An intranet penetration system
By combining low-configuration cloud hosts and high-configuration LAN computers in the intranet penetration system, and using a one-to-one mapping between proxy services and internal services, the problems of high cost and complex operation of obtaining public IP addresses are solved, and a low-cost, high-performance intranet penetration service is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA NANHU ACAD OF ELECTRONICS & INFORMATION TECH
- Filing Date
- 2023-03-07
- Publication Date
- 2026-07-03
AI Technical Summary
Existing intranet penetration technologies suffer from high costs in obtaining public IP addresses, limited resources, and complex and user-unfriendly operation.
The solution combines low-configuration cloud servers with high-configuration computers within the local area network. By mapping proxy services and internal services one-to-one, the low-configuration cloud servers forward traffic while the high-configuration computers provide computing and storage services, simplifying the intranet penetration operation.
It effectively controls the cost of obtaining public IP addresses, provides powerful computing and storage services, simplifies intranet penetration operations, and reduces configuration complexity and cost.
Smart Images

Figure CN116436891B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of intranet penetration technology, and specifically relates to an intranet penetration system. Background Technology
[0002] Most computers are used within a local area network (LAN), where IP addresses are internal network IPs. Therefore, internal services within a LAN can only be accessed by computers on the same LAN. To make these internal services available to other internet users, a public IP address and corresponding computing resources are required. Currently, there are two ways to obtain a public IP address:
[0003] The first method is to purchase a public IP address from a telecom operator. This method allows you to directly provide services to internet users, but purchasing a public IP address is expensive.
[0004] The second option is to purchase a cloud server. Cloud servers typically come with a public IP address. Low-configuration cloud servers are relatively inexpensive, but due to their low configuration, their computing and storage capabilities are severely limited, making it almost impossible to run tasks that consume significant computing power and storage. On the other hand, high-performance cloud servers are very expensive.
[0005] When providing internal services to internet users, in addition to configuring a public IP address, an intranet penetration client needs to be installed on the intranet server. When a user terminal requests access to an intranet user terminal via a public IP address, the request is sent to the intranet penetration server. The intranet penetration server receives the request, uses network address translation (NAT) technology, and forwards it to the intranet penetration client. The intranet penetration client then maps its own port to a virtual private network (VPN) port using its local NAT. The intranet user terminal then accesses intranet services across local area networks (LANs) through the VPN port.
[0006] However, the above access process requires creating an address mapping table in the intranet penetration server to record the intranet source address, mapped address, and external host address. The external host sends data packets to the intranet server, and these packets contain the external host source address and the intranet host destination address. This approach has several drawbacks:
[0007] 1) If address mapping is used, address mapping configuration is required. If a new intranet service is added, address mapping configuration needs to be added.
[0008] 2) The transmission protocol contains the source address of the external host and the destination address of the internal host. The protocol contains information about the message, but it is not transparent to the message itself and has redundancy and complexity.
[0009] 3) The port number allocation of the intranet penetration client is not user-friendly.
[0010] Therefore, in the current process of providing access to internal services to Internet users, there are not only problems such as high cost or limited resources for obtaining public IP addresses, but also problems such as complex, redundant and unfriendly internal network penetration operations. Summary of the Invention
[0011] The purpose of this invention is to provide an intranet penetration system that provides strong computing and storage services to the outside world while controlling costs, and simplifies the intranet penetration operation.
[0012] An intranet penetration system includes a client and a server. The client runs on a computer within a local area network (LAN), and the server runs on a cloud host.
[0013] Each client corresponds to an internal service on the local area network. The client is used to initiate a connection request to the server when the internal service it is connected to needs to be traversed.
[0014] The server is used to receive connection requests sent by the client, establish a tunnel with the client, and start a proxy service for the internal service corresponding to the client. The proxy service receives access requests from Internet users and forwards them to the internal service on the local area network through the server and the client.
[0015] To achieve the above objectives, the technical solution adopted by the present invention is as follows:
[0016] Several alternative methods are provided below, but they are not intended as additional limitations on the overall solution above. They are merely further additions or optimizations. Provided there are no technical or logical contradictions, each alternative method can be combined individually with respect to the overall solution above, or multiple alternative methods can be combined with each other.
[0017] Preferably, the server provides a tunneling service, which receives TCP connection requests initiated by the client and creates a TCP tunnel between the server and the client.
[0018] Preferably, the connection request initiated by the client includes: the address of the internal service corresponding to the client and the internal service identifier of the internal service.
[0019] Preferably, the server and client communicate via a tunnel, and the message protocol in the communication includes: a message type field, a message length field, and an encrypted message content field.
[0020] Preferably, the message type in the message type field is connection establishment, connection disconnection, or message transmission.
[0021] Preferably, the message content in the encrypted message content field includes an index field and a message field. The index field points to the connection between the client and the internal service or the connection between the proxy service and the Internet user, and the message field is the original message exchanged between the server and the client.
[0022] Preferably, the server initiates a proxy service for the internal service corresponding to the client, including:
[0023] Parse and obtain the internal service identifier from the connection request;
[0024] Port numbers are assigned based on internal service identifiers;
[0025] The assigned port number is used to provide proxy services to Internet users.
[0026] Preferably, the server initializes a pool of available ports when it starts up, and the server allocates port numbers based on the port pool.
[0027] Preferably, the process of allocating port numbers based on internal service identifiers includes:
[0028] The last used port number is retrieved based on the internal service identifier. If the retrieval is successful, the port number is assigned and the process ends. If the retrieval fails, execution continues.
[0029] Randomly obtain an unused port number. If the acquisition is successful, assign the port number and record the correspondence between the internal service identifier and the port number. If the acquisition fails, continue execution.
[0030] Retrieve the port number with the longest idle time. If successful, assign the port number, delete the historical mapping of the port number, and re-record the mapping between the internal service identifier and the port number. If the retrieval fails, issue an alarm.
[0031] Preferably, the idle time is the difference between the current time and the last time the service was allocated.
[0032] This invention provides an intranet penetration system that employs a one-to-one mapping scheme between proxy services and internal services. The cloud host receives and forwards access requests through the proxy service, thus requiring only a low-configuration cloud host and effectively controlling the cost of obtaining public IP addresses. Furthermore, the actual computing and storage services are provided by the client. Combined with high-performance computers within the local area network, this ensures strong computing and storage services are provided externally, offering a low-cost, high-performance service solution. When an internal service needs to penetrate, the client is activated, initiating a connection request to the server, simplifying the intranet penetration operation and facilitating the addition of new internal services. Attached Figure Description
[0033] Figure 1This is a schematic diagram of the structure of an intranet penetration system according to the present invention;
[0034] Figure 2 This is a schematic diagram of the message protocol structure of the present invention;
[0035] Figure 3 This is a flowchart illustrating the port number allocation process of the present invention. Detailed Implementation
[0036] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0037] Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to limit the invention.
[0038] To overcome the shortcomings of existing intranet penetration technologies, this invention combines low-configuration cloud hosts with high-configuration computers within a local area network. The low-configuration cloud hosts forward traffic, while the high-configuration computers truly provide computing and storage services.
[0039] like Figure 1 As shown, the intranet penetration system in this embodiment includes a client and a server. The client runs on a computer within a local area network, and the server runs on a cloud host.
[0040] It should be noted that there can be one or more clients interacting with the same server, or multiple clients (e.g., ...). Figure 1 Client 1, Client 2, and Client 3 can run on the same or different computers, and multiple clients can also be located on the same or different local area networks.
[0041] For the client, each client corresponds to an internal service on the local area network. The client initiates a connection request to the server when the internal service it is connected to needs to be traversed.
[0042] In this embodiment, the client is configured to be in a closed state when its corresponding internal service does not require penetration. When the corresponding internal service requires penetration, the client is started. When the client starts, it specifies the address of the server, the address of the internal service, and the internal service identifier. Based on the server's address, it initiates a connection request to the corresponding server. The connection request includes: the address of the client's corresponding internal service and the internal service identifier of that internal service.
[0043] To improve connection reusability, the connection request initiated by the client is a TCP connection request, and a TCP tunnel is established between the client and the server. After the TCP tunnel is successfully established, messages are transmitted through the TCP tunnel.
[0044] From the server's perspective, the server provides a tunneling service, which receives TCP connection requests initiated by the client and creates a TCP tunnel between the server and the client. Therefore, all interactions between the server and the client are conducted through the tunneling service.
[0045] The TCP tunnel creation process in this embodiment is existing technology and will not be described in detail here.
[0046] After receiving a connection request from a client, the server establishes a tunnel with the client and, upon successful tunnel establishment, starts a proxy service for the internal service corresponding to that client. In this embodiment, each proxy service corresponds one-to-one with an internal service; the proxy service is a mapping to an internal service. It receives access requests from internet users, forwards them to the client via the tunnel service, and then the client forwards them to the internal service on the local area network, thus achieving intranet penetration.
[0047] The connection between the proxy service and the internet user is one-to-one with the connection initiated by the client to the internal service. When the corresponding connection is interrupted, the corresponding connection will also be interrupted. In addition, when the tunnel is broken, the tunnel service will shut down the corresponding proxy service and disconnect all related connections to release resources.
[0048] The disconnection of the tunnel and the connection do not necessarily occur in a sequential manner. Both the client and the internet user may experience active or passive disconnection. When one end disconnects, the connection on the other end will also be disconnected accordingly. If the tunnel is accidentally disconnected, all connections will be disconnected. If the client is closed, both the tunnel and all connections will be disconnected.
[0049] like Figure 1 In the process, the tunnel service starts the proxy service 1 corresponding to the internal service 1. When the proxy service 1 is accessed by multiple Internet users (represented by the symbol C in the diagram), connection 1, connection 2 and connection 3 are established between different Internet users and the proxy service 1. Correspondingly, client 1 will initiate the corresponding connection 1, connection 2 and connection 3 to the internal service 1, thereby ensuring the correct transmission of Internet user access requests.
[0050] To ensure a one-to-one correspondence between the independent TCP connections at both ends of the tunnel, the proxy service and the client need to control the connections to ensure effective message exchange between the server and client through the tunnel. Therefore, the tunnel needs to send control information to both ends while forwarding messages. This embodiment designs a message protocol for the interaction as follows: Figure 2 As shown.
[0051] Message type field: type(uint8) One byte for the message type. In this embodiment, there are three message types: connection establishment, connection termination, and message transmission. Connection establishment is usually sent by the client to the server, requesting the server to establish a tunnel connection; connection termination can be sent by the client to the server or by the server to the client. Upon receiving a connection termination message, the server will actively terminate the tunnel connection; message transmission is the regular message passing, implemented on the tunnel connection.
[0052] Message length field: length(uint16) two bytes, representing the length of the encrypted message content field, which is used for parsing during reception.
[0053] Encrypted message content fields: The message content includes an index field and a message field.
[0054] Index field: index(uint16) Two bytes, representing the connection index, pointing to the connection between the client and the internal service or the connection between the proxy service and the internet user. After receiving the message, the tunnel finds the corresponding connection based on the index and forwards it. Message field: data(byte[]) A byte stream of a specific length, representing the original message exchanged between the server and the client. It is sent by the connection on one side of the tunnel and forwarded to its corresponding connection after passing through the tunnel.
[0055] by Figure 1 For example, after an internet user establishes connection 1 with proxy service 1, the internet user sends an access request to proxy service 1. The tunnel service receives this access request as the original message and writes "1" to the index field to indicate that the access request comes from the internet request corresponding to connection 1. It also writes the message type field and message length field, encrypts the message to obtain the encrypted message content field, and sends the message to client 1 through tunnel 1. Client 1 parses and decrypts the message to obtain the index field and message field. Based on the index field, it sends the original message to internal service 1 through connection 1, completing one message transmission. The process of internal service transmitting messages to internet user is similar to the process of internet user transmitting messages to internal service, and will not be described in detail in this embodiment.
[0056] This embodiment demonstrates secure message transmission by encrypting messages while they are passing through a tunnel and decrypting them upon receipt within the tunnel. This embodiment allows the use of custom domain names and custom encryption methods; no restrictions are imposed.
[0057] The essence of starting a proxy service on the server side is to allocate a corresponding port number, provide the port to the outside world for internet users to access, and forward access requests input by internet users through the port. To address the problem of unfriendly port number allocation in existing technologies, this embodiment provides a proxy service startup method as follows: parsing and obtaining the internal service identifier from the connection request; allocating a port number based on the internal service identifier; and using the allocated port number to provide proxy services to internet users.
[0058] To avoid providing invalid ports to internet users, the server-side tunnel service initializes its optional port pool upon startup. After a client initiates a connection request, a port number needs to be assigned to the proxy service to be started based on the port pool, and this port number is used to provide services to internet users. The restriction on this port number is that it must not be already in use; ideally, the same internal service should use the same port number externally.
[0059] like Figure 3 As shown, the port number allocation principle in this embodiment is as follows:
[0060] The last used port number is retrieved based on the internal service identifier. If the retrieval is successful, the port number is assigned and the process ends. If the retrieval fails, execution continues.
[0061] Randomly obtain an unused port number from the port pool. If the acquisition is successful, assign the port number and record the correspondence between the internal service identifier and the port number. If the acquisition fails (i.e., there is no unused port number), continue execution.
[0062] Retrieve the port number with the longest idle time. If successful, assign the port number, delete the historical mapping of the port number, and re-record the mapping between the internal service identifier and the port number. If the retrieval fails, issue an alarm.
[0063] To avoid frequent changes in port numbers for the same service, which could degrade the user experience, this embodiment prioritizes previously used port numbers when allocating them, followed by those never used, and finally those that have not been used for a long time. Therefore, the idle time in this embodiment is the difference between the current time and the last time the service was allocated and ended.
[0064] The port number allocation method in this embodiment has the following advantages:
[0065] Clients use the same internal service identifier to represent the same internal service, and the port number for the external proxy service remains largely unchanged. This design ensures that the access port remains consistent for internet users. Before the tunnel service port pool is fully utilized, the internal service with the new internal service identifier will always use the new proxy service port number. Even if the tunnel service port pool has been used up, a port number that has not been used for a long time will be selected as the port for the external proxy service to minimize disruption to user habits.
[0066] The intranet penetration system of this invention is simple to configure, uses a simple protocol, and is low in cost. The configuration mainly consists of configuring the server and configuring the client. The server only needs to be configured once and does not require any other additional maintenance tasks.
[0067] The steps to configure the server are as follows:
[0068] 1) Assign a specific range of ports allowed by the firewall to the cloud host.
[0069] 2) Start the server and specify the port pool range.
[0070] The steps to configure the client are as follows:
[0071] 1) When a local area network service needs to be traversed, start the client and specify the address of the server, the address of the internal service, and the internal service identifier.
[0072] 2) If the proxy service starts successfully, the corresponding proxy service address and port will be printed out on the client.
[0073] To add LAN service penetration using this invention, simply configure and start a new client following the steps described above. To start LAN service penetration, simply start the corresponding client; to stop LAN service penetration, simply close the corresponding client. The server flexibly starts and stops external services based on client connection status, providing a degree of flexibility and ensuring that the cloud host always provides services to the outside world at maximum performance.
[0074] This invention employs a one-to-one mapping scheme between proxy services and internal services. The protocol only records connection information, remaining completely transparent to the original packets. The protocol is simple and has virtually no performance overhead. Port numbers are assigned by the server; because the server records the available port numbers, the successful startup of the corresponding proxy service is guaranteed. Furthermore, internal service identifiers and historical records are used to ensure that the same internal service uses the same port number, which is more user-friendly for external internet users.
[0075] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
[0076] The embodiments described above are merely illustrative of several implementations of the present invention, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of the invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of the present invention, and these modifications and improvements all fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the appended claims.
Claims
1. An intranet penetration system, characterized in that, The intranet penetration system includes a client and a server. The client runs on a computer within a local area network, and the server runs on a cloud host. Each client corresponds to an internal service on the local area network. The client is used to initiate a connection request to the server when the internal service it is connected to needs to be traversed. The server is used to receive connection requests sent by the client, establish a tunnel with the client, and start a proxy service for the internal service corresponding to the client. The proxy service receives access requests from Internet users and forwards them to the internal service of the local area network through the server and the client. The server, by initiating a proxy service for the internal service corresponding to the client, includes: parsing and obtaining the internal service identifier from the connection request; allocating a port number based on the internal service identifier; and providing a proxy service to the internet user using the allocated port number. The step of allocating the port number based on the internal service identifier includes: The last used port number is retrieved based on the internal service identifier. If the retrieval is successful, the port number is assigned and the process ends. If the retrieval fails, execution continues. Randomly obtain an unused port number. If the acquisition is successful, assign the port number and record the correspondence between the internal service identifier and the port number. If the acquisition fails, continue execution. Retrieve the port number with the longest idle time. If successful, assign the port number, delete the historical mapping of the port number, and re-record the mapping between the internal service identifier and the port number. If the retrieval fails, issue an alarm.
2. The intranet penetration system as described in claim 1, characterized in that, The server provides a tunneling service, which receives TCP connection requests initiated by the client and creates a TCP tunnel between the server and the client.
3. The intranet penetration system as described in claim 1, characterized in that, The connection request initiated by the client includes: the address of the internal service corresponding to the client and the internal service identifier of the internal service.
4. The intranet penetration system as described in claim 1, characterized in that, The server and client communicate via a tunnel, and the message protocol in the communication includes: message type field, message length field, and encrypted message content field.
5. The intranet penetration system as described in claim 4, characterized in that, The message type field indicates whether the message type is connection established, connection disconnected, or message transmitted.
6. The intranet penetration system as described in claim 4, characterized in that, The encrypted message content field includes an index field and a message field. The index field points to the connection between the client and the internal service or the connection between the proxy service and the Internet user. The message field is the original message exchanged between the server and the client.
7. The intranet penetration system as described in claim 1, characterized in that, When the server starts, it initializes a pool of available ports and allocates port numbers based on the port pool.
8. The intranet penetration system as described in claim 1, characterized in that, The idle time is the difference between the current time and the last time the service was allocated and ended.