CN106330479A

CN106330479A - A device operation and maintenance method and system

Info

Publication number: CN106330479A
Application number: CN201510334489.0A
Authority: CN
Inventors: 张可
Original assignee: ZTE Corp
Current assignee: ZTE Corp
Priority date: 2015-06-16
Filing date: 2015-06-16
Publication date: 2017-01-11
Also published as: WO2016202007A1

Abstract

The invention discloses an equipment operation and maintenance method. The method comprises steps: a built-in proxy server for a user access portal and a proxy gateway as a gateway of a local area network device build a control channel for transmitting a control signaling between the two; the proxy server and the proxy gateway for the local area network device with login requested build a data channel by using the queried control channel; and the user access portal sends received operation data on the local area network device by the user to the queried proxy gateway for the local area network device e with login requested via the data channel through the proxy server. The security is improved, program mounting on each piece of equipment can be avoided, and the operation is thus simplified.

Description

A device operation and maintenance method and system

技术领域technical field

发明涉及网管设备运维领域。尤其是一种安全快捷的运维方法及系统。The invention relates to the field of operation and maintenance of network management equipment. In particular, a safe and fast operation and maintenance method and system.

背景技术Background technique

由于局域网设备的现网环境一般都是内网地址，并且对外不能直达，为了保证运维人员能够在该环境下登录并维修出现故障的设备，运维人员需要在设备上开放端口，运维人员需要通过跳板机逐级跳转，通过开放端口才能登录到目标设备上来，无疑增加了运维工作的繁琐性，效率低下；而一旦设备开放端口，就会存在安全隐患，相当于在设备上留下了后门，无法保证不会遭遇网络攻击，这也导致运维工作的安全性无法保证。Since the current network environment of LAN devices is generally an intranet address and cannot be directly accessed externally, in order to ensure that the operation and maintenance personnel can log in and repair the faulty equipment in this environment, the operation and maintenance personnel need to open ports on the equipment. It is necessary to jump step by step through the jumper and log in to the target device through the open port, which undoubtedly increases the complexity of the operation and maintenance work and inefficiency; and once the port is opened on the device, there will be security risks, which is equivalent to leaving With the back door, there is no guarantee that there will be no cyber attacks, which also leads to the inability to guarantee the security of operation and maintenance work.

或者要在设备上安装代理程序，但是涉及到对设备上安装软件，尤其是在局域网中，设备数量巨大的情况下，过程繁琐。Or it is necessary to install an agent program on the device, but it involves installing software on the device, especially in the case of a huge number of devices in a local area network, the process is cumbersome.

发明内容Contents of the invention

为了解决上述问题，本发明提供了一种设备运维的方法及装置，可以提高设备运维的安全性，提高管理的效率，简单方便。In order to solve the above problems, the present invention provides a method and device for equipment operation and maintenance, which can improve the safety of equipment operation and maintenance, improve the efficiency of management, and be simple and convenient.

一种设备运维方法，所述方法包括：A device operation and maintenance method, the method comprising:

用户访问门户的内置代理服务器、作为局域网设备的网关的代理网关建立彼此之间传输控制信令的控制通道；The built-in proxy server of the user access portal and the proxy gateway as the gateway of the LAN device establish a control channel for transmitting control signaling between each other;

所述用户访问门户接收用户操作局域网设备的请求；The user access portal receives a request from a user to operate a LAN device;

所述用户访问门户查询请求登录的局域网设备的代理网关，以及该代理网关与所述代理服务器建立的控制通道；The user access portal queries the proxy gateway of the LAN device that requests login, and the control channel established between the proxy gateway and the proxy server;

所述代理服务器与所述请求登录的局域网设备的代理网关利用查询到的控制通道，建立数据通道；The proxy server and the proxy gateway of the LAN device requesting to log in use the queried control channel to establish a data channel;

用户访问门户将接收到的用户对所述局域网设备的操作数据通过所述代理服务器经由所述数据通道发送至所述查询到的请求登录的局域网设备的代理网关；The user access portal sends the received user operation data on the LAN device through the proxy server to the proxy gateway of the queried LAN device requesting login through the data channel;

所述查询到的请求登录的局域网设备的代理网关将所述操作数据发送至用户请求操作的局域网设备。The queried proxy gateway of the LAN device requesting to log in sends the operation data to the LAN device that the user requests to operate.

可选地，其中，所述代理服务器、所述代理网关建立传输控制信令的控制通道，包括：Optionally, wherein the proxy server and the proxy gateway establish a control channel for transmitting control signaling, including:

所述代理网关向所述用户访问门户发送询问消息；The proxy gateway sends an inquiry message to the user access portal;

所述用户访问门户将已经开启的代理服务器列表信息发送至所述代理网关；The user access portal sends the opened proxy server list information to the proxy gateway;

所述代理网关向所述已经开启的代理服务器发送连接建立请求；The proxy gateway sends a connection establishment request to the activated proxy server;

所述已经开启的代理服务器接收所述代理网关发送的连接建立请求，The activated proxy server receives the connection establishment request sent by the proxy gateway,

由最快与所述代理网关建立连接的代理服务器与所述代理网关建立控制通道。A control channel is established with the proxy gateway by the proxy server that establishes the fastest connection with the proxy gateway.

可选地，所述代理服务器、所述请求登录的局域网设备的代理网关利用查询到的控制通道，建立数据通道，包括：Optionally, the proxy server and the proxy gateway of the LAN device requesting to log in use the queried control channel to establish a data channel, including:

所述代理服务器通过所述控制通道向所述请求登录的局域网设备的代理网关发送建立数据通道命令；The proxy server sends a command to establish a data channel to the proxy gateway of the LAN device requesting to log in through the control channel;

所述请求登录的局域网设备的代理网关向所述代理服务器发送建立数据通道请求消息；The proxy gateway of the LAN device requesting to log in sends a data channel establishment request message to the proxy server;

所述代理服务器接收所述请求消息；The proxy server receives the request message;

所述代理服务器、所述查找到的请求登录的局域网设备的代理网关建立彼此之间的数据通道。The proxy server and the proxy gateway of the found LAN device requesting to log in establish a data channel between them.

可选地，所述查询到的请求登录的局域网设备的代理网关将所述操作数据发送至用户请求操作的局域网设备，包括：Optionally, the queried proxy gateway of the LAN device requesting to log in sends the operation data to the LAN device that the user requests to operate, including:

所述代理网关接收所述代理服务器发送的数据包；The proxy gateway receives the data packet sent by the proxy server;

所述代理网关将所述数据包转发至所述用户请求操作的局域网设备。The proxy gateway forwards the data packet to the LAN device that the user requests to operate.

一种设备运维系统，所述系统包括：局域网设备的用户访问门户、作为局域网设备的网关的代理网关，其中，A device operation and maintenance system, the system comprising: a user access portal of a local area network device, and a proxy gateway serving as a gateway of the local area network device, wherein,

所述用户访问门户，用于通过内置的代理服务器和所述代理网关建立传输控制信令的控制通道；The user access portal is used to establish a control channel for transmitting control signaling through the built-in proxy server and the proxy gateway;

接收用户操作局域网设备的请求；Receive the user's request to operate the LAN device;

查询请求登录的局域网设备的代理网关，以及该代理网关与所述代理服务器建立的控制通道；Query the proxy gateway of the LAN device requesting to log in, and the control channel established between the proxy gateway and the proxy server;

与所述查询到的请求登录的局域网设备的代理网关，利用查询到的控制通道，建立数据通道；Establishing a data channel by utilizing the queried control channel with the proxy gateway of the queried LAN device requesting login;

将接收到的用户对所述局域网设备的操作数据通过所述代理服务器经由所述数据通道发送至所述查询到的请求登录的局域网设备的代理网关；Sending the received operation data of the user to the LAN device through the proxy server via the data channel to the proxy gateway of the queried LAN device requesting to log in;

所述代理网关，用于和所述用户访问门户，通过所述用户访问门户中的代理服务器建立传输控制信令的控制通道；The proxy gateway is configured to establish a control channel for transmitting control signaling with the user access portal through a proxy server in the user access portal;

所述查询到的请求登录的局域网设备的代理网关，用于将所述操作数据发送至用户请求操作的局域网设备。The queried proxy gateway of the LAN device that requests to log in is used to send the operation data to the LAN device that the user requests to operate.

可选地，Optionally,

所述用户访问门户，用于通过内置的代理服务器和所述代理网关建立传输控制信令的控制通道，包括：The user access portal is used to establish a control channel for transmitting control signaling through the built-in proxy server and the proxy gateway, including:

所述用户访问门户接收所述代理网关发送的询问消息；The user accesses the portal to receive the inquiry message sent by the proxy gateway;

所述代理网关向所述已经开启的代理服务器发送连接建立请求，The proxy gateway sends a connection establishment request to the activated proxy server,

可选地，Optionally,

所述用户访问门户与所述查询到的请求登录的局域网设备的代理网关，利用查询到的控制通道，建立数据通道，包括：The user access portal and the proxy gateway of the queried LAN device requesting to log in use the queried control channel to establish a data channel, including:

所述代理服务器通过所述查询到的控制通道向所述查询到的请求登录的局域网设备的代理网关发送建立数据通道命令；The proxy server sends a command to establish a data channel to the proxy gateway of the queried LAN device through the queried control channel;

所述代理服务器、所述请求登录的局域网设备的代理网关建立彼此之间的数据通道。The proxy server and the proxy gateway of the LAN device requesting to log in establish a data channel between them.

可选地，Optionally,

所述查询到的请求登录的局域网设备的代理网关，用于将所述操作数据发送至用户请求操作的局域网设备，包括：The queried proxy gateway of the LAN device requesting to log in is used to send the operation data to the LAN device that the user requests to operate, including:

一种局域网设备的用户访问门户，A user access portal for LAN devices,

所述用户访问门户，包括代理模块，接收模块，查询模块、所述代理模块包括多个代理服务器；The user access portal includes a proxy module, a receiving module, a query module, and the proxy module includes a plurality of proxy servers;

所述代理服务器与作为局域网设备的网关的代理网关建立传输控制信令的控制通道；The proxy server establishes a control channel for transmitting control signaling with a proxy gateway serving as a gateway of a LAN device;

所述用户访问门户，包括：The user access portal, including:

接收模块，用于接收用户操作局域网设备的请求，并将用户对局域网设备的操作数据发送到所述代理服务器；A receiving module, configured to receive a request from a user to operate a LAN device, and send the user's operation data on the LAN device to the proxy server;

查询模块，用于查询请求登录的局域网设备的代理网关，以及该代理网关与所述代理服务器建立的控制通道；A query module, configured to query the proxy gateway of the LAN device requesting login, and the control channel established between the proxy gateway and the proxy server;

所述代理模块，用于通过代理服务器与所述请求登录的局域网设备的代理网关利用查询到的控制通道，建立数据通道；通过代理服务器将接收到的用户对所述局域网设备的操作数据通过所述数据通道发送至查询到的代理网关。The proxy module is used to establish a data channel through the proxy server and the proxy gateway of the LAN device requesting to log in using the queried control channel; through the proxy server, the received user operation data on the LAN device is passed through the proxy server. The above data channel is sent to the queried proxy gateway.

可选地，Optionally,

所述代理服务器与作为局域网设备的网关的代理网关建立传输控制信令的控制通道，包括：The proxy server establishes a control channel for transmitting control signaling with the proxy gateway as the gateway of the LAN device, including:

可选地，Optionally,

所述代理模块，用于通过代理服务器与所述请求登录的局域网设备的代理网关利用查询到的控制通道，建立数据通道，包括：The proxy module is used to establish a data channel through the proxy server and the proxy gateway of the LAN device requesting to log in using the queried control channel, including:

采用本发明的方法及装置，解决了现有技术中，安全性低或者对局域网设备进行安装程序所造成的程序繁琐，效率低下的问题。By adopting the method and device of the present invention, the problems of low security or cumbersome programs and low efficiency caused by installing programs for local area network equipment in the prior art are solved.

代理服务器对局域网的操作通过专用的数据通道发送，从而提高了安全性。既提高了设备运维的安全性，又不需要对局域网设备进行程序上的修改，简化了操作，提高了管理效率。The operation of the proxy server to the LAN is sent through a dedicated data channel, thereby improving security. It not only improves the security of equipment operation and maintenance, but also does not need to modify the program of the LAN equipment, simplifies the operation, and improves the management efficiency.

附图说明Description of drawings

图1是本发明的流程图；Fig. 1 is a flow chart of the present invention;

图2是本发明提供的系统组网结构图；Fig. 2 is a system networking structure diagram provided by the present invention;

图3是本发明提供的Agent与Portal注册时序图；Fig. 3 is the Agent and Portal registration timing diagram that the present invention provides;

图4是本发明提供的Agent控制通道建立时序图；Fig. 4 is the sequence diagram of establishing the Agent control channel provided by the present invention;

图5是本发明提供的用户通过门户SSH(Secure Shell)登录到被管设备时序图；Fig. 5 is that the user provided by the present invention logs in to managed device sequence diagram through portal SSH (Secure Shell);

图6是反向代理技术原理图。Fig. 6 is a schematic diagram of reverse proxy technology.

具体实施方式detailed description

下面将结合附图及实施例对本发明的技术方案进行更详细的说明。The technical solution of the present invention will be described in more detail below with reference to the drawings and embodiments.

需要说明的是，如果不冲突，本发明实施例以及实施例中的各个特征可以相互结合，均在本发明的保护范围之内。另外，虽然在流程图中示出了逻辑顺序，但是在某些情况下，可以以不同于此处的顺序执行所示出或描述的步骤。It should be noted that, if there is no conflict, the embodiments of the present invention and various features in the embodiments can be combined with each other, and all are within the protection scope of the present invention. In addition, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from that shown or described herein.

图1是本发明的流程图:Fig. 1 is a flow chart of the present invention:

步骤S101：用户访问门户的内置代理服务器、作为局域网设备的网关的代理网关建立彼此之间传输控制信令的控制通道；Step S101: the user accesses the built-in proxy server of the portal, and the proxy gateway as the gateway of the LAN device establishes a control channel for transmitting control signaling between each other;

步骤S102：所述用户访问门户接收用户操作局域网设备的请求；Step S102: the user access portal receives a user's request to operate a LAN device;

步骤S103：用户访问门户查询请求登录的局域网设备的代理网关，以及该代理网关与所述代理服务器建立的控制通道；Step S103: the user accesses the portal to query the proxy gateway of the LAN device that requests to log in, and the control channel established between the proxy gateway and the proxy server;

步骤S104：所述代理服务器与所述请求登录的局域网设备的代理网关利用查询到的控制通道，建立数据通道；Step S104: The proxy server establishes a data channel with the proxy gateway of the LAN device requesting to log in using the queried control channel;

步骤S105：用户访问门户将接收到的用户对所述局域网设备的操作数据通过所述代理服务器经由所述数据通道发送至查询到的代理网关；Step S105: The user access portal sends the received user operation data on the LAN device to the queried proxy gateway through the proxy server via the data channel;

步骤S106：所述查询到的代理网关将所述操作数据发送至用户请求操作的局域网设备。Step S106: The queried proxy gateway sends the operation data to the LAN device requested by the user for operation.

图1中，Portal为用户访问门户，Agent为代理网关。In Figure 1, Portal is the user access portal, and Agent is the proxy gateway.

本发明提供的Agent和Portal之间通信基于标准的SSL(Secure SocketLayer)加密体系，注册流程如图3所示，Agent进行注册认证时需要使用证书签名和关键信息加密后传送给Portal，Portal进行签名检查和证书认证成功后，Agent才能真正和Portal建立通讯通道。Communication between Agent and Portal provided by the present invention is based on standard SSL (Secure SocketLayer) encryption system, and the registration process is as shown in Figure 3. When Agent performs registration authentication, it needs to use certificate signature and key information encryption to send to Portal, and Portal signs After the inspection and certificate authentication are successful, the Agent can actually establish a communication channel with the Portal.

图3是本发明提供的Agent与Portal注册时序图：Fig. 3 is a sequence diagram of Agent and Portal registration provided by the present invention:

步骤S301：根据证书判断Agent与Portal是否匹配；Step S301: judging whether the Agent matches the Portal according to the certificate;

步骤S302：若匹配成功，则继续，若失败，则中断；Step S302: If the matching is successful, continue, and if it fails, stop;

步骤S303：Agent向Portal传递相关注册信息；Step S303: the Agent transmits relevant registration information to the Portal;

步骤S304：Portal向用户发送消息，通知用户审核；Step S304: Portal sends a message to the user, notifying the user to review;

步骤S305：用户向Portal发送消息，通知Portal审核通过，注册成功；Step S305: the user sends a message to the Portal, informing the Portal that the review is passed and the registration is successful;

步骤S306：Portal向Agent发送注册成功消息。Step S306: Portal sends a registration success message to Agent.

Agent和Portal的通讯过程使用两个通讯通道：控制通道和数据通道。控制通道在Agent启动注册时建立，具体地说，在注册完成后，建立控制通道，控制通道用于Agent与Portal之间的控制信息交互以及控制数据通道建立、关闭。The communication process between Agent and Portal uses two communication channels: control channel and data channel. The control channel is established when the Agent starts to register. Specifically, after the registration is completed, the control channel is established. The control channel is used for the exchange of control information between the Agent and the Portal and the establishment and closing of the control data channel.

可选地，Optionally,

步骤S401：Agent首先访问Portal的所有代理服务器Agent server；Step S401: the Agent first accesses all Agent servers of the Portal;

步骤S402：Portal返回给Agent已开启的代理服务器Agent server列表；Step S402: Portal returns to the agent server Agent server list that Agent has opened;

步骤S403：Agent尝试与Portal上所有部署的代理服务器Agentserver建立连接，并寻找最优的一个。Step S403: the Agent tries to establish connections with all Agentservers deployed on the Portal, and searches for the optimal one.

也就是说，对于一个Agent，在Portal中，可能对应多个代理服务器Agentserver，通过比较，找出寻找响应最快的代理服务器，也就是最优的服务器，与所述最优的代理服务器建立连接。That is to say, for an Agent, in the Portal, it may correspond to multiple proxy servers Agentserver, by comparison, find out the proxy server with the fastest response, that is, the optimal server, and establish a connection with the optimal proxy server .

步骤S404：Agent与Portal的代理服务器建立连接，形成控制通道。Step S404: the Agent establishes a connection with the proxy server of the Portal to form a control channel.

Agent实际与Portal侧内置的代理服务器Agent Server建立连接，代理服务器Agent Server开放端口，处理消息中转；The Agent actually establishes a connection with the built-in proxy server Agent Server on the Portal side, and the proxy server Agent Server opens a port to handle message transfer;

数据通道是用户使用Portal上提供的远程工具通过Portal端的代理服务器Agent Server内置服务和被访问设备进行网络通讯的通道。The data channel is the channel through which the user uses the remote tool provided on the Portal to communicate with the accessed device through the built-in service of the Agent Server on the Portal side.

Portal和Agent会通过控制通道进行基于通讯证书的安全检查，一旦检查失败，Agent和Portal会自动切断数据通道。Portal and Agent will conduct a security check based on the communication certificate through the control channel. Once the check fails, Agent and Portal will automatically cut off the data channel.

Agent和Portal整个通讯过程中，Portal作为服务端通过固定的端口对外提供服务，Agent通过TCP反向代理技术和Portal建立反向连接。During the entire communication process between Agent and Portal, Portal serves as a server to provide external services through a fixed port, and Agent establishes a reverse connection with Portal through TCP reverse proxy technology.

这确保了Agent没有开放任何固定的对外端口，从而防止Agent侧遭遇网络攻击。This ensures that the Agent does not open any fixed external ports, thereby preventing the Agent side from encountering network attacks.

图5是本发明提供的用户通过门户SSH(Secure Shell)登录到被管设备时序图Fig. 5 is a sequence diagram of a user logging in to a managed device through a portal SSH (Secure Shell) provided by the present invention

一种实现通过Portal使用SSH登录被管理设备的应用场景：An application scenario for logging in to managed devices using SSH through Portal:

下面结合附图5对本发明的具体实施方法进一步说明：Below in conjunction with accompanying drawing 5 the concrete implementation method of the present invention is further described:

步骤S501，运维人员从Portal上需要通过SSH工具登录局域网某一台设备A。In step S501, the operation and maintenance personnel need to log in to a certain device A in the LAN through the SSH tool from the Portal.

步骤S502，Portal查询数据库查找设备A的信息，包括管辖设备A的Agent，Agent与Portal的控制通道ID等。In step S502, the Portal queries the database to find information about the device A, including the Agent in charge of the device A, the ID of the control channel between the Agent and the Portal, and the like.

步骤S503，Portal的内置服务Agent Server会通过控制通道ID查找到该控制通道，发送指令请求Agent主动再与Portal建立一条数据通道，用于SSH客户端与目标设备之间交互，指令格式为Step S503, the Portal's built-in service Agent Server will find the control channel through the control channel ID, and send an instruction to request the Agent to actively establish a data channel with the Portal for the interaction between the SSH client and the target device. The instruction format is

type＝ReqConnect&agentSrvId＝2&hostIp＝10.46.180.130&agentPort＝8323。type=ReqConnect&agentSrvId=2&hostIp=10.46.180.130&agentPort=8323.

步骤S504，Agent向Portal建立数据通道，根据Portal发过来的IP和代理端口建立Socket连接。In step S504, the Agent establishes a data channel to the Portal, and establishes a Socket connection according to the IP and agent port sent by the Portal.

步骤S505，Portal将新建立的数据通道ID记录，用户在Portal上对远程设备的操作都会被Portal的Agent Server通过数据通道转发给Agent。In step S505, the Portal records the newly established data channel ID, and the user's operations on the remote device on the Portal will be forwarded to the Agent by the Portal's Agent Server through the data channel.

步骤S506，Agent收到数据包后，直接转发给本地的SOCKS5代理服务去处理，SOCKS5代理服务是通用标准，用于转发数据包。In step S506, after the Agent receives the data packet, it directly forwards it to the local SOCKS5 proxy service for processing. The SOCKS5 proxy service is a common standard for forwarding the data packet.

值得注意的是，数据包中可以包含局域网设备的IP地址消息。Agent收到数据包后，可以根据IP地址消息，将数据包发送给局域网设备。It is worth noting that the IP address information of the LAN device may be included in the data packet. After the Agent receives the data packet, it can send the data packet to the LAN device according to the IP address message.

步骤S507，SOCKS5代理服务将数据包传送给局域网设备A。Step S507, the SOCKS5 proxy service transmits the data packet to the LAN device A.

步骤S508，局域网设备A处理相应的指令，然后把响应数据发给Agent的SOCKS5代理。In step S508, the LAN device A processes the corresponding command, and then sends the response data to the SOCKS5 proxy of the Agent.

步骤S509，Agent上面的SOCKS5代理将响应数据沿原路传回到Portal侧。Step S509, the SOCKS5 proxy on the Agent sends the response data back to the Portal side along the original path.

步骤S510，Portal最终回显响应数据给用户。本发明由Agent作为网关而且Agent本身对外不开放，而是基于反向代理技术与Portal通信，被管设备零入侵，在保证运维人员快捷便利地访问设备的同时，又能保证被管设备网络的安全性。In step S510, the Portal finally echoes back the response data to the user. The invention uses Agent as the gateway and the Agent itself is not open to the outside world, but communicates with the Portal based on the reverse proxy technology, and the managed device has zero intrusion. While ensuring the operation and maintenance personnel to access the device quickly and conveniently, it can also ensure the network of the managed device security.

图2是本发明提供的系统组网结构图。Fig. 2 is a system network structure diagram provided by the present invention.

Agent为代理网关；Portal为用户访问门户，或者称为用户访问入口。Agent is a proxy gateway; Portal is a user access portal, or called a user access portal.

该系统包括作为局域网设备的网关的代理网关Agent和局域网设备的用户访问入口Portal，Agent负责打通Portal与局域网设备之间的消息通道，并只对Portal开放。Portal提供了访问管理设备的统一管理入口，局域网识别分为两组，每一组都有个代理网关Agent，一个用户访问入口Portal中包含有多个代理服务器Agent Server。The system includes agent gateway Agent as the gateway of the LAN device and the user access portal Portal of the LAN device. The Agent is responsible for opening the message channel between the Portal and the LAN device, and is only open to the Portal. Portal provides a unified management entrance for accessing management devices. LAN identification is divided into two groups, each group has an agent gateway Agent, and a user access portal contains multiple agent servers Agent Server.

可选地，Optionally,

所述用户访问门户，包括：The user access portal, including:

可选地，Optionally,

本发明提供一种方案，用于解决远程运维场景下，运维人员能够通过简单的统一的门户入口，安全快捷的访问运营环境中局域网环境下的目标设备，而且目标设备无需开放端口或安装代理程序。The present invention provides a solution, which is used to solve the problem of remote operation and maintenance. The operation and maintenance personnel can safely and quickly access the target device in the LAN environment in the operation environment through a simple and unified portal entry, and the target device does not need to open ports or install agent.

本发明由Agent作为网关，而且Agent本身对外不开放，而是基于反向代理技术与Portal通信，被管设备零入侵，在保证运维人员快捷便利地访问设备的同时，又能保证被管设备网络的安全性。The invention uses Agent as the gateway, and the Agent itself is not open to the outside world, but communicates with the Portal based on the reverse proxy technology, and the managed device has zero intrusion. While ensuring that the operation and maintenance personnel can access the device quickly and conveniently, it can also ensure that the managed device network security.

关于反向代理技术：About reverse proxy technology:

通常的代理一般称为正向代理，只用于代理内部网络对外部网络的连接请求，不支持外部网络对内部网络的访问请求。当一个代理服务器能够代理外部网络上的主机访问内部网络时，这种代理称为反向代理。A common proxy is generally called a forward proxy, which is only used to proxy the connection request from the internal network to the external network, and does not support the access request from the external network to the internal network. When a proxy server can act as a proxy for hosts on the external network to access the internal network, this proxy is called a reverse proxy.

图6表明了反向代理技术的工作原理：Figure 6 shows the working principle of the reverse proxy technology:

包括客户端601，反向代理服务器602，服务器603；从图中可知，在真实的服务器603与客户端601之间，还设置一个服务器，称为反向代理服务器602。It includes a client 601, a reverse proxy server 602, and a server 603; as can be seen from the figure, a server called a reverse proxy server 602 is also set between the real server 603 and the client 601.

在真实服务器前面设置反向代理服务器，有以下作用：Setting up a reverse proxy server in front of the real server has the following effects:

反向代理服务器直接与客户端相连，然后连接真实服务器，可以降低真实服务器的负载，比如，客户端访问的内容如果缓存在反向代理服务器上，代理服务器就可以直接将内容发送给客户端，从而减小了真实服务器的负载。The reverse proxy server is directly connected to the client, and then connected to the real server, which can reduce the load on the real server. For example, if the content accessed by the client is cached on the reverse proxy server, the proxy server can directly send the content to the client. Thereby reducing the load on the real server.

另外，真实服务器设置在反向代理服务器之后，客户端在访问时，直接采集到的只是反向代理服务器的信息，这就保护了真实服务器的信息和数据，阻挡了黑客的攻击，提高了真实服务器的安全性。In addition, the real server is set behind the reverse proxy server, and when the client accesses, it directly collects only the information of the reverse proxy server, which protects the information and data of the real server, prevents hackers from attacking, and improves the authenticity. Server Security.

也就是说，本发明中，Agent相当于反向代理服务器，而局域网内的被控设备相当于真实服务器；Portal相当于客户端。That is to say, in the present invention, the Agent is equivalent to a reverse proxy server, and the controlled device in the local area network is equivalent to a real server; the Portal is equivalent to a client.

客户端就是为了访问局域网的被控设备，使用agent作为代理的原因是由于客户端和局域网设备服务器无法直连，所以要通过agent代理去转发通信数据；由于agent为了安全性不对外开放端口，但是客户端要和agent代理通信就必须有连接通道，所以这里由agent server启动端口监听，由agent去建立反向连接，形成数据通道，这样才能打通客户端与局域网真实服务器之间的通信。Agent也就成为反向代理服务器。The client is to access the controlled device in the LAN. The reason why the agent is used as the proxy is that the client and the LAN device server cannot be directly connected, so the communication data must be forwarded through the agent proxy; because the agent does not open the port for security, but The client must have a connection channel to communicate with the agent agent, so here the agent server starts port monitoring, and the agent establishes a reverse connection to form a data channel, so that the communication between the client and the real server of the LAN can be opened. Agent also becomes a reverse proxy server.

使用反向代理的技术来实现统一安全地访问被管设备的方案，通过此方案可以快捷的与运营环境上的局域网设备实现远程访问。Use reverse proxy technology to achieve a unified and secure access to managed devices. Through this solution, remote access can be quickly realized with LAN devices in the operating environment.

本领域普通技术人员可以理解上述方法中的全部或部分步骤可通过程序来指令相关硬件完成，所述程序可以存储于计算机可读存储介质中，如只读存储器、磁盘或光盘等。可选地，上述实施例的全部或部分步骤也可以使用一个或多个集成电路来实现。相应地，上述实施例中的各模块/单元可以采用硬件的形式实现，也可以采用软件功能模块的形式实现。本发明不限制于任何特定形式的硬件和软件的结合。Those skilled in the art can understand that all or part of the steps in the above method can be completed by instructing relevant hardware through a program, and the program can be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disk, and the like. Optionally, all or part of the steps in the foregoing embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the foregoing embodiments may be implemented in the form of hardware, or may be implemented in the form of software function modules. The present invention is not limited to any specific combination of hardware and software.

当然，本发明还可有其他多种实施例，在不背离本发明精神及其实质的情况下，熟悉本领域的技术人员当可根据本发明作出各种相应的改变和变形，但这些相应的改变和变形都应属于本发明的权利要求的保护范围。Of course, the present invention can also have other various embodiments, and those skilled in the art can make various corresponding changes and deformations according to the present invention without departing from the spirit and essence of the present invention, but these corresponding Changes and deformations should all belong to the protection scope of the claims of the present invention.

Claims

1. an equipment O&M method, it is characterised in that described method includes:

User accesses the built in agent server of door, builds as the proxy gateway of the gateway of lan device Vertical transmission each other controls the control passage of signaling；

Described user accesses door and receives the request of user operation lan device；

Described user accesses the proxy gateway of the lan device that door inquiry request logs in, and this agency The control passage that gateway is set up with described proxy server；

The proxy gateway of the lan device that described proxy server logs in described request utilizes and inquires Control passage, set up data channel；

User accesses door and passes through described by the user received to the operation data of described lan device The lan device that proxy server logs in via the request inquired described in the transmission extremely of described data channel Proxy gateway；

Described operation data are sent by the proxy gateway of the lan device that the described request inquired logs in The lan device of operation is asked to user.

2. the method for claim 1, it is characterised in that wherein, described proxy server, Described proxy gateway is set up transmission and is controlled the control passage of signaling, including:

Described proxy gateway accesses door to described user and sends inquiry message；

Described user accesses door and sends the proxy server list information having been switched on to described agency Gateway；

Described proxy gateway sends connection establishment request to the described proxy server having been switched on；

The described proxy server having been switched on receives the connection establishment request that described proxy gateway sends,

Control is set up with described proxy gateway by setting up the proxy server being connected the soonest with described proxy gateway Passage processed.

3. method as claimed in claim 1 or 2, it is characterised in that described proxy server, institute The proxy gateway stating the lan device that request logs in utilizes the control passage inquired, and sets up data and leads to Road, including:

The generation of the lan device that described proxy server is logged in described request by described control passage Reason gateway sends sets up Data Channel Command；

The proxy gateway of the lan device that described request logs in sends to described proxy server and sets up number According to channel request message；

Described proxy server receives described request message；

Described proxy server, described in find request log in lan device proxy gateway set up Data channel each other.

4. the method for claim 1, it is characterised in that described in inquire request log in The lan device of operation is asked in the transmission of described operation data by the proxy gateway of lan device to user, Including:

Described proxy gateway receives the packet that described proxy server sends；

Described packet is forwarded to described user and asks the lan device of operation by described proxy gateway.

5. an equipment operational system, it is characterised in that described system includes: the use of lan device Family accesses door, the proxy gateway of gateway as lan device, wherein,

Described user accesses door, passes for being set up by built-in proxy server and described proxy gateway The control passage of defeated control signaling；

Receive the request of user operation lan device；

The proxy gateway of lan device that inquiry request logs in, and this proxy gateway and described agency's clothes The control passage that business device is set up；

With the proxy gateway of the lan device that the described request inquired logs in, utilize the control inquired Passage, sets up data channel；

The operation data of described lan device are passed through described proxy server warp by the user received The proxy gateway of the lan device that the request inquired described in described data channel sends extremely logs in；

Described proxy gateway, for accessing door with described user, is accessed in door by described user Proxy server is set up transmission and is controlled the control passage of signaling；

The proxy gateway of the lan device that the described request inquired logs in, for by described operation data Transmission asks the lan device of operation to user.

6. system as claimed in claim 5, it is characterised in that

Described user accesses door, passes for being set up by built-in proxy server and described proxy gateway The control passage of defeated control signaling, including:

Described user accesses door and receives the inquiry message that described proxy gateway sends；

Described proxy gateway sends connection establishment request to the described proxy server having been switched on,

7. the system as described in claim 5 or 6, it is characterised in that

Described user accesses the proxy gateway of the lan device that door logs in the described request inquired, Utilize the control passage inquired, set up data channel, including:

Described proxy server pass through described in inquire control passage log in the described request inquired Lan device proxy gateway send set up Data Channel Command；

The proxy gateway of the lan device that described proxy server, described request log in is set up each other Data channel.

8. system as claimed in claim 5, it is characterised in that

The proxy gateway of the lan device that the described request inquired logs in, for by described operation data Transmission asks the lan device of operation to user, including:

9. the user of a lan device accesses door, it is characterised in that

Described user accesses door, including proxy module, and receiver module, enquiry module, described act on behalf of mould Block includes multiple proxy server；

Described proxy server controls letter with the proxy gateway foundation transmission of the gateway as lan device The control passage of order；

Described user accesses door, including:

Receiver module, for receiving the request of user operation lan device, and sets user's local area network Standby operation data are sent to described proxy server；

Enquiry module, for the proxy gateway of the lan device that inquiry request logs in, and this acts on behalf of net Close the control passage set up with described proxy server；

Described proxy module, the generation of the lan device for being logged in described request by proxy server Reason gateway utilizes the control passage inquired, and sets up data channel；To be received by proxy server User is operated data and is sent to the agency inquired by described data channel described lan device Gateway.

10. user as claimed in claim 9 accesses door, it is characterised in that

Described proxy server controls letter with the proxy gateway foundation transmission of the gateway as lan device The control passage of order, including:

11. users as claimed in claim 9 access door, it is characterised in that

Described proxy module, the generation of the lan device for being logged in described request by proxy server Reason gateway utilizes the control passage inquired, and sets up data channel, including:

Described proxy server receives described request message；