the IP stack (private IP).
In the embodiment described above, the communication through the VPN connection P 4 between the relay server application A 2 and the relay client application B 2 , each being one form of the object application, is set up such that encryption with the SSL protocol (via SSL) is basically performed, whether in the office or outside. This setting is made to prevent leakage of secret information, because the VPN connection P 4 is configured via outside facilities such as the Internet. Generally, encryption (SSL) is performed over the outside zone (outside the firewall), but it is not essential to the present invention.
Both the region between the business client application A 1 and the relay server application A 2 and the region between the relay client application B 2 and the business server application C 1 belong to the office area (the inside of the firewall). Therefore, encryption there is optional, and its setting is decided at each use. Encryption is not essential because the connection P 5 is used for communication within the PC and the connection P 6 is used for communication within the intranet, so the possibility of a leakage of secret information in the office is low.
(Explanation of Operation)
FIG. 8 is a diagram illustrating the operational procedure of the present embodiment. The operation of the present embodiment will be described below by referring to FIGS. 7 and 8.
(1) Using the control mail transmission application (e-mail transmission software) A 3 in the PC 12 , a staff member of “A” company transmits a control mail, via the outside SMTP server 11 , to the staff member's own mail address set in the POP server 13 . To distinguish it from ordinary e-mails, the control mail includes VPN connection request ID information (for example, in its header). Information necessary for the VPN connection, such as the IP address of the PC 12 carried out of the “A” company intranet, is also added to the control mail. The mail is first transferred to the SMTP server application D 1 through the connection P 1 .
(2) The outside SMTP server 11 receives the control mail via the connection P 1 using the SMTP server application D 1 , refers to the header information, and transfers the control mail to the outside POP server 13 through the connection P 2 . When the outside POP server 13 receives the e-mail (control mail) transmitted from the outside SMTP server, it stores the e-mail by mail address using the POP server application E 1 .
(3) Meanwhile, the gateway device 20 regularly accesses the outside POP server 13 through the firewall 3 via the connection P 3 , using the control mail reception application B 1 , and inquires whether or not an e-mail addressed to itself has arrived. When such an e-mail has arrived, the gateway device 20 retrieves it and decides whether or not it is a control mail (when the VPN connection request ID information is placed in the header, only the header needs to be checked).
(4) When the e-mail addressed to itself is a control mail, the control mail reception application B 1 in the gateway device 20 instructs the outside POP server 13 to delete the control mail. The authentication module B 14 performs authentication through the connection P 7 based on the ID and password in the retrieved control mail. When the authentication succeeds, the application B 1 instructs the relay client application B 2 to set up the VPN connection P 4 to the relay server application A 2 at the IP address of the VPN connection request source (PC 12 ). The relay client application B 2 sets up the VPN connection P 4 with the relay server application A 2 at that IP address according to the instruction from the control mail reception application B 1 .
(5) When the VPN connection P 4 is established, the relay server application A 2 in the PC 12 relays between the connection P 5 and the VPN connection P 4 , so that communication between the business client application A 1 and the business server application C 1 passes over the VPN connection P 4 . Likewise, the relay client application B 2 in the gateway device 20 relays between the connection P 6 and the VPN connection P 4 , carrying communication between the business server application C 1 of the business server 23 and the business client application A 1 over the VPN connection P 4 .
As a result, until the VPN connection P 4 is cut, the PC 12 can communicate with the business applications of the business servers 23 in the “A” company intranet.
FIG. 9 is an operational flowchart of the gateway device according to the fourth embodiment. The gateway device 20 inquires of the outside POP server 13 whether or not an e-mail addressed to itself (the “A” company staff member) has arrived (step S 1 ). When such an e-mail has arrived (YES in step S 2 ), the gateway device 20 retrieves the list of subjects (headlines) of the e-mails or the whole e-mails and decides whether or not an e-mail is a control mail (steps S 3 and S 4 ). When the e-mail is a control mail (YES in step S 4 ), the gateway device 20 deletes the control mail from the outside POP server 13 (step S 5 ) and establishes the VPN connection to the IP address of the VPN connection request source given in the control mail (step S 6 ). After the VPN connection, until the connection is cut (step S 7 ), the business application of the PC 12 can communicate with the business application of the connected device inside the “A” company intranet. When no e-mail addressed to itself exists in step S 2 (NO), or the e-mail is not a control mail in step S 4 (NO), the inquiry of step S 1 is repeated after a fixed period of time (step S 8 ).
As described above, a VPN connection can be established between the Internet 1 (an external network) and the “A” company intranet 2 (an office network) without changing the settings of the firewall 3 or the VPN-GW and without installing a relay server in the external network. Hence, the VPN connection can be set up simply by using e-mails, which are advantageous in communication charges, without the approval procedure of the firewall administrator and without installing and operating a relay server. The servers used for exchanging ordinary e-mails can be used as the outside POP server 13 and the outside SMTP server 11 without any change, and the account used for exchanging ordinary e-mails can be used as the account on the POP server 13 without any change. This is limited, however, to the case where the firewall 3 is set so that the company authorizes access from the intranet 2 to the outside POP server 13 .
Next, as a specific embodiment of the present invention, the case will be explained where e-mails are utilized as the access means and a VPN connection is established between an information processing terminal and a gateway device having an authentication function.
(Explanation of Configuration)
FIG. 10 is a diagram illustrating a network configuration according to the fifth embodiment of the present invention. The network configuration comprises the Internet 1 , an intranet 2 of “A” company, and a firewall 3 disposed between the Internet 1 and the intranet 2 . The intranet 2 comprises a gateway device 20 connected to the firewall 3 via the HUB and having a VPN connection authentication function for VPN connection to the Internet side and a business server 23 connected to the gateway device 20 via the HUB. The Internet side includes an outside SMTP server 11 , an outside POP server 13 and a PC 12 taken out by “A” company's staff member.
The gateway device 20 may be installed in any place within the intranet. Typically, a single gateway device 20 is installed in the office for each staff member or for plural staff members (of, for example, 2 to 50 or 20 to 100). In each gateway device 20 , the user (a staff member) can set the authentication function and the ID and password used to authenticate access from the PC 12 . When used on the intranet, the PC 12 is connected to the firewall 3 and the business server 23 via the HUB. When the PC 12 is used on the Internet 1 (outside the intranet 2 ), the gateway device 20 , which is connected to the firewall 3 and the business server 23 in the intranet 2 via the HUB, establishes a VPN connection with the PC 12 , and that VPN connection relays communication between the PC 12 and the business server 23 .
FIG. 11 is a diagram illustrating software installed in each device and a communication process on a protocol, according to the present embodiment.
The present embodiment is similar to the fourth embodiment (FIG. 7). That is, each of the PC 12 , the gateway device 20 , the SMTP server 11 , the POP server 13 , the business server 23 , and the firewall 3 includes a predetermined OS, applications realizing various functions, hardware NIC for performing communication between OSs, a software driver, a virtual driver, and a virtual NIC. However, in the present embodiment, the gateway device 20 includes an authentication module B 14 that realizes the authentication function in response to an access by an e-mail from the PC 12 .
FIG. 11 illustrates an example in which a VPN connection is established after authentication between the PC 12 and the gateway device 20 and office-affair communication is performed between the PC 12 and the business server 23 . The PC 12 is installed with the business client application A 1 for office affairs, and the business server 23 is installed with the corresponding business server application C 1 . Moreover, the PC 12 is installed with the control mail transmission application A 3 , which realizes an e-mail transmission function that can reach the firewall 3 from the Internet, and the relay server application A 2 , which realizes a relay function for the business client application A 1 . The gateway device 20 is installed with the control mail reception application B 1 , which realizes an e-mail reception function, and the relay client application B 2 , which realizes a relay function for the business server application C 1 .
In a manner similar to the fourth embodiment shown in FIG. 7, the VPN encapsulation application, that is, the frame conversion processing software between the Internet and the intranet, is applied to the relay server application A 2 . In the present embodiment, the SMTP server 11 (the mail server on the e-mail transmission side) and the POP server 13 (the mail server on the e-mail reception side) are installed as outside servers. The SMTP server 11 is installed with the SMTP server application D 1 , which realizes the e-mail transfer function, and the POP server 13 is installed with the POP server application E 1 , which realizes the e-mail reception function.
The outline of each module and function shown in FIG. 11 is similar to that of the fourth embodiment. However, the present embodiment differs from the fourth embodiment in that the control mail reception application B 1 in the gateway device 20 extracts the ID and password carried in a retrieved control mail, and in that the authentication module B 14 checks them against the ID and password previously set by the user.
(Explanation of Operation)
FIG. 12 is a diagram illustrating the procedure of the operation of the present embodiment. The operation of the present embodiment will be explained below by referring to FIGS. 11 and 12.
(1) Using the control mail transmission application (e-mail transmission software) A 3 of the PC 12 , a staff member of “A” company transmits a control mail, via the outside SMTP server 11 , to the staff member's own mail address set in the POP server 13 . To distinguish it from ordinary e-mails, the control mail includes ID information for a VPN connection request (for example, in its header). In addition, the information necessary for authentication on the intranet side and for the VPN connection from the intranet side to the PC 12 , such as the IP address of the PC 12 and the ID and password, is added to the control mail. The mail is first transferred to the SMTP server application D 1 through the connection P 1 .
(2) The outside SMTP server 11 receives the control mail via the connection P 1 using the SMTP server application D 1 , refers to the header information, and transfers the control mail to the outside POP server 13 via the connection P 2 . When it receives the e-mail (control mail) transmitted from the outside SMTP server, the outside POP server 13 stores it by mail address using the POP server application E 1 .
(3) The gateway device 20 regularly accesses the outside POP server 13 via the connection P 3 through the firewall 3 , using the control mail reception application B 1 , inquires whether or not an e-mail addressed to itself exists, retrieves it when it does, and decides whether or not the e-mail is a control mail (when the VPN connection request ID information is placed in the header, only the header needs to be checked).
(4) When the e-mail addressed to itself is a control mail, the control mail reception application B 1 in the gateway device 20 instructs the outside POP server 13 to delete the control mail. The authentication module B 14 performs authentication via the connection P 7 based on the ID and password in the retrieved control mail. When the authentication succeeds, the control mail reception application B 1 instructs the relay client application B 2 to set up the VPN connection P 4 to the relay server application A 2 at the IP address of the VPN connection request source (PC 12 ), and the relay client application B 2 sets up the VPN connection P 4 to that address according to the instruction.
(5) When the VPN connection P 4 is established, the relay server application A 2 in the PC 12 relays between the connection P 5 and the VPN connection P 4 , so that communication between the business client application A 1 and the business server application C 1 passes over the VPN connection P 4 . Likewise, the relay client application B 2 in the gateway device 20 relays between the connection P 6 and the VPN connection P 4 , carrying communication between the business server application C 1 of the business server 23 and the business client application A 1 over the VPN connection P 4 .
As a result, until the VPN connection P 4 is cut, the PC 12 can communicate with the business applications of the business servers 23 in the intranet.
FIG. 13 is an operational flowchart of the gateway device 20 according to the fifth embodiment. The gateway device 20 inquires of the outside POP server 13 whether or not an e-mail addressed to itself (the “A” company staff member) exists (step S 1 ). When such an e-mail exists (YES in step S 2 ), the gateway device 20 retrieves the list of subjects (headlines) of the e-mails or the whole e-mails and decides whether or not an e-mail is a control mail (steps S 3 and S 4 ). When the e-mail is a control mail (YES in step S 4 ), the gateway device 20 deletes the control mail from the outside POP server 13 (step S 5 ), and the authentication module B 14 performs authentication based on the retrieved control mail (step S 6 ). When the authentication succeeds (YES in step S 6 ), the VPN connection is established to the IP address of the VPN connection request source given in the control mail (step S 7 ). Thereafter, until the VPN connection is cut (step S 8 ), the PC 12 can communicate with the business applications of the connected devices in the intranet. When no e-mail addressed to itself exists in step S 2 (NO), when the e-mail is not a control mail in step S 4 (NO), or when the authentication fails in step S 6 (NO), the inquiry of step S 1 is repeated after a fixed period of time (step S 9 ).
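The following Python example, added for this page and not taken from the patent, runs the gateway-side sequence of both FIG. 9 (fourth embodiment) and FIG. 13 (fifth embodiment) over an in-memory mailbox standing in for the outside POP server 13 : it composes the control mail as the control mail transmission application A 3 would (request marker and the PC's IP address; for the fifth embodiment also ID and password), recognises a control mail from its header alone, deletes it, authenticates, and returns the address to which the VPN connection P 4 is to be set up. The header names, the credential store (which keeps a salted PBKDF2 hash on the gateway rather than the clear password) and the check that the requested address is a global one are assumptions not stated in the patent.

```python
"""Gateway-side handling of a control mail, following the FIG. 9 / FIG. 13 sequence.
Added example, not the patent's software. The header names, the credential store and
the in-memory mailbox standing in for the outside POP server 13 are assumptions."""
import hashlib
import hmac
import ipaddress
import secrets
from email.message import EmailMessage
from email.parser import HeaderParser

# Assumed header names; the patent only says that "ID information for a VPN
# connection request" is placed in the header and that the IP address, ID and
# password are added to the control mail.
REQUEST_HEADER = "X-VPN-Connect-Request"
IP_HEADER = "X-VPN-Client-IP"
USER_HEADER = "X-VPN-User"
PASSWORD_HEADER = "X-VPN-Password"


def build_control_mail(sender, recipient, client_ip, user_id=None, password=None):
    """Control mail transmission application A3: compose the request sent by the PC 12."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "VPN connection request"
    msg[REQUEST_HEADER] = "1"
    msg[IP_HEADER] = str(ipaddress.ip_address(client_ip))   # rejects malformed addresses
    if user_id is not None and password is not None:        # fifth embodiment adds ID/password
        msg[USER_HEADER] = user_id
        msg[PASSWORD_HEADER] = password
    msg.set_content("control mail")
    return msg.as_string()


class Mailbox:
    """Minimal stand-in for the outside POP server 13 with LIST / RETR / DELE semantics."""

    def __init__(self, messages=()):
        self._messages = list(messages)

    def list(self):
        return list(range(len(self._messages)))

    def retr(self, index):
        return self._messages[index]

    def dele(self, index):
        del self._messages[index]


class CredentialStore:
    """Authentication module B14. Holds a salted PBKDF2 hash per user rather than the
    clear password (a design choice here; the patent only says the ID and password
    are 'previously set by the user')."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._digest(salt, password))

    def authenticate(self, user_id, password):
        if user_id is None or password is None or user_id not in self._users:
            return False
        salt, expected = self._users[user_id]
        return hmac.compare_digest(expected, self._digest(salt, password))


def is_control_mail(raw):
    """Step S4: decide from the header alone, as the patent states."""
    return HeaderParser().parsestr(raw).get(REQUEST_HEADER) == "1"


def poll_once(mailbox, credentials=None):
    """One pass through steps S1..S7 of FIG. 13. With credentials=None the
    authentication step is skipped, which is the FIG. 9 sequence.
    Returns (result, target_ip)."""
    indexes = mailbox.list()                          # S1
    if not indexes:                                   # S2: no mail to self
        return "no_mail", None
    for i in indexes:
        raw = mailbox.retr(i)                         # S3
        if not is_control_mail(raw):                  # S4
            continue
        headers = HeaderParser().parsestr(raw)
        mailbox.dele(i)                               # S5: delete the control mail first
        if credentials is not None:                   # S6 (fifth embodiment only)
            if not credentials.authenticate(headers.get(USER_HEADER), headers.get(PASSWORD_HEADER)):
                return "auth_failed", None
        try:
            target = ipaddress.ip_address(headers.get(IP_HEADER, ""))
        except ValueError:
            return "bad_address", None
        if not target.is_global:                      # added check: the PC 12 sits on the Internet side
            return "bad_address", None
        return "connect", str(target)                 # S7: set VPN connection P4 to this address
    return "not_control", None
```

Because a control mail is recognised from its header marker alone, any mail that reaches the mailbox with that marker is treated as a request; in the FIG. 9 sequence the address in the mail is then used directly, while the authentication step of FIG. 13 is what ties the request to a user who set an ID and password in the gateway device 20 . The control mail is deleted before authentication, matching the order of steps S 5 and S 6 in the flowchart, so a failed request does not stay on the server to be retried.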
As described above, a VPN connection can be established between the Internet 1 (an external network) and the intranet 2 (an internal network) without changing the settings of the firewall 3 or the VPN-GW and without installing a relay server in the external network. Hence, the VPN can be set up simply through e-mails, which are advantageous in communication charges, without the approval procedure of the firewall administrator and without installing and operating a relay server. In particular, the present embodiment maintains security through the authentication step: a control mail alone does not cause a connection unless the ID and password it carries match those previously set in the gateway device 20 . The servers conventionally used for exchanging e-mails may be used as the outside POP server 13 and the outside SMTP server 11 without any change, and the conventional e-mail account may be used as the account on the POP server 13 without any change. This is limited, however, to the case where the firewall 3 is set so that the company authorizes access from the intranet 2 to the outside POP server 13 .
Next, as a specific embodiment of the present invention, the case will be explained where a VPN connection for IP telephones is established between the information processing terminal and the gateway device by utilizing e-mails as the access means.
(Explanation of Configuration)
FIG. 14 is a diagram illustrating a network configuration according to the sixth embodiment of the present invention. The network configuration comprises the Internet 1 , an intranet 2 of “A” company, and a firewall 3 disposed between the Internet 1 and the intranet 2 . The intranet 2 includes a gateway device 22 , which is connected to the firewall 3 via a HUB and has an IP telephone handset for calls to the Internet side. The Internet side includes an outside SMTP server 11 for e-mail transmission, an outside POP server 13 for e-mail reception, and a PC 12 with a handset, carried out by a staff member of “A” company.
The gateway device 22 with the IP telephone handset can be installed in any place within the intranet. Typically, a single gateway device 22 is installed in the office for each staff member or for plural staff members (of, for example, 2 to 50 or 2 to 100). When used within the intranet, the PC 12 with the IP telephone handset is connected to the firewall 3 via the HUB. When the PC 12 is used on the Internet (outside the intranet 2 ), the gateway device 22 , which is connected to the firewall 3 in the intranet 2 via the HUB, establishes a VPN connection with the PC 12 , over which the IP telephone call is carried.
FIG. 15 is a diagram illustrating the software installed in each device according to the present embodiment and the communication process on the protocol.
According to the present embodiment, each of the PC 12 , the gateway device 22 , the SMTP server 11 , the POP server 13 and the firewall 3 has a predetermined OS, applications realizing various functions, a hardware NIC for communication between OSs, and a software driver.
FIG. 15 shows an example of establishing a VPN connection for an IP telephone between the PC 12 and the gateway device 22 and performing IP telephone communication over it. The PC 12 is installed with the IP telephone server application A 22 , which receives audio from the transmitter of the handset A 21 and sends audio to the receiver of the handset A 21 . The gateway device 22 is installed with the IP telephone client application B 22 , which receives audio from the transmitter of the handset B 21 and sends audio to the receiver of the handset B 21 . The IP telephone client application B 22 and the IP telephone server application A 22 are connected together through the VPN connection and exchange audio data bidirectionally. Moreover, the PC 12 is installed with the control mail transmission application A 3 , which realizes an e-mail transmission function, and the gateway device 22 is installed with the control mail reception application B 1 , which realizes an e-mail reception function; both are e-mail transmission/reception software that can reach the firewall from the Internet.
In the present embodiment, the SMTP server 11 , which is a mail server on the e-mail transmission side, is installed as an outside server. The POP server 13 , which is a mail server on the e-mail reception side, is installed as an outside server. The SMTP server 11 is installed with the SMTP server application D 1 as an application which realizes an e-mail transmission function. The POP server 13 is installed with the POP server application E 1 as an application which realizes an e-mail reception function.
The present embodiment can employ a configuration similar to those of the above-mentioned embodiments for the software inside and outside the OS. However, the PC 12 may include only the IP stack (global IP), and the gateway device 22 does not require the bridge because no relay processing is needed. In the explanation of the present embodiment, the VPN connection for the IP telephone between the IP telephone server application A 22 and the IP telephone client application B 22 , which are the object applications, is set so that encryption with the SSL protocol is performed both inside and outside the company. However, encryption by SSL is not essential.
(Explanation of Operation)
FIG. 16 is a diagram illustrating the procedure of the operation of the present embodiment. The operation of the embodiment will be explained below by referring to FIGS. 15 and 16.
(1) Using the control mail transmission application (e-mail transmission software) A 3 of the PC 12 , the staff member of “A” company transmits a control mail, via the outside SMTP server 11 , to the staff member's own mail address set in the POP server 13 . To distinguish it from ordinary e-mails, the control mail includes ID information for an IP telephone VPN connection request (for example, ID information for a VPN connection request may be added to the header, as for the intranet relay of the fourth embodiment). The information necessary for the IP telephone VPN connection from the intranet side to the PC 12 , such as the IP address of the PC 12 , is added to the control mail. The mail is first transferred to the SMTP server application D 1 through the connection P 1 .