Deploy SGOS IPv6 Proxy as a Reverse Proxy Appliance
search cancel

Deploy SGOS IPv6 Proxy as a Reverse Proxy Appliance

book

Article ID: 165639

calendar_today

Updated On:

Products

Mobility Threat Protection ProxySG Software - SGOS

Issue/Introduction

Scenario

Content that is already working on the existing IPv4 backbone needs to be provided to both existing IPv4 users and new IPv6 users. The content is hosted on the infrastructure that is IPv4 only. Modifying the infrastructure to be IPv6 ready is a major task that requires time and investment.

Solution

Deploy SGOS IPv6 Proxy as a reverse proxy appliance to provide IPv6 external connectivity to the existing IPv4 backend. 

Resolution

Deployment

  1. Configure ProxySG to have both IPv4 and IPv6 connectivity. See Deploy ProxySG as an IPv6 Transitional Device.
     
  2.  Create IPv6 to IPv4 forwarding rule. In this example, the rule is named “ipv6-forward-ipv6”, and assuming we are forwarding HTTP traffic.
    #(config)forwarding
     #(config forwarding) create host ipv6-forward-ipv4 <ocs-ip> http=80 server

  3. Create HTTPS reverse proxy service named “ipv6-https” in this example. The assumption here is the ProxySG is front-ending HTTPS traffic, with HTTP traffic in the internal network:
    #(config)proxy-services
     #(config proxy-services)create https-reverse-proxy ipv6-https
     #(config proxy-services)edit ipv6-https
     #(config ipv6-https)    add all 443

     Depending on your needs, you may want to restrict only a certain IP address to be listening on port 443. In this case, the correct IPv6 address can be specified:

    #(config ipv6-https)add <ipv6-address> 443

  4. Create policy to forward traffic to the IPv4 content. This policy will forward all connections coming in as “ipv6-https” service to the Origin Content Server (OCS):
     <Forward>
     service.name=ipv6-https forward(ipv6-forward-ipv4)

  5. Create URL rewrite rules. In many cases, the OCS contain hyperlinks that include the full link, for example, <a href=”http://<ocs-ip>/afile.exe>. When the forwarding rule is applied, this creates a problem now since the client cannot directly access the hyperlink which is in IPv4. To solve this problem, create a two-way URL rewrite policy:
    define url_rewrite my_transformer
     rewrite_url_substring "https://[2001:418:9804:111::103]/" http://10.9.45.17/
     rewrite_url_prefix "https://[2001:418:9804:111::103]/" http://10.9.45.17/
     end
     define action my_rewrite_action
     transform my_transformer
     end
     <Proxy>
     action.my_rewrite_action(yes)
    The IP addresses can also be hostnames. This example is a simplified version.
     
  6. Configure the DNS server to redirect traffic to the ProxySG reverse proxy.  Typically users connect to the OCS using hostname instead of literal IP address. This step requires the DNS authority to create an IPv6 entry to the publicly accessible hostname. 

Network Diagram

Powered by Wolken Software