This application claims the benefit of Taiwan's Patent Application No. 106127667, filed on Aug. 15, 2017, at Taiwan's Intellectual Property Office, the disclosures of which are incorporated herein in their entirety by reference.
Embodiments in the present disclosure are related to a network connection system and a connection method thereof, and more particularly to a remote network connection system and a connection method thereof.
In the prior art, there are two major technologies for supporting an employee on a business trip or working at home who needs to use the resources of the enterprise's computers. One is a VPN (virtual private network), and the other is remote desktop technology. As for the VPN, it is necessary to buy expensive equipment, set up the terminal equipment on the remote side and install software so that the VPN can cooperate with the terminal equipment. For example, a laptop or a smart phone carried by the employee needs to be installed and set up step by step, and it is complex and troublesome to prepare those installations and setups in advance. As for remote desktop technology, such as Citrix®, Chrome® or Teamviewer® technology, the software deployment cost is high, and the installation and configuration of the software and hardware for each user's terminal equipment are also time-consuming and complex. In addition, the operation of connecting to the internet is complicated and the security level is not high, so it still has drawbacks. Furthermore, in the above prior art, especially for a VPN, if the user of the terminal equipment does not only use the internal enterprise network, the network connection operations also have to be performed outside the internal enterprise network. Thus, all the packets related to the network connection first enter the VPN channel, and only then are they divided into different network streams according to the characteristics of the packets, which increases the channel traffic and decreases the network speed; this is also a drawback of the prior art.
Therefore, in view of the drawbacks in the prior art, the inventor has conceived an idea to improve upon the prior art, simplify the preparation tasks and greatly reduce the establishment cost of the software and hardware, by inventing the present application, “remote network connection system, access equipment and connection method thereof”, so as to overcome the drawbacks in the above prior art.
The purpose of the present application is to provide equipment, a system and a method for a novel remote network connection. By the present invention, an access point in an internal wireless network of an enterprise, organization or company can be extended to a remote terminal, i.e., a virtual internal network is established outside the physical internal network of the enterprise; namely, this virtual network is an extension of the internal enterprise network. By using a hardware unit having an enterprise WiFi communication protocol (such as CAPWAP or LWAPP), one network interface of the hardware unit can establish a tunnel connection with the enterprise. The tunnel connection means that a packet carrying a private network address is encapsulated into the payload part of a public connection packet to cross a public network (such as the internet) by using a tunneling protocol. Another network interface of the hardware unit is connected with one or more terminal equipments, and thus the aforementioned effects are achieved, i.e., the terminal equipment regards the hardware unit as the access point of the internal wireless network in the enterprise, the hardware and software configuration rules of each terminal equipment are the same as those used inside the enterprise, no additional setup is needed, and the only thing that has to be done is the setup of the hardware unit. In the disclosure of the present invention, access points such as a MiFi® device, a WiFi repeater or a smart phone can quickly be turned into virtual internal enterprise network hot spots after installing software on them or configuring them. It can be seen that the system disclosed in the present invention reduces the costs of establishing a remote office or a mobile office: only a few settings on an access equipment are required, and then the access equipment can provide multiple terminal equipments with the internet service.
In addition, the system disclosed in the present invention can perform a local breakout for each packet according to the packet's destination, for the different terminal equipments. If a packet's destination is in the internal enterprise network, the packet passes through the tunnel connection. Otherwise, it is connected directly to the internet at the access point. Therefore, the problem that arises when all packets pass through the tunnel connection, namely a bandwidth jam of the tunnel connection, can be avoided.
In accordance with one embodiment of the present disclosure, a remote network connection system is disclosed. The remote network connection system includes a gateway, a mobile office access equipment, a terminal equipment and a breakout unit. The gateway is connected in an enterprise network, and connected to an internet. The mobile office access equipment is connected to the gateway through the internet. The terminal equipment is connected to the internet through the mobile office access equipment, and transmits a packet having a destination address toward the gateway. The breakout unit is arranged in the mobile office access equipment, and, based on the destination address of the packet, either forms a public connection to obtain an internet service directly through the internet or forms a tunnel connection with the gateway.
In accordance with one embodiment of the present disclosure, a method of connecting a mobile office and a destination office through a tunnel connection is disclosed, wherein the destination office has a gateway, the mobile office uses a public network and produces a plurality of packets, and the method includes steps of providing an access equipment for the mobile office; causing the access equipment to be connected to the gateway; establishing a breakout rule for the plurality of packets, wherein the plurality of packets have a first packet and a second packet, and each of the plurality of packets has a destination address; and alternatively causing the first packet to use the public network to form a public connection, and causing the second packet to use the public network to form the tunnel connection according to the breakout rule.
In accordance with a further embodiment of the present disclosure, an access equipment for a mobile office includes an NAT (network address translation) unit, a router unit, a tunnel unit, a bridge unit and a local breakout unit. The router unit is connected to the NAT unit, the tunnel unit is connected to the router unit, and the bridge unit is connected to the router unit and the tunnel unit. The local breakout unit is connected to the bridge unit, and determines, based on a destination address of a packet, whether the packet is to be transmitted to an internet either from the bridge unit through the tunnel unit to the router unit to form a tunnel connection, or from the bridge unit through the router unit to the NAT unit to form a public connection.
The above embodiments and advantages of the present invention will become more readily apparent to those ordinarily skilled in the art after reviewing the following detailed descriptions and accompanying drawings.
Please refer to all Figs. of the present invention when reading the following detailed description, wherein all Figs. of the present invention demonstrate different embodiments of the present invention by showing examples, and help the skilled person in the art to understand how to implement the present invention. The present examples provide sufficient embodiments to demonstrate the spirit of the present invention, each embodiment does not conflict with the others, and new embodiments can be implemented through an arbitrary combination thereof, i.e., the present invention is not restricted to the embodiments disclosed in the present specification.
Please refer to
Please refer to
Moreover, the efficacy of the breakout unit 13 in the present invention is that the packet can be inspected and transmitted to the gateway 20 through the tunnel connection 4 by the mobile office access equipment 1 controlled by the breakout unit 13, if the purpose of the packet is to reach the enterprise network 2 to which the gateway 20 is internally connected. In addition, if the purpose of the packet is unrelated to the aforementioned purpose (such as entering a server of the enterprise network), the packet can be transmitted to the internet 3 through the public connection 31 by the mobile office access equipment 1 controlled by the breakout unit 13, rather than through the tunnel connection 4. The purpose of a packet usually indicates, but is not limited to, for example, a destination or an application. In order to simplify management, the purpose can be represented by a white list or a black list; that is, corresponding to different users (usually characterized by the employee's department, rank and category), different databases of the internal enterprise network are accessible to specific individuals.
Thus, when the purpose of a packet meets the contents of the white list, the packet will be transmitted to the gateway 20 through the tunnel connection 4 (which usually means the purpose of the packet is to enter the enterprise network 2). As to the environment of the mobile office access equipment 1, there is a first router R1 therein connected to the internet 3. As to the environment of the enterprise network 2 to which the gateway 20 is internally connected, there is a second router R2 therein connected to the internet 3. In addition, the mobile office access equipment 1 in the present invention can be one of a MiFi® device, a mobile phone or a computer having two communication interface units.
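As an added illustration (not code from the patent), the following Python model implements the breakout decision described in the paragraphs above together with the return-path handling of Embodiment 16, with the purpose of a packet reduced to destination prefixes held in a white list and a black list. The addresses, the tunnel port and the text encapsulation format are constructed assumptions; a real deployment would carry the inner packet in the enterprise tunneling protocol (such as CAPWAP).

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample addressing (assumptions for this example, not values from the patent).
ENTERPRISE_NET = "10.0.0.0/8"      # enterprise network 2 behind gateway 20
GUEST_NET = "10.200.0.0/16"        # a black-listed segment that must not use the tunnel
ACCESS_WAN_IP = "203.0.113.10"     # second network interface 17 of access equipment 1 (behind R1)
GATEWAY_WAN_IP = "198.51.100.1"    # public side of gateway 20 (behind R2)
TUNNEL_PORT = 5000                 # constructed tunnel port; the patent names no port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class BreakoutRule:
    """The 'purpose' of a packet, represented as destination prefixes (the white/black list)."""
    white_list: list                                # CIDR strings routed through tunnel connection 4
    black_list: list = field(default_factory=list)  # CIDR strings that never use the tunnel

    def __post_init__(self):
        self.white_list = [ipaddress.ip_network(n) for n in self.white_list]
        self.black_list = [ipaddress.ip_network(n) for n in self.black_list]

    def needs_tunnel(self, dst: str) -> bool:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in self.black_list):   # black list wins over white list
            return False
        return any(addr in net for net in self.white_list)


class AccessEquipment:
    """Bridge unit -> local breakout unit 13 -> (tunnel unit 15 | router unit 12 -> NAT unit 11)."""

    def __init__(self, rule: BreakoutRule):
        self.rule = rule
        self.nat_table = {}     # public source port -> (private src, private sport)
        self.next_port = 40000

    def forward(self, pkt: Packet):
        """Step S6 analogue: returns the chosen path and the packet leaving interface 17."""
        if self.rule.needs_tunnel(pkt.dst):
            # Tunnel: the private packet is carried as the payload of a public packet to gateway 20.
            inner = f"{pkt.src}:{pkt.sport}>{pkt.dst}:{pkt.dport}|".encode() + pkt.payload
            return "tunnel", Packet(ACCESS_WAN_IP, TUNNEL_PORT, GATEWAY_WAN_IP, TUNNEL_PORT, inner)
        # Local breakout: NAT rewrites the private source so the reply comes back to interface 17.
        public_port = self.next_port
        self.next_port += 1
        self.nat_table[public_port] = (pkt.src, pkt.sport)
        return "public", Packet(ACCESS_WAN_IP, public_port, pkt.dst, pkt.dport, pkt.payload)

    def receive(self, pkt: Packet):
        """Return path: decapsulate tunnel replies, reverse-NAT public replies, drop the rest."""
        if pkt.src == GATEWAY_WAN_IP and pkt.dport == TUNNEL_PORT:
            header, payload = pkt.payload.split(b"|", 1)
            src_part, dst_part = header.decode().split(">")
            src, sport = src_part.rsplit(":", 1)
            dst, dport = dst_part.rsplit(":", 1)
            return "tunnel", Packet(src, int(sport), dst, int(dport), payload)
        entry = self.nat_table.get(pkt.dport)
        if entry is None:       # unsolicited inbound traffic has no NAT state: do not forward it
            return "drop", None
        private_src, private_port = entry
        return "public", Packet(pkt.src, pkt.sport, private_src, private_port, pkt.payload)
```

The drop branch matters in practice: without NAT state for a port, an inbound packet on the public interface has no terminal to go to and must not be bridged into the remote network.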
Please refer to
Since wireless communication techniques are very mature and widespread, in most circumstances the mobile portable electronic equipment used by users connects to a wireless access point, and thus it is a reasonable arrangement for the enterprise gateway 20 to be a wireless access controller. Similarly, the network setting in Step S3 is usually a wireless network setting, so as to be applicable to laptops, notebooks etc. If combined with hardware to demonstrate the aforementioned method, the present invention provides a method that allows a mobile office 1′ (i.e., the remote local network 1′ in
Please refer to
After Step S5, the subsequent Step S51 relates to obtaining an IP address. In Step S51, it is determined whether the terminal equipment 5 uses a dynamic IP address. If not, as shown in Step S51N, i.e., not using a dynamic IP address, the next step is Step S51N1. In Step S51N1, the terminal equipment 5 uses the related setting of the static IP address in the enterprise network 2. If yes in Step S51, as shown in Step S51Y, i.e., using a dynamic IP address, the next step is Step S51Y1. In Step S51Y1, the terminal equipment 5 sends a dynamic address request to obtain the related setting of the internal enterprise network IP address through the tunnel unit 15 (
Next comes one of the key points of the present invention, i.e., the local breakout rule is related to the purpose of the packet. In Step S6, it is determined whether the purpose of the packet transmitted by the terminal equipment 5 meets the requirement of the local breakout rule. It is noted that herein, meeting the requirement of the local breakout rule indicates that the packet will be shunted at the place where the mobile office access equipment 1 is located, and the packet does not need to enter the tunnel connection 4. When the result in Step S6 is yes, as shown in Step S6Y, the local breakout unit 13 intercepts the packet and transmits it to a router unit 12, so that an NAT unit 11 translates a source address of the packet and then transmits the packet through a second network interface 17 (
Please refer to
Please refer to
Please refer to
Please refer to
Overall, a remote network connection system, an access equipment and a connecting method thereof are disclosed in the present invention. The purpose of the invention is described in the aforementioned paragraphs, and is to minimize the building costs of the mobile office to be as low as possible. A hardware unit (such as the mobile office access equipment 1) having two or more network interfaces is provided, and after easily setting up the hardware unit, it can serve as a wireless access point as if it were used in the enterprise network. The setting contents of the access equipment are listed as follows: the ID code of the access equipment, the tunnel connection settings, the local breakout rule, the user account and password, and so on. Basically, once these settings are complete, the building of the remote office or the mobile office is complete. These settings are easier than the VPN settings in the prior art. The registration process of the access equipment is also simple. At first, the mobile office access equipment is connected to the internet. Afterward, a user inputs the address of the enterprise gateway 20 into the user interface unit of the access equipment. Afterward, the access equipment transmits a management request to the enterprise gateway. Afterward, the enterprise gateway 20 manages the access equipment. Later on, the enterprise gateway 20 sets up the access equipment, such as the wireless network address (e.g. a service set identifier (SSID)) which the access equipment needs to use, and the local breakout rule used by each wireless network (remote area network, i.e., the wireless network where the mobile office is located). In addition, regarding the management described above, the user can input the MAC address or ID code of the mobile office access equipment into the enterprise gateway 20 directly, in order to perform the management.
Moreover, the mobile office access equipment 1 can be a MiFi® device, a mobile phone, or a computer having two communication interfaces. If the mobile office access equipment is a mobile phone (usually, but not limited to, a smart phone) or a computer having two communication interfaces (usually, but not limited to, a laptop), an application installed therein can give the abovementioned devices the functions described in each Figure and description. Because the smart phone and the laptop are indispensable devices whenever a traveler takes a business trip or a pleasure trip, installing the application software on both devices removes the need to carry an additional access device, and can also reduce the traveler's baggage load. If a business traveler uses the access equipment according to the preferred embodiment of the present disclosure, no additional software needs to be installed on the smart phone or the laptop of the business traveler; however, additional software needs to be installed on both devices when using the VPN technology in the prior art. If the present invention is integrated with voice over IP (VoIP), it can be applied to transfer a telephone session. According to the aforementioned Figs. and descriptions, the present invention extends the access point in the enterprise network to form a virtual internal network. The virtual internal network is very convenient for an employee working in a remote office because the setting of the terminal equipment is the same as that used in the enterprise, and there is no need for an additional setting.
Furthermore, because the access device is equivalent to the wireless network access point in the enterprise network, a plurality of access devices in the invention can be prepared for an enterprise, a business unit or a party, installed and configured completely in advance, and all used with the same configuration. Because the account of each employee is different from the others and each account has its own access authority, the region in the enterprise network that a tunnel packet can access is not always the same. For management information system (MIS)/information technology (IT) members in the enterprise, the present invention can be integrated together with the wireless local area network (WLAN) management in the office, and an additional VPN server is not necessary. By using the system, the device and the method disclosed in the present invention, a remote office can be achieved easily, the cost is low, the operation is simple, and there are no complex configurations; thus the efficacy increases accordingly, and therefore the present invention is beneficial to the remote office, the mobile office, and the application and popularization of the office at home.
1. A remote network connection system, comprising: a gateway connected in an enterprise network and connected to an internet; a mobile office access equipment connected to the gateway through the internet; a terminal equipment connected to the internet through the mobile office access equipment; and a breakout unit arranged in the mobile office access equipment, and alternatively forming a public connection to obtain an internet service directly through the internet, or forming a tunnel connection with the gateway based on a purpose for which a packet is generated.
2. The system in Embodiment 1, wherein the breakout unit determines a shunt of the packet based on a white list or a black list associated with the purpose of the packet.
3. The system of any one of Embodiments 1-2, wherein said shunt of the packet is performed in the mobile office access equipment.
4. The system of any one of Embodiments 1-3, wherein the mobile office access equipment is one selected from a group consisting of a MiFi® device, a mobile phone and a computer having two communication interfaces.
5. The system of any one of Embodiments 1-4, wherein the gateway is arranged in the enterprise network.
6. The system of any one of Embodiments 1-5, wherein the gateway has a first connection in the enterprise network and a second connection to the internet.
7. The system of any one of Embodiments 1-6, wherein the terminal equipment transmits the packet to the breakout unit, a purpose of the packet is inspected by the breakout unit, and the packet is transmitted to the gateway by the tunnel connection when the purpose of the packet indicates a destination belonging to the enterprise network.
8. The system of any one of Embodiments 1-7, wherein the terminal equipment transmits the packet to the breakout unit, a purpose of the packet is inspected by the breakout unit, and the packet is transmitted through the public connection when the purpose of the packet indicates a destination being irrelevant to the enterprise network.
9. A method of connecting a mobile office of a user equipment and a target office through a tunnel connection, wherein the target office has a gateway, the mobile office uses a public network and the user equipment produces a plurality of packets, and the method comprises steps of: providing an access equipment for the mobile office; making the access equipment connect to the gateway; establishing a breakout rule for the plurality of packets, wherein the plurality of packets have a first packet and a second packet; and alternatively making the first packet use the public network to form a public connection, and making the second packet use the public network to form the tunnel connection according to the breakout rule, so as to make the mobile office acquire an internet service.
10. The method in Embodiment 9, wherein the access equipment is one selected from a group consisting of a MiFi® device, a mobile phone and a computer having two communication interfaces.
11. The method of any one of Embodiments 9-10, wherein when the breakout rule is determined according to a purpose for which the plurality of packets are inputted into a network multiplex device, a specific one of the plurality of packets which conforms with a predetermined purpose enters the gateway, and the predetermined purpose is governed by a white list or a black list.
12. The method of any one of Embodiments 9-11, wherein the breakout rule is determined according to a purpose for which the plurality of packets are inputted into a network multiplex device, and if the purpose is an address within the gateway, the plurality of packets are allowed to pass the gateway.
13. The method of any one of Embodiments 9-12, further comprising steps of: providing for the mobile office a request for a connection to the gateway through the access equipment; performing by the gateway a verification on the request provided from the mobile office; arranging for the gateway network settings and importing the breakout rule into the access equipment when the request passes the verification; and starting by the access equipment an internet service for the mobile office.
14. The method of any one of Embodiments 9-13, further comprising steps of: using an enterprise network SSID (Service Set Identifier) to connect the mobile office to a first network interface of the access equipment; and one of the following steps: directly transmitting by the mobile office a dynamic IP address request to obtain a first configuration related to an enterprise IP address; and directly using for the mobile office a second configuration of a static IP address in an internal enterprise network.
15. The method of any one of Embodiments 9-14, further comprising steps of: determining how the destination address of each of the plurality of packets meets the breakout rule; and one of the following steps: directly intercepting each of the plurality of packets by a breakout unit when the destination of each packet meets a first connection of the breakout rule, transmitting each packet from the breakout unit to a router unit, transforming a source address of each packet from the router unit by an NAT (Network Address Translation) unit, transmitting each packet from the NAT unit to a second network interface, and transmitting each packet from the second network interface; and directly having each of the plurality of packets transmitted to the second network interface through a bridge unit, a tunnel unit and the router unit back to an internal enterprise network when each packet meets a second connection of the breakout rule.
16. The method of any one of Embodiments 9-15, further comprising steps of: judging whether each of the plurality of packets returning to the access equipment is a tunnel-encapsulated packet; transmitting each packet to the mobile office through a router unit, a tunnel unit and a bridge unit when the packet returning to the access equipment is a tunnel-encapsulated packet; and transmitting each packet to the mobile office through an NAT (network address translation) unit, a router unit and a bridge unit when the packet returning to the access equipment is not a tunnel-encapsulated packet.
17. An access equipment for a mobile office, comprising: an NAT (network address translation) unit; a router unit connected to the NAT unit; a tunnel unit connected to the router unit; a bridge unit connected to the router unit and the tunnel unit; and a local breakout unit connected to the bridge unit, and determining, based on a purpose for which a packet is generated, whether the packet is to be transmitted to an internet either from the bridge unit through the tunnel unit to the router unit to form a tunnel connection, or from the bridge unit through the router unit to the NAT unit to form a public connection.
18. The access equipment in Embodiment 17, further comprising a wireless downlink interface connected to the local breakout unit, and making the local breakout unit connect to a terminal device through the wireless downlink interface.
19. The access equipment of any one of Embodiments 17-18, further comprising a wireless uplink interface connected to the router unit and the NAT unit, and making the packet obtain a service of the internet through the wireless uplink interface.
20. The access equipment of any one of Embodiments 17-19, wherein the access equipment is one selected from a group consisting of a MiFi® device, a mobile phone and a computer having two communication interfaces.
While the invention has been described in terms of what is presently considered to be the most practical and preferred embodiments, it is to be understood that the invention need not be limited to the disclosed embodiments. On the contrary, it is intended to cover various modifications and similar arrangements included within the spirit and scope of the appended claims which are to be accorded with the broadest interpretation so as to encompass all such modifications and similar structures.
Number | Date | Country | Kind |
---|---|---|---|
106127667 | Aug 2017 | TW | national |