The present invention relates to a communication management system, a management server, a VPN server, a terminal, a communication management method, and a program.
In recent years, mobile terminals have been utilized in various situations, and thus there are an increasing number of opportunities for hand-off of mobile terminals. For example, PTL 1 describes that, when a mobile terminal executes hand-off between a wireless connection via a mobile phone and a wireless connection via an NIC for LAN, the MAC address or IP address allocated to the NIC for LAN and the authentication state shared between the mobile terminal and a server are transmitted to the server. By using this information, the server restores the authentication state after hand-off.
[PTL 1] Japanese Patent Application Publication No. 2013-211781
When the connection method of a terminal is switched from a state of direct connection to a certain network to a state of connection to that network via a virtual private network (VPN connection), it is highly likely that the address allocated to the mobile terminal changes. When the address changes, there is a possibility that communication is interrupted.
An example of a problem to be solved by the present invention is to prevent a change of an address of a terminal even when a destination of connection of the terminal is switched from a first network to VPN connection.
According to the present invention, there is provided a communication management system being used together with a terminal being connectable to a first network, the communication management system including:
a VPN server for connecting the terminal to the first network by virtual private network (VPN) connection; and
a management server,
the management server including:
a processing unit that receives first address identification information capable of identifying a first address being an address allocated to the terminal in the first network, and correlates and stores, in a storage, the received first address identification information with terminal authentication information that authenticates the terminal; and
a management-side transmitting unit that reads out, upon receiving the terminal authentication information from the VPN server, the first address identification information associated with the terminal authentication information from the storage, and transmits the first address being identified by the first address identification information, to the VPN server,
the VPN server including:
an authentication information transfer unit that transmits the terminal authentication information of the terminal that requests the VPN connection, to the management server; and
a VPN connection unit that connects the terminal to the first network by the VPN connection by using an address identical to the first address transmitted from the management server.
According to the present invention, the above-described VPN server and the above-described management server are also provided.
According to the present invention, there is provided a communication management method using a VPN server and a management server, wherein
the VPN server and the management server are used together with a terminal being connectable to a first network,
the VPN server is configured to connect the terminal to the first network by virtual private network (VPN) connection,
the management server is configured to:
receive first address identification information capable of identifying a first address being an address allocated to the terminal in the first network, and correlate and store, in a storage, the received first address identification information with terminal authentication information that authenticates the terminal; and
read out, upon receiving the terminal authentication information from the VPN server, the first address identification information associated with the terminal authentication information from the storage, and transmit the first address that is identified by the first address identification information, to the VPN server, and
the VPN server is configured to:
transmit the terminal authentication information of the terminal that requests the VPN connection, to the management server; and
connect the terminal to the first network by the VPN connection by using an address identical to the first address transmitted from the management server.
According to the present invention, there is provided a communication management method using a computer,
the computer being configured to:
function as a VPN server being used together with a terminal being connectable to a first network, and a management server, the VPN server being configured to connect the terminal to the first network by virtual private network (VPN) connection;
transmit terminal authentication information of the terminal that requests the VPN connection, to the management server; and
connect the terminal to the first network by the VPN connection by using an address identical to a first address transmitted from the management server.
According to the present invention, there is provided a communication management method using a computer,
the computer being used together with a terminal being connectable to a first network, and a VPN server for connecting the terminal to the first network by virtual private network (VPN) connection,
the computer being configured to:
receive first address identification information capable of identifying a first address being an address allocated to the terminal in the first network, and correlate and store, in a storage, the received first address identification information with terminal authentication information that authenticates the terminal; and
read out, upon receiving the terminal authentication information from the VPN server, the first address identification information associated with the terminal authentication information from the storage, and transmit the first address being identified by the first address identification information, to the VPN server.
According to the present invention, there is provided a program being executable by a computer,
the program causing the computer to
function as a VPN server being used together with a terminal being connectable to a first network, and a management server, the VPN server being configured to connect the terminal to the first network by virtual private network (VPN) connection,
the program causing the computer to include:
a function of transmitting terminal authentication information of the terminal that requests the VPN connection, to the management server; and
a function of connecting the terminal to the first network by the VPN connection by using an address identical to a first address transmitted from the management server.
According to the present invention, there is provided a program being executable by a computer,
the computer being used together with a terminal being connectable to a first network, and a VPN server for connecting the terminal to the first network by virtual private network (VPN) connection,
the program causing the computer to include:
a function of receiving first address identification information capable of identifying a first address being an address allocated to the terminal in the first network, and correlating and storing, in a storage, the received first address identification information with terminal authentication information that authenticates the terminal; and
a function of reading out, upon receiving the terminal authentication information from the VPN server, the first address identification information associated with the terminal authentication information from the storage, and transmitting the first address being identified by the first address identification information, to the VPN server.
According to the present invention, even when a destination of connection of a terminal is switched from a first network to VPN connection, an address of the terminal is unchanged.
The above-described object, other objects, features and advantageous effects will become clearer by preferred example embodiments to be described below, and the following accompanying drawings.
The first network 22 is provided with an address dispensing apparatus 20. The address dispensing apparatus 20 is a server for address dispensing, such as a DHCP server, and allocates an address (e.g., IP address), which is used in the first network 22, to the terminal 50 which has connected to the first network 22. Hereinafter, the address allocated to the terminal 50 is described as “first address”. The address dispensing apparatus 20 dispenses the first address by correlating the first address with terminal identification information which identifies the terminal 50, and stores in a storage unit a correspondence relation between the first address and the terminal identification information. The storage unit may be built in the address dispensing apparatus 20, or may be disposed outside the address dispensing apparatus 20. The terminal identification information is, for example, a MAC address or International Mobile Subscriber Identity (IMSI).
In addition, the management server 10 and the VPN server 30 make an address, which is allocated to the terminal 50 in the first network when VPN connection has been established, identical to the first address. Hereinafter, the functions of the management server 10 and the VPN server 30 will be described in detail.
The processing unit 110 receives information capable of identifying the first address allocated to the terminal 50 (hereinafter referred to as “first address identification information”). The first address identification information is, for example, the above-described terminal identification information, but may be the first address itself. The transmission source of the first address identification information is, for example, the terminal 50, but may be some other apparatus (e.g., address dispensing apparatus 20). In addition, the processing unit 110 generates information for authenticating the terminal 50 (hereinafter referred to as “terminal authentication information”) to the terminal 50, and correlates, and stores in the storage unit 120, the terminal authentication information and the first address identification information. The terminal authentication information is, for example, a combination of an ID and a password, but is not limited to this.
The processing unit 110 transmits the terminal authentication information to the terminal 50. When connecting to the first network via the second network 40 by VPN connection, the terminal 50 transmits the terminal authentication information to the VPN server 30 via the router 42. The VPN server 30 transmits the terminal authentication information received from the terminal 50 to the management server 10.
Upon receiving the terminal authentication information from the VPN server 30, the management-side transmitting unit 130 reads out first address identification information associated with the terminal authentication information from the storage unit 120, and transmits a first address, which is identified by the first address identification information, to the VPN server 30. For example, the management-side transmitting unit 130 receives the first address associated with the first address identification information from the address dispensing apparatus 20, and transmits the first address to the VPN server 30.
The input/output interface 610 is an interface for connecting the management server 10 and peripheral devices.
The network interface 612 is an interface for connecting the management server 10 to a communication network, for example, the first network 22. The method, by which the network interface 612 connects the management server 10 to the communication network, may be a wireless connection or a wired connection.
The storage device 608 stores a program module for realizing respective functional elements of the management server 10. The processor 604 realizes the respective functions of the management server 10 by reading out the program module into the memory 606 and executing the program module. In addition, the storage device 608 functions also as the storage unit 120.
Note that the hardware configuration of each of the VPN server 30 and the terminal 50 is similar to the hardware configuration of the management server 10.
Next, the communication control unit 540 transmits an issuance request for terminal authentication information to the management server 10. At this time, the terminal 50 transmits the first address identification information, i.e., the terminal identification information, to the management server 10 (step S20). Note that the transmission of the first address identification information may mean the issuance request for terminal authentication information.
The processing unit 110 of the management server 10 generates terminal authentication information of the terminal 50 (step S30), and correlates, and stores in the storage unit 120, the generated terminal authentication information and the first address identification information (step S40). Then, the processing unit 110 transmits the generated terminal authentication information to the terminal 50 (step S50). The VPN connection unit 520 of the terminal 50 stores the received terminal authentication information (step S60).
Like the example illustrated in
The processing unit 110 of the management server 10 executes authentication of the terminal 50 by using the terminal authentication information which is transmitted from the terminal 50 (step S32). If the authentication is successful (step S32: Yes), the processing unit 110 correlates and stores the first address identification information, which is transmitted from the terminal 50, and the terminal authentication information (step S42). Then, the processing unit 110 transmits to the terminal 50 information (process end information) indicating that the process has been normally terminated (step S52).
Before the process illustrated in
Upon receiving the terminal authentication information from the terminal 50, the authentication information transfer unit 310 of the VPN server 30 transmits the terminal authentication information to the management server 10 (step S130).
Upon receiving the terminal authentication information from the VPN server 30, the management-side transmitting unit 130 of the management server 10 executes an authentication process for the terminal authentication information (step S140). If the authentication is successful (step S140: Yes), the management-side transmitting unit 130 reads out the terminal identification information associated with the terminal authentication information from the storage unit 120 (step S150), and transmits the read-out terminal identification information to the address dispensing apparatus 20 (inquiry process: step S160).
The address dispensing apparatus 20 reads out the first address, which corresponds to the terminal identification information transmitted from the management server 10, from the storage unit, and transmits the read-out first address to the management server 10 (step S170). The management-side transmitting unit 130 of the management server 10 transmits the first address, which is received from the address dispensing apparatus 20, to the VPN server 30 (step S180). The VPN connection unit 320 of the VPN server 30 connects the terminal 50 to the first network 22 by VPN connection, by using an address identical to the first address received from the management server 10 (step S190).
The process from step S110 to step S140 is similar to the process in the example illustrated in
To begin with, the process from step S110 to step S140 is similar to the process in the example illustrated in
When the authentication fails, i.e., when the terminal 50 has never connected to the first network 22 (step S140: No), or when the read-out of the terminal identification information associated with the terminal authentication information fails (step S154: No), the management-side transmitting unit 130 of the management server 10 transmits to the VPN server 30 information (authentication failure information) indicating that the authentication failed (step S200). Upon receiving the authentication failure information, the VPN connection unit 320 of the VPN server 30 selects an address (hereinafter referred to as “second address”) to be allocated to the terminal 50 from among the addresses that the VPN connection unit 320 manages, and connects the terminal 50 to the first network 22 by VPN connection by using the second address (step S220).
Thereafter, upon detecting the entering to the range of communication of the first network 22, the communication control unit 540 of the terminal 50 monitors whether the operation of the application using the VPN connection is terminated or not, while continuing the VPN connection. If the operation of the application ends, the communication control unit 540 terminates the VPN connection (step S230).
Subsequently, the communication control unit 540 of the terminal 50 connects to the first network 22. Then, the process described with reference to step S10 to step S60 of
As described above, according to the present example embodiment, the terminal 50 establishes the VPN connection when the terminal 50 has moved out of the range of communication of the first network 22 and into the range of communication of the second network 40. At this time, the management server 10 transmits the address (first address), which has been allocated to the terminal 50 in the first network 22, to the VPN server 30. Thus, the VPN server 30 can connect the terminal 50 to the first network 22 by the VPN connection by using the first address. Accordingly, the terminal 50 can connect to the first network 22 by using the identical address (first address) even when the direct connection to the first network 22 is switched to the connection (VPN connection) via the VPN. Therefore, the possibility of interruption of communication at the time of switching can be lowered.
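The following is an added simulation of the handover flow described above (steps S20 to S60, S110 to S190 and the failure path S200 to S220); it is not code from the patent, and every class, method and address value in it is an assumption. Terminal authentication information is modelled as an ID/password pair, terminal identification information as a MAC address, and the address dispensing apparatus 20 as a DHCP-like lease table; the example also covers the two failure branches (unknown credentials, and a known terminal with no lease) by falling back to a second address.

```python
"""Simulation of address-preserving VPN hand-off (added example, not the patent's code).

All names are assumptions: the patent describes roles, not an API.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a verifier so the management server never stores the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AddressDispensingApparatus:
    """DHCP-like server of the first network (apparatus 20 in the text)."""

    def __init__(self, pool: List[str]) -> None:
        self._pool = list(pool)
        self._leases: Dict[str, str] = {}  # terminal identification info (MAC) -> first address

    def allocate(self, mac: str) -> str:
        """Allocate (or re-use) a first address for the terminal identified by `mac`."""
        if mac not in self._leases:
            self._leases[mac] = self._pool.pop(0)
        return self._leases[mac]

    def lookup(self, mac: str) -> Optional[str]:
        """Inquiry process (step S160/S170): return the lease or None."""
        return self._leases.get(mac)


class ManagementServer:
    """Management server 10: issues credentials and maps them to address id info."""

    def __init__(self, dispenser: AddressDispensingApparatus) -> None:
        self._dispenser = dispenser
        self._store: Dict[str, Tuple[bytes, bytes, str]] = {}  # id -> (salt, verifier, mac)

    def issue_credentials(self, mac: str) -> Tuple[str, str]:
        """Steps S30-S50: generate auth info, store it with the MAC, hand it back."""
        terminal_id = secrets.token_hex(4)
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._store[terminal_id] = (salt, _hash_password(password, salt), mac)
        return terminal_id, password

    def resolve_first_address(self, terminal_id: str, password: str) -> Optional[str]:
        """Steps S140-S170: authenticate, read out the MAC, ask the dispenser.

        Returns None on authentication failure (S140: No) or when no lease
        exists for the terminal (S154: No); the caller then takes the fallback path.
        """
        record = self._store.get(terminal_id)
        if record is None:
            return None
        salt, verifier, mac = record
        if not hmac.compare_digest(verifier, _hash_password(password, salt)):
            return None
        return self._dispenser.lookup(mac)


class VPNServer:
    """VPN server 30: forwards auth info, reuses the first address or picks a second one."""

    def __init__(self, mgmt: ManagementServer, fallback_pool: List[str]) -> None:
        self._mgmt = mgmt
        self._fallback = list(fallback_pool)

    def connect(self, terminal_id: str, password: str) -> Tuple[str, bool]:
        """Return (address used, True if the first address was preserved)."""
        first = self._mgmt.resolve_first_address(terminal_id, password)  # S130/S180
        if first is not None:
            return first, True  # S190: identical address, no interruption
        return self._fallback.pop(0), False  # S200/S220: second address


def run_handover(registered: bool, leased: bool = True, correct_password: bool = True):
    """Constructed scenario: register on the first network, then reconnect via VPN.

    Returns (first address or None, address used over the VPN, preserved flag).
    """
    dispenser = AddressDispensingApparatus(["10.0.0.11", "10.0.0.12"])  # constructed pool
    mgmt = ManagementServer(dispenser)
    vpn = VPNServer(mgmt, ["10.0.0.201"])  # constructed second-address pool
    mac = "02:00:00:00:00:01"  # constructed terminal identification information
    first = dispenser.allocate(mac) if leased else None
    if registered:
        terminal_id, password = mgmt.issue_credentials(mac)
    else:
        terminal_id, password = "unregistered", "no-such-password"
    if not correct_password:
        password += "!"  # simulate a wrong or tampered credential
    address, preserved = vpn.connect(terminal_id, password)
    return first, address, preserved
```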
Note that in the above-described embodiment, when the terminal 50 has moved within the first network 22, or has moved between the first network 22 and the second network 40, while holding the first address or the second address, the terminal 50 may send a Gratuitous ARP (RFC 5227) directly or via the VPN connection. By doing so, the ARP cache or L3 table in the first network 22 is updated, and, as a result, a communication packet addressed to the terminal 50 reaches the terminal 50 within the first network 22.
Hereinafter, examples of reference modes will be supplementally noted.
1. A communication management system being used together with a terminal being connectable to a first network, the communication management system including:
a VPN server for connecting the terminal to the first network by virtual private network (VPN) connection; and
a management server,
the management server including:
a processing unit that receives first address identification information capable of identifying a first address being an address allocated to the terminal in the first network, and correlates and stores, in storage, the received first address identification information with terminal authentication information that authenticates the terminal; and
a management-side transmitting unit that reads out, upon receiving the terminal authentication information from the VPN server, the first address identification information associated with the terminal authentication information from the storage, and transmits the first address being identified by the first address identification information, to the VPN server,
the VPN server including:
an authentication information transfer unit that transmits the terminal authentication information of the terminal that requests the VPN connection, to the management server; and
a VPN connection unit that connects the terminal to the first network by the VPN connection by using an address identical to the first address transmitted from the management server.
2. The communication management system according to the above 1, wherein
an address dispensing server that dispenses an address in the first network correlates and stores the first address with first terminal identification information that identifies the terminal,
the first address identification information is the first terminal identification information, and
the management-side transmitting unit of the management server sends an inquiry about the first address associated with the first terminal identification information to the address dispensing server, and transmits the first address received from the address dispensing server, to the VPN server.
3. The communication management system according to the above 2, wherein
the management-side transmitting unit of the management server transmits second terminal identification information being different from the first terminal identification information, to the address dispensing server, and causes the address dispensing server to correlate and store the second terminal identification information with the first address.
4. The communication management system according to the above 1, wherein
the first address identification information is the first address.
5. The communication management system according to any one of the above 1 to 4, wherein
the management-side transmitting unit of the management server transmits, when the first address associated with the terminal authentication information is absent, address absence information indicating to that effect to the VPN server, and
the VPN connection unit of the VPN server connects, upon receiving the address absence information, the terminal to the first network by the VPN connection by using an address whose coincidence with the first address is not ensured.
6. The communication management system according to the above 5, further including the terminal, wherein,
in the terminal, a specific application is using the VPN connection, and
the terminal includes a communication control unit that terminates the VPN connection and directly connects to the first network, after the terminal becomes also connectable to the first network and an operation of the specific application is stopped.
7. A VPN server being used together with a terminal being connectable to a first network, and a management server, the VPN server being configured to connect the terminal to the first network by virtual private network (VPN) connection, the VPN server including:
an authentication information transfer unit that transmits terminal authentication information of the terminal that requests the VPN connection, to the management server; and
a VPN connection unit that connects the terminal to the first network by the VPN connection by using an address identical to the first address transmitted from the management server.
8. A management server being used together with a terminal being connectable to a first network, and a VPN server for connecting the terminal to the first network by virtual private network (VPN) connection, the management server including:
a processing unit that receives first address identification information capable of identifying a first address being an address allocated to the terminal in the first network, and correlates and stores, in a storage, the received first address identification information with terminal authentication information that authenticates the terminal; and
a management-side transmitting unit that reads out, upon receiving the terminal authentication information from the VPN server, the first address identification information associated with the terminal authentication information from the storage, and transmits the first address being identified by the first address identification information, to the VPN server.
9. A terminal being connectable to a first network and connectable to the first network by a VPN server by virtual private network (VPN) connection, wherein,
in the terminal, a specific application is using the VPN connection, and
the terminal includes a communication control unit that terminates the VPN connection and directly connects to the first network, after the terminal becomes also connectable to the first network and an operation of the specific application is stopped.
10. A communication management method using a VPN server and a management server, wherein
the VPN server and the management server are used together with a terminal being connectable to a first network,
the VPN server is configured to connect the terminal to the first network by virtual private network (VPN) connection,
the management server is configured to:
receive first address identification information capable of identifying a first address being an address allocated to the terminal in the first network, and correlate and store, in a storage, the received first address identification information with terminal authentication information that authenticates the terminal; and
read out, upon receiving the terminal authentication information from the VPN server, the first address identification information associated with the terminal authentication information from the storage, and transmit the first address being identified by the first address identification information, to the VPN server, and
the VPN server is configured to:
transmit the terminal authentication information of the terminal that requests the VPN connection, to the management server; and
connect the terminal to the first network by the VPN connection by using an address identical to the first address transmitted from the management server.
11. The communication management method according to the above 10, wherein
an address dispensing server that dispenses an address in the first network correlates and stores the first address with first terminal identification information that identifies the terminal,
the first address identification information is the first terminal identification information, and
the management server sends an inquiry about the first address associated with the first terminal identification information to the address dispensing server, and transmits the first address received from the address dispensing server, to the VPN server.
12. The communication management method according to the above 11, wherein
the management server transmits second terminal identification information being different from the first terminal identification information, to the address dispensing server, and causes the address dispensing server to correlate and store the second terminal identification information with the first address.
13. The communication management method according to the above 11, wherein
the first address identification information is the first address.
14. The communication management method according to any one of the above 10 to 13, wherein
the management server transmits, when the first address associated with the terminal authentication information is absent, address absence information indicating to that effect to the VPN server, and
the VPN server connects, upon receiving the address absence information, the terminal to the first network by the VPN connection by using an address whose coincidence with the first address is not ensured.
15. The communication management method according to the above 14, further including the terminal, wherein,
in the terminal, a specific application is using the VPN connection, and
the terminal includes a communication control unit that terminates the VPN connection and directly connects to the first network, after the terminal becomes also connectable to the first network and an operation of the specific application is stopped.
16. A communication management method using a computer,
the computer being configured to:
function as a VPN server being used together with a terminal being connectable to a first network, and a management server, the VPN server being configured to connect the terminal to the first network by virtual private network (VPN) connection;
transmit terminal authentication information of the terminal that requests the VPN connection, to the management server; and
connect the terminal to the first network by the VPN connection by using an address identical to a first address transmitted from the management server.
17. A communication management method using a computer,
the computer being used together with a terminal being connectable to a first network, and a VPN server for connecting the terminal to the first network by virtual private network (VPN) connection, and
the computer being configured to:
receive first address identification information capable of identifying a first address being an address allocated to the terminal in the first network, and correlate and store, in a storage, the received first address identification information with terminal authentication information that authenticates the terminal; and
read out, upon receiving the terminal authentication information from the VPN server, the first address identification information associated with the terminal authentication information from the storage, and transmit the first address being identified by the first address identification information, to the VPN server.
18. A program being executable by a computer,
the program causing the computer to
function as a VPN server being used together with a terminal being connectable to a first network, and a management server, the VPN server being configured to connect the terminal to the first network by virtual private network (VPN) connection,
the program causing the computer to include:
a function of transmitting terminal authentication information of the terminal that requests the VPN connection, to the management server; and
a function of connecting the terminal to the first network by the VPN connection by using an address identical to a first address transmitted from the management server.
19. A program being executable by a computer,
the computer being used together with a terminal being connectable to a first network, and a VPN server for connecting the terminal to the first network by virtual private network (VPN) connection,
the program causing the computer to include:
a function of receiving first address identification information capable of identifying a first address being an address allocated to the terminal in the first network, and correlating and storing, in a storage, the received first address identification information with terminal authentication information that authenticates the terminal; and
a function of reading out, upon receiving the terminal authentication information from the VPN server, the first address identification information associated with the terminal authentication information from the storage, and transmitting the first address being identified by the first address identification information, to the VPN server.
The present application claims priority based on Japanese Patent Application No. 2019-008312, filed on Jan. 22, 2019; the entire contents of which are incorporated herein by reference.
Number | Date | Country | Kind |
---|---|---|---|
2019-008312 | Jan 2019 | JP | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2020/000404 | 1/9/2020 | WO | 00 |