CN107295013A - A kind of method, first server, second server and the communication system of VDI communications - Google Patents
Publication number: CN107295013A (application CN201710672299.9A)
Authority: CN (China)
Prior art keywords: server, data, preset, strategy, terminal
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L41/069: Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
- H04L63/0428: Network architectures or network communication protocols for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L67/08: Protocols specially adapted for terminal emulation, e.g. Telnet
- H04L67/131: Protocols for games, networked simulations or virtual reality
- H04L67/141: Setup of application sessions
Abstract
The embodiments of the invention disclose a VDI communication method, a first server, a second server and a communication system, which improve the fluency of communication and the security of data during communication. The method of the invention includes: establishing a connection with a second server, the first server running multiple virtual machines; receiving a data request sent by the second server; and sending data to the second server according to a preset management strategy. The invention also provides the first server, the second server and the communication system, which improve the fluency of communication and the security of data during communication.
Description
Technical field
The present invention relates to the field of computer communication, and in particular to a VDI communication method, a first server, a second server and a communication system.
Background technology
With the development of computer technology, communication speeds keep increasing, and as a result the security of the communicated data receives more and more attention.
Because of their scale and user requirements, enterprises usually need to set up a head factory and subsidiary factories in different places, and the data transmission rate and communication security between the head factory and the subsidiary factories have become a significant problem. Data communication between an existing head factory and its subsidiary factories mostly either sends the head factory's data to the subsidiary factory through an encrypted tunnel, or shares the data through a file-sharing system from which the subsidiary factory downloads and consults it.
Both existing methods, transmitting the data through an encrypted tunnel and sharing it through a shared system, let the subsidiary factory download and obtain the data. Once the data has been downloaded by the subsidiary factory it becomes uncontrollable, and because the subsidiary factory's information security is often weakly built, the unprotected data is liable to leak.
Summary of the invention
The embodiments of the invention provide a VDI communication method, a first server, a second server and a communication system, which improve the fluency of communication and the security of data during communication.
A first aspect of the embodiments of the invention provides a VDI communication method applied to a first server, including:
establishing a connection with a second server, the first server running multiple virtual machines;
receiving a data request sent by the second server;
sending data to the second server according to a preset management strategy.
Optionally, establishing the connection with the second server includes:
determining, according to identity information of the second server, a connection strategy between the second server and the virtual machines of the first server;
connecting the second server to a preset virtual machine of the first server according to the connection strategy.
Optionally, after the data request sent by the second server is received, the method also includes:
verifying the data request;
if verification passes, sending the preset management strategy to the second server.
Optionally, the preset management strategy includes:
a preset transmission strategy, a preset file management strategy and a preset data security strategy.
Optionally, the preset file management strategy includes:
a document management strategy, a border control strategy and an audit strategy.
A second aspect of the embodiments of the invention provides a VDI communication method applied to a second server, including:
receiving data sent by a first server, the second server running multiple virtual machines;
establishing a connection with a terminal;
receiving the terminal's operation on the data.
Optionally, establishing the connection with the terminal includes:
determining, according to identity information of the terminal, a connection strategy between the terminal and the virtual machines of the second server;
connecting the terminal to a preset virtual machine of the second server according to the connection strategy.
Optionally, before the data sent by the first server is received, the method also includes:
receiving the preset management strategy sent by the first server.
Optionally, receiving the terminal's operation on the data includes:
receiving the terminal's operation on the data under the preset management strategy.
Optionally, the preset management strategy includes:
a preset transmission strategy, a preset file management strategy and a preset data security strategy.
Optionally, the preset file management strategy includes:
a document management strategy, a border control strategy and an audit strategy.
A third aspect of the present invention provides a first server, including:
a first connection unit for establishing a connection with a second server, the first server running multiple virtual machines;
a first receiving unit for receiving a data request sent by the second server;
a first transmitting unit for sending data to the second server according to a preset management strategy.
Optionally, the first connection unit includes:
a first determining module for determining, according to identity information of the second server, a connection strategy between the second server and the virtual machines of the first server;
a first connection module for connecting the second server to a preset virtual machine of the first server according to the connection strategy.
Optionally, the first server also includes:
a verification unit for verifying the data request;
a second transmitting unit for sending the preset management strategy to the second server when verification passes.
A fourth aspect of the embodiments of the invention provides a second server, including:
a second receiving unit for receiving data sent by a first server, the second server running multiple virtual machines;
a second connection unit for establishing a connection with a terminal;
a third receiving unit for receiving the terminal's operation on the data.
Optionally, the second connection unit includes:
a second determining module for determining, according to identity information of the terminal, a connection strategy between the terminal and the virtual machines of the second server;
a second connection module for connecting the terminal to a preset virtual machine of the second server according to the connection strategy.
Optionally, the second server also includes:
a fourth receiving unit for receiving the preset management strategy sent by the first server.
Optionally, the third receiving unit includes:
a receiving module for receiving the terminal's operation on the data under the preset management strategy.
A fifth aspect of the embodiments of the invention provides a VDI communication system, including the first server of the third aspect of the embodiments of the invention, the second server of the fourth aspect of the embodiments of the invention, and a terminal.
As can be seen from the above technical solutions, the embodiments of the invention have the following advantages:
In the present invention, the first server establishes a connection with the second server, and after the first server receives the data request sent by the second server it sends data to the second server according to the preset management strategy, which ensures the fluency and security of data transmission; the second server is connected to the terminal through a virtual machine, so that the terminal operates on the data of the second server in the form of images, which ensures the security of the second server's data.
Brief description of the drawings
Fig. 1 is a diagram of the structural relationship between a server and virtual machines in an embodiment of the invention;
Fig. 2 is a schematic diagram of the connection between a virtual machine and a terminal in an embodiment of the invention;
Fig. 3 is a schematic diagram of the network connection topology between the head factory and a subsidiary factory in an embodiment of the invention;
Fig. 4 is a schematic diagram of one embodiment of the VDI communication method in an embodiment of the invention;
Fig. 5 is a schematic diagram of another embodiment of the VDI communication method in an embodiment of the invention;
Fig. 6 is a schematic diagram of one embodiment of the first server in an embodiment of the invention;
Fig. 7 is a schematic diagram of another embodiment of the first server in an embodiment of the invention;
Fig. 8 is a schematic diagram of one embodiment of the second server in an embodiment of the invention;
Fig. 9 is a schematic diagram of another embodiment of the second server in an embodiment of the invention;
Fig. 10 is a schematic diagram of one embodiment of the VDI communication system in an embodiment of the invention.
Detailed description of the embodiments
The embodiments of the invention provide a VDI communication method, a first server, a second server and a communication system, which improve the fluency of communication and the security of data during communication.
So that those skilled in the art may better understand the solution of the present invention, the technical solution in the embodiments of the invention is described clearly and completely below. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The terms "first", "second", "third", "fourth" and the like (if present) in the description, the claims and the above drawings are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments described herein can be implemented in an order other than the one illustrated or described here. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, product or device containing a series of steps or units is not necessarily limited to the steps or units listed explicitly, but may include other steps or units that are not listed explicitly or that are inherent to the process, method, product or device.
For ease of understanding the invention, the specialised terms in the text and the organisational structure of desktop virtualization are explained below:
Desktop virtualization refers to virtualizing the terminal system of a computer, so that a user can access his or her own desktop system over the network from any device, in any place, at any time. Desktop virtualization depends on server virtualization: through server virtualization, the desktop virtualization platform (virtualization software) generates a large number of independent desktop operating systems (virtual machines or virtual desktops) on the servers of the data center and at the same time delivers them to terminal devices according to a proprietary virtual desktop protocol. The user terminal logs on to the virtual host over Ethernet; the user only needs to remember a username, password and gateway information to access his or her own desktop system over the network at any time and anywhere, thus achieving multiple users on one machine.
A virtual machine is one of the many independent desktop operating systems obtained by virtualizing a server (physical machine) with the desktop virtualization platform. It creates an operating environment for the terminal user, who then operates software based on this environment. The terminal may be a smartphone, a tablet, a desktop computer, or an electronic device dedicated to accessing a VDI (Virtual Desktop Infrastructure) desktop (a thin terminal).
Thin terminal: a thin terminal (thin client) is a terminal in a client-server network system that basically needs no application program of its own. It communicates with the server through certain protocols and thereby accesses the local network. The arrival of the Internet as an application platform opened a brand-new field for enterprise applications: an Internet/intranet-based application program whose thin client consists only of a browser. This browser is responsible for interpreting, displaying and handling the graphical user interface (GUI) of the application program and its data. The thin terminal sends input such as mouse and keyboard events to the server for processing, and the server returns the result to the client for display. Different clients can log on to the server at the same time, each simulating a separate working environment on the server. By contrast, a normal client performs as much data processing locally as possible and transmits only the necessary communication data to the server (or to other clients).
Fig. 1 is a diagram of the structural relationship between a server and virtual machines: by means of the desktop virtualization platform (virtualization software), the server is virtualized into multiple virtual machines (desktop operating systems).
Fig. 2 is a schematic diagram of the connection between a virtual machine and a user terminal in desktop virtualization. Desktop virtualization is an architecture that delivers virtual machines for users to use and ultimately provides the user with desktop services, but its delivery channel depends heavily on the network: without a network it does not work, and when network quality is poor the user experience is poor.
At present, analysis of enterprises' network situation finds that the network between the general headquarters and a subsidiary factory is generally connected over a wide area network, whose bandwidth is limited by the operator's broadband access fees and strongly affected by geographic factors, so that it does not meet the basic network requirements for desktop cloud delivery. Inside a subsidiary factory and inside the headquarters, however, the network is organised as a local area network whose transmission bandwidth is usually above 100Mb, which is especially suitable for delivering a desktop virtualization operating system.
Based on the above analysis, and in view of the enterprise's network situation, in order to ensure the security of the head factory's data and the fluency of data transmission between the head factory and the subsidiary factory, a first server and a second server are set up in the head factory and the subsidiary factory respectively. Desktop virtualization technology, that is, a desktop virtualization platform (virtualization software), is used on both the first server and the second server, so that multiple virtual machines are virtualized from each of them.
The desktop virtualization platform of the first server and that of the second server are connected to each other, which realizes the connection between the first server and the second server. The multiple virtual machines of the first server can connect to different subsidiary factories, for example the first virtual machine of the first server connects to the first subsidiary factory, the second virtual machine of the first server connects to the second subsidiary factory, and so on; the multiple virtual machines of the second server can connect to different departments, for example the first virtual machine of the second server connects to the first department, the second virtual machine connects to the second department, and so on. Fig. 3 is the network connection topology diagram between the head factory and a subsidiary factory in the present invention.
For ease of understanding, the VDI communication method of the invention is described below. Referring to Fig. 4, one embodiment of the VDI communication method in the embodiments of the invention includes:
401. The first server establishes a connection with the second server, the first server running multiple virtual machines;
So as not to be restricted by the network bandwidth, the embodiment of the invention sets up a first server and a second server in the head factory and the subsidiary factory respectively, where the first server and the second server are connected over the wide area network through the desktop virtualization platform; the network interconnection technology is described in detail in the prior art and is not repeated here.
The connection strategy between the second server and the different virtual machines of the first server is described in detail in the following embodiments.
402. The first server receives the data request sent by the second server;
Before the second server obtains data from the first server, it must send a data request to the first server in order to obtain the corresponding data from it. After the data request has been sent, the first server receives it.
403. The first server sends data to the second server according to the preset management strategy;
After receiving the data request sent by the second server, the first server sends the corresponding data to the second server according to the management strategy set on the first server; the specific management strategy is described in detail in the following embodiments.
404. The second server receives the data sent by the first server, the second server running multiple virtual machines;
After the first server sends the data to the second server according to the preset management strategy, the second server receives the data sent by the first server and stores it. The second server can manage the data according to the preset management strategy to prevent data leakage; the specific management strategy is described in detail in the following embodiments.
405. The second server establishes a connection with a terminal;
After receiving the data, the second server can, for the convenience of the user, establish a connection with the user terminal so that the user can operate on the data stored on the second server. The manner of connection between the terminal and the virtual machines of the second server is described in detail in the following embodiments.
406. The second server receives the terminal's operation on the data.
After the second server has established the connection with the terminal, the user can access the second server by logging in on the terminal, and thereby obtain the operation on the data of the second server.
In this embodiment, the first server establishes a connection with the second server, and after the first server receives the data request sent by the second server it sends data to the second server according to the preset management strategy, which ensures the fluency and security of data transmission; the second server is connected to the terminal through a virtual machine, so that the terminal operates on the data of the second server in the form of images, which ensures the security of the second server's data.
Based on the embodiment of Fig. 4, the connection strategy between the second server and the virtual machines of the first server, and the preset management strategy on the first server, are described in detail below. Referring to Fig. 5, another embodiment of the VDI communication method in the embodiments of the invention includes:
501. The first server establishes a connection with the second server, the first server running multiple virtual machines;
When the first server of the head factory and the second server of the subsidiary factory are connected over the wide area network, the connection strategy between the second server and the multiple virtual machines of the first server is determined through the desktop virtualization platform. The desktop virtualization platform of the first server can verify the identity of the second server and of the second server's user according to a preset verification scheme; only when the identity verification of both the second server and the second server's user passes does the first server connect the second server to the first virtual machine of the first server according to the preset mapping table between the second server and the virtual machines of the first server. It should be noted that the second server may also be connected to the second or third virtual machine of the first server; the correspondence between the second server and the virtual machines of the first server in this embodiment is merely illustrative and is not specifically limited.
The verification scheme in this embodiment may be one or more of an identification and authentication mechanism, an access control mechanism, an encryption mechanism, an information integrity mechanism and an audit mechanism; the specific content of these mechanisms is described in detail in the prior art and is not repeated here.
502. The first server receives the data request sent by the second server;
After the first server of the head factory and the second server of the subsidiary factory have established the connection, if the subsidiary factory needs to obtain data from the head factory, the virtualization platform of the second server needs to send a data request to the virtualization platform of the first server in order to obtain the corresponding data from the first server of the head factory.
Further, before sending the data request, the second server needs to evaluate its own execution environment to ensure that it can perform the operations on the data according to the management strategy set by the first server. Evaluating its own execution environment includes detecting whether its own virtualization transport module, file management control component and data security module are normal; if all are normal, the data request is sent to the first server; if an anomaly occurs, self-repair is attempted, and if the repair is abnormal, a warning is sent and all processes are logged.
503. The first server verifies the data request of the second server;
After the virtualization platform of the first server receives the data request sent by the virtualization platform of the second server, it verifies the data request, where verification includes an authorization check and a safety check.
The authorization check includes the authorization check of the second server, the authorization check of the data request, and the authorization check of the second server sending this data request. The authorization check of the second server verifies whether the second server has the authority to send data requests at all; if, for example, it is stipulated that the first subsidiary factory cannot send data requests to the head factory, the authorization check of the second server fails. The authorization check of the data request verifies whether the data request lies within the preset permitted scope; if, for example, it is stipulated that the second server of the first subsidiary factory may only perform read operations on the data stored on the first virtual machine after logging in to the first virtual machine, and the second server sends a request to obtain data, the authorization check of that request fails. The authorization check of the second server sending this data request verifies whether the second server has the authority to send this particular data request; for example, if the second server sends a request to obtain data to the first server while the preset authority only allows the second server to perform read operations on the data of the first server, the authorization check of the second server's request to obtain data from the first server fails.
The safety check verifies the security of the data request; for example, the first server checks whether the data request sent by the second server carries Trojan horse information, and if so, rejects the second server's data request and at the same time sends a warning message, which protects the security of the first server's data and also facilitates later manual processing of the data request.
It should be noted that the content of the authorization check and the safety check in this embodiment is only explanatory; the content of the authorization check and the safety check is not specifically limited.
504. If verification passes, the first server sends the preset management strategy to the second server;
If the verification of the second server's data request passes, the first server sends the preset management strategy to the second server, so that the second server manages the data sent by the first server according to the preset management strategy.
The preset management strategy includes a preset transmission strategy, a preset file management strategy and a preset data security strategy; the preset file management strategy includes a document management strategy, a border control strategy and an audit strategy.
The preset transmission strategy is for establishing an encrypted transmission channel between the first server and the second server and logging the transmission process. In this embodiment, the encrypted transmission channel between the first server and the second server can be established by the FileAgent control component, and the executing subject, the executed object, the execution time, the data content, the data type and the storage location of the data in the transmission process are recorded. The encrypted channel may also be established by other control components, and the specific log includes but is not limited to the above log content; neither is specifically limited here.
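Steps 503 and 504 as an added Python example (not code from the patent): the three-part authorization check, a payload safety check that rejects and warns, and the preset management strategy handed out only when both pass. The policy table, server names, operations, blocked digest and strategy contents are constructed assumptions.

```python
import hashlib
import logging
from dataclasses import dataclass, field

log = logging.getLogger("first-server")

# Constructed policy: which second servers may send data requests at all,
# and which operations each may request on which first-server virtual machine.
SERVER_POLICY = {
    "branch-1": {"may_request": True, "vm-1": {"read"}},
    "branch-2": {"may_request": True, "vm-1": {"read", "fetch"}},
    "branch-3": {"may_request": False},
}
# Operations the first server recognises at all (the "preset scope").
KNOWN_OPERATIONS = {"read", "fetch"}
# Constructed sample of a payload the safety check must reject, and the digest
# denylist it is checked against (a stand-in for the page's Trojan check).
SAMPLE_BLOCKED_PAYLOAD = b"constructed malicious attachment"
BLOCKED_PAYLOAD_SHA256 = {hashlib.sha256(SAMPLE_BLOCKED_PAYLOAD).hexdigest()}
# Constructed preset management strategy handed out after a successful check.
PRESET_MANAGEMENT_STRATEGY = {
    "transmission": {"encrypted_channel": True, "log_transfer": True},
    "file_management": {"document": "read-only", "border": "no-usb", "audit": True},
    "data_security": {"encrypt_at_rest": True},
}


@dataclass
class DataRequest:
    server_id: str      # identity of the requesting second server
    vm_id: str          # first-server virtual machine the request targets
    operation: str      # "read" or "fetch"
    payload: bytes = b""


@dataclass
class Verification:
    passed: bool
    reasons: list = field(default_factory=list)
    warning: bool = False   # set when the safety check fires


def authorization_check(req: DataRequest) -> list:
    """Return the failed authorization items; an empty list means passed."""
    policy = SERVER_POLICY.get(req.server_id)
    # 1. authorization of the second server itself
    if policy is None or not policy["may_request"]:
        return ["second server not authorized to send data requests"]
    # 2. authorization of the data request: is it within the preset scope?
    if req.operation not in KNOWN_OPERATIONS:
        return [f"operation {req.operation!r} outside preset scope"]
    # 3. authorization of this server to send this particular request
    if req.operation not in policy.get(req.vm_id, set()):
        return [f"{req.server_id} lacks {req.operation!r} permission on {req.vm_id}"]
    return []


def safety_check(req: DataRequest) -> list:
    """Reject requests whose attached payload matches the denylist."""
    digest = hashlib.sha256(req.payload).hexdigest()
    if digest in BLOCKED_PAYLOAD_SHA256:
        return [f"payload matches blocked digest {digest[:12]}"]
    return []


def verify_request(req: DataRequest) -> Verification:
    """Step 503: authorization check plus safety check."""
    result = Verification(passed=True)
    result.reasons += authorization_check(req)
    unsafe = safety_check(req)
    if unsafe:
        # rejected, and a warning raised for later manual follow-up
        result.warning = True
        result.reasons += unsafe
        log.warning("rejected request from %s: %s", req.server_id, unsafe)
    result.passed = not result.reasons
    return result


def handle_request(req: DataRequest):
    """Step 504: hand out the preset management strategy only when verification passes."""
    return PRESET_MANAGEMENT_STRATEGY if verify_request(req).passed else None
```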
Preset file management strategy includes:Document management strategy, border control strategy and audit strategy, wherein document pipe
Reason strategy includes:Document Share Permissions management, that is, control document whether the scope that can be shared and share;Document access limit
Management, that is, control document whether can be read, it is whether writable, whether read-write;Document access right is managed, that is, controls document
Unfolding mode, including control document are opened with opening in the form of password or in the form of preview, and the number of times that document is opened, and can
Document is further limited after more than predetermined opening number of times, is deleted automatically;The storage management of document, that is, control document to be
It is no to store the precalculated position into second server in an encrypted form;The audit management of document, i.e. recording documents are transmitted across
The log informations such as journey, the use of document, the storage location change of document.
Wherein, border control strategy is the border management and control strategy to desktop virtualization terminal, including:USB flash disk is inserted to terminal
Management and control Deng external equipment, the management and control to virtual machine network access rights and the management and control to document transmission flow.Such as:First service
Device is sent to second server by document, can be limited the document and not received USB flash disk operation, only receive second server virtual
The cryptographic acess and the document of machine user does not support the operation sent to outside.
Audit strategy is in the biography according to preset transmission strategy to the data between first server and second server
The bursting tube of defeated process, the file implementation procedure according to preset file management strategy and preset Data Security data
Reason process is recorded, while being recorded to the information warning occurred during all, to ensure first server and second
The security of data between server.
Preset Data Security is that occur to data during transmitting procedure, file implementation procedure, border control
Problem of data safety taken precautions against and protected, to ensure the security of data between first server and second server.
505. The second server receives the preset management strategy sent by the first server;
After the first server sends the preset management strategy to the second server, the second server receives it and controls its transmission module, file management control group and security module to manage the received data according to this preset management strategy.
506. The first server sends data to the second server according to the preset management strategy;
After sending the preset management strategy to the second server, the first server sends data to the second server according to the second server's data request and the management strategy set by the first server, i.e. it sends the data to the second server using the preset transmission strategy, file management strategy and security strategy it has set; the specific strategy contents are as described in step 504 and are not repeated here.
507. The second server receives the data sent by the first server; the second server runs multiple virtual machines;
After the first server sends the data to the second server according to the preset management strategy, the second server receives the data sent by the first server. The first server sends the preset management strategy for the data to the second server before sending the data itself. For example, before the first server of the head factory sends the data (a design document), it first sends the transmission strategy for the design document (the encryption method of the transmission channel), the file management strategy (document sharing, read/write and opening permissions, document storage management and the document's border control strategy) and the data security strategy to the second server, so that the terminal user of the second server can only operate on the design document according to the preset management strategy.
508. The second server sets up a connection with the terminal; the second server runs multiple virtual machines;
After receiving the data, the second server stores it according to the preset transmission strategy, to facilitate operations on the data by the terminal users of the second server.
Before a terminal user can operate on the data, a connection must be set up between the terminal and the second server. Because the second server virtualizes multiple virtual machines with desktop virtualization software, the connection strategy between the terminal and a virtual machine must be determined before the terminal connects to the second server.
A virtual machine is connected by the user entering a specific user name, password and gateway information and logging in at the terminal, so in practice the user is bound to the virtual machine and the terminal is the intermediary through which the user obtains a connection to the virtual machine. Therefore, after the user enters the user name, password and gateway information at the terminal, the desktop virtualization platform of the second server authenticates the entered information; if authentication passes, the terminal is automatically connected to the virtual machine bound to that user, realizing automatic connection between the terminal and the second server.
509. The second server receives the terminal's operations on the data under the preset management strategy.
After the terminal connects to the corresponding virtual machine of the second server, the user can operate on the data of the second server according to the preset management strategy. For example, the preset file management strategy restricts the sharing, read/write and opening permissions of the file as well as the document's border permissions and outgoing permissions, so that the terminal user can only operate on the data within the preset administrative permissions, and the security of the data is thereby protected.
Meanwhile, because of the characteristics of the virtual machine itself, the data operated on by the terminal user is transmitted and displayed only in the form of images, which prevents the terminal user from tampering with the data and further ensures its security.
In this embodiment, the first server sets up a connection with the second server; after receiving the data request sent by the second server, the first server sends the preset management strategy to the second server and sends the data according to the preset management strategy, ensuring the fluency and security of data transfer. After the second server has received the preset management strategy and the data, it sets up a connection with the terminal, so that the terminal operates on the second server's data in the form of images under the preset management strategy, further ensuring the security of the second server's data.
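As an added illustration (not code from the patent), the following models the preset management strategy of step 504 and the checks of steps 503 and 509 on the second server side: a document policy carrying sharing, read/write, opening-count, storage and border-control settings, an audit record that also raises a warning on every denial, and the authority rule from the step 503 example that lets the second server only read. All field names, operation names and the sample design document are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class FilePolicy:
    """Preset file management strategy plus border control for one document
    (field names are this example's own, modelled on step 504)."""
    share_scope: Set[str]      # users the document may be shared with
    readable: bool
    writable: bool
    open_mode: str             # "password" or "preview"
    max_opens: int             # predetermined number of openings
    delete_after_limit: bool   # auto-delete once max_opens is exceeded
    encrypted_storage: bool    # store encrypted at a preset location
    allow_usb: bool            # border control: USB flash disk operations
    allow_outbound: bool       # border control: sending outside


@dataclass
class Document:
    name: str
    policy: FilePolicy
    opens: int = 0
    deleted: bool = False


@dataclass
class Audit:
    """Audit strategy: every decision is logged; denials also raise a warning."""
    log: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

    def record(self, actor: str, op: str, doc: str, allowed: bool, why: str) -> None:
        line = f"{actor} {op} {doc}: {'allow' if allowed else 'deny'} ({why})"
        self.log.append(line)
        if not allowed:
            self.warnings.append(line)


# Step 503 authorization check. Assumed rule from the text's example:
# the second server may only read the first server's data.
REQUEST_RULES: Dict[str, Set[str]] = {"second_server": {"read"}}


def verify_request(requester: str, op: str, audit: Audit) -> bool:
    allowed = op in REQUEST_RULES.get(requester, set())
    audit.record(requester, op, "first_server_data", allowed, "authority rule")
    return allowed


def apply_operation(doc: Document, user: str, op: str,
                    audit: Audit, target: Optional[str] = None) -> bool:
    """Step 509: decide one terminal operation under the document's policy.
    `target` is the share recipient for "share" or the open mode for "open"."""
    p = doc.policy
    if doc.deleted:
        audit.record(user, op, doc.name, False, "document deleted")
        return False
    if op == "read":
        allowed, why = p.readable, "read permission"
    elif op == "write":
        allowed, why = p.writable, "write permission"
    elif op == "share":
        allowed, why = target in p.share_scope, "share scope"
    elif op == "usb_export":
        allowed, why = p.allow_usb, "border control: USB"
    elif op == "send_outside":
        allowed, why = p.allow_outbound, "border control: outbound"
    elif op == "open":
        if target != p.open_mode:
            allowed, why = False, f"must open as {p.open_mode}"
        elif doc.opens >= p.max_opens:
            # Opening limit exceeded: deny and, if the policy says so, delete.
            if p.delete_after_limit:
                doc.deleted = True
            allowed, why = False, "open limit exceeded"
        else:
            doc.opens += 1
            allowed, why = True, f"open {doc.opens}/{p.max_opens}"
    else:
        allowed, why = False, "unknown operation"
    audit.record(user, op, doc.name, allowed, why)
    return allowed


def storage_path(doc: Document, base: str = "/vdi/store") -> str:
    """Storage management: encrypted documents go to a preset encrypted area."""
    sub = "encrypted" if doc.policy.encrypted_storage else "plain"
    return f"{base}/{sub}/{doc.name}"


# Constructed sample: a head-factory design document sent to the subsidiary.
DESIGN_POLICY = FilePolicy(share_scope={"engineer_b"}, readable=True, writable=False,
                           open_mode="password", max_opens=2, delete_after_limit=True,
                           encrypted_storage=True, allow_usb=False, allow_outbound=False)


def demo() -> Document:
    audit = Audit()
    doc = Document("design.dwg", DESIGN_POLICY)
    verify_request("second_server", "read", audit)
    for op, target in [("read", None), ("write", None), ("usb_export", None),
                       ("open", "password"), ("open", "password"), ("open", "password")]:
        apply_operation(doc, "engineer_a", op, audit, target)
    for line in audit.log:
        print(line)
    return doc


if __name__ == "__main__":
    demo()
```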
The above describes the VDI communication method in the embodiment of the present invention; the first server in the present invention is described below. Referring to Fig. 6, the first server in the embodiment of the present invention includes:
a first connection unit 601, for setting up a connection with the second server, the first server running multiple virtual machines;
a first receiving unit 602, for receiving the data request sent by the second server;
a first transmitting element 603, for sending data to the second server according to the preset management strategy.
It should be noted that the function of each unit in this embodiment is similar to that of the first server in the embodiment described in Fig. 4 and is not repeated here.
In this embodiment, the first server sets up a connection with the second server through the first connection unit 601; after receiving the data request sent by the second server through the first receiving unit 602, the first server sends data to the second server according to the preset management strategy through the first transmitting element 603, ensuring the fluency and security of data transfer.
For ease of understanding, the first server in the embodiment of the present invention is described in detail below. Referring to Fig. 7, another embodiment of the first server in the embodiment of the present invention includes:
a first connection unit 701, for setting up a connection with the second server, the first server running multiple virtual machines;
a first receiving unit 702, for receiving the data request sent by the second server;
a first transmitting element 703, for sending data to the second server according to the preset management strategy.
Optionally, the first connection unit 701 includes:
a first determining module 7011, for determining the connection strategy between the second server and the first server's virtual machines according to the identity information of the second server;
a first link block 7012, for connecting the second server with the preset virtual machine of the first server according to the connection strategy.
Optionally, the first server also includes:
a verification unit 704, for verifying the data request;
a second transmitting element 705, for sending the preset management strategy to the second server when the verification passes.
It should be noted that the functions of each unit and each module in this embodiment are similar to those of the first server in the embodiment described in Fig. 5 and are not repeated here.
In this embodiment, the first server sets up a connection with the second server through the first connection unit 701; after receiving the data request sent by the second server through the first receiving unit 702, and after the data request passes verification, the first server sends the preset management strategy to the second server through the second transmitting element 705 and sends data according to the preset management strategy through the first transmitting element 703, ensuring the fluency and security of data transfer.
The second server in the embodiment of the present invention is described below. Referring to Fig. 8, one embodiment of the second server in the embodiment of the present invention includes:
a second receiving unit 801, for receiving the data sent by the first server, the second server running multiple virtual machines;
a second connection unit 802, for setting up a connection with the terminal;
a third receiving unit 803, for receiving the terminal's operations on the data.
It should be noted that the function of each unit in this embodiment is similar to that of the second server in the embodiment described in Fig. 4 and is not repeated here.
In this embodiment, after receiving the data through the second receiving unit 801, the second server connects with the terminal through the second connection unit 802, so that the terminal operates on the second server's data in the form of images, thereby ensuring the security of the second server's data.
For ease of understanding, the second server in the embodiment of the present invention is described in detail below. Referring to Fig. 9, another embodiment of the second server in the embodiment of the present invention includes:
a second receiving unit 901, for receiving the data sent by the first server, the second server running multiple virtual machines;
a second connection unit 902, for setting up a connection with the terminal;
a third receiving unit 903, for receiving the terminal's operations on the data.
Further, the second connection unit 902 includes:
a second determining module 9021, for determining the connection strategy between the terminal and the second server's virtual machines according to the identity information of the terminal;
a second link block 9022, for connecting the terminal with the preset virtual machine of the second server according to the connection strategy.
Further, the second server also includes:
a fourth receiving unit 904, for receiving the preset management strategy sent by the first server.
Further, the third receiving unit 903 includes:
a receiving module 9031, for receiving the terminal's operations on the data under the preset management strategy.
It should be noted that the functions of each unit and each module in this embodiment are similar to those of the second server in the embodiment described in Fig. 5 and are not repeated here.
In this embodiment, after the second server has received the preset management strategy and the data through the second receiving unit 901 and the fourth receiving unit 904, it sets up a connection with the terminal through the second connection unit 902, so that the terminal operates on the second server's data in the form of images under the preset management strategy, further ensuring the security of the second server's data.
The present invention also provides a VDI communication system. Referring to Fig. 10, the communication system includes the first server 1001 described above, the second server 1002 and a terminal 1003 that sets up a connection with the second server. Through the cooperation of the first server and the second server, the head factory's data is sent securely to the subsidiary factory; through the connection between the terminal and the second server, different users of the subsidiary factory operate on the data securely, further ensuring the security of the data.
It can be understood that in the embodiments of the present invention the first server and the second server can also be described from the hardware point of view. The first server and the second server of the embodiments each include: a processor, a memory, and a computer program stored in the memory and runnable on the processor. When the processor executes the computer program, it realizes the steps performed by the first server and the second server in each of the method embodiments above, or it realizes the functions of each module of the first server and the second server in the embodiments above; the same parts can refer to the description above and are not repeated here.
Exemplarily, the computer program can be divided into one or more modules/units, which are stored in the memory and executed by the processor to carry out the present invention. The one or more modules/units can be a series of computer program instruction segments capable of completing specific functions, and the instruction segments are used to describe the execution process of the computer program in the first server and the second server; specific reference can be made to the explanation of each module of the first server and the second server, which is not repeated here.
The first server and the second server may include, but are not limited to, a processor and a memory. Those skilled in the art will appreciate that this explanation is only an example of the first server and the second server and does not constitute a limitation on them; they may include more or fewer components than described, or combine certain components, or have different components; for example, the first server and the second server may also include input/output devices, network access devices and buses.
The processor can be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. The general-purpose processor can be a microprocessor or any conventional processor. The processor is the control centre of the first server and the second server and connects the various parts of the whole server through various interfaces and lines.
The memory can be used to store the computer program and/or modules; the processor realizes the various functions of the first server and the second server by running or executing the computer program and/or modules stored in the memory and calling the data stored in the memory. The memory can mainly include a program storage area and a data storage area, where the program storage area can store an operating system and the application program needed for at least one function, and the data storage area can store data created according to the use of the mobile phone (such as a patch library). In addition, the memory can include high-speed random access memory and can also include non-volatile memory, such as a hard disk, internal memory, a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage device.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be realized in other ways. For example, the device embodiments described above are merely schematic; the division of units is only a division by logical function, and other divisions are possible in actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be realized in the form of hardware or in the form of a software functional unit.
If the integrated unit is realized in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of each embodiment of the present invention. The foregoing storage medium includes: a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.
The above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and such modifications or replacements do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (19)
1. A VDI communication method, characterized in that it is applied to a first server and includes:
setting up a connection with a second server, the first server running multiple virtual machines;
receiving a data request sent by the second server;
sending data to the second server according to a preset management strategy.
2. The method according to claim 1, characterized in that setting up the connection with the second server includes:
determining a connection strategy between the second server and the virtual machines of the first server according to the identity information of the second server;
connecting the second server with a preset virtual machine of the first server according to the connection strategy.
3. The method according to claim 1, characterized in that, after receiving the data request sent by the second server, the method also includes:
verifying the data request;
if the verification passes, sending the preset management strategy to the second server.
4. The method according to any one of claims 1 to 3, characterized in that the preset management strategy includes:
a preset transmission strategy, a preset file management strategy and a preset data security strategy.
5. The method according to claim 4, characterized in that the preset file management strategy includes:
a document management strategy, a border control strategy and an audit strategy.
6. A VDI communication method, characterized in that it is applied to a second server and includes:
receiving data sent by a first server, the second server running multiple virtual machines;
setting up a connection with a terminal;
receiving the terminal's operations on the data.
7. The method according to claim 6, characterized in that setting up the connection with the terminal includes:
determining a connection strategy between the terminal and the virtual machines of the second server according to the identity information of the terminal;
connecting the terminal with a preset virtual machine of the second server according to the connection strategy.
8. The method according to claim 6, characterized in that, before receiving the data sent by the first server, the method also includes:
receiving a preset management strategy sent by the first server.
9. The method according to claim 8, characterized in that receiving the terminal's operations on the data includes:
receiving the terminal's operations on the data under the preset management strategy.
10. The method according to claim 9, characterized in that the preset management strategy includes:
a preset transmission strategy, a preset file management strategy and a preset data security strategy.
11. The method according to claim 10, characterized in that the preset file management strategy includes:
a document management strategy, a border control strategy and an audit strategy.
12. A first server, characterized in that it includes:
a first connection unit, for setting up a connection with a second server, the first server running multiple virtual machines;
a first receiving unit, for receiving a data request sent by the second server;
a first transmitting element, for sending data to the second server according to a preset management strategy.
13. The first server according to claim 12, characterized in that the first connection unit includes:
a first determining module, for determining a connection strategy between the second server and the virtual machines of the first server according to the identity information of the second server;
a first link block, for connecting the second server with a preset virtual machine of the first server according to the connection strategy.
14. The first server according to claim 12, characterized in that the first server also includes:
a verification unit, for verifying the data request;
a second transmitting element, for sending the preset management strategy to the second server when the verification passes.
15. A second server, characterized in that it includes:
a second receiving unit, for receiving data sent by a first server, the second server running multiple virtual machines;
a second connection unit, for setting up a connection with a terminal;
a third receiving unit, for receiving the terminal's operations on the data.
16. The second server according to claim 15, characterized in that the second connection unit includes:
a second determining module, for determining a connection strategy between the terminal and the virtual machines of the second server according to the identity information of the terminal;
a second link block, for connecting the terminal with a preset virtual machine of the second server according to the connection strategy.
17. The second server according to claim 15, characterized in that the second server also includes:
a fourth receiving unit, for receiving a preset management strategy sent by the first server.
18. The second server according to any one of claims 15 to 17, characterized in that the third receiving unit includes:
a receiving module, for receiving the terminal's operations on the data under the preset management strategy.
19. A VDI communication system, characterized in that it includes: the first server according to any one of claims 12 to 14, the second server according to any one of claims 15 to 18, and a terminal that sets up a connection with the second server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710672299.9A CN107295013B (en) | 2017-08-08 | 2017-08-08 | VDI communication method, first server, second server and communication system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107295013A true CN107295013A (en) | 2017-10-24 |
CN107295013B CN107295013B (en) | 2021-02-05 |
Family
ID=60104604
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710672299.9A Active CN107295013B (en) | 2017-08-08 | 2017-08-08 | VDI communication method, first server, second server and communication system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107295013B (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103377330A (en) * | 2012-04-23 | 2013-10-30 | 佛山市智慧岛信息技术有限公司 | Virtual resource distribution method and virtual resource distribution system |
CN103544453A (en) * | 2013-10-23 | 2014-01-29 | 成都卫士通信息产业股份有限公司 | USB (universal serial bus) KEY based virtual desktop file protection method and device |
US8769011B2 (en) * | 2011-06-21 | 2014-07-01 | Cisco Technology, Inc. | Survivable browsing in virtualized desktop environment when host connectivity is lost |
CN104023014A (en) * | 2014-06-04 | 2014-09-03 | 深圳市深信服电子科技有限公司 | Method and system of controlling data access permission |
CN104202680A (en) * | 2014-08-11 | 2014-12-10 | 福建星网锐捷网络有限公司 | Method and device for acquiring stream media |
CN106295341A (en) * | 2016-08-11 | 2017-01-04 | 浪潮电子信息产业股份有限公司 | Enterprise data center security solution method based on virtualization |
Non-Patent Citations (1)
Title |
---|
郑兴艳: "安全虚拟桌面系统的设计与实现", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
Also Published As
Publication number | Publication date |
---|---|
CN107295013B (en) | 2021-02-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||