JP2009146306A - Server device, communication terminal device, access system, access method, and access program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To achieve access to a plurality of equipment in a home network even in a situation that allows access only to limited ports from an external communication terminal device. <P>SOLUTION: A server device is connected to a local network so as to provide services to a communication terminal device. The server device includes: a request receiving means 407 for receiving a request that specifies another server device 400; and a request relay means 410 for relaying the request to another server device specified by the request. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a server device, a communication terminal device, an access system, an access method, and an access program, and in particular, a server device, a communication terminal device, and an access system that enable access to a plurality of devices installed in a home network or the like. , An access method and an access program.

  In recent years, demand for home appliances corresponding to the network has increased due to network construction in the home. Examples of usage of such home appliances include operating the HDD recorder via the network to perform recording settings, or operating the air conditioner via the network to operate the air conditioner before returning home. It is done. In particular, there is a desire to operate such home appliances from outside the home via the Internet.

  Generally, when a plurality of home appliances exist in a home network (hereinafter referred to as “home NW”), a broadband router (hereinafter referred to as “BBR: Broadband Router”) for connection to the Internet. Is introduced. Under the current IPv4 (Internet Protocol Version 4) situation, a global address to be accessed from a global network represented by the Internet is converted into a private address used in the home network (NAT: Network Address Translation). Therefore, a function called “NAT traversal” or port forwarding (hereinafter collectively referred to as “NAT traversal function”) is generally provided in the BBR. The NAT traversal function possessed by the BBR usually corresponds to a specific set of private IP address and port number with respect to a specific set of global IP address and port number.

  By the way, depending on the network environment, accessible IP addresses and port numbers may be restricted for security reasons. In such an environment, even if there are a plurality of network-compatible home appliances in the home NW, it is difficult to properly use a plurality of port numbers, and it is difficult to access all of them from the global network.

  In order to solve such a problem, by conventionally reserving a port mapping of a destination port that overlaps with others, and re-establishing the port mapping using the IP address of the access source every time access from the global network, A router that realizes packet relay to a plurality of devices has been proposed (see, for example, Patent Document 1).

  Further, a proxy server that realizes packet relay to a plurality of devices by re-mapping a plurality of servers to different URLs (mounting to a directory) using a reverse proxy function has been proposed (for example, Non-Patent Document 1). reference). This proxy server can also be applied to the home NW.

By the way, in the situation of IPv6 (Internet Protocol Version 6), since a globally identifiable address is assigned to a device belonging to the local network, it is usually unnecessary to consider the “NAT traversing function”. However, if no consideration is given, unrestricted access from the global network is permitted, which is a security problem. For this reason, in this case, the firewall (function for controlling access authorization) is also set in the BBR.
JP 2007-110266 A “Dele Gate Home Page” http://www.delegate.org/delegate/

  However, the router disclosed in Patent Document 1 needs to define and process a special protocol for NAT traversal. Accordingly, not only the computer connected to the network needs to support the protocol but also the router needs to support the protocol, and a general router that does not implement such a special protocol cannot be used.

  In addition, since the proxy server disclosed in Non-Patent Document 1 is originally a server operation technique, it is necessary for the server administrator to manually perform settings for relaying. Therefore, when applied to a home NW, it is very difficult for a general user to set and use it correctly.

  Furthermore, under the IPv6 situation, every time a device belonging to the local network is added, the security setting for the device belonging to the local network is performed by BBR in order to prevent unlimited access from the global network to the device belonging to the local network. However, there is a problem that it is not easy for general users but very troublesome.

  The present invention has been made in view of such circumstances, and can realize access to a plurality of devices in a home network even in a situation where only a limited port can be accessed from an external communication terminal device. It is an object to provide a server device, a communication terminal device, an access system, an access method, and an access program.

  (1) In order to achieve the above object, the present invention has taken the following measures. That is, a server device according to the present invention is a server device connected to a local network that provides a service to a communication terminal device, and a request receiving unit that receives a request that can identify another server device; And request relay means for relaying the request to the other server device specified by the request.

  In this way, the server device receives a request capable of specifying another server device, and relays the request to another server device specified by the request. Since requests that are not addressed can be relayed to other server devices, access to a plurality of devices in the home network (local network) is realized even in situations where only a limited port can be accessed from an external communication terminal device It becomes possible.

  (2) In the server device according to the present invention, resource identifier generating means for generating an access resource identifier component including information for specifying the server device in a local network, and the access resource identifier component Resource identifier output means for outputting to register with the communication terminal device, wherein the request received by the request receiving means is a request corresponding to the access resource identifier component Yes.

  As described above, the server device generates an access resource identifier component including information for identifying the server device in the local network, and outputs the access resource identifier component to be registered in the communication terminal device. Therefore, the access resource identifier component can be registered in the communication terminal device, and a request not addressed to the own device from the communication terminal device based on the access resource identifier component is relayed to another server device. It becomes possible to do.

  (3) In the server apparatus according to the present invention, an external network apparatus having a function of converting a global address to a local address can access the server function of the own apparatus by a request corresponding to the access resource identifier component. An address conversion setting unit for performing address conversion setting is further provided.

  In this way, the address translation setting means can perform address translation setting so that the server function of its own device can be accessed by a request corresponding to the resource identifier component for access to the external network device, so that the global network is accessed. It is possible to cope with remote access from a possible communication terminal device.

  (4) In the server device according to the present invention, the resource identifier generation means generates the access resource identifier component including a MAC (Media Access Control) address of the own device.

  As described above, since the MAC address of the own device is included in the resource identifier component for access, when relaying a request to another server device as a relay destination, it is ensured without communicating with the other server device. It becomes possible to acquire the IP address of the other server device.

  (5) In the server device according to the present invention, the resource identifier generation unit generates the access resource identifier component including an IP (Internet Protocol) address assigned to the own device.

  In this way, since the access resource identifier component includes the IP address assigned to the own device, it is possible to provide an access resource identifier component that is easy for the user of the communication terminal device to understand. .

  (6) In the server device according to the present invention, when the resource identifier generation unit generates the access resource identifier component, the resource identifier generation unit determines that the information included in the access resource identifier component is regular It is characterized in that an authentication code is included.

  In this way, since the authentication code for determining that the information included in the access resource identifier component is legitimate is included in the access resource identifier component, for example, the access resource identifier directly It is possible to prevent unauthorized access to the local network by inputting the URL corresponding to the component.

  (7) In the server device according to the present invention, the resource identifier generation unit generates the authentication code using a MAC address of a specific network device.

  Thus, since the authentication code is generated using the MAC address of a specific network device, it is possible to effectively prevent an attack by an attacker who does not know the MAC address of the network device.

  (8) In the server device according to the present invention, the resource identifier output means transmits an e-mail message including the access resource identifier component to the communication terminal device.

  In this way, the resource identifier output means transmits an e-mail message including the access resource identifier component to the communication terminal apparatus. Therefore, in the communication terminal apparatus, the access resource identifier is based on the e-mail message. Since the constituent elements can be registered, it is possible to save the trouble of manually inputting complicated characters.

  (9) The server device according to the present invention is characterized in that the resource identifier output means converts the resource identifier for access into a format that can be recognized by the communication terminal device and displays it.

  In this way, the resource identifier output means converts the resource identifier component for access into a format that can be recognized by the communication terminal device, and displays the converted image data in the communication terminal device. Thus, the access resource identifier component can be registered, so that it is possible to save the trouble of manually inputting complicated characters.

  (10) In the server device according to the present invention, the resource identifier output means converts the access resource identifier component into a two-dimensional barcode format as the image recognizable format.

  In this way, since the access resource identifier component is converted into the two-dimensional barcode format, even when the access resource identifier component is long, it can be appropriately converted into the two-dimensional barcode format. It becomes. For example, it is converted into a QR code as a two-dimensional barcode.

  (11) In the server device according to the present invention, the address conversion setting means repeatedly performs address conversion setting for the external network device in a predetermined period.

  As described above, since the address conversion setting for the external network device is repeatedly performed in a predetermined period by the address conversion setting means, a network caused by DHCP (Dynamic Host Configuration Protocol) lease expiration or stop of other server devices, etc. It is possible to follow changes in the environment.

  (12) In the server device according to the present invention, the address conversion setting means may assume that the load on the other server device is higher than a predetermined value in the case of address setting via the other server device, or In the case where it is assumed that a delay of a predetermined time or more will occur due to passing through the other server device, an address conversion setting is performed for the external network device.

  As described above, when the address conversion setting unit is configured to set an address via another server device, when the load on the other server device is assumed to be higher than a predetermined value, or via the other server device. For example, a service with a high bit rate is performed via another server device because address translation is set for the external network device when a delay of a predetermined time or more is expected to occur due to the In such a case, since the data can be output without going through the other server device, it is possible to prevent an increase in the load on the other server device. In addition, when a service requiring real-time performance is performed via another server device, it is possible to prevent a delay from occurring via the other server device. .

  (13) In the server device according to the present invention, the request receiving unit compares the request with a predetermined pattern, and rejects processing for the request when the pattern is included in the request. It is said.

  In this way, the request receiving means compares the request with a predetermined pattern, and if the pattern is included in the request, the processing for the request is rejected. It is possible to prevent a situation in which the security level is lowered due to the relay processing.

  (14) In the server device according to the present invention, the address translation setting unit acquires a specific setting in the external network device, and the request relay unit is for the access corresponding to the request received by the request receiving unit. When the resource identifier component does not conform to a predetermined format, the request is relayed to another server device based on the specific setting acquired by the address translation setting means.

  As described above, when the access resource identifier component corresponding to the request received from the communication terminal device does not conform to the predetermined format, the request is changed to another one based on the specific setting acquired by the address translation setting unit. For example, even when a server device other than the server device according to the present invention (conventional server device) exists in the local network, the server device according to the present invention is secured while ensuring access to the server. It is also possible to realize access to.

  (15) A communication terminal device according to the present invention is based on resource identifier input means for inputting an access resource identifier component including information for specifying any of the server devices described above, and the access resource identifier component And access means for accessing.

  In this way, by accessing the identifier component for access including information for specifying the server device server device, it is possible to access a plurality of devices (server devices) on the local network. It becomes possible to receive a service provided by the device (server device).

  (16) An access system of the present invention is an access system comprising a communication terminal device and a server device connected to a local network that provides a service to the communication terminal device, and the server device is in a local network. Resource identifier generating means for generating an access resource identifier component including information for specifying the server device, and resource identifier output means for outputting the access resource identifier component to be registered in the communication terminal device Request receiving means for receiving a request corresponding to the access resource identifier component, and the request to another server device identified from the access resource identifier component corresponding to the request received by the request receiving means. Request to relay And the communication terminal device includes resource identifier input means for inputting the access resource identifier component generated by the server device, and access means for accessing based on the access resource identifier. It is characterized by.

  As described above, in the server device, an access resource identifier component including information for specifying the server device in the local network is generated, while a request is received from the communication terminal device, and an access resource corresponding to the request is received. Since the request is relayed to the other server device specified by the resource identifier component, a request that is not addressed to the own device from the communication terminal device can be relayed to the other server device. Even in a situation where access from an external communication terminal device is not possible, access to a plurality of devices in a home NW (local network) can be realized.

  (17) An access method of the present invention is an access method using a communication terminal device and a server device connected to a local network that provides a service to the communication terminal device, and specifies another server device. Receiving the possible request, and relaying the request to the other server device specified by the received request.

  In this way, the server device receives a request capable of specifying another server device, and relays the request to another server device specified by the request. Since requests that are not addressed can be relayed to other server devices, access to a plurality of devices in the home network (local network) is realized even in situations where only a limited port can be accessed from an external communication terminal device It becomes possible.

  (18) An access method of the present invention is an access method using a communication terminal device and a server device connected to a local network that provides a service to the communication terminal device, and for specifying the server device. And a step of inputting an access resource identifier component including the above information, and an access based on the access resource identifier component.

  As described above, since the access identifier component including information for specifying the server device is accessed, for example, the server device receives a request corresponding to the access identifier component and responds to the request. By relaying the request to another server device specified from the access resource identifier component to be accessed, it is possible to access a plurality of devices (server devices) on the local network, so these devices (server devices) It is possible to receive services provided by.

  (19) The access program of the present invention allows a computer to send a request that can specify a different server device to a request receiving unit that receives the request, and to the other server device specified by the request received by the request receiving unit It is characterized by functioning as a request relay means for relaying the request.

  In this way, the server device receives a request capable of specifying another server device, and relays the request to another server device specified by the request. Since requests that are not addressed can be relayed to other server devices, access to a plurality of devices in the home network (local network) is realized even in situations where only a limited port can be accessed from an external communication terminal device It becomes possible.

  (20) The access program of the present invention includes a resource identifier input means for inputting an access resource identifier component including information for specifying a server device connected to a local network, and the access resource identifier configuration It is characterized by functioning as an access means for accessing based on elements.

  As described above, since the access identifier component including information for specifying the server device is accessed, for example, the server device receives a request corresponding to the access identifier component and responds to the request. By relaying the request to another server device specified from the access resource identifier component to be accessed, it is possible to access a plurality of devices (server devices) on the local network, so these devices (server devices) It is possible to receive services provided by.

  According to the present invention, the server device receives a request that can specify another server device, and relays the request to another server device specified by the request. Since requests that are not addressed to the own device can be relayed to other server devices, access to a plurality of devices in the home network (local network) can be performed even in situations where only a limited port can be accessed from an external communication terminal device. It can be realized.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the following description, the case where the present invention is applied to an access system will be described in detail. However, the present invention can also be established as an access method or a program that allows a computer to function.

(First embodiment)
FIG. 1 is a block diagram showing a configuration of an access system to which a server device according to the first embodiment of the present invention is connected. As shown in FIG. 1, in the access system according to the present embodiment, a home NW or the like from a remote terminal 100 via a global network (hereinafter referred to as “global NW”) 200 and a BBR (broadband router) 300. It is possible to remotely access the server device 400 installed in the network.

  The remote terminal 100 is composed of a communication terminal device having a function of accessing the global NW 200. In particular, the remote terminal 100 has a function of receiving and registering an input of an access URL described later and accessing the access URL. Typically, it includes a mobile phone device having a WEB access function, a PDA (Personal Digital Assistant), a personal computer (personal computer), and the like. The global NW 200 is typically configured with the Internet. In the present embodiment, the global NW 200 is cited as an example of a communication network, but the communication network is not limited to this. For example, a wireless communication network managed by a mobile phone company, a network managed by an Internet provider company, or an intranet built in a company can be used. It is also possible to configure the network from two or more different types of networks, such as accessing the Internet from a corporate intranet via a proxy server, or accessing the Internet from a mobile network via a server of a communication company.

  The BBR 300 has a function of connecting to the global NW 200, constructing a home NW (home network), and relaying packets to access the Internet from a device (generally a personal computer or the like) in the home NW. The BBR 300 preferably has a NAT traversal function. The NAT traversal function is a function for converting an IP address assigned to the BBR 300 into a private IP address in the home NW in order to access a device in the home NW from the global NW 200 side. Furthermore, the BBR 300 preferably has a UPnP IGD (Universal Plug and Play Internet Gateway Device) function. The UPnP IGD is a function that can set NAT traversal from a device in the home NW via a network. Note that NAT traversal and UPnP IGD are usually implemented in many commercially available BBRs and are not special functions.

  The server device 400 is, for example, a network compatible device connected to the home NW. The server apparatus 400 provides different functions depending on the functions of the unique service unit 409 described later. For example, the server apparatus 400 provides services as a hard disk (HDD) recorder, an air conditioner, and a refrigerator according to the functions of the unique service unit 409. In other words, each device such as an HDD recorder, an air conditioner, and a refrigerator connected to the home NW constitutes a server device. For example, the server device 400a functions as an HDD recorder, the server device 400b functions as an air conditioner, and the server device 400c functions as a refrigerator. In the following, the server device 400a will be described.

  As shown in FIG. 1, the server device 400a includes a network unit 401, a port forward setting unit 402, an address detection unit 403, an address storage unit 404, a URL generation unit 405, a URL output unit 406, a request reception unit 407, and a URL determination unit. 408, unique service means 409, request relay means 410, and relay destination determination means 411. The port forward setting means 402 functions as address conversion setting means in the claims, and the URL generation means 405 functions as resource identifier generation means in the claims.

  The network unit 401 is connected to the home NW provided by the BBR 300 and performs data communication with other devices including the BBR 300. Typically, it is realized by an Ethernet (registered trademark) interface or a wireless LAN interface such as IEEE802.11g.

  The port forward setting means 402 has a UPnP IGD control point (CP) function, and performs port forward setting for the UPnP IGD function of the BBR 300. Further, it has a function of acquiring a global IP address (external address) of the BBR 300 and performs processing for registering the address in the address storage unit 404. The specification of UPnP IGD is determined by the UPnP forum (http://www.upnp.org), and is realized by software that executes processing according to the specification.

  The address detection means 403 detects the MAC address (Media Access Control Address) assigned to the network means 401 and the assigned IP address. Since the network means 401 can communicate with the application software through the driver software, it is generally detectable.

  The address storage unit 404 stores the external address of the BBR 300 acquired by the port forward setting unit 402, the MAC address and the IP address detected by the address detection unit 403, and the like. The address storage unit 404 is realized by, for example, a memory or a magnetic disk device.

  The URL generation unit 405 generates an access URL based on the external address of the BBR 300 stored by the address storage unit 404 and the MAC address and IP address of the network unit 401. As will be described in detail later, the remote terminal 100 can remotely operate the server device 400 by performing WEB access to the URL generated by the URL generation unit 405. Usually, the URL generation means 405 is realized by software. Here, a case where the URL generation unit 405 generates a URL as a resource identifier including information for specifying the server device 400a in the home NW is shown, but the content of the resource identifier is limited to this. is not. Changes can be made as appropriate on the condition that the resource identifier includes information for specifying the server device 400a in the home NW.

  The URL output unit 406 outputs the access URL generated by the URL generation unit 405 so as to be registered in the remote terminal 100. As will be described in detail later, for example, the URL output unit 406 causes the remote terminal 100 to output and register a URL generated by e-mail, or read a two-dimensional barcode such as a QR code or the like by the remote terminal 100. To register the generated URL.

  The request receiving unit 407 receives (Accept) the HTTP request generated by the WEB access of the remote terminal 100, interprets the request, and calls the URL determination unit 408 as necessary. The request receiving unit 407 is realized by software, and is equivalent to the request receiving unit provided in a general WEB server.

  The URL determination unit 408 interprets the URL specified by the HTTP request received by the request reception unit 407, and should be processed by the server device 400a itself or relayed to the other server devices 400b and 400c. Determine. A detailed determination method by the URL determination unit 408 will be described later. Usually, the URL determination means 408 is realized by software.

  The unique service unit 409 has a function unique to the server device 400a and provides the remote terminal 100 with a service according to the characteristics of the server device 400a. In the server apparatuses 400a to 400c, services provided to the remote terminal 100 differ depending on the functions of the unique service unit 409. The unique service means 409 is realized by using a general WEB application server mounting technology such as CGI implemented in Perl or Java (registered trademark) Servlet.

  The request relay unit 410 relays the request received by the request reception unit 407 to the relay destination server device (for example, the server devices 400b and 400c) determined by the relay destination determination unit 411. The request relay unit 410 is realized by using a general proxy server mounting technique such as DelGate (http://www.delegate.org/delegate/).

  The relay destination determination unit 411 determines a relay destination for the URL that is determined to be relayed to the other server apparatuses 400b and 400c by the URL determination unit 408. A detailed method of determining the relay destination by the relay destination determination unit 411 will be described later. Usually, the relay destination determination unit 411 is realized by software.

  Note that the execution of the software group in the server device 400a described above is realized by preparing hardware necessary for operation in a general computer, such as a CPU and a memory.

  The server apparatus 400a according to the present embodiment has such a configuration, performs port forward setting to enable remote access to the remote terminal 100, generates a URL for remote access, and generates the generated URL Is output to the remote terminal 100. When receiving a WEB access using the URL from the remote terminal 100, it is determined whether the access is to the own device, and in the case of the access to the own device, the requested process is executed while the access to the device other than the own device is performed. In the case of access, it is relayed to the other server apparatuses 400b and 400c. Hereinafter, processing in the server apparatus 400 according to the present embodiment will be described.

(Process when connecting server device to home NW)
First, processing when the server device according to the present embodiment is connected to the home NW will be described. FIG. 2 is a flowchart for explaining processing when the server device according to the present embodiment is connected to the home NW. Note that in the processing when the server device is connected to the home NW, port forward setting is generally performed and various addresses are detected. In the following, it is assumed that the BBR 300 according to the present embodiment is equipped with a UPnP IGD function.

  As shown in FIG. 2, first, in step S <b> 101, the server apparatus 400 a according to the present embodiment is connected to the home NW constructed by the BBR 300. At this time, typically, a private IP address used in the home NW is assigned to the network unit 401 through DHCP (Dynamic Host Configuration Protocol) of the BBR 300 to enable communication with other devices in the home NW, and for other communication. Necessary DNS (Domain Name System) and default gateway are set together. In addition, when there is a local DNS server in the home NW, for example, a host name such as “hgw1” may be registered in the DNS.

  Next, in step S102, various addresses are detected. In addition to the IP address obtained in S101, the detected address includes a MAC address, a host name, and the like originally assigned to the network unit 401. Here, for example, it is assumed that “192.168.0.101” as the IP address, “00: 1B: 23: 45: 67: 89” as the MAC address, and “hgw1” as the host name are detected.

  Next, in step S103, the port forward setting of the BBR 300 is performed. As described above, the BBR 300 is equipped with a UPnP IGD function. Using this IGD function, for example, the external address of the BBR 300 can be acquired by calling the GetExternalIPAddress function of the WWWIPConnection service (for example, 200.0.0.10 is obtained). For this reason, using this information, it is possible to call the AddPort Mapping function of the WWWIPConnection service and set the port forward of the 80th port of the BBR 300 to the 80th port of the server device 400a.

  An example of the port forward setting set in the BBR 300 is shown in FIG. As shown in FIG. 3, in the port forward setting, a global transmission source IP address, a global transmission destination port (BBR300 reception port), a TCP or UDP type, a private transfer destination IP address, and a private transfer destination port Are associated with each other.

  In step S104, the address information obtained in steps S101 to S103 is registered in the address storage unit 404. FIG. 4 shows an example of address information registered in the address storage unit 404. In the address information shown in FIG. 4, the “port number” is a port number on which the request receiving unit 407 waits, and depends on the implementation of the unique service unit 409 built in the server device 400a. This port number may be fixed, or a predetermined setting may be possible. The “service URL name” is also dependent on the implementation of the unique service unit 409 and is fixed in principle. Furthermore, the “BBR MAC address” can be reliably acquired from the IP address of the BBR 300 (usually acquired by DHCP) by the ARP protocol.

  Next, in step S105, the processes in steps S102 to S104 are repeated for a predetermined period. This is because a lease period is generally set for the IP address of the server apparatus 400a assigned by the DHCP function of the BBR 300, and there is a possibility that the IP address may be changed, and other UPnP IGD control point functions. This is because there is a possibility that a device in the home NW having the port overwrites the port forward setting, and a case where another server device 400 is stopped for some reason. The period may be about 1 minute to 1 day, preferably about 10 minutes to 2 hours, and more preferably about 1 hour.

(Process when registering access URL in remote terminal)
Next, a process for registering the URL component (hereinafter simply referred to as “access URL”) for accessing the server apparatus 400a according to the present embodiment in the remote terminal 100 will be described. FIG. 5 is a flowchart for explaining processing when the remote terminal 100 registers a URL for accessing the server device 400a according to the present embodiment. In the process for registering the access URL in the remote terminal, the access URL is generally generated and the access URL is output to the remote terminal 100.

  As shown in FIG. 5, first, in step S201, the URL generation unit 405 acquires the address information shown in FIG. 4 from the address storage unit 404, and generates an access URL. Here, for example, an access URL is generated according to a rule of “http: // <BBR external address>: <BBR port number> / <MAC address>: <port number> / <service URL name>”, In addition, if the port number portion is omitted in the case of 80 ports, the URL for access to the server device 400a can be expressed as “http://200.0.0.10/001B23456789/recorder” according to HTTP convention. . Here, a case where the URL generation unit 405 generates an access URL in a complete format will be described. However, as will be described later, a format in which part of the access URL is specified by the user of the remote terminal 100 or the like. The URL for access may be generated (see the fourth embodiment). In this specification, the “access URL” includes a complete access URL and an access URL in which a part of the specification is left to the user of the remote terminal 100 or the like.

  FIG. 6 shows an example of an access URL for another server apparatus 400 such as the server apparatus 400b. In FIG. 6, the URL for access to the server device 400a is shown in (a), the URL for access to the server device 400b is shown in (b), and the URL for access to the server device 400c is shown in (c). If the DNS name is used instead of <MAC address> in the access URL shown in (a), it can be expressed as (a ') shown in FIG. Input is also easy. Similarly, if the IP address in the home NW is used instead of <MAC address> in the access URL shown in (a), it can be expressed as (a '') shown in FIG. Manual input is also easy.

  Further, in order to prevent an attack into the home NW by direct URL input, an authentication code (= A099) can be embedded in the URL as shown in FIG. 6 (a ″ ″). For example, if this authentication code is generated by a predetermined algorithm from the MAC address of the BBR 300 and the IP address of the server device 400a (in addition, the MAC address, DNS name, etc.), the other server devices 400b and 400c and data Without performing communication, it can be determined whether or not the URL is a legitimate URL. In this case, it becomes extremely difficult for an attacker who does not know the MAC address of the BBR 300 to attack inside the home NW.

  Furthermore, as shown in FIG. 6 (a ″ ″), by adding prefixes such as “mac:”, “dns:”, and “ip:” to the URL notation as described above. You can also switch freely. In this case, for example, the best access URL can be selected in accordance with the status of the network environment.

  Next, in step 202, the URL output means 406 outputs the access URL generated by the URL generation means 405 to the remote terminal 100 by some method. When the URL for access output from the URL output unit 406 is received in this way, it is registered in the remote terminal 100 based on a user instruction.

  Although the output mode of the access URL by the URL output unit 406 is not particularly limited, two typical modes will be described below. 7 to 10 are diagrams for explaining a first output mode of the URL for access by the URL output means 406. FIG. FIGS. 11 to 13 are diagrams for explaining a second output mode of the URL for access by the URL output unit 406. In the following description, the URL output unit 406a represents the first output mode, and the URL output unit 406b represents the second output mode.

(Configuration of URL output means 406a)
FIG. 7 is a block diagram showing an example of an embodiment of the URL output means 406a. In FIG. 7, the server device 400a-1 is one embodiment of the server device 400a, and the URL output means 406 is replaced with the URL output means 406a. The server device 400a-1 illustrated in FIG. 7 omits other means, but basically includes the same means as the server device 400a.

  As shown in FIG. 7, the URL output unit 406a includes a UPnP device unit 4101, a WWW server unit 4102, a service HTML 4103, and an SMTP client unit 4104. The UPnP device unit 4101 is a device having a function defined by UPnP. Specifically, the URL of the HTML page output by the WWW server means 4102 is notified as “Presentation URL” determined by UPnP. Since UPnP is a known technique, detailed description thereof is omitted.

  The WWW server means 4102 operates as a WWW server for the WWW browser 1102 of the personal computer 1000 described later while referring to the HTML stored in the service HTML 4103. For example, the WWW server means 4102 can be realized using “Apache HTTP Server (http://httpd.apache.org/)” or the like. The service HTML 4103 stores the service HTML referenced by the WWW server means 4102.

  The SMTP client unit 4104 has a function of sending an e-mail to a designated e-mail address according to an instruction from the WWW server unit 4102. For example, the SMTP client unit 4104 can use UNIX (registered trademark) standard sendmail or Postfix (http://www.postfix.org/).

  In FIG. 7, a personal computer 1000 is a general personal computer connected to a home NW constructed by the BBR 300. The personal computer 1000 is used for various purposes by the user. Here, it is used for the purpose of accessing the server device 400a-1 and inputting the mail address of the remote terminal 100. The personal computer 1000 is typically composed of a desktop personal computer or a notebook personal computer in which Windows (registered trademark) (XP, Vista, etc.) is installed as an OS. Usually, the personal computer 1000 includes a UPnP control point unit 1101 and a WWW browser 1102 such as Internet Explorer as standard.

  FIG. 8 is a flowchart for explaining the operation in the first output mode of the URL for access using the URL output means 406a. In the first output mode of the access URL, generally, the access URL is transmitted to the remote terminal 100 in response to an instruction input from the operator of the personal computer 1000, and the access URL is registered in the remote terminal 100. The

  In the first output mode of the URL for access, first, in step S211, the WWW server means 4102 is accessed from the WWW browser 1102 of the personal computer 1000. At this time, the URL to be accessed is typically popped up on the task bar of the Windows (registered trademark) screen by the UPnP device unit 4101 and the UPnP control point unit 1101, so that the user automatically selects the URL to access. The WWW browser 1102 is activated to access the WWW server means 4102. Since this series of processing is known, no further detailed description will be given.

  In step S212, the WWW browser 1102 receives the HTML data output by the WWW server unit 4102 while referring to the service HTML 4103, and displays an HTML page corresponding to the HTML data. On the HTML page, the access URL generated by the URL generation unit 405 in step S201 is displayed.

  FIG. 9 shows a screen configuration example of the HTML page. In the HTML page screen shown in FIG. 9, “http://200.0.0.10/001B23456789/recorder” shown in FIG. 6A is displayed as the access URL, and the mail address of the remote terminal 100 is input. A field (mail address input field) and a send button for instructing transmission of the access URL are displayed.

  Next, in step S213, the user of the personal computer 1000 inputs the email address of the remote terminal 100 to which the access URL is to be notified into the email address entry field of the HTML page displayed on the WWW browser 1102, and sends the email address to the email address. Select the send button to instruct to send.

  In step S214, the WWW server means 4102 generates an e-mail message for notifying the access URL. In step S213, the SMTP client unit 4104 is instructed to send the electronic mail message to the mail address input.

  FIG. 10 shows an example of the content of an e-mail message transmitted to the remote terminal 100. As shown in FIG. 10, in the e-mail message, “HDD recorder top page” indicating the contents of the server device 400a is displayed in the subject (Subject), and “http: //200.0. 0.10 / 001B23456789 / recorder "is displayed. In addition, a list of possible processes on the page is displayed. Here, “recording reservation confirmation”, “program recording”, and “recorded program viewing” are displayed as a list.

  Next, in step S215, the e-mail message received on the remote terminal 100 side is bookmarked. Here, the bookmark depends on the implementation of the remote terminal 100. For example, the bookmark is “protected” not to delete the corresponding e-mail, or “moved” to an arbitrary folder, or indicated. There is a method of accessing a URL and bookmarking when a WWW page is displayed, but there is no particular limitation as long as a general method is used.

  By such a series of operations, the access URL generated by the server device 400a-1 is registered in the remote terminal 100 in the first output mode of the access URL by the URL output means 406. In particular, in the first output mode, since an electronic mail message including an access URL is transmitted to the remote terminal 100, the remote terminal 100 registers the access URL based on the electronic mail message. Therefore, it is possible to save the trouble of manually inputting complicated characters.

(Configuration of URL output means 406b)
FIG. 11 is a block diagram illustrating an example of an embodiment of the URL output unit 406b. In FIG. 11, the server device 400a-2 is one embodiment of the server device 400a, and the URL output means 406 is replaced with the URL output means 406b. In the server apparatus 400a-2 shown in FIG. 11, other means are omitted, but basically the same means as the server apparatus 400a is provided.

  As shown in FIG. 11, the URL output unit 406 b includes a video output unit 4201, a QR code generation unit 4202, and a setting instruction unit 4203. The video output means 4201 outputs various information such as text and graphics for the user to recognize. The video output unit 4201 is typically realized by a monitor such as a liquid crystal display device, a video encoder that separately transmits RGB signals, video signals, and the like to the liquid crystal display device.

  QR code generation means 4202 generates a QR code figure that represents text information as a two-dimensional barcode. The QR code generating means 4202 is typically realized by software. Here, the case where the code generated by the URL output unit 406b is a QR code has been described, but the present invention is not particularly limited to this, and a one-dimensional bar code, other two-dimensional bar codes, characters, etc. A simple character string for recognition may be generated. Since QR codes, general bar codes, and character strings for character recognition are well known, detailed descriptions thereof are omitted.

  The setting instruction unit 4203 instructs the video output unit 4201 to display information such as an access URL on the screen by a user operation. The setting instruction unit 4203 is realized by, for example, a remote controller attached to the server device 400a-2, an operation button provided in the server device 400a-2, or the like.

  FIG. 12 is a flowchart for explaining the operation in the second output mode of the access URL using the URL output means 406b. In the second output mode of the access URL, generally, a QR code that is a two-dimensional barcode is generated from the access URL in response to an instruction input from the operator of the personal computer 1000, and the QR code is generated in the remote terminal 100. The URL for access is registered by reading the code.

  In the second output mode of the access URL, first, in step S221, the user selects the “setting” menu using the setting instruction means 4203. The “setting” menu switches the screen displayed on the liquid crystal display device or the like connected to the server device 402a-2 to a screen for displaying URL information (URL for access) for access. To do.

  In step S222, the video output unit 4201 notifies the access URL generated by the URL generation unit 405 in step 201 to the QR code generation unit 4202, and generates a QR code corresponding to the access URL. The access URL is displayed together with the QR code on the liquid crystal display screen. FIG. 13 shows a configuration example of a screen displayed on the liquid crystal display screen. In the display screen shown in FIG. 13, “http://200.0.0.10/001B23456789/recorder” shown in FIG. 6A is displayed as the access URL, and the QR code generated from this access URL is displayed. Is displayed.

  Next, in step S223, the user of the remote terminal 100 captures the QR code displayed on the liquid crystal display screen using the camera function provided in the remote terminal 100.

  Next, in step S224, a URL to be accessed is obtained by decoding the captured QR code, and the URL is accessed. As a result, a screen corresponding to the accessed URL is displayed on the remote terminal 100.

  Next, in step S225, the screen displayed on the remote terminal 100 side is registered as a bookmark (or a commonly used registration method such as favorite registration). Through such a series of operations, the access URL generated by the server device 400a-2 is registered in the remote terminal 100 in the second output mode of the access URL by the URL output means 406. In particular, in the second output mode, since the QR code generated based on the access URL is displayed, the remote terminal 100 can register the access URL by reading the QR code. Thus, it is possible to save the trouble of manually inputting complicated characters.

  Here, the operation in the first or second output mode of the access URL by the URL output means 406 has been described along the flow shown in FIG. 8 or FIG. Is not limited to these. Any method may be used as long as the URL for access can be registered in the remote terminal 100. For example, the user may input the remote terminal 100 manually by looking at the screen represented by FIG. 13 or the like displayed by the video output means 4201, or write it out on paper or the like and access it as necessary. The URL for use may be input.

  Further, although the URL generation unit 405 and the URL output unit 406 are described as essential, the present invention is not limited to this. In other words, even without these means, in the instruction manual, for example, “Generate the URL for access from a mobile phone etc. as follows. (1) The sticker affixed to the back of the device (This is referred to as aa: bb: cc: dd: ee: ff.) (2) Check the global address of the BBR you are using. (3) The URL for access should be as follows: http: //xx.yy.zz.ww/aabbccddeeff/recorder Can know the URL for access, so this method may be used.

(Process when accessing server device from remote terminal)
Next, processing when accessing the server apparatus 400a according to the present embodiment from the remote terminal 100 will be described. FIG. 14 is a flowchart for explaining processing when accessing the server apparatus 400a according to the present embodiment from the remote terminal 100. In the processing when accessing the server apparatus 400a from the remote terminal 100, the request received from the remote terminal 100 is generally analyzed, and the request is processed by the server apparatus 400a according to the analysis content. Relay to another server device 400b or the like.

  As shown in FIG. 14, first, in step S <b> 301, the request receiving unit 407 receives an HTTP request from the remote terminal 100. In this case, for example, the remote terminal 100 accesses the URL shown in FIG. 15 and connects to the 80th port of the BBR 300 to which the global IP address “200.0.0.10” is assigned. Then, the BBR 300 relays it to the 80th port of the IP address “192.168.0.101” in the home NW. As a result, the HTTP request from the remote terminal 100 is passed to the request receiving means 407.

  Next, in step S302, the URL determination unit 408 extracts the <MAC address> portion. Here, it is assumed that the URL is generated according to the rule "http: // <BBR external address>: <BBR port number> / <MAC address>: <port number> / <service URL name>". , <MAC address> part is “001B23456789”.

  Next, in step S303, the URL determination unit 408 determines whether or not the extracted “001B23456789” belongs to the own server device 400a. In this case, since the MAC address of the own server device 400a is stored in the address storage unit 404, the URL determination unit 408 determines whether or not it is the same. As shown in FIG. 4, since the MAC address is that of the own server apparatus 400a, it is determined that the HTTP request is addressed to the own server apparatus 400a, and the process proceeds to step S304.

  In step S304, since the HTTP request is passed to the unique service unit 409, the unique service of the server apparatus 400a is processed and the processing result is transmitted to the remote terminal 100. For example, when the server device 400a is an HDD recorder, services such as recording reservation control and streaming playback of recorded content are provided. Further, when the server device 400a is a refrigerator, a service is provided in which a stock can be confirmed by taking a picture of the inside of the warehouse with a digital camera and transmitting the picture. Furthermore, when the server device 400a is an air conditioner, a service that can control the power On / Off and adjust the room temperature is provided.

  On the other hand, when the remote terminal 100 accesses, for example, the URL shown in FIG. 16 in step S301, the HTTP request is addressed to the other server apparatuses 400b and 400c because it is different from the MAC address of the server apparatus 400a in step S303. The process proceeds to step S305.

  In step S305, connection is made to the request receiving means 407 such as the corresponding server devices 400b and 400c based on the extracted MAC address. Normally, connection by HTTP requires IP address information of a connection destination, which can be easily converted from a MAC address by the ARP protocol.

  In step S306, the request relay unit 410 relays the request and response between the other connected server device 400b and the remote terminal 100.

  With the configuration described above, even when a plurality of server devices 400 are connected in the home NW constructed by the BBR 300, the corresponding server device 400 can be accessed by accessing each access URL from the remote terminal 100. It becomes possible to access the unique service means 409. At this time, it does not depend on the port forward setting contents in the BBR 300, and the access URL does not change by affecting the port forward setting contents.

  Thus, according to the access system according to the present embodiment, the server device 400a generates an access URL including information for specifying the server device 400a in the local network (home NW), while the remote terminal Since the request is received from 100 and the request is relayed to the other server device 400b identified from the access URL corresponding to this request, the server device 400a connected to the home NW receives the request from the remote terminal 100. Since requests that are not addressed to the own device can be relayed to the other server device 400b or the like, even in a situation where only a limited port can be accessed from an external communication terminal device (remote terminal 100), a plurality of devices in the home NW can be accessed. Remote access can be realized.

  Even under IPv6 conditions, there are cases where firewall settings are required in the BBR 300 for each individual device connected to the local network. In this case, in order to avoid the troublesome firewall setting, only the specific device connected to the local network is set as a firewall, and requests are sent to other devices via the specific device. You can make it a mechanism to receive. Therefore, it is not necessary to perform the firewall setting in the BBR 300 many times, and the user's troublesomeness can be reduced.

  In the above description, the MAC address is used to identify the server apparatus 400 in the home NW. However, when the DNS name is used as shown in FIG. 6 (a ′), the home NW is used. The IP address may be acquired by inquiring the DNS within the network. In addition, as shown in FIG. 6 (a ″), when an IP address (a part of) is used, the IP address is acquired while referring to the netmask and network address set in the home NW. It ’s fine. Further, as shown in FIG. 6 (a ′ ″), when an authentication code is given, the URL determination unit 408 determines whether the URL itself is a legitimate prior to extraction of the corresponding address. Can be checked. For example, an authentication code includes a designated MAC address, a specific network device, for example, a default gateway (BBR300) MAC address (which is not known to an attacker) and an exclusive OR of other magic codes. The URL determination unit 408 can determine whether the URL is a legitimate URL only by confirming only the URL. In addition to the MAC address of the default gateway, any data that can be specified as the same value by the server device of the local network, such as the DNS server or the IP address of the proxy server, without communicating with other server devices.

  Here, a case where a more specific service is provided using the server device 400 according to the present embodiment will be described. FIG. 17 is a block diagram illustrating a configuration of an access system to which a server apparatus 1400d that functions as a streaming server that enables streaming playback in the remote terminal 100 is connected. The server device 1400d is one of the embodiments of the server device 400. The port forward setting unit 1402 in which the function of the port forward setting unit 402 is expanded, and the unique service in which the function of the unique service unit 409 is expanded. Means 1409 are included.

  The port forward setting unit 1402 has a function of performing port forward setting according to an instruction from the unique service unit 1409, as compared with the port forward setting unit 402. The unique service unit 1409 has a function of instructing the port forward setting unit 402 at a predetermined timing and overwriting the port forward setting in the BBR 300 as compared with the unique service unit 409.

  Hereinafter, processing in the access system having the server apparatus 1400d having such a configuration will be described. FIG. 18 is a sequence chart for explaining processing in the access system having the server apparatus 1400d according to the present embodiment. Here, it is assumed that the access from the remote terminal 100 to the BBR 300 is set to be relayed to the server apparatus 400b by the port forward setting in the server apparatus 400b.

  In the access system configured as described above, when streaming playback is requested from the remote terminal 100, the content data is transmitted from the server apparatus 1400d via the server apparatus 400b via the BBR 300 as shown in FIG. (Steps S1401 to S1406). In this case, the content data has a relatively large data amount (or a high bit rate), which increases the load on the server device 400b that relays the data. If the server device 400b is configured with weak hardware, it may affect not only the operation of the server device 400b but also the quality of streaming playback. Further, when the content data requires real-time property, there is a possibility that a delay may occur due to passing through the server device 400b.

  Therefore, when it is assumed that the load of the server device 400b is higher than a predetermined value (a fixed value, a user setting value, or a value calculated so as not to affect other processing), Predetermined time (fixed time, user set time, or time calculated so as not to affect other processing; for example, 10 milliseconds, 100 milliseconds, 1 second, corresponding to the jitter buffer due to passing When it is assumed that the above delay occurs, the port forward setting of the BBR 300 is performed. For example, when streaming playback is foreseen (for example, when a metadata page for embedding a “play” link is requested, or when content data is divided into multiple blocks, the first block is requested. Etc.), the specific service unit 1409 issues an instruction to the port forward setting unit 1402 to overwrite the port forward setting content of the BBR 300 so that the content data does not pass through the server device 400b (steps S1407 to S1408). Here, although the load and delay are not actually measured, it may be normally assumed that the load and delay in the server device 400b become a problem by referring to the experiment during development and other products.

  In this way, by overwriting the port forward setting contents at the timing at which streaming playback is predicted, the next content data relay is directly transmitted from the server device 1400d to the remote terminal 100 via the BBR 300 ( Steps S1409 to S1412). As a result, it is possible to prevent an increase in the load on the server device 400b and to prevent a situation in which the quality of streaming playback is degraded. In addition, it is possible to prevent a delay from occurring in the content data output from the server device 1400d. On the other hand, even in this case, the access to the server apparatus 400b causes a problem because the request is transferred through the route of the remote terminal 100 → BBR300 → server apparatus 1400d → server apparatus 400b using the same URL. There is no.

  As described above, when the address setting via the other server device 400b is performed by the port forward setting unit 402, when the load on the other server device 400b becomes higher than a certain value, or via the other server device. When a delay of a certain time or more occurs due to the fact that port forwarding is set for the BRR 300, for example, a service with a high bit rate is being performed via the other server device 400b. In this case, since the data can be output without going through the other server device 400b, the load on the other server device 400b is prevented from increasing, and a delay occurs when the data is reproduced. Can be prevented.

(Second Embodiment)
The access system according to the second embodiment is different from the access system according to the first embodiment in that the function in security is improved. Normally, the server device 400 has a simple security function such as allowing reception of only a specific port. However, the security policy to be set is set to distinguish between access from the global NW and access from the local NW, and access from the local NW is often tolerated.

  In the server apparatus 400 according to the first embodiment, even when accessing from the global NW, a request is made directly via the BBR 300 (source IP is recognized as a global address), and by another server apparatus 400 It may be relayed (the source IP is recognized as a local address), and depending on the route, the security level may be lowered as a result. In the server device according to the second embodiment, a decrease in the security level that can occur in this way is prevented.

  FIG. 19 is a block diagram showing a configuration of an access system to which a server device according to the second embodiment of the present invention is connected. A server apparatus 2400a illustrated in FIG. 19 is one embodiment of the server apparatus 400a. The server apparatus 2400a is the same as the server apparatus 400a except that the server apparatus 2400a includes a request receiving unit 2407 that is an extension of the request receiving unit 407.

  The request receiving unit 2407 has a function of WAF (Web Application Firewall) in addition to the function of the request receiving unit 407. The WAF recognizes a pattern of HTTP application layer data, detects an attack, and blocks it if necessary. Examples of WAF implementation include “BIG-IP (R) Application Security Manager (http://www.f5networks.co.jp/)”, etc., which are well-known and will not be described in detail. Only specific examples are shown.

  For example, the request receiving means 2407 can be set with a pattern as shown in FIG. “Priority” represents the order in which patterns are applied, and FIG. 20 indicates that the patterns are applied in order from the upper pattern. “URL pattern” indicates a pattern of a URL to be detected. For example, a URL including “′ OR’t” = ”t” is detected. Note that this pattern is a typical SQL injection attack. If this pattern is executed on the server device 400 having this vulnerability, the password authentication is passed and the server device 400 is illegally operated. Become. Similarly, “| ls -la /” is a command injection attack pattern. “Action” represents how to process the detected request. For example, “400 error” means that an HTTP 400 error (Bad Request) is returned as a response.

  As described above, according to the access system according to the present embodiment, the request receiving unit 2407 compares the access URL included in the request with a predetermined pattern, and when the pattern is included in the access URL. Since the processing for the request is rejected, it is possible to prevent a situation in which the security level is lowered due to the relay processing of the request from the remote terminal 100 performed by the server device 2400a.

(Third embodiment)
In the first and second embodiments, description has been made assuming that all the devices having the server function accessed from the remote terminal 100 are the server device 400. However, the present invention is particularly suitable in this case. It is not limited. In the access system to which the server apparatus 3400 according to the third embodiment of the present invention is connected, for example, there is one conventional server apparatus 500 that is assumed to be accessed from the remote terminal 100, although it is not the server apparatus 400. Even when only a single server exists, the server device 3400 and the conventional server device 500 can be remotely accessed using a single port. Hereinafter, the configuration of the access system to which the server apparatus 3400 according to the third embodiment is connected will be described.

  FIG. 21 is a block diagram showing a configuration of an access system to which a server apparatus 3400 according to the third embodiment of the present invention is connected. A server device 3400 illustrated in FIG. 21 is one embodiment of the server device 400. The server apparatus 3400 includes a port forward setting unit 3402 in which the port forward setting unit 402 is expanded, an address storage unit 3404 in which the address storage unit 404 is expanded, a URL determination unit 3408 in which the URL determination unit 408 is expanded, and a relay destination determination unit 411. The server apparatus 400 is the same as the server apparatus 400 except that the relay destination determination means 3411 is provided.

  Compared to the port forward setting unit 402, the port forward setting unit 3402 has a function of acquiring a previous port forward setting from the BBR 300, and information on the acquired port forward setting in the address storage unit 3404 as “other IP”, “other port” The function to register as an item has been added. Compared to the address storage unit 404, the address storage unit 3404 has a function of storing “other IP” and “other port” items.

  Compared with the URL determination unit 408, the URL determination unit 3408 has a function capable of determining when a MAC address does not exist in the URL. Compared to the relay destination determination unit 411, the relay destination determination unit 3411 has a function of determining the address of the conventional server device 500 when there is no MAC address in the URL.

  The conventional server device 500 includes network means 501, port forward setting means 502, unique service means 509, and request receiving means 510. The network unit 501 is equivalent to the network unit 401. The port forward setting unit 502 is equivalent to the port forward setting unit 402. The unique service unit 509 is equivalent to the unique service unit 409, and implements a unique service in the conventional server device 500. The request receiving unit 510 is equivalent to the request receiving unit 410.

  Hereinafter, processing in the access system to which the server apparatus 3400 having such a configuration is connected will be described. FIG. 22 is a sequence chart for explaining processing in the access system to which the server apparatus 3400 according to this embodiment is connected. FIG. 23 and FIG. 24 are flowcharts for explaining the operation in the access system having the server device 3400 according to the present embodiment.

  As shown in FIG. 22, in step S3401, the conventional server device 500 performs port forward setting for the BBR 300 using the port forward setting means 502. In this state, access to the BBR 300 by the remote terminal 100 is port-forwarded to the conventional server device 500 without going through the server device 3400 (step S3402).

  Next, in step S3403, server apparatus 3400 is connected to home NW and performs port forward setting. Specifically, as shown in FIG. 23, when the server apparatus 3400 is connected to the home NW (step S2101), the MAC address of the network means 401 is detected in step 2102, and the current port forward setting is detected in step S2103. To get. In order to obtain the port forward setting, a GetGenericPortMappingEntry function of the WANIPConnection service of UPnP IGD may be used.

  Here, since the port forward setting by the conventional server device 500 is performed in advance (step S2104: Yes), it is registered in the address storage means 3404 as “other IP” and “other port” items (step S2105). ). Here, the IP address of the conventional server device 500 is registered in “other IP”, and the port number used for service processing by the conventional server device 500 is registered in “other port”.

  If port forward setting is not performed by the conventional server device 500 (step S2104: No), the contents of “other IP” are cleared (step S2106: However, in this case, the conventional server device 500 does not exist). Therefore, it will be as described in the first embodiment). Steps S2107 to S2109 are equivalent to steps S103 to S105. That is, the port forward setting unit 3402 sets port forward (S2107), registers the address information in the address storage unit 3404 (S2108), and repeats the processing of S2102 to S2108 (S2109). By performing such a series of processing, the BBR 300 is set to be port-forwarded to the server apparatus 3400.

  Here, as shown in FIG. 22, when the remote terminal 100 accesses the conventional server device 500 in step S3404, the URL determination means 3408 determines in step S3405 that the access is to the conventional server device 500, The request relay unit 410 relays the address determined by the relay destination determination unit 3411.

  Specifically, as shown in FIG. 24, first, in step S2301, the request receiving unit 407 receives an HTTP request from the remote terminal 100. Next, in step S2302, the URL determination unit 408 extracts the <MAC address> part. Then, in step S2303, it is determined whether or not the extracted MAC address portion belongs to the own server device 3400. If it belongs to the own server device 3400, an HTTP request is passed to the unique service means 409. Therefore, in step S2304, the unique service of the server device 3400 is processed and the processing result is transmitted to the remote terminal 100. Become.

  On the other hand, if the MAC address portion could not be extracted in step S2303, the address registered as “other IP” and “other port” items in the address storage means 3404 is acquired as the corresponding terminal in step S2305. Connecting. If “other IP” is cleared, there is no connection destination and an error is returned. Thereafter, in step S2306, the request relay unit 410 performs request and response relay processing with the remote terminal 100 for the connected conventional server device 500.

  If the conventional server device 500 happens to be stopped and there is no port forward setting on the BBR 300 for the conventional server device 500, even if the conventional server device 500 is later restored, Since the information such as “” has not been saved, the above-described processing does not result in the expected state. However, in such a case, the state can be expected by restarting again in the order of the conventional server device 500 → the server device 400, etc., so that it can be described as a recovery method that is easy for general users to understand. .

  Thus, according to the access system according to the present embodiment, in the server device 3400, when the MAC address does not exist in the access URL included in the request from the remote terminal 100, it is relayed to the conventional server device 500. Even in a configuration in which the conventional server device 500 that is not the server device 3400 according to the present invention exists in the home NW, each server device 3400 and the conventional server device can be connected from the remote terminal 100 using a single port on the BBR 300. 500 can be accessed.

(Fourth embodiment)
In the access systems according to the first to third embodiments, the server device 400 or the like includes the port forward setting unit 402, and the URL generation unit 405 using the external address of the BBR 300 acquired by the port forward setting unit 402. Shows a case where the URL for access is generated. The access system according to the fourth embodiment differs from the access systems according to the first to third embodiments in that no port forward setting means is provided.

  FIG. 25 is a block diagram showing a configuration of an access system to which a server device according to the fourth embodiment of the present invention is connected. A server apparatus 4400 illustrated in FIG. 25 is one embodiment of the server apparatus 400. The server device 4400 is not provided with the port forward setting unit 402, and includes the address storage unit 4404 obtained by expanding the address storage unit 404 and the URL generation unit 4405 obtained by expanding the URL generation unit 405. Is equivalent to

  The address storage unit 4404 stores the MAC address, IP address, and the like detected by the address detection unit 403 as in the above-described embodiment, but the external address of the BBR 300 is not acquired by the port forward setting unit 402. The fact that “to be determined” is stored in the external address.

  The URL generation unit 4405 generates an access URL including a dummy character string at a position corresponding to the external address of the BBR 300. That is, in the access system according to the above-described embodiment, when generating the access URL, the external address of the BBR 300 is required. However, part of the access URL may be specified by the user of the remote terminal 100 and the access URL may be completed. The URL generation unit 4405 generates an access URL including a dummy character string from such a viewpoint.

  For example, in this case, the generated URL for access is represented as “http: // your domain here / 001B23456789 / recorder”. Here, an example of an access URL corresponding to the HDD recorder shown in FIG. In addition, although the case where “your domain here” is set as a dummy character string is shown here, the dummy character string can be changed to an arbitrary character string.

  In the server apparatus 4400 according to the present embodiment, the URL for access generated in this way is output to the URL output unit 406 in the manner described above. Then, when registering at the remote terminal 100, the user edits the URL for access to make a correct host unit, so that the complete URL for access can be obtained.

  For example, the user of the remote terminal 100 may acquire the host part information of the access URL in the following manner. If a fixed IP address is assigned as the external address of the BBR 300, that IP address is used. Further, when the user has acquired a domain (for example, “.com”, etc.), the domain is changed to the domain. In this case, when the Dynamic DNS service is used, even when the external IP address of the BBR 300 is dynamically allocated, it is possible to cope with a fixed domain name.

  Although the case where the access URL is edited by the remote terminal 100 is shown here, the host unit is input to the access URL by the administrator of the server apparatus 4400 in the step of output by the URL output means 406. May be. For example, when the URL output unit 406 is configured by the URL output unit 406a shown in FIG. 7, the mail address of the remote terminal 100 is input, and an HTML page capable of inputting the host part of the access URL is displayed. It is possible.

  FIG. 26 shows a screen configuration example of the HTML page. In the HTML page screen shown in FIG. 26, “http: // ***** / 001B23456789 / recorder” is displayed as the URL for access, and the host name or domain name is added to “*****”. , A field for inputting the mail address of the remote terminal 100 (mail address input field), and a send button for instructing transmission of the access URL. By entering the host name in such an HTML page, an access URL containing an appropriate host name can be created, so that the access URL can be registered in the remote terminal 100 in the same manner as in the embodiment described above. It becomes. The same applies when generating a QR code.

  In the access system according to the fourth embodiment, the address translation setting for a specific server device (for example, the server device 4400) is manually input only once for the BBR 300 connected in the home NW. (Therefore, access to the BBR 300 from all the global NWs 200 is forwarded to the server apparatus 4400). However, when another server device 400b or the like is added to the home NW after that, it is not necessary to perform address conversion setting in the BBR 300, and therefore an access URL is generated without worrying about address conversion setting. be able to. As a result, when there is an access from the remote terminal 100, the server device 4400 relays to the other server device 400b or the like as necessary, so even in a situation where only a limited port can be accessed from an external communication terminal device. It becomes possible to realize access to a plurality of devices in the home network.

  If the Dynamic DNS service can be used as described above, the URL generation unit 4405 and the URL output unit 406 may automatically perform processing for acquiring a fixed domain name. For example, when a DNS record is registered from the URL output unit 406 with a user ID and a password as necessary for a Dynamic DNS service registered in advance, an HTTP response or DNS search corresponding to this is performed. Since the DNS domain name can be acquired, it is conceivable that the URL generation means 4405 uses the DNS domain name or the like as the host part of the access URL.

  As described above, the embodiments and embodiments of the present invention have been described. However, the embodiments and embodiments disclosed this time should be considered as illustrative in all points and not restrictive. It is. The scope of the present invention is defined by the terms of the claims, and includes meanings equivalent to the terms of the claims and all modifications within the scope.

  For example, in the access system according to the above-described embodiment, the remote terminal 100 can access the server device 400 or the like using a known WEB browser function, but provides a user interface with higher usability. A dedicated application may be prepared. In such a dedicated application, for example, it is possible to register an easy-to-understand name associated with the access URL, or to connect from the screen on which the server device 400 as a connection destination is displayed as a list. It is preferable to make it.

  FIG. 27 and FIG. 28 are diagrams showing examples of display screens of dedicated applications displayed on the remote terminal 100 of the access system according to the present embodiment. FIG. 27 shows an example of a name registration screen associated with the access URL, and FIG. 28 shows an example of a connection screen for the server apparatus 400 as a connection destination. In FIG. 27, the display of the access URL is omitted.

  In FIG. 27, an access URL input field, a name input field associated therewith, and a setting button for instructing setting are provided. The user of the remote terminal 100 inputs the URL for access corresponding to the server device 400 or the like connected to the home NW and an arbitrary name from such a registration screen, and selects a setting button. It is possible to register a desired access URL and name. Note that the access URL input method is not limited to a specific method, and any method can be adopted. Instead of inputting directly, it is also possible to quote and display an access URL transmitted from the server device 400 or the like.

  In FIG. 28, a list of names registered in association with the URL for access via the registration screen shown in FIG. 27 and a connection button for instructing connection are displayed. Here, a case where names of “recorder control”, “air conditioner control”, “refrigerator control”, and “pet feeder control” are displayed in a list is shown. The user of the remote terminal 100 can access the server device 400 or the like corresponding to the selected name by selecting a desired name with an arrow button or the like from such a list display and selecting a connection button. It becomes.

It is a block diagram which shows the structure of the access system to which the server apparatus which concerns on the 1st Embodiment of this invention is connected. It is a flowchart for demonstrating the process at the time of connecting the server apparatus which concerns on 1st Embodiment to a home NW. It is a figure which shows an example of the port forward setting set to BBR in the access system which concerns on 1st Embodiment. It is a figure which shows an example of the address information registered into the address storage means of the server apparatus which concerns on 1st Embodiment. It is a flowchart for demonstrating the process at the time of registering URL for accessing the server apparatus which concerns on 1st Embodiment with a remote terminal. It is a figure which shows another example of URL for access with respect to the server apparatus which concerns on 1st Embodiment. It is a block diagram which shows an example of the URL output means which the server apparatus which concerns on 1st Embodiment has. It is a flowchart for demonstrating the operation | movement in the 1st output mode of URL for access in the server apparatus which concerns on 1st Embodiment. It is a figure which shows the example of a screen structure of the HTML page output from the server apparatus which concerns on 1st Embodiment. It is a figure which shows an example of the content of the email message transmitted to the remote terminal from the server apparatus which concerns on 1st Embodiment. It is a block diagram which shows another example of the URL output means which the server apparatus which concerns on 1st Embodiment has. It is a flowchart for demonstrating the operation | movement in the 2nd output mode of URL for access in the server apparatus which concerns on 1st Embodiment. It is a figure which shows the structural example of the liquid crystal display screen displayed by the server apparatus which concerns on 1st Embodiment. It is a flowchart for demonstrating the process at the time of accessing the server apparatus which concerns on 1st Embodiment from a remote terminal. It is a figure which shows an example of URL for access which the remote terminal which concerns on 1st Embodiment refers. It is a figure which shows another example of URL for access which the remote terminal which concerns on 1st Embodiment refers. It is a block diagram which shows the structure of the access system in the case of making the server apparatus which concerns on 1st Embodiment function as a streaming server. It is a sequence chart for demonstrating the process in the access system shown in FIG. It is a block diagram which shows the structure of the access system with which the server apparatus which concerns on the 2nd Embodiment of this invention is connected. It is a figure which shows an example of the pattern set to the request reception means of the server apparatus which concerns on 2nd Embodiment. It is a block diagram which shows the structure of the access system with which the server apparatus which concerns on the 3rd Embodiment of this invention is connected. It is a sequence chart for demonstrating the process in the access system to which the server apparatus which concerns on 3rd Embodiment is connected. It is a flowchart for demonstrating the operation | movement in the access system which has a server apparatus concerning 3rd Embodiment. It is a flowchart for demonstrating the operation | movement in the access system which has a server apparatus concerning 3rd Embodiment. It is a block diagram which shows the structure of the access system with which the server apparatus which concerns on the 4th Embodiment of this invention is connected. It is a figure which shows the example of a screen structure of the HTML page output from the server apparatus which concerns on 4th Embodiment. It is a figure which shows an example of the display screen of a dedicated application displayed on the remote terminal of the access system which concerns on the said embodiment. It is a figure which shows an example of the display screen of a dedicated application displayed on the remote terminal of the access system which concerns on the said embodiment.

Explanation of symbols

100 Remote terminal 200 Global network 300 Broadband router (BBR)
400a to c, 1400d, 2400a, 3400, 4400 Server device 401 Network means 402, 1402, 3402 Port forward setting means 403 Address detection means 404, 3404, 4404 Address storage means 405, 4405 URL generation means 406 URL output means 407, 2407 Request receiving means 408, 3408 URL determining means 409, 1409 Specific service means 410 Request relay means 411 Relay destination determining means 4101 UPnP device means 4102 WWW server means 4103 Service HTML
4104 SMTP client means 4201 Video output means 4202 QR code generating means 4203 Setting instruction means 500 Conventional server device 501 Network means 502 Port forward setting means 509 Specific service means 510 Request receiving means 1000 Personal computer 1101 UPnP control point means 1102 WWW browser

Claims (20)

A server device connected to a local network that provides a service to a communication terminal device,
Request receiving means for receiving a request capable of specifying another server device;
Request relay means for relaying the request to the other server device specified by the request. Resource identifier generating means for generating an access resource identifier component including information for identifying the server device in a local network;
Resource identifier output means for outputting the access resource identifier component to cause the communication terminal device to register, further comprising:
The server apparatus, wherein the request received by the request receiving means is a request corresponding to the access resource identifier component.   Address conversion setting means for performing address conversion setting so that an external network device having an address conversion function between a global address and a local address can access the server function of the own device by a request corresponding to the access resource identifier component. The server device according to claim 2, further comprising:   4. The server apparatus according to claim 2, wherein the resource identifier generating unit generates the access resource identifier component including a MAC (Media Access Control) address of the own apparatus.   4. The server apparatus according to claim 2, wherein the resource identifier generation unit generates the access resource identifier component including an IP (Internet Protocol) address assigned to the own apparatus.   The resource identifier generation means includes an authentication code for determining that the information included in the access resource identifier component is legitimate when generating the access resource identifier component. The server device according to any one of claims 2 to 5.   The server device according to claim 6, wherein the resource identifier generation unit generates the authentication code using a MAC address of a specific network device.   8. The server apparatus according to claim 2, wherein the resource identifier output unit transmits an e-mail message including the access resource identifier component to the communication terminal apparatus.   8. The server according to claim 2, wherein the resource identifier output unit converts the resource identifier for access into a format that can be recognized by the communication terminal device and displays the same. apparatus.   10. The server apparatus according to claim 9, wherein the resource identifier output means converts the access resource identifier component into a two-dimensional barcode format as the image recognizable format.   4. The server apparatus according to claim 3, wherein the address translation setting unit repeatedly performs address translation settings for the external network apparatus in a predetermined period.   In the case of address setting via another server device, the address conversion setting means is assumed that the load on the other server device is higher than a predetermined value, or via the other server device. 4. The server apparatus according to claim 3, wherein an address conversion setting is made for the external network apparatus when it is assumed that a delay of a predetermined time or more is caused.   12. The request according to any one of claims 1 to 11, wherein the request receiving means compares the request with a predetermined pattern, and rejects processing for the request when the pattern is included in the request. The server apparatus according to the above.   The address translation setting unit acquires a specific setting in the external network device, and the request relay unit is configured such that the access resource identifier component corresponding to the request received by the request receiving unit conforms to a predetermined format. 4. The server apparatus according to claim 3, wherein if there is not, the request is relayed to another server apparatus based on the specific setting acquired by the address translation setting means. Resource identifier input means for inputting an access resource identifier component including information for specifying the server device according to any one of claims 1 to 14,
Access means for accessing on the basis of the access resource identifier component. An access system comprising a communication terminal device and a server device connected to a local network for providing a service to the communication terminal device,
The server device
Resource identifier generating means for generating an access resource identifier component including information for identifying the server device in a local network;
Resource identifier output means for outputting the access resource identifier component to register the communication terminal device;
Request receiving means for receiving a request corresponding to the resource identifier component for access;
Request relay means for relaying the request to another server device identified from the access resource identifier component corresponding to the request received by the request receiving means,
The communication terminal device
Resource identifier input means for inputting the access resource identifier component generated by the server device;
And an access means for accessing based on the access resource identifier. An access method using a communication terminal device and a server device connected to a local network that provides a service to the communication terminal device,
Receiving a request capable of identifying another server device;
Relaying the request to the other server device specified by the received request. An access method using a communication terminal device and a server device connected to a local network that provides a service to the communication terminal device,
Inputting an access resource identifier component including information for identifying the server device;
And accessing based on the access resource identifier component. Computer
Request receiving means for receiving a request capable of specifying another server device;
An access program for causing another server device specified by the request received by the request receiving means to function as a request relay means for relaying the request. Computer
Resource identifier input means for inputting an access resource identifier component including information for specifying a server device connected to the local network;
An access program for causing an access means to access based on the access resource identifier component.

Images