1. Configure the ProxySG to have both IPv4 and IPv6 connectivity. See Deploy ProxySG as an IPv6 Transitional Device.
2. Enable both explicit and transparent HTTP services. Notice the "transparent" keyword, which indicates that the connection is not destined to the ProxySG's IP address.
#(config proxy-services) edit "External HTTP"
#(config External HTTP) intercept transparent 80
It is essential to enable explicit HTTP proxy so that when transparent proxy fails, the DNS proxy will redirect the client traffic to the ProxySG, which will turn the connection into an explicit proxy connection. To configure explicit HTTP proxy:
#(config Explicit HTTP) intercept explicit 80
It is worth noting that the administrator does not need to distribute a PAC file or configure the user’s browser in this mode. The explicit connection is done automatically by way of DNS rewrite. In addition, the port number for explicit proxy needs to be port 80, instead of port 8080. This is because DNS can redirect the IP address, but not the port number.
3. Enable the DNS service and intercept all clients' DNS requests. This step is required for transparent connections so that the ProxySG can modify the clients' DNS requests, which typically query only IPv4 addresses (that is, type A queries).
#(config proxy-services) edit "DNS"
#(config DNS) intercept all 53
4. Create policy to prefer IPv6 DNS lookup:
5. Create policy to redirect traffic back to the ProxySG when IPv6 DNS lookup fails.
This policy tells the client to connect explicitly to the ProxySG when DNS resolution fails; the ensuing connections automatically roll over to become explicit HTTP connections.
6. Notice that in the following network diagram the ProxySG is deployed inline. The users are not aware of the ProxySG. IPv6 is currently not supported for WCCP deployment due to lack of WCCP support in the protocol design.