
WO2007036160A1 - An apparatus, system and method for realizing communication between the client and the server - Google Patents


Info

Publication number: WO2007036160A1
Authority: WO, WIPO (PCT)
Application number: PCT/CN2006/002574
Other languages: French (fr), Chinese (zh)
Inventors: Tao Jiang, Weihua Chen
Original assignee: Tencent Technology (Shenzhen) Company Limited
Application filed by: Tencent Technology (Shenzhen) Company Limited
Related priority application: BRPI0616627A2
Prior art keywords: port, server, transit, component, address

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H04L61/256 NAT traversal

Definitions

  • the present invention relates to network information interaction technologies, and in particular to an apparatus, system and method for implementing communication between a client and a server.
  • Background of the invention
  • the forwarding devices mainly refer to Network Address Translation (NAT) devices, proxy servers and firewalls.
  • the target server dynamically allocates a communication port with the client main application component
  • the target server and the client main application component dynamically negotiate the communication ports of the two parties
  • TCP or UDP communication ports between the target server and the client main application component are required during a complete communication process
  • the communication protocols used are relatively complex.
  • the communication protocols commonly used in these applications are H.323, Session Initiation Protocol (SIP), Media Gateway Control Protocol (MGCP), or complex protocols such as H.248/MeGaCo (Media Gateway Control Protocol); such complex protocols are generally not supported on forwarding devices, and thus may hinder end-to-end communication between the main application component and the target server.
  • the interaction method of some complex communication protocols (such as the H.323 protocol) is as follows: the packet sent by the client main application component to the target server carries the source IP address and port not only in the packet header (source/destination IP address and port) but also in the data part of the packet. After receiving the packet, the target server parses the source IP address and port from the data part of the packet and returns a response packet to the parsed IP address and port.
  • This interaction method requires the client main application component to be directly connected to the target server to communicate normally;
  • the network environment in which the application is located is diversified, and the network settings are not allowed or difficult to change;
  • the target server is relatively fixed and is directly on the Internet
  • the forwarding device introduced between the private network and the Internet is a firewall, and the firewall restricts the communication port, and generally only opens a limited number of ports.
  • the port is dynamically allocated during the communication between the client main application component and the target server, and the communication port is dynamically changed, and is easily allocated to a port that is not open to the firewall, thus easily causing communication failure;
  • the client main application component and the target server may negotiate multiple communication ports, while the firewall opens only a limited number of ports and its port configuration is difficult to change, so it is difficult to make the messages pass through the open communication ports; an ordinary user often finds it difficult or impossible to change the network settings, so it is difficult for these applications to communicate through the firewall.
  • the forwarding device introduced between the private network and the Internet is a NAT/proxy server
  • the IP address of the client's main application component is the IP address of the private network.
  • the client main application component and the target server interact with each other using a complex communication protocol (such as H.323, SIP, MGCP, H.248/MeGaCo, etc.) having the above characteristic 4.
  • the packet sent by the client main application component to the target server first arrives at the NAT/proxy server, and the NAT/proxy server converts the source IP address and port in the packet header into the NAT IP address and port and sends the packet to the target server.
  • the target server parses the source IP address and port from the packet data part and returns a response message to that source IP address and port; however, the source IP address and port included in the data part are not the public IP address and port but the IP address and port on the client's private network. Therefore, the response packets are not routed to the correct destination IP address and port, cannot reach the client's main application component, and communication fails.
  • the protocol adopted by the above main application component is a protocol that requires end-to-end communication and does not support a proxy protocol for interacting through a proxy server, so the client's main application component cannot communicate with the proxy server, let alone with the target server through the proxy server.
  • the main purpose of the present invention is to provide a device and a communication system for implementing communication between a client and a server.
  • so that, when a forwarding device is introduced between a client and a server, the interaction information can still be transmitted through the device and normal communication is achieved.
  • the present invention discloses a device for implementing communication between a client and a server, and is applied to a communication system including a client, a server, and a forwarding device between the two;
  • the device comprises a transit component, which establishes a dedicated channel that penetrates the forwarding device with the transit server, establishes a communication connection between itself and the client, and establishes, with the transit server, a logical channel based on the dedicated channel between the client and the server;
  • the transit server establishes a dedicated channel that penetrates the forwarding device with the transit component, establishes a communication connection between itself and the server, and establishes, with the transit component, a logical channel based on the dedicated channel between the client and the server.
  • the dedicated channel between the transit component and the transit server is a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) communication connection that uses an open port of the forwarding device.
  • the transit server includes: a port allocation module, configured to receive a port request from a main application component and allocate a local port, and establish the reverse channel according to the port request and the local port.
  • the port allocation module includes an allocation module for allocating a single TCP port, an allocation module for allocating a single UDP port, and an allocation module for allocating two consecutive UDP ports; each of these allocation modules receives a port request and assigns a local port of the corresponding type.
  • the device further includes a conversion module for negotiated address ports, configured in the transit component or the transit server, which parses the negotiation data packet sent by the client to the server and translates the negotiated IP address and port of the client in the data part of the packet into the IP address and port of the transit server for the current logical channel.
  • the invention also discloses a communication system comprising a client, a server and a forwarding device connected between the two; the client includes a main application component, the server side includes at least one target server, and the system further includes a transit component and a transit server;
  • the transit component establishes a dedicated channel that penetrates the forwarding device with the transit server, establishes a communication connection between itself and the main application component, and establishes, with the transit server, a logical channel based on the dedicated channel between the main application component and the target server;
  • the transit server establishes a dedicated channel that penetrates the forwarding device with the transit component, establishes a communication connection between itself and the target server, and establishes, with the transit component, a logical channel based on the dedicated channel between the main application component and the target server.
  • the invention further discloses a method for realizing communication between a client and a server, applied to a communication system comprising a client, a server and a forwarding device connected between the two; the method comprises: establishing, between the client and the server, a dedicated channel that penetrates the forwarding device; and, when the main application component of the client communicates with the target server of the server, establishing a logical channel based on the dedicated channel between the main application component and the target server and communicating over it.
  • establishing the dedicated channel that penetrates the forwarding device between the client and the server includes: setting a transit component on the client, setting a transit server on the server, and establishing the dedicated channel between the transit component and the transit server.
  • establishing the logical channel based on the dedicated channel between the main application component and the target server includes: the transit component establishes a communication connection between itself and the main application component, and the transit server establishes a communication connection between itself and the target server; the main application component, the transit component, the transit server and the target server each allocate their respective communication ports, establish the correspondences between these communication ports, and thereby form a logical channel.
  • the transit component and the relay server establish a dedicated channel-based logical channel between the main application component and the target server, including:
  • the main application component sends a port request carrying the IP address and port of the main application component and the IP address and port of the target server to the transit component;
  • the transit component encapsulates the port request using an internal protocol, forwards the encapsulated port request to the transit server through the dedicated channel, and locally allocates a forwarding interface for data forwarding; the transit server allocates the local port according to the received port request;
  • the transit server returns, through the dedicated channel, the established correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server to the transit component, and the transit component establishes the correspondence between the logical channel number, the IP address and port of the main application component, the transit component forwarding interface, the IP address and port of the transit server, and the IP address and port of the target server;
  • the transit component and the relay server establish a dedicated channel-based logical channel between the main application component and the target server, including:
  • the main application component sends a port request to the transit component that carries the IP address and port of the main application component;
  • the transit component encapsulates the port request by using an internal protocol, forwards the encapsulated port request to the transit server through the dedicated channel, and locally allocates a forwarding interface for data forwarding; the transit server allocates the local port according to the received port request;
  • the main application component sends the IP address and port of the target server to the transit component and the transit server through communication data or notification;
  • the transit server establishes the correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server;
  • the transit server returns the established correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server to the transit component, and the transit component establishes the correspondence between the logical channel number, the IP address and port of the main application component, the transit component forwarding interface, the IP address and port of the transit server, and the IP address and port of the target server;
  • the method further includes: when the main application component performs port negotiation with the target server, the transit server parses the negotiation data packet sent by the main application component to the target server, converts the negotiated IP address and port of the main application component in the data portion of the packet into the IP address and port of the transit server for the logical channel, and sends the converted negotiation packet to the target server.
  • the logical channel corresponding to the dynamically allocated port or the dynamically negotiated port uses a dedicated channel to traverse the firewall, regardless of the number of ports allocated or negotiated.
  • the corresponding logical channel uses the dedicated channel to traverse the firewall; the dedicated channel is a single Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connection, and the port it uses is one opened by the firewall, so traversal can be achieved.
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • the interaction protocol used is only a simple internal protocol and is generally not hindered by the forwarding device, so communication can successfully penetrate the forwarding device.
  • when the forwarding device is a NAT/proxy server, because the interaction protocol between the transit component and the transit server is only a simple internal protocol, it does not need to return a response according to the source IP address and port carried in the packet data part (as complex protocols such as H.323 and SIP do) but returns it according to the source IP address and port in the packet header; since the IP address and port in the header have been translated by the NAT/proxy server, the returned response can successfully penetrate the NAT/proxy server, enabling smooth communication between the main application component and the target server.
  • the forwarding device introduced between the private network and the Internet is a proxy server (for example, a proxy server such as HTTP/SOCKS4/SOCKS5)
  • the function of the proxy protocol is relatively easy to implement on the client's transit component, so even if the main application component does not support the proxy protocol, the interaction information can still successfully penetrate the proxy server.
  • the invention does not need to make any changes to the hardware and software of the target server; when the transit component or the transit server supports the same protocol as the main application component, the hardware and software of the main application component need not be changed either; and there is no need to upgrade or replace the hardware and software of the NAT/proxy server/firewall, nor, in general, to change its settings. Therefore, while successfully traversing the NAT/proxy server/firewall, the existing hardware and software resources are retained to the greatest extent, and the implementation cost is low.
  • the solution adopted by the present invention has nothing to do with the communication protocol adopted by the main application component and the target server itself, and does not need to consider the complexity of the communication protocol, and is simple to implement.
  • the port request has already traversed the forwarding device, covering both "outbound" and "inbound" communication, so when communication is initiated from the public network to the private network, the forwarding device has already recorded the "outbound" communication from the private network to the public network and the logical channel has been established; the forwarding device therefore does not hinder communication from the public network to the private network through the logical channel.
  • FIG. 1 is a schematic structural view of an embodiment of the device according to the present invention
  • FIG. 2 is a flow chart of an embodiment of the method of the present invention.
  • Mode for carrying out the invention
  • the core technical solution of the present invention is: setting a transit device on the client and on the server respectively, the two transit devices communicating through a dedicated channel, and all information exchanged between the client and the server being forwarded to the other side through the two transit devices.
  • FIG. 1 is a block diagram showing an embodiment of the apparatus of the present invention.
  • the entire Internet application is divided into two major physical parts: one part is the local area network (LAN) inside the forwarding device (i.e. NAT/proxy/firewall), and this part is the client; the other part is the Internet outside the forwarding device (i.e. NAT/proxy/firewall), and this part is the server side.
  • the client includes: The main application component 11 is mainly used to complete the actual functions of the client part of the entire Internet application, such as the VoIP application component and the network conference application component.
  • the server side mainly includes:
  • the target server 14, such as a network telephone server and a web conference server, is the actual destination for completing the entire communication with the client.
  • the apparatus of the present invention includes a relay unit 12 at the client and a relay server 13 at the server end.
  • the relay unit 12 and the relay server 13 communicate by establishing a dedicated channel 15, which is a single TCP/UDP connection, and the port used for the dedicated channel is a port opened by a forwarding device such as a firewall.
  • the transit component 12 and the transit server 13 are configured to establish a logical channel between the main application component and the target server; the logical channel is established on the dedicated channel between the transit component and the transit server, and the main application component and the target server communicate through the logical channel established in the transit component and the transit server.
  • Step 201: When the client starts, a dedicated channel is established between the client's transit component and the transit server.
  • the dedicated channel can be a single TCP/UDP communication connection established using an open port of a forwarding device such as a firewall. If the dedicated channel cannot be established on the first attempt, the open port of the forwarding device can be detected by two or more heuristic attempts, and the dedicated channel is then established on that open port.
  • communication that would otherwise pass through the forwarding device on the TCP/UDP communication ports of the terminal is converted into a single dedicated channel through the forwarding device, so as to preserve the original security of the network as much as possible; at most one fixed communication port needs to be opened on the forwarding device to complete the entire communication process, which makes it very easy to traverse the firewall.
  • the port of the main application component communicates with the port of the target server through the transit component and the transit server; when a port of the main application component is to communicate with a port of the target server, communication ports of the corresponding type and number need to be allocated in the transit component and the transit server.
  • the communication data between the main application component port and the target server port is transmitted in the transit component and the transit server through the logical channel corresponding to the port, and finally sent to the other party.
  • the port of the target server may be an open port of the target server that is configured on the main application component, a port allocated by the target server for the main application component (the allocated port information may be sent to the main application component through the foregoing open port), or a port dynamically negotiated between the main application component and the target server.
  • the process of establishing a logical channel on the transit component and the relay server is the following steps 202 to 207.
  • Step 202: The client main application component first sends a port request to the transit component before sending data to the target server.
  • the port request can be requested in the form of a message (such as a TCP/IP socket message and a message in the form of a Windows message), or can be requested by calling a function.
  • the subsequent data forwarding process corresponds to the port request, and may also use the message form or the call function mode.
  • when the data is sent in the form of a port message, the data is returned in the form of a port message; otherwise, when returning data, it can be returned as a port message or by a callback function.
  • the port request is performed in the form of a message.
  • the port request here carries the type and number of ports to be requested, and the IP address and port number of the target server to which the main application component will communicate, where the port numbers are 140 and 141.
  • the type and number of ports to be requested correspond to the type and number of ports that the main application component will communicate with.
  • the port type can be a TCP port or a UDP port.
  • the target server port to be communicated is two consecutive UDP ports 140 and 141.
  • the port request also carries the IP address of the main application component and the ports that are to communicate with the target server ports, which are two consecutive UDP ports 110 and 111; the transit component needs to record the IP address and port numbers of the main application component and the IP address and port numbers of the target server.
  • the port request may not carry the IP address and port number of the target server, but in subsequent data communication, the IP address and port number of the target server are carried in the data packet.
  • Step 203: After receiving the port request message, the transit component encapsulates the port request message with the internal protocol used between the transit component and the transit server, and then sends the message to the transit server through the dedicated channel. At the same time, the transit component allocates local ports according to the type and number of ports requested in the port request message, that is, two consecutive local UDP ports, assumed to be port 120 and port 121, for subsequent packet forwarding. These local ports are called the forwarding interface of the transit component.
  • the internal protocol is a communication protocol with simple encapsulation and decapsulation processing, and the protocol only responds according to the IP address and port number in the packet header, but not to the data portion.
  • the protocol packet can successfully penetrate the forwarding device in both directions when traversing a forwarding device such as NAT that translates the IP address and port number of the header.
  • Step 204: After receiving the port request message sent by the client's transit component, the transit server allocates local ports according to the type and number of communication ports given in the request message, that is, two consecutive local UDP ports, assumed to be port 130 and port 131; it then establishes the correspondence between the logical channel number, the transit server IP address and port number, and the target server IP address and port number, as shown in Table 1 below, where the IP address of the transit server is assumed to be C and the IP address of the target server D:
  • Table 1 (reconstructed from the values given in the description):
    logical channel 0: transit server C/port 130, target server D/port 140
    logical channel 1: transit server C/port 131, target server D/port 141
  • the relay server also maintains information such as the auxiliary port information data and communication status in Table 1 in the subsequent process.
  • the transit server also establishes communication connections between its local port 130 and port 140 of the target server and between its local port 131 and port 141 of the target server, so as to transmit to the target server the communication data sent by the client and to receive the communication data sent back by the target server to the client.
  • if the port request does not carry the IP address and port of the target server, the transit server may first allocate the ports locally, wait until it receives a data packet carrying the IP address and port number of the target server or is notified of them by the main application component, and only then establish the correspondence described in Table 1.
  • Step 205: The transit server then returns, through the dedicated channel 15, a response message encapsulated with the internal protocol to the transit component; it states whether the port request succeeded and, if so, carries the IP address of the transit server and the allocated port information, that is, the local port numbers 130 and 131 assigned by the transit server.
  • Step 206: After receiving the response message, the transit component establishes the correspondence between the logical channel number, the IP address and port number of the main application component, the IP address and port number of the transit component, the IP address and port number of the transit server, and the IP address and port number of the target server, as shown in Table 2, where the IP address of the main application component is A and the IP address of the transit component is B:
  • Table 2 (reconstructed from the values given in the description):
    logical channel 0: main application component A/port 110, transit component B/port 120, transit server C/port 130, target server D/port 140
    logical channel 1: main application component A/port 111, transit component B/port 121, transit server C/port 131, target server D/port 141
  • the transit component returns a response message to the main application component containing the contents of Table 2 above. If the port request does not carry the IP address and port of the target server, the transit component waits until it receives a data packet carrying the IP address and port number of the target server or a notification from the main application component, and then establishes the correspondence described in Table 2.
  • the main application component can then establish a client-local communication connection between its port 110 and port 120 of the transit component, and another between its port 111 and port 121 of the transit component; the main application component can send and receive data through port 110 and port 111.
  • Step 207: The correspondence between the type and number of ports requested by the main application component, the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server acts as a logical channel for the port-to-port communication.
  • starting from the communication port of the main application component, a logical channel that can traverse the forwarding device is established through the transit component and the transit server to the communication port of the target server; that is, the IP addresses and ports through which logical channel 0 passes are A/port 110 - B/port 120 - dedicated channel 15 - C/port 130 - D/port 140, and those through which logical channel 1 passes are A/port 111 - B/port 121 - dedicated channel 15 - C/port 131 - D/port 141.
  • the transit component and the transit server forward the packets sent by the port of the main application component to the corresponding port of the target server through the logical channels recorded in Tables 1 and 2.
  • the main application component and the target server can communicate using these channels.
  • Step 208: The data sent by the main application component from port 110 is finally delivered to the target server through logical channel 0, and the data sent from port 111 is finally delivered to the target server through logical channel 1.
  • the following describes the data transmission process from the main application component to the target server, taking logical channel 0 as an example: the main application component 11 sends the data packet from port 110 to port 120 of the transit component 12 according to the logical channel content in Table 2; the transit component 12 looks up Table 2 by port 110 and determines that the logical channel for this data packet is 0 and that the IP address and port of the corresponding transit server are C and 130; it then performs internal protocol encapsulation on the data to be sent, encapsulating the logical channel information (here, logical channel number 0) into the data packet, and forwards the encapsulated packet to the transit server 13 through the dedicated channel 15 between itself and the transit server 13. After receiving the encapsulated data packet, the transit server 13 decapsulates the internal protocol, obtains the logical channel information (logical channel number 0), and looks up Table 1 to obtain port 130 and the IP address D and port 140 of the target server; it then sends the decapsulated data packet from local port 130 to port 140 of the target server 14, so that port 140 of the target server 14 receives the actual data sent by the client. Similarly, packets sent from port 111 are sent through logical channel 1 to port 141 of the target server.
  • Step 209: when the target server 14 returns a data packet to the main application component 11, a packet returned from port 140 finally reaches port 110 of the main application component 11 through logical channel 0, and a packet returned from port 141 finally reaches port 111 of the main application component 11 through logical channel 1.
  • the following describes the data transmission process from the target server to the main application component, taking logical channel 0 as an example:
  • the target server returns a data packet from port 140 to port 130 of the transit server 13; the transit server looks up the correspondence in Table 1 and determines that the logical channel of this data is 0; it then encapsulates the packet with the internal protocol, placing the logical channel information (logical channel number 0) into the packet, and forwards the encapsulated packet to the transit component 12 through the dedicated channel 15. After receiving the encapsulated packet, the transit component 12 decapsulates the internal protocol to obtain the logical channel number, looks up Table 2 to obtain its local port 120 and the IP address A and port 110 of the main application component, and sends the decapsulated packet through local port 120 to port 110 of main application component 11, so that the port of the main application component receives the actual data returned by the target server.
  • alternatively, the main application component initiates the port request to the transit component in function-call mode and passes the data in a function call.
  • the function call for the port request carries the requested port type and number together with a port parameter, which indicates the port number of the main application component that sends the data, for example port 110 or port 111.
  • Step 203: after receiving the port request message, the transit component encapsulates it with the internal protocol between the transit component and the transit server and sends it to the transit server through the dedicated channel. At the same time, the transit component allocates local ports according to the type and number of ports requested in the port request message, that is, two consecutive local UDP ports, assumed here to be port 120 and port 121, for subsequent packet forwarding.
  • there may be two callback functions, used respectively to return data to port 110 and to port 111; or there may be a single callback function whose port parameter indicates the port number (110 or 111) to which the data is returned.
  • the ports or callback functions allocated by the transit component are referred to collectively as the forwarding interfaces through which the transit component forwards data. In this example there are two forwarding interfaces, numbered forwarding interface 0 and forwarding interface 1.
  • after receiving the response message, the transit component establishes the correspondence between the logical channel number, the IP address and port number of the main application component, the IP address and forwarding interface number of the transit component, the IP address and port number of the transit server, and the IP address and port of the target server.
  • assuming that the IP address of the main application component is A and the IP address of the transit component is B:
  • the transit component returns a response message to the main application component containing the contents of Table 3 above.
  • taking the communication port of the main application component as the starting port, a logical channel that can traverse the forwarding device is established through the transit component and the transit server to the communication port of the target server; that is, logical channel 0 passes through A/port 110 - B/forwarding interface 0 - dedicated channel 15 - C/port 130 - D/port 140, and logical channel 1 passes through A/port 111 - B/forwarding interface 1 - dedicated channel 15 - C/port 131 - D/port 141. The transit component and the transit server forward the packets sent from the ports of the main application component to the corresponding ports of the target server through the logical channels recorded in Table 1 and Table 2.
  • Step 208: the data sent by the main application component from port 110 is passed to the transit component 12 by the function call, and the transit component 12 finally delivers the packet to port 140 of the target server 14 through logical channel 0; similarly, the data sent from port 111 is finally delivered to port 141 of the target server 14 through logical channel 1.
  • the data packet sent from port 140 finally reaches port 110 of the main application component 11 through logical channel 0; when the transit component forwards this data it may do so through port 120, through callback function 0, or through the single callback function whose port parameter designates port 110. Similarly, the packet sent from port 141 finally reaches port 111 of the main application component 11 through logical channel 1.
  • the ports requested by the main application component fall into several cases. There are typically three: 1) a single TCP port; 2) a single UDP port; 3) two consecutive UDP ports. A dedicated standardized processing module can therefore be provided on the transit server for each case: for example, module 1 allocates a single TCP port, module 2 allocates a single UDP port, and module 3 allocates two consecutive UDP ports. Calling these modules directly when allocating ports makes the process more integrated and improves processing efficiency.
  • steps 202 to 207 may be executed repeatedly, calling the standardized processing modules to allocate ports, so that multiple logical channels are established; in the example above, steps 202 to 207 allocate two consecutive UDP ports using module 3, and two UDP logical channels are established accordingly.
  • the cases of requested ports are not limited to the three above and may be extended as actual applications change; a dedicated standardized processing module may be configured for each case to perform port allocation, making the process more integrated and improving processing efficiency.
  • the client main application component can also use the port number assigned by the transit server, which it has received, to complete the negotiation of communication ports through its own complex communication protocol (for example H.323, SIP, MGCP or H.248/MeGaCo).
  • there are two situations in which the negotiation process is implemented:
  • in the first situation, the transit component and the transit server do not support the complex protocol of the main application component, which transmits data that has to be parsed from the packet contents (for example H.323, SIP, MGCP or H.248/MeGaCo).
  • a conversion module is therefore arranged in the main application component, configured to convert the negotiated IP address and port of the main application component carried in the data part of the complex-protocol packet into the IP address and port of the corresponding transit server. For example, if the negotiation port of the main application component is 110, the IP address and port 110 of the main application component are replaced by the IP address and port 130 of the transit server, and the packet is sent to the target server through the corresponding logical channel 0. The target server obtains the IP address and port 130 of the transit server from the data portion of the packet and returns the negotiation response to port 130 of the transit server, from where it is returned to the main application component through logical channel 0, ending the negotiation process.
  • in the second situation, the transit component or the transit server supports the complex protocol of the main application component and can parse the packet contents.
  • the conversion module is then placed in whichever of the transit component or the transit server supports the complex protocol; it parses the packet from the main application component, converts the negotiated IP address and port of the main application component into the IP address and port of the corresponding transit server, and sends the converted packet to the target server. The target server, which handles the same communication protocol as the main application component, obtains the IP address and port of the transit server from the data portion of the packet and returns the negotiation response to that port of the transit server, from where it is returned to the main application component through the corresponding logical channel, ending the negotiation process.
  • when the client is closed, the client first sends a port revocation message to the transit server requesting that the logical channel connection be closed, then tears down the dedicated channel 15 established with the transit server and releases all related resources; similarly, when the server is closed, the transit server sends a port revocation message to the client requesting that the logical channel connection be closed, then tears down the dedicated channel 15 established with the transit component and releases all related resources.
  • the information exchanged between the main application component and the target server can successfully penetrate the forwarding device introduced between the private network and the public network.
  • the reason is as follows.
  • if the forwarding device is a firewall: the port-to-port logical channels traverse the firewall over the dedicated channel 15, which is a single TCP or UDP connection whose port is one of the ports the firewall leaves open, so the information exchanged between the main application component and the target server passes through the firewall successfully.
  • moreover, the interaction protocol used on the dedicated channel is only a simple internal protocol that is generally not blocked by the forwarding device, so communication through the forwarding device succeeds.
  • if the forwarding device is a NAT/proxy server: the interaction protocol between the transit component and the transit server is only a simple internal protocol; unlike complex protocols such as H.323 and SIP, it does not return responses to the source IP address and port carried in the packet data, but to the source IP address and port in the packet header.
  • because the IP address and port in the header are translated by the NAT/proxy server, the returned response passes back through the NAT/proxy server successfully, enabling smooth communication between the main application component and the target server.
  • if the forwarding device is a proxy server, such as an HTTP, SOCKS4 or SOCKS5 proxy, the proxy protocol is relatively easy to implement in the client's transit component, so even if the main application component does not support the proxy protocol, the exchanged information can still pass through the proxy server successfully.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

An apparatus for realizing communication between a client and a server, applied to a communication system including a client, a server and a transmitting device between them. The apparatus includes: a transferring unit, which establishes with the transferring server a private channel penetrating through the transmitting device, establishes a communication channel between the client and itself, and establishes with the transferring server a logical channel between the client and the server based on the private channel; and a transferring server, which establishes with the transferring unit a private channel penetrating through the transmitting device, establishes a communication link between the server and itself, and establishes with the transferring unit a logical channel between the client and the server based on the private channel. A corresponding system and method are also provided. The invention realizes communication between the client and the server penetrating through the transmitting device.

Description

Device, system and method for realizing communication between a client and a server
Technical field
The present invention relates to network information interaction technology, and in particular to a device, a system and a method for realizing communication between a client and a server.
Background of the invention
With the rapid development of the Internet, new Internet applications keep emerging, Internet traffic is growing rapidly, IP address resources are becoming increasingly scarce, and network security problems are becoming more prominent. To cope with the growing shortage of IP addresses and to improve the security of enterprise networks, many enterprises, institutions and metropolitan area networks access the Internet indirectly through forwarding devices; the forwarding devices referred to here are mainly Network Address Translation (NAT) devices, proxy servers and firewalls.
However, some of today's more complex Internet applications require an end-to-end directly connected network to complete communication, for example multimedia communication applications on the Internet such as Internet telephony and web conferencing. These applications require end-to-end information exchange between the main application component of the client terminal and a target server on the Internet, and such complex Internet applications usually have one or more of the following characteristics:
1. The target server dynamically allocates the communication port with the client's main application component;
2. The target server and the client's main application component dynamically negotiate the communication ports of both parties;
3. One or more TCP or UDP communication ports between the target server and the client's main application component are needed during a complete communication process;
4. The communication protocols used are relatively complex. For example, the protocols commonly used by these applications include H.323, the Session Initiation Protocol (SIP) and the Media Gateway Control Protocol (MGCP, or H.248/MeGaCo); forwarding devices generally do not support such complex protocols, which may therefore block end-to-end communication between the main application component and the target server. In addition, some complex communication protocols (for example H.323) interact as follows: in the packet sent by the client's main application component to the target server, the source and destination IP addresses and ports are carried in the packet header, and the source IP address and port are also included in the data part of the packet; after receiving the packet, the target server parses the source IP address and port from the data part and returns a response packet to that IP address and port. This interaction method requires the client's main application component to be directly connected to the target server in order to communicate normally;
5. Communication from the public network to the private network that is actively initiated from the public network side is involved;
6. The network environments in which the applications run are diverse, and network settings cannot be changed or are difficult to change;
7. The target server is relatively fixed and is located directly on the Internet;
8. The hardware and software of the target server are difficult to change.
On the Internet, forwarding devices are introduced between many private networks and the public network (the Internet), and the information exchanged between the client's main application component and the target server according to existing communication methods cannot pass through the forwarding device, so the normal communication of these end-to-end applications is hindered. The reasons why the forwarding device cannot be traversed are analysed below according to the characteristics of the applications described above.
First, assume that the forwarding device introduced between the private network and the Internet is a firewall. A firewall restricts communication ports and generally opens only a limited number of them. In the complex applications described above, however, ports are allocated dynamically during communication between the client's main application component and the target server; since the communication ports change dynamically, a port the firewall has not opened is easily allocated, which readily causes communication failure. Moreover, the client's main application component and the target server may negotiate several communication ports, while the firewall opens only a limited number of ports and its port configuration is difficult to change, so it is hard to let packets through by opening communication ports; ordinary users usually find it difficult or impossible to change network settings, so these applications have difficulty communicating across the firewall.
Second, assume that the forwarding device introduced between the private network and the Internet is a NAT/proxy server, and that the IP address of the client's main application component is a private-network IP address. The client's main application component and the target server interact using a complex communication protocol with characteristic 4 above (for example H.323, SIP, MGCP or H.248/MeGaCo). A packet sent by the client's main application component to the target server first reaches the NAT/proxy server, which translates the source IP address and port in the packet header into the NAT's own IP address and port and then sends the packet on to the target server. As required by a protocol with characteristic 4, the target server parses the source IP address and port from the data part of the packet and returns a response packet to that source IP address and port. However, the source IP address and port included in the data part are not a public IP address and port but the IP address and port on the client's private network, so the returned response packet cannot be routed to the correct destination IP address and port and cannot reach the client's main application component, causing communication failure.
In addition, if the forwarding device is a proxy server, the protocol used by the main application component requires end-to-end communication and does not support a proxy protocol for interacting through a proxy server, so the client's main application component cannot communicate with the proxy server, let alone communicate with the target server across it.
Furthermore, all three kinds of forwarding device described above block communication to the private network that is actively initiated from the public network.
Summary of the invention
In view of this, the main object of the present invention is to provide a device and a communication system for realizing communication between a client and a server, so that when a forwarding device is introduced between the client and the server, the exchanged information can pass through the forwarding device by means of this device and communication proceeds normally.
Another object of the present invention is to provide a method for realizing communication between a client and a server, so that when a forwarding device is introduced between the client and the server, the exchanged information can pass through the forwarding device and communication proceeds normally.
To achieve the above objects, the main technical solution of the present invention is as follows. The present invention discloses a device for realizing communication between a client and a server, applied to a communication system comprising a client, a server and a forwarding device between them; the device comprises:
a transit component, which establishes with a transit server a dedicated channel penetrating the forwarding device, establishes a communication connection between itself and the client, and establishes with the transit server a logical channel between the client and the server based on the dedicated channel;
a transit server, which establishes with the transit component a dedicated channel penetrating the forwarding device, establishes a communication connection between itself and the server, and establishes with the transit component a logical channel between the client and the server based on the dedicated channel.
The dedicated channel between the transit component and the transit server is a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) communication connection, and the port of the dedicated channel uses an open port of the forwarding device.
The transit server comprises a port allocation module, configured to receive a port request from the main application component and allocate a local port, and to establish the logical channel according to the port request and the local port.
The port allocation module comprises an allocation module for allocating a single TCP port, an allocation module for allocating a single UDP port, and an allocation module for allocating two consecutive UDP ports; any one of these allocation modules receives a port request and allocates a local port of the corresponding type.
The device further comprises a conversion module for the negotiated address and port, arranged in the transit component or the transit server, configured to parse the negotiation packet sent by the client to the server and to convert the client's negotiated IP address and port in the data part of the packet into the IP address and port of the transit server for the current logical channel.
The present invention also discloses a communication system comprising a client, a server and a forwarding device connected between them, wherein the client comprises a main application component and the server comprises at least one target server; the system further comprises a transit component and a transit server:
a transit component, which establishes with the transit server a dedicated channel penetrating the forwarding device, establishes a communication connection between itself and the main application component, and establishes with the transit server a logical channel between the main application component and the target server based on the dedicated channel;
a transit server, which establishes with the transit component a dedicated channel penetrating the forwarding device, establishes a communication connection between itself and the target server, and establishes with the transit component a logical channel between the main application component and the target server based on the dedicated channel.
The present invention further discloses a method for realizing communication between a client and a server, applied to a communication system comprising a client, a server and a forwarding device connected between them; the method comprises: establishing a dedicated channel penetrating the forwarding device between the client and the server; and, when the main application component of the client communicates with a target server on the server side, establishing a logical channel based on the dedicated channel between the main application component and the target server and communicating over it.
Establishing the dedicated channel penetrating the forwarding device between the client and the server comprises: providing a transit component on the client side and a transit server on the server side, and having the transit component and the transit server establish the dedicated channel.
Establishing the logical channel based on the dedicated channel between the main application component and the target server comprises: the transit component establishing a communication connection between itself and the main application component, and the transit server establishing a communication connection between itself and the target server; the main application component, the transit component, the transit server and the target server each allocating their respective communication ports and establishing the correspondence between these ports, which forms the logical channel.
The transit component and the transit server establishing the logical channel based on the dedicated channel between the main application component and the target server comprises:
the main application component sending to the transit component a port request carrying the IP address and port of the main application component and the IP address and port of the target server;
the transit component encapsulating the port request with an internal protocol, forwarding the encapsulated port request to the transit server through the dedicated channel, and locally allocating a forwarding interface for data forwarding; the transit server allocating a local port according to the received port request, and establishing the correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server;
the transit server returning the established correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server to the transit component through the dedicated channel; the transit component establishing the correspondence between the logical channel number, the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server;
the correspondence between the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server serving as the logical channel for communication between the main application component and the target server.
Alternatively, the establishment by the transit component and the transit server of the logical channel, based on the dedicated channel, between the main application component and the target server includes:
The main application component sends to the transit component a port request carrying the IP address and port of the main application component;
The transit component encapsulates the port request using the internal protocol, forwards the encapsulated port request to the transit server over the dedicated channel, and locally allocates a forwarding interface for data forwarding; the transit server allocates a local port according to the received port request;
The main application component sends the IP address and port of the target server to the transit component and the transit server, either within communication data or in a notification;
The transit server establishes the correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server;
The transit server returns the established correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server to the transit component; the transit component establishes the correspondence between the logical channel number, the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server;
The correspondence between the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server is taken as the logical channel for communication between the main application component and the target server.
The method further includes: when the main application component performs port negotiation with the target server, the transit server parses the negotiation packet sent by the main application component to the target server, replaces the negotiated IP address and port of the main application component in the data portion of the negotiation packet with the IP address and port of the transit server belonging to the logical channel, and then sends the converted negotiation packet to the target server.
When the forwarding device introduced between the private network and the Internet is a firewall, the logical channels corresponding to dynamically allocated or dynamically negotiated ports cross the firewall over the dedicated channel; however many ports are allocated or negotiated, their corresponding logical channels all pass through the firewall over that single dedicated channel. Because the dedicated channel is a single Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) connection, and the port it uses is one the firewall has opened, the information exchanged between the main application component and the target server can successfully pass through the firewall.
Because the communication between the transit component and the transit server is a simple communication that conforms to the characteristics of the forwarding device, and the interaction protocol it uses is only a simple internal protocol, it is generally not blocked by the forwarding device, so communication through the forwarding device can succeed. In addition, if the forwarding device is a NAT/proxy server, then because the interaction protocol between the transit component and the transit server is only a simple internal protocol, it does not, unlike complex protocols such as H.323 and SIP, return responses according to the source IP address and port carried in the data portion of the packet; it returns responses according to the source IP address and port in the packet header. Since the IP address and port in the header have been translated by the NAT/proxy server, the returned response can successfully pass back through the NAT/proxy server, giving unobstructed communication between the main application component and the target server.
When the forwarding device introduced between the private network and the Internet is a proxy server (for example an HTTP, SOCKS4 or SOCKS5 proxy), the functions of the proxy protocol are relatively easy to implement in the transit component on the client, so even when the main application component itself does not support the proxy protocol, the exchanged information can still pass through the proxy server.
The invention requires no change to the hardware or software of the target server; when the transit component or the transit server supports the same protocol as the main application component, the hardware and software of the main application component need not be changed either; and there is no need to upgrade or replace the hardware or software of the NAT/proxy server/firewall, nor, in general, to change its settings. Therefore, while the NAT/proxy server/firewall is successfully traversed, existing hardware and software resources are preserved to the greatest extent and the implementation cost is low.
The solution adopted by the invention is independent of the communication protocol used by the main application component and the target server themselves; the complexity of that protocol need not be considered, and implementation is simple. ...before that, communication by way of the port request has already crossed the forwarding device, including both "outbound" and "inbound" communication; therefore, when communication is initiated actively from the public network toward the private network, the forwarding device has already recorded the "outbound" communication from the private network to the public network and the logical channel has already been established, so the forwarding device will not block communication from the public network to the private network over that logical channel.
Brief description of the drawings
Figure 1 is a schematic structural diagram of an embodiment of the apparatus according to the invention; Figure 2 is a flow chart of an embodiment of the method according to the invention.
Mode for carrying out the invention
The invention is described in further detail below by way of specific embodiments and the accompanying drawings.
The core technical solution of the invention is as follows: a transit device is provided on the client side and another on the server side; the two transit devices communicate with each other over a dedicated channel; and all information exchanged between the client and the server is forwarded to the other side through these two transit devices.
An embodiment of the apparatus of the invention is described first. Figure 1 is a schematic structural diagram of an embodiment of the apparatus. Referring to Figure 1, the whole Internet application is divided into two main entities: one entity is the part located in the local area network (LAN) behind the forwarding device (i.e. the NAT/proxy/firewall), and this entity is the client; the other entity is the part located on the Internet outside the forwarding device (i.e. the NAT/proxy/firewall), and this entity is the server side. The client includes the main application component 11, which performs the actual functions of the client part of the Internet application, for example a VoIP application component or a web conferencing application component. The server side mainly includes the target server 14, for example a VoIP server or a web conferencing server, which is the actual destination that completes the communication with the client. The apparatus of the invention includes the transit component 12 located on the client and the transit server 13 located on the server side. The transit component 12 and the transit server 13 communicate by establishing a dedicated channel 15, which is a single TCP/UDP connection whose port is one opened by the forwarding device (for example, the firewall). The transit component 12 and the transit server 13 are used to establish a logical channel from the main application component to the target server; this logical channel is built on top of the dedicated channel between the transit component and the transit server, and the main application component and the target server communicate through the logical channel established in the transit component and the transit server.
Specific embodiments of the method of the invention are described below.
Figure 2 is a flow chart of an embodiment of the method. Referring to Figure 2, the flow includes:
Step 201: When the client starts, a dedicated channel is established between the client transit component and the transit server.
The dedicated channel may be a single TCP/UDP connection established through an open port of the forwarding device (for example, the firewall). If establishing the dedicated channel does not succeed on the first attempt, the open port of the forwarding device may be probed by two or more attempts, so that the dedicated channel is established on that open port. After the dedicated channel is established, all communication data between the client transit component and the transit server is transmitted over it. In this way, communication between the main application component and the target server, which originally required dynamically allocating and negotiating one or more end-to-end TCP/UDP communication ports across the forwarding device, is converted into communication across the forwarding device over a single dedicated channel. This preserves the original security of the network as far as possible: at most one fixed communication port needs to be opened on the forwarding device to complete the whole communication process, so the firewall can be traversed very easily.
Because the ports of the main application component communicate with the ports of the target server through the transit component and the transit server, when a port of the main application component is to communicate with a port of the target server, logical channels corresponding to the type and number of communication ports must be established in the transit component and the transit server; thereafter the communication data between the main application component port and the target server port is carried in the transit component and the transit server over the logical channel corresponding to that port, and finally delivered to the other side. The target server's port may be an open port that is already known to the main application component and configured on it; it may be a port that the target server allocates for the main application component (the allocated port information can be sent to the main application component through the above open port); or it may be a port dynamically negotiated between the main application component and the target server.
The process of establishing a logical channel in the transit component and the transit server is described in the following steps 202 to 207.
Step 202: Before sending data to the target server, the client main application component first sends a port request to the transit component. The port request may be made in the form of a message (for example, a TCP/IP socket message or a Windows message) or by calling a function. In general, the subsequent data forwarding matches the form of the port request, using either messages or function calls; however, if data is sent in the form of port messages, data is also returned in the form of port messages, whereas if data is sent by function call, data may be returned either as a port message or through a callback function.
In this embodiment, the port request is made in the form of a message. The port request here carries the type and number of ports requested and the IP address and port number of the target server with which the main application component is to communicate; here the port numbers are 140 and 141. The type and number of ports requested correspond to the type and number of ports over which the main application component will communicate, and the port type may be TCP or UDP. For example, the target server ports to be communicated with are two consecutive UDP ports, 140 and 141. The port request also carries the IP address of the main application component and the ports that will communicate with the corresponding target server ports; here it is assumed that these are two consecutive UDP ports, 110 and 111. The transit component must record the IP address and port numbers of the main application component and the IP address and port numbers of the target server. The port request may also omit the IP address and port number of the target server, in which case the target server's IP address and port number are carried in the data packets of the subsequent data communication.
Step 203: After receiving the port request message, the transit component encapsulates it using the internal protocol between the transit component and the transit server and sends it to the transit server over the dedicated channel. At the same time, the transit component allocates local ports according to the type and number of ports requested in the port request message, that is, it allocates two consecutive local UDP ports, assumed to be port 120 and port 121, for forwarding the subsequent data packets. These local ports are called the forwarding interfaces of the transit component.
The internal protocol is a communication protocol with simple encapsulation and decapsulation; it responds only according to the IP address and port number in the packet header and does not process the contents of the data portion. Because of this, when its packets traverse a forwarding device such as a NAT, which forwards by translating the IP address and port number in the packet header, they can pass through the forwarding device successfully in both directions. An internal protocol with these functions can be implemented by those skilled in the art using existing techniques, and it is not described further here.
Step 204: After receiving the port request message sent by the client transit component, the transit server allocates local ports according to the information in the request message, such as the type and number of communication ports; that is, it allocates two consecutive local UDP ports, assumed here to be port 130 and port 131. It then establishes the correspondence between the logical channel number, the transit server IP address and port number, and the target server IP address and port number, that is, the correspondence in Table 1 below, where the IP address of the transit server is assumed to be C and the IP address of the target server is D:
[Table 1: image not reproduced in this text. Correspondence between logical channel number, transit server IP address and port, and target server IP address and port.]
In the subsequent process, the transit server also maintains the information in Table 1, such as auxiliary port information and communication status.
If the requested port type is TCP, the transit server also establishes communication connections between its local port 130 and the corresponding target server port 140, and between its local port 131 and the corresponding target server port 141, so that it can transmit to the target server the communication data sent by the client and receive the communication data the target server returns to the client.
If the port request does not carry the IP address and port of the target server, the transit server may first allocate the ports locally and establish the correspondence of Table 1 later, either when it receives a data packet carrying the target server's IP address and port number, or when the main application component, having learned the target server's IP address and port but not yet having sent data, notifies the transit server through the transit component.
Step 205: The transit server then returns to the transit component, over the dedicated channel 15, a response message encapsulated with the internal protocol. It indicates whether the port request succeeded and, if so, also carries the IP address of the transit server and the allocated port information, namely the local port numbers 130 and 131 allocated by the transit server.
Step 206: After receiving the response message, the transit component establishes the correspondence between the logical channel number, the IP address and port number of the main application component, the IP address and port number of the transit component, the IP address and port number of the transit server, and the IP address and port number of the target server, as shown in Table 2, where the IP address of the main application component is assumed to be A and the IP address of the transit component is B:
[Table 2: image not reproduced in this text. Correspondence between logical channel number, main application component IP address and port, transit component IP address and port, transit server IP address and port, and target server IP address and port.]
The transit component returns a response message to the main application component, which includes the contents of Table 2 above. If the port request does not carry the IP address and port of the target server, the transit component waits until it receives a data packet carrying the target server's IP address and port number, or a notification from the main application component, before establishing the correspondence of Table 2.
After receiving the response message, the main application component may establish a local client-side communication connection between its port 110, over which it will communicate, and port 120 of the transit component, and likewise between its port 111 and port 121 of the transit component; the main application component can then send and receive data through ports 110 and 111.
Step 207: For the type and number of ports requested by the main application component, the correspondence between the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server is taken as the logical channel for the port-to-port communication. That is, according to the correspondences in Tables 1 and 2 above, starting from the communication port of the main application component and passing through the transit component and the transit server to the communication port of the target server, a logical channel that can traverse the forwarding device is established. Logical channel 0 passes through the following IP addresses and ports: A/port 110 - B/port 120 - dedicated channel 15 - C/port 130 - D/port 140; logical channel 1 passes through: A/port 111 - B/port 121 - dedicated channel 15 - C/port 131 - D/port 141. The transit component and the transit server forward the data packets sent from the main application component's ports to the corresponding ports of the target server over the logical channels recorded in Tables 1 and 2.
Once the logical channels for the different ports are established, the main application component and the target server can communicate using these channels.
Step 208: Data sent by the main application component from port 110 is finally delivered to the target server over logical channel 0, and data sent from port 111 is finally delivered over logical channel 1. The data transmission process from the main application component to the target server is described below, taking logical channel 0 as an example:
According to the logical channel contents in Table 2, the main application component 11 transmits the data packet sent from port 110 to port 120 of the transit component 12. The transit component 12 looks up the correspondence in Table 2 by port 110, determines that the logical channel carrying this packet is 0 and that the corresponding transit server IP address and port are C and 130, and then encapsulates the data to be sent with the internal protocol, putting the logical channel information for the data, here logical channel number 0, into the packet. The transit component 12 forwards the encapsulated packet to the transit server 13 over the dedicated channel 15 between them. After receiving the encapsulated packet, the transit server 13 decapsulates it according to the internal protocol, obtains the logical channel information, namely logical channel number 0, and by looking up Table 1 further obtains port 130 and the target server's IP address D and port 140. It then sends the decapsulated packet from local port 130 to port 140 of the target server 14, so that port 140 of the target server 14 receives the actual data the client sent. Similarly, data packets sent from port 111 are delivered over logical channel 1 to port 141 of the target server.
Step 209: When the target server 14 returns a data packet to the main application component 11, the packet returned from port 140 is finally delivered over logical channel 0 to port 110 of the main application component 11, and the packet returned from port 141 is finally delivered over logical channel 1 to port 111 of the main application component 11. The data transmission process from the target server to the main application component is described below, taking logical channel 0 as an example:
The target server returns a data packet from port 140; the packet travels back along the same path to port 130 of the transit server 13. The transit server looks up the correspondence in Table 1 and determines that the logical channel for this data is 0. It then encapsulates the packet with the internal protocol, putting the packet's logical channel information, here logical channel number 0, into the packet, and forwards the encapsulated packet to the transit component 12 over the dedicated channel 15. After receiving the encapsulated packet, the transit component 12 decapsulates it according to the internal protocol, obtains the logical channel information, namely the logical channel number, looks up Table 2 to obtain local port 120 and the main application component's IP address A and port number 110, and then sends the decapsulated packet from local port 120 to port 110 of the main application component 11, so that the main application component's port receives the actual data returned by the target server.
Similarly, the data packet returned from port 141 (with destination IP address A and port 111) is finally delivered over logical channel 1 to port 111 of the main application component.
In another embodiment of the method of the invention, the main application component initiates the port request to the transit component by a function call and also sends data by function call. The function call used for the port request includes the type and number of ports requested, and also port parameters that indicate the port numbers of the main application component from which data is sent, for example port 110 and port 111.
The steps of this embodiment are basically similar to those of the previous embodiment, so only the differences from the previous embodiment are described below.
In step 203, after receiving the port request message, the transit component encapsulates it using the internal protocol between the transit component and the transit server and sends it to the transit server over the dedicated channel. At the same time, the transit component either allocates local ports according to the type and number of ports requested in the port request message, that is, two consecutive local UDP ports, assumed to be port 120 and port 121, for forwarding the subsequent data packets; or it sets callback functions through which the subsequent data packets are forwarded. There may be two callback functions, used respectively to return data to port 110 and to port 111, or there may be a single callback function, in which case its port parameter must indicate the port number, 110 or 111, to which the data is returned. The ports or callback functions allocated by the transit component may be referred to collectively as the forwarding interfaces used by the transit component to forward data. Here there are two forwarding interfaces, forwarding interface 0 and forwarding interface 1: forwarding interface 0 is port 120, or callback function 0, or the callback function whose port parameter is port 110; forwarding interface 1 is port 121, or callback function 1, or the callback function whose port parameter is port 111.
In step 206, after receiving the response message, the transit component establishes the correspondence between the logical channel number, the IP address and port number of the main application component, the IP address and forwarding interface number of the transit component, the IP address and port number of the transit server, and the IP address and port number of the target server, as shown in Table 3; assume that the IP address of the main application component is A and the IP address of the transit component is B:
Table 3 (image not reproduced): correspondence between the logical channel number, the IP address and port of the main application component, the IP address and forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server.
The transit component returns a response message to the main application component, which includes the content of Table 3 above. In this embodiment, for the port type and number requested by the main application component, logical channels that can traverse the forwarding device are established according to the correspondences in Table 1 and Table 3 above, starting from the communication port of the main application component and running through the transit component and the transit server to the communication port of the target server. That is, the IP addresses and ports that logical channel 0 passes through are: A/port 110 - B/forwarding interface 0 - dedicated channel 15 - C/port 130 - D/port 140; the IP addresses and ports that logical channel 1 passes through are: A/port 111 - B/forwarding interface 1 - dedicated channel 15 - C/port 131 - D/port 141. Through the logical channels recorded in Table 1 and Table 2, the transit component and the transit server forward the data packets sent from the ports of the main application component to the corresponding ports of the target server.
In step 208, the data sent by the main application component from port 110 is passed to the transit component 12 by a function call, and the transit component 12 finally sends the data packet over logical channel 0 to port 140 of the target server 14; similarly, the data sent from port 111 is finally sent over logical channel 1 to port 141 of the target server 14. When the target server returns data packets to the main application component, the data packets sent from port 140 are finally sent over logical channel 0 to port 110 of the main application component 11; when the transit component forwards that data, it may forward it through port 120, or through callback function 0, or through the callback function whose port parameter designates port 110 as the target. Similarly, data packets sent from port 141 are finally sent over logical channel 1 to port 111 of the main application component 11.
In general, the ports requested by the main application component fall into several cases, of which three are typical: 1) a request for a single TCP port; 2) a request for a single UDP port; 3) a request for two consecutive UDP ports. Dedicated standardized processing modules can therefore be built on the transit server for these cases. For example, module 1 is dedicated to allocating a single TCP port, module 2 to allocating a single UDP port, and module 3 to allocating two consecutive UDP ports; when ports are allocated, the matching processing module is called directly, which makes the flow more integrated and improves processing efficiency. If the whole communication process between the main application component and the target server requires several TCP/UDP communication ports, the method of steps 202 to 207 can be executed repeatedly, calling the standard processing modules above to allocate the ports and establishing the logical channels corresponding to each of the TCP/UDP communication ports, so as to fulfil the whole communication requirement. For example, if the whole communication process requires three ports, one TCP port and two consecutive UDP ports, steps 202 to 207 are first executed once, using module 1 to allocate one TCP port and establish one TCP logical channel, and then executed again, using module 3 to allocate two consecutive UDP ports and correspondingly establish two UDP logical channels. In addition, since the requested ports fall into several cases that are not limited to the three above and can be extended as actual applications change, a dedicated standardized processing module can be built on the transit server for each case to perform the port allocation, making the flow more integrated and improving processing efficiency.
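The standardized port-allocation modules and the logical-channel correspondence (Table 3 and the channel 0 and channel 1 paths above), as an added Python example that is not code from the patent: the addresses A to D and the port numbers are the text's placeholders, the pool range 130 to 139 is constructed, and every class and function name is this example's own. It also adds one check the text does not state: return traffic is relayed only when it comes from the target endpoint recorded for that channel.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, port or forwarding-interface number)


class PortAllocator:
    """Local port pool of the transit server; used ports tracked per protocol."""

    def __init__(self, first: int, last: int) -> None:
        self.first, self.last = first, last
        self.in_use: Dict[str, Set[int]] = {"tcp": set(), "udp": set()}

    def _alloc_consecutive(self, proto: str, count: int) -> List[int]:
        # Scan for `count` adjacent free ports: count == 2 is the "two
        # consecutive UDP ports" case, count == 1 the single-port modules.
        used = self.in_use[proto]
        for p in range(self.first, self.last - count + 2):
            run = range(p, p + count)
            if not used.intersection(run):
                used.update(run)
                return list(run)
        raise RuntimeError(f"no {count} consecutive free {proto} ports")

    # The three standardized processing modules named in the text.
    def module_1_single_tcp(self) -> List[int]:
        return self._alloc_consecutive("tcp", 1)

    def module_2_single_udp(self) -> List[int]:
        return self._alloc_consecutive("udp", 1)

    def module_3_udp_pair(self) -> List[int]:
        return self._alloc_consecutive("udp", 2)

    def allocate(self, port_type: str, count: int) -> List[int]:
        """Dispatch a port request (type, number) straight to its module."""
        modules = {("tcp", 1): self.module_1_single_tcp,
                   ("udp", 1): self.module_2_single_udp,
                   ("udp", 2): self.module_3_udp_pair}
        key = (port_type.lower(), count)
        if key not in modules:
            raise ValueError(f"no processing module for {count} {port_type} port(s)")
        return modules[key]()

    def release(self, proto: str, ports: List[int]) -> None:
        # The "revoke port" message at shutdown: ports go back to the pool.
        self.in_use[proto].difference_update(ports)


@dataclass(frozen=True)
class Channel:
    number: int
    app: Endpoint        # main application component, e.g. (A, 110)
    fwd_iface: Endpoint  # transit component, e.g. (B, 0) = forwarding interface 0
    transit: Endpoint    # transit server, e.g. (C, 130)
    target: Endpoint     # target server, e.g. (D, 140)


class ChannelTable:
    """Table 3 as held by the transit component: one Channel row per number."""

    def __init__(self) -> None:
        self.rows: Dict[int, Channel] = {}

    def open(self, app_ip: str, fwd_ip: str, transit_ip: str, target_ip: str,
             app_ports: List[int], target_ports: List[int], proto: str,
             allocator: PortAllocator) -> List[Channel]:
        # Steps 203-206 in one call: the transit server allocates as many ports
        # as requested and one forwarding interface is numbered per channel.
        transit_ports = allocator.allocate(proto, len(app_ports))
        new_rows = []
        for ap, tp, dp in zip(app_ports, transit_ports, target_ports):
            n = len(self.rows)
            row = Channel(n, (app_ip, ap), (fwd_ip, n), (transit_ip, tp), (target_ip, dp))
            self.rows[n] = row
            new_rows.append(row)
        return new_rows

    def next_hop_outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Data from a main-application port: the target port it is relayed to."""
        for row in self.rows.values():
            if row.app == src:
                return row.target
        return None

    def next_hop_inbound(self, src: Endpoint, arrived_at: Endpoint) -> Optional[Endpoint]:
        """Return traffic at a transit-server port: the main-application port it goes
        back to. Added check: only the target recorded for that port is relayed."""
        for row in self.rows.values():
            if row.transit == arrived_at and row.target == src:
                return row.app
        return None


def build_example_table() -> ChannelTable:
    """Channels 0 and 1 of the text: A/110-B/0-C/130-D/140 and A/111-B/1-C/131-D/141."""
    allocator = PortAllocator(130, 139)   # constructed pool that starts at 130
    table = ChannelTable()
    table.open("A", "B", "C", "D", [110, 111], [140, 141], "udp", allocator)
    return table
```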
The client's main application component may also use the port numbers allocated by the transit server that it has received to complete the negotiation of communication ports through the main application component's own complex communication protocol (for example H.323, SIP, MGCP or H.248/MeGaCo). The negotiation process is implemented in two cases:
First case: the transit component and the transit server do not support the complex protocol of the main application component that transmits data by parsing packet contents (for example H.323, SIP, MGCP or H.248/MeGaCo). In this case a conversion module is additionally provided in the main application component, which converts the main application component's negotiated IP address and port carried in the data portion of the complex protocol's packets into the IP address and port of the corresponding transit server. For example, if the negotiated port number of the main application component is 110, the main application component's IP address and port 110 are replaced with the transit server's IP address and port number 130; the packet is sent to the target server over the corresponding logical channel 0; the target server obtains the transit server's IP address and port 130 from the data portion of the packet and returns the negotiation response to port 130 of the transit server, from where it is returned over logical channel 0 to the main application component, ending the negotiation process.
Second case: the transit component or the transit server supports the complex protocol of the main application component that transmits data by parsing packet contents. In this case the conversion module is placed in whichever of the transit component or the transit server supports the complex protocol; it parses the data portion of the negotiation packets coming from the main application component, converts the main application component's negotiated IP address and port carried there into the IP address and port of the corresponding transit server, and sends the converted packet to the target server. The target server, processing with the same communication protocol as the main application component, obtains the transit server's IP address and port from the data portion of the packet and returns the negotiation response to that port of the transit server, from where it is returned over the corresponding logical channel to the main application component, ending the negotiation process.
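The conversion module of the two negotiation cases above, as an added Python example that is not the patent's code: it rewrites the main application component's negotiated IP address and port inside an SDP body (the data portion of a SIP message, one of the protocols the text names) to the transit server's IP address and port of the matching logical channel. The channel-table excerpt, the SDP offer and the documentation addresses 192.0.2.10 (standing in for A) and 198.51.100.5 (standing in for C) are constructed, and the function name is this example's own.

```python
import re
from typing import Dict, Tuple

Endpoint = Tuple[str, int]

# Excerpt of the logical-channel table for the two channels of the text:
# (A, 110) -> (C, 130) and (A, 111) -> (C, 131), with documentation addresses
# standing in for A and C (constructed values).
CHANNELS: Dict[Endpoint, Endpoint] = {
    ("192.0.2.10", 110): ("198.51.100.5", 130),
    ("192.0.2.10", 111): ("198.51.100.5", 131),
}

# Constructed SDP offer as the main application component would place it in
# the data portion of a SIP INVITE: RTP on UDP 110, RTCP on the consecutive 111.
OFFER = ("v=0\r\n"
         "o=app 1 1 IN IP4 192.0.2.10\r\n"
         "s=-\r\n"
         "c=IN IP4 192.0.2.10\r\n"
         "t=0 0\r\n"
         "m=audio 110 RTP/AVP 0\r\n"
         "a=rtcp:111\r\n")

_CONN = re.compile(r"^(c=IN IP4 )(\S+)(.*)$")      # session connection address
_M_LINE = re.compile(r"^(m=\w+ )(\d+)( .*)$")      # media line: port is group 2
_RTCP = re.compile(r"^(a=rtcp:)(\d+)(.*)$")        # RTCP port attribute


def convert_negotiation(body: str, channels: Dict[Endpoint, Endpoint]) -> str:
    """Rewrite every negotiated (ip, port) of the main application component in
    the SDP body to the transit server's (ip, port) of its logical channel."""
    lines = body.split("\r\n")
    conn = next((m for m in map(_CONN.match, lines) if m), None)
    if conn is None:
        raise ValueError("SDP body has no session-level c= line")
    app_ip, transit_ip, out = conn.group(2), None, []
    for line in lines:
        for pattern in (_M_LINE, _RTCP):
            m = pattern.match(line)
            if m is None:
                continue
            mapped = channels.get((app_ip, int(m.group(2))))
            if mapped is None:
                # No logical channel for this port: the target could never
                # reach the private address, so refuse instead of forwarding
                # it unchanged (added check).
                raise ValueError(f"port {m.group(2)} has no logical channel")
            if transit_ip not in (None, mapped[0]):
                raise ValueError("one offer must not span two transit servers")
            transit_ip = mapped[0]
            line = f"{m.group(1)}{mapped[1]}{m.group(3)}"
            break
        out.append(line)
    if transit_ip is not None:
        # Point the connection address at the transit server as well.
        out = [_CONN.sub(lambda c: c.group(1) + transit_ip + c.group(3), l)
               for l in out]
    return "\r\n".join(out)
```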
Finally, when the client shuts down, the client first sends a port-release message to the transit server to request closing the connections of the logical channels, then tears down the dedicated channel 15 established with the transit server and releases all related resources; likewise, when the server side shuts down, the transit server sends a port-release message to the client to request closing the connections of the logical channels, then tears down the dedicated channel 15 established with the transit component and releases all related resources.
With the solution of the present invention, the information exchanged between the main application component and the target server can successfully traverse the forwarding device introduced between the private network and the public network, for the reasons analysed below.
If the forwarding device is a firewall, the port-to-port logical channel uses the dedicated channel 15 to communicate when crossing the firewall; because that dedicated channel is a single TCP or UDP connection whose port is an open port of the firewall, the information between the main application component and the target server can successfully pass through the firewall.
Since the communication between the transit component and the transit server is simple communication that matches the characteristics of the forwarding device, and the interaction protocol used is only a simple internal protocol, it is generally not obstructed by the forwarding device, so communication through the forwarding device succeeds.
In addition, if the forwarding device is a NAT or proxy server, then because the interaction protocol between the transit component and the transit server is only a simple internal protocol, it does not need to return responses according to the source IP address and port included in the data portion of the packet, as complex protocols (such as H.323 and SIP) do; instead it returns responses according to the source IP address and port in the packet header, and the IP address and port in the header have been translated by the NAT or proxy server, so the returned response can successfully pass back through the NAT or proxy server, giving unobstructed communication between the main application component and the target server.
When the forwarding device is a proxy server, such as an HTTP, SOCKS4 or SOCKS5 proxy, the functions of the proxy protocol are relatively easy to implement in the transit component on the client side, so the exchanged information can successfully pass through the proxy server even when the main application component does not support the proxy protocol.
The above is only a preferred specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any changes or substitutions that a person familiar with the art can readily think of within the technical scope disclosed by the present invention shall be covered by the scope of protection of the present invention.

Claims

1. A device for implementing communication between a client and a server, applied to a communication system including a client, a server and a forwarding device between them, characterized in that the device includes:
a transit component, which establishes with the transit server a dedicated channel that passes through the forwarding device, establishes a communication connection between itself and the client, and establishes with the transit server a logical channel between the client and the server based on that dedicated channel;
a transit server, which establishes with the transit component a dedicated channel that passes through the forwarding device, establishes a communication connection between itself and the server, and establishes with the transit component a logical channel between the client and the server based on that dedicated channel.
2. The device according to claim 1, characterized in that the dedicated channel between the transit component and the transit server is a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) communication connection, and the port of the dedicated channel uses an open port of the forwarding device.
3. The system according to claim 1, characterized in that the transit server includes: a port allocation module for receiving a port request from a main application component and allocating a local port, and for establishing the logical channel according to the port request and the local port.
4. The device according to claim 3, characterized in that the port allocation module includes: an allocation module for allocating a single TCP port, an allocation module for allocating a single UDP port, and an allocation module for allocating two consecutive UDP ports;
any one of the allocation module for allocating a single TCP port, the allocation module for allocating a single UDP port and the allocation module for allocating two consecutive UDP ports receives the port request and allocates a local port of the corresponding type.
5. The device according to claim 1, characterized in that the device further includes: a conversion module for the negotiated address and port, provided in the transit component or in the transit server, for parsing the negotiation packet sent by the client to the server and converting the client's negotiated IP address and port in the data portion of that packet into the IP address and port of the transit server of the current logical channel.
6. A communication system, including a client, a server and a forwarding device connected between them, the client including a main application component and the server including at least one target server; characterized in that the system further includes a transit component and a transit server; the transit component establishes with the transit server a dedicated channel that passes through the forwarding device, establishes a communication connection between itself and the main application component, and establishes with the transit server a logical channel between the main application component and the target server based on that dedicated channel;
the transit server establishes with the transit component a dedicated channel that passes through the forwarding device, establishes a communication connection between itself and the target server, and establishes with the transit component a logical channel between the main application component and the target server based on that dedicated channel.
7. The system according to claim 6, characterized in that the dedicated channel between the transit component and the transit server is a TCP or UDP communication connection, and the port of the dedicated channel uses an open port of the forwarding device.
8. The system according to claim 6, characterized in that the transit server includes: a port allocation module for receiving a port request from the main application component and allocating a local port, and for establishing the logical channel according to the port request and the local port.
9. The system according to claim 8, characterized in that the port allocation module includes: an allocation module for allocating a single TCP port, an allocation module for allocating a single UDP port, and an allocation module for allocating two consecutive UDP ports;
any one of the allocation module for allocating a single TCP port, the allocation module for allocating a single UDP port and the allocation module for allocating two consecutive UDP ports is used to receive the port request and allocate a local port of the corresponding type.
10. The system according to claim 6, characterized in that the system further includes: a conversion module for the negotiated address and port, provided in the main application component, in a transit component that supports the communication protocol of the main application component, or in a transit server that supports the communication protocol of the main application component, for parsing the negotiation packet sent by the main application component to the target server and converting the main application component's negotiated IP address and port in the data portion of that packet into the IP address and port of the transit server of the current logical channel.
11. The system according to any one of claims 6 to 10, characterized in that the forwarding device is a network address translation device, a proxy server or a firewall.
12. A method for implementing communication between a client and a server, applied to a communication system including a client, a server and a forwarding device connected between them, characterized in that the method includes:
establishing between the client and the server a dedicated channel that passes through the forwarding device; and, when the main application component of the client communicates with a target server of the server side, establishing a logical channel between the main application component and the target server based on the dedicated channel and communicating over it.
13. The method according to claim 12, characterized in that establishing between the client and the server a dedicated channel that passes through the forwarding device includes: providing a transit component on the client side and a transit server on the server side, the dedicated channel being established by the transit component and the transit server;
establishing a logical channel based on the dedicated channel between the main application component and the target server includes: the transit component establishes a communication connection between itself and the main application component, and the transit server establishes a communication connection between itself and the target server; the main application component, the transit component, the transit server and the target server each allocate their own communication ports, and the correspondence between these communication ports is established, forming the logical channel.
14. The method according to claim 13, characterized in that the transit component and the transit server establishing the logical channel based on the dedicated channel between the main application component and the target server includes:
the main application component sends to the transit component a port request carrying the IP address and port of the main application component and the IP address and port of the target server;
the transit component encapsulates the port request using the internal protocol, forwards the encapsulated port request to the transit server over the dedicated channel, and locally allocates a forwarding interface for data forwarding; the transit server allocates a local port according to the received port request and establishes the correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server;
the transit server returns the established correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server to the transit component over the dedicated channel, and the transit component establishes the correspondence between the logical channel number, the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server;
the correspondence between the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server serves as the logical channel for communication between the main application component and the target server.
15. The method according to claim 13, characterized in that the transit component and the transit server establishing the logical channel based on the dedicated channel between the main application component and the target server includes:
the main application component sends to the transit component a port request carrying the IP address and port of the main application component;
the transit component encapsulates the port request using the internal protocol, forwards the encapsulated port request to the transit server over the dedicated channel, and locally allocates a forwarding interface for data forwarding; the transit server allocates a local port according to the received port request;
the main application component sends the IP address and port of the target server to the transit component and the transit server through communication data or a notification;
the transit server establishes the correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server;
the transit server returns the established correspondence between the logical channel number, the IP address and port of the transit server, and the IP address and port of the target server to the transit component, and the transit component establishes the correspondence between the logical channel number, the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server;
the correspondence between the IP address and port of the main application component, the forwarding interface of the transit component, the IP address and port of the transit server, and the IP address and port of the target server serves as the logical channel for communication between the main application component and the target server.
16. The method according to claim 14 or 15, characterized in that the port request carries the requested port type and number of ports, and the transit server allocates local ports of the corresponding type and number according to the port request.
17. The method according to claim 16, characterized in that the requested port type and number include one or any combination of the following three: a single TCP port, a single UDP port, or two consecutive UDP ports.
18. The method according to claim 14 or 15, characterized in that the main application component sends the port request to the transit component in the form of a request message, and the forwarding interface allocated by the transit component is a local port.
19. The method according to claim 14 or 15, characterized in that the main application component sends the port request to the transit component in the form of a function call, and the forwarding interface allocated by the transit component is a local port.
20. The method according to claim 14 or 15, characterized in that the main application component sends the port request to the transit component in the form of a function call, and the forwarding interface allocated by the transit component is a callback function.
21. The method according to claim 12, characterized in that the method further includes: when the main application component performs port negotiation with the target server, the transit server parses the negotiation packet sent by the main application component to the target server, converts the main application component's negotiated IP address and port in the data portion of the negotiation packet into the IP address and port of the transit server of the logical channel, and then sends the converted negotiation packet to the target server.
22. The method according to claim 12, characterized in that the forwarding device is a network address translation device, a proxy server or a firewall.
PCT/CN2006/002574 2005-09-29 2006-09-29 An apparatus, system and method for realizing communication between the client and the server WO2007036160A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
BRPI0616627-0A BRPI0616627A2 (en) 2005-09-29 2006-09-29 equipment, system, and method for client-server communication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2005101080610A CN100477636C (en) 2005-09-29 2005-09-29 Apparatus and method for communication between client main application component and target server
CN200510108061.0 2005-09-29

Publications (1)

Publication Number Publication Date
WO2007036160A1 true WO2007036160A1 (en) 2007-04-05

Family

ID=37899382

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/002574 WO2007036160A1 (en) 2005-09-29 2006-09-29 An apparatus, system and method for realizing communication between the client and the server

Country Status (4)

Country Link
CN (1) CN100477636C (en)
BR (1) BRPI0616627A2 (en)
RU (1) RU2396716C2 (en)
WO (1) WO2007036160A1 (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU2118051C1 (en) * 1996-04-30 1998-08-20 Лихачев Александр Геннадьевич Method for access to world-wide web resources using proxy servers
US5778174A (en) * 1996-12-10 1998-07-07 U S West, Inc. Method and system for providing secured access to a server connected to a private computer network
US7293108B2 (en) * 2001-03-15 2007-11-06 Intel Corporation Generic external proxy

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1570904A (en) * 2003-07-23 2005-01-26 张恒 Mobile remote computer access and control system and method thereof
WO2005057882A1 (en) * 2003-12-11 2005-06-23 Tandberg Telecom As Communication systems for traversing firewalls and network address translation (nat) installations
CN1633100A (en) * 2003-12-24 2005-06-29 华为技术有限公司 Method and system for multimedia service network address translation traversal
CN1588901A (en) * 2004-09-30 2005-03-02 西安西电捷通无线网络通信有限公司 Method for realizing double layer tunnel in flexible IP network technology system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116320641A (en) * 2023-05-19 2023-06-23 河北网新科技集团股份有限公司 Video data transmission method and system
CN116320641B (en) * 2023-05-19 2023-08-04 河北网新科技集团股份有限公司 Video data transmission method and system

Also Published As

Publication number Publication date
RU2008115139A (en) 2009-11-10
BRPI0616627A2 (en) 2011-06-28
CN1941738A (en) 2007-04-04
RU2396716C2 (en) 2010-08-10
CN100477636C (en) 2009-04-08

Similar Documents

Publication Publication Date Title
WO2007036160A1 (en) An apparatus, system and method for realizing communication between the client and the server
EP1650916B1 (en) The system and method for realize multimedia call crossover the private network
EP2034666B1 (en) Method and system for realizing media stream interaction and media gateway controller and media gateway
JP3757399B2 (en) Communications system
TWI408936B (en) Network traversal method and network communication system
CN100454905C (en) Method of Traversing Network Address Translation
JP5972398B2 (en) ICE-based NAT traversal
US20050066038A1 (en) Session control system, communication terminal and servers
WO2005062546A1 (en) A method for achieving the conversion and traverse of network address and system thereof
WO2010127610A1 (en) Method, equipment and system for processing visual private network node information
US20130007291A1 (en) MEDIA INTERWORKING IN IPv4 AND IPv6 SYSTEMS
WO2012034309A1 (en) Method, terminal and system for file transfers between session initiation protocol (sip) terminals in network address translation (nat) network
WO2015096302A1 (en) Nat traversal method based on sip media capability re-negotiation, proxy server and system
CN100403729C (en) The method of call control and media flow traversing private network in SIP softswitch system
CN100493048C (en) Multimedia communication proxy system and method for traversing network address translation and firewall
KR101606142B1 (en) Apparatus and method for supporting nat traversal in voice over internet protocol system
WO2008003214A1 (en) Method, device and system for media flow traversing nat
CN101179468A (en) Method for communication between isomerized network SIP terminal and H.323 terminal
CN107634954B (en) Soft switch calling method and system
CN100401700C (en) A method for point-to-point calling of multimedia terminals in two private networks
US8774163B2 (en) Communication system and method for implementing IP cross-domain interconnecting via border media gateway
KR100438182B1 (en) Method of different IP-address attaching for gatekeeper and NAT-PT
WO2007012233A1 (en) A method for multi-media services travel through nat
WO2006116933A1 (en) A method, system and equipment for realizing intercommunication between the ip domains
KR100660123B1 (en) Vpn server system and vpn terminal for a nat traversal

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase (Ref document number: 1446/CHENP/2008; Country of ref document: IN)
NENP Non-entry into the national phase (Ref country code: DE)
WWE Wipo information: entry into national phase (Ref document number: 2008115139; Country of ref document: RU)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO 112(1) EPC OF 130808)
122 Ep: pct application non-entry in european phase (Ref document number: 06791160; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: PI0616627; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20080331)