Deploying SGOS IPv6 Proxy in a Transparent Deployment
Article ID: 165644

Products

Mobility Threat Protection ProxySG Software - SGOS

Issue/Introduction

In a transparent deployment, the client performs the DNS lookup. Therefore, the Edge SWG needs to intercept both the application protocol (typically HTTP) and DNS, so that name resolution is not limited to the client's own capability, which is IPv4 only.

Resolution

Deployment

1. Configure the Edge SWG to have both IPv4 and IPv6 connectivity. See Deploy Edge SWG as an IPv6 Transitional Device.

2. Enable both the explicit and the transparent HTTP service. Note the "transparent" keyword, which indicates that the connection is not destined to the Edge SWG's own IP address.

#(config proxy-services) edit "External HTTP"
#(config External HTTP) intercept transparent 80
 
It is essential to enable the explicit HTTP proxy as well: when the transparent proxy fails, the DNS proxy redirects the client traffic to the Edge SWG, which turns the connection into an explicit proxy connection. To configure the explicit HTTP proxy:
 
#(config proxy-services) edit "Explicit HTTP"
#(config Explicit HTTP) intercept explicit 80
 
It is worth noting that the administrator does not need to distribute a PAC file or configure the user's browser in this mode; the explicit connection happens automatically by way of the DNS rewrite. In addition, the explicit proxy must listen on port 80 instead of port 8080, because the DNS rewrite can redirect the IP address but not the port number.
 
3. Enable the DNS service and intercept all clients' DNS requests. This step is required for transparent connections so that the Edge SWG can modify the clients' DNS requests, which typically query only IPv4 addresses.
 
#(config proxy-services) edit "DNS"
#(config DNS) intercept all 53
 
4. Create a policy to prefer the IPv6 DNS lookup:
 
<Proxy>
server_url.dns_lookup(prefer-ipv6)
 
5. Create a policy to redirect traffic back to the Edge SWG when the IPv6 DNS lookup fails:
<dns-proxy>
dns.response.nodata=yes dns.respond.a(<sg-ip-address>)
 
This policy tells the client to connect explicitly to the Edge SWG when DNS resolution fails, and the ensuing connections automatically roll over to become explicit HTTP connections.
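As an added illustration (not SGOS code and not part of this article), a small Python model of how steps 2 to 5 interact: a constructed upstream DNS table, the NODATA rewrite to the Edge SWG address, the resulting transparent-or-explicit path, and a check of the three service settings the deployment relies on. The address 198.51.100.10 and the example host names are constructed stand-ins.

```python
# Constructed model of the DNS-rewrite fallback in steps 2-5; not SGOS code.
SG_IP = "198.51.100.10"  # constructed stand-in for <sg-ip-address>

# Constructed upstream DNS data: name -> (A records, AAAA records)
UPSTREAM = {
    "dual.example":   (["203.0.113.5"], ["2001:db8::5"]),
    "v6only.example": ([], ["2001:db8::6"]),
    "v4only.example": (["203.0.113.4"], []),
}

def dns_proxy_answer(qname, qtype="A", upstream=UPSTREAM, sg_ip=SG_IP):
    """Answer the intercepted DNS service returns to the IPv4-only client.
    Mirrors the <dns-proxy> rule: name exists but has no record of the
    requested type (NODATA) -> respond with an A record for the Edge SWG."""
    if qname not in upstream:                      # NXDOMAIN: nothing to rewrite
        return {"rewritten": False, "answers": []}
    a, aaaa = upstream[qname]
    answers = a if qtype == "A" else aaaa
    if not answers:                                # dns.response.nodata=yes
        return {"rewritten": True, "answers": [sg_ip]}
    return {"rewritten": False, "answers": answers}

def connection_path(qname, upstream=UPSTREAM, sg_ip=SG_IP):
    """Which HTTP service sees the client's port-80 connection, and which origin
    address the Edge SWG picks under server_url.dns_lookup(prefer-ipv6)."""
    ans = dns_proxy_answer(qname, "A", upstream, sg_ip)
    if not ans["answers"]:
        return {"service": None, "client_dst": None, "origin": None}
    a, aaaa = upstream[qname]
    return {
        "service": "explicit" if ans["rewritten"] else "transparent",
        "client_dst": ans["answers"][0],           # where the client's SYN goes
        "origin": (aaaa or a)[0],                  # prefer-ipv6 on the server side
    }

def check_services(services):
    """Lint (service name, intercept mode, port) triples against the three
    settings this deployment depends on; returns the problems found."""
    modes = {(mode, port) for _, mode, port in services}
    required = [
        (("transparent", 80), "HTTP service must intercept transparent 80"),
        (("explicit", 80), "explicit HTTP must listen on 80, not 8080: DNS rewrite "
                           "changes the destination address but not the port"),
        (("all", 53), "DNS service must intercept all 53"),
    ]
    return [msg for key, msg in required if key not in modes]
```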