Communication method and apparatus
By using SSL VPN tunnels and global application address ranges in the SDP zero-trust network, the authentication failure issue caused by administrators' failure to configure user authorization relationships in a timely manner was resolved, enabling users to access resources even without configuration.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NEW H3C NETWORK INFORMATION SECURITY SOFTWARE CO LTD
- Filing Date
- 2023-07-28
- Publication Date
- 2026-06-05
AI Technical Summary
In an SDP zero-trust network, if the administrator fails to configure the authorization relationship between users and resources in the SDP controller within a short period of time, the SDP gateway will be unable to authenticate users, and users will be unable to obtain resource content.
The system receives client service messages through an SSL VPN tunnel, checks if there is a matching entry in the application access permission table, and if not, determines whether the destination address belongs to the address range of the global application and sends a resource access request within that range.
Even without configuring specific authorization relationships, the gateway can still successfully authenticate and forward business messages to the resource server corresponding to the global application, thus solving the problem of users being unable to obtain resource content.
Smart Images

Figure CN117040965B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of communication technology, and in particular to a communication method and apparatus. Background Technology
[0002] With the rise of internet technologies such as cloud computing, the Internet of Things, and mobile office, enterprise resources are no longer confined to the internal network. The need for employees to access the enterprise intranet anytime, anywhere is becoming increasingly common. Traditional network protection boundaries are becoming increasingly blurred, and security measures based on network boundaries are finding it increasingly difficult to meet these needs.
[0003] To overcome these challenges, Software Defined Perimeter (SDP) zero-trust technology emerged. The core idea of SDP zero-trust technology is to distrust no person, network device, or network system, and to continuously and dynamically authenticate and grant least privileges to all users accessing restricted resources.
[0004] SDP zero-trust functionality refers to network devices acting as SDP gateways and working in conjunction with SDP controllers to authenticate and authorize users accessing specified resources. This enables centralized control over user identity and access permissions, preventing unauthorized users from obtaining network resources.
[0005] After successfully authenticating a user, the SDP controller sends back the IP address of each SDP gateway corresponding to all authorized resources of that user to the SDP client. The SDP client then establishes a Secure Sockets Layer (SSL) Virtual Private Network (VPN) tunnel with each SDP gateway, allowing the SDP client to access network resources protected by each SDP gateway.
[0006] In a real-world networking environment, with a large number of users, user groups, and resource servers present, administrators cannot quickly determine which users and user groups have access to which resources and applications. When user terminals connect to the zero-trust network and attempt to access resources using the existing process, the SDP gateway cannot authenticate users and user groups because administrators have not configured the authorization relationships between users, user groups, and resources on the SDP controller. This results in users being unable to access resource content. Summary of the Invention
[0007] In view of this, this application provides a communication method and apparatus to solve the problem that users are unable to obtain resource content when the administrator fails to configure the authorization relationship between users and resources to the SDP controller in a short period of time.
[0008] In a first aspect, this application provides a communication method applied to a gateway, wherein the gateway has established an SSL VPN tunnel with a client, the method comprising:
[0009] The SSL VPN tunnel is used to receive service messages sent by the client, including resource access request messages, which include a destination address.
[0010] Based on the destination address, check in the application access permission table whether there is an entry for a first application that matches the destination address;
[0011] If no entry for the first application that matches the destination address exists, then determine whether the destination address belongs to the address range of the global application.
[0012] If the destination address belongs to the address range of the global application, then a resource access request is sent to the resource server corresponding to the global application.
[0013] Secondly, this application provides a communication device applied to a gateway, wherein the gateway has established an SSL VPN tunnel with a client, and the device includes:
[0014] The receiving unit is configured to receive service messages sent by the client through the SSL VPN tunnel, the service messages including resource access request messages, the resource access request messages including a destination address;
[0015] The lookup unit is used to search, based on the destination address, whether there is an entry in the application access permission table that matches the destination address;
[0016] The determination unit is used to determine whether the destination address belongs to the address range of the global application if there is no table entry of the first application that matches the destination address.
[0017] The sending unit is configured to send a resource access request to the resource server corresponding to the global application if the destination address belongs to the address range of the global application.
[0018] Thirdly, this application provides a network device including a processor and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, which in turn cause the processor to perform the method provided in the first aspect of this application.
[0019] Therefore, using the communication method and apparatus provided in this application, through an SSL VPN tunnel, the gateway receives a service message sent by the client. This service message includes a resource access request message, which includes a destination address. Based on the destination address, the gateway searches the application access permission table for an entry of a first application that matches the destination address. If no entry of a first application that matches the destination address exists, the gateway determines whether the destination address belongs to the address range of a global application. If the destination address belongs to the address range of a global application, the gateway sends a resource access request to the resource server corresponding to the global application.
[0020] Thus, even in scenarios where no application entry matches the destination address, if the destination address belongs to the address range of the global application, the gateway will still determine that authentication was successful and forward the service message to the resource server corresponding to the global application. This solves the problem that in scenarios where administrators have not configured user-authorized resources to be open to the SDP controller for a short period of time, the SDP gateway cannot authenticate service messages sent by the client, resulting in users being unable to obtain resource content. Attached Figure Description
[0021] Figure 1 A flowchart illustrating the communication method provided in the embodiments of this application;
[0022] Figure 2 A signaling diagram of a service processing flow provided in an embodiment of this application;
[0023] Figure 3 Signaling diagram of another service processing flow provided in the embodiments of this application;
[0024] Figure 4 A structural diagram of a communication device provided in an embodiment of this application;
[0025] Figure 5 The network device hardware structure provided in the embodiments of this application. Detailed Implementation
[0026] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numerals in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.
[0027] The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The singular forms “a,” “the,” and “the” used in this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to and includes any or all possible combinations of one or more of the corresponding listed items.
[0028] It should be understood that although the terms first, second, third, etc., may be used in this application to describe various information, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this application, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when," "when," or "in response to determination."
[0029] The communication method provided in the embodiments of this application will be described in detail below. See also... Figure 1 , Figure 1 A flowchart illustrating a communication method provided in an embodiment of this application. This method is applied to a network device and may include the following steps.
[0030] Step 110: Receive service messages sent by the client through the SSL VPN tunnel. The service messages include resource access request messages, and the resource access request messages include a destination address.
[0031] Specifically, the gateway has established an SSL VPN tunnel with the client. When a user wants to access network resources, the client generates a resource access request message, which includes the destination address. After generating the resource access request message, the client encapsulates the SSL VPN tunnel header on the outer layer of the resource access request message. This tunnel header includes the source address and destination address of the SSL VPN tunnel, and the client then obtains the service message.
[0032] Through an SSL VPN tunnel, the client sends a service message to the gateway. This service message includes a resource access request message. The gateway receives the service message.
[0033] Step 120: Based on the destination address, search the application access permission table to see if there is an entry for a first application that matches the destination address;
[0034] Specifically, according to the description in step 110, after receiving the service message, the gateway first decapsulates the service message, stripping off the tunnel header to obtain the resource access request message. Then, the gateway obtains the destination address from the resource access request message.
[0035] Based on the destination address, the gateway looks up the local application access permission table. The application access permission table includes at least one entry, and each entry includes an application identifier and the address corresponding to that application identifier. The application identifier indicates an application that the controller has authorized to access after authenticating the user corresponding to the client's terminal; at the same time, this application is under the protection of the gateway.
[0036] The gateway checks if there is an entry in the application access permission table that matches the destination address for the first application. If there is no entry in the application access permission table that matches the destination address for the first application, the gateway proceeds to step 130.
[0037] Optionally, if there is an entry in the application access permission table that matches the destination address for the first application, the gateway forwards the resource access request message to the resource server corresponding to the first application.
[0038] It should be noted that in subsequent embodiments, the process of the controller authenticating the user corresponding to the terminal where the client is located and the process of the controller authorizing the user to access resources will be described, and will not be repeated here.
[0039] Step 130: If there is no entry in the table of the first application that matches the destination address, then determine whether the destination address belongs to the address range of the global application.
[0040] Specifically, according to the description of step 120, if there is no entry for the first application that matches the destination address in the application access permission table, the gateway continues to determine whether the destination address belongs to the address range of the global application.
[0041] If the destination address belongs to the address range of the global application, the gateway executes step 140.
[0042] Optionally, if the destination address does not belong to the address range of the global application, the resource access request is discarded.
[0043] It should be noted that the gateway first establishes a global application locally based on the notification message sent by the controller. The process of the gateway establishing a global application will be described in subsequent embodiments and will not be repeated here.
[0044] Step 140: If the destination address belongs to the address range of the global application, then send a resource access request to the resource server corresponding to the global application.
[0045] Specifically, according to the description in step 130, if the destination address belongs to the address range of the global application, the gateway sends a resource access request to the resource server corresponding to the global application. There is at least one resource server corresponding to the global application, and the gateway can send a resource access request to each resource server. If the resource server can process the resource access request, it processes it accordingly and sends a resource access response to the gateway; otherwise, the resource server discards the resource access request.
[0046] In this embodiment, the global application refers to a temporarily accessible resource authorized by the controller for users. It is used to temporarily open resources within a certain range to prevent users from being unable to access resource content when the administrator has not configured the authorization relationship between users and resources for a short period of time. In this embodiment, the temporarily accessible resource is a non-critical resource with low security performance; the short period can specifically be 1 day, 2 days, etc.
[0047] Therefore, using the communication method provided in this application, through an SSL VPN tunnel, the gateway receives a service message sent by the client. This service message includes a resource access request message, which includes a destination address. Based on the destination address, the gateway searches the application access permission table for an entry of a first application that matches the destination address. If no entry of a first application that matches the destination address exists, the gateway determines whether the destination address belongs to the address range of the global application. If the destination address belongs to the address range of the global application, the gateway sends a resource access request to the resource server corresponding to the global application.
[0048] Thus, even in scenarios where no application entry matches the destination address, if the destination address belongs to the address range of the global application, the gateway will still determine that authentication was successful and forward the service message to the resource server corresponding to the global application. This solves the problem that in scenarios where administrators have not configured user-authorized resources to be open to the SDP controller for a short period of time, the SDP gateway cannot authenticate service messages sent by the client, resulting in users being unable to obtain resource content.
[0049] Optionally, in this embodiment of the application, the process of the gateway receiving a notification message sent by the controller and establishing a global application is also included.
[0050] Specifically, the administrator inputs a configuration command to the controller, which includes a global resource address range. Upon receiving the configuration command, the controller retrieves the global resource address range from it. The controller then generates a notification message, which also includes the global resource address range. Finally, the controller sends the notification message to the gateway.
[0051] After receiving the notification message, the gateway retrieves the global resource address range from it. The gateway stores the global resource address range locally and uses it to create a global application locally.
[0052] Optionally, in this embodiment of the application, the process of the gateway sending routing information to the client is also included.
[0053] Specifically, after establishing a communication connection with the gateway, the client generates a handshake request and sends it to the gateway. Upon receiving the handshake request, the gateway sends a handshake response to the client based on the request. This handshake response includes routing information, which includes the address range of the global application, the application address authorized by the controller, and next-hop information. The next-hop information indicates the SSL VPN tunnel port of the SDP gateway (specifically, the AC port).
[0054] After receiving the handshake response, the client retrieves the global application's address range, the application address authorized by the controller, and the next-hop information. The client generates a resource access route locally, which includes a destination address field and a next-hop field. The destination address field stores the global application's address range and the application address authorized by the controller; the next-hop field stores the gateway's SSL VPN tunnel port.
[0055] It should be noted that the aforementioned notification messages and handshake responses are all messages exchanged between the gateway, controller, and client after the existing client accesses the zero-trust network. In this embodiment, based on the existing messages, the notification message carries a global resource address range, and the handshake response carries a global application address range, so that the gateway can create a global application locally, and the client can generate a route to the global application locally.
[0056] The communication method has been briefly described in the above embodiments. The communication method provided in the embodiments of this application will now be described in detail. See also... Figure 2 as well as Figure 3 , Figure 2 A signaling diagram of a service processing flow provided in an embodiment of this application; Figure 3 Signaling diagram for another service processing flow provided in an embodiment of this application.
[0057] exist Figure 2In this zero-trust network, an SDP controller, multiple SDP gateways, and multiple terminals are included, each terminal being configured with an SDP client. This embodiment uses one SDP gateway and one SDP client as an example. After the SDP controller and SDP gateways are connected to the zero-trust network, the administrator inputs configuration instructions to the SDP controller. These instructions include a global resource address range (e.g., 10.0.0.1-10.0.255.255) and application attribute information protected by each SDP gateway. The application attribute information may specifically include the application name, address, etc.
[0058] After receiving the configuration command, the SDP controller stores the global resource address range and the application attribute information protected by each SDP gateway locally.
[0059] The SDP gateway initiates the registration process and sends a registration message to the SDP controller. Based on the registration message, the SDP controller registers the SDP gateway locally. Upon successful local registration, the SDP controller sends a registration success message to the SDP gateway. Simultaneously, the SDP controller retrieves the global resource address range and application attribute information for all applications protected by the SDP gateway from its local storage. The SDP controller generates a notification message, which includes the global resource address range and application attribute information. The SDP controller then sends this notification message to the SDP gateway.
[0060] After receiving the notification message, the SDP gateway retrieves the global resource address range and application attribute information. The SDP gateway stores the global resource address range locally and uses it to create a global application locally.
[0061] Furthermore, the SDP controller treats the global resource address range as an application and sends it to the SDP gateway via a notification message. This notification message also includes the application name, application identifier, application type, and service list. The service list includes the protocol type, subnet, and port. See the example below:
[0062]
[0063]
[0064] The application name is fixed as "default", "AccessType" is 4 to indicate a global application, and "Protocol" is 5 to reuse existing protocols, indicating that it matches all protocol types. After receiving the notification message, the SDP gateway creates the corresponding global application locally according to the message content.
[0065] The SDP gateway stores the application attribute information of all applications it protects locally and uses this information to create an application attribute table locally. The application attribute table includes information such as the application name and address of each application protected by the SDP gateway.
[0066] After the terminal connects to the zero-trust network, the SDP client configured within the terminal initiates the authentication process. The SDP client sends an SPA message and a login request to the SDP controller. The SDP controller authenticates the user corresponding to the terminal. After successful authentication, the SDP controller authorizes the user to access resources (which can be some or all of the applications protected by each SDP gateway), assigns an IP address to the SDP client, a user token, etc.
[0067] The SDP controller sends a notification message to the SDP gateway again. This message includes the user's online event, username, user token, terminal identifier, IP address assigned to the SDP client, and a list of accessible applications. Simultaneously, the SDP controller sends a login response to the SDP client, notifying it of successful login. The login response also includes the user token, information about the SDP gateways accessible to the SDP client, and a list of corresponding resources. The accessible gateway information includes the address of the SDP gateway.
[0068] After receiving the notification message, the SDP gateway establishes and maintains an application access permission table locally. This table records the relationship between each online user and the resources authorized for them by the SDP controller. The table includes information about accessible applications, such as the application name and address. It also includes user-side information, such as the user token, terminal identifier, and the IP address of the SDP client.
[0069] Of course, if the risk associated with a user changes, the controller can adjust the resource permissions granted to that user and send a notification message to the SDP gateway again. This notification message includes the user token and the list of accessible applications after the permission adjustment. Upon receiving the notification message, the SDP gateway updates its local application access permission table.
[0070] If a user no longer accesses network resources, the SDP client sends an offline request to the SDP controller. Upon receiving the offline request, the SDP controller logs the SDP client offline. The SDP controller then sends a notification message to the SDP gateway, which includes the user token and offline information.
[0071] Upon receiving the notification message, the SDP gateway retrieves and deletes the corresponding entry from the application access permission table based on the user token. Simultaneously, the SDP gateway disconnects the established SSL VPN tunnel with the SDP client.
[0072] exist Figure 3 In the process, after receiving the login response sent by the SDP controller, the SDP client obtains the user token, accessible gateway information, and the corresponding resource list from it.
[0073] Based on the accessible gateway information, the SDP client generates and sends an SPA message to the SDP gateway. This SPA message is used to establish a communication connection with the SDP gateway, such as a TCP connection. After establishing a communication connection with the SDP gateway, the SDP client generates a handshake request and sends it to the SDP gateway.
[0074] Upon receiving the handshake request, the SDP gateway sends a handshake response to the SDP client. This response includes the IP address assigned to the SDP client by the SDP controller and routing information. It is understood that the handshake response may also include DNS information. This routing information includes the address range of the global application, the application addresses authorized by the SDP controller, and next-hop information, where the next-hop information indicates the SDP gateway's SSL VPN tunnel interface.
[0075] After receiving the handshake response, the SDP client obtains the IP address and routing information. Using the IP address, the SDP client establishes an SSL VPN tunnel with the SDP gateway. Simultaneously, the SDP client creates a virtual network interface card (NIC) locally and configures the IP address as the NIC's network address. The SDP client obtains the global application's address range, the application addresses authorized by the SDP controller, and the next-hop information from the routing information. The SDP client generates a resource access route locally, which includes a destination address field and a next-hop field. The destination address field stores the global application's address range and the application addresses authorized by the SDP controller; the next-hop field stores the SDP gateway's SSL VPN tunnel interface.
[0076] When a user wants to access network resources through an SDP client, the SDP client generates a resource access request message, which includes the destination address. After generating the resource access request message, the SDP client encapsulates the tunnel header of an SSL VPN tunnel on the outer layer of the resource access request message to obtain the first service message.
[0077] Through the SSL VPN tunnel, the SDP client sends its first service message to the SDP gateway. This first service message includes a resource access request message. The SDP gateway receives the first service message.
[0078] After receiving the first service packet, the SDP gateway first decapsulates it, stripping the tunnel header to obtain the resource access request packet. Then, the SDP gateway obtains the destination address from the resource access request packet. Based on the destination address, the SDP gateway checks its local application access permission table to see if there is an entry for the first application that matches the destination address.
[0079] If an entry for the first application matching the destination address exists in the application access permission table, the SDP gateway forwards the resource access request message to the resource server corresponding to the first application. If no entry for the first application matching the destination address exists in the application access permission table, the SDP gateway continues to determine whether the destination address belongs to the address range of the global application.
[0080] If the destination address does not belong to the address range of the global application, SDP will discard the resource access request.
[0081] If the destination address belongs to the address range of the global application, the SDP gateway sends a resource access request to the resource server corresponding to the global application.
[0082] After the SDP gateway sends a resource access request to the resource server, the resource server processes the request and generates and sends a resource access response message to the SDP gateway. Upon receiving the resource access response message, the SDP gateway encapsulates the tunnel header of the SSL VPN tunnel into the outer layer of the resource access response message to obtain the second service message.
[0083] The SDP gateway sends a second service message to the SDP client. Through this second service message, the SDP client receives a response to the resource access request.
[0084] Based on the same inventive concept, embodiments of this application also provide a communication device corresponding to the communication method. See also Figure 4 , Figure 4 The communication apparatus provided in this application embodiment is applied to a gateway, the gateway having established an SSLVPN tunnel with a client, and the apparatus includes:
[0085] The receiving unit 410 is configured to receive service messages sent by the client through the SSL VPN tunnel, the service messages including resource access request messages, the resource access request messages including destination addresses;
[0086] The lookup unit 420 is used to search, based on the destination address, whether there is an entry for a first application that matches the destination address in the application access permission table;
[0087] The judgment unit 430 is used to determine whether the destination address belongs to the address range of the global application if there is no table entry of the first application that matches the destination address.
[0088] The sending unit 440 is configured to send a resource access request to the resource server corresponding to the global application if the destination address belongs to the address range of the global application.
[0089] Optionally, the receiving unit 410 is further configured to receive a notification message sent by the controller, the notification message including a global resource address range;
[0090] The apparatus further includes: a creation unit (not shown in the figure), used to store the global resource address range locally and use the global resource address range to create the global application locally;
[0091] The global resource address range is configured within the controller by administrators through configuration commands.
[0092] Optionally, the receiving unit 410 is further configured to receive a handshake request sent by the client;
[0093] The sending unit 440 is further configured to send a handshake response to the client according to the handshake request. The handshake response includes routing information, which includes the address range of the global application, the application address authorized by the controller, and next-hop information, so that the client can generate a resource access route.
[0094] The next-hop information indicates the SSL VPN tunnel port of the gateway.
[0095] Optionally, the sending unit 440 is further configured to forward the resource access request message to the resource server corresponding to the first application if there is an entry for the first application that matches the destination address.
[0096] The first application is whereby the controller authenticates the user corresponding to the terminal where the client is located, and after the authentication is successful, it authorizes the user to access resources.
[0097] Optionally, the apparatus further includes a discarding unit (not shown in the figure), configured to discard the resource access request if the destination address does not belong to the address range of the global application.
[0098] Therefore, using the communication method and apparatus provided in this application, through an SSL VPN tunnel, the gateway receives a service message sent by the client. This service message includes a resource access request message, which includes a destination address. Based on the destination address, the gateway searches the application access permission table for an entry of a first application that matches the destination address. If no entry of a first application that matches the destination address exists, the gateway determines whether the destination address belongs to the address range of a global application. If the destination address belongs to the address range of a global application, the gateway sends a resource access request to the resource server corresponding to the global application.
[0099] Thus, even in scenarios where no application entry matches the destination address, if the destination address belongs to the address range of the global application, the gateway will still determine that authentication was successful and forward the service message to the resource server corresponding to the global application. This solves the problem that in scenarios where administrators have not configured user-authorized resources to be open to the SDP controller for a short period of time, the SDP gateway cannot authenticate service messages sent by the client, resulting in users being unable to obtain resource content.
[0100] Based on the same inventive concept, embodiments of this application also provide a network device, such as... Figure 5 As shown, the system includes a processor 510, a transceiver 520, and a machine-readable storage medium 530. The machine-readable storage medium 530 stores machine-executable instructions that can be executed by the processor 510. The processor 510 is prompted by the machine-executable instructions to execute the communication method provided in the embodiments of this application. (The foregoing...) Figure 4 The communication device shown can be used as follows: Figure 5 The hardware structure of the network device shown is implemented.
[0101] The aforementioned computer-readable storage medium 530 may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the computer-readable storage medium 530 may also be at least one storage device located remotely from the aforementioned processor 510.
[0102] The processor 510 mentioned above can be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it can also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
[0103] In this embodiment, the processor 510 reads the machine-executable instructions stored in the machine-readable storage medium 530, and is prompted by the machine-executable instructions to enable the processor 510 itself and the transceiver 520 to execute the communication method described in the foregoing embodiment.
[0104] In addition, this application provides a machine-readable storage medium 530 that stores machine-executable instructions. When called and executed by the processor 510, the machine-executable instructions cause the processor 510 itself and the transceiver 520 to execute the communication method described in the aforementioned application.
[0105] The specific implementation process of the functions and roles of each unit in the above device can be found in the implementation process of the corresponding steps in the above method, and will not be repeated here.
[0106] For the device embodiments, since they basically correspond to the method embodiments, the relevant parts can be referred to in the description of the method embodiments. The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this application according to actual needs. Those skilled in the art can understand and implement this without creative effort.
[0107] For the embodiments of communication devices and machine-readable storage media, since the methods involved are basically similar to those of the aforementioned method embodiments, the description is relatively simple, and relevant details can be found in the descriptions of the method embodiments.
[0108] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application.
Claims
1. A communication method, characterized in that, The method is applied to an SDP gateway, which has established an SSL VPN tunnel with the client. The method includes: The SSL VPN tunnel is used to receive service messages sent by the client, including resource access request messages, which include a destination address. Based on the destination address, check in the application access permission table whether there is an entry for a first application that matches the destination address; If no entry for the first application that matches the destination address exists, then determine whether the destination address belongs to the address range of the global application. If the destination address belongs to the address range of the global application, a resource access request is sent to the resource server corresponding to the global application.
2. The method according to claim 1, characterized in that, Before receiving the service message sent by the client through the SSL VPN tunnel, the method further includes: Receive a notification message sent by the controller, the notification message including the address range of the global application; The address range of the global application is stored locally, and the global application is created locally using the address range of the global application. The address range of the global application is configured within the controller by the administrator through configuration instructions.
3. The method according to claim 1, characterized in that, Before receiving the service message sent by the client through the SSL VPN tunnel, the method further includes: Receive the handshake request sent by the client; Based on the handshake request, a handshake response is sent to the client. The handshake response includes routing information, which includes the address range of the global application, the application address authorized by the controller, and the next-hop information, so that the client can generate a resource access route. The next-hop information indicates the SSL VPN tunnel port of the gateway.
4. The method according to claim 1, characterized in that, The method further includes: If an entry for a first application that matches the destination address exists, the resource access request message is forwarded to the resource server corresponding to the first application. The first application is whereby the controller authenticates the user corresponding to the terminal where the client is located, and after the authentication is successful, it authorizes the user to access resources.
5. The method according to claim 1, characterized in that, The method further includes: If the destination address does not belong to the address range of the global application, the resource access request is discarded.
6. A communication device, characterized in that, The device is used in an SDP gateway, which has established an SSL VPN tunnel with a client, and the device includes: The receiving unit is configured to receive service messages sent by the client through the SSL VPN tunnel, the service messages including resource access request messages, the resource access request messages including a destination address; The lookup unit is used to search, based on the destination address, whether there is an entry in the application access permission table that matches the destination address; The determination unit is used to determine whether the destination address belongs to the address range of the global application if there is no table entry of the first application that matches the destination address. The sending unit is configured to send a resource access request to the resource server corresponding to the global application if the destination address belongs to the address range of the global application.
7. The apparatus according to claim 6, characterized in that, The receiving unit is further configured to receive a notification message sent by the controller, the notification message including the address range of the global application; The apparatus further includes: a creation unit, configured to locally store the address range of the global application, and use the address range of the global application to create the global application locally; The address range of the global application is configured within the controller by the administrator through configuration instructions.
8. The apparatus according to claim 6, characterized in that, The receiving unit is also configured to receive a handshake request sent by the client; The sending unit is further configured to send a handshake response to the client according to the handshake request. The handshake response includes routing information, which includes the address range of the global application, the application address authorized by the controller, and next-hop information, so that the client can generate a resource access route. The next-hop information indicates the SSL VPN tunnel port of the gateway.
9. The apparatus according to claim 6, characterized in that, The sending unit is further configured to, if there is an entry for a first application that matches the destination address, forward the resource access request message to the resource server corresponding to the first application. The first application is whereby the controller authenticates the user corresponding to the terminal where the client is located, and after the authentication is successful, it authorizes the user to access resources.
10. The apparatus according to claim 6, characterized in that, The device further includes: The discarding unit is used to discard the resource access request if the destination address does not belong to the address range of the global application.