
Deploy SGOS IPv6 Proxy in a Transparent Deployment

Solutions ID:    KB5182
Version:    2.0
Status:    Published
Published date:    06/27/2012
Updated:    07/23/2013
 

Problem Description

Scenario

The corporate Internet service is IPv6 ready, but users have not yet upgraded their software and/or hardware to be able to connect using IPv6. As a result, content served only on the IPv6 Internet is inaccessible to the users, even though the Internet access is now IPv6 capable. IT would like to provide IPv6 services without manual configuration on each user's machine.

Solution

Deploy the SGOS IPv6 Proxy as a transparent proxy appliance. In a transparent deployment, the client performs the DNS lookup. Therefore, the ProxySG needs to intercept both the application protocol (typically HTTP) and DNS. This way, DNS resolution is not limited to the client’s capability, which is IPv4 only.

Resolution

Deployment

  1. Configure the ProxySG to have both IPv4 and IPv6 connectivity. See Deploy ProxySG as an IPv6 Transitional Device.
  2. Enable both explicit and transparent HTTP service. Note the “transparent” keyword, which indicates that the connection is not destined for the ProxySG’s IP address.
    #(config proxy-services) edit "External HTTP"
    #(config External HTTP) intercept transparent 80


    It is essential to enable the explicit HTTP proxy so that, when the transparent proxy fails, the DNS proxy redirects the client traffic to the ProxySG, which turns the connection into an explicit proxy connection. To configure the explicit HTTP proxy:

    #(config Explicit HTTP) intercept explicit 80

    It is worth noting that the administrator does not need to distribute a PAC file or configure the user’s browser in this mode. The explicit connection is done automatically by way of DNS rewrite.  In addition, the port number for explicit proxy needs to be port 80, instead of port 8080. This is because DNS can redirect the IP address, but not the port number.

  3. Enable the DNS service and intercept all clients’ DNS requests. This step is required for transparent connections so that the ProxySG can modify the clients’ DNS requests, which typically query only for IPv4 addresses (that is, type A queries).
    #(config proxy-services) edit "DNS"
    #(config DNS) intercept all 53

  4. Create policy to prefer IPv6 DNS lookup:
    <Proxy>
    server_url.dns_lookup(prefer-ipv6)

  5. Create policy to redirect traffic back to the ProxySG when IPv6 DNS lookup fails.
    <dns-proxy>
    dns.response.nodata=yes dns.respond.a(<sg-ip-address>)


    This policy tells the client to explicitly connect to the ProxySG when DNS resolution fails, and the ensuing connections will automatically roll over to become explicit HTTP connections.

  6. Notice in the following network diagram that the ProxySG is deployed inline. The users are not aware of the ProxySG. IPv6 is currently not supported for WCCP deployment due to lack of WCCP support in the protocol design.
 

Network Diagram
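
To verify the DNS rewrite from steps 3 to 5 after deployment, the reply an IPv4-only client receives for an IPv6-only hostname can be parsed and checked against the ProxySG address. The following is an added example, not part of the original article or the vendor's tooling; `SG_IP`, the function names and the hostname `v6only.example` are assumptions, and the sample replies are constructed.

```python
import socket
import struct

SG_IP = "192.0.2.10"  # assumption: placeholder for <sg-ip-address> in step 5

def encode_question(name):
    """Encode QNAME + QTYPE=A + QCLASS=IN, as an IPv4-only client would ask."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return labels + b"\x00" + struct.pack("!HH", 1, 1)

def build_a_query(name, qid=0x1234):
    """Type A query with RD set; send to UDP/53 from a client behind the ProxySG."""
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + encode_question(name)

def _skip_name(msg, off):
    """Return the offset just past a domain name (handles compression pointers)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # 2-byte pointer or 1-byte root label

def a_records(msg):
    """List the IPv4 addresses in the answer section of a DNS message."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def classify(msg, sg_ip=SG_IP):
    """Interpret the reply a client received for an IPv6-only hostname."""
    addrs = a_records(msg)
    if addrs == [sg_ip]:
        return "redirected-to-proxysg"  # step 5 rewrite is in effect
    return "native-ipv4" if addrs else "nodata-not-rewritten"

def constructed_response(name, addr=None):
    """Constructed sample reply: one A answer if addr is given, else NODATA."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 1 if addr else 0, 0, 0)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)) if addr else b""
    return hdr + encode_question(name) + rr
```

To check a live deployment, send the output of `build_a_query()` for a known IPv6-only hostname over UDP port 53 from a client behind the ProxySG and pass the reply to `classify()`; a result of `nodata-not-rewritten` means the client would not reach the explicit proxy on port 80.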

