Enterprise IPv6 Migration - End of proxypac ? Start of Point-to-Point ? +10K users

Posted by Yohann on Server Fault
Published on 2012-05-25T10:37:57Z Indexed on 2012/05/31 22:43 UTC

Let's start with a diagram : Company in IPv4

We can see a "typical" IPv4 company network with :

  • Internet access through a proxy
  • "Other companies" access through a dedicated proxy
  • A direct access to local resources

All computers have a proxy.pac file that indicates which proxy to use or whether to connect directly. Computers have access to just a local DNS (no name resolution for google.com for example.)

By the way... the company does not respect RFC 1918 internally and uses public addresses (for historical reasons)! The explicit use of an Internet proxy makes it possible not to have problems.

What if we migrated to IPv6?


Step 1 : IPv6 internet access

Internet access in IPv6 is easy. Indeed, just connect the proxy to the Internet over IPv4 and IPv6. There is nothing to do in the internal network : Internet access IPv4 and IPv6


Step 2 : IPv6 AND IPv4 in internal network

And why not a full IPv6 network directly? Because there are always old servers that are not IPv6-compatible.

Option 1 : Same architecture as in IPv4 with a proxy pac

This is probably the easiest solution. But is this the best?

I think the transition to IPv6 is an opportunity not to bother with this proxy pac!

Option 2 : New architecture with transparent proxy, without proxypac, recursive DNS

Oh yes!

In this new architecture, we have:

  • Explicit Internet Proxy becomes a Transparent Internet Proxy
  • Local DNS becomes a Normal Recursive DNS + authoritative for local domains
  • No proxypac
  • Explicit Company Proxy becomes a Transparent Company Proxy
  • Routing
    • Internal routers redirect the IP of appx.ext.example.com to the Company Proxy.
    • The default gateway is the Transparent Internet proxy.

Questions

  • What do you think of this IPv6 architecture?
  • This architecture will reveal the IP addresses of our internal network, but it is protected by firewalls. Is this a real big problem? Should we keep the explicit use of a proxy?
  • How would you handle this migration scenario?
  • And you, how do you do it in your company?

Thanks! Feel free to edit my post to make it better.
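
The three-way routing the post describes (direct for local resources, a dedicated proxy for other companies, the Internet proxy for everything else) written as a proxy.pac file. This is an added example, not part of the original post: the proxy hostnames and the local domain suffix are hypothetical, only appx.ext.example.com comes from the post, and sending literal IPv6 addresses to the Internet proxy is an assumed policy.

```javascript
// Added example. Hypothetical names: both proxy hosts and the local suffix.
var INTERNET_PROXY = "PROXY internet-proxy.corp.example.com:8080";
var COMPANY_PROXY  = "PROXY company-proxy.corp.example.com:8080";
var LOCAL_SUFFIX   = ".corp.example.com";
// Suffix taken from appx.ext.example.com, the host named in the post.
var PARTNER_SUFFIX = ".ext.example.com";

// Browsers supply these PAC helpers. They are defined here only when
// missing, so the same file can be exercised outside a browser.
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
           host.substring(host.length - domain.length) === domain;
  };
}
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Dual-stack pitfall: an IPv6 literal has no dots, so isPlainHostName()
  // would treat it as a local short name and return DIRECT. Test for ':'
  // first. Assumed policy: literal addresses go through the Internet proxy.
  if (host.indexOf(":") !== -1) {
    return INTERNET_PROXY;
  }

  // Local resources: short names and the local DNS zone.
  if (isPlainHostName(host) || dnsDomainIs(host, LOCAL_SUFFIX)) {
    return "DIRECT";
  }

  // "Other companies" applications use the dedicated proxy. The leading
  // dot in the suffix keeps look-alike names from matching.
  if (dnsDomainIs(host, PARTNER_SUFFIX)) {
    return COMPANY_PROXY;
  }

  // Everything else, including names the local DNS cannot resolve.
  return INTERNET_PROXY;
}
```
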
