A server hosting system provides servers for use by multiple customers, or tenants. Computing devices in the server hosting system are located at one or more locations remote from the tenants. For instance, the computing devices in the server hosting system can be located at a premises occupied by a vendor, or offsite from the vendor. Use of server hosting systems is growing in popularity because a server hosting system can enable a tenant to divide the cost of implementing, maintaining, and running servers with other tenants.
A server provided by a server hosting system is sometimes referred to as a managed server. A server hosting system can include a dedicated computing device that exclusively provides an individual managed server for a tenant. Alternatively, the server hosting system can include a computing device that provides multiple virtual managed servers. In this alternative scenario, each of the virtual managed servers functions like a separate server, even though the virtual managed servers are provided by a single computing device.
Preferably, a tenant is able to readily access a managed server in a simple manner, so that a managed server approximates the convenience of a local server managed by that tenant. Access, in this context, includes administration of the server hosting system and of the managed servers within it, such as adding or deleting managed servers, or restricting access to those managed servers to certain individuals associated with the tenant. To do so, a tenant should be able to communicate data securely with the server hosting system, using any off-the-shelf networking device to establish the connection. Additionally, the tenant must be able to identify the particular managed server within the server hosting system that the tenant wishes to access.
In some cases, a server hosting system can be secured internally, to protect data exchanged among managed servers. For example, in the case where the managed servers are virtual managed servers, multiple tenants may share a set of those virtual managed servers, but those tenants may not be allowed access to each other's data. One example of such a server hosting system security arrangement is provided by the Stealth data parsing technology provided by Unisys Corporation of Blue Bell, Pa. However, to integrate this data parsing technology at a tenant, the tenant is required to install specialized software or use a particular secure appliance as a gateway to gain access to a server hosting system. In some circumstances, tenants prefer an off-the-shelf networking appliance that allows them to connect to their managed servers at a server hosting system.
One method by which secured communication can be provided is through use of the Internet Protocol Security (IPsec) protocol suite. IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite. It can be used in protecting data communicated between hosts, gateways, or some combination thereof. IPsec secures IP communication by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between computing systems at the beginning of a communications session and negotiation of cryptographic keys to be used during the session.
Typically, to allow tenants to access managed servers, each tenant is assigned a set of contiguous IP addresses, so that the server hosting system, on receiving data packets from a variety of tenants, can use subnetting to determine the specific destination managed server for data received from a tenant. However, in these situations, IP addresses can quickly become exhausted, placing an unnecessary limit on the number of tenants able to connect to a managed server in the server hosting system. Also, because tenants are allowed to dynamically add and delete servers, server IP addresses are assigned in an unpredictable fashion. This results in non-contiguous IP addresses and segmentation of the available IP address space. Furthermore, because tenants are preferably allowed to assign their own IP addresses to managed servers, those tenants may in fact assign the same IP address to different servers, resulting in the case where two tenants may desire to use two different servers with the same IP address.
Other arrangements use a tag in the IPsec communication packet that identifies the managed server that is the destination of the packet from the tenant. However, this approach requires use of a proprietary addition to the data packet that must be added by a tenant device, and therefore requires that tenants obtain specialized appliances that can handle routing of data packets by applying such tags.
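The two addressing schemes described in the preceding paragraphs, the subnetting approach and the per-packet tag approach, can be contrasted with a small model of the hosting system's destination lookup. The following is an added example written for this page and is not code from the patent or from any vendor; the tenant names, prefixes, addresses and server names are constructed values. `SubnetRouter` locates the managed server from the destination IP alone by longest-prefix match, so address blocks must be disjoint and a tenant cannot reuse an address already inside another tenant's block; `TaggedRouter` keys the lookup on (tenant tag, destination IP), so overlapping and non-contiguous addresses are resolved without reserving blocks.

```python
import ipaddress


class SubnetRouter:
    """Subnetting approach: each tenant receives one contiguous block of
    addresses, and the destination managed server is located by a
    longest-prefix match on the packet's destination IP alone."""

    def __init__(self):
        self.prefixes = {}  # ip_network -> tenant name

    def assign(self, tenant, cidr):
        net = ipaddress.ip_network(cidr)
        # Two tenants can never share addresses: overlapping blocks are rejected.
        for existing in self.prefixes:
            if net.overlaps(existing):
                raise ValueError(
                    f"{cidr} overlaps {existing} ({self.prefixes[existing]})")
        self.prefixes[net] = tenant

    def resolve(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        matches = [n for n in self.prefixes if addr in n]
        if not matches:
            return None
        return self.prefixes[max(matches, key=lambda n: n.prefixlen)]


class TaggedRouter:
    """Tag approach: the packet carries a tenant tag, so the lookup key is
    (tag, destination IP) and the same IP may appear under several tenants."""

    def __init__(self):
        self.table = {}  # (tag, ip_address) -> managed server name

    def assign(self, tag, ip, server):
        key = (tag, ipaddress.ip_address(ip))
        if key in self.table:
            raise ValueError(f"{ip} already assigned for tag {tag}")
        self.table[key] = server

    def resolve(self, tag, dst_ip):
        return self.table.get((tag, ipaddress.ip_address(dst_ip)))


def subnet_demo():
    """Constructed scenario: tenant-a runs 3 servers inside a /28 block,
    tenant-b holds the next /28 and then also wants to use 10.0.0.5.
    Returns (owner of 10.0.0.5, owner of 10.0.0.20, whether the reuse
    was rejected, addresses reserved for tenant-a)."""
    r = SubnetRouter()
    r.assign("tenant-a", "10.0.0.0/28")    # 16 addresses reserved, 3 in use
    r.assign("tenant-b", "10.0.0.16/28")
    a = r.resolve("10.0.0.5")
    b = r.resolve("10.0.0.20")
    collision = False
    try:
        r.assign("tenant-b", "10.0.0.0/28")  # overlapping block is rejected
    except ValueError:
        collision = True
    reserved = ipaddress.ip_network("10.0.0.0/28").num_addresses
    return a, b, collision, reserved


def tagged_demo():
    """Constructed scenario: both tenants assign 10.0.0.5 to a server of
    their own, and tenant B adds a server with an unrelated address.
    Returns the lookups for (A, 10.0.0.5), (B, 10.0.0.5) and a miss."""
    r = TaggedRouter()
    r.assign("A", "10.0.0.5", "srv-a1")
    r.assign("B", "10.0.0.5", "srv-b1")      # same IP, different tenant: fine
    r.assign("B", "192.168.7.9", "srv-b2")   # non-contiguous, no block needed
    return (r.resolve("A", "10.0.0.5"),
            r.resolve("B", "10.0.0.5"),
            r.resolve("A", "192.168.7.9"))   # A never assigned this address


if __name__ == "__main__":
    print("subnet:", subnet_demo())
    print("tagged:", tagged_demo())
```

The subnet model reserves 16 addresses to serve 3 servers and refuses the second tenant's reuse of 10.0.0.5, which is the exhaustion and collision problem the text describes; the tagged model resolves both tenants correctly but, as the text notes, only because a tenant identifier is carried with each packet, which in the prior arrangement required a proprietary addition made by a specialized tenant appliance.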
For these and other reasons, improvements are desirable.