Deploy SGOS IPv6 Proxy in a Transparent Deployment



Corporate Internet service is IPv6 ready, but users have not yet upgraded their software and/or hardware to be able to connect using IPv6. As a result, content served only on the IPv6 Internet is inaccessible to users, even though Internet access is now IPv6 capable. IT would like to provide IPv6 services without manual configuration on each user's machine.

Deploy the SGOS IPv6 Proxy as a transparent proxy appliance. In a transparent deployment, the client performs the DNS lookup. Therefore, the ProxySG needs to intercept both the application protocol (typically HTTP) and DNS. This way, DNS resolution is not limited to the client’s capability, which is only IPv4.



1. Configure the ProxySG to have both IPv4 and IPv6 connectivity. See Deploy ProxySG as an IPv6 Transitional Device.

2. Enable both explicit and transparent HTTP service. Notice the “transparent” keyword indicating the connection is not destined to the ProxySG’s IP address.

#(config proxy-services) edit "External HTTP"
#(config External HTTP) intercept transparent 80

It is essential to enable explicit HTTP proxy so that when transparent proxy fails, the DNS proxy will redirect the client traffic to the ProxySG, which will turn the connection into an explicit proxy connection. To configure explicit HTTP proxy:

#(config Explicit HTTP) intercept explicit 80

It is worth noting that the administrator does not need to distribute a PAC file or configure the user’s browser in this mode. The explicit connection is made automatically by way of DNS rewrite. In addition, the port number for explicit proxy needs to be port 80, instead of port 8080. This is because DNS can redirect the IP address, but not the port number.

3. Enable the DNS service and intercept all clients’ DNS requests. This is a required step for transparent connection so that the ProxySG can modify the client’s DNS requests, which typically query only for IPv4 addresses (that is, type A queries).

#(config proxy-services) edit "DNS"
#(config DNS) intercept all 53

4. Create policy to prefer IPv6 DNS lookup:

5. Create policy to redirect traffic back to the ProxySG when IPv6 DNS lookup fails.

dns.response.nodata=yes dns.respond.a(<sg-ip-address>)

This policy tells the client to explicitly connect to the ProxySG when DNS resolution fails, and the ensuing connections will automatically roll over to become explicit HTTP connections.

6. Notice in the following network diagram, the ProxySG is deployed inline. The users are not aware of the ProxySG. IPv6 is currently not supported for WCCP deployment due to lack of WCCP support in the protocol design.

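
A check for the DNS rewrite in step 5, as an added example that is not part of the original article: it parses the response to a client's type A query and reports whether the name is answered with the ProxySG address, left as NODATA, or resolved directly over IPv4. The address 192.0.2.10, the host names and all function names are assumptions, and the sample responses are constructed.

```python
import ipaddress
import struct

SG_IP = "192.0.2.10"  # assumed ProxySG address (documentation range)

def build_a_response(qname, addrs, txid=0x1234):
    """Constructed sample: DNS response to a type A query for qname."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    msg += name + struct.pack("!HH", 1, 1)            # question: type A, class IN
    for a in addrs:                                    # 0xC00C points back to qname
        msg += struct.pack("!HHHIH4s", 0xC00C, 1, 1, 60, 4, ipaddress.IPv4Address(a).packed)
    return msg

def skip_name(msg, off):
    while True:                                        # walk labels to the end of a name
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                           # compression pointer
            return off + 2
        off += 1 + n

def a_records(msg):
    """Return (rcode, [IPv4 addresses]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return flags & 0xF, addrs

def classify(msg, sg_ip=SG_IP):
    """Say what an IPv4-only client will do with this answer."""
    rcode, addrs = a_records(msg)
    if rcode != 0:
        return "error"
    if not addrs:
        return "nodata"               # rewrite not applied; client has no address
    if addrs == [sg_ip]:
        return "redirected-to-proxy"  # client connects to the ProxySG on port 80
    return "direct-ipv4"              # caught by the transparent HTTP intercept
```

A "nodata" result for a name that is published only on IPv6 means the step 5 policy is not taking effect for that client.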
Additional Information
InQuira Doc Id: KB5182

First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Product      ProxySG
Software      SGOS 5.5, SGOS 6
Article Number      000008901