CN114070830A - Internet agent single-arm deployment architecture and internet agent remote deployment system - Google Patents
- Publication number: CN114070830A (application CN202111291240.8A)
- Authority: CN (China)
- Prior art keywords: internet, agent, change, internet agent, deployment system
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention provides an internet agent (proxy) single-arm deployment architecture that can be used in the field of financial systems. The internet agent is deployed in single-arm mode, which eliminates the routing decision for the return packets of a data flow, removes the source address translation step, and saves private-network IP addresses in the internet isolation zone. The technical scheme aims to meet the requirement of enterprise-internal terminals accessing the internet, and builds a dual-site active-active internet production agent cluster to achieve high availability of the cluster and of other internet infrastructure; at the same time, the opening of internet agent access requirements is fully automated, improving the operation and maintenance efficiency of the internet production agent.
Description
Technical Field
The invention relates to the technical field of network communication, in particular to an internet agent single-arm deployment architecture and an internet agent remote deployment system.
Background
Enterprises and the internet cooperate ever more deeply, and the demand for enterprise-internal terminals to access the internet keeps growing. The internet agent is an important piece of infrastructure connecting enterprise-internal servers with the internet: it is the link through which those servers reach the internet to complete their business, and it plays an important role in production.
The enterprise internet agent is deployed in the internet isolation zone. An enterprise usually uses a block of internet (public) addresses as its internal addresses, so devices in the isolation zone face a conflict between internal and external network addresses. In the prior art, this conflict is resolved by completing address translation before traffic enters the device: the internal addresses that conflict with internet addresses are translated into private-network addresses, and the device can then decide from which port to send a packet according to whether its address is an internet address or a private-network address.
Disclosure of Invention
The main object of the invention is to provide an internet agent single-arm deployment architecture and an internet agent remote deployment system, aiming to meet the requirement of enterprise-internal terminals accessing the internet and to build a dual-site active-active internet production agent cluster that achieves high availability of the cluster and of other internet infrastructure; at the same time, the opening of internet agent access requirements is fully automated, improving the operation and maintenance efficiency of the internet production agent.
To achieve this, the invention provides an internet agent single-arm deployment architecture that can be applied in the field of finance.
Optionally, for access by the load balancer, the network address of the network device from which the data packet originates is recorded, and this address can be used directly when returning the packet.
Optionally, a single network port is enabled and interconnected with the switch, the gateway points to the load balancing device, a VS (virtual server) address is enabled on the load balancing device as the service address, and the internal network port addresses of the background behavior management device agents are attached to it to form a cluster that provides the service externally.
In addition, to achieve the above object, the invention further provides an internet agent remote (off-site) deployment system that includes any of the above internet agent single-arm deployment architectures.
Optionally, the system further comprises 2N behavior management devices, with N behavior management device agents deployed in each of two different campuses of the enterprise, and the 2N behavior management device agents establish a configuration synchronization relationship through the master/master configuration mode.
Optionally, the internet agent remote deployment system further includes an internet agent change transactionalization component.
Optionally, the internet agent change transactionalization component includes a behavior management device agent configuration storage module.
Optionally, the internet agent change transactionalization component further comprises a change transaction module.
Optionally, the internet agent change transactionalization component further includes a change step generation module.
Optionally, the change step generation module includes an agent change requirement table parsing module, configured to parse the requirement table uploaded by the user and convert it into input readable by the program.
Optionally, the change step generation module further includes an agent change step generation module, configured to generate the agent policy opening steps for the behavior management device from the parsed requirement input and the inventory configuration held in the database.
Optionally, the internet agent change transactionalization component further comprises a change automation execution module.
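The change transactionalization component described in the preceding items (requirement table parsing, change step generation against the inventory configuration, and automated execution) can be illustrated end to end. The following is an added example and not code from the patent or from the device vendor: the CSV columns, the policy model (user group, destination, protocol), the in-memory `DeviceConfig` store and the `fail.example.net` failure trigger are all assumptions, since the page does not show the device's configuration API. The "transaction" is the defensible part: either every policy from a requirement table is opened, or none of them is, so a half-applied change never leaves the agent with a partial policy set.

```python
"""Constructed example of an internet-agent change transactionalization pipeline:
parse an uploaded requirement table, generate policy-opening steps against the
inventory configuration, and apply them atomically (all or nothing)."""
import csv
import io
import re

# Constructed requirement table as a user would upload it (not from the page).
REQUIREMENT_CSV = """\
user_group,destination,protocol,ticket
finance-ops,api.example.com,https,CHG-0001
finance-ops,api.example.com,https,CHG-0001
dev-team,repo.example.org,https,CHG-0002
dev-team,bad host!,https,CHG-0003
"""

# Hostname syntax check: labels of 1-63 chars, no leading/trailing hyphen, >= 2 labels.
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def parse_requirement_table(text):
    """Requirement table parsing module: CSV -> validated, de-duplicated records."""
    records, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["user_group"], row["destination"].lower(), row["protocol"].lower())
        if not DOMAIN_RE.match(key[1]) or key[2] not in ("http", "https"):
            rejected.append((row["ticket"], "invalid destination or protocol"))
            continue
        if key in seen:          # the same requirement listed twice
            continue
        seen.add(key)
        records.append({"group": key[0], "dest": key[1], "proto": key[2], "ticket": row["ticket"]})
    return records, rejected


def generate_steps(records, inventory):
    """Change step generation module: compare the demand with inventory policies."""
    steps = []
    for r in records:
        policy = (r["group"], r["dest"], r["proto"])
        action = "skip" if policy in inventory else "add"   # already open -> nothing to do
        steps.append((action, policy, r["ticket"]))
    return steps


class DeviceConfig:
    """Stand-in (assumption) for the behavior management device's policy store."""
    def __init__(self, policies):
        self.policies = set(policies)

    def add_policy(self, policy):
        if policy[1] == "fail.example.net":    # constructed failure injection
            raise RuntimeError("device rejected policy")
        self.policies.add(policy)


def execute_transaction(device, steps):
    """Change automation execution: apply every 'add'; on any failure undo them all."""
    applied = []
    try:
        for action, policy, _ticket in steps:
            if action == "add":
                device.add_policy(policy)
                applied.append(policy)
        return True, len(applied)
    except RuntimeError:
        for policy in reversed(applied):       # roll back in reverse order
            device.policies.discard(policy)
        return False, 0


def run_change(text, existing_policies):
    """Run the whole pipeline and return a summary usable for audit."""
    records, rejected = parse_requirement_table(text)
    device = DeviceConfig(existing_policies)
    steps = generate_steps(records, device.policies)
    committed, applied = execute_transaction(device, steps)
    return {"records": len(records), "rejected": len(rejected), "steps": steps,
            "committed": committed, "applied": applied, "policies": sorted(device.policies)}


if __name__ == "__main__":
    print(run_change(REQUIREMENT_CSV, {("finance-ops", "api.example.com", "https")}))
```

Rejected rows are reported rather than silently dropped, and the `skip` steps make the change idempotent, so re-running a requirement table that was already opened produces no device writes.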
In the technical scheme provided by the invention, which can be applied in the field of financial systems, the internet agent single-arm deployment architecture comprises an internet production agent cluster, a switch, a production machine and a load balancer, where the internet production agent cluster is interconnected with the switch, the switch is interconnected with the load balancer, and the load balancer is interconnected with the production machine. The internet agent is deployed in single-arm mode, which eliminates the routing decision for the return packets of a data flow, removes the source address translation step, and saves private-network IP addresses in the internet isolation zone. The technical scheme aims to meet the requirement of enterprise-internal terminals accessing the internet, and builds a dual-site active-active internet production agent cluster to achieve high availability of the cluster and of other internet infrastructure; at the same time, the opening of internet agent access requirements is fully automated, improving the operation and maintenance efficiency of the internet production agent.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from the structures shown in these drawings without creative effort.
FIG. 1 is a schematic structural diagram of an embodiment of an Internet agent single-arm deployment architecture provided by the present invention;
FIG. 2 is a schematic structural diagram of an embodiment of an Internet agent allopatric deployment system provided by the present invention;
FIG. 3 is a schematic structural diagram of an internet agent change transactionalization component according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings. The technical solutions in the present invention are clearly and completely described, and it is obvious that the described embodiments are some, not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system.
It should be noted that, if directional indication is involved in the embodiment of the present invention, the directional indication is only used for explaining the relative positional relationship, the motion situation, and the like between the components in a certain posture, and if the certain posture is changed, the directional indication is changed accordingly.
In addition, if there is a description of "first", "second", etc. in an embodiment of the present invention, the description of "first", "second", etc. is for descriptive purposes only and is not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the meaning of "and/or" appearing throughout includes three juxtapositions, exemplified by "A and/or B" including either A or B or both A and B. Also, the technical solutions in the embodiments may be combined with each other, but must be based on the realization of those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be considered to be absent and not be within the protection scope of the present invention.
In the description of the present invention, it should be noted that the terms "upper", "lower", "top", "bottom", "inner", "outer", and the like indicate orientations or positional relationships based on those shown in the drawings, and are only for convenience of description and simplification of description, but do not indicate or imply that the referred device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present invention.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, e.g., as meaning either a fixed connection, a removable connection, or an integral connection; can be mechanically or electrically connected; they may be directly connected, they may be indirectly connected through an intermediate medium, or they may be connected internally to two elements. The specific meanings of the above terms in the present invention can be understood in specific cases to those skilled in the art.
In addition, in the description of the present invention, "a plurality", and "a plurality" mean two or more unless otherwise specified.
Enterprises and the internet cooperate ever more deeply, and the demand for enterprise-internal terminals to access the internet keeps growing. The internet agent is an important piece of infrastructure connecting enterprise-internal servers with the internet: it is the link through which those servers reach the internet to complete their business, and it plays an important role in production.
The enterprise internet agent is deployed in the internet isolation zone. An enterprise usually uses a block of internet (public) addresses as its internal addresses, so devices in the isolation zone face a conflict between internal and external network addresses. In the prior art, this conflict is resolved by completing address translation before traffic enters the device: the internal addresses that conflict with internet addresses are translated into private-network addresses, and the device can then decide from which port to send a packet according to whether its address is an internet address or a private-network address.
In view of the above, the invention provides an internet agent single-arm deployment architecture in which the internet agents are deployed in single-arm mode, eliminating the routing decision for data-flow packets, removing the source address translation step, and saving private-network IP addresses in the internet isolation zone.
The technical scheme and the operation and maintenance object provided by the invention are developed around the Sangfor SG device (model AC3300S; the vendor name is rendered "deep-trust" in the machine translation), realizing high availability and automated operation and maintenance for the agent technology. Internet behavior management means helping internet users control and manage their use of the internet. It comprises web page access filtering, network application control, bandwidth and traffic management, auditing of sent and received information, and user behavior analysis.
It can be understood that with the rapid development of computers and broadband technology, networked office work has become increasingly common and the internet has become an indispensable, convenient and efficient tool in people's work, life and study. However, alongside the convenience of computerized office work and the internet, the phenomenon of employees using the internet for non-work purposes has become more and more prominent, and enterprises generally suffer from serious abuse of computers and the internet. Behaviors unrelated to work, such as online shopping, chatting, listening to music and watching films online, and downloading with P2P tools, occupy limited bandwidth and seriously affect normal working efficiency.
Internet behavior management products and technology are specifically intended to prevent the malicious spread of illegal information and to avoid leakage of state secrets, commercial information and scientific research achievements; they can also monitor and manage the use of network resources in real time and improve overall working efficiency. The internet behavior management product series suits network environments that require content auditing, behavior monitoring and behavior management, especially relevant units or departments that carry out graded security protection of computer information systems.
Early internet behavior management products were almost entirely URL filters: every web address accessed by a user could be monitored, tracked and recorded by the system; if an address was configured as a legal address it was not restricted, and if it was an illegal address it was blocked or a warning was issued, with each monitored access attributed to an individual. To some extent this is also the limitation of black and white lists. In addition, monitoring of mail sending and receiving, similar to URL filtering, has become a conventional internet behavior management function.
Management of internet users comprises the following:
Internet identity management: the identity of internet users is accurately identified and ensured by IP/MAC identification, user name/password authentication, and joint single sign-on with the existing authentication system.
Internet terminal management: the registry/processes/hard disk files of the host are checked to ensure the legality and safety of terminal PCs accessing the enterprise network.
Mobile terminal management: the identification code of the mobile terminal is checked, the type/model of the smart mobile terminal is identified, and the legality of mobile terminals accessing the enterprise network is ensured.
Internet access location management: the physical access point of the internet terminal is checked, the internet access location is identified, and the legality of the access location is ensured.
Internet browsing management comprises the following:
Search engine management: using identification, recording and blocking of search box keywords, the legality of online search content is ensured and the negative effects of searching for improper keywords are avoided.
Website URL management: using web page classification library technology, massive numbers of websites are classified in advance and then identified, recorded and blocked, ensuring the legality of the websites accessed.
Web page text management: the legality of browsed text is ensured using text keyword identification, recording and blocking technology.
File download management: the legality of files downloaded from web pages is ensured using identification, recording and blocking by file name/size/type/download frequency.
Internet outgoing-content management comprises the following:
Ordinary mail management: the legality of outgoing mail is ensured by deep identification, recording and blocking of SMTP sender and recipient/subject/body/attachment content.
WEB mail management: the legality of outgoing mail is ensured by deep identification, recording and blocking of the sender/subject/body/attachment content of webmail used in WEB mode.
Web page posting management: the title and body keywords of content posted to websites such as BBS are identified, recorded and blocked to ensure the legality of outgoing statements.
Instant messaging management: the legality of outgoing statements is ensured by identification, recording and blocking of keywords in the outgoing content of mainstream IM software such as MSN, Feixin, QQ, Skype and Yahoo.
Other outgoing management: content keywords in outgoing information over traditional protocols such as FTP (File Transfer Protocol) and TELNET are identified, recorded and blocked to ensure the legality of the outgoing information.
Internet application management comprises the following:
Internet application blocking: applications are identified and blocked using a port-independent application protocol library.
Cumulative duration limit for internet applications: a cumulative duration is assigned to each application or group of applications, and access is automatically terminated when the cumulative usage time in a day reaches the limit.
Cumulative traffic limit for internet applications: cumulative traffic is allocated to each application or group of applications, and access is automatically terminated when the cumulative traffic used in a day reaches the limit.
Internet traffic management comprises the following:
Network bandwidth control: a virtual channel upper limit is set for each application or group of applications, and traffic exceeding the upper limit is discarded.
Internet bandwidth guarantee: a virtual channel lower limit is set for each application or group of applications to ensure that the necessary network bandwidth is reserved for critical applications.
Internet bandwidth borrowing: when several virtual channels exist, a fully loaded virtual channel is allowed to borrow bandwidth from other idle virtual channels.
Fair network bandwidth: physical bandwidth is distributed equally to each user, so that excessive traffic from a single user cannot preempt the bandwidth of other users.
Internet behavior analysis comprises the following:
Real-time monitoring of internet behavior: the current speed, bandwidth allocation, application distribution, per-user bandwidth, per-user applications and so on of the network are displayed in one place.
Internet behavior log query: behavior logs of users/terminals/locations, browsing, outgoing content, applications, traffic and so on in the network can be queried precisely, locating problems accurately.
Statistical analysis of internet behavior: internet logs are summarized and visual reports such as traffic trends, risk trends, leakage trends and efficiency trends are counted and analyzed, so that managers can discover potential problems globally.
Internet privacy protection comprises the following:
Log transmission encryption: managers access the device's local log library and the external log center through an SSL-encrypted tunnel, preventing eavesdropping by attackers.
Separation of the three powers in management: administrator, auditor and audit-reviewer accounts are set up internally. The administrator has no log viewing authority but can create auditor accounts; the auditor has no log viewing authority until the audit reviewer has checked and approved its authority; the audit reviewer cannot set the auditor's log viewing range, but the specified log content can be viewed once the auditor's authority has passed review.
Accurate log recording: all internet behavior can be recorded selectively according to filter conditions, avoiding violations of regulations and keeping the recording of private information to a minimum.
Device fault tolerance management comprises the following:
Crash protection: after a hang or power failure, the device behaves like a transparent network cable (bypass), and network transmission is not affected.
One-key troubleshooting: after a network fault, pressing the one-key troubleshooting physical button directly determines whether the fault is caused by the internet behavior management device, shortening fault location time.
Dual system redundancy: the hard disk and Flash card provide dual systems that back each other up, so the device still works normally after a single system fails.
Centralized risk alarming:
Alarm center: all alarm information is displayed uniformly and centrally on the alarm center page.
Classified alarms: alarms of different levels are distinguished and arranged so that low-level alarms do not drown out key high-level alarm information.
Alarm notification: alarms can be sent to the administrator by mail and voice prompt, so that risks are discovered quickly.
In view of this, the present invention provides an internet agent single-arm deployment architecture, including an internet production agent cluster, a switch, a production machine and a load balancer, where the internet production agent cluster is interconnected with the switch, the switch is interconnected with the load balancer, and the load balancer is interconnected with the production machine.
Referring to fig. 1, the SG agent (the behavior management device agent of the claims) is deployed in single-arm mode: a single network port is enabled and interconnected with the core switch, and the agent's gateway points to the load balancing device. A virtual server (VS) address is enabled on the load balancer as the service address, and the internal network port addresses of the background SG agents are bound to it to form a cluster that provides services externally. The load balancing device distributes load at the front end to ensure high availability of the SG agents; the SG agents form a synchronization group so that configuration is synchronized among its members; and together, load balancing and the synchronization group allow the SG agents to be scaled out and in quickly. The network architecture and data flow of the single-arm deployment of the internet agent are shown in fig. 1.
When the data stream of an enterprise internal terminal accessing the internet through the internet agent passes through the load balancing equipment, the auto last hop function of the load balancing equipment is used, so that no routing decision is needed on the load balancing equipment for the return-packet data stream (data stream No. 1 in fig. 1 needs no routing decision), which neatly avoids the problem of conflicting internal and external IP addresses on the load balancing equipment. Once the SG agent is deployed in single-arm mode, data streams No. 3 and No. 7 reach the load balancing equipment through the agent's single network port, so the SG agent no longer needs to make routing decisions for internal addresses that conflict with internet addresses.
It should be noted that, with an internet agent, the terminal is configured with the agent's address, and the data stream accessing the internet is encapsulated in the HTTP proxy protocol or the SOCKS proxy protocol. After it reaches the agent device, the agent decapsulates the real access request from the proxy protocol, accesses the internet in place of the terminal and, after obtaining the response, encapsulates the response in the proxy protocol again and returns it to the terminal. A terminal outside the internet isolation area has a security level that does not permit direct internet access, so it must access the internet through agent equipment deployed in the isolation area.
Single-arm deployment means that the network device has only one network port connected to the network, and all traffic passes through that port.
Auto last hop is a function of load balancing devices: for traffic that passes through the load balancer, the network address of the device the packet arrived from is recorded, and that address is used directly when the packet is returned, without looking up the routing table.
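The return-path behaviour described above, as an added illustration that is not code from the patent: a minimal model of a load balancer whose flow table records the layer-2 address each forward packet arrived from, so the reply is handed back to that device without a routing lookup. The routing table deliberately reports an ambiguity instead of guessing when two equally specific routes point at different next hops, which is exactly the internal/external address conflict the text says auto last hop sidesteps. All addresses, MACs and device names are constructed.

```python
"""Auto last hop versus routing-table lookup for return packets (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ingress_mac: str  # layer-2 source of the frame as it reached the balancer


class RoutingTable:
    """Longest-prefix match that reports ambiguity instead of picking a route at random."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), nh) for prefix, nh in routes]

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        best = max(net.prefixlen for net, _ in matches)
        hops = {nh for net, nh in matches if net.prefixlen == best}
        # Two equally specific routes to different next hops: the address
        # conflict the patent describes; no safe choice can be made here.
        return hops.pop() if len(hops) == 1 else None


class LoadBalancer:
    def __init__(self, vs_ip, pool, routes, auto_last_hop):
        self.vs_ip = vs_ip
        self.pool = pool                # internal port addresses of the SG agents
        self.routes = RoutingTable(routes)
        self.auto_last_hop = auto_last_hop
        self.flows = {}                 # (client_ip, client_port) -> ingress MAC
        self._rr = 0

    def forward(self, pkt):
        """Client -> VS address: choose a pool member and remember where the packet came from."""
        if pkt.dst_ip != self.vs_ip:
            raise ValueError("packet is not addressed to the service address")
        member = self.pool[self._rr % len(self.pool)]
        self._rr += 1
        # Real devices key on the full 5-tuple; client ip/port is enough for this model.
        self.flows[(pkt.src_ip, pkt.src_port)] = pkt.ingress_mac
        return member

    def reverse(self, pkt):
        """Pool member -> client: decide the next hop for the return packet."""
        key = (pkt.dst_ip, pkt.dst_port)
        if self.auto_last_hop and key in self.flows:
            return self.flows[key]      # recorded ingress device, no routing decision
        return self.routes.lookup(pkt.dst_ip)


# Constructed scenario: the enterprise terminal range 10.0.0.0/8 is reachable via
# the core switch, but a system on the internet side of the SG agents happens to
# use an overlapping 10.0.0.0/8 range, so the routing table has two /8 entries.
ROUTES = [("10.0.0.0/8", "02:00:00:00:00:01"),   # core switch
          ("10.0.0.0/8", "02:00:00:00:00:02")]   # SG agent side
POOL = ["192.0.2.11", "192.0.2.12"]
VS_IP = "192.0.2.100"


def return_next_hop(auto_last_hop):
    """Run one request/reply through the balancer and report the reply's next hop."""
    lb = LoadBalancer(VS_IP, POOL, ROUTES, auto_last_hop)
    request = Packet("10.1.2.3", VS_IP, 40000, 8080, "02:00:00:00:00:01")
    member = lb.forward(request)
    reply = Packet(member, "10.1.2.3", 8080, 40000, "02:00:00:00:00:02")
    return lb.reverse(reply)


if __name__ == "__main__":
    print("auto last hop:", return_next_hop(True))    # core switch MAC
    print("routing table:", return_next_hop(False))   # None: ambiguous route
```

With auto last hop on, the reply goes back to the core switch the request came from; with it off, the overlapping prefixes leave the balancer with no unambiguous route, which is the failure the single-arm design is meant to avoid.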
In the method, N SG production agents are deployed at each of two different sites of the enterprise, and the 2N SG agents establish a configuration synchronization relationship through the configuration master-master mode: configuration is performed on the master control device of park A and is automatically pushed to the other N-1 SG agents in the same park and to the N SG agents in the other park. High availability of the 2N SG agents is achieved by the load balancing devices: a virtual address is enabled on the local area network load balancing equipment for the N SG agents of the same park, and the agent traffic distributed to that park is carried jointly by those N SG agents; the two virtual addresses of the two parks are load-distributed through the intranet domain name resolution system, so that in normal operation the agents of the two parks share the load by region, and when one park fails the other park can take over the production agent function completely. The internet agent off-site deployment system is shown in fig. 2.
It should be noted that in the agent master-master mode, each agent device in the cluster is a master device and carries traffic.
After the production agents are deployed in a highly available manner across two sites, the redundancy of the internet agent equipment is further improved, the redundancy of the other infrastructure at the internet egress is increased, and fast isolation and switchover are achieved when an internet agent fails.
As the internet access requirements of each production system become increasingly complex and diverse, maintenance of the internet agent off-site deployment system becomes very frequent, and automatic generation and execution of the large number of routine internet agent change schemes is imperative.
Referring to fig. 3, the internet agent off-site deployment system further includes an agent change transacting component, which is divided into four modules: a behavior management device agent configuration warehousing module, a change transaction module, a change step generation module and a change automation execution module. The operation of each module is shown in fig. 3.
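The two-park master-master arrangement and the DNS-based distribution described above, as an added example that is not the patent's own code: N agents are built for each of two parks (2N in total), a policy configured on park A's master is pushed to every other member, the group is checked for configuration drift (a member whose configuration no longer matches the master), and a resolver picks the virtual address for a client, preferring its own park and falling back to the other when the local park is down. Agent names, parks and addresses are constructed.

```python
"""Two-site master-master synchronization group with per-park VS addresses (added example)."""
import copy
import hashlib
import json


class SgAgent:
    def __init__(self, name, park):
        self.name = name
        self.park = park
        self.config = {"policies": []}

    def digest(self):
        """Stable hash of the configuration, used to compare group members."""
        canonical = json.dumps(self.config, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()


class SyncGroup:
    def __init__(self, agents, master_name):
        self.agents = agents
        self.master = next(a for a in agents if a.name == master_name)

    def apply(self, policy):
        """Configure on the master control device; the change is pushed to the other 2N-1 agents."""
        self.master.config["policies"].append(policy)
        for agent in self.agents:
            if agent is not self.master:
                agent.config = copy.deepcopy(self.master.config)

    def drift(self):
        """Names of agents whose configuration no longer matches the master's."""
        reference = self.master.digest()
        return [a.name for a in self.agents if a.digest() != reference]


def build_group(n):
    """N agents in park A and N in park B; the first agent of park A is the master control device."""
    agents = [SgAgent(f"sg-{park}-{i}", park)
              for park in ("A", "B") for i in range(1, n + 1)]
    return SyncGroup(agents, "sg-A-1")


def resolve(vips, healthy, client_park):
    """VS address for a client: its own park when healthy, otherwise any healthy park, else None."""
    if healthy.get(client_park) and client_park in vips:
        return vips[client_park]
    for park, vip in vips.items():
        if healthy.get(park):
            return vip
    return None


def demo():
    """Push one policy, confirm no drift, then detect an out-of-band edit on one member."""
    group = build_group(3)
    group.apply({"src": "10.20.0.0/24", "dst": "198.51.100.7", "port": 443})
    before = group.drift()
    edited = next(a for a in group.agents if a.name == "sg-B-2")
    edited.config["policies"].append({"src": "10.30.0.0/24", "dst": "198.51.100.8", "port": 80})
    return before, group.drift()


if __name__ == "__main__":
    print(demo())
    print(resolve({"A": "192.0.2.100", "B": "198.51.100.100"}, {"A": False, "B": True}, "A"))
```

The drift check is the part an operator actually wants from a synchronization group: a member that was changed directly, outside the master, shows up by name rather than silently serving a different policy set.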
1) Behavior management device agent configuration warehousing module: the network management system runs the SG production agent configuration warehousing module at a fixed time every day, obtains the SG agent configuration through the HTTP API provided by the SG agent, processes it and stores it in the database.
2) Change transaction module: after a user uploads an agent policy application form in the general transaction interface, the transaction module performs hard-control validation of the form, calls the change step generation module, names the generated steps according to the standard and then automatically uploads them to the SD.
3) Change step generation module: consists of two sub-modules, the agent change requirement table parsing module and the agent change step generation module. The parsing module parses the requirement table uploaded by the user and converts it into readable program input; the step generation module generates the SG agent policy provisioning steps from that input and the stock configuration in the database.
4) Change automation execution module: the change step generation module adds an HTTP API execution identifier to each change step; after the change is approved in the SD, the steps are pushed to the network management change automation execution module, which calls the HTTP API execution interface indicated by the identifier in the step, uploads the processed JSON data by POST and completes the agent policy change.
It should be noted that SD refers to the science and technology management workbench on which a user submits a network change request and on which request handlers complete the provisioning of the request and the transfer of the work order. Change transaction means that a user submits a requirement form and the tool automatically prepares and provisions the change without manual involvement. The HTTP API is the access interface that the network device provides to the outside: an external program connects to the device over HTTP to obtain information such as its configuration. The data format is JSON, and the HTTP access is an HTTP POST operation.
The whole process of the internet agent change transacting component requires no manual intervention and is completed automatically by the system, so change preparation time is reduced to seconds and the accuracy of the change steps improves; at the same time, changes execute faster, with implementation efficiency dozens of times higher than that of traditional command-line changes. At present, about 12 internet agent changes per week on average have their schemes generated and executed through the agent change transaction tool; user requirements are standardized, the cost of communication between the network specialty and users about requirements is reduced, and the circulation efficiency of agent changes is greatly improved.
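The four-module change pipeline of items 1) to 4), as an added example that is not the patent's own code nor the SG vendor's API: requirement rows are parsed into typed input, each row is put through hard-control checks (including a check against the stock configuration the warehousing module stored, so an already-present policy is not provisioned twice), accepted rows become named steps carrying an execution identifier, and an executor dispatches on that identifier and records the JSON POST instead of sending it. The enterprise address range, the inventory, the uploaded rows, the step-naming convention and the API path are all constructed assumptions.

```python
"""Agent change transaction: parse, validate, generate steps, execute (added example)."""
import ipaddress
import json

ENTERPRISE_SPACE = ipaddress.ip_network("10.0.0.0/8")  # assumed internal terminal range
POLICY_API = "/api/sg/policy"                          # hypothetical endpoint, not the vendor's

# What the configuration warehousing module would have stored for the agents (constructed).
INVENTORY = [
    {"src": "10.20.0.0/24", "dst": "203.0.113.10", "port": 443, "action": "allow"},
]

# Rows of a requirement table as a user might upload them (constructed).
REQUEST_ROWS = [
    {"applicant": "payments", "src": "10.20.0.0/24", "dst": "198.51.100.7", "port": "443", "action": "allow"},
    {"applicant": "payments", "src": "10.20.0.0/24", "dst": "203.0.113.10", "port": "443", "action": "allow"},
    {"applicant": "payments", "src": "172.16.0.0/24", "dst": "198.51.100.9", "port": "99999", "action": "allow"},
]


def parse_row(row):
    """Convert the spreadsheet-style strings of one row into typed program input."""
    return {
        "applicant": row["applicant"].strip(),
        "src": ipaddress.ip_network(row["src"].strip(), strict=True),
        "dst": ipaddress.ip_address(row["dst"].strip()),
        "port": int(row["port"]),
        "action": row["action"].strip().lower(),
    }


def validate(req, inventory):
    """Hard-control checks; returns the list of reasons, empty when the row passes."""
    errors = []
    if not req["src"].subnet_of(ENTERPRISE_SPACE):
        errors.append("source is outside the enterprise address space")
    if req["dst"] in ENTERPRISE_SPACE:
        errors.append("destination is an internal address, not an internet one")
    if not 1 <= req["port"] <= 65535:
        errors.append("port out of range")
    if req["action"] not in ("allow", "deny"):
        errors.append("unknown action")
    existing = {(e["src"], e["dst"], e["port"], e["action"]) for e in inventory}
    if (str(req["src"]), str(req["dst"]), req["port"], req["action"]) in existing:
        errors.append("policy already present in stock configuration")
    return errors


def generate_steps(requests, inventory):
    """Turn accepted rows into named steps that carry an API execution identifier."""
    steps = []
    for req in requests:
        seq = len(inventory) + len(steps) + 1
        steps.append({
            "name": f"SG-POLICY-ADD-{seq:04d}",   # assumed naming standard
            "exec_api": "policy_add",           # identifier the executor dispatches on
            "payload": {"src": str(req["src"]), "dst": str(req["dst"]),
                        "port": req["port"], "action": req["action"]},
        })
    return steps


def process(rows, inventory):
    """Whole transaction: returns (steps for accepted rows, [(row number, reasons)] for rejected)."""
    accepted, rejected = [], []
    for index, row in enumerate(rows, start=1):
        try:
            req = parse_row(row)
        except ValueError as exc:
            rejected.append((index, [f"malformed field: {exc}"]))
            continue
        problems = validate(req, inventory)
        if problems:
            rejected.append((index, problems))
        else:
            accepted.append(req)
    return generate_steps(accepted, inventory), rejected


class Executor:
    """Calls the HTTP API named by each step's identifier; here the POST is only recorded."""

    def __init__(self):
        self.sent = []

    def post(self, path, body):
        self.sent.append((path, json.dumps(body, sort_keys=True)))
        return 200

    def run(self, steps):
        handlers = {"policy_add": lambda body: self.post(POLICY_API, body)}
        return [handlers[step["exec_api"]](step["payload"]) for step in steps]


if __name__ == "__main__":
    steps, rejected = process(REQUEST_ROWS, INVENTORY)
    print(json.dumps(steps, indent=2), rejected, Executor().run(steps))
```

Of the three constructed rows, only the first becomes a step; the second is refused because the warehoused inventory already holds that policy, and the third fails two hard-control checks at once. Keeping the rejection reasons per row is what lets the transaction module return a usable answer to the applicant without a network engineer in the loop.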
In conclusion, the method can be applied in the field of financial systems. The internet agent single-arm deployment architecture comprises an internet production agent cluster, a switch, a production machine and a load balancer, wherein the internet production agent cluster is interconnected with the switch, the switch is interconnected with the load balancer, and the load balancer is interconnected with the production machine. Single-arm deployment of the internet agent eliminates the routing decision problem for return packets, removes the source address translation step and saves private network IP addresses in the internet isolation area. The technical scheme provided by the invention meets the requirement of enterprise internal terminals to access the internet and builds a two-site active-active internet production agent cluster to achieve high availability of the cluster and of other internet infrastructure; at the same time, fully automatic provisioning of internet agent access requirements is realized, improving the operation and maintenance efficiency of the internet production agents. After the production agents are deployed in a highly available manner across two sites, the redundancy of the internet agent equipment is further improved, the redundancy of the other infrastructure at the internet egress is increased, and fast isolation and switchover are achieved when an internet agent fails.
Finally, it should be noted that in the technical scheme of this disclosure, the acquisition, storage and use of the personal information of the users concerned comply with the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention. The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (12)
1. An internet agent single-arm deployment architecture, characterized in that it comprises an internet production agent cluster, a switch, a production machine and a load balancer, wherein the internet production agent cluster is interconnected with the switch, the switch is interconnected with the load balancer, and the load balancer is interconnected with the production machine.
2. The internet agent single-arm deployment architecture of claim 1, wherein for access through the load balancer, the network address of the network device from which the packet originated is recorded, and this address is used directly when returning the packet.
3. The internet agent single-arm deployment architecture of claim 1, wherein a single network port is enabled and interconnected with the switch, the gateway points to the load balancer, a virtual server (VS) address is enabled as the service address on the load balancer, and the internal network port address of the background behavior management device agent is bound to it to form a cluster that provides services to the outside.
4. An internet agent off-site deployment system comprising the internet agent single-arm deployment architecture of any of claims 1-3.
5. The internet agent off-site deployment system of claim 4, further comprising 2N behavior management devices, wherein N behavior management device agents are deployed in each of two off-site parks of the enterprise, the 2N behavior management device agents establishing a configuration synchronization relationship through the configuration master-master mode.
6. The internet agent off-site deployment system of claim 4, wherein the internet agent off-site deployment system further comprises an internet agent change transacting component.
7. The internet agent off-site deployment system of claim 6, wherein the internet agent change transacting component comprises a behavior management device agent configuration warehousing module.
8. The internet agent off-site deployment system of claim 6, wherein the internet agent change transacting component further comprises a change transaction module.
9. The internet agent off-site deployment system of claim 6, wherein the internet agent change transacting component further comprises a change step generation module.
10. The internet agent off-site deployment system of claim 9, wherein the change step generation module includes an agent change requirement table parsing module, the agent change requirement table parsing module being configured to parse a requirement table uploaded by a user and convert it into program-readable input.
11. The internet agent off-site deployment system of claim 9, wherein the change step generation module further comprises an agent change step generation module, the agent change step generation module being configured to generate a behavior management device agent policy provisioning step based on the demand input and the inventory configuration in a database.
12. The internet agent off-site deployment system of claim 6, wherein the internet agent change transacting component further comprises a change automation execution module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111291240.8A CN114070830B (en) | 2021-11-02 | 2021-11-02 | Internet agent single-arm deployment architecture and Internet agent off-site deployment system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111291240.8A CN114070830B (en) | 2021-11-02 | 2021-11-02 | Internet agent single-arm deployment architecture and Internet agent off-site deployment system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114070830A true CN114070830A (en) | 2022-02-18 |
| CN114070830B CN114070830B (en) | 2024-10-25 |
Family
ID=80236562
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111291240.8A Active CN114070830B (en) | 2021-11-02 | 2021-11-02 | Internet agent single-arm deployment architecture and Internet agent off-site deployment system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114070830B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115633089A (en) * | 2022-09-06 | 2023-01-20 | 江苏省未来网络创新研究院 | A Unified Communications Proxy Supporting Concurrent Stream Scheduling in Cluster Computing |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN202918331U (en) * | 2012-10-16 | 2013-05-01 | 上海忆通广达信息技术有限公司 | Communication network system for deploying security proxy server in single arm mode |
| CN105141656A (en) * | 2015-07-20 | 2015-12-09 | 浙江工商大学 | Internet lightweight application load balancing realization method based on cloud platforms |
| CN109698796A (en) * | 2019-03-07 | 2019-04-30 | 江苏省人民医院 | High-performance network load balancing system and implementation method thereof |
| CN110048956A (en) * | 2019-05-29 | 2019-07-23 | 中国海洋石油集团有限公司 | Internetwork link load control system |
| CN111010342A (en) * | 2019-11-21 | 2020-04-14 | 天津卓朗科技发展有限公司 | Distributed load balancing implementation method and device |
Non-Patent Citations (2)
| Title |
|---|
| Zhang Nan et al.: "Research and Implementation of Internet Egress Architecture Optimization", 《信息与电脑(理论版)》 (Information & Computer, Theoretical Edition), pages 2 * |
| Xie Pengyu et al.: "Discussion of an Intra-City Active-Active Solution for Enterprise-Level Applications of Guangxi Power Grid", 《广西电力》 (Guangxi Electric Power), pages 1 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115633089A (en) * | 2022-09-06 | 2023-01-20 | 江苏省未来网络创新研究院 | A Unified Communications Proxy Supporting Concurrent Stream Scheduling in Cluster Computing |
| CN115633089B (en) * | 2022-09-06 | 2024-12-03 | 江苏省未来网络创新研究院 | Unified communication proxy supporting concurrent flow scheduling in cluster computing |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114070830B (en) | 2024-10-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20230144444A1 (en) | Virtual Gateway Control and Management | |
| CN110351257B (en) | Distributed Internet of things security access system | |
| WO2020028602A2 (en) | Method and system for a network presence platform with intelligent routing | |
| CN103414709A (en) | User identity binding and user identity binding assisting method and device | |
| US7822872B2 (en) | Multi-location distributed workplace network | |
| WO2019177988A1 (en) | System and method of providing a controlled interface between devices | |
| CN112383631A (en) | Regional Internet of things platform and data processing method based on regional Internet of things platform | |
| EP3096492B1 (en) | Page push method and system | |
| CN116719868A (en) | Network asset identification method, device and equipment | |
| CN112953932A (en) | Identity authentication gateway integration design method and system based on CA certificate | |
| CN102045310B (en) | Industrial Internet intrusion detection as well as defense method and device | |
| CN112001704A (en) | A smart construction site management platform for ministerial and provincial transportation construction based on micro-service architecture | |
| CN102137102B (en) | Realizing method of service supporting platform for supporting multiclass information publishing modes | |
| CN114070830A (en) | Internet agent single-arm deployment architecture and internet agent remote deployment system | |
| EP2472785B1 (en) | Service linkage control system and method | |
| CN102523236A (en) | Method and equipment for establishing dynamic connection | |
| CN110198294A (en) | Security attack detection method and device | |
| CN111343193B (en) | Cloud network port security protection method and device, electronic equipment and storage medium | |
| CN115460004A (en) | Network access method and system | |
| KR101047152B1 (en) | Data Driven Traffic Management System and Traffic Management Method | |
| CN113055427A (en) | Service-based server cluster access method and device | |
| CN111274284A (en) | Data exchange system and method | |
| CN112787947A (en) | Network service processing method, system and gateway equipment | |
| CN115065971B (en) | A method for preventing users from privately connecting to a router to access the Internet in a local area network | |
| WO2025008846A1 (en) | System and method for providing nrf support in a network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |