The corporate Internet service is IPv6 ready, but users have not yet upgraded their software and/or hardware to connect using IPv6. As a result, content served only on the IPv6 Internet is inaccessible to the users, even though Internet access is now IPv6 capable. IT would like to provide IPv6 services without manual configuration on each user's machine.
Deploy the SGOS IPv6 proxy as a transparent proxy appliance. In a transparent deployment, the client performs the DNS lookup. Therefore, the ProxySG needs to intercept both the application protocol (typically HTTP) and DNS. This way, DNS resolution is not limited by the client’s capability, which is IPv4 only.
2. Enable both explicit and transparent HTTP service. Notice the “transparent” keyword, which indicates that the connection is not destined to the ProxySG’s IP address.
edit "External HTTP"
#(config External HTTP) intercept transparent 80
It is essential to enable the explicit HTTP proxy so that, when the transparent proxy fails, the DNS proxy redirects the client traffic to the ProxySG, which turns the connection into an explicit proxy connection. To configure the explicit HTTP proxy:
#(config Explicit HTTP) intercept explicit 80
It is worth noting that the administrator does not need to distribute a PAC file or configure the user’s browser in this mode. The explicit connection is made automatically by way of DNS rewrite. In addition, the explicit proxy must listen on port 80 instead of port 8080, because DNS can redirect the IP address but not the port number.
3. Enable the DNS service and intercept all clients’ DNS requests. This step is required for transparent connections so that the ProxySG can modify the client’s DNS requests, which typically query only IPv4 addresses (that is, type A queries).
intercept all 53
4. Create policy to prefer IPv6 DNS lookup:
5. Create policy to redirect traffic back to the ProxySG when IPv6 DNS lookup fails.
This policy tells the client to connect explicitly to the ProxySG when DNS resolution fails; the ensuing connections automatically roll over to explicit HTTP connections.
6. Notice in the following network diagram that the ProxySG is deployed inline. The users are not aware of the ProxySG. IPv6 is currently not supported for WCCP deployment due to lack of WCCP support in the protocol design.
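To illustrate why the explicit service must listen on port 80 (step 2) and what the step 5 redirect hands back to the client, the following added example (not ProxySG code or policy) builds the DNS answer to a type A query in Python. The proxy address 192.0.2.10, the hostname ipv6only.example and all function names are assumptions made for the illustration.

```python
import socket
import struct

PROXY_IP = "192.0.2.10"   # assumed ProxySG address (RFC 5737 documentation range)
TYPE_A, CLASS_IN = 1, 1

def encode_name(name):
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name, txid=0x1A2B):
    """Constructed sample: the type A query an IPv4-only client sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)

def parse_question(packet):
    """Return (txid, name, qtype, end offset of the question section)."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compressed name in question not handled")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return txid, ".".join(labels), qtype, pos + 5

def redirect_answer(query, proxy_ip=PROXY_IP, ttl=30):
    """Answer a type A query with the proxy's address (the fallback in step 5)."""
    txid, _name, qtype, qend = parse_question(query)
    if qtype != TYPE_A:
        raise ValueError("only type A queries are rewritten in this sketch")
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    rdata = socket.inet_aton(proxy_ip)                           # 4 bytes: address only
    # 0xC00C is a compression pointer back to the name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:qend] + answer

def answer_rdata(response):
    """Extract the RDATA of the single answer record built above."""
    _txid, _name, _qtype, qend = parse_question(response)
    rdlength = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    return response[qend + 12:qend + 12 + rdlength]

if __name__ == "__main__":
    print(socket.inet_ntoa(answer_rdata(redirect_answer(build_query("ipv6only.example")))))
```

The answer record's RDATA is exactly four bytes of address, so the client still connects to the port it already intended (80 for HTTP), now at the proxy's address.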
Imported Document ID: 000008901