Enterprise IPv6 Migration - End of proxypac? Start of Point-to-Point? +10K users
Posted by Yohann on Server Fault
Published on 2012-05-25T10:37:57Z
Indexed on 2012/05/31 22:43 UTC
Let's start with a diagram:
We can see a "typical" IPv4 company network with:
- Internet access through a proxy
- "Other companies" access through a dedicated proxy
- Direct access to local resources
All computers have a proxy.pac file that indicates which proxy to use or whether to connect directly. Computers have access to just a local DNS (no name resolution for google.com, for example).
By the way... The company does not respect RFC1918 internally and uses public addresses! (historical reason). The explicit use of an Internet proxy makes it possible not to have problems.
What if we migrated to IPv6?
Step 1: IPv6 Internet access
Internet access in IPv6 is easy. Indeed, just connect the proxy to the Internet in IPv4 and IPv6. There is nothing to do in the internal network:
Step 2: IPv6 AND IPv4 in the internal network
And why not a full IPv6 network directly? Because there are always old servers that are not IPv6-compatible...
Option 1: Same architecture as in IPv4 with a proxy pac
This is probably the easiest solution. But is this the best?
I think the transition to IPv6 is an opportunity not to bother with this proxy pac!
Option 2: New architecture with transparent proxy, without proxypac, recursive DNS
Oh yes!
In this new architecture, we have:
- Explicit Internet Proxy becomes a Transparent Internet Proxy
- Local DNS becomes a Normal Recursive DNS + authoritative for local domains
- No proxypac
- Explicit Company Proxy becomes a Transparent Company Proxy
- Routing
  - Internal routers redirect the IP of appx.ext.example.com to the Company Proxy.
  - The default gateway is the Transparent Internet Proxy.
Questions
- What do you think of this IPv6 architecture?
- This architecture will reveal the IP addresses of our internal network, but it is protected by firewalls. Is this a real big problem? Should we keep the explicit use of a proxy?
- How would you handle this migration scenario?
- And you, how do you do it in your company?
Thanks! Feel free to edit my post to make it better.
© Server Fault or respective owner
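
As an added example (not part of the original post), the proxy.pac behind the IPv4 layout described in the question could look like the following. The proxy host names, ports and the local domain corp.example.com are hypothetical; only ext.example.com comes from the post. Matching is done on DNS label boundaries so that a look-alike name is not routed to the partner proxy.

```javascript
// Added example: PAC logic for the three paths in the post (Internet proxy,
// "other companies" proxy, direct). Written in ES5 for old PAC engines.
// Hypothetical values: proxy hosts and ports, and "corp.example.com".
var INTERNET_PROXY = "PROXY inet-proxy.corp.example.com:3128";
var COMPANY_PROXY = "PROXY partner-proxy.corp.example.com:3128";

// Ordered rules, first match wins.
var RULES = [
  { suffix: "ext.example.com", route: COMPANY_PROXY }, // other companies' apps
  { suffix: "corp.example.com", route: "DIRECT" }      // local resources
];

// Lower-case and drop a trailing root dot so "WIKI.Corp.Example.Com." matches.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True when host equals suffix or ends with "." + suffix (label boundary),
// so "fakeext.example.com" is not treated as part of "ext.example.com".
function inDomain(host, suffix) {
  var tail = "." + suffix;
  return host === suffix || host.slice(-tail.length) === tail;
}

// Standard PAC entry point. Decisions use the name only: the clients in the
// post resolve local names only, so dnsResolve() on external hosts would fail.
function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  // Unqualified intranet names go direct. IP literals (IPv6 ones contain
  // ":") are not special-cased and take the default route.
  if (h.indexOf(".") === -1 && h.indexOf(":") === -1) {
    return "DIRECT";
  }
  for (var i = 0; i < RULES.length; i++) {
    if (inDomain(h, RULES[i].suffix)) {
      return RULES[i].route;
    }
  }
  return INTERNET_PROXY; // everything else leaves through the Internet proxy
}
```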