
CN103179104B - Remote service access method, system and device thereof - Google Patents

Remote service access method, system and device thereof

Info

Publication number: CN103179104B
Authority: CN (China)
Prior art keywords: control device, level control, remote service, information, client
Prior art date:
Legal status: Active
Application number: CN201110444777.3A
Other languages: Chinese (zh)
Other versions: CN103179104A
Inventors: 种璟, 唐本亭, 陈源, 赵立君
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Priority date:
Filing date:
Publication date:

Events:
  • Application filed by China Mobile Communications Group Co Ltd
  • Priority to CN201110444777.3A
  • Publication of CN103179104A
  • Application granted
  • Publication of CN103179104B
  • Legal status: Active (current)
  • Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a remote service access method, system and device. The method includes: a first-level control device in a first network receives a remote service request from a client and notifies an external system of the request; the external system uses the request to determine an intranet server for the client. A second-level control device in a second network receives the intranet server's information from the external system and uses it to establish a connection with the intranet server. The second-level control device obtains the remote service from the intranet server over that connection and returns it to the first-level control device, which returns it to the client. The invention improves the security of remote service access.

Description

Remote service access method, system and device thereof

Technical field

The present invention relates to the field of communication technology, and in particular to a remote service access method, system and device.

Background

In practice it is often necessary to remotely access or control one or more other devices in order to get work done. In the prior art, under Windows remote access or control can be implemented with VNC (Virtual Network Computing) or Remote Desktop; under Unix it can be implemented with SSH (Secure Shell) or VNC.

(1) SSH. Figure 1 is a schematic diagram of the workflow between a remote SSH server and a local SSH client: the SSH client requests a connection to the SSH server; the SSH server checks whether the SSH client passes security verification; if it does, the SSH server sends a key to the SSH client; the SSH client's local remote-server daemon sends the key back to the SSH server. (This is the patent's own simplified sketch of Figure 1; in the SSH protocol as deployed, the server presents its host key for the client to verify and the client then authenticates with its own password or key pair rather than echoing a server-supplied key.)

(2) VNC. (a) Screen control principle: VNC renders the controlled end's screen as an image, compresses it and sends it to the controlling end; control information from the controlling end (such as mouse events) is sent to the controlled end and placed in its message queue. The control process runs over TCP/IP (Transmission Control Protocol / Internet Protocol). (b) Screen capture: a hook automatically reports the region that needs capturing, or a region (such as the foreground window) is polled; the capture is compressed with some compression algorithm and then sent. (c) Transport: the RFB (Remote Frame Buffer) protocol or the X Window System protocol (X protocol).

(3) Remote Desktop. Once the remote desktop connection function is enabled on a device, that device can be controlled from the other end of the network and operated in real time; for example, a network administrator can securely control the organization's equipment from home.

In the course of developing the present invention, the inventors found that the prior art has at least the following problems:

In the VNC and Remote Desktop modes, which run over TCP/IP, a mapping between external-network and internal-network entities has to be established and the user has to be given the user name and password of the accessed device (transmitted over the network in cleartext); this is both cumbersome and insecure, and troublesome for users and service providers alike. In the SSH mode, SSH cannot provide complete online protection for remote access and cannot close every hole on all other ports (including NFS (Network File System) attacks and the like).

Summary of the invention

Embodiments of the present invention provide a remote service access method, system and device, so as to improve the security of remote service access.

To achieve the above object, an embodiment of the present invention provides a remote service access method, comprising:

a first-level control device in a first network receives a remote service request sent by a client and notifies an external system of the remote service request, and the external system uses the remote service request to determine an intranet server for the client;

a second-level control device in a second network receives the information of the intranet server sent by the external system and establishes a connection with the intranet server using that information;

the second-level control device obtains the remote service from the intranet server over the connection and returns the remote service to the first-level control device;

the first-level control device returns the remote service to the client.

An embodiment of the present invention provides a remote service access system comprising a first-level control device in a first network and a second-level control device in a second network, wherein:

the first-level control device is configured to receive a remote service request sent by a client and to notify an external system of the request, the external system using the request to determine an intranet server for the client;

and to return the remote service received from the second-level control device to the client;

the second-level control device is configured to receive the information of the intranet server sent by the external system and to establish a connection with the intranet server using that information;

and to obtain the remote service from the intranet server over the connection and return it to the first-level control device.

An embodiment of the present invention provides a remote service access device, which is a first-level control device located in a first network and comprises:

a first receiving module configured to receive a remote service request sent by a client;

a first sending module configured to notify an external system of the remote service request, the external system using the request to determine an intranet server for the client;

a second receiving module configured to receive the remote service returned by a second-level control device in a second network, which that device obtained from the intranet server;

a second sending module configured to return the remote service to the client.

An embodiment of the present invention provides a remote service access device, which is a second-level control device located in a second network and comprises:

a receiving module configured to receive the information of an intranet server sent by an external system;

a processing module configured to establish a connection with the intranet server using that information and to obtain a remote service from the intranet server over the connection;

a sending module configured to return the remote service to a first-level control device in a first network.

Compared with the prior art, the embodiments of the present invention have at least the following advantage: a two-level control mechanism protects the intranet server that provides the remote service, separating the client from the intranet server that actually provides the service and thereby improving the security of remote service access.

Brief description of the drawings

To explain the technical solution of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

Figure 1 is a schematic diagram of the workflow between a remote SSH server and a local SSH client in the prior art;

Figure 2 is a schematic diagram of the application scenario of the remote service access method provided by Embodiment 1 of the present invention;

Figure 3 is a schematic flowchart of a remote service access method provided by Embodiment 1 of the present invention;

Figures 4 and 5 are schematic diagrams of the functional modules of the first-level control device and of the second-level control device, respectively, provided by Embodiment 1 of the present invention;

Figure 6 is a schematic structural diagram of a remote service access device provided by Embodiment 3 of the present invention;

Figure 7 is a schematic structural diagram of a remote service access device provided by Embodiment 4 of the present invention.

Detailed description

The technical solution of the present invention will be described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

Embodiment 1

Embodiment 1 of the present invention provides a remote service access method; Figure 2 is a schematic diagram of its application scenario. The method is applied in a system comprising a client on the public network, an intranet server on the intranet, a first-level control device in a first network of the isolation network, and a second-level control device in a second network of the isolation network. The resource pool in the first network contains multiple first-level control devices, and the resource pool in the second network contains multiple second-level control devices.

Based on the above application scenario, and as shown in Figure 3, the remote service access method includes the following steps:

Step 301: the client sends a remote service request on the public network. The remote service request is a request for a remote-control-based service (for example, a request for a desktop service).

The content carried in the remote service request includes, but is not limited to: client information (such as the client's IP address and port), the session identifier corresponding to this remote service request, and description information of the resources the remote service needs (such as the configuration required of the intranet server that provides the resources).

In the embodiment of the present invention, the client may send the remote service request in different ways according to the remote control mode used: for example over SSH, over VNC, or over RDP (Remote Desktop Protocol).

Step 302: the first-level control device in the first network receives the remote service request sent by the client. The resource pool in the first network contains multiple first-level control devices, and any one of them may receive a given remote service request from a client.

Note that before the first-level control device receives the remote service request from the client, the client first has to send the request to a service receiving system. For example, when the client's remote service request needs to be authenticated by a web authentication system, the client sends the request to the web authentication system, which authenticates it (for instance by determining whether the received request was sent by an intranet client). If authentication passes, it is determined that the request may be sent to the first-level control device; otherwise it is determined that the request may not be sent to the first-level control device.

If the request may be sent to the first-level control device, the service receiving system can either send it to the first-level control device directly or tell the client to send it to the first-level control device (for example, the web authentication system redirects the client's remote service request to the first-level control device).

In the embodiment of the present invention, because the remote service request carries the client information and the session identifier, after receiving the request the first-level control device can directly use the information carried in it to build a mapping table that records the correspondence between the session identifier carried in the request and the client information.

Step 303: the first-level control device notifies the external system of the remote service request, and the external system uses the request to determine an intranet server for the client. The external system (that is, existing information management systems, portals and the like) can implement functions including, but not limited to, authentication, service application workflow management, and server account/password provisioning.

In the embodiment of the present invention, because the remote service request carries description information of the resources the remote service needs (such as the configuration required of the intranet server that provides the resources), the external system can use its service application workflow management function to determine an intranet server for the client. For example, if the required configuration is stated as memory and CPU requirements, the external system selects from the intranet servers one that meets those memory and CPU requirements. Specifically, there are multiple intranet servers on the intranet providing services to clients, and the external system determines one of them for the client according to the configuration required of the server providing the resources.

In the embodiment of the present invention, before the first-level control device notifies the external system of the remote service request, it may also send the client's authentication information and/or its own authentication information to the external system; the external system can then use its authentication function and that information to authenticate the client and/or the first-level control device. If authentication passes, the external system informs the first-level control device, which then notifies the external system of the remote service request; if authentication fails, the external system informs the first-level control device, which discards the remote service request.

In the embodiment of the present invention, when the first-level control device notifies the external system of the remote service request, it may also send its own description information together with the request. The description information of the first-level control device includes, but is not limited to, the address of the first-level control device and the link information corresponding to the remote service request.

The processing of the first-level control device is further explained below with reference to the functional module diagram in Figure 4. The first-level control device comprises a user session management module, a service management module, and a link management and forwarding module. The user session management module keeps and manages state for the client's remote service request, authentication information and the various contents of the communication; the service management module classifies and manages the services of all clients and maintains the correspondence between session identifiers and client information; the link management and forwarding module forwards remote service requests.

Specifically, after receiving the remote service request from the client, the user session management module may send the client's authentication information (carried in the request) and/or the first-level control device's authentication information (available locally) to the external system; once the client and/or the first-level control device have passed authentication, the user session management module sends the remote service request to the service management module.

After receiving the remote service request from the user session management module, the service management module uses the information carried in the request to build the mapping table recording the correspondence between the session identifier carried in the request and the client information; once the mapping table is built, the service management module sends the remote service request to the link management and forwarding module.

After receiving the remote service request from the service management module, the link management and forwarding module sends it to the external system, which runs the service application workflow (that is, determines the intranet server) using its service application workflow management function; it also sends the description information of the first-level control device to the external system together with the request, that description information including, but not limited to, the address of the first-level control device and the link information corresponding to the remote service request.

Step 304: the second-level control device in the second network receives the information of the intranet server sent by the external system (such as the intranet server's IP address and port, and CA certificate information (such as account and password information)). Specifically, after the external system has determined an intranet server for the client, it can obtain that server's information and send it to the second-level control device. The resource pool in the second network contains multiple second-level control devices; depending on the actual situation, the external system may select any one of them and notify the selected device of the intranet server's information.

In the embodiment of the present invention, after receiving the description information from the first-level control device, the external system also needs to pass the first-level control device's description information on to the second-level control device. The second-level control device therefore receives from the external system both the intranet server's information and the first-level control device's description information, the latter including, but not limited to, the address of the first-level control device and the link information corresponding to the remote service request.

Step 305: the second-level control device establishes a connection with the intranet server using the intranet server's information. Because that information includes the server's IP address and port, the second-level control device can establish the connection directly using that IP address and port.

Specifically, depending on the remote control mode, the second-level control device establishes an SSH, VNC or RDP connection with the intranet server as required and keeps the established connections, so that it can obtain remote services from the intranet server over them. When the client sent its remote service request over SSH, the second-level control device establishes an SSH connection with the intranet server; when the client sent it over VNC, a VNC connection; when the client sent it over RDP, an RDP connection.

Note that while the second-level control device is establishing the connection, the intranet server may also require the second-level control device to authenticate. Specifically, before establishing the connection, the second-level control device can request the intranet server's account, password and similar information from the external system. Because the external system has a server account/password provisioning function (the account, password and similar information of the intranet servers that will provide services are stored on a server of the external-network system, from which they can be supplied to the second-level control device), the external system returns the account and password corresponding to the intranet server to the second-level control device, which uses them to establish the connection with the intranet server.

以下结合图5所示的第二级控制设备的功能模块示意图对第二级控制设备的处理进行进一步说明。第二级控制设备包括:链接服务接口模块、鉴权认证模块、服务物理链路管理模块;该链接服务接口模块用于对所有的链路进行接入、监控和管理;该鉴权认证模块用于根据链路接口服务动态申请服务器资源的账号密码;该服务物理链路管理模块用于与内网服务器建立连接。The processing of the second-level control device will be further described below with reference to the functional module schematic diagram of the second-level control device shown in FIG. 5 . The second-level control equipment includes: a link service interface module, an authentication module, and a service physical link management module; the link service interface module is used to access, monitor and manage all links; the authentication module uses The account password for dynamically applying for server resources according to the link interface service; the service physical link management module is used to establish a connection with the intranet server.

具体的,链接服务接口模块在接收到来自外部系统的内网服务器的信息以及第一级控制设备的描述信息之后,向外部系统的服务申请流程管理发送确认请求,且在确认了当前申请为有效服务申请后,向鉴权认证模块发送需要从内网服务器获得远程服务的请求。Specifically, after receiving the information from the intranet server of the external system and the description information of the first-level control device, the link service interface module sends a confirmation request to the service application process management of the external system, and after confirming that the current application is valid After the service application, a request to obtain remote services from the intranet server is sent to the authentication module.

鉴权认证模块在接收到来自链接服务接口模块的请求后,从外部系统的服务器账号密码申请机制中获得可用的资源;且当得到可用资源的账号密码时,向服务物理链路管理模块发送需要从内网服务器获得远程服务的请求。After receiving the request from the link service interface module, the authentication module obtains available resources from the server account password application mechanism of the external system; Obtain a remote service request from an intranet server.

After receiving the request from the authentication module, the service physical link management module establishes an SSH-, VNC- or RDP-based connection with the physical intranet server as required and keeps these established connections, so that they can be used to obtain remote services from the intranet server.

It should be noted that the second-level control device shields the information of the intranet servers. By default every intranet server is completely disconnected; the user only knows that a given intranet server is available, but does not know its specific details. Moreover, after the service connection is closed, the next connection request from the client is not necessarily served by the previous intranet server; if the client needs to continue accessing the intranet server that served it before, the client must identify itself by means of the previous session identifier, so that the second-level control device can assign that server to the client.

Step 306: the second-level control device uses the established connection to obtain a remote service (such as a desktop service) from the intranet server.

Step 307: the second-level control device returns the remote service to the first-level control device.

Specifically, since the second-level control device previously received the description information of the first-level control device, which includes but is not limited to the address information of the first-level control device and the link information corresponding to the remote service request, after obtaining the remote service the second-level control device can directly use the link information corresponding to the remote service request to determine that the remote service needs to be returned to the first-level control device, and can then return the remote service to the first-level control device by means of its address information.

Step 308: the first-level control device returns the remote service to the client.

Specifically, since the first-level control device has previously built the mapping table that records the correspondence between the session identifier carried in the remote service request and the client information, after obtaining the remote service the first-level control device can obtain the session identifier corresponding to that remote service (the remote service sent by the second-level control device to the first-level control device can carry this session identifier, which is the same as the one carried in the remote service request), look up the correspondence recorded in the mapping table using that session identifier to obtain the client information, and return the remote service to the client by means of the client information.
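As an added illustration that is not part of the patent, the following Python simulation models the processing described above: the first-level device keeps the session-identifier-to-client mapping table, the external system resolves the server and hands credentials only to the second-level device, the second-level device keeps its connections and returns the service tagged with the session identifier and link information, and a repeated session identifier is routed back to the same intranet server. The class names, the external-system API, the tokens, the addresses and the PLACEHOLDER passwords are all constructed assumptions.

```python
"""Added example (not the patent holder's code): an offline simulation of the two-level
control mechanism described above. All class names, the external-system API and the
sample servers and credentials are constructed."""
from dataclasses import dataclass


@dataclass
class RemoteService:
    # The session identifier and link information travel with the returned service.
    session_id: str
    link_id: str
    payload: str


class ExternalSystem:
    """Authenticates the requester, picks an intranet server for a session and
    hands that server's account/password to the second-level device only."""

    def __init__(self, servers, allowed_clients):
        self._servers = servers          # name -> (address, account, password)
        self._allowed = allowed_clients  # accepted client authentication tokens
        self.assigned = {}               # session_id -> server name

    def authenticate(self, client_auth, device_auth):
        return client_auth in self._allowed and device_auth == "first-level-token"

    def resolve_server(self, session_id):
        """A repeated session identifier is routed back to the server it had
        before (the reconnect case in the text); a new one gets the next server."""
        if session_id not in self.assigned:
            names = sorted(self._servers)
            self.assigned[session_id] = names[len(self.assigned) % len(names)]
        return self.assigned[session_id]

    def credentials_for(self, server_name):
        return self._servers[server_name]


class SecondLevelDevice:
    """In the internal network: opens and keeps connections to intranet servers."""

    def __init__(self, external):
        self._external = external
        self.connections = {}            # server name -> kept-alive connection record

    def _connect(self, server_name):
        # Credentials come from the external system, never from the client.
        if server_name not in self.connections:
            address, account, password = self._external.credentials_for(server_name)
            # Stand-in for an SSH/VNC/RDP login with `account`/`password` at `address`;
            # the record is kept so later requests reuse the established connection.
            self.connections[server_name] = {"address": address, "account": account}
        return self.connections[server_name]

    def serve(self, server_name, description, session_id, service):
        self._connect(server_name)
        # The payload carries no server address; the link id from the first-level
        # device's description identifies the link the service is returned on.
        return RemoteService(session_id, description["link"], f"{service} ready")


class FirstLevelDevice:
    """In the external network: the only party the client ever talks to."""

    def __init__(self, external, second_level, address="203.0.113.10"):
        self._external = external
        self._second_level = second_level
        self.address = address           # address the second level returns to
        self.mapping = {}                # session_id -> client info (the mapping table)

    def handle_request(self, client_info, client_auth, session_id, service):
        if not self._external.authenticate(client_auth, "first-level-token"):
            raise PermissionError("external system rejected the request")
        self.mapping[session_id] = client_info
        description = {"address": self.address, "link": f"link-{session_id}"}
        server_name = self._external.resolve_server(session_id)
        result = self._second_level.serve(server_name, description, session_id, service)
        # Look the session identifier up in the mapping table to route the service back.
        return self.mapping[result.session_id], result.payload


def simulate():
    """Constructed scenario: two sessions, one reconnect and one rejected client."""
    servers = {"desktop-01": ("10.0.0.11", "svc", "PLACEHOLDER-PW-1"),
               "desktop-02": ("10.0.0.12", "svc", "PLACEHOLDER-PW-2")}
    external = ExternalSystem(servers, allowed_clients={"tok-client-A"})
    second = SecondLevelDevice(external)
    first = FirstLevelDevice(external, second)
    out = {}
    out["first"] = first.handle_request({"ip": "198.51.100.7"}, "tok-client-A", "s1", "desktop")
    out["reconnect"] = first.handle_request({"ip": "198.51.100.7"}, "tok-client-A", "s1", "desktop")
    out["new_session"] = first.handle_request({"ip": "198.51.100.9"}, "tok-client-A", "s2", "desktop")
    try:
        first.handle_request({"ip": "198.51.100.8"}, "tok-unknown", "s3", "desktop")
        out["rejected"] = False
    except PermissionError:
        out["rejected"] = True
    out["server_for"] = dict(external.assigned)
    out["connections"] = {n: c["address"] for n, c in second.connections.items()}
    return out
```

The client-facing results in `simulate()` never contain a server address, while the second-level device's connection records do; that separation is the shielding the text describes.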

In summary, the embodiment of the present invention provides a two-level control mechanism (the relevant processing is performed by the first-level control device and the second-level control device respectively), and both levels can be deployed and run independently as clusters. The two-level control mechanism consists of the control mechanism from the external network to the internal network (the processing between the client and the first-level control device) and the control mechanism for device interconnection within the internal network (the processing between the second-level control device and the intranet server). The control mechanism from the external network to the internal network maps external-network addresses to internal-network addresses and is the channel through which the internal network is entered; the control mechanism for device interconnection within the internal network stores the accounts, passwords and similar information of the intranet servers providing services on a server, and through it the intranet servers providing services can be accessed directly.

Compared with the prior art, the embodiment of the present invention has at least the following advantages. A two-level protection mechanism is added on top of SSH, VNC or remote desktop access. The first-level protection mechanism is the control mechanism from the external network to the internal network: through it, an access request from an external-network address obtains permission to enter the internal network and can initiate service requests to intranet servers in the internal network, so the trustworthiness of external-network visitors is verified and malicious network attacks such as Trojans and hackers are prevented. The second-level protection mechanism is the control mechanism for device interconnection within the internal network; it protects the intranet servers providing services and can increase the speed of accessing them, and in large systems with heavy traffic multiple second-level protection mechanisms can be set up in parallel to improve service efficiency.

Further, in the embodiment of the present invention, remote desktop control is turned into a service provided to the client (that is, remote access and control are provided to the client as a service), which is convenient and fast; the user does not need to keep user names, passwords or similar information during access, which is simple and convenient; a two-level control mechanism is used to protect the intranet servers providing remote services, shielding their underlying information (such as real IP addresses) so that it never has to be disclosed to the client, which protects the intranet servers providing services and improves security; and the joint processing of the two control levels can improve efficiency.

Embodiment 2

Based on the same inventive concept as the above method, Embodiment 2 of the present invention provides a remote service access system, which includes a first-level control device in a first network and a second-level control device in a second network, where:

the first-level control device is configured to receive a remote service request sent by a client and notify an external system of the remote service request, so that the external system uses the remote service request to determine an intranet server for the client; and to return the remote service coming from the second-level control device to the client;

the second-level control device is configured to receive the information of the intranet server sent by the external system and establish a connection with the intranet server by means of that information; and to use the connection to obtain a remote service from the intranet server and return the remote service to the first-level control device.

In the embodiment of the present invention, the first-level control device is further configured to, after receiving the remote service request sent by the client, establish the correspondence between the session identifier carried in the remote service request and the client information; and further to obtain the session identifier corresponding to the remote service, query the correspondence with that session identifier to obtain the client information, and return the remote service to the client by means of the client information.

In the embodiment of the present invention, the first-level control device is further configured to notify the external system of the authentication information of the client and/or the authentication information of the first-level control device, so that the external system authenticates the client and/or the first-level control device using that authentication information; and, after the authentication passes, to notify the external system of the remote service request.

In the embodiment of the present invention, the first-level control device is further configured to notify the external system of the remote service request together with its own description information;

the second-level control device is further configured to receive the information of the intranet server and the description information of the first-level control device sent by the external system.

In the embodiment of the present invention, the description information of the first-level control device includes the address information of the first-level control device and the link information corresponding to the remote service request; the second-level control device is further configured to use the link information corresponding to the remote service request to determine that the remote service needs to be returned to the first-level control device, and to return the remote service to the first-level control device by means of its address information.

Embodiment 3

Based on the same inventive concept as the above method, Embodiment 3 of the present invention also provides a remote service access device, which is a first-level control device located in a first network. As shown in FIG. 6, the first-level control device includes:

a first receiving module 11, configured to receive a remote service request sent by a client;

a first sending module 12, configured to notify an external system of the remote service request, so that the external system uses the remote service request to determine an intranet server for the client;

a second receiving module 13, configured to receive the remote service that a second-level control device in a second network obtained from the intranet server and returned;

a second sending module 14, configured to return the remote service to the client.

The second sending module 14 is specifically configured to, after the remote service request sent by the client is received, establish the correspondence between the session identifier carried in the remote service request and the client information; and to obtain the session identifier corresponding to the remote service, query the correspondence with that session identifier to obtain the client information, and return the remote service to the client by means of the client information.

The first sending module 12 is specifically configured to notify the external system of the authentication information of the client and/or the authentication information of the first-level control device, so that the external system authenticates the client and/or the first-level control device using that authentication information; and, after the authentication passes, to notify the external system of the remote service request.

The first sending module 12 is specifically configured to notify the external system of the remote service request together with the device's own description information; the description information of the first-level control device includes the address information of the first-level control device and the link information corresponding to the remote service request.

The modules of the device of the present invention may be integrated into one unit or deployed separately. The above modules may be merged into a single module or further split into multiple sub-modules.

Embodiment 4

Based on the same inventive concept as the above method, Embodiment 4 of the present invention provides a remote service access device, which is a second-level control device located in a second network. As shown in FIG. 7, the second-level control device includes:

a receiving module 21, configured to receive the information of an intranet server sent by an external system;

a processing module 22, configured to establish a connection with the intranet server by means of the information of the intranet server, and to use the connection to obtain a remote service from the intranet server;

a sending module 23, configured to return the remote service to a first-level control device in a first network.

The receiving module 21 is specifically configured to receive the information of the intranet server and the description information of the first-level control device sent by the external system.

The description information of the first-level control device includes the address information of the first-level control device and the link information corresponding to the remote service request; the sending module 23 is specifically configured to use the link information corresponding to the remote service request to determine that the remote service needs to be returned to the first-level control device, and to return the remote service to the first-level control device by means of its address information.

The modules of the device of the present invention may be integrated into one unit or deployed separately. The above modules may be merged into a single module or further split into multiple sub-modules.

From the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.

Those skilled in the art can understand that the drawings are only schematic diagrams of a preferred embodiment, and the modules or processes in the drawings are not necessarily required for implementing the present invention.

Those skilled in the art can understand that the modules of the device in the embodiments may be distributed in the device of the embodiment as described, or may be changed accordingly and located in one or more devices different from those of the embodiment. The modules of the above embodiments may be merged into a single module or further split into multiple sub-modules.

The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.

The above disclosure is only a few specific embodiments of the present invention; however, the present invention is not limited thereto, and any changes that those skilled in the art can conceive shall fall within the protection scope of the present invention.

Claims (17)

1. A method for accessing a remote service, comprising: a first-level control device in a first network receiving a remote service request sent by a client and notifying an external system of the remote service request, the external system using the remote service request to determine an intranet server for the client; a second-level control device in a second network receiving the information of the intranet server sent by the external system and establishing a connection with the intranet server by means of the information of the intranet server; the second-level control device using the connection to obtain a remote service from the intranet server and returning the remote service to the first-level control device; and the first-level control device returning the remote service to the client.

2. The method according to claim 1, wherein, after receiving the remote service request sent by the client, the first-level control device establishes a correspondence between the session identifier carried in the remote service request and the client information; and the first-level control device returning the remote service to the client comprises: the first-level control device obtaining the session identifier corresponding to the remote service, querying the correspondence with the session identifier to obtain the client information, and returning the remote service to the client by means of the client information.

3. The method according to claim 1, wherein the first-level control device notifying the external system of the remote service request comprises: the first-level control device notifying the external system of the authentication information of the client and/or the authentication information of the first-level control device, the external system authenticating the client and/or the first-level control device using the authentication information of the client and/or the authentication information of the first-level control device; and, after the authentication passes, the first-level control device notifying the external system of the remote service request.

4. The method according to claim 1, wherein the first-level control device notifying the external system of the remote service request comprises: the first-level control device notifying the external system of the remote service request and its own description information; and the second-level control device receiving the information of the intranet server sent by the external system comprises: the second-level control device receiving the information of the intranet server and the description information of the first-level control device sent by the external system.

5. The method according to claim 4, wherein the description information of the first-level control device includes the address information of the first-level control device and the link information corresponding to the remote service request; and the second-level control device returning the remote service to the first-level control device comprises: the second-level control device using the link information corresponding to the remote service request to determine that the remote service needs to be returned to the first-level control device, and returning the remote service to the first-level control device by means of the address information of the first-level control device.

6. A system for accessing a remote service, comprising a first-level control device in a first network and a second-level control device in a second network, wherein: the first-level control device is configured to receive a remote service request sent by a client and notify an external system of the remote service request, the external system using the remote service request to determine an intranet server for the client; and to return the remote service coming from the second-level control device to the client; and the second-level control device is configured to receive the information of the intranet server sent by the external system and establish a connection with the intranet server by means of the information of the intranet server; and to use the connection to obtain a remote service from the intranet server and return the remote service to the first-level control device.

7. The system according to claim 6, wherein the first-level control device is further configured to, after receiving the remote service request sent by the client, establish a correspondence between the session identifier carried in the remote service request and the client information; and further to obtain the session identifier corresponding to the remote service, query the correspondence with the session identifier to obtain the client information, and return the remote service to the client by means of the client information.

8. The system according to claim 6, wherein the first-level control device is further configured to notify the external system of the authentication information of the client and/or the authentication information of the first-level control device, the external system authenticating the client and/or the first-level control device using the authentication information of the client and/or the authentication information of the first-level control device; and, after the authentication passes, to notify the external system of the remote service request.

9. The system according to claim 6, wherein the first-level control device is further configured to notify the external system of the remote service request and its own description information; and the second-level control device is further configured to receive the information of the intranet server and the description information of the first-level control device sent by the external system.

10. The system according to claim 9, wherein the description information of the first-level control device includes the address information of the first-level control device and the link information corresponding to the remote service request; and the second-level control device is further configured to use the link information corresponding to the remote service request to determine that the remote service needs to be returned to the first-level control device, and to return the remote service to the first-level control device by means of the address information of the first-level control device.

11. A device for accessing a remote service, wherein the device is a first-level control device located in a first network and comprises: a first receiving module, configured to receive a remote service request sent by a client; a first sending module, configured to notify an external system of the remote service request, the external system using the remote service request to determine an intranet server for the client; a second receiving module, configured to receive the remote service that a second-level control device in a second network obtained from the intranet server and returned; and a second sending module, configured to return the remote service to the client.

12. The device according to claim 11, wherein the second sending module is specifically configured to, after the remote service request sent by the client is received, establish a correspondence between the session identifier carried in the remote service request and the client information; and to obtain the session identifier corresponding to the remote service, query the correspondence with the session identifier to obtain the client information, and return the remote service to the client by means of the client information.

13. The device according to claim 11, wherein the first sending module is specifically configured to notify the external system of the authentication information of the client and/or the authentication information of the first-level control device, the external system authenticating the client and/or the first-level control device using the authentication information of the client and/or the authentication information of the first-level control device; and, after the authentication passes, to notify the external system of the remote service request.

14. The device according to claim 11, wherein the first sending module is specifically configured to notify the external system of the remote service request and the device's own description information; and the description information of the first-level control device includes the address information of the first-level control device and the link information corresponding to the remote service request.

15. A device for accessing a remote service, wherein the device is a second-level control device located in a second network and comprises: a receiving module, configured to receive the information of an intranet server sent by an external system; a processing module, configured to establish a connection with the intranet server by means of the information of the intranet server and to use the connection to obtain a remote service from the intranet server; and a sending module, configured to return the remote service to a first-level control device in a first network.

16. The device according to claim 15, wherein the receiving module is specifically configured to receive the information of the intranet server and the description information of the first-level control device sent by the external system.

17. The device according to claim 16, wherein the description information of the first-level control device includes the address information of the first-level control device and the link information corresponding to the remote service request; and the sending module is specifically configured to use the link information corresponding to the remote service request to determine that the remote service needs to be returned to the first-level control device, and to return the remote service to the first-level control device by means of the address information of the first-level control device.
CN201110444777.3A 2011-12-23 2011-12-23 A kind of access method of remote service, system and equipment thereof Active CN103179104B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110444777.3A CN103179104B (en) 2011-12-23 2011-12-23 A kind of access method of remote service, system and equipment thereof

Publications (2)

Publication Number Publication Date
CN103179104A CN103179104A (en) 2013-06-26
CN103179104B true CN103179104B (en) 2016-04-27

Family

ID=48638730

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110444777.3A Active CN103179104B (en) 2011-12-23 2011-12-23 A kind of access method of remote service, system and equipment thereof

Country Status (1)

Country Link
CN (1) CN103179104B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105282258B (en) * 2015-11-10 2019-03-19 福建星网视易信息系统有限公司 Control the method and system of remote desktop
CN109257392B (en) * 2018-11-30 2021-09-17 广州市百果园信息技术有限公司 Command processing method, device, server and storage medium
CN110311970B (en) * 2019-06-27 2022-05-10 乐安县云智易联科技有限公司 A remote debugging system and method thereof
CN112039849B (en) * 2020-08-06 2022-03-29 成都安恒信息技术有限公司 SSH-based dual-network safety synchronization system and method
CN114268459A (en) * 2021-11-23 2022-04-01 贵州电网有限责任公司 Data security access method based on service side
CN114615248A (en) * 2022-02-25 2022-06-10 大唐软件技术股份有限公司 Remote operation control method and device, electronic equipment and storage medium
CN114629889B (en) * 2022-03-15 2024-03-15 北京天融信网络安全技术有限公司 Remote control link establishment method, device, equipment and medium
CN115643109B (en) * 2022-12-21 2023-03-14 四川汉科计算机信息技术有限公司 Remote control method, system, equipment and medium based on virtualization platform

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1780219A (en) * 2004-11-22 2006-05-31 株式会社东芝 Information terminal remote operation system and method, gateway server, information terminal, information terminal control apparatus, information terminal apparatus
CN101361082A (en) * 2005-12-15 2009-02-04 雷曼兄弟有限公司 Systems and methods for secure remote desktop access
CN101473628A (en) * 2006-04-12 2009-07-01 思杰系统有限公司 System and method for accelerating delivery of a computing environment to a remote user
CN101626292A (en) * 2008-07-09 2010-01-13 上海格尔软件股份有限公司 Linux log-on protection method
CN102217243A (en) * 2008-11-17 2011-10-12 高通股份有限公司 Remote access to local networks

Also Published As

Publication number Publication date
CN103179104A (en) 2013-06-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant