WO2022247751A1 - Method, system and apparatus for remotely accessing an application, device, and storage medium - Google Patents

Method, system and apparatus for remotely accessing an application, device, and storage medium

Info

Publication number
WO2022247751A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
connection
edge
target
target application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2022/094195
Other languages
English (en)
Chinese (zh)
Inventor
胡金涌
刘贺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Yundun Information Technology Co Ltd
Original Assignee
Shanghai Yundun Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Program-control systems
    • G05B19/02 Program-control systems electric
    • G05B19/04 Program control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Program control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423 Input/output
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/23 Pc programming
    • G05B2219/23051 Remote control, enter program remote, detachable programmer

Definitions

  • Embodiments of the present disclosure relate to, but are not limited to, a method, system, apparatus, device, and storage medium for remotely accessing applications.
  • VPN: Virtual Private Network
  • traditional VPN solutions are ill-suited to cope with this new change.
  • enterprises face high cost and complex management when deploying VPNs in multi-branch and multi-cloud environments;
  • the traditional VPN user experience is poor: network fluctuations can easily lead to access delays or unstable services, which affect work efficiency;
  • a traditional VPN mainly connects to the enterprise infrastructure through an untrusted network, which itself creates an opening in the firewall.
  • hackers can gain access to the enterprise network through the VPN and move laterally inside it to reach applications and data, which poses a huge security risk to the enterprise.
  • the present disclosure proposes a method, system, apparatus, device and storage medium for remotely accessing applications, which can at least to a certain extent avoid the problem of VPNs being unstable and difficult to maintain, and can also guarantee the security of the target application.
  • a method for remotely accessing an application which is applied to a connection server, and the connection server is associated with at least one target application, including:
  • a method for remotely accessing an application is provided, which is applied to an edge security server, including:
  • a method for remotely accessing an application is provided, which is applied to an edge acceleration server, including:
  • according to the domain name of the target application, determining the address information of the edge security server corresponding to the domain name of the target application;
  • a method for remotely accessing an application is provided, which is applied to a management platform, including:
  • server configuration information corresponding to the connection server, where the server configuration information at least includes identification information of the connection server and address information of an edge security server corresponding to the connection server;
  • the application configuration information includes at least one of the domain name of the target application, a back-to-source address, identification information of an associated connection server, an identity authentication policy, and an access control policy;
  • a system for remotely accessing applications including: a management platform, an edge acceleration server, an edge security server, and a connection server;
  • the management platform is configured to generate the application configuration information of the target application and the server configuration information corresponding to the connection server; to send to the edge acceleration server the application configuration information of the target application and the server configuration information of the connection server associated with the target application; and to send to the connection server the server configuration information it requires;
  • the edge acceleration server is configured to receive the access request sent by the target terminal for the target application; and send the access request to the corresponding edge security server according to the domain name of the target application included in the access request;
  • the edge security server is configured to receive the access request sent by the edge acceleration server; forward the access request to the corresponding connection server according to the previously established session connection with the connection server;
  • the connection server is configured to receive the access request sent by the edge security server, and forward the access request to the corresponding target application.
  • a device for remotely accessing an application, which is applied to a connection server, including:
  • an acquisition module configured to acquire address information of at least one edge security server corresponding to the connection server;
  • a session establishing module configured to establish a session connection with the at least one edge security server according to the address information of the at least one edge security server, the session connection being an outbound connection from the connection server to the at least one edge security server;
  • a sending module configured to, if an access request for the target application forwarded by the edge security server is received over the session connection, send the access request to the target application, and to send the received request response information to the edge security server, the request response information being fed back by the target application according to the access request.
  • a device for remotely accessing applications is provided, which is applied to an edge security server, including:
  • a receiving module configured to receive a connection request sent by at least one connection server
  • a session establishing module configured to establish a session connection with the at least one connection server according to the connection request;
  • the receiving module is also configured to receive the access request for the target application forwarded by the edge acceleration server;
  • a determining module configured to determine a target connection server corresponding to the target application
  • a sending module configured to forward the access request to the target connection server according to the session connection corresponding to the target connection server.
  • a device for remotely accessing applications is provided, which is applied to an edge acceleration server, including:
  • the receiving module is configured to receive an access request sent by the target terminal for the target application, where the access request includes the domain name of the target application;
  • the determination module is configured to determine the address information of the edge security server corresponding to the domain name of the target application according to the domain name of the target application;
  • a sending module configured to forward the access request to the edge security server according to the address information of the edge security server.
  • a device for remotely accessing applications is provided, which is applied to a management platform, including:
  • the generation module is configured to generate server configuration information corresponding to the connection server, the server configuration information at least including the identification information of the connection server and the address information of the edge security server corresponding to the connection server; and to generate application configuration information corresponding to the target application, the application configuration information including at least one of the domain name of the target application, the back-to-source address, the identification information of the associated connection server, the identity authentication policy, and the access control policy;
  • the sending module is configured to send the server configuration information required by the connection server; send the application configuration information of the target application required by the edge acceleration server and the server configuration information of the connection server associated with the target application.
  • an electronic device including a memory, a processor, and a computer program stored on the memory and operable on the processor, where the processor runs the computer program to implement the method described in any one of the first to fourth aspects above.
  • a computer-readable storage medium on which a computer program is stored, and the program is executed by a processor to implement the method described in any one of the first to fourth aspects above.
  • the session connection is an outbound connection between the connection server and the edge security server, so that the user does not need to use a VPN server;
  • the target terminal can remotely access the target application, which solves the problem that VPN servers are unstable and difficult to maintain.
  • because the connection server only receives access requests for the target application forwarded by the edge security server, other servers are prevented from actively sending information to the connection server or establishing a connection to it, reducing the risk of malicious attacks and ensuring the security of the target application.
  • Fig. 1 is a schematic diagram of an exemplary system architecture to which the technical solutions of the embodiments of the present disclosure can be applied according to an exemplary embodiment
  • Fig. 2 is a signaling interaction diagram of a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 3 is a schematic diagram showing application configuration information of a target application and template parameter information of a connector according to an exemplary embodiment
  • Fig. 4 is a schematic diagram showing the process of establishing a session connection between a connection server and an edge security server according to an exemplary embodiment
  • Fig. 5 is a schematic diagram showing an edge security server establishing a mapping relationship between identification information of a connection server and a session according to an exemplary embodiment
  • Fig. 6 is a flowchart showing a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 7 is another flowchart of a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 8 is an operation flowchart of connecting to a server in a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 9 is an operation flowchart of an edge security server in a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 10 is an operation flowchart of an edge acceleration server in a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 11 is an operation flowchart of a management platform in a method for remotely accessing an application according to an exemplary embodiment
  • Fig. 12 is a schematic structural diagram of a device for remotely accessing applications applied to a connection server according to an exemplary embodiment
  • Fig. 13 is a schematic structural diagram of a device for remote access applications applied to an edge security server according to an exemplary embodiment
  • Fig. 14 is a schematic structural diagram of a device for remote access applications applied to an edge acceleration server according to an exemplary embodiment
  • Fig. 15 is a schematic structural diagram of a device for remotely accessing applications applied to a management platform according to an exemplary embodiment
  • Fig. 16 is a schematic structural diagram of an electronic device according to an exemplary embodiment
  • Fig. 17 is a schematic diagram of a storage medium according to an exemplary embodiment.
  • the network system architecture based on the method includes a connection server, an edge security server, an edge acceleration server, a management platform, and a target terminal.
  • the connection server can use VPC (Virtual Private Cloud)/NAT (Network Address Translation); a server configured with one or more connectors is called a connection server, where a connector is a software program used for network communication, and the connection server can be associated with at least one target application through its configured connector.
  • each connector in the connection server can communicate with one or more target applications, and the target applications can be internal applications in the intranet or applications in the public network, such as source sites.
  • FIG. 1 only schematically shows that the connection server includes a connector, and the connector communicates with a target application in the intranet.
  • the connection server establishes a session connection with the edge security server through the connector.
  • the session connection is an outgoing communication connection.
  • the session connection can be a TCP (Transmission Control Protocol) connection, an HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) connection, an SSL/TLS connection, etc.
  • the edge acceleration server communicates with the edge security server and the target terminal, and the management platform communicates with the edge acceleration server.
  • the edge acceleration node can also enforce the authentication policy on the user of the target terminal, so that only a target terminal that passes the authentication policy can access the target application, ensuring the security of the target application.
  • the edge acceleration node may acquire the identity information of the target user through the authentication center, so as to implement an authentication policy based on the identity information.
  • the authentication center may be an authentication component set in the edge acceleration server or an authentication device independent of the edge acceleration server, and the authentication center is connected with the edge acceleration server.
  • the authentication center can be connected with a third-party identity authentication system to obtain the identity information of the target user from that system; in another example, the authentication center can also obtain the identity information of the target user from the internal authentication system via the edge acceleration server, the edge security server and the connection server.
  • the authentication center can obtain the identity information of the target user from the third-party identity authentication system or the internal identity authentication system according to the authentication method selected by the user, and so on.
  • Those skilled in the art can determine the corresponding identity information acquisition method according to actual implementation requirements, which is not specifically limited in the present disclosure.
  • the edge acceleration server can also obtain identity information from the internal identity authentication system through the edge security server and connection server or perform identity information verification.
  • the participation of the authentication center is not required, that is, the authentication center does not necessarily exist in the network system architecture, and those skilled in the art can configure it according to actual implementation needs, which is not specifically limited in the present disclosure.
  • the target terminal may include one or more of a smart phone, a tablet computer, a portable computer, or a desktop computer. It can be understood that the numbers of target terminals, edge acceleration servers, authentication centers, management platforms, edge security servers, and connection servers shown in FIG. 1 are merely illustrative; according to implementation needs there may be any number of target terminals, edge acceleration servers, authentication centers, management platforms, edge security servers, and connection servers.
  • the network architecture may include one or more edge acceleration servers and one or more edge security servers, and FIG. 1 only schematically shows one edge acceleration server and one edge security server.
  • edge acceleration server and the edge security server mentioned in the embodiments of the present disclosure are two logical concepts, which are proposed separately to facilitate understanding. In practice, they can be deployed separately or on the same server device. The present disclosure does not specifically limit this.
  • the target terminal can access the target application in the intranet without using a VPN server, which solves the problem that the VPN server is unstable and difficult to maintain.
  • the target application in the intranet can be made available as SaaS (Software-as-a-Service) without modifying the original network topology.
  • Fig. 2 shows a signaling interaction diagram of a method for remotely accessing an application provided by an embodiment of the present disclosure.
  • the method at least includes step 101 to step 113, described in detail as follows:
  • Step 101 The management platform generates server configuration information corresponding to the connection server, the server configuration information at least including identification information of the connection server and address information of an edge security server corresponding to the connection server.
  • the management platform may be a cloud computing platform, such as a private cloud or a public cloud.
  • the management platform can provide server configuration information for connection servers of groups such as enterprises, institutions or social organizations.
  • the server configuration information at least includes identification information of the connection server and address information of the edge security server corresponding to the connection server.
  • the identification information can be used to uniquely identify the connection server; it can be the connection server's IP address, MAC (Media Access Control) address, or a character sequence that uniquely identifies the connection server, set manually or generated automatically.
  • the connection server can be a server installed with a connector.
  • the connector is a software program for network communication.
  • the connector is installed on the connection server of a group such as an enterprise, institution or social organization, so that the connection server can establish a session connection with the external network through the connector, and remote access to the internal network is realized through the established session connection.
  • the edge security server may be a server capable of communicating with the connection server, and may establish a session connection with the connection server for transmitting information. It can be understood that the address information of the edge security server may include a domain name and/or IP address; if it is a domain name, it can be resolved to one or more IP addresses of the edge security server. It should be noted that one edge security server may communicate with one or more connection servers, and one connection server may also be connected with one or more edge security servers, which is not specifically limited in this disclosure.
  • before remote access is realized through the connection server, the server configuration information corresponding to the connection server is first generated on the management platform; after the connection server has been configured with the server configuration information, the connection server is enabled.
  • the customer can configure the server configuration information by himself.
  • the management platform can support the customer's configuration operation and receive the server configuration information configured by the customer. Alternatively, the customer provides the relevant configuration information of the application server to the service provider, and the service provider then configures the server configuration information corresponding to the customer's application server on the management platform.
  • the management platform can also automatically generate the server configuration information corresponding to the connection server. Specifically, the management platform can assign the connection server identification information that uniquely identifies it, and, according to the configuration information of all edge security servers in the entire network system architecture, allocate the edge security server corresponding to the connection server.
  • the configuration information of the edge security server may include but not limited to the address information of the edge security server, the number of associated connectors, the upper limit of the number of associated connectors, and the like.
  • the connector may be created on the management platform, and the management platform may provide the service provider with an interface for creating the connector.
  • the connector can run on a variety of platforms, such as VMware virtual machines, Docker (application container engine), public cloud hosts, etc.
  • the service provider uses the interface provided by the management platform to create connectors running on different platforms.
  • the installation package and configuration information corresponding to the connector are also generated.
  • the configuration information includes the unique identifier of the connector, the address information of the edge security server corresponding to the connector, etc., and the address information of the edge security server can include the domain name and/or IP address of the edge security server.
  • one connector or multiple connectors can be created on the management platform, and the configuration information corresponding to each connector can include the address information of one or more edge security servers corresponding to the connector. After the connection server installs and starts the connector, the connector can establish a session connection with one or more edge security servers in the system architecture shown in FIG. 1.
  • Figure 3 shows the configuration information of a connector, which includes the unique identifier of the connector "connector id: 12345" and the domain name "companyA.connector.com" of the edge security server corresponding to the connector.
  • the domain name included in the address information of the edge security server will be resolved to at least two IP addresses of the edge security server.
  • the connection server can establish separate session connections with multiple edge security servers according to the resolved IP addresses of the multiple edge security servers, so that when one session connection fails, information can still be transmitted through the other session connections.
  • the session connections established with the multiple edge security servers may be session connections for transmitting the same information. In other words, some of the multiple session connections may be used as primary session connections and others as secondary session connections. When the primary session connection fails, the information transmitted by a secondary session connection can be used for processing, ensuring the stability of access.
  • Step 102 The management platform generates application configuration information corresponding to the target application.
  • the application configuration information includes at least one of the domain name of the target application, the back-to-source address, the identification information of the associated connection server, the identity authentication policy, and the access control policy.
  • the target application can be an application in the intranet of a group such as an enterprise, institution or social organization, such as an OA system, Web (website), SSH (Secure Shell), VNC (Virtual Network Console), RDP (Remote Desktop Protocol), internal IAM (Identity and Access Management), etc.
  • the target application can also be an application program in the public network.
  • before the target application is accessed, the management platform generates application configuration information corresponding to the target application.
  • the management platform can support user configuration operations: users determine the target applications that are allowed to be accessed remotely according to their own needs, and then configure the application configuration information corresponding to these target applications on the management platform.
  • the management platform can receive and store the application configuration information configured by the user, and associate the application configuration information with the corresponding target application.
  • the application configuration information may include return-to-source address, domain name of the target application, identity authentication policy, access control policy, and identification information of the connection server associated with the target application.
  • the back-to-source address may include the IP address of the device where the target application is located and the port number opened to the outside world by the device where the target application is located.
  • the identity authentication policy is used to specify the identity authentication method of the target user.
  • the access control policy is used to specify which users have access to the target application.
  • the back-to-source address in the application configuration information corresponding to the target application shown in Figure 3 is 172.16.1.100:433, where 172.16.1.100 is the IP address of the device where the target application is located and 433 is the only port that this device opens to the outside world (that is, the web browsing port).
  • the domain name of the target application included in the application configuration information in Figure 3 is "oa.companyA.com"
  • the back-to-source load balancing policy is "Polling"
  • the identity authentication method is "Enterprise WeChat"
  • the access control policy is "Allow financial personnel access"
  • the unique identifier of the connection server associated with this target application is "Binding Connector:12345".
  • the server configuration information corresponding to the connection server and the application configuration information corresponding to the target application are generated on the management platform, and the target application is linked to the connection server by setting the identification information of the associated connection server in the application configuration information.
  • the target application and the connection server can be in the same network, for example, both in the internal network, both in the public network, or both in the same class C segment, etc.
  • the target application and the connection server can also be in different networks, for example, one in the public network and the other in the internal network, etc., which is not particularly limited in the present disclosure, as long as the target application and the connection server can communicate.
  • Step 103 the management platform sends the server configuration information required by the connection server.
  • the connection server may directly download the installation package of the connector from the management platform, and install the connector locally on the connection server according to the downloaded installation package.
  • the connection server sends a connector acquisition request to the management platform, and the management platform sends the installation package of the connector to the connection server according to the received connection server's connector acquisition request.
  • the connection server downloads the installation package of the connector from the management platform, the connector is installed in the connection server according to the installation package.
  • a connector may be pre-installed on the cloud host serving as the connection server.
  • the connection server may also download a complete connector image file from the management platform for installation, and so on.
  • the embodiments of the present disclosure make no special limitation on how the connection server installs the connector.
  • the connection server sends a configuration information acquisition request to the management platform; the configuration information acquisition request may include the identification information of the connection server (that is, the identification information of the connector), and the management platform may, according to that identification information, feed the corresponding server configuration information back to the connection server.
  • one or more connectors may be deployed on the same connection server.
  • multiple connectors can be associated with the same target application.
  • the multiple associated connectors can be divided into active connectors and standby connectors, so that a standby connector can be used for communication when the active connector fails, improving the network stability of the remote access application.
  • the identification information of multiple connectors can be used as the identification information of the connection server.
  • for example, if connection server A has two connectors whose identification information is 123456 and 234567 respectively, then connection server A can have two pieces of identification information, namely 123456 and 234567, and so on.
  • one identification information may be configured for the connection server, and the identification information may have a mapping relationship with the identification information of multiple connectors.
  • Step 104 the connection server acquires address information of at least one edge security server corresponding to the connection server.
  • the connection server obtains server configuration information corresponding to the connection server from the management platform.
  • the connection server can directly obtain server configuration information from the management platform.
  • the connection server can also indirectly obtain server configuration information from the management platform through an intermediary, for example, the management platform sends the server configuration information of the connection server to the configuration center, and the connection server obtains the server configuration information from the configuration center.
  • the connection server obtains address information of at least one edge security server corresponding to the connection server from the server configuration information.
  • the address information includes the IP address and/or domain name of the edge security server.
  • Step 105 The connection server establishes a session connection with at least one edge security server according to the address information of the at least one edge security server, and the session connection is an outbound connection from the connection server to the at least one edge security server.
  • the connection server needs to establish, through the connector, a session connection with at least one edge security server corresponding to the connection server. If the address information of the at least one edge security server includes the IP address of the edge security server, the session connection between the connection server and the at least one edge security server is established directly according to that IP address.
  • the connection server sends the domain name resolution request of the at least one edge security server to the domain name server.
  • the domain name server resolves each domain name, obtains the IP address corresponding to each domain name, and then sends the IP address corresponding to each domain name to the connection server.
  • the connection server receives the IP address corresponding to each domain name returned by the domain name server, and sends a connection request to the edge security server at each IP address.
  • the connection request includes the identification information of the connection server, which uniquely identifies the session connection being established between the connection server and the corresponding edge security server.
  • the session connection is an outbound connection from the connection server to the at least one edge security server, and these session connections are active outgoing communication connections of the connection server.
  • the connection server prohibits incoming connections.
  • the firewall of the connection server can be configured to reject incoming connection requests, so that the connection server accepts no inbound connection attempts at all; only traffic belonging to the session connections it established outbound is let through. This ensures that the connection server can only receive incoming data over the established session connections, remote access to the target application is realized through those session connections, and all other inbound access is blocked, protecting the target application.
  • When the target application is an intranet application, the security of the intranet is greatly improved.
  • Step 106 The edge security server receives the connection request sent by at least one connection server, and establishes a session connection with the at least one connection server according to the connection request.
  • before the connection server establishes the session connection with the edge security server, it sends a connection request to the edge security server, and the connection request includes the identification information of the connection server. Since an edge security server can establish session connections with at least one connection server, the edge security server can receive connection requests sent by at least one connection server, and establishes a session connection with each such connection server according to the identification information included in the received connection request. This is a session connection between the edge security server and the connector installed on the connection server.
  • the number of connection requests received by the edge security server may be multiple, and the connection request includes identification information of the corresponding connection server.
  • the edge security server respectively establishes a session connection with at least one connection server according to multiple connection requests, and associates the identification information included in each connection request with the corresponding session connection.
  • the edge security server stores the identification information included in the connection request and the corresponding session in the mapping relationship between the identification information of the connection server and the session.
  • a connector in a connection server can establish a session connection with one or more edge security servers, and one edge security server can be connected with one or more connection servers, that is, one edge security server can establish session connections with one or more connectors in one or more connection servers. This prevents the failure of a single connector, connection server, or edge security server from interrupting remote access.
  • the session connection between the connection server and the edge security server is established on port 443 (that is, the web browsing port), application-layer connection multiplexing is realized on the session connection, and back-to-source (origin-pull) requests are carried over the same session connection.
  • the connector can establish persistent session connections with multiple edge security servers.
  • because the session connection corresponding to the connector is outbound, back-to-source access to the target application depends only on the session connection, and no inbound connection needs to be established. Therefore, the intranet firewall or VPC (Virtual Private Cloud) security policy does not need a very complex network policy; it only needs to allow outbound port 443 and block all incoming connections.
  • the connection server sends a resolution request for the domain name "abc.yundun-tunnel.com" to the domain name server.
  • the domain name server resolves the domain name and sends the resolved IP address to the connection server.
  • the connection server establishes a session connection with the edge security server according to the IP address, and the session connection is established on port 443.
  • the connection server performs data communication with the edge security server over the session using HTTP/2.
  • the firewall of the connection server only needs to allow outbound port 443 and block all incoming connections.
  • the edge security server maintains a mapping relationship between the identification information of the connection server and the session.
  • the edge security server with the IP address "1.1.1.1" establishes a session connection with one connector in each of connection servers 1, 2 and 3. Therefore, the mapping relationship maintained on the edge security server includes connector 12345: session 1, connector 34567: session 2, and connector 45678: session 3.
  • once the connector has been created on the management platform, the application configuration information corresponding to the target application has been set, the connector has been installed on the connection server and has established a session connection with the edge security server, and the domain names of all target applications that are allowed to be accessed remotely have been resolved to the IP address of the edge acceleration server, these target applications can be published directly on the public network. The remote terminal can then access the target application through the method provided by the embodiments of the present disclosure.
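The registry and failover behaviour described in Steps 105 and 106 (the connector identification to session mapping on the edge security server, primary and standby connectors for one application, and the lookup the edge security server performs later when it must pick the session for a target application), as an added example in Python. This is not code from the patent or from the assignee. The domains, connector identifiers, peer addresses and the HMAC enrolment credential that the edge server checks before binding an identifier to a session are assumptions of the example; the credential check in particular is an addition the text does not describe.

```python
"""Connector registry and route selection on an edge security server.

Added example modelling the mapping the patent describes (connector
identification -> session, and application domain -> connector identifiers
in active/standby order). Not code from the patent or the assignee.
Constructed assumptions: the domains, connector identifiers, peer addresses
and the HMAC enrolment credential checked in accept().
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: the management platform hands each connector a credential when
# it is created, and the edge security servers hold the matching secret.
ENROLMENT_SECRET = b"constructed-demo-secret"


def issue_credential(connector_id: str) -> str:
    """What the management platform would give a newly created connector."""
    return hmac.new(ENROLMENT_SECRET, connector_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Session:
    """One outbound session a connector opened to this edge security server."""
    connector_id: str
    peer: str            # connector's source address as seen by the edge server
    alive: bool = True   # cleared when the persistent session drops


class EdgeSecurityServer:
    def __init__(self, app_config: dict[str, list[str]]):
        # domain -> connector identifiers; the first entry is the primary
        # connector, the remaining entries are standby connectors.
        self.app_config = app_config
        # identification information of the connection server -> session
        self.sessions: dict[str, Session] = {}

    def accept(self, connector_id: str, credential: str, peer: str) -> Optional[Session]:
        """Handle a connection request carrying the connector's identification.

        The edge server only ever accepts these sessions; it never dials the
        connection server, which blocks all inbound connections. The
        credential check is the added step: without it any Internet client
        could register under an existing connector's identifier and receive
        traffic meant for the intranet.
        """
        if not hmac.compare_digest(credential, issue_credential(connector_id)):
            return None
        session = Session(connector_id, peer)
        self.sessions[connector_id] = session
        return session

    def drop(self, connector_id: str) -> None:
        """The session with this connector has gone away."""
        if connector_id in self.sessions:
            self.sessions[connector_id].alive = False

    def session_for(self, domain: str) -> Optional[Session]:
        """Pick the session to back-source `domain` through: primary, then standby.

        An unknown domain yields None: there is no default route into the
        intranet, so the caller must refuse the request rather than guess.
        """
        for cid in self.app_config.get(domain, []):
            session = self.sessions.get(cid)
            if session is not None and session.alive:
                return session
        return None


def build_demo() -> EdgeSecurityServer:
    """Edge server 1.1.1.1 from the text with its three registered connectors."""
    server = EdgeSecurityServer({
        "crm.intranet.example": ["12345", "34567"],   # primary, standby
        "wiki.intranet.example": ["45678"],
    })
    for cid, peer in (("12345", "10.0.1.1"), ("34567", "10.0.2.1"), ("45678", "10.0.3.1")):
        server.accept(cid, issue_credential(cid), peer)
    return server


if __name__ == "__main__":
    es = build_demo()
    print(es.session_for("crm.intranet.example"))      # primary 12345
    es.drop("12345")
    print(es.session_for("crm.intranet.example"))      # standby 34567
    print(es.accept("12345", "bogus", "203.0.113.9"))  # None: credential rejected
    print(es.session_for("evil.example"))              # None: no route
```

Run the module directly to see the failover. The text's connection request carries only the connector's identification; an edge security server that bound a session to whatever identifier a client claimed would route intranet traffic to an impostor that registered under a known connector's id, which is why the example refuses the binding unless the enrolment credential matches.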
  • Step 107 The edge acceleration server receives the access request for the target application sent by the target terminal, where the access request includes the domain name of the target application.
  • the edge acceleration server provides DDoS (Distributed Denial of Service) cleaning, cache acceleration, WAF (Web Application Firewall), load balancing and other functions, and also serves as an edge security gateway providing identity authentication, rights management, access control and other functions.
  • when an employee working at home or on a business trip needs to access a target application in the company's intranet, he can view the multiple target applications published by the company on the public network through the target terminal and select the target application he needs to access, for example by clicking on it.
  • when the target terminal detects that a certain target application has been clicked, it obtains the domain name of the clicked target application and sends a resolution request for that domain name to the domain name server.
  • the domain name server resolves the domain name of the target application. Since the domain names of all target applications published on the public network have been resolved to the IP address of the edge acceleration server, the domain name server resolves the domain name of the current target application to the IP address of the edge acceleration server and returns that IP address to the target terminal.
  • the target terminal sends an access request to the corresponding edge acceleration server according to the IP address, and the access request includes the domain name of the target application that the target user needs to access.
  • the edge acceleration server may also record the target user's access behavior in a log, which may include access time, access object, identity information, etc.; such information helps the enterprise's security management personnel audit and control user behavior.
  • Step 108 The edge acceleration server determines the address information of the edge security server corresponding to the domain name of the target application according to the domain name of the target application.
  • the edge acceleration server may obtain the application configuration information corresponding to each target application and the server configuration information of the connection server from the management platform in advance. It should be noted that the edge acceleration server may obtain the information directly from the management platform, or may obtain the information from an intermediary such as a configuration center, which is not specifically limited in this disclosure.
  • when the edge acceleration server receives the access request for the target application, it obtains the domain name of the target application included in the access request, determines the corresponding application configuration information according to that domain name, and then determines from the application configuration information the identification information of the connection server associated with the target application. Based on the determined identification information of the connection server, the corresponding server configuration information is determined, from which the address information of the edge security server associated with the connection server can be obtained.
  • the address information may include a domain name and/or an IP address. If the address information is a domain name, the edge acceleration server may send the domain name resolution request of the edge security server to the domain name server for resolution, so that the domain name server returns IP address of the corresponding edge security server.
  • the address information of the edge security server may take several forms, for example multiple edge security server IP addresses, or one or more IP addresses corresponding to the domain name fed back by the domain name server, and so on.
  • of the edge security servers corresponding to the multiple addresses, some can be used as primary edge security servers and others as backup edge security servers.
  • the edge acceleration server requests or accepts push from the management platform about the application configuration information of the target application.
  • the management platform queries the application configuration information of the target application according to the query request containing the domain name of the target application sent by the edge acceleration server, obtains the identification information of the connection server associated with the target application from the application configuration information, then obtains the server configuration information of the connection server according to that identification information, obtains the address information of the edge security server associated with the connection server from the server configuration information, and sends the address information of the edge security server to the edge acceleration server.
  • the edge acceleration server may execute an authentication policy on the user's identity information, and the authentication policy may include an identity authentication policy and/or an access rights authentication policy.
  • when executing the identity authentication policy, the edge acceleration server can detect, after receiving the access request, whether the access request carries the target user's identity information, because a user's first access request carries no identity information. If the edge acceleration server detects that the access request does not include user identity information, an identity authentication operation is triggered.
  • the authentication center shown in Figure 1 can be an authentication component set in the edge acceleration server, or an authentication device independent of the edge acceleration server. The authentication center can exchange data with a third-party identity authentication system or with an internal identity authentication system in the intranet.
  • the third-party identity authentication system can be accessed through the Internet, and the internal identity authentication system in the intranet needs to be accessed through the edge acceleration server, edge security server and connection server.
  • the third-party identity authentication system is accessed through the Internet, or the internal identity authentication system in the intranet is accessed through the edge acceleration server and the edge security server.
  • the third-party identity authentication system or the internal identity authentication system in the intranet returns the identity information of the target user to the authentication center. It should be noted that if the authentication center receives the returned identity information, it can be determined that the identity information has passed identity authentication, and the subsequent steps can be performed.
  • the authentication center may also send an identity authentication page to the edge acceleration server.
  • the edge acceleration server may send the identity authentication page to the target terminal, and the target terminal displays the identity authentication page, and the identity authentication page includes at least one identity authentication option.
  • the identity authentication page may include but not limited to multiple identity authentication options such as WeChat authentication, corporate WeChat authentication, and mobile phone number authentication.
  • the user can select the corresponding identity authentication option to determine the corresponding identity authentication strategy. For example, if the user selects the option of WeChat authentication, the user can be authenticated through the user's WeChat ID, WeChat password and other information, and so on.
  • the identity authentication page obtains the identity information of the target user corresponding to the selected identity authentication option for verification. For example, if the user selects WeChat authentication, the corresponding WeChat ID and WeChat password are obtained, and so on.
  • the authentication center submits the identity information received on the identity authentication page to the corresponding third-party identity authentication system or internal identity authentication system for authentication, and that system feeds back the verification result, that is, whether or not the identity information passed authentication.
  • after identity authentication passes, the edge acceleration server sets a validity period for the user identity information based on this authentication, stores the user identity information together with the corresponding validity period, and instructs the target terminal to carry the user identity information in every subsequent request to access the target application.
  • the user identity information is then authenticated through the identity authentication policy included in the corresponding authentication policy. Specifically, the validity period corresponding to the user identity information is obtained; if the validity period has not yet expired, the user identity information passed identity authentication earlier and is still valid, so there is no need to perform identity authentication again and the current user identity authentication is directly determined to have passed.
  • if the detection result is that the access request includes user identity information but the user identity information has expired, the target user is re-authenticated according to the identity authentication policy configured in the edge acceleration server.
  • the edge acceleration server may send the target user's identification information (such as user account, etc.) included in the access request to the third-party identity authentication system through the authentication center.
  • the third-party identity authentication system obtains the identity information of the target user according to the identity information of the target user, and feeds back the identity information of the target user to the authentication center.
  • after the edge acceleration server obtains the identity information of the target user through the authentication center, it performs identity authentication and/or access authority authentication on the user identity information according to a pre-configured authentication policy.
  • alternatively, the identification information of the target user can be sent through the edge acceleration server, the edge security server and the connection server to the internal authentication system in the intranet, in order to obtain the identity information of the target user from the internal authentication system.
  • the edge acceleration server may send the domain name of the target application to the management platform, and the management platform obtains the address information of the edge security server corresponding to the connection server from the server configuration information of the connection server associated with the target application, and sends the address information of the edge security server to the edge acceleration server.
  • if the address information includes the IP address of the edge security server, the edge acceleration server establishes a communication connection with the edge security server according to the IP address, and sends the identification information of the target user and the domain name of the target application included in the access request to the edge security server. If the address information only includes the domain name of the edge security server, the edge acceleration server sends a resolution request for that domain name to the domain name server.
  • the domain name server resolves the domain name of the edge security server, obtains the IP address of the edge security server, and sends the IP address to the edge acceleration server.
  • the edge acceleration server establishes a communication connection with the edge security server according to the IP address, and sends the identification information of the target user and the domain name of the target application included in the access request to the edge security server.
  • the edge security server may send a request including the domain name of the target application to query the connection server associated with the target application to the management platform.
  • the management platform obtains the identification information of the connection server associated with the target application from the application configuration information corresponding to the target application according to the domain name, and sends the identification information of the connection server to the edge security server.
  • the edge security server obtains the session connection corresponding to the connection server from the mapping relationship between the identification information of the connection server and the session connection, and sends the identification information of the target user to the connection server through the session connection.
  • after receiving the identification information of the target user, the connection server forwards it to the internal identity authentication system in the intranet to which the target application belongs. The internal identity authentication system obtains the identity information of the target user according to that identification information, and returns the identity information of the target user to the authentication center corresponding to the above-mentioned edge acceleration server via the connection server and the above-mentioned edge security server in turn.
  • alternatively, the edge security server need not query the management platform for the identification information of the corresponding connection server: the edge acceleration server obtains the application configuration information corresponding to the target application from the management platform according to the domain name of the target application, and sends the user identity information and the application configuration information to the edge security server together.
  • the edge security server looks up the identification information of the connection server associated with the target application in the application configuration information, and then, according to that identification information, forwards the identification information of the target user through the session connection with that connection server to the internal identity authentication system in the intranet. The internal identity authentication system obtains the identity information of the target user according to the identification information of the target user, and returns the identity information of the target user to the authentication center corresponding to the edge acceleration server along the original path.
  • the edge acceleration server may instruct the target terminal to display the above identity authentication page each time the user visits. After selecting each identity authentication option included in the identity authentication page, the target terminal determines the corresponding user identity information according to each option information selected by the user. For example, the user's login information in the application corresponding to the option is used as the user identity information.
  • the edge acceleration server forwards the user identity information to the third-party identity authentication system or the internal identity authentication system in the intranet through the authentication center to authenticate the user identity information, and feeds back the authentication result to the authentication center.
  • whichever of the above methods is used to authenticate the user identity information included in the access request, if the authentication fails an error prompt message is sent to the target terminal to notify the user that identity authentication failed.
  • if identity authentication passes and the authentication policy deployed in the edge acceleration server only includes the identity authentication policy, then the target user is determined to be authenticated. If the authentication policy also includes the access authority authentication policy, it is also necessary to determine, according to the access authority control policy, whether the user has access authority for the target application.
  • the access control policy can specify the identity of the user who can access the target application. For example, some financial-related target applications may only allow access to financial personnel, and some personnel management-related target applications may only allow access to personnel in the human resources department, and so on. Alternatively, an access password of the target application may be specified in the access right control policy, and the access password may be a password composed of a character string, or an agreed word, etc.
  • the edge acceleration server authenticates the access authority of the target user, and may instruct the target terminal to display an authority authentication interface, and the authority authentication interface includes one or more authority authentication options.
  • the permission authentication options may include one or more of job number, name, contact information, ID number, access password and other options.
  • the target terminal sends the authentication option information to the edge acceleration server.
  • the edge acceleration server can send the domain name of the target application to the management platform, and the management platform can obtain the configuration information related to the access rights of the target application from the application configuration information of the target application according to that domain name.
  • the configuration information related to access rights may include user information such as job numbers, names, contact information and ID numbers of the users who can access the target application, and/or the access password of the target application.
  • the management platform sends the relevant configuration information of the access right to the edge acceleration server.
  • the edge acceleration server judges whether the target user has the permission to access the target application according to the relevant configuration information of the access permission and the authentication option information submitted by the user.
  • the management platform may also directly send the application configuration information of the target application to the edge acceleration server.
  • the edge acceleration server obtains relevant configuration information of the access right from the application configuration information, and judges whether the target user has the access right based on this.
  • the application configuration information may include the title of the position that is allowed to access the target application, for example, a certain application can be accessed by finance, managers, and so on.
  • the user's identity information can include the user's job title, and the edge acceleration server can compare the user's job title with the job titles allowed for the target application. If the user's job title matches, that is, it is one of the job titles allowed to access the target application, the user has passed the access authority authentication policy; otherwise, the user has not passed.
  • the edge acceleration server may also not obtain the configuration information related to access rights or the application configuration information of the target application from the management platform. Instead, it determines the connection server associated with the target application and the edge security server that connection server is attached to, and then forwards the authentication option information of the target user through the edge security server and the connection server in turn to the internal identity authentication system in the intranet, which performs authorization authentication on the authentication option information of the target user and returns the authentication result to the edge acceleration server along the original route.
  • the edge acceleration server can implement fine-grained access authority control through the access authority control policy, which substantially reduces the risk of malicious attacks on the target application.
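The identity validity check and the access authority decision described above (identity stored with a validity period after authentication, re-authentication when the identity is missing or expired, then job-title matching or an application access password), as an added example in Python. It is not code from the patent or from the assignee. The users, job titles, domains, validity period and the fake clock are constructed; the opaque session identifier the terminal carries in place of the identity record is an assumption of the example, chosen so that the terminal cannot alter the stored title or expiry.

```python
"""Identity validity and access-authority checks at the edge acceleration server.

Added example (not the patent's or the assignee's code). Constructed
assumptions: users, titles, domains, validity period, the fake clock, and
the opaque session id handed to the terminal after authentication.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

FORWARD, AUTHENTICATE, DENY = "forward", "authenticate", "deny"


@dataclass
class IdentityRecord:
    user_id: str
    job_title: str
    expires_at: float


@dataclass
class AccessPolicy:
    allowed_titles: frozenset[str] = frozenset()
    access_password: Optional[str] = None   # alternative to title matching


class EdgeAccelerationGateway:
    def __init__(self, policies: dict[str, AccessPolicy],
                 validity_seconds: int = 8 * 3600,
                 clock: Callable[[], float] = time.time):
        self.policies = policies
        self.validity_seconds = validity_seconds
        self.clock = clock
        # opaque session id -> identity record; the terminal only ever sees
        # the id, never the record, so it cannot alter title or expiry.
        self.identities: dict[str, IdentityRecord] = {}

    def on_authenticated(self, user_id: str, job_title: str) -> str:
        """Called after the authentication centre reports success."""
        sid = secrets.token_urlsafe(32)
        self.identities[sid] = IdentityRecord(
            user_id, job_title, self.clock() + self.validity_seconds)
        return sid

    def handle(self, domain: str, session_id: Optional[str],
               submitted_password: Optional[str] = None) -> str:
        """Decide what to do with an access request for `domain`."""
        record = self.identities.get(session_id) if session_id else None
        if record is None:
            return AUTHENTICATE              # first visit: no identity carried
        if self.clock() >= record.expires_at:
            del self.identities[session_id]  # do not let a stale record linger
            return AUTHENTICATE              # validity period reached
        policy = self.policies.get(domain)
        if policy is None:
            return DENY                      # not a published application
        if record.job_title in policy.allowed_titles:
            return FORWARD
        if (policy.access_password is not None and submitted_password is not None
                and hmac.compare_digest(submitted_password, policy.access_password)):
            return FORWARD
        return DENY


class FakeClock:
    """Controllable clock so expiry can be exercised offline."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def build_demo() -> tuple[EdgeAccelerationGateway, FakeClock]:
    clock = FakeClock()
    gateway = EdgeAccelerationGateway({
        "finance.intranet.example": AccessPolicy(allowed_titles=frozenset({"finance", "manager"})),
        "wiki.intranet.example": AccessPolicy(access_password="constructed-password"),
    }, validity_seconds=3600, clock=clock)
    return gateway, clock


if __name__ == "__main__":
    gw, clock = build_demo()
    sid = gw.on_authenticated("alice", "finance")
    print(gw.handle("finance.intranet.example", None))       # authenticate
    print(gw.handle("finance.intranet.example", sid))        # forward
    clock.advance(3600)
    print(gw.handle("finance.intranet.example", sid))        # authenticate (expired)
```

The expired record is deleted at the moment expiry is detected rather than left in place, so a replayed session id cannot be accepted later by a code path that forgets to check the validity period; the password comparison is constant-time so the access password cannot be recovered byte by byte from response timing.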
  • step 109 the edge acceleration server forwards the access request to the edge security server according to the address information of the edge security server.
  • the edge acceleration server directly forwards the access request to the edge security server according to the IP address. If the address information only includes the domain name of the edge security server, the edge acceleration server sends the domain name resolution request of the edge security server to the domain name server.
  • the domain name server performs domain name analysis on the domain name sent by the edge acceleration server to obtain the corresponding IP address of each edge security server, forms an IP list for each obtained IP address, and returns the IP list to the edge acceleration server.
  • the IP list includes The IP addresses of one or more edge security servers.
  • the edge acceleration server receives the IP list returned by the domain name server, and selects an IP address from the IP list. Specifically, if the IP list includes only one IP address, the IP address is directly selected. If the IP list includes multiple IP addresses, an IP address of an active edge security server is selected from the multiple IP addresses. The edge acceleration server establishes a communication connection between edge security servers corresponding to the selected IP address according to the selected IP address, and then sends the access request to the edge security server.
  • The edge acceleration server may also perform mutual authentication with the edge security server to further ensure the security of target application access. For example, the edge acceleration server sends its first certificate to the edge security server. The edge security server receives the first certificate of the edge acceleration server and verifies it, checking whether the first certificate was issued by its CA center. If the verification fails, the edge security server returns a warning message, warning the edge acceleration server that the first certificate is not trustworthy. After the verification is passed, the edge security server can compare the information in the certificate, such as the domain name and public key, and if the domain name or public key conforms to the preset information transmission rules, the legal identity of the edge acceleration server is recognized.
  • The edge acceleration server can also ask the edge security server to send its own second certificate. After receiving the second certificate, the edge acceleration server verifies it. If the verification is not passed, the connection is rejected; if the verification is passed, information can be transmitted between the two.
  • Two-way authentication is thus carried out between the edge acceleration server and the edge security server. Unless the two-way authentication succeeds, the edge acceleration server will not send the access request to the edge security server, which greatly improves the security of intranet access.
  • the edge acceleration server can also encrypt the access request first, and send the encrypted data to the edge security server to improve the security of data transmission.
  • Step 110 The edge security server receives the access request for the target application forwarded by the edge acceleration server, and determines the target connection server corresponding to the target application.
  • The edge security server is a transit medium that realizes the connection between the edge acceleration server and the target application; since the target application is located in the intranet, the connection between the edge acceleration server and the intranet application is thereby realized.
  • After the edge security server starts, it waits for connections from the edge acceleration server and from the connector in the connection server, and forwards the access requests that arrive from the edge acceleration server.
  • After receiving the access request from the target terminal to the target application forwarded by the edge acceleration server, the edge security server sends the domain name of the target application included in the access request to the management platform.
  • The management platform obtains the application configuration information of the target application according to the domain name of the target application, and queries the identification information of the connection server associated with the target application from the application configuration information; the connection server associated with the target application is the target connection server. The management platform then sends the identification information of the target connection server to the edge security server.
  • the edge security server receives the identification information of the target connection server.
  • The edge acceleration server may also obtain the application configuration information of the target application and the server configuration information of the connection server associated with the target application from the management platform during the stage of authenticating the target user, and then forward the access request together with the application configuration information to the edge security server.
  • In that case the edge security server can locally obtain the identification information of the connection server associated with the target application from the application configuration information, and determine that this identification information is the identification information of the target connection server.
  • When the edge acceleration server forwards the access request to the edge security server, it may also send the application configuration information of the target application corresponding to the access request to the edge security server.
  • The edge security server can determine the target connection server according to the identification information of the connection server associated with the target application included in the application configuration information. It can be understood that the number of target connection servers determined by the edge security server may be one or more.
  • One of the target connection servers can be used as the primary target connection server, and the other target connection servers are secondary target connection servers.
  • When the primary target connection server fails or is unavailable, the target application can be accessed through a secondary target connection server.
  • The target applications associated with the primary target connection server and the secondary target connection server should be the same, or the target application associated with the primary target connection server is included in the target applications associated with the secondary target connection server, or the primary target connection server and the secondary target connection server have partially the same associated target applications, and so on.
  • Step 111 The edge security server forwards the access request to the target connection server according to the session connection corresponding to the target connection server.
  • According to the determined identification information of each target connection server, the edge security server obtains the corresponding session connection from the locally stored mapping relationship between the identification information of the connection servers and their session connections, and forwards the access request to each target connection server through the session connection corresponding to that connection server.
  • The edge security server may also obtain the health status information of the connection server through the session connection corresponding to the connection server; the health status information includes one or more of the connection server's load status information, network status information, system status information, and disk status information.
  • the edge security server sends a health check request to each connection server through a session connection corresponding to each connection server.
  • the connector in the connection server obtains its own health status information, and sends the health status information to the edge security server through a session connection with the edge security server.
  • The edge security server selects, from the connection servers, a connection server that meets the preset health conditions.
  • The preset health conditions can include a load less than a preset threshold and no abnormality in the network state, system state and disk state. Specific abnormalities of the network state, system state and disk state can be listed in the preset health conditions, such as network interruption, system resource usage exceeding a preset ratio, and remaining disk storage space less than a preset value. If the edge security server determines that a plurality of connection servers satisfy the preset health conditions, it may select randomly or sequentially from them to determine a target connection server. After determining the target connection server, the edge security server forwards the access request to the connector in the target connection server according to the session connection corresponding to the identification information of the target connection server.
  • The edge security server may also forward the access request to the connector in the connection server in a polling manner.
  • In this case a preset polling rule is configured in the edge security server, and the preset polling rule specifies the polling sequence of the target connection servers associated with the target application. A target connection server is selected from the target connection servers in turn according to this sequence. According to the identification information of the selected target connection server, the session connection corresponding to it is obtained from the mapping relationship between identification information and session connections, and the access request is forwarded to the target connection server through the obtained session connection.
  • the remote terminal sends an access request to the edge acceleration server, and the access request includes the domain name "oa.companyA.com" of the target application to be accessed.
  • The edge acceleration server obtains the application configuration information corresponding to the domain name "oa.companyA.com" from the management platform.
  • The unique identifier of the connector bound in the application configuration information is "12345", and the edge acceleration server also obtains the server configuration information of connector 12345 from the management platform.
  • After obtaining the application configuration information and the server configuration information, the edge acceleration server sends a resolution request for the domain name "companyA.connector.com" of the edge security server included in the server configuration information to the domain name server, and receives the IP address "1.1.1.1" of the edge security server returned by the domain name server. The edge acceleration server establishes a communication connection with the edge security server according to the IP address "1.1.1.1", and sends the access request and the application configuration information to the edge security server.
  • The edge security server with the IP address "1.1.1.1" obtains the session connection corresponding to the connector from the pre-stored mapping relationship according to the unique identifier "12345" of the connector included in the application configuration information, and through that session connection sends the access request to connector 12345 in connection server 1 of enterprise A.
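The selection logic of Step 111 and the oa.companyA.com walkthrough above, as an added example that is not part of the patent or the assignee's code. It models the edge security server's locally stored mapping from connector identifier to session connection, the health check over each session, the preset health conditions, and the polling (round-robin) fallback. Session connections are simulated by an in-memory class; the connector identifiers, the health values and the thresholds are constructed for illustration.

```python
"""Edge security server side: choose the target connection server for an
access request and forward it over the matching session connection.

Added example, not the patent's or the assignee's code. Connector identifiers,
health values and thresholds are constructed."""
from dataclasses import dataclass
from itertools import cycle
from typing import Optional

# Preset health conditions (assumed thresholds, not values from the patent).
LOAD_THRESHOLD = 0.8          # load below this is acceptable
SYSTEM_USAGE_MAX_RATIO = 0.9  # system resource usage above this is abnormal
DISK_MIN_FREE_GB = 5          # remaining disk space below this is abnormal


@dataclass
class SessionConnection:
    """Simulated outbound session from one connector; answers health checks
    and carries forwarded access requests."""
    connector_id: str
    health: dict  # constructed health status information reported by the connector

    def health_check(self) -> dict:
        return dict(self.health)

    def send(self, access_request: dict) -> dict:
        # Stand-in for the connector relaying the request to the target application.
        return {"via": self.connector_id, "domain": access_request["domain"]}


def meets_health_conditions(h: dict) -> bool:
    """Load under threshold and no abnormality in network, system or disk state."""
    return (h.get("load", 1.0) < LOAD_THRESHOLD
            and h.get("network") == "up"
            and h.get("system_usage", 1.0) <= SYSTEM_USAGE_MAX_RATIO
            and h.get("disk_free_gb", 0) >= DISK_MIN_FREE_GB)


class TargetSelector:
    """Holds the connector identifier -> session mapping of an edge security server."""

    def __init__(self) -> None:
        self.sessions: dict = {}
        self._polling: dict = {}  # per application polling iterator

    def register(self, session: SessionConnection) -> None:
        self.sessions[session.connector_id] = session

    def select_by_health(self, app_config: dict) -> Optional[SessionConnection]:
        """Health-based selection among the connectors bound in the app config;
        the first connector meeting the preset conditions is taken (the patent
        also allows a random choice among all that qualify)."""
        for cid in app_config["connector_ids"]:
            session = self.sessions.get(cid)
            if session is None:  # connector never connected or its session dropped
                continue
            if meets_health_conditions(session.health_check()):
                return session
        return None

    def select_by_polling(self, app_config: dict) -> Optional[SessionConnection]:
        """Round-robin over the preset polling sequence, skipping absent sessions."""
        domain = app_config["domain"]
        if domain not in self._polling:
            self._polling[domain] = cycle(app_config["connector_ids"])
        for _ in range(len(app_config["connector_ids"])):
            cid = next(self._polling[domain])
            if cid in self.sessions:
                return self.sessions[cid]
        return None

    def forward(self, access_request: dict, app_config: dict,
                mode: str = "health") -> Optional[dict]:
        """Forward the request over the chosen session; None if no server qualifies."""
        choose = self.select_by_health if mode == "health" else self.select_by_polling
        session = choose(app_config)
        return None if session is None else session.send(access_request)


def demo() -> list:
    """Constructed scenario: connector 12345 is overloaded, 12346 is healthy,
    12347 is bound in the configuration but has no live session."""
    selector = TargetSelector()
    selector.register(SessionConnection("12345", {"load": 0.95, "network": "up",
                                                  "system_usage": 0.5, "disk_free_gb": 40}))
    selector.register(SessionConnection("12346", {"load": 0.20, "network": "up",
                                                  "system_usage": 0.3, "disk_free_gb": 20}))
    app = {"domain": "oa.companyA.com", "connector_ids": ["12345", "12346", "12347"]}
    request = {"domain": "oa.companyA.com", "path": "/"}
    by_health = selector.forward(request, app)["via"]
    by_polling = [selector.forward(request, app, mode="polling")["via"] for _ in range(3)]
    return [by_health] + by_polling


if __name__ == "__main__":
    print(demo())
```

The health-based path skips an overloaded connector even when it is first in the configuration, while the polling path only skips connectors with no live session, so a connector that is up but unhealthy still receives requests under polling; that difference is the reason the patent offers the health check as the primary mechanism.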
  • Step 112 Based on the session connection with the edge security server, if the connection server receives the access request for the target application forwarded by the edge security server, send the access request to the target application.
  • The connection server may be configured with a mapping relationship between the domain name of each target application associated with it and the corresponding back-to-source (return-to-origin) address.
  • The management platform may send the back-to-source address or the application configuration information of each target application to the connection server. When the connection server receives the access request for the target application sent by the edge security server through the session connection between the two, the connection server queries the back-to-source address of the target application locally according to the domain name of the target application included in the access request, and forwards the access request to the corresponding target application according to that back-to-source address.
  • Alternatively, the mapping relationship between the domain names of the associated target applications and their back-to-source addresses may not be configured in the connection server.
  • In that case the edge security server obtains the application configuration information corresponding to the target application from the management platform or from the edge acceleration server.
  • The application configuration information includes the back-to-source address corresponding to the target application, and when the edge security server forwards the access request to the corresponding connector in the target connection server it can also send the back-to-source address to the connector.
  • The connector forwards the access request to the corresponding target application according to the back-to-source address.
  • the target application responds to the access request, and transmits the generated response message to the connection server associated with the target application.
  • Step 113 The connection server sends the received request response information to the edge security server, and the request response information is fed back by the target application according to the access request.
  • the target application generates request response information according to the feedback of the access request, and sends the request response information to the connection server.
  • the connection server then sends the request response information to the edge security server through the session connection between itself and the edge security server.
  • the edge security server sends the request response information to the edge acceleration server, and the edge acceleration server sends the request response information to the target terminal.
  • The transmission protocol of the session connection between the connection server and the edge security server may be an encrypted transmission protocol, so that the data between the connection server and the edge security server is transmitted in encrypted form to ensure data security during transmission.
  • Multiple connection servers may be associated with the same target application.
  • The multiple connection servers associated with a target application may include a primary connection server and a standby connection server.
  • When the primary connection server fails, the access request of the target terminal to the target application can be received through the session connection corresponding to the standby connection server, or the request response information generated by the target application in response to the access request can be sent through the session connection corresponding to the standby connection server.
  • A connection server may also include multiple connectors, which are divided into primary connectors and secondary connectors. After the primary connector fails or reaches its load limit, a secondary connector performs the data transmission.
  • The connection server can also send its own health status information and the health status information of each connector to the management platform every preset time period (such as 2min, 0.5h or 1h, etc.). The management platform judges, according to the health status information of the connection server and of each connector, whether there is an abnormality in the connection server or the connectors, and if there is an abnormality, an alarm message is sent to the management personnel in time.
  • Connectors 1 and 2 in connection server A and connectors 3 and 4 in connection server B obtain the IP address of the corresponding edge security server from the domain name server according to the domain name of the edge security server in their respective configuration information, and then establish a session connection with the edge security server based on the obtained IP address.
  • the remote user sends an access request to the edge acceleration server, and the access request includes the domain name of the target application.
  • the edge acceleration server determines whether the access request includes user identity information that is still valid, and if so, determines that the identity authentication is passed. If not, the edge acceleration server redirects to the identity authentication page to obtain the user identity information of the current user.
  • the edge acceleration server acquires the application configuration information of the target application to be accessed and the server configuration information of the connection server associated with the target application from the management platform.
  • the edge acceleration server authenticates the obtained user identity information according to the identity authentication policy included in the application configuration information.
  • The edge acceleration server sends a domain name resolution request for the domain name of the edge security server included in the server configuration information to the domain name server, and sends the access request and the application configuration information to the edge security server according to the IP address of the edge security server returned by the domain name server.
  • For example, the domain name "A.yundun-tunnel.com" corresponds to two edge security servers with IP addresses "1.1.1.1" and "2.2.2.2" respectively; the edge security server with IP address "1.1.1.1" is the active edge security server, and the edge security server with IP address "2.2.2.2" is the standby edge security server.
  • The domain name "B.yundun-tunnel.com" corresponds to two edge security servers with IP addresses "3.3.3.3" and "4.4.4.4"; the edge security server with IP address "3.3.3.3" is the main edge security server, and the edge security server with IP address "4.4.4.4" is the backup edge security server.
  • The edge acceleration server may send the access request and the application configuration information to the edge security server with the IP address "1.1.1.1".
  • The edge security server then sends the access request to connection server A through the session connection with connector 1 or connector 2.
  • In this way the target terminal can access the target application in the intranet without using a VPN server, which solves the problem that a VPN server is unstable and difficult to maintain. The target application can be published directly to the public network, and the user access experience is better.
  • the edge acceleration server authenticates user identity and access rights, eliminating the risk of malicious attacks.
  • the target application in the intranet can be SaaS-based without modifying the original network topology. Moreover, by increasing the number of edge acceleration servers and edge security servers, capacity expansion can be easily performed, and it can adapt to application scenarios with a large number of target users.
  • Some other embodiments of the present disclosure provide a method for remotely accessing an application, and the method is used to connect to a server. Referring to Figure 8, the method specifically includes the following steps:
  • Step 201 The connection server acquires address information of at least one edge security server corresponding to the connection server.
  • the connection server obtains server configuration information corresponding to the connection server from the management platform.
  • the connection server can directly obtain server configuration information from the management platform.
  • The connection server can also indirectly obtain the server configuration information from the management platform through an intermediary; for example, the management platform sends the server configuration information of the connection server to a configuration center, and the connection server then obtains the server configuration information from the configuration center.
  • the connection server obtains address information of at least one edge security server corresponding to the connection server from the server configuration information.
  • the address information includes the IP address and/or domain name of the edge security server.
  • Step 202 The connection server establishes a session connection with at least one edge security server according to the address information of at least one edge security server, and the session connection is an outbound connection from the connection server to the at least one edge security server.
  • If the address information of the edge security server only includes an IP address, the connection server establishes a session connection with the at least one edge security server according to the IP address of the at least one edge security server. If the address information of the edge security server only includes the domain name of the edge security server, the connection server sends the domain name of the at least one edge security server to the domain name server, receives the IP address corresponding to each domain name returned by the domain name server, and, according to each IP address, sends a connection request to the one or more edge security servers respectively. The connection request includes the identification information of the connection server, so as to establish a session connection between the connection server and the one or more edge security servers.
  • The session connection is an outbound connection between the connection server and the edge security server, that is, a communication connection actively initiated by the connection server, so the connection server does not need to accept incoming connections; this prevents malicious attacks and ensures the security of the target application.
  • A policy of prohibiting incoming connection requests may be configured in the connection server, so that the connection server prohibits, through its firewall, all incoming requests other than those belonging to the session connection established above.
  • the transmission protocol of the session connection is an encrypted transmission protocol, that is, the data transmitted through the session connection is encrypted and then transmitted in ciphertext, so as to improve the security of data transmission.
  • Step 203 Based on the established session connection, if the connection server receives the access request for the target application forwarded by the edge security server, it sends the access request to the target application.
  • Step 204 The connection server sends the received request response information to the edge security server, and the request response information is fed back by the target application according to the access request.
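The outbound session connection of Steps 201 to 204, with both sides' messages, as an added example that is not the patent's or the assignee's code. The connector inside the connection server opens the connection outward and announces its identification information; the edge security server records the session under that identifier, later pushes an access request through it, and receives the request response information back. The newline-delimited JSON wire format, the message names, the connector identifier 12345, the application domain and the intranet address are constructed; the patent calls for an encrypted transport, which this localhost demonstration leaves out.

```python
"""Outbound session connection from a connection server's connector to the
edge security server, then an access request and its response carried over it.

Added example, not the patent's or the assignee's code. Wire format, message
names, identifiers and addresses are constructed; the transport is plaintext."""
import json
import socket
import threading
from typing import Optional


def send_msg(sock: socket.socket, obj: dict) -> None:
    sock.sendall((json.dumps(obj) + "\n").encode())


def recv_msg(reader) -> Optional[dict]:
    line = reader.readline()
    return json.loads(line) if line else None


class SessionEndpoint:
    """Edge security server side: accepts connector sessions and keeps the
    mapping connector identifier -> session connection."""

    def __init__(self) -> None:
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen()
        self.port = self.listener.getsockname()[1]
        self.sessions: dict = {}
        self.ready = threading.Event()
        threading.Thread(target=self._accept_one, daemon=True).start()

    def _accept_one(self) -> None:
        conn, _ = self.listener.accept()
        reader = conn.makefile("r")
        hello = recv_msg(reader)
        # The connection request carries the connector's identification information.
        if hello and hello.get("type") == "connect" and "connector_id" in hello:
            self.sessions[hello["connector_id"]] = (conn, reader)
        self.ready.set()

    def forward(self, connector_id: str, access_request: dict) -> Optional[dict]:
        """Step 203 seen from the edge security server: push the request down the session."""
        conn, reader = self.sessions[connector_id]
        send_msg(conn, {"type": "access", **access_request})
        return recv_msg(reader)  # Step 204: request response information comes back


class Connector:
    """Runs inside the connection server; it only ever opens outbound
    connections, so the connection server's firewall can drop all inbound ones."""

    def __init__(self, connector_id: str, ess_host: str, ess_port: int,
                 back_to_source: dict) -> None:
        self.back_to_source = back_to_source  # domain -> intranet origin address
        self.sock = socket.create_connection((ess_host, ess_port))
        send_msg(self.sock, {"type": "connect", "connector_id": connector_id})
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        reader = self.sock.makefile("r")
        while True:
            msg = recv_msg(reader)
            if msg is None:
                break
            if msg.get("type") != "access":
                continue
            origin = self.back_to_source.get(msg.get("domain"))
            if origin is None:  # not an application this connector is bound to
                send_msg(self.sock, {"status": 404, "body": "unknown application"})
            else:
                send_msg(self.sock, {"status": 200,
                                     "body": intranet_app(origin, msg.get("path", "/"))})


def intranet_app(origin: str, path: str) -> str:
    """Stand-in for the target application behind the connector (constructed)."""
    return f"response from {origin}{path}"


def run_exchange() -> tuple:
    """Full exchange on localhost; returns the responses for a bound and an unbound domain."""
    endpoint = SessionEndpoint()
    Connector("12345", "127.0.0.1", endpoint.port, {"oa.companyA.com": "10.0.0.8:8080"})
    if not endpoint.ready.wait(5):
        raise RuntimeError("session connection was not established")
    bound = endpoint.forward("12345", {"domain": "oa.companyA.com", "path": "/"})
    unbound = endpoint.forward("12345", {"domain": "hr.companyA.com", "path": "/"})
    return bound, unbound


if __name__ == "__main__":
    print(run_exchange())
```

The direction of the TCP connection is the point of the design: the connector dials out, the edge security server only listens, and requests flow against the direction of the connection, so no listening port has to exist on the intranet side. The connector also refuses domains outside its own back-to-source mapping, which is the check that keeps an edge security server from using one connector to reach applications it was not bound to.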
  • The connection servers may include a primary connection server and a secondary connection server, and the secondary connection server is used when the primary connection server fails.
  • Multiple connectors can be deployed in a connection server, including active connectors and standby connectors.
  • The active connectors and standby connectors are associated with the same target application; when an active connector fails, the access request of the target terminal to the target application is received through the session connection corresponding to the standby connector.
  • the connection server also sends the health status information of the connector to the management platform every preset time period.
  • the health status information includes one or more of the load status information, network status information, system status information, and disk status information of the connector.
  • the connection server can also receive the health check request sent by the edge security server through the session connection corresponding to the connector, and send the health status information of the connector to the edge security server through the session connection.
  • The connection server establishes a session connection with the edge security server through the connector, and the target terminal can access the target application through this session connection without using a VPN server, which solves the problem that a VPN server is unstable and difficult to maintain.
  • the target application in the intranet can be SaaS-based without modifying the original network topology.
  • Some embodiments of the present disclosure provide a method for remotely accessing an application.
  • the method is applied to an edge security server. Referring to FIG. 9 , the method specifically includes the following steps:
  • Step 301 The edge security server receives a connection request sent by at least one connection server.
  • connection request includes identification information of a corresponding connection server.
  • Step 302 The edge security server establishes a session connection with at least one connection server according to the connection request.
  • the edge security server respectively establishes a session connection with at least one connection server according to multiple connection requests, and associates the identification information of each connection server with the corresponding session connection.
  • Step 303 The edge security server receives the access request for the target application forwarded by the edge acceleration server, and determines the target connection server corresponding to the target application.
  • Step 304 The edge security server forwards the access request to the target connection server according to the session connection corresponding to the target connection server.
  • When there are multiple target connection servers, the edge security server forwards the access request to each target connection server according to the session connection associated with the identification information of each of them.
  • In the health-based selection, the edge security server extracts the identification information of each connection server associated with the target application from the application configuration information; according to the identification information of each connection server, obtains the session connection corresponding to each connection server from the mapping relationship; obtains the health status information of each connection server through its session connection; according to the health status information, selects a target connection server that meets the preset health conditions from the connection servers; and forwards the access request to the selected target connection server through the session connection corresponding to it.
  • The edge security server may also use a polling mechanism to forward the access request. Specifically, it extracts the identification information of each connection server associated with the target application from the application configuration information; selects a target connection server from these connection servers according to a preset polling rule; according to the identification information of the selected target connection server, obtains the corresponding session connection from the mapping relationship; and forwards the access request to the target connection server through the obtained session connection.
  • For the specific operation details of the edge security server, reference may be made to the operation of the edge security server in any of the foregoing embodiments, and details are not repeated here.
  • The edge security server establishes a session connection with the connector in the connection server, through which the access request from the target terminal is forwarded to the connection server, so the target terminal can access the target application without using a VPN server, which solves the problem that a VPN server is unstable and difficult to maintain.
  • the target application in the intranet can be SaaS-based without modifying the original network topology.
  • the capacity can be easily expanded, and it can adapt to application scenarios with a large number of target users.
  • Some embodiments of the present disclosure provide a method for remotely accessing an application.
  • the method is applied to an edge acceleration server. Referring to FIG. 10 , the method specifically includes the following steps:
  • Step 401 The edge acceleration server receives an access request for the target application sent by the target terminal, and the access request includes the domain name of the target application.
  • Step 402 The edge acceleration server determines the address information of the edge security server corresponding to the domain name of the target application according to the domain name of the target application.
  • Before determining the address information of the edge security server corresponding to the domain name of the target application, the edge acceleration server can also detect whether the access request carries the identity information of the target user, and execute on that identity information an authentication strategy corresponding to the detection result, where the authentication strategy includes an identity authentication strategy and/or an access authority authentication strategy; if the identity information of the target user passes the authentication strategy, the edge acceleration server determines, according to the domain name of the target application, the address information of the edge security server corresponding to that domain name.
  • Step 403 The edge acceleration server forwards the access request to the edge security server according to the address information of the edge security server.
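Steps 401 to 403 as an added example that is not the patent's or the assignee's code: the edge acceleration server checks whether the access request carries still-valid identity information (otherwise redirecting to the identity authentication page), applies the identity authentication policy and the access authority policy taken from the application configuration information, and then determines the edge security server address from the server configuration information, resolving a domain name to an IP list and preferring an active edge security server when the list has several entries. The token layout, the policy field names, the DNS stub, the liveness set ACTIVE and the two in-memory tables standing in for the management platform are constructed assumptions.

```python
"""Edge acceleration server front end: identity check, authentication policy,
and address determination for the edge security server.

Added example, not the patent's or the assignee's code. Token layout, policy
fields, DNS stub and liveness set are constructed assumptions."""
import time
from typing import Optional

# Constructed stand-ins for configuration obtained from the management platform.
APP_CONFIGS = {
    "oa.companyA.com": {
        "connector_ids": ["12345"],
        "identity_auth_policy": {"require_sso": True},
        "access_policy": {"allowed_groups": ["staff"], "allowed_methods": ["GET", "POST"]},
    },
}
SERVER_CONFIGS = {"12345": {"edge_security_server": {"domain": "companyA.connector.com"}}}
DNS = {"companyA.connector.com": ["1.1.1.1", "2.2.2.2"]}  # constructed resolution results
ACTIVE = {"1.1.1.1"}  # stand-in for the liveness state of the edge security servers


class Redirect(Exception):
    """Raised to send the user to the identity authentication page."""


class Forbidden(Exception):
    """Raised when an authentication policy rejects the request."""


def identity_valid(identity: Optional[dict], now: float) -> bool:
    """Identity information is present and has not expired."""
    return identity is not None and identity.get("expires_at", 0) > now


def authenticate(request: dict, app_config: dict, now: float) -> None:
    """Identity authentication strategy, then access authority strategy."""
    identity = request.get("identity")
    if not identity_valid(identity, now):
        raise Redirect("/auth")  # obtain identity information via the authentication page
    if app_config["identity_auth_policy"]["require_sso"] and not identity.get("sso_verified"):
        raise Forbidden("identity authentication failed")
    policy = app_config["access_policy"]
    if not set(identity.get("groups", [])) & set(policy["allowed_groups"]):
        raise Forbidden("access authority denied")
    if request.get("method") not in policy["allowed_methods"]:
        raise Forbidden("method not permitted")


def resolve_edge_security_server(addr_info: dict) -> Optional[str]:
    """Address information holds an IP, or a domain that resolves to an IP list;
    with several addresses, pick one belonging to an active edge security server."""
    if "ip" in addr_info:
        return addr_info["ip"]
    ips = DNS.get(addr_info.get("domain", ""), [])
    if len(ips) == 1:
        return ips[0]
    return next((ip for ip in ips if ip in ACTIVE), None)


def handle_access_request(request: dict, now: Optional[float] = None) -> dict:
    """Returns the forwarding decision: the edge security server to use plus the
    application configuration that travels with the access request."""
    now = time.time() if now is None else now
    app_config = APP_CONFIGS.get(request.get("domain"))
    if app_config is None:
        raise Forbidden("unknown application")
    authenticate(request, app_config, now)
    addr = SERVER_CONFIGS[app_config["connector_ids"][0]]["edge_security_server"]
    ip = resolve_edge_security_server(addr)
    if ip is None:
        raise RuntimeError("no active edge security server")
    return {"forward_to": ip, "app_config": app_config}


def decide(request: dict, now: Optional[float] = None) -> str:
    """Outcome label: the target IP, the redirect location, or the rejection reason."""
    try:
        return "forward:" + handle_access_request(request, now)["forward_to"]
    except Redirect as exc:
        return "redirect:" + str(exc)
    except Forbidden as exc:
        return "forbidden:" + str(exc)
```

An expired or absent identity produces a redirect rather than a rejection, because the user may simply need to log in; a valid identity that fails the identity or access authority policy is rejected outright, and only a request that clears both policies reaches address determination.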
  • For the specific operation details of the edge acceleration server, reference may be made to the operation of the edge acceleration server in any of the foregoing embodiments, which will not be repeated here.
  • the edge acceleration server authenticates the user identity and access rights, eliminating the risk of malicious attacks.
  • the edge acceleration server forwards the access request and application configuration information to the edge security server, and then forwards the access request to the connection server through the edge security server.
  • The target terminal can access the target application behind the connection server without using a VPN server, which solves the problem that a VPN server is unstable and difficult to maintain.
  • the target application in the intranet can be SaaS-based without modifying the original network topology.
  • capacity expansion can be easily performed, and it can adapt to application scenarios with a large number of target users.
  • Some embodiments of the present disclosure provide a method for remotely accessing an application.
  • the method is applied to a management platform. Referring to FIG. 11 , the method specifically includes the following steps:
  • Step 501 The management platform generates server configuration information corresponding to the connection server.
  • the server configuration information includes at least identification information of the connection server and address information of the edge security server corresponding to the connection server.
  • Step 502 The management platform generates application configuration information corresponding to the target application.
  • The application configuration information includes at least one of the domain name of the target application, the back-to-source address, the identification information of the associated connection server, the identity authentication policy, and the access control policy.
  • Step 503 The management platform sends the server configuration information required by the connection server to the connection server.
  • Step 504 The management platform sends the application configuration information of the target application and the server configuration information of the connection server associated with the target application, as required by the edge acceleration server, to the edge acceleration server.
  • The server configuration information of the connection server and the application configuration information of the target application are generated in the management platform, and the target application is associated with the connection server. The management platform then sends the server configuration information to the connection server, and sends the application configuration information of the target application and the server configuration information of the associated connection server to the edge acceleration server.
  • The target terminal can thus access the target application associated with the connection server without using a VPN server, which solves the problem that a VPN server is unstable and difficult to maintain.
  • the target application in the intranet can be SaaS-based without modifying the original network topology, which can be easily expanded and adapted to the application scenario with a large number of target users.
  • An embodiment of the present disclosure provides a system for remotely accessing applications.
  • The system includes an edge acceleration server, an edge security server, a management platform, and a connection server.
  • The management platform is configured to generate the application configuration information of the target application and the server configuration information corresponding to the connection server; to send the edge acceleration server the application configuration information of the target application and the server configuration information of the connection server associated with the target application; and to send the connection server the server configuration information it requires.
  • The edge acceleration server is configured to receive the access request sent by the target terminal for the target application, and to send the access request to the corresponding edge security server according to the domain name of the target application included in the access request.
  • The edge security server is configured to receive the access request sent by the edge acceleration server, and to forward the access request to the corresponding connection server over the session connection previously established with that connection server.
  • The connection server is configured to receive the access request sent by the edge security server and to forward the access request to the corresponding target application.
  • The session connection is an outbound connection from the connection server to the edge security server.
  • The system further includes an authentication center, configured to apply an authentication policy to the identity information of the target user carried in the access request; the authentication policy includes an identity authentication policy and/or an access right authentication policy.
  • The system for remotely accessing applications provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing applications provided by the embodiments of the present disclosure, and has the same beneficial effects as that method.
  • An embodiment of the present disclosure further provides a device for remotely accessing an application, the device being configured to perform the operations of the connection server in the method for remotely accessing an application provided in any one of the above embodiments.
  • The device includes:
  • an acquisition module 601, configured to acquire the address information of at least one edge security server corresponding to the connection server;
  • a first session establishment module 602, configured to establish a session connection with the at least one edge security server according to its address information, the session connection being an outbound connection from the connection server to the at least one edge security server;
  • a first sending module 603, configured, on the basis of the session connection, to send an access request for the target application to the target application if such a request forwarded by the edge security server is received, and to send the received request response information to the edge security server, the request response information being fed back by the target application according to the access request.
  • The above address information is a domain name.
  • The first session establishment module 602 is also configured to send the domain name of the at least one edge security server to a domain name server; to receive from the domain name server the IP address corresponding to each such domain name; and, according to each IP address, to send a connection request to each edge security server so as to establish a session connection between the connection server and that edge security server, the connection request including the identification information of the connection server so that each edge security server can associate the identification information with the corresponding session connection.
  • The acquisition module 601 is further configured to obtain the server configuration information corresponding to the connection server from the management platform, and to obtain from that server configuration information the address information of the at least one edge security server corresponding to the connection server.
  • The transmission protocol of the above session connection is an encrypted transmission protocol.
  • The device for remotely accessing applications provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing applications provided by the embodiments of the present disclosure, and has the same beneficial effects as that method.
  • An embodiment of the present disclosure further provides a device for remotely accessing an application, the device being configured to perform the operations of the edge security server in the method for remotely accessing an application provided in any one of the above embodiments.
  • The device includes:
  • a first receiving module 701, configured to receive a connection request sent by at least one connection server;
  • a second session establishment module 702, configured to establish a session connection with the at least one connection server according to the connection request;
  • the first receiving module 701 being also configured to receive the access request for the target application forwarded by the edge acceleration server;
  • a first determining module 703, configured to determine the target connection server corresponding to the target application;
  • a second sending module 704, configured to forward the access request to the target connection server according to the session connection corresponding to the target connection server.
  • The connection request includes the identification information of the corresponding connection server.
  • The second session establishment module 702 is further configured to establish a session connection with each of multiple connection servers according to their respective connection requests, and to associate each piece of identification information with the corresponding session connection.
  • The second sending module 704 is further configured to forward the access request to the target connection server according to the session connection that, among the multiple session connections, is associated with the identification information of the target connection server.
  • The device for remotely accessing applications provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing applications provided by the embodiments of the present disclosure, and has the same beneficial effects as that method.
  • An embodiment of the present disclosure further provides a device for remotely accessing an application, the device being configured to perform the operations of the edge acceleration server in the method for remotely accessing an application provided in any one of the above embodiments.
  • The device includes:
  • a second receiving module 801, configured to receive an access request sent by the target terminal for the target application, where the access request includes the domain name of the target application;
  • a second determination module 802, configured to determine, according to the domain name of the target application, the address information of the edge security server corresponding to that domain name;
  • a third sending module 803, configured to forward the access request to the edge security server according to the address information of the edge security server.
  • The second determination module 802 is also configured to detect whether the access request carries the identity information of the target user; to apply an authentication policy to the identity information of the target user according to the detection result; and, if the identity information of the target user passes the authentication of the authentication policy, to determine the address information of the edge security server corresponding to the domain name of the target application according to that domain name.
  • The foregoing authentication policies include identity authentication policies and/or access right authentication policies.
  • The device for remotely accessing applications provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing applications provided by the embodiments of the present disclosure, and has the same beneficial effects as that method.
  • An embodiment of the present disclosure further provides a device for remotely accessing an application, the device being configured to execute the operations of the management platform in the method for remotely accessing an application provided in any one of the above embodiments.
  • The device includes:
  • a generation module 901, configured to generate the server configuration information corresponding to the connection server, which includes at least the identification information of the connection server and the address information of the edge security server corresponding to the connection server, and to generate the application configuration information corresponding to the target application, which includes at least one of the domain name of the target application, the return address, the identification information of the associated connection server, the identity authentication policy, and the access control policy;
  • a fourth sending module 902, configured to send the connection server the server configuration information it requires, and to send the edge acceleration server the application configuration information of the target application and the server configuration information of the connection server associated with the target application.
  • The device for remotely accessing applications provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing applications provided by the embodiments of the present disclosure, and has the same beneficial effects as that method.
  • Embodiments of the present disclosure also provide an electronic device for executing the above method for remotely accessing an application.
  • FIG. 16 shows a schematic diagram of an electronic device provided by some embodiments of the present disclosure.
  • The electronic device 10 includes a processor 1000, a memory 1001, a bus 1002 and a communication interface 1003; the processor 1000, the communication interface 1003 and the memory 1001 are connected through the bus 1002.
  • The memory 1001 stores a computer program that can run on the processor 1000; when the processor 1000 runs the computer program, it executes the method for remotely accessing an application provided in any one of the foregoing implementations of the present disclosure.
  • The memory 1001 may include a high-speed random access memory (RAM), and may also include a non-volatile memory, such as at least one disk memory.
  • The communication connection between this system network element and at least one other network element is realized through at least one communication interface 1003 (which may be wired or wireless), and the Internet, a wide area network, a local network, a metropolitan area network, etc. can be used.
  • The bus 1002 may be an ISA bus, a PCI bus, an EISA bus, etc.
  • The bus can be divided into an address bus, a data bus, a control bus and so on.
  • The memory 1001 is used to store a program, and the processor 1000 executes the program after receiving an execution instruction; the method for remotely accessing an application disclosed in any implementation manner of the foregoing embodiments of the present disclosure can be applied to the processor 1000 or implemented by the processor 1000.
  • The processor 1000 may be an integrated circuit chip with signal processing capability.
  • Each step of the above method may be implemented by an integrated logic circuit of hardware in the processor 1000 or by instructions in the form of software.
  • The above-mentioned processor 1000 can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
  • The various methods, steps and logic block diagrams disclosed in the embodiments of the present disclosure may be implemented or executed by such a processor.
  • A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, or the like.
  • The steps of the method disclosed in the embodiments of the present disclosure may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor.
  • The software module can be located in a storage medium that is mature in the field, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory, an electrically erasable programmable memory, or a register.
  • The storage medium is located in the memory 1001; the processor 1000 reads the information in the memory 1001 and completes the steps of the above method in combination with its hardware.
  • The electronic device provided by the embodiment of the present disclosure is based on the same inventive concept as the method for remotely accessing an application provided by the embodiment of the present disclosure, and has the same beneficial effect as the method adopted, operated or implemented.
  • Embodiments of the present disclosure also provide a computer-readable storage medium corresponding to the method for remotely accessing an application provided in the foregoing embodiments.
  • The computer-readable storage medium stores a computer program, that is, a program product.
  • When the computer program is run by a processor, it executes the method for remotely accessing an application provided in any of the foregoing implementation manners.
  • Examples of the computer-readable storage medium may include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other optical and magnetic storage media, which will not be repeated here.
  • The computer-readable storage medium provided by the above-mentioned embodiments of the present disclosure is based on the same inventive concept as the method for remotely accessing applications provided by the embodiments of the present disclosure, and has the same beneficial effects as the method adopted, run or implemented by the stored application program.
  • Because the session connection is an outbound connection between the connection server and the edge security server, the user does not need to use a VPN server:
  • the target terminal can remotely access the target application, which solves the problem that VPN servers are unstable and difficult to maintain.
  • Because the connection server only receives access requests for the target application that are forwarded by the edge security server, other servers are prevented from actively sending information to the connection server or establishing a connection to it, which reduces the risk of malicious attacks and ensures the security of the target application.
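The following is an added example, not code from the patent or its assignee, covering the connection server device (modules 601 to 603), the edge security server device (modules 701 to 704) and the closing point above about outbound-only sessions: a connection server dials out with its identification information, the edge security server associates that identification with the session, an access request is routed by domain name to the target connection server's session, the connection server forwards it to the target application and returns the response over the same session, and a request for a connection server that has no session fails closed because the edge cannot initiate a connection towards it. The network and the encrypted transport the page specifies are replaced by in-process method calls, and all class names, message shapes, status codes and sample domains are assumptions constructed for this illustration.

```python
"""Added example (not code from the patent or its assignee): an in-memory model
of the edge security server's session registry and of a connection server that
only ever dials out. The encrypted session transport described on the page is
replaced by direct method calls; names and message shapes are assumptions."""
from typing import Callable, Optional

Handler = Callable[[str], str]  # a target application: request path -> response body


class Session:
    """One established session between the edge security server and a connection server."""

    def __init__(self, edge: "EdgeSecurityServer", connection_server: "ConnectionServer") -> None:
        self.edge = edge
        self.connection_server = connection_server

    def forward(self, domain: str, path: str) -> tuple[int, str]:
        # The request goes down the session and the response comes back over it.
        return self.connection_server.on_request(domain, path)

    def close(self) -> None:
        # Drop the association only if this session is still the registered one.
        sid = self.connection_server.server_id
        if self.edge.sessions.get(sid) is self:
            del self.edge.sessions[sid]


class ConnectionServer:
    """Sits in the intranet. It has no listening side: it initiates the session
    and afterwards only receives requests that arrive over that session."""

    def __init__(self, server_id: str, apps: dict[str, Handler]) -> None:
        self.server_id = server_id   # identification information
        self.apps = apps             # domain name -> target application (stands in for the return address)
        self.session: Optional[Session] = None

    def dial(self, edge: "EdgeSecurityServer") -> Session:
        """Outbound connection request carrying the identification information."""
        self.session = edge.accept_connection(self)
        return self.session

    def hangup(self) -> None:
        if self.session is not None:
            self.session.close()
            self.session = None

    def on_request(self, domain: str, path: str) -> tuple[int, str]:
        """Invoked only through the session this server opened; forwards to the app."""
        app = self.apps.get(domain)
        if app is None:
            return 404, "no such application behind this connection server"
        return 200, app(path)


class EdgeSecurityServer:
    def __init__(self, domain_to_server_id: dict[str, str]) -> None:
        self.domain_to_server_id = domain_to_server_id  # from the application configuration
        self.sessions: dict[str, Session] = {}           # identification -> session

    def accept_connection(self, cs: ConnectionServer) -> Session:
        """Associate the presented identification information with the new session.
        Caveat: this model trusts the presented identification; a deployment should
        verify it (e.g. bind it to the encrypted session's peer identity), which is
        an assumption here, not something the page specifies."""
        session = Session(self, cs)
        self.sessions[cs.server_id] = session
        return session

    def handle_access_request(self, domain: str, path: str) -> tuple[int, str]:
        """Access request forwarded by the edge acceleration server."""
        target_id = self.domain_to_server_id.get(domain)
        if target_id is None:
            return 404, "domain not configured"
        session = self.sessions.get(target_id)
        if session is None:
            # No outbound session from that connection server exists; the edge
            # cannot dial in, so the request fails closed.
            return 502, f"no session with connection server {target_id}"
        return session.forward(domain, path)


def demo() -> dict[str, tuple[int, str]]:
    """Constructed sample: two connection servers, three configured domains."""
    edge = EdgeSecurityServer({
        "crm.intranet.example": "cs-01",
        "wiki.intranet.example": "cs-01",
        "hr.intranet.example": "cs-02",
    })
    cs1 = ConnectionServer("cs-01", {
        "crm.intranet.example": lambda p: f"crm says hello for {p}",
        "wiki.intranet.example": lambda p: f"wiki page {p}",
    })
    ConnectionServer("cs-02", {"hr.intranet.example": lambda p: f"hr {p}"})  # never dials
    cs1.dial(edge)
    results = {
        "crm": edge.handle_access_request("crm.intranet.example", "/"),
        "wiki": edge.handle_access_request("wiki.intranet.example", "/home"),
        "hr": edge.handle_access_request("hr.intranet.example", "/"),
        "unknown": edge.handle_access_request("mail.intranet.example", "/"),
    }
    cs1.hangup()
    results["crm-after-hangup"] = edge.handle_access_request("crm.intranet.example", "/")
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that `ConnectionServer` exposes no accept path at all: the only way a request reaches `on_request` is through a `Session` that the connection server itself created by calling `dial`, which is the property the closing bullet above relies on.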

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present disclosure relates to a method, a system and an apparatus for remotely accessing an application, as well as a device and a storage medium. The method comprises: acquiring address information of at least one edge security server corresponding to a connection server; establishing a session connection with the at least one edge security server according to the acquired address information; on the basis of the session connection, if an access request for a target application forwarded by the edge security server is received, sending the access request to the target application; and sending to the edge security server received request response information returned by the target application.
PCT/CN2022/094195 2021-05-28 2022-05-20 Procédé, système et appareil pour accéder à distance à une application, dispositif, et support de stockage Ceased WO2022247751A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110595342.2A CN113341798A (zh) 2021-05-28 2021-05-28 远程访问应用的方法、系统、装置、设备及存储介质
CN202110595342.2 2021-05-28

Publications (1)

Publication Number Publication Date
WO2022247751A1 true WO2022247751A1 (fr) 2022-12-01

Family

ID=77472088

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/094195 Ceased WO2022247751A1 (fr) 2021-05-28 2022-05-20 Procédé, système et appareil pour accéder à distance à une application, dispositif, et support de stockage

Country Status (2)

Country Link
CN (2) CN113341798A (fr)
WO (1) WO2022247751A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116170759A (zh) * 2023-02-10 2023-05-26 北京自如信息科技有限公司 一种基于微信的局域网访问方法及系统
CN119720172A (zh) * 2024-12-17 2025-03-28 北京百度网讯科技有限公司 安全认证方法、装置、电子设备、介质及程序产品

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113341798A (zh) * 2021-05-28 2021-09-03 上海云盾信息技术有限公司 远程访问应用的方法、系统、装置、设备及存储介质
CN113872933B (zh) * 2021-08-20 2023-05-26 上海云盾信息技术有限公司 隐藏源站的方法、系统、装置、设备及存储介质
CN115826444B (zh) * 2021-09-18 2025-09-19 上海云盾信息技术有限公司 基于dns解析的安全访问控制方法、系统、装置及设备
CN113890864B (zh) * 2021-10-19 2024-06-14 京东科技信息技术有限公司 数据包处理方法、装置、电子设备和存储介质
CN116418539B (zh) * 2021-12-31 2025-11-07 上海云盾信息技术有限公司 身份认证方法、系统、装置、设备及存储介质
CN114640672B (zh) * 2022-02-11 2025-02-11 网宿科技股份有限公司 一种远程访问边缘设备的方法、设备及系统
CN115297179B (zh) * 2022-07-25 2024-03-08 天翼云科技有限公司 一种数据传输方法及装置
CN115065559B (zh) * 2022-08-15 2022-12-27 浙江毫微米科技有限公司 一种身份认证系统、方法、装置、电子设备及存储介质
CN115632816A (zh) * 2022-09-19 2023-01-20 杭州安恒信息技术股份有限公司 反向代理方法、装置、身份认证方法、装置、系统、产品
CN115834513A (zh) * 2022-11-23 2023-03-21 中国联合网络通信集团有限公司 一种远程访问方法、装置及存储介质

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103117907A (zh) * 2013-03-11 2013-05-22 星云融创(北京)信息技术有限公司 网速测试方法和系统、选择加速服务器的方法和系统
US20140149552A1 (en) * 2012-11-26 2014-05-29 Go Daddy Operating Company, LLC Dns overriding-based methods of accelerating content delivery
CN106302512A (zh) * 2016-09-05 2017-01-04 上海云盾信息技术有限公司 一种用于控制访问的方法、设备与系统
CN109417536A (zh) * 2016-04-15 2019-03-01 高通股份有限公司 用于管理内容递送网络中的安全内容传输的技术
CN112256308A (zh) * 2020-11-12 2021-01-22 腾讯科技(深圳)有限公司 一种目标应用更新方法及装置
CN113341798A (zh) * 2021-05-28 2021-09-03 上海云盾信息技术有限公司 远程访问应用的方法、系统、装置、设备及存储介质

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101488945B (zh) * 2008-01-14 2012-09-19 北京大唐高鸿数据网络技术有限公司 一种面向会话初始化协议的鉴权方法
US9614870B2 (en) * 2014-06-04 2017-04-04 Aaa Internet Publishing Inc. Method of DDoS and hacking protection for internet-based servers using a private network of internet servers by executing computer-executable instructions stored on a non-transitory computer-readable medium
CN107277025A (zh) * 2017-06-28 2017-10-20 维沃移动通信有限公司 一种网络安全访问方法、移动终端及计算机可读存储介质
CN110392073B (zh) * 2018-04-19 2022-02-18 贵州白山云科技股份有限公司 一种基于动态加速的调度方法及装置
CN109151512A (zh) * 2018-09-12 2019-01-04 中国联合网络通信集团有限公司 Cdn网络中获取内容的方法及装置
CN110677683B (zh) * 2019-09-30 2022-03-04 北京奇艺世纪科技有限公司 视频存储、视频访问方法及分布式存储、视频访问系统
CN110830458B (zh) * 2019-10-25 2021-11-23 云深互联(北京)科技有限公司 域名访问方法、系统、设备和计算机可读存储介质
CN111885217B (zh) * 2020-07-21 2023-11-07 深信服科技股份有限公司 一种数据通信方法、装置、设备及存储介质
CN111953811B (zh) * 2020-08-07 2024-02-06 腾讯科技(深圳)有限公司 站点访问方法、站点注册方法、装置、设备及存储介质
CN112637346B (zh) * 2020-12-24 2023-12-01 北京知道创宇信息技术股份有限公司 代理方法、装置、代理服务器及存储介质

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140149552A1 (en) * 2012-11-26 2014-05-29 Go Daddy Operating Company, LLC Dns overriding-based methods of accelerating content delivery
CN103117907A (zh) * 2013-03-11 2013-05-22 星云融创(北京)信息技术有限公司 网速测试方法和系统、选择加速服务器的方法和系统
CN109417536A (zh) * 2016-04-15 2019-03-01 高通股份有限公司 用于管理内容递送网络中的安全内容传输的技术
CN106302512A (zh) * 2016-09-05 2017-01-04 上海云盾信息技术有限公司 一种用于控制访问的方法、设备与系统
CN112256308A (zh) * 2020-11-12 2021-01-22 腾讯科技(深圳)有限公司 一种目标应用更新方法及装置
CN113341798A (zh) * 2021-05-28 2021-09-03 上海云盾信息技术有限公司 远程访问应用的方法、系统、装置、设备及存储介质

Also Published As

Publication number Publication date
CN114995214A (zh) 2022-09-02
CN113341798A (zh) 2021-09-03

Similar Documents

Publication Publication Date Title
WO2022247751A1 (fr) Procédé, système et appareil pour accéder à distance à une application, dispositif, et support de stockage
US11647003B2 (en) Concealing internal applications that are accessed over a network
US8769128B2 (en) Method for extranet security
US9204345B1 (en) Socially-aware cloud control of network devices
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
US10873497B2 (en) Systems and methods for maintaining communication links
US10911485B2 (en) Providing cross site request forgery protection at an edge server
US20160219035A1 (en) Methods for providing secure access to network resources and devices thereof
US12542765B2 (en) Remote server isolation utilizing zero trust architecture
US12470522B2 (en) Techniques for providing a secure web gateway through a zero trust network environment
CN115694960A (zh) 一种应用代理方法、装置、设备及可读存储介质
WO2023020606A1 (fr) Procédé, système et appareil pour masquer une station source, et dispositif et support de stockage
CN104662871A (zh) 安全地访问网络服务的方法和设备
CN115913583A (zh) 业务数据访问方法、装置和设备及计算机存储介质
US11683309B2 (en) Nonce-based enterprise security policy enforcement
US12445438B2 (en) Techniques for managing cookies through a secure web gateway
JP2015505626A (ja) サーバー・アプリケーションと多数の認証プロバイダーとの統合
CN118694608B (zh) 应用于fttr网关的portal认证方法、装置及存储介质
US12549518B2 (en) System and method for client-based traffic control utilizing domain catalog
CN108462670A (zh) 用于tcp连接的鉴权方法、装置以及电子设备
HK40061824A (en) Method, system and apparatus for remotely accessing application, and device and storage medium
CN116418539B (zh) 身份认证方法、系统、装置、设备及存储介质
US20250071557A1 (en) Systems and methods for end user authentication
CN115150170B (zh) 安全策略配置方法、装置、电子设备和存储介质
CN121009532A (zh) 资源访问方法、装置、电子设备及存储介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22810478

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22810478

Country of ref document: EP

Kind code of ref document: A1