JP2010183259A - Communication method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication method which allows proper users to easily access servers in local area networks even from wide area networks without degrading security functions for access to the local area networks. <P>SOLUTION: In a client terminal device 2, a user only specifies an application program to access a server in a local area network 19 with simple operation, and after that access data from the application program to the server in the local area network 19 is automatically transmitted to an authentication server 20 through an encrypted communication path. Thereby, the user can access servers in the local area network 19 not depending on browser functions that are used by the client terminal device 2. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a communication method between a server and a client via a wide area network and a local area network, and a program used for the communication method.

A LAN (local area network) in a company is often connected to the Internet (wide area network) via an authentication server having a firewall function.
In a LAN, a device such as a server is usually accessed using a local address.
If an attempt is made to access a server in the LAN using the above-mentioned local address from outside the Internet, the access is denied by the above-described authentication server.

However, in the conventional system described above, it is not possible to access a server in the LAN at home or on the go, in the same way as a LAN in a company, and there are large restrictions on data and applications that can be used, and the usability is poor. .
On the other hand, the function of the firewall is important from the viewpoint of security, and the function cannot be dropped.

  SUMMARY OF THE INVENTION The present invention has been made in view of such circumstances, and an object of the present invention is to provide a server in a local area network even from a wide area network to an appropriate user without deteriorating the security function for accessing the local area network. A communication method and program that can be easily accessed.

  In order to solve the above-described problems of the prior art and achieve the above-described object, a communication method according to a first aspect of the present invention is a communication method executed by a computer that performs communication via a wide area network. A program starting step for starting a communication program for performing encrypted communication with a communication server connected to the network, and the started communication program establishes an encrypted communication path with the communication server in the wide area network. A communication path establishment step, a designation step for designating an application having a function of communicating via the wide area network to the communication program, and a designation for a local server connected to the communication server via a local area network. When the application is accessed, the communication program passes through the encrypted communication path. Transmits and receives communication data between said application local server, and a server notification step of notifying the access information such as address of the local server on the local area network to the communication server.

According to the communication method of the first aspect of the invention, the local server in the local area network can be accessed from a computer on the wide area network with a simple operation.
In the communication method of the present invention, since the remote access is performed without using the browser function of the computer, the types of applications that can be accessed are not limited by the browser.

Preferably, the designation step of the communication method of the present invention displays an application designation window in response to a user operation, and an operation for moving an application icon on the screen into the application designation window is performed. In the communication method of the present invention, preferably, when the icon of the application displayed in the application designating window is designated, the icon name and the access permission from the application are designated. A setting screen for setting a range is displayed, and display of the icon and access control from an application are performed based on information set using the setting screen.
Preferably, when the communication method of the present invention detects that a storage device is attached to the computer, the communication method accesses the communication server via the wide area network based on the data stored in the storage device. It further has a download step of downloading the communication program.
Preferably, the communication method of the present invention further includes an authentication step of authenticating the computer by accessing the communication server via the wide area network using a function of a browser operating on the computer. The download step performs the download on the condition that the computer is authenticated in the authentication step, and the communication filter establishment step sets the encrypted communication path without using the browser function. Establish.
Preferably, in the notification step, before the application designated in the designated step starts access to the local server on the local area network, access information such as an address of the local server is sent to the communication server. Notify
The notifying step adds information related to the address of the local server to each packet of communication data when the application specified in the specified process accesses the local server on the local area network. It may be.

  A communication method according to a second aspect of the present invention is a communication method executed by a communication server connected to a local area network to which a local server is connected, which communicates via a wide area network. Upon receiving a download request, a download step of transmitting a communication program to the client computer that is the download request source, and an application designated by the communication program in response to a request from the communication program via the wide area network A communication path establishment step for establishing an encrypted communication path between the communication server, and when the designated application accesses a local server connected to the communication server via a local area network in the client computer, the encrypted communication path Through And a relay step of relaying the transmission and reception of communication data between said application local server.

In the communication method of the invention of the second aspect, the computer connected to the wide area network performing the communication method of the invention of the first aspect and the communication server communicate with each other, as described above, in the local area network. Can be accessed from a computer on a wide area network with a simple operation.
Further, since the remote access is performed without using the browser function of the computer, the types of applications that can be accessed are not limited by the browser.

  A program according to a third aspect of the invention is a program executed by a computer that communicates via a wide area network, and a communication path establishment procedure for establishing an encrypted communication path with the communication server in the wide area network A designation procedure for designating an application having a function of performing communication via the wide area network to the communication program, and the designated application accesses a local server connected to the communication server via a local area network. The communication program sends and receives communication data between the application and the local server via the encrypted communication path, and notifies the communication server of the address of the local server on the local area network. Server notification procedure To be executed by a serial computer.

  The program of the invention of the third aspect is executed by a computer that performs communication via the wide area network of the invention of the first aspect described above, and produces the same operations and effects as the invention of the first aspect.

  The program of the invention of the fourth aspect is a program executed by a communication server connected to a local area network to which a local server is connected, which communicates via a wide area network, and a download request is made via the wide area network Between the download procedure for transmitting the communication program to the download requesting client computer and the application specified in the communication program in response to a request from the communication program via the wide area network. When the designated application accesses a local server connected to the communication server via a local area network in the client computer, and a communication path establishment procedure for establishing an encrypted communication path, Te, to execute the relay instructions to relay transmission and reception of communication data between said application local server to the communication server.

  The program of the invention of the fourth aspect is executed by the communication server of the invention of the second aspect described above, and produces the same operations and effects as the invention of the second aspect.

  According to the present invention, there is provided a communication method and program capable of easily accessing a server in a local area network from a wide area network for an appropriate user without deteriorating the security function of access to the local area network. be able to.

FIG. 1 is an overall configuration diagram of a communication system according to an embodiment of the present invention. FIG. 2 is a block diagram of the client terminal device shown in FIG. FIG. 3 is a block diagram of the authentication server shown in FIG. FIG. 4 is a diagram for explaining an authentication process between the client terminal device and the authentication server. FIG. 5 is a diagram for explaining processing in which a client terminal device and an authentication server establish communication with an encrypted communication path. FIG. 6 is a diagram for explaining a screen when the communication program is activated in the client terminal device. FIG. 7 is a diagram for explaining a case where an application icon is dragged in the program designation screen in the client terminal device. FIG. 8 is a diagram for explaining a screen for setting communication attributes of a specified application program. FIG. 9 is a diagram for explaining a screen after the icon of the designated application is dragged in the client terminal device. FIG. 10 is a flowchart for explaining processing until the communication program is started in the client terminal device. FIG. 11 is a flowchart for explaining processing for designating a program for locally accessing the local area network in the client terminal device. FIG. 12 is a flowchart for explaining processing when an access from a program dragged in the program designation screen to a server in the local area network occurs.

Hereinafter, a communication system 1 according to an embodiment of the present invention will be described.
FIG. 1 is an overall configuration diagram of a communication system 1 according to an embodiment of the present invention.
As shown in FIG. 1, the communication system 1 includes, for example, a wide area network 9 and a local area network 19.

A client terminal device 2 and an authentication server 20 are connected to the wide area network 9.
For example, a Web server 10, an FTP server 12, a mail server 14, and a shared file server 16 are connected to the local area network 19.

  In the communication system 1, remote access is performed via the authentication server 20 from the client terminal device 2 to the server in the local area network 19 via the wide area network 9.

Here, the client terminal device 2 is an example of a computer used in the communication method of the first aspect of the invention, and the authentication server 20 is an example of a communication server used in the communication method of the second aspect of the invention.
The communication program 64 is an example of the program of the invention of the third aspect, and the program executed by the authentication server 20 is an example of the program of the invention of the fourth aspect.

Hereinafter, configurations of the client terminal device 2 and the authentication server 20 illustrated in FIG. 1 will be described.
[Client terminal apparatus 2]
FIG. 2 is a configuration diagram of the client terminal device 2 shown in FIG.
As illustrated in FIG. 2, the client terminal device 2 includes, for example, a display 22, an operation unit 24, a memory 26, a wide area network communication unit 28, a USB controller 30, and a processing circuit 32.

The display 22 displays a screen to be described later based on the image signal from the processing circuit 32.
The operation unit 24 is an operation unit such as a keyboard or a mouse, and outputs an operation signal corresponding to an operation by the user to the processing circuit 32.
The memory 26 stores a program executed by the processing circuit 32 and data used for processing of the processing circuit 32.
The wide area network communication unit 28 is an interface for communication via the wide area network 9.

When an external storage device such as a USB device is connected, the USB controller 30 performs access processing to the storage device.
In the present embodiment, a USB device 52 is mounted on the client terminal device 2, and the USB controller 30 accesses the USB device 52.
The processing circuit 32 reads out and executes the program from the memory 26, and controls the processing of the client terminal device 2 described later in an integrated manner. The processing contents of the processing circuit 32 are described in the program.

[Authentication Server 20]
FIG. 3 is a block diagram of the authentication server 20 shown in FIG.
As illustrated in FIG. 3, the authentication server 20 includes, for example, an operation unit 34, a memory 36, a wide area network communication unit 38, a local area network communication unit 40, and a processing circuit 42.

The operation unit 34 is an operation unit such as a keyboard or a mouse, and outputs an operation signal according to an operation by an administrator of the authentication server 20 to the processing circuit 32.
The memory 36 stores a program executed by the processing circuit 42 and data used for processing of the processing circuit 42.
The wide area network communication unit 38 is an interface for communication via the wide area network 9.
The local area network communication unit 40 is an interface for communication via the local area network 19.
The processing circuit 42 reads out and executes the program from the memory 36, and controls the processing of the authentication server 20 described later in an integrated manner. The processing contents of the processing circuit 42 are described in the program.

The authentication server 20 uses an ID, password, key information, and the like stored in the database 18 at the time of authentication.
The authentication server 20 stores key information necessary for establishing an encrypted communication path with the client terminal device 2.

Hereinafter, an outline of processing when the client terminal apparatus 2 remotely accesses a server on the local area network 19 in the communication system 1 will be described.
First, as shown in FIG. 4, when the user attaches the USB device 52 to the client terminal device 2, the processing circuit 32 automatically executes the program USB-PRG stored in the USB device 52 and functions of the browser 62. Is used to access the authentication server 20 via the wide area network 9.
Then, the client terminal device 2 communicates with the Web program 72 of the authentication server 20 to perform authentication processing. In the authentication process, the Web program 72 displays a screen for requesting an ID and password on the display 22 of the client terminal device 2 using the function of the browser 62, and uses the ID and password input on the screen. Authenticate.

If the authentication is successful, the client terminal device 2 automatically downloads the communication program 64 from the authentication server 20 and executes it.
Then, the communication program 64 displays the icon ICON0 of the communication program 64 on a part of the screen 221 of the display 22 of the client terminal device 2, as shown in FIG.
When the user clicks (designates) the icon ICON0, the communication program 64 displays a program designation window 224, for example, as shown in FIG.
For example, the user drags a shortcut (icon) S6 of an application program that can be used in the local area network 19 to the program designation window 224 with a mouse or the like.

In response to the drag operation, the communication program 64 displays a dragged setting window 226 shown in FIG. On the setting window 226, the user sets conditions such as the name of the dragged application program and parameters (addresses of applications permitted to be accessed).
As a result, the dragged program icon is displayed in the program designation window 224 as shown in FIG.

Thereafter, when access from the dragged program to the server in the local area network 19 occurs, the communication program 64 acquires (hooks) this access.
Then, as shown in FIG. 5, the communication program 64 encrypts and encapsulates the acquired data related to access and transmits it to the authentication server 20 via the encrypted communication path established on the wide area network 9.

  The authentication server 20 decrypts the encrypted capsule acquired from the client terminal device 2 via the wide area network 9 and acquires the address and port number of the access destination, and based on this, the local on the local area network 19 The decrypted data is transmitted to the server (Web server 10, FTP server 12, mail server 14, shared file server 16).

Hereinafter, processing of the client terminal device 2 and the authentication server 20 will be described in detail with reference to flowcharts.
[First operation example]
Hereinafter, processing until the communication program 64 is activated in the client terminal device 2 will be described.
FIG. 10 is a flowchart for explaining processing until the communication program 64 is activated in the client terminal device 2.

Step ST1:
When the installation of the USB device 52 is detected by the USB controller 30, the processing circuit 32 of the client terminal device 2 proceeds to step ST2.

Step ST2:
The processing circuit 32 executes the program USB-PRG read from the USB device 52 and accesses the authentication server 20 via the wide area network 9 using the function of the browser 62. Specifically, HTTPS communication of the browser 62 is used.
Then, the client terminal device 2 communicates with the Web program 72 of the authentication server 20 to display a screen for requesting an ID and password on the display 22 and inputs the ID and password on the screen.
For example, a one-time ID is used as the authentication.

Step ST3:
When the Web program 72 shown in FIG. 4 refers to the display 22 and succeeds in the authentication by comparing the ID and password based on the information stored in the database 18, the process proceeds to step ST4.
On the other hand, if the authentication fails, the process ends.

Step ST4:
The processing circuit 32 downloads the communication program 64 from the authentication server 20 via the wide area network communication unit 28 and the wide area network 9 and writes it in the memory 26.
Then, the processing circuit 32 reads the communication program 64 from the memory 26 and executes it.
As illustrated in FIG. 6, the communication program 64 displays an icon ICON0 of the communication program 64 on the screen 221 of the display 22 of the client terminal device 2.

As shown in FIG. 5, the communication program 64 establishes an encrypted communication path with the authentication server 20 via the wide area network 9.
The control program 74 uses the key information stored in the database 18 when establishing the encrypted communication path. Specifically, the communication program 64 communicates with the Web program 72 of the authentication server 20 by encrypting the common key information generated by either one based on the secret key information and the public key information. Share.
As will be described later, in the encrypted communication, the communication program 64 notifies the authentication server 20 of the address of the local server when the designated application program starts to access the local server of the local area network 19. To do.

[Second operation example]
Hereinafter, a process of designating a program for locally accessing the local area network 19 in the client terminal device 2 will be described.
FIG. 11 is a flowchart for explaining processing for designating a program for local access to the local area network 19 in the client terminal device 2.
Step ST11:
The communication program 64 of the client terminal device 2 monitors whether or not the user has clicked (designated) the icon ICON0, and proceeds to step ST12 when determining that the user has clicked.

Step ST12:
For example, the communication program 64 displays a program designation window 224 as shown in FIG.

Step ST13:
For example, the communication program 64 monitors whether or not the user has dragged a program shortcut (icon) that can be used in the local area network 19 to the program designation window 224 with a mouse or the like. Proceed to

Step ST14:
In response to the drag operation, the communication program 64 displays a dragged setting window 226 shown in FIG. On the setting window 226, the user sets conditions such as the name of the dragged application program and the parameters indicating the range of accessibility of the program. Thereafter, the communication program 64 performs access processing for the application according to the above parameters and the like.
As a result, the dragged program icon is displayed in the program designation window 224 as shown in FIG.

  Thereafter, the communication program 64 monitors access to the server in the local area network 19 by the dragged application program.

[Third operation example]
Hereinafter, a process when an application program dragged in the program designation window 224 is accessed to a server in the local area network 19 will be described.
FIG. 12 is a flowchart for explaining processing when an application program dragged in the program designation window 224 is accessed to a server in the local area network 19.
Step ST21:
The communication program 64 of the client terminal device 2 monitors whether or not an access to the server in the local area network 19 has occurred from the program dragged in the program designation window 224. If it is determined that the access has occurred, the process proceeds to step ST22. .
The communication program 64 is set to acquire data having an IP address indicating that the destination of data from the dragged program is the remote access terminal itself and the port number of the application set by the control program 74 of the authentication server 20. And monitoring data at the transport layer.

Step ST22:
The communication program 64 encrypts access information such as a local address using the above-described common key information before the dragged application program performs communication.
At this time, when the dragged (designated) application program starts accessing the local server of the local area network 19, the communication program 64 determines the address of the local server to be accessed (IP on the local area network 19). Address, port number) is notified to the authentication server 20.
That is, the client terminal device 2 does not access the server in the local area network 19 as a virtual terminal in the same network, but performs remote access via the authentication server 20.
Note that the communication program 64 may not add the address of the local server to the authentication server 20 as described above, but may add information related to the address of the local server to each packet of communication data. In this case, the authentication server 20 accesses the local server based on the address added to the packet.

Step ST23;
The communication program 64 transmits the encrypted data to the authentication server 20 via the wide area network 9. That is, the data is transmitted via the encrypted communication path established in the wide area network 9.

Step ST24:
If the control program 74 of the authentication server 20 determines that the data has been received from the client terminal device 2 via the wide area network 9, the process proceeds to step ST25.

Step ST25:
The control program 74 decrypts the received data using the common key information described above.

Step ST26:
The control program 74 uses the local data (Web server 10, FTP server 12, mail server) on the local area network 19 based on the local address notified from the communication program 64 as described above. 14. Send to shared file server 16).

As described above, according to the communication system 1, the client terminal device 2 can simply specify an application program for accessing a server in the local area network 19 with a simple operation. Access data to the server in the area network 19 is automatically transmitted to the authentication server 20 via the encrypted communication path. The access data is transmitted to the server in the local area network 19 by the authentication server 20. Thereby, the user of the client terminal device 2 can perform remote access to the server on the local area network 19 via the wide area network 9 without performing a complicated setting operation.
In other words, the same operability as a computer in the local area network 19 can be realized even from the wide area network 9 outside the local area network 19 by a simple operation (registration) of the application program by drag operation.
In the communication system 1, the application program of the client terminal device 2 does not construct a virtual local network for the local area network 19. That is, since the application program of the client terminal device 2 remotely accesses a server in the local area network 19 via the authentication server 20, even if the client terminal device 2 is infected with a virus, the effect is immediately affected by the local area. The network 19 can be avoided.

Further, according to the communication system 1, after the first authentication, the authentication server 20 is used by using the encryption communication path established on the wide area network 9 without using the function of the browser 62 used in the client terminal device 2. Since the access data is transmitted, the types of applications that can be accessed are not limited to the communication format supported by the browser 62, and remote access by various applications becomes possible.
That is, among the application programs installed in the server in the local area network 19, an application program not supported by the browser 62 can also be accessed from the wide area network 9.

  Further, according to the communication system 1 described above, it is not necessary to install a special program in advance in the client terminal device 2, and the local area can be obtained by simply mounting the USB device 52 in various computers connected to the wide area network 9. Remote access to the network 19 can be realized.

The present invention is not limited to the embodiment described above.
That is, those skilled in the art may make various changes, combinations, sub-combinations, and alternatives regarding the components of the above-described embodiments within the technical scope of the present invention or an equivalent scope thereof.
In the above-described embodiment, the case where information for accessing the authentication server 20 is stored in the USB device 52 is exemplified. However, for example, the information is stored in the client terminal device 2 in another method, for example, a wide area. It may be stored by a method such as receiving via the network 9.
In the above-described embodiment, the case where the communication program 64 is automatically downloaded from the authentication server 20 to the client terminal device 2 and executed is exemplified. However, the communication program 64 already stored in the client terminal device 2 is stored. The processing circuit 32 may be executed in response to an operation instruction from the user.

In the above-described embodiment, as described with reference to FIGS. 6 to 9, the communication program 64 is designated by moving the application program icon into the program designation window 224 by dragging. You may specify by other methods.
For example, the communication program 64, for example, designates an application on the screen 221 shown in FIG. 6 and performs a mouse operation (for example, right click operation), and “designation of application” in the menu screen displayed thereby is displayed. Designation may be performed by designating the item. The designation may be performed by inputting information such as an application name and a path in the designation window.

  In the above-described embodiment, the encrypted communication path is established between the client terminal device 2 and the authentication server 20 immediately after the communication program 64 is activated. For example, the application program specified by the communication program 64 When is activated, an encrypted communication path may be established.

  In the above-described embodiment, the Web server 10, FTP server 12, mail server 14, shared file server 16, and authentication server 20 that are finally accessed from the client terminal device 2 are physically separated. Although the case has been exemplified, the authentication server 20 may include at least a part of functions such as the Web server 10, the FTP server 12, the mail server 14, and the shared file server 16.

  The present invention is applicable to a system that performs communication between a server and a client via a wide area network and a local area network.

DESCRIPTION OF SYMBOLS 1 ... Communication system 2 ... Client terminal device 22 ... Display 24 ... Operation part 26 ... Memory 28 ... Wide area network communication part 30 ... USB controller 32 ... Processing circuit 52 ... USB apparatus 9 ... Wide area network 10 ... Web server 12 ... FTP server 14 ... Mail server 16 ... Shared file server 18 ... Database 20 ... Authentication server 34 ... Operation part 36 ... Memory 38 ... Wide area network communication part 40 ... Local area network communication part 42 ... Processing circuit 62 ... Browser 72 ... Web program 74 ... Control program 224 ... Program designation screen 226 ... Setting screen

Claims (9)

A communication method executed by a computer that communicates via a wide area network,
A program starting step of starting a communication program for performing encrypted communication with a communication server connected to the wide area network;
A communication path establishment step in which the activated communication program establishes an encrypted communication path with the communication server in the wide area network;
A designation step of designating the communication program with an application having a function of performing communication via the wide area network;
When the designated application accesses a local server connected to the communication server via a local area network, the communication program communicates between the application and the local server via the encrypted communication path. A server notification step of transmitting and receiving data and notifying the communication server of the address of the local server on the local area network. The designation step includes
The application designation window is displayed in response to a user operation, and when an operation for moving an application icon on the screen into the application designation window is performed, the application is designated in the communication program. The communication method described. When the icon of the application displayed in the application specifying window is specified, a setting screen for setting the icon name and the permitted access range of the application is displayed, and information set using the setting screen is displayed. The communication method according to claim 2, wherein display of the icon and access control of an application are performed. A download step of downloading the communication program by accessing the communication server via the wide area network based on the data stored in the storage device when detecting that the storage device is attached to the computer; The communication method according to claim 1 or 2. An authentication step of authenticating the computer by accessing the communication server via the wide area network using a function of a browser operating on the computer;
The download step performs the download on the condition that the computer is authenticated in the authentication step,
The communication method according to claim 4, wherein the communication path establishment step establishes the encrypted communication path without using a function of the browser. The notification step notifies the communication server of access information such as an address of the local server before the application designated in the designated step starts access to the local server on the local area network. Item 6. The communication method according to any one of Items 1 to 5. A communication method that is performed by a communication server that communicates via a wide area network and that is connected to a local area network to which the local server is connected,
When receiving a download request via the wide area network, a download step of transmitting a communication program to the download requesting client computer;
A communication path establishment step for establishing an encrypted communication path with an application designated in the communication program in response to a request from the communication program via the wide area network;
When the designated application accesses a local server connected to the communication server via a local area network in the client computer, communication between the application and the local server via the encrypted communication path And a relay process for relaying data transmission / reception. A program executed by a computer that communicates via a wide area network,
A communication path establishment procedure for establishing an encrypted communication path with the communication server in the wide area network;
A designation procedure for designating an application having a function of communicating via the wide area network to the communication program;
When the designated application accesses a local server connected to the communication server via a local area network, the communication program communicates between the application and the local server via the encrypted communication path. A program for causing the computer to execute a server notification procedure for transmitting and receiving data and for notifying the communication server of the address of the local server on the local area network. A program executed by a communication server connected to a local area network to which communication is performed via a wide area network and a local server is connected,
A download procedure for receiving a download request via the wide area network and transmitting a communication program to the client computer of the download request;
A communication path establishment procedure for establishing an encrypted communication path with an application designated in the communication program in response to a request from the communication program via the wide area network;
When the designated application accesses a local server connected to the communication server via a local area network in the client computer, communication between the application and the local server via the encrypted communication path A program for causing the communication server to execute a relay procedure for relaying data transmission / reception.