Deploy SGOS IPv6 Proxy as a Reverse Proxy Appliance


Article ID: 165639




Mobility Threat Protection ProxySG Software - SGOS



Content that already works on the existing IPv4 backbone needs to be provided to both existing IPv4 users and new IPv6 users. The content is hosted on infrastructure that is IPv4 only. Modifying the infrastructure to be IPv6 ready is a major task that requires time and investment.


Deploy SGOS IPv6 Proxy as a reverse proxy appliance to provide IPv6 external connectivity to the existing IPv4 backend. 



  1. Configure ProxySG to have both IPv4 and IPv6 connectivity. See Deploy ProxySG as an IPv6 Transitional Device.
  2. Create an IPv6-to-IPv4 forwarding rule. In this example, the rule is named “ipv6-forward-ipv4”, and we assume that HTTP traffic is being forwarded.
    #(config forwarding) create host ipv6-forward-ipv4 <ocs-ip> http=80 server

  3. Create an HTTPS reverse proxy service, named “ipv6-https” in this example. The assumption here is that the ProxySG is front-ending HTTPS traffic, with HTTP traffic in the internal network:
    #(config proxy-services) create https-reverse-proxy ipv6-https
    #(config proxy-services) edit ipv6-https
    #(config ipv6-https) add all 443

    Depending on your needs, you may want the service to listen on port 443 on one specific IP address only. In this case, specify the correct IPv6 address:

    #(config ipv6-https) add <ipv6-address> 443

  4. Create a policy to forward traffic to the IPv4 content. This policy will forward all connections coming in as “ipv6-https” service to the Origin Content Server (OCS):
    <Forward> forward(ipv6-forward-ipv4)

  5. Create URL rewrite rules. In many cases, the content on the OCS contains hyperlinks that include the full link, for example, <a href="http://<ocs-ip>/afile.exe">. Once the forwarding rule is applied, this becomes a problem: the hyperlink points at an IPv4 address, which the client cannot access directly. To solve this problem, create a two-way URL rewrite policy:
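    ; each rule takes the client-facing (IPv6) URL first, then the server-side (IPv4) URL
    define url_rewrite my_transformer
      rewrite_url_substring "https://[2001:418:9804:111::103]/" "http://<ocs-ip>/"
      rewrite_url_prefix "https://[2001:418:9804:111::103]/" "http://<ocs-ip>/"
    end
    define action my_rewrite_action
      transform my_transformer
    end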

    The IP addresses can also be hostnames. This example is a simplified version.
  6. Configure the DNS server to direct traffic to the ProxySG reverse proxy. Typically, users connect to the OCS using a hostname instead of a literal IP address. This step requires the DNS authority to create an IPv6 entry for the publicly accessible hostname.
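
A check for step 5, added here as an example (it is not part of the original article or the vendor's tooling): it parses a response body fetched through the reverse proxy and lists links that still point at the IPv4 backend or drop back to plain HTTP on the proxy address. The function name `unrewritten_links`, the backend address 192.0.2.10 and the hostname ocs.internal.example are assumptions made for the illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _norm(host):
    """Normalise a host so equivalent IP spellings compare equal."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower()

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src", "action") and v]

def unrewritten_links(html, public_host, backend_hosts=()):
    """Return (url, reason) for links an IPv6 client of the proxy cannot safely follow."""
    public, backends = _norm(public_host), {_norm(h) for h in backend_hosts}
    parser = _Links()
    parser.feed(html)
    findings = []
    for url in parser.urls:
        try:
            host = urlsplit(url).hostname
        except ValueError:
            findings.append((url, "unparseable URL"))
            continue
        if not host:
            continue  # relative link, resolved against the proxy's own URL
        host = _norm(host)
        if isinstance(host, ipaddress.IPv4Address):
            findings.append((url, "IPv4 literal"))
        elif host in backends:
            findings.append((url, "backend hostname"))
        elif host == public and url.lower().startswith("http://"):
            findings.append((url, "plain HTTP to the proxy"))
    return findings
# Constructed sample body; 192.0.2.10 and ocs.internal.example are placeholder backends.
SAMPLE_HTML = """<a href="/docs/index.html">relative</a>
<a href="https://[2001:418:9804:111::103]/ok.html">rewritten</a>
<a href="http://192.0.2.10/afile.exe">leaked</a>
<img src="http://[2001:418:9804:111::103]/logo.png">
<form action="http://ocs.internal.example/login"></form>"""

if __name__ == "__main__":
    print(unrewritten_links(SAMPLE_HTML, "[2001:418:9804:111::103]", ["ocs.internal.example"]))
```

An empty result for every page sampled through the proxy indicates the rewrite rules cover the absolute links the OCS emits; any finding names a URL the transformer missed.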

Network Diagram