On a Secure Sockets Layer (SSL) virtual private network (VPN), a client can access an intranet by using a network extension function after logging in to SSL VPN. Therefore, the client may transmit packets of certain public services directly to the intranet, whereas it needs to transmit packets of certain protected services to the intranet over SSL VPN.
The network topology provided in the prior art is shown in FIG. 1. After the client logs in to SSL VPN, for a packet that does not need to be transmitted over SSL VPN (that is, a packet of a public service), the client sends it directly without adding a tunnel IP address or using a VPN tunnel. The source IP address of the packet is an external network IP address (for example, the external network IP address of the packet sent by Port B in FIG. 1 is 50.1.1.1). For a packet that needs to be transmitted over SSL VPN (that is, a packet of a protected service), the client software adds a tunnel IP address and then sends the packet over the VPN tunnel. In this case, the source IP address of the sent packet is also an external network IP address (for example, the external network IP address of the packet sent by Port A in FIG. 1 is 50.1.1.1). The firewall sends the packet to SSL VPN according to the tunnel IP address. SSL VPN allocates a virtual IP address (for example, 192.168.0.X in FIG. 1) to this client, and changes the source IP address (that is, the external network IP address, for example, 50.1.1.1 in FIG. 1) to the virtual IP address (for example, 192.168.0.X in FIG. 1) so as to implement communication between the external network and the intranet. Accordingly, a private network segment corresponding to the virtual IP address is allocated on the intranet and is dedicated to communication with the external network over SSL VPN.
During the implementation of the present invention, the inventor discovers the following: In the prior art, because a dedicated private network segment for communication with the external network over SSL VPN needs to be allocated on the intranet, the topological structure of the intranet will change. In addition, because a private network is allocated on the intranet, the management policy of the intranet will also change. Especially when multiple clients need to access the intranet over SSL VPN, a large number of virtual IP addresses need to be allocated, and multiple private networks need to be allocated on the intranet, thereby changing the topological structure of the intranet.
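The prior-art flow described above can be modeled as follows. This is an added example, not part of the original document: it shows the client's split-tunnel decision and the gateway's per-client virtual IP allocation and source rewriting, including what happens when the dedicated segment runs out. The class names, the protected prefix 10.1.0.0/24 and the mapping tables are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    via_tunnel: bool = False

class PriorArtClient:
    """Client side: decides per destination whether to use the VPN tunnel."""
    def __init__(self, external_ip, protected_nets):
        self.external_ip = external_ip
        self.protected = [ipaddress.ip_network(n) for n in protected_nets]

    def send(self, dst):
        addr = ipaddress.ip_address(dst)
        tunneled = any(addr in net for net in self.protected)
        # In both cases the source is still the external network address.
        return Packet(self.external_ip, dst, via_tunnel=tunneled)

class PriorArtGateway:
    """SSL VPN side: one virtual IP per client from a dedicated segment."""
    def __init__(self, virtual_segment):
        self.pool = iter(ipaddress.ip_network(virtual_segment).hosts())
        self.by_client = {}   # external IP -> virtual IP
        self.by_virtual = {}  # virtual IP -> external IP (return path)

    def to_intranet(self, pkt):
        if not pkt.via_tunnel:
            raise ValueError("only tunneled packets reach the SSL VPN")
        if pkt.src not in self.by_client:
            try:
                vip = str(next(self.pool))
            except StopIteration:
                # Every new client consumes an address of the private segment.
                raise RuntimeError("virtual segment exhausted") from None
            self.by_client[pkt.src] = vip
            self.by_virtual[vip] = pkt.src
        # Source rewrite: external address -> virtual address.
        return Packet(self.by_client[pkt.src], pkt.dst)

    def to_client(self, pkt):
        # Reply from the intranet is addressed to the virtual IP; map it back.
        return Packet(pkt.src, self.by_virtual[pkt.dst], via_tunnel=True)
```

The intranet must route the whole virtual segment back to the gateway, and the gateway's mapping table grows by one entry per connected client, which is the topology and policy cost the passage describes.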