Field of the Invention
The present invention relates to a communication system which performs communication between cloud servers outside a firewall and devices inside the firewall, and to techniques related thereto.
Description of the Background Art
There is a technique for ensuring cooperation between servers (cloud servers or the like) outside a LAN and devices (an image forming apparatus and the like) inside the LAN.
There is, for example, a technique for printing out an electronic document stored in a server on a cloud (a cloud server) by using an image forming apparatus on a local side (inside a LAN) (see Japanese Patent Application Laid Open Gazette No. 2013-73578 (Patent Document 1)).
In Patent Document 1, disclosed is a document output system (communication system) which comprises an image forming apparatus (device), a gateway, and a cloud server. In the system, an electronic document stored in the cloud server is sent to the image forming apparatus via the gateway and the like and printed out in the image forming apparatus 10. Further, the gateway and the image forming apparatus (device) are provided inside a LAN and the cloud server is provided outside the LAN.
In such a system, a firewall is usually provided between the image forming apparatus (device) inside the LAN and the cloud server outside the LAN.
Access from the image forming apparatus inside the LAN to the cloud server outside the LAN is allowed to pass through the firewall.
Reverse access, i.e., direct access from the cloud server outside the LAN to the image forming apparatus inside the LAN, however, is blocked by the firewall. In other words, the cloud server cannot directly access the image forming apparatus.
In contrast to this, there is a possible technique in which a message session (communication session) is established (as an exception to the firewall) between a management server outside a LAN and a gateway (communication relay apparatus) inside the LAN, and then access is made from the cloud server outside the LAN to the image forming apparatus inside the LAN via the management server and the gateway.
FIGS. 26 and 27 show such a technique as above. At the start-up or the like, a gateway 30 (30a) establishes a message session 511 with a management server 50 which is specified in advance (see a thick line in FIG. 26). After that, when a cloud server 70 (via the management server 50) issues an access request for a specific device 10a, by using the message session 511 between the management server 50 and the gateway 30 (30a), the management server 50 sends a tunnel connection request to the gateway 30a. The tunnel connection request is a command requesting the gateway 30 to establish a tunnel connection (a tunnel connection between the gateway 30 and the cloud server 70). In other words, the tunnel connection request is a command ordering the gateway 30 to perform communication using the tunnel connection. On the basis of the tunnel connection request, the gateway 30a establishes a tunnel communication with the cloud server 70 (see FIG. 27). Then, by using the tunnel communication, the cloud server 70 makes access to the device (image forming apparatus) 10a (via the gateway 30). This technique will be described later in detail.
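The exchange of FIGS. 26 and 27 can be traced with a small in-memory model; this is an added illustration, not code from the patent or from Patent Documents 1 and 2. The class names, the message "type" strings and the payload are assumptions made for the example, and the firewall is modelled as a simple rule that lets a connection cross only when it is opened from inside the LAN.

```python
# Added illustration (not from the patent): in-memory model of the FIG. 26/27 flow.
# Class names and message "type" strings are assumptions; the payload is constructed.
from dataclasses import dataclass, field

class FirewallBlocked(Exception):
    pass

@dataclass
class Node:
    name: str
    inside: bool                      # True = inside the LAN
    inbox: list = field(default_factory=list)

class Firewall:
    """Stateful rule: a connection crosses the firewall only if opened from inside."""
    def __init__(self):
        self.established = set()
    def connect(self, src, dst):
        if not src.inside and dst.inside:
            raise FirewallBlocked(f"{src.name} -> {dst.name}")
        self.established.add(frozenset((src.name, dst.name)))
    def send(self, src, dst, msg):
        crossing = src.inside != dst.inside
        if crossing and frozenset((src.name, dst.name)) not in self.established:
            raise FirewallBlocked(f"no session: {src.name} -> {dst.name}")
        dst.inbox.append((src.name, msg))

def run_flow():
    fw = Firewall()
    device, gateway = Node("device 10a", True), Node("gateway 30a", True)
    mgmt, cloud = Node("management server 50", False), Node("cloud server 70", False)
    events = []
    try:                              # direct reverse access is refused
        fw.connect(cloud, device)
    except FirewallBlocked:
        events.append("direct access blocked")
    fw.connect(gateway, mgmt)         # message session 511, opened outbound at start-up
    fw.send(cloud, mgmt, {"type": "access_request", "device": device.name})
    _, req = mgmt.inbox.pop(0)
    fw.send(mgmt, gateway, {"type": "tunnel_connection_request",
                            "peer": cloud.name, "device": req["device"]})
    _, treq = gateway.inbox.pop(0)
    fw.connect(gateway, cloud)        # tunnel is also dialed from inside the LAN
    events.append(f"tunnel to {treq['peer']} established")
    fw.send(cloud, gateway, {"type": "tunnel_data", "device": treq["device"],
                             "payload": "print job (constructed)"})
    _, data = gateway.inbox.pop(0)
    fw.send(gateway, device, data["payload"])   # gateway relays inside the LAN
    return events, device.inbox

if __name__ == "__main__":
    print(run_flow())
```

Every connection that crosses the firewall in this trace is opened by the gateway, which is why the message session 511 is the point at which reverse access is controlled.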
Further, a similar technique is disclosed in Japanese Patent Application Laid Open Gazette No. 2014-215846 (Patent Document 2).
In such a technique, the management server 50 manages the gateways.
The reverse access, which is opposite in direction to that in the technique of the above-described Patent Document 2, i.e., the access from the cloud server outside the LAN to the image forming apparatus inside the LAN, does not necessarily need to pass through the firewall. It is preferable, however, in view of the security problem (described later) and the like, that even for the access from the cloud server outside the LAN to the image forming apparatus inside the LAN, the communication should be performed via the management server 50.
Further, if the communication from the device inside the firewall to the server outside the firewall is performed not via the management server 50, a system control problem may occur, such as a plurality of communications being performed in a disorderly manner.
In order to solve these problems, it is preferable that the communication between the cloud server outside the firewall and the device inside the firewall should be performed via the management server 50.
There is a possible case, for example, where the management server 50 receives a communication request from each cloud server and a communication request from each device and performs processing (a tunnel connection request for the gateway, and the like) on the basis of the communication requests in the order in which the communication requests are received.
When the processing on the basis of the communication requests is performed only in the order in which the communication requests are received, however, there are many cases where the processing is disadvantageously performed in an inefficient order of execution.