
JP-2026075267-A - Communication systems and communication methods


Abstract

[Problem] To provide a relay server for accessing a user environment from outside, at low cost and with high security. [Solution] The communication system 100 includes a distribution device 20 that receives, from each client 10A, access directed to the first user network 32A and distributes that access to the first relay server 31A, and a first relay server 31A that relays the access distributed by the distribution device 20 to the first user network 32A. The first relay server 31A, which is located outside the first user network 32A, and the first user network 32A are connected within the first SD-WAN 30A. [Representative drawing] Figure 1

Inventors

  • 上野 高暉

Assignees

  • 株式会社日立製作所 (Hitachi, Ltd.)

Dates

Publication Date
2026-05-08
Application Date
2024-10-22

Claims (10)

  1. A communication system comprising: a distribution device that receives, from each client, access directed to a client environment and distributes that access to a relay server; and a relay server that relays the access distributed from the distribution device to the client environment; characterized in that the relay server, which is located outside the client environment, and the client environment are connected within a closed network.
  2. The communication system according to claim 1, characterized in that, in the closed network, multiple client environments sharing the same address space are connected to one relay server.
  3. The communication system according to claim 1, characterized in that the closed network is a virtual network formed by an SD-WAN (Software Defined Wide Area Network).
  4. The communication system according to claim 1, characterized in that the client environment includes a processing server that establishes a session with the client, and the access is access to the processing server.
  5. The communication system according to claim 4, characterized in that the processing server establishes a virtual desktop environment session with the client.
  6. The communication system according to claim 1, characterized in that the distribution device further comprises: a receiving unit that confirms address information indicating the combination of the source information and the destination information of the access; a confirmation unit that searches for the address information of the received access in communication control information that associates, for each item of address information for which communication is permitted, that address information with the relay server heading toward its destination; and a determination unit that discards any access whose address information could not be found in the communication control information.
  7. The communication system according to claim 6, characterized in that the determination unit forwards any access whose address information was found in the communication control information to the relay server associated with that address information.
  8. The communication system according to claim 6, characterized in that the confirmation unit searches for the IP address read as the destination information of the received access among the IP addresses registered as destination information in the communication control information.
  9. The communication system according to claim 6, characterized in that the confirmation unit searches for the domain name read as the destination information of the received access among the domain names registered as destination information in the communication control information.
  10. A communication method in a communication system that includes a distribution device and a relay server, characterized in that: the distribution device receives, from each client, access directed to a client environment and distributes that access to the relay server; the relay server relays the access distributed from the distribution device to the client environment; and the relay server, which is located outside the client environment, and the client environment are connected within a closed network.
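Claims 6 to 9 (and [Configuration 1] in the description) define a default-deny allowlist: the distribution device reads the source/destination pair of each access, looks that pair up in a communication list that maps permitted pairs to a relay server, forwards on a hit and discards on a miss, with the destination given either as an IP address or as a domain name. The following Python model of the three units is an added illustration, not code from the patent or from Hitachi; the class and function names, the rule table and all addresses are this example's own assumptions, and the reuse of one server address across the two SD-WANs is assumed only to show why the lookup is keyed on the source and destination together rather than on the destination alone.

```python
"""Model of the distribution device's decision logic from claims 6 to 9
(receiving unit, confirmation unit, determination unit). Added illustration,
not the patent's own code; names, rules and addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Access:
    """Source/destination read from one unit of access (one packet)."""
    src: str  # canonical IP address of the client
    dst: str  # canonical IP address (claim 8) or domain name (claim 9)


@dataclass(frozen=True)
class Decision:
    action: str                  # "forward" or "discard"
    relay: Optional[str] = None  # relay server chosen when forwarding


def normalize_destination(dest: str) -> str:
    """Canonicalize destination information before lookup so spelling variants
    cannot slip past the list: IP literals are reduced to their canonical text
    form; anything else is treated as a domain name, lower-cased, with
    surrounding whitespace and a trailing dot removed."""
    try:
        return str(ip_address(dest.strip()))
    except ValueError:
        return dest.strip().rstrip(".").lower()


class DistributionDevice:
    """Distribution device 20: entry point that forwards only listed access."""

    def __init__(self, communication_list):
        # Communication control information (claim 6): each permitted combination
        # of source and destination is associated with the relay server toward
        # that destination.
        self._table = {
            (str(ip_address(src)), normalize_destination(dst)): relay
            for src, dst, relay in communication_list
        }

    def receive(self, packet: dict) -> Access:
        """Receiving unit 21: confirm source and destination of the access.
        Raises ValueError if the source is not a valid IP address."""
        return Access(src=str(ip_address(packet["src"])),
                      dst=normalize_destination(packet["dst"]))

    def confirm(self, access: Access) -> Optional[str]:
        """Confirmation unit 22: look the (source, destination) pair up in the
        communication list; None means the combination is not registered."""
        return self._table.get((access.src, access.dst))

    def determine(self, access: Access) -> Decision:
        """Determination unit 23: discard unlisted access (claim 6), forward
        listed access to the associated relay server (claim 7)."""
        relay = self.confirm(access)
        if relay is None:
            return Decision("discard")
        return Decision("forward", relay)

    def handle(self, packet: dict) -> Decision:
        """Full path for one packet; malformed source information is discarded too."""
        try:
            access = self.receive(packet)
        except (KeyError, ValueError):
            return Decision("discard")
        return self.determine(access)


# Constructed sample communication list. Placeholder addresses stand in for the
# patent's xxx.xxx.xxx.001-style addresses; relay names follow Figure 1.
COMMUNICATION_LIST = [
    ("192.0.2.1", "10.0.0.11", "relay-31A"),        # client 10A -> first server 33A (VDI)
    ("192.0.2.1", "10.0.0.12", "relay-31A"),        # client 10A -> second server 33B (file server)
    ("192.0.2.1", "vdi.dev.example", "relay-31A"),  # same client, destination as a domain name
    ("192.0.2.2", "10.0.0.11", "relay-31B"),        # client 10B -> third server 33C; address reuse
                                                    # across the two SD-WANs is assumed here
]

DEVICE = DistributionDevice(COMMUNICATION_LIST)

if __name__ == "__main__":
    for pkt in ({"src": "192.0.2.1", "dst": "10.0.0.11"},
                {"src": "192.0.2.2", "dst": "10.0.0.11"},
                {"src": "192.0.2.2", "dst": "10.0.0.12"},
                {"src": "192.0.2.1", "dst": "VDI.Dev.Example."}):
        print(pkt, "->", DEVICE.handle(pkt))
```

Two points worth checking in any real implementation of this scheme: the lookup key must include the source, otherwise a Company B client naming Company A's server address would be forwarded to relay 31A; and destination normalization has to happen before the lookup, since a trailing dot or mixed case in a domain name would otherwise turn an allowed destination into a miss (or, with a looser matcher, a denied one into a hit).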

Description

This invention relates to a communication system and a communication method.

A network within a single location, such as within the same building, is called a LAN (Local Area Network), while a network between multiple locations is called a WAN (Wide Area Network). Various types of networks exist within a WAN, including the internet and IP-VPN (IP Virtual Private Network). SD-WAN (Software Defined Wide Area Network) has been proposed as a mechanism for centrally managing these multiple WANs using software definitions. Patent Document 1 describes a system for interconnecting multiple SD-WANs via segment routing.

[Patent Document 1] Japanese Published Translation of PCT Application No. 2022-546563

Figure 1 is a diagram illustrating the configuration of the communication system according to this embodiment. Figure 2 is a flowchart showing the processing of the communication system according to this embodiment. Figure 3 is a table showing an example of the communication list according to this embodiment. Figure 4 is a hardware configuration diagram of each device in the communication system according to this embodiment.

The following describes one embodiment of the present invention with reference to the drawings. Figure 1 is a diagram showing the configuration of the communication system 100. The communication system 100 includes a distribution device 20 and relay servers (first relay server 31A, second relay server 31B) through which each client (client 10A, client 10B) accesses each processing server (first server 33A, second server 33B, third server 33C). In Figure 1, the IP address of each device is also shown inside that device. For example, client 10A is assigned the IPv4 address [xxx.xxx.xxx.001], and the first server 33A is assigned the IPv4 address [xxx.xxx.xxx.011]. Each processing server is located within the client environment of its user network (first user network 32A, second user network 32B, third user network 32C), and is accessible from outside that user network by authorized clients.
Each user network may be an internal network built using a LAN, or an inter-site network built using a WAN.

To make the explanation easier to follow, the communication system 100 is described as accommodating two companies, Company A and Company B. Company A's user networks are the first user network 32A, used by Company A's development department and containing the first server 33A, and the second user network 32B, used by Company A's sales department and containing the second server 33B. Employees of Company A, operating their client 10A (for Company A), can access the first server 33A, which provides a virtual desktop environment, from outside the first user network 32A via the distribution device 20 and the first relay server 31A. Similarly, client 10A can access the second server 33B, which provides a file server, from outside the first user network 32A via the distribution device 20 and the first relay server 31A. The third user network 32C, used by the general affairs department of Company B, contains the third server 33C. Employees of Company B, operating their client 10B, can access the third server 33C, which provides a video conferencing server, from outside the third user network 32C via the distribution device 20 and the second relay server 31B.

Company C, in order to provide communication services to Companies A and B, builds the communication system 100 as described in [Configuration 1] to [Configuration 3] below.

[Configuration 1] Company C prepares a distribution device 20. The distribution device 20 is the entry point that receives access (packets) from each client; it distributes access to the relay servers with which communication is permitted and blocks access toward relay servers with which communication is not permitted.
For this purpose, the distribution device 20 has an address confirmation unit (receiving unit) 21, a registration confirmation unit (confirmation unit) 22, a determination unit 23, and a communication list (communication control information) 24. The roles of these components are detailed in the flowchart of Figure 2. Company C preferably implements the distribution device 20 as a cloud service that provides a communication relay service with security functions, remote access functions and so on, in line with the SASE (Secure Access Service Edge) model. Alternatively, Company C may implement the functions offered by SASE on-premises as the distribution device 20.

[Configuration 2] Company C operates a closed network (private network) such as an SD-WAN (first SD-WAN 30A, second SD-WAN 30B). Because this closed network is provided separately from open networks (public networks) that an unspecified number of people can reach, such as the internet, each device within it can be kept at a high level of security. Company C provides fully managed services for each device that is within this closed network but outside the user networks, including installati