JP2011211400A - Information system and program - Google Patents

Abstract

In a thin client system, when a connection of a terminal device to a thin client server device is disconnected, the server device immediately reconnects to the server device before the disconnection.
When a connection is made from a thin client terminal (TCa) 50a to a management server (MS) 20, the connection information (IP address) of the terminal 50a and the thin client server (TS) 30 are connected to the management server (MS) 20. Filter information including connection information (IP address) and band control information is generated, added to the filter information table already set in the FW 40, and reflected in the filtering process. At the same time, the generated filter information is transmitted to and stored in the terminal 50a and reflected in the filtering process at the terminal. When the connection between the terminal 50a and the thin client server 30 is cut off, the terminal 50a is immediately connected to the server 30 based on the connection information of the thin client server 30 included in the filter information generated and stored in the management server 20. Reconnect.
[Selection] Figure 1

Description

  The present invention relates to an information system such as a server / client system in which a terminal device is connected to a server device via a firewall device, and a control program therefor.

  When connecting a network network of a company or a data center to the Internet line, it is common practice to install a fire wall (hereinafter referred to as “FW”) in order to eliminate useless packets and illegal packets.

  At this time, a policy for controlling the packet is generated in order to perform filtering at the FW.

  In a system in which FW is installed and filtered between a server device and a client terminal device to be accessed, the IP address of the access-side terminal device is dynamically allocated by a DHCP (dynamic host configuration protocol) server.

  If the client terminal device is a mobile phone or the like and communication with the server device has been disconnected once, the IP address will start again after the release time of the originally assigned IP address has passed. Is dynamically changed.

  In this case, on the basis of the changed IP address, the client terminal device performs reconnection with the server device again in a predetermined procedure including the authentication processing of the terminal device, as in the first access, and the FW You will also have to redo the creation and configuration of policies for.

  A firewall dynamic control method that appropriately sets FW filter information for a mobile terminal that is dial-up connected to an Internet service provider (ISP) has been considered (see, for example, Patent Document 1).

  In this firewall dynamic control method, when a terminal device connected to the ISP by dial-up accesses the internal network in the FW via the Internet, user information on the terminal device is sent from the ISP to the internal network. Thus, the internal network determines whether or not the terminal device has moved from the internal network based on the user information. If the terminal device is a mobile terminal device, FW filter information is set so as to allow communication between the terminal device and the internal network.

  However, when the terminal device is not operated for a certain period of time or wireless communication is interrupted, and the connection between the terminal device and the server device is temporarily disconnected, the IP address of the terminal device is Since it is dynamically changed, it cannot be determined that the mobile terminal apparatus is the same, and appropriate filter information that permits communication between the terminal apparatus and the internal network cannot be set.

JP-A-10-070576

  In the conventional system, when the connection of the terminal device to the server device is disconnected, it is not possible to immediately reconnect to the server device before disconnection.

  The present invention has been made in view of such problems, and when a connection of a terminal device to a server device is disconnected, an information system that can immediately reconnect to the server device before disconnection and a control program therefor The purpose is to provide.

  The information system according to claim 1 is an information system including a server device to which a terminal device is connected via a firewall device, the server device authenticating the terminal device, and the terminal Filter information generating means for generating filter information including connection information of the specific connection destination for permitting access to the specific connection destination of the terminal device authenticated by the authentication means, and generated by the filter information generation means Filter information transmitting means for transmitting the received filter information to the firewall device and the authenticated terminal device, wherein the terminal device receives and stores the filter information transmitted from the server device; The specific connection destination connection means for connecting to the specific connection destination of the server device, and the specific connection destination connection means Specification for reconnecting to a specific connection destination according to connection information of the specific connection destination included in the filter information stored in the filter information storage unit when the connection is disconnected after connection with the specific connection destination And a connection destination reconnecting means.

  The information system according to claim 2 is the information system according to claim 1, wherein the server device includes a management server device and a thin client server device that is the specific connection destination. It has the said terminal authentication means, the said filter information generation means, and the said filter information transmission means, It is characterized by the above-mentioned.

  The information system according to a third aspect is the information system according to the second aspect, wherein the terminal device further includes the thin client server device as a result of reconnection with the thin client server device by the specific connection destination reconnection means. A management server reconnecting means is provided for reconnecting to the management server device when the connection is not possible because the connection information of the client server device has been changed.

  The program according to claim 4 is a program for controlling a computer of an information system provided with a server device to which a terminal device is connected via a firewall device, the computer of the server device being controlled by the terminal device. Terminal authentication means for authenticating, filter information generating means for generating filter information including connection information of the specific connection destination for permitting access to the specific connection destination of the terminal device authenticated by the terminal authentication means, Filter information transmitting means for transmitting the filter information generated by the filter information generating means to the firewall device and the authenticated terminal device, the computer of the terminal device receiving the filter information transmitted from the server device, and the memory Filter information storage means to be stored in the server device A specific connection destination connection means to be connected to the destination, and a specification included in the filter information stored by the filter information storage means when the connection is disconnected after connection with the specific connection destination by the specific connection destination connection means It is characterized by functioning as a specific connection destination reconnection means for reconnecting with the specific connection destination according to the connection information of the connection destination.

  ADVANTAGE OF THE INVENTION According to this invention, when the connection with respect to the server apparatus of a terminal device is cut | disconnected, the information system which can be reconnected to the server apparatus before a disconnection immediately, and its control program can be provided.

The block diagram which shows the structure of the thin client system which concerns on embodiment of the information system of this invention. The figure which shows ID registration data 20Da registered into ID authentication and terminal number registration DB20D in the internal network NL of the said thin client system. The figure which shows the terminal number and IP address registration data 20Db which were registered into ID authentication and terminal number registration DB20D in the internal network NL of the said thin client system. It is a figure which shows the specific example of the filter information set in each step of the said thin client system, The figure (A) is a figure which shows the filter information table [TFId] set by default in the FW apparatus 40, FIG. (B) is a diagram showing filter information [FIa] generated when the thin client terminal device (TCa) 50a accesses the management server device (MS) 20 and set in the terminal device (TCa) 50a. FIG. (C) is a diagram showing filter information [FIb] generated by the thin client terminal device (TCb) 50b accessing the management server device (MS) 20 and set in the terminal device (TCb) 50b. The figure (D) shows each policy generated by the thin client terminal devices (TCa) 50a and (TCb) 50b accessing the management server device (MS) 20. The figure which shows the filter information table [TFI] which adds a policy rule and is set to FW device 40. The block diagram which shows the circuit structure of the Web server apparatus (WS) 10 in the internal network NL of the said thin client system. The block diagram which shows the circuit structure of the management server apparatus (MS) 20 in the internal network NL of the said thin client system. The block diagram which shows the circuit structure of the thin client server apparatus (TS) 30 in the internal network NL of the said thin client system. FIG. 2 is a block diagram showing a circuit configuration of a firewall (FW) device 40 installed at an input / output terminal of an internal network NL in the thin client system. FIG. 3 is a block diagram showing a circuit configuration of thin client terminal devices (TCa) 50a, (TCb) 50b,... In an external network NW of the thin client system. 6 is a flowchart showing Web server processing by the Web server device (WS) 10 of the thin client system. The flowchart which shows the management server process by the management server apparatus (MS) 20 of the said thin client system. The flowchart which shows FW processing by the firewall apparatus (FW) 40 of the said thin client system. The flowchart which shows the terminal process by the thin client terminal device (TCa) 50a, (TCb) 50b, ... of the said thin client system. The flowchart which shows the thin client server process by the thin client server apparatus (TS) 30 of the said thin client system.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 is a block diagram showing a configuration of a thin client system according to an embodiment of an information system of the present invention.

  This thin client system includes an internal network NL such as an in-house LAN (Local Area Network) to which a Web server device (WS) 10, a management server device (MS) 20, and a thin client server device (TS) 30 are connected. A FW (firewall) device 40 interposed between an input / output terminal of the internal network NL and an external network NW composed of a wired or wireless WAN (Wide Area Network), a mobile phone that can be appropriately connected to the external network NW, and the like Are provided with thin client terminal devices (TCa) 50a, (TCb) 50n.

  The NL Web server device (WS) 10 of the internal network causes the terminal devices (TCa) 50a, (TCb) 50n, ... accessed from the external network NW to operate as thin client devices. It has a program server function (Wa) that downloads and installs (thin client control program PRt), and includes a download data memory (DL) 10P in which the installation program is stored.

  The user ID and password for authenticating the terminal devices (TCa) 50a, (TCb) 50n,... Accessible to the Web server device (WS) 10 are the Web server device (WS) 10 and the management server device (MS). 20 is registered in a shared ID authentication / terminal number registration DB (Data base) 20D.

  The management server device (MS) 20 includes the terminal number, IP address, and bandwidth control information (QOS) of the terminal device (TC) 50 that has been accessed according to the thin client control program PRt installed from the Web server device (WS) 10. : quality of service) and filter information [FI] that permits packet passage between the corresponding terminal device (TC) 50 and the thin client server device (TS) 30 (see FIGS. 3B and 3C) ) Policy rule generation function (Ma), and a filter information table [TFI] (see FIG. 3D) to which the filter information [FI] of the generated policy rule is added is transmitted to the FW device 40 and reflected. (Mb) and the connection information (IP address) and bandwidth control information (QOS) of the thin client server device (TS) 30 included in the filter information [FI]. Alternatively or transmitted to function to store the filter information [FI] as the access source terminal device to the (TC) 50 having (Mc).

  The terminal numbers, IP addresses, and bandwidth control information (QOS) of the terminal devices (TCa) 50a, (TCb) 50n... Acquired by the management server device (MS) 20 are the terminal devices (TCa) 50a, (TCb). ) Are registered in the ID authentication / terminal number registration DB 20D shared with the Web server apparatus (WS) 10 in association with the user ID of 50n.

  FIG. 2A is a diagram showing ID registration data 20Da registered in the ID authentication / terminal number registration DB 20D in the internal network NL of the thin client system.

  FIG. 2B is a diagram showing the terminal number and IP address registration data 20Db registered in the ID authentication / terminal number registration DB 20D in the internal network NL of the thin client system.

  The terminal devices (TCa) 50a, (TCb) 50b,... Have a function (Ta) for installing the thin client control program PRt downloaded by accessing the Web server device (WS) 10, and installed thin client control. The management server device (MS) 20 is accessed according to the program PRt, and the connection information (IP address) and bandwidth control information (thinner information) of the thin client server device (TS) 30 included in the generated filter information [FIa] [FIb]. QOS) individually or the same filter information [FIa] [FIb]... Is received and stored as it is and connected to the thin client server device (TS) 30 (Tb), connection with the thin client server device (TS) 30 Thin client while filtering based on the stored filter information [FIa] [FIb] ... Function (Tc), the thin client server device (TS) 30 when it is unnecessarily disconnected from the thin client server device (TS) 30 according to the stored connection information (IP address) of the server device (TS) 30 immediately When the IP address of the terminal device (TC) 50 itself is changed in accordance with the reconnection process with the thin client server device (TS) 30, the installed thin client control It has a function (Te) for reconnecting to the management server device (MS) 20 according to the program PRt.

  The FW device 40 performs a filtering process according to a default setting or a filter information table [TFId] (see FIG. 3A) or [TFI] (see FIG. 3D) set by the management server device (MS) 20. Function (Fa), and a function (Fb) for transmitting current filter information [TFId] or [TFI] in response to a request from the management server device (MS) 20.

  The thin client server device (TS) 30 executes predetermined application processes according to user input events with the connected thin client terminal devices (TCa) 50a, (TCb) 50b,. It has a function (Sa) for executing thin client server processing.

  In the thin client server device (TS) 30, drawing is generated on the client virtual frame buffer 37 (see FIG. 6) in accordance with the execution of the application program corresponding to the input event signal from the thin client terminal device (TC) 50. The display screen drawing data G is transferred to the thin client terminal device (TC) 50 that is the access source.

  In the thin client terminal device (TC) 50, the drawing data G of the display screen transferred from the thin client server device 30 is developed in the frame buffer 55 (see FIG. 8) and displayed on the display screen of the display device 56. The

  That is, the thin client terminal device (TC) 50 (see FIG. 8) in this thin client system is connected to an input function according to a user operation such as a keyboard and a mouse, an output function to an LCD display unit, etc., and a LAN. A wired or wireless short-range communication function, and a wireless communication function for connecting to a public line network NW such as a cellular phone network as main functions, and at least the thin client server device (TS) 30 has Does not have various application functions or data file management functions.

  FIG. 3 is a diagram showing a specific example of filter information set at each stage of the thin client system. FIG. 3A shows a filter information table [TFId] set as default in the FW device 40. FIG. 5B shows filter information [FIa] generated by the thin client terminal device (TCa) 50a accessing the management server device (MS) 20 and set in the terminal device (TCa) 50a. FIG. 6C shows filter information [FIb] generated by the thin client terminal device (TCb) 50b accessing the management server device (MS) 20 and set in the terminal device (TCb) 50b. The figure shown in the figure, (D) is generated when each of the thin client terminal devices (TCa) 50a and (TCb) 50b accesses the management server device (MS) 20. It is a figure which shows the filter information table [TFI] which is added to each policy rule and is set to the FW device 40.

  In the thin client system of the present embodiment, the filter information table [TFId] set as default in the FW device 40 is the same as the Web server device (WS) 10 of the internal network NL, as shown in FIG. Permits the passage of packets from all transmission sources having the management server device (MS) 20 as a transmission destination, and prohibits the passage of packets from all transmission sources having the thin client server device (TS) 30 as a transmission destination. Policy rules are described.

  Further, filter information [FIa] generated by the thin client terminal device (TCa) 50a accessing the management server device (MS) 20 and set in the terminal device (TCa) 50a is shown in FIG. As shown, a policy rule for permitting the passage of packets having the terminal device (TCa) 50a as a transmission source and the thin client server device (TS) 30 as a transmission destination and setting bandwidth control [qos] is described. .

  Further, filter information [FIb] generated when the thin client terminal device (TCb) 50b accesses the management server device (MS) 20 and set in the terminal device (TCb) 50b is shown in FIG. As shown, a policy rule that permits the passage of a packet having the terminal device (TCb) 50b as a transmission source and the thin client server device (TS) 30 as a transmission destination is described.

  A filter information table set in the FW device 40 by adding each policy rule generated by the thin client terminal devices (TCa) 50a and (TCb) 50b accessing the management server device (MS) 20 As [TFI], as shown in FIG. 3D, in addition to the default policy rule (see FIG. 3A), the thin client server device (TS) 30 and each thin client terminal device ( A policy rule for permitting packet passage between the TCa) 50a and (TCb) 50b and setting bandwidth control [qos] with the thin client terminal device (TCa) 50a is added.

  FIG. 4 is a block diagram showing a circuit configuration of the Web server device (WS) 10 in the internal network NL of the thin client system.

  The Web server device (WS) 10 includes a CPU 11 as a computer, and an HDD 13, a memory 14, and a network control unit 15 are connected to the CPU 11 via a bus 12.

  In accordance with the Web server control program PRw stored in the HDD 13, the CPU 11 performs operations of each part of the circuit using the memory 14, the download data memory (DL) 10P, and the ID authentication / terminal number registration DB (Data base) 20D as work areas. Control and operate software and hardware in cooperation. The Web server control program PRw is activated and executed in response to access signals from the thin client terminal devices (TCa) 50a, (TCb) 50b,... Received via the network control unit 15.

  Thereby, the Web server device (WS) 10 has at least the function (Wa) of the program server described above.

  All or part of the Web server control program PRw may be stored in the HDD 13 in advance, or may be read from a portable external storage medium such as a memory card, CD, or DVD and stored in the HDD 13. Alternatively, it may be downloaded from an external Web server (program server) via the communication networks NW and NL and stored in the HDD 13.

  FIG. 5 is a block diagram showing a circuit configuration of the management server device (MS) 20 in the internal network NL of the thin client system.

  The management server device (MS) 20 includes a CPU 21 as a computer, and an HDD 23, a memory 24, and a network control unit 25 are connected to the CPU 21 via a bus 22.

  In accordance with the management server control program PRm stored in the HDD 23, the CPU 21 controls the operation of each part of the circuit using the memory 24 and the ID authentication / terminal number registration DB (Data base) 20D as a work area. Operate together. The management server control program PRm is activated and executed in response to access signals from the thin client terminal devices (TCa) 50a, (TCb) 50b,... Received via the network control unit 25.

  As a result, the management server device (MS) 20 has at least the three functions (Ma), (Mb), and (Mc) described above.

  All or part of the management server control program PRm may be stored in the HDD 23 in advance, or may be read from a portable external storage medium such as a memory card, CD, or DVD and stored in the HDD 23. Alternatively, it may be downloaded from an external Web server (program server) via the communication networks NW and NL and stored in the HDD 23.

  FIG. 6 is a block diagram showing a circuit configuration of the thin client server device (TS) 30 in the internal network NL of the thin client system.

  The thin client server device (TS) 30 includes a CPU 31 as a computer. The CPU 31 includes an HDD 33, a memory 34, a network control unit 35, a connection information DB (Data base) 36, a virtual frame buffer via a bus 32. 37 is connected.

  The CPU 31 controls the operation of each part of the circuit using the memory 34 as a work area in accordance with the thin client server control program PRs such as the system program and various application programs stored in the HDD 33, and cooperates the software and hardware. Make it work. The thin client server control program PRs is activated and executed in response to an input event signal corresponding to a user operation from the thin client terminal devices (TCa) 50a, (TCb) 50b,... Received via the network control unit 35. The

  Accordingly, the thin client server device (TS) 30 has at least a function (Sa) for executing the predetermined thin client server process described above.

  The thin client server control program PRs may be stored in whole or in part in the HDD 33, or may be read from a portable external storage medium such as a memory card, CD, or DVD and stored in the HDD 33. Alternatively, it may be downloaded from an external Web server (program server) via the communication networks NW and NL and stored in the HDD 33.

  The thin client server device (TS) 30 is generated using the memory 34 in accordance with an application program that is activated and executed in response to input event signals from the thin client terminal devices (TCa) 50a, (TCb) 50b,. The various data are stored in the HDD 33 in association with the user ID, for example. The drawing data G for the client display screen is generated using the virtual frame buffer 37, and then compressed, and is sent from the network control unit 35 to the event input source thin client terminal device (TCa) 50a, (TCb). 50b,... Are transferred and displayed.

  In the connection information DB 36 of the thin client server device (TS) 30, connection information (client name) of the thin client terminal devices (TCa) 50a, (TCb) 50b,. / IP address / screen resolution) is stored in association with the user ID or the like.

  FIG. 7 is a block diagram showing a circuit configuration of a firewall (FW) device 40 installed at the input / output end of the internal network NL in the thin client system.

  The FW device 40 includes a CPU 41 as a computer, and a memory 43, a network control unit 44, and a policy rule DB (Data base) 45 are connected to the CPU 41 via a bus 42.

  In accordance with the firewall control program PRf stored in the memory 43, the CPU 41 controls the operation of each part of the circuit using the memory 43 as a work area, and operates the software and hardware in cooperation. The firewall control program PRf receives access signals from the thin client terminal devices (TCa) 50a, (TCb) 50b,... Received via the network control unit 44, the Web server device (WS) 10, and the management server device ( MS) 20 and thin client server apparatus (TS) 30 are activated and executed in response to each response signal.

  Thereby, the FW device 40 has at least the two functions (Fa) and (Fb) described above.

  All or part of the firewall control program PRf may be stored in the memory 43 in advance, or may be read from a portable external storage medium such as a memory card, CD, or DVD and stored in the memory 43. Alternatively, it may be downloaded from an external Web server (program server) via the communication networks NW and NL and stored in the memory 43.

  In the policy rule DB 45 of the FW device 40, the default filter information table [TFId] (see FIG. 3A) or the thin client terminal devices (TCa) 50a and (TCb) 50b are stored in the management server device (MS ) The filter information table [TFI] (see FIG. 3D) generated by accessing 20 is stored.

  FIG. 8 is a block diagram showing a circuit configuration of the thin client terminal devices (TCa) 50a, (TCb) 50b,... In the external network NW of the thin client system.

  Here, the thin client terminal device (TC) 50 will be described.

  The thin client terminal device (TC) 50 includes a CPU 51 as a computer, and a memory 53 and a frame buffer 55 are connected to the CPU 51 via a bus 52. The display screen drawing data G written in the frame buffer 55 is output to the display device 56 and displayed.

  Further, an input device (I / O) 54 such as a key and a pointer is connected to the CPU 51 via a bus 52, and further, a network control unit 57 for short-distance communication with other information devices, a mobile phone line, and the like. A transmission / reception unit 58 for accessing the external network NW and its antenna 59 are connected.

  In accordance with the thin client control program PRt stored in the memory 53, the CPU 51 controls the operation of each part of the circuit using the memory 53 as a work area, and operates the software and hardware in cooperation. The thin client control program PRt is a key input signal or pointer input signal from the input device (I / O) 54, the Web server transferred through the FW device 40 received via the network control unit 57 or the transmission / reception unit 58. It is activated and executed in response to each response signal from the device (WS) 10 or the management server device (MS) 20, an application response signal from the thin client server device (TS) 30, display screen drawing data G, and the like.

  Accordingly, the thin client terminal device (TC) 50 has at least the five functions (Ta) (Tb) (Tc) (Td) (Te) described above.

  The thin client control program PRt may be stored in whole or in part in the memory 53, or read from a portable external storage medium such as a memory card, CD, or DVD and stored in the memory 53. Alternatively, it may be downloaded from an external Web server (program server) 10 via the communication network NW and stored in the memory 53.

  In the thin client terminal device (TC) 50, various data generated by executing the application program in the thin client server device (TS) 30 is appropriately read and stored in the memory 53, and generated and transferred. The drawing data G on the display screen is decompressed and written in the frame buffer 55 and displayed on the display device 56.

  The memory 53 of the thin client terminal device (TC) 50 stores the connection information (IP address) of the thin client server device (TS) 30 generated by accessing the management server device (MS) 20. The included filter information [FI] (see FIGS. 3B and 3C) is stored.

  Accordingly, when the connection of the thin client terminal device (TC) 50 to the thin client server device (TS) 30 is disconnected, it is possible to immediately reconnect to the server device (TS) 30 before the disconnection.

  Next, the operation of the thin client system configured as described above will be described.

  First, in the FW device 40, as shown in FIG. 3A, the default filter information table [TFId] is stored in the policy rule DB 45 and managed with the Web server device (WS) 10 of the internal network NL. Filtering that permits the passage of packets from all transmission sources that have the server device (MS) 20 as a transmission destination and prohibits the passage of packets from all transmission sources that have the thin client server device (TS) 30 as a transmission destination Processing is executed.

  FIG. 9 is a flowchart showing Web server processing by the Web server device (WS) 10 of the thin client system.

  The Web server device (WS) 10 receives an authentication request signal from the thin client terminal device (TCa) 50a (step W1 (Yes)), and then receives a user ID and password from the terminal device (TCa) 50a. Then (step W2), an authentication process is executed based on the ID registration data 20Da (see FIG. 2A) registered in the ID authentication / terminal number registration DB 20D (step W3).

  Here, the authentication request source thin client terminal device (TCa) 50a is determined to be “authentication OK” (step W3 (Yes)), and thereafter, a request for downloading an application program is received from the terminal device (TCa) 50a. Then (step W4 (Yes)), an application program for functioning as a thin client device stored in the download data memory (DL) 10P is read, and the download request source terminal device (TCa) 50a is read. It is transmitted (step W5).

  When a normal response signal for program download is received from the terminal device (TCa) 50a that has transmitted this application program and it is determined that the transmission has been completed (step W6 (Yes)), for example, another terminal device (TCb) 50b,. In accordance with the determination that there is no access, it is determined that the process is terminated (step W7 (Yes)), and the disconnection process with the terminal device (TCa) 50a is executed (step W8).

  FIG. 10 is a flowchart showing management server processing by the management server device (MS) 20 of the thin client system.

  When the management server device (MS) 20 determines that a connection request signal has been received from the thin client terminal device (TCa) 50a (step M1 (Yes)), the connection request source terminal device (TCa) 50a On the other hand, a signal requesting notification of terminal information including the terminal number and the IP address is transmitted (step M2).

  When it is determined that the reception of the terminal information transmitted from the thin client terminal device (TCa) 50a is completed in response to the terminal information notification request signal (step M3 (Yes)), the FW device 40 is informed. Then, an acquisition request for the filter information table [TFI] currently stored in the policy rule DB 45 is transmitted (step M4).

  In response to the filter information acquisition request, when the filter information table (for example, [TFId] (see FIG. 3A)) transmitted from the FW device 40 is received and it is determined that the acquisition is completed (step M5 ( Yes)), the terminal number received from the connection request source terminal device (TCa) 50a in step M3 is the terminal number registered in the ID authentication / terminal number registration DB 20D, IP address registration data 20Db (FIG. 2B). It is determined whether or not it has already been registered (see step M6).

  If it is determined that the terminal number of the thin client terminal device (TCa) 50a is not registered in the terminal number and IP address registration data 20Db (step M6 (No)), the terminal device ( (TCa) 50a terminal number and IP address are newly registered (step M7).

  Further, it is determined whether or not the terminal information received from the terminal device (TCa) 50a includes band control information (QOS) (step M8).

  If it is determined that the bandwidth control information (QOS) is included (step M8 (Yes)), the terminal device (TCa) newly registered in the terminal number and IP address registration data 20Db (see FIG. 2B). In association with the terminal number and IP address of 50a, the bandwidth control information is set and registered as “present” (step M9).

  Then, in accordance with the IP address of the thin client terminal device (TCa) 50a newly registered in the terminal number and IP address registration data 20Db and the bandwidth control information “present”, the thin client server device of the terminal device (TCa) 50a Filter information [FIa] (see FIG. 3B) describing a policy rule permitting packet passage to (TS) 30 is generated, and the current filter information table obtained from the FW device 40 in step M5 [ TFId] (see FIG. 3A) (step M10).

  Then, the filter information table [TFI] to which the policy rule of the thin client terminal device (TCa) 50a is added is transmitted to the FW device 40 and is reflected in the setting of filtering (step M11).

  Here, when a reflection setting reflection completion signal is received from the FW device 40 (step M12 (Yes)), the filter information [FIa] generated based on the terminal information of the thin client terminal device (TCa) 50a ( The connection information (IP address) and bandwidth control information (QOS) of the thin client server device (TS) 30 included in FIG. 3B) or the filter information [FIa] itself is the thin client terminal. It is transmitted to and stored in the device (TCa) 50a, and is reflected in the filtering settings of the terminal body (step M13).

  When transmission of the connection information (IP address) and bandwidth control information (QOS) of the thin client server device (TS) 30 included in the filter information [FIa] or the filter information [FIa] is completed (step M14 (Yes )), For example, according to the determination that there is no access to another terminal device (TCb) 50b,... (Step M15 (Yes)), and the end processing is executed (step M19).

  In the management server device (MS) 20, when there is a new connection request from the thin client terminal device (TCb) 50b, the processes of steps M1 to M13 are executed as described above.

  In this case, in step M10, the terminal device according to the terminal number and the IP address of the thin client terminal device (TCb) 50b newly registered in the IP address registration data 20Db (see FIG. 2B) and the bandwidth control information “none”. (TCb) Filter information [Fib] (see FIG. 3C) describing policy rules permitting packet passage to the thin client server device (TS) 30 of 50b is generated, and the FW device 40 in step M5. It is further added to the acquired current filter information table (filter information table [TFI] to which the policy rule of the thin client terminal device (TCa) 50a described above is added).

  Then, in step M11, the filter information table [TFI] (see FIG. 3D), to which the policy rule of the thin client terminal device (TCb) 50b is further added, is transmitted to the FW device 40 and reflected in the filtering setting. Is done.

  In step M13, connection information of the thin client server device (TS) 30 included in the filter information [FIb] (see FIG. 3C) generated based on the terminal information of the thin client terminal device (TCb) 50b. (IP address) and bandwidth control information (QOS) individually or the filter information [FIb] itself is transmitted to and stored in the thin client terminal device (TCb) 50b and reflected in the filtering settings of the terminal body. The

  That is, at this stage, the filter information [FIa] shown in FIG. 3B is set in the thin client terminal device (TCa) 50a, and the thin client terminal device (TCb) 50b is set in FIG. ) Is set, and the FW device 40 is set to the filter information [TFI] shown in FIG. 3D.

  Then, the thin client terminal devices (TCa) 50a and (TCb) 50b can be connected to the thin client server device (TS) 30.

  Thereafter, for example, a connection between the thin client terminal device (TCa) 50a and the thin client server device (TS) 30 is established, and the server device (in accordance with the user event from the terminal device (TCa) 50a) In a state where the application program is executed by the TS) 30, the connection with the server device (TS) 30 is disconnected due to deterioration of the communication environment accompanying the movement of the terminal device (TCa) 50a. When there is a reconnection request from the terminal device (TCa) 50a whose IP address has been dynamically changed by DHCP to the management server device (MS) 20 (step M1 (Yes)), the terminal device (TCa) It is determined that the terminal number received from 50a is already registered in the terminal number and IP address registration data 20Db (see FIG. 2B) in the ID authentication / terminal number registration DB 20D (steps M2 to M6 ( Yes)).

  Here, the terminal number and the IP address corresponding to the terminal number of the terminal device (TCa) 50a registered in the IP address registration data 20Db and the current reconnection request from the terminal device (TCa) 50a. If it is determined that the received IP address is inconsistent and changed (steps M16 and M17 (Yes)), the registered IP address is changed to the currently received IP address, and the FW is received in step M4. The IP address of the corresponding terminal device (TCa) 50a in the filter information table [TFI] (see FIG. 3D) acquired this time from the device 40 is also changed to the IP address received this time (step M18).

  Then, the filter information table [TFI] in which the IP address of the reconnected thin client terminal device (TCa) 50a is changed is transmitted to the FW device 40 and reflected in the setting of filtering (steps M11 and M12).

  Further, the connection information (IP address) and bandwidth control information (QOS) of the thin client server device (TS) 30 included in the changed filter information [FIa] of the reconnected thin client terminal device (TCa) 50a The changed filter information [FIa] itself or individually is transmitted to and stored in the thin client terminal device (TCa) 50a and reflected in the filtering settings of the terminal body (step M13).

  FIG. 11 is a flowchart showing FW processing by the firewall device (FW) 40 of the thin client system.

  In the FW device 40, according to a preset initial routing process, a filter information table [TFId that permits passage of packets destined for the Web server device (WS) 10 and the management server device (MS) 20 on the internal network NL. ] (See FIG. 3A) is defaulted in the policy rule DB 45 and is judged normal (steps F1, F2 (Yes)), filtering according to the default-set filter information table [TFId] Processing is executed (step F3).

  Here, it is determined whether or not there is a notification regarding the filter information from the management server device (MS) 20 (step F4). When it is determined that there is a notification (step F4 (Yes)), a transmission request for the filter information is made. It is determined whether notification has been made or filter information has been received (step F5).

  When it is determined that a filter information transmission request has been notified from the management server device (MS) 20 (step F5 (Yes)), the filter information table (initially [TFId]) set in the policy rule DB 45 (See FIG. 3A)) is transmitted to the transmission request source management server device (MS) 20 (steps F6 and F7).

  On the other hand, if it is determined that the filter information table [TFI] (see FIG. 3D) is received from the management server device (MS) 20 (step F5 (No)), the reception process is executed (step S5). F8, F9), the received filter information table [TFI] is set in the policy rule DB 45 (step F10).

  Then, the policy rule of the filter information table [TFI] newly set in the policy rule DB 45 is reflected in the subsequent filtering processing (Steps F11, F12 (Yes)) and reflected in the management server device (MS) 20 A completion notification signal is transmitted (steps F13 and F14).

  In this way, each time the thin client terminal device (TCa) 50a, (TCb) 50b... Accesses the management server device (MS) 20, the filter information table generated and updated by the management server device (MS) 20 each time. [TFI] is sequentially acquired by the FW device 40 and reflected in the filtering process.

  Thereafter, when it is determined that an end operation has been performed (step F15 (Yes)), an end process is executed (step F16).

  FIG. 12 is a flowchart showing terminal processing by the thin client terminal devices (TCa) 50a, (TCb) 50b,... Of the thin client system.

  Here, the thin client terminal device (TCa) 50a will be described.

  When the thin client terminal device (TCa) 50a accesses the Web server device (WS) 10 on the internal network NL (step T1) and receives an ID authentication request from the Web server device (WS) 10 ( In step T2 (Yes), the user ID and password of the terminal device (TCa) 50a are transmitted to the Web server device (WS) 10 (step T3).

  Thereafter, when an “authentication OK” signal is received from the Web server device (WS) 10 (step T4 (Yes)), an application program for functioning as a thin client terminal is not installed in the memory 53. It is determined whether or not it is in a state (step T5).

  Here, if it is determined that an application program for functioning as the thin client terminal is not installed (not installed) (step T5 (Yes)), a signal requesting downloading of the application program is sent to the Web server device. (WS) 10 is transmitted (step T6).

  In response to the application program download request to the Web server device (WS) 10, an application program for functioning as the thin client terminal is downloaded from the Web server device (WS) 10 (step T7), and the program is normally executed. If it is determined that it has been installed (step T8 (Yes)), the installed application program is activated and a connection request signal is transmitted to the management server device (MS) 20 (step T9).

  When it is determined that a request signal for terminal information has been received from the management server device (MS) 20 (step T10 (Yes)), the terminal number and IP address of the terminal device (TCa) 50a are stored in the management server device. (MS) 20 (step T11).

  When the terminal device (TCa) 50a has bandwidth control (QOS) (step T12 (Yes)), a signal for turning on the bandwidth control (QOS) is sent to the management server device (MS) 20. It is transmitted (step T13).

  Then, the connection information (IP address) of the thin client server device (TS) 30 transmitted from the management server device (MS) 20 is in a standby state (step T14).

  Here, the thin client server device (TS) included in the filter information [FIa] (see FIG. 3B) generated from the management server device (MS) 20 based on the terminal information of the terminal device (TCa) 50a. ) When 30 connection information (IP address) and bandwidth control information (QOS) are received individually or when the filter information [FIa] itself is received (step T14 (Yes), T15), it is stored in the memory 53, This is reflected in the filtering settings of the terminal body (step T16).

  Then, according to the connection information (IP address) of the thin client server device (TS) 30 received from the management server device (MS) 20, a connection process with the thin client server device (TS) 30 is executed (step T17). ).

  When it is determined that the connection with the thin client server device (TS) 30 is completed (step T18 (Yes)), the filter information generated and received by the management server device (MS) 20 and stored in the memory 53 is stored. A filtering process is executed according to [FIa] (see FIG. 3B) (step T19), an input event signal transmission process according to a user operation, and a display screen drawing data G reception / display process in response thereto A predetermined thin client process is executed (step T20).

  Thus, in a predetermined thin client process execution state involving a filtering process according to the filter information [FIa] generated and received by the management server apparatus (MS) 20 (see FIG. 3B), a user operation is performed for a certain period of time. If it is determined that the connection with the thin client server device (TS) 30 has been disconnected due to the absence of the wireless communication state with the external network NW or the like (step T21 (Yes)), the user operation In response to this, it is determined whether it is determined that the “reconnect button” has been turned “ON” or whether an automatic connection command after a certain time has been output (step T22).

  Here, if it is determined that the “reconnect button” is turned “ON” in response to a user operation, or if it is determined that an automatic connection command after a predetermined time has been output (step T22 (Yes)), Connection information (IP) of the thin client server device (TS) 30 included in the filter information [FIa] (see FIG. 3B) set in the memory 53 of the terminal device (TCa) 50a according to the processing of steps T14 to T16. Based on the address, reconnection processing to the thin client server device (TS) 30 is executed (step T23).

  When the IP address of the terminal device (TCa) 50a is not yet changed by DHCP and reconnection to the thin client server device (TS) 30 is successful (step T24 (No)), the steps T19 to T19- The predetermined thin client process with the filtering process according to T21 is resumed.

  Thereby, even if the connection with the thin client server device (TS) 30 is unexpectedly disconnected, the thin client terminal device (TCa) 50a generates and sets the filter information generated by the management server device (MS) 20 In accordance with the connection information (IP address) of the thin client server device (TS) 30 included in [FIa] (see FIG. 3B), immediately reconnect to the thin client server device (TS) 30 to obtain a predetermined Thin client processing can be resumed.

  On the other hand, when the reconnection processing to the thin client server device (TS) 30 in step T23 is performed after the IP address of the terminal device (TCa) 50a is changed by DHCP, it is determined that reconnection is impossible (step T24 (Yes)), reconnection to the management server device (MS) 20 is executed (step T25).

  In this case, the terminal information (terminal number, IP address, bandwidth control information) of the terminal device (TCa) 50a is transmitted to the management server device (MS) 20, and the filter information table [TFI] is generated again. In addition, the terminal device (TCa) 50a acquires the information and reflects it on the filtering setting. The processing is re-executed (steps T10 to T16 (steps M1 to M13 in the management server device (MS) 20)).

  In step T22, an end operation is performed without determining that the “reconnect button” has been turned “ON” or that an automatic connection command has been output in accordance with a user operation (step T22 (No)). If it is determined that the process has been performed (step T26 (Yes)), the disconnection process is executed and the series of terminal processes are terminated (step T27).

  FIG. 13 is a flowchart showing a thin client server process by the thin client server device (TS) 30 of the thin client system.

  If it is determined in the thin client server device (TS) 30 that there is a connection from the thin client terminal device (TCa) 50a (step S1 (Yes)), predetermined thin client server processing is executed (step S2). That is, application processing corresponding to an input event signal from the connected thin client terminal device (TCa) 50a is executed, and display screen drawing data G generated thereby is transmitted to the terminal device (TCa) 50a and displayed. Is done.

  When an end signal is received from the thin client terminal device (TCa) 50a (step S3 (Yes)), a disconnection process is executed and the series of thin client server processes are ended (step S4).

  Therefore, according to the thin client system having the above configuration, when the thin client terminal device (TCa) 50a is connected to the management server device (MS) 20, the management server device (MS) 20 uses the terminal device (TCa). Filter information [FIa] including connection information (IP address) 50a, connection information (IP address) of the thin client server device (TS) 30 and bandwidth control information (QOS) is generated and already set in the FW device 40. Is added to the filter information table [TFId] and reflected in the filtering process. At the same time, the generated filter information [FIa] is transmitted to and stored in the terminal device (TCa) 50a and is reflected in the filtering process in the terminal device. When the connection between the thin client terminal device (TCa) 50a and the thin client server device (TS) 30 is disconnected, the terminal device (TCa) 50a is generated and stored in the management server device (MS) 20. Based on the connection information (IP address) of the thin client server device (TS) 30 included in the filter information [FIa], the server device (TS) 30 is immediately reconnected.

  For this reason, when the connection of the thin client terminal device (TCa) 50a to the thin client server device (TS) 30 is disconnected, it is possible to immediately reconnect to the server device (TS) 30 before the disconnection.

  In the above-described embodiment, the Web server device (WS) 10, the management server device (MS) 20, and the thin client server device (TS) 30 are provided separately, but these are configured as a single server device. The three server functions (WS; MS; TS) may be realized by software in this single server device.

  Of course, a configuration may be adopted in which a plurality of thin client server devices (TS) 30 are installed to achieve load distribution. In this case, when the management server device (MS) 20 generates the filter information [FI], the connection information of the thin client server devices (TS) 30.

  Note that the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention at the stage of implementation. Further, each of the embodiments includes inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent elements. For example, even if some constituent elements are deleted from all the constituent elements shown in each embodiment or some constituent elements are combined in different forms, the problems described in the column of the problem to be solved by the invention If the effects described in the column “Effects of the Invention” can be obtained, a configuration in which these constituent requirements are deleted or combined can be extracted as an invention.

NL ... Internal network NW ... External network 10 ... Web server device (WS)
PRw ... Web server control program 10P ... Download data memory (DL)
20 ... Management server device (MS)
PRm: Management server control program 20D: ID authentication / terminal number registration DB
20 Da: ID registration data 20 Db: terminal number, IP address registration data 30: Thin client server device (TS)
PRs ... Thin client server control program 36 ... Connection information DB
37 ... Virtual frame buffer 40 ... Firewall device (FW)
PRf ... Firewall control program 45 ... Policy rule DB
50a, 50b ... Thin client terminal devices (TCa, TCb)
PRt ... Thin client terminal control program 54 ... Input device 55 ... Frame buffer 56 ... Display device G ... Display screen drawing data
TFId ... Filter information table (default setting)
FIa: Filter information of thin client terminal (TCa)
Fib ... Thin client terminal device (TCb) filter information
TFI: Filter information table generated by the management server device (MS)

Claims (4)

An information system including a server device to which a terminal device is connected via a firewall device,
The server device
Terminal authentication means for authenticating the terminal device;
Filter information generating means for generating filter information including connection information of the specific connection destination for permitting access to the specific connection destination of the terminal device authenticated by the terminal authentication means;
Filter information transmitting means for transmitting the filter information generated by the filter information generating means to the firewall device and the authenticated terminal device,
The terminal device
Filter information storage means for receiving and storing filter information transmitted from the server device;
Specific connection destination connection means for connecting to a specific connection destination of the server device;
After the connection with the specific connection destination by the specific connection destination connection means, when the connection is disconnected, the specific connection destination according to the connection information of the specific connection destination included in the filter information stored by the filter information storage means A specific connection destination reconnection means for reconnecting to the connection destination;
An information system characterized by that. The server device comprises a management server device and a thin client server device that is the specific connection destination,
The management server device includes the terminal authentication unit, the filter information generation unit, and the filter information transmission unit.
The information system according to claim 1. The terminal device further includes:
When the connection with the thin client server device is changed as a result of reconnection with the thin client server device by the specific connection destination reconnecting means, reconnection to the management server device is made. Provided with a management server reconnection means
The information system according to claim 2. A program for controlling a computer of an information system provided with a server device to which a terminal device is connected via a firewall device,
A computer of the server device;
Terminal authentication means for authenticating the terminal device;
Filter information generating means for generating filter information including connection information of the specific connection destination for permitting access to the specific connection destination of the terminal device authenticated by the terminal authentication means;
Filter information transmitting means for transmitting the filter information generated by the filter information generating means to the firewall device and the authenticated terminal device;
A computer of the terminal device;
Filter information storage means for receiving the filter information transmitted from the server device and storing it in a memory;
Specific connection destination connection means for connecting to a specific connection destination of the server device;
After the connection with the specific connection destination by the specific connection destination connection means, when the connection is disconnected, the specific connection destination according to the connection information of the specific connection destination included in the filter information stored by the filter information storage means Specific connection destination reconnection means to reconnect to the connection destination,
Program to function as.

Images