
Deploy SGOS IPv6 Proxy as a Reverse Proxy Appliance

Solutions ID:    KB5180
Version:    2.0
Status:    Published
Published date:    06/27/2012
Updated:    07/23/2013
 

Problem Description

Scenario

Content that already works on the existing IPv4 backbone needs to be provided to both existing IPv4 users and new IPv6 users. The content is hosted on infrastructure that is IPv4 only. Modifying the infrastructure to be IPv6 ready is a major task that requires time and investment.

Solution

Deploy SGOS IPv6 Proxy as a reverse proxy appliance to provide IPv6 external connectivity to the existing IPv4 backend. 

Resolution

Deployment

  1. Configure ProxySG to have both IPv4 and IPv6 connectivity. See Deploy ProxySG as an IPv6 Transitional Device.
     
  2. Create an IPv6-to-IPv4 forwarding rule. In this example, the rule is named “ipv6-forward-ipv4” and forwards HTTP traffic.
    #(config)forwarding
    #(config forwarding) create host ipv6-forward-ipv4 <ocs-ip> http=80 server

  3. Create an HTTPS reverse proxy service, named “ipv6-https” in this example. This assumes the ProxySG is front-ending HTTPS traffic, with HTTP traffic in the internal network:
    #(config)proxy-services
    #(config proxy-services)create https-reverse-proxy ipv6-https
    #(config proxy-services)edit ipv6-https
    #(config ipv6-https)add all 443

    Depending on your needs, you may want the service to listen on port 443 on only a specific IP address. In that case, specify the IPv6 address:

    #(config ipv6-https)add <ipv6-address> 443

  4. Create a policy to forward traffic to the IPv4 content. This policy forwards all connections arriving on the “ipv6-https” service to the Origin Content Server (OCS):
    <Forward>
    service.name=ipv6-https forward(ipv6-forward-ipv4)

  5. Create URL rewrite rules. In many cases, the OCS content contains hyperlinks with the full URL, for example, <a href="http://<ocs-ip>/afile.exe">. Once the forwarding rule is applied, this becomes a problem because the client cannot directly reach the hyperlink target, which is IPv4. To solve this, create a two-way URL rewrite policy:
    define url_rewrite my_transformer
    rewrite_url_substring "https://[2001:418:9804:111::103]/" http://10.9.45.17/
    rewrite_url_prefix "https://[2001:418:9804:111::103]/" http://10.9.45.17/
    end
    define action my_rewrite_action
    transform my_transformer
    end
    <Proxy>
    action.my_rewrite_action(yes)


    The IP addresses can also be hostnames. This example is a simplified version.
     
  6. Configure the DNS server to direct traffic to the ProxySG reverse proxy. Users typically connect to the OCS by hostname rather than by literal IP address, so this step requires the DNS authority to create an IPv6 entry for the publicly accessible hostname.
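
A post-deployment check for the rewrite rules in step 5, as an added example that is not part of the original article: it parses a page as received through the reverse proxy and lists every link whose host is still an IPv4 literal, which an IPv6-only client cannot reach and which exposes the backend address. The function name and the sample HTML are constructed for illustration; the addresses are the ones used in step 5.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that commonly carry URLs a browser will follow or fetch.
URL_ATTRS = {"href", "src", "action"}

class LinkCollector(HTMLParser):
    """Collect the raw value of every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value)

def unrewritten_ipv4_links(html):
    """Return links in `html` whose host is an IPv4 literal.

    Relative links, hostnames and IPv6 literals are accepted; anything
    returned here was not covered by the rewrite policy.
    """
    collector = LinkCollector()
    collector.feed(html)
    leaks = []
    for url in collector.urls:
        try:
            host = urlsplit(url).hostname   # None for relative links
            addr = ipaddress.ip_address(host) if host else None
        except ValueError:
            continue                        # hostname or malformed literal
        if addr is not None and addr.version == 4:
            leaks.append(url)
    return leaks

# Constructed sample: a response body as an IPv6 client might receive it.
SAMPLE = """<html><body>
<a href="https://[2001:418:9804:111::103]/afile.exe">rewritten</a>
<a href="/docs/readme.html">relative</a>
<img src="//10.9.45.17/logo.png">
<form action="http://10.9.45.17:8080/submit"></form>
<a href="https://www.example.com/">hostname</a>
</body></html>"""

if __name__ == "__main__":
    for link in unrewritten_ipv4_links(SAMPLE):
        print("IPv4 literal still present:", link)
```

Each reported link points to a URL form that needs its own rewrite rule, or to content that should use relative links or hostnames instead.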

