Abstract: A computer system for providing a remote access service includes a unit for acquiring information on a relation between a terminal and a user using the terminal, a unit for acquiring network information about the terminal, a unit for acquiring network information about a blade that the terminal will access, a unit for acquiring information on a relation between the blade and a storage area, and a management server for extracting information on the user and its usage information and providing these information in real time. The management server also has a unit for permitting an administrator of the management server, persons other than the user and a management program to use the blade.

Abstract: In a storage session management system in a storage area network, the session information blocks periodically collected from the storage devices in the network are grouped based on the information indicating the relation between sessions. That is, since a storage session management server in the management system integrally manages constitution information and operation information, when there is a possibility that circumstances such as a failure and the deterioration of performance occur in information devices, a failure notification module displays such circumstances and makes notification of them to a minimum necessary range that is consolidated by a session consolidation module, thereby a storage session can be managed without applying loads on the respective information devices and the network.

Abstract: In a system which manages path information and status of network with respect to a path being used for access to a storage apparatus and has a redundant path, when a fault occurs in the network, whether or not the path can be recovered by rerouting in network apparatuses is discriminated, thereby performing proper path switching. Construction information and the path information of the network are managed as information of the path which is being used for a storage access by a management server. Further, when the access path is made redundant, the management server obtains fault information in the network and information showing whether or not the path is being reconstructed from the network apparatuses, thereby discriminating the necessity of the path switching. If the path switching is necessary, the management server notifies a host computer and the storage apparatus of it and each apparatus executes a switching process.

Abstract: The present invention decreases the burden of operation required for specifying the continuity status and the cause of failure of a network storage device. A host computer accepts the specification of the device identifier, that is an identifier of the network storage device in the host protocol which positions in a higher hierarchy than the network communication protocol, and a volume identifier, that is an identifier of the volume. Then based on the specified device identifier, the host computer specifies the network identifier, that is an identifier of the network storage device in the network communication protocol. And continuity is confirmed in the network communication protocol in which the specified network identifier is the destination. Also continuity is confirmed in the host protocol in which the device identifier is the destination. And the volume specified by the volume identifier is accessed.

Abstract: A computer system for providing a remote access service includes a unit for acquiring information on a relation between a terminal and a user using the terminal, a unit for acquiring network information about the terminal, a unit for acquiring network information about a blade that the terminal will access, a unit for acquiring information on a relation between the blade and a storage area, and a management server for extracting information on the user and its usage information and providing these information in real time. The management server also has a unit for permitting an administrator of the management server, persons other than the user and a management program to use the blade.

Abstract: A technique which can properly control resources which can be disclosed for an access through a relay apparatus and can improve a security is provided. In a management server, there are executed: a notifying processing module which receives a using request for the resources; a situation information collecting module which, when the using request is received, obtains situation information regarding a case where the resources (server, etc.) are used by a user terminal; a policy collating module which decides the use-permissible resources among the resources on the basis of the situation information; and a filtering control module which controls a filtering by a switch so that an access to the use-permissible resources through a blade PC can be made.

Abstract: In a remote access environment such as a thin client system, there are problems in that a user cannot be informed as to whether a user's computer can be accessed upon activation thereof, or as to whether termination of the computer is completed upon termination thereof, and that an administrator cannot manage computer status of an entire system, leading to delay in identifying failure occurrences.

Abstract: When there is competition for use of a blade PC, a legitimate user is determined by inputting a predetermined number of pieces of additional authentication information. Only when it is possible to determine the legitimate user based on the additional authentication information, the legitimate user is allowed to continuously use the blade PC. Further, while continuous use is allowed, next time a use request is made, additional information of an amount corresponding to that with which determination of the legitimate user has been possible is requested. Thus, when there is competition for access to the blade PC, use is ensured for the legitimate user without sacrificing security.

Abstract: In order to remove security vulnerability in an IP-SAN and eliminate unauthorized access by spoofing, firewalls are installed in valid user servers and storage devices, and a distributed firewall manager for managing the firewalls integrally is provided in the IP-SAN. The distributed firewall manager obtains discovery domain information from an iSNS server, determines nodes registered in the iSNS server as the nodes of valid users, and autocreates a security policy according to sets consisting of an iSCSI name and portal information. This security policy is distributed to all of the firewalls as a common policy, whereupon access control is executed to deny TCP connection requests from unauthorized access sources.

Abstract: An access control system and an access control server using Terminal Services or the like, which prevents information from being leaked are provided. The access control system includes one or more computer units, one or more terminals, and the access control server that controls a hub. The one or more terminals are coupled with the one or more computer units through a network and the hub. The hub controls access from the one or more terminals to the one or more computer units. In accordance with the result of the authentication, the access control server authenticates a user who operates one of the terminals and sets the hub so that a network link for a particular protocol is established between the terminal operated by the user and a particular one of the computer units.

Abstract: In an IP-SAN, instead of the presence or absence of mount/unmount requests, the actual mount/unmount status of storages is determined by monitoring session information of the storage apparatus and communicated to a mount reservation server. Change of access status is communicated in an accurate and real-time manner to the user terminal or management server that uses disk resources. This solves a problem that stoppage of access cannot be detected when the presence or absence of access to the storage apparatus is determined only by the mount/unmount request. The invention also solves a problem that, when the mounting is broken down due to any failure, a computer requesting to use the disk resources cannot access the disk despite its mount request.

Abstract: To provide an access control service and control server for protecting a computer from an Illegal access such as a password cracking, in a terminal service and other related services. An access server 3 includes an authentication manager 7 for authenticating a user to operate a terminal, and an ACE manager 9 for setting a network link that enables communication between a terminal 1 that the user operates and a specific computer unit 2, to a hub 4 in accordance with a result of the authentication. Information on each user and information on the specific computer unit 2 that the each user can use are associated with each other and registered in the ACE manager 9.

Abstract: In a storage session management system in a storage area network, the session information blocks periodically collected from the storage devices in the network are grouped based on the information indicating the relation between sessions. That is, since a storage session management server in the management system integrally manages constitution information and operation information, when there is a possibility that circumstances such as a failure and the deterioration of performance occur in information devices, a failure notification module displays such circumstances and makes notification of them to a minimum necessary range that is consolidated by a session consolidation module, thereby a storage session can be managed without applying loads on the respective information devices and the network.

Abstract: The invention provides a management system solving the problems of the storage area network shared among plural devices, which was incapable of guaranteeing communication performances due to varied response time, and which required unstable time for accessing volumes.

Abstract: The band controller 500 included in the computer system 1000 regularly acquires map information and IF information, etc. from the work server 100, the storage device 200, and the routers 300 and 400, and based on these pieces of information, detects iSCSI sessions for which the communication band is insufficient. When an iSCSI session with insufficient band is detected, the band controller 500 selects another iSCSI session to perform band allocation based on the iSCSI session importance level or the circuit use-rate. The band controller 500 allocates at least part of the communication band of the network route used by the iSCSI session selected in this way to the iSCSI session with insufficient band. The computer system 1000 performs efficient data transfer in storage area networks on which many variations of communication band exist.

Abstract: In a system which manages path information and status of network with respect to a path being used for access to a storage apparatus and has a redundant path, when a fault occurs in the network, whether or not the path can be recovered by rerouting in network apparatuses is discriminated, thereby performing proper path switching. Construction information and the path information of the network are managed as information of the path which is being used for a storage access by a management server. Further, when the access path is made redundant, the management server obtains fault information in the network and information showing whether or not the path is being reconstructed from the network apparatuses, thereby discriminating the necessity of the path switching. If the path switching is necessary, the management server notifies a host computer and the storage apparatus of it and each apparatus executes a switching process.

Abstract: To provide a storage connection changing method for a storage management system of setting and releasing an external connection between a primary storage system and an external storage system in a storage system, the storage management system includes a computer, the primary storage system, the external storage system, a network device, and a management device which manages the computer, the primary storage system, the external storage system, and the network device. The management device obtains a communication group information for limiting a communicable range between the computer and the storage systems from the network device, upon receiving of a request for changing an external connection state, And the management device generates a communication group information after the changing of the external connection state based on the request for changing the external connection state and the obtained communication group information.

Abstract: Storage groups are generated using group information previously set to a switch 3. In a group information acquisition step, group information, which is previously set to the switch 3 and relates to computers 4 and storage devices 5, is acquired from the switch 3, and the acquired group information is stored in a storing means 16. In a node information acquisition step, node information required for connecting to a network is acquired from each of the computers 4 and the storage devices 5, and acquired node information is stored in the storing means 16. In a group generation step, the storage groups are generated based on the group information stored in the storing means 16. And, in a registration step, the generated storage groups and the node information stored in the storing means 16 are registered at a storage name solving server 2.

Abstract: In order to remove security vulnerability in an IP-SAN and eliminate unauthorized access by spoofing firewalls are installed in valid user servers and storage devices, and a distributed firewall manager for managing the firewalls integrally is provided in the IP-SAN. The distributed firewall manager obtains discovery domain information from an iSNS server, determines nodes registered in the iSNS server as the nodes of valid users, and autocreates a security policy according to sets consisting of an iSCSI name and portal information. This security policy is distributed to all of the firewalls as a common policy, whereupon access control is executed to deny TCP connection requests from unauthorized access sources.

Abstract: The present invention decreases the burden of operation required for specifying the continuity status and the cause of failure of a network storage device. A host computer accepts the specification of the device identifier, that is an identifier of the network storage device in the host protocol which positions in a higher hierarchy than the network communication protocol, and a volume identifier, that is an identifier of the volume. Then based on the specified device identifier, the host computer specifies the network identifier, that is an identifier of the network storage device in the network communication protocol. And continuity is confirmed in the network communication protocol in which the specified network identifier is the destination. Also continuity is confirmed in the host protocol in which the device identifier is the destination. And the volume specified by the volume identifier is accessed.