In the following example I would like to explain how to implement IPv6 with dual-stack services on the Citrix NetScaler.

First I thought about the network design around the firewall. IPv6 follows the end-to-end principle: NAT is possible, but not necessary, because every host can carry a globally routable address. So in my case I route all IPv6 traffic directly to the NetScaler and built a kind of transfer network through the firewall. Keep in mind that without NAT the firewall's packet filter is the only thing between the internet and the VIPs.

Usually you get a /64 network from your provider; under certain circumstances it may be a /48.

In my case it is a /64 network. I assign its first usable address to the external interface of my firewall, as shown below on a Sophos UTM.

UTM_Interface_Configuration

The default gateway is fe80::1, a link-local address provided by my ISP. A link-local next hop is only valid on the interface it belongs to, so it is entered on the external interface.

As the next step, all IPv6 traffic must be routed from the external interface to the DMZ interface.

UTM_Policy_Route

On the DMZ interface I assign a second address from the /64; it will serve as the default gateway of the NetScaler.

UTM_DMZ_Interface_Configuration

For now we are finished with the firewall configuration. The packet-filter rules are added in a later step.

On the NetScaler we start with the network configuration. In my case I have set up two vServer IPs (VIPs) with a /128 prefix, which defines a single host address, similar to /32 in IPv4.

NetScaler_IP_Configuration

Next I define the IPv6 default route: the "internet" is written as ::/0, and the gateway is the address of the firewall's DMZ interface.

NetScaler_IP_Routes

That's it for the network configuration on the NetScaler; now you can add your LB, CS or NetScaler Gateway (NSG) vServer with an IPv6 address. To the backend I communicate over IPv4.

NetScaler_LB_vServer_IPv6

For dual-stack mode you need to configure an additional vServer with an IPv4 address, but with the same backend service group. In my case the IPv6 vServer is a load balancer and the IPv4 vServer is a content switch.

LoadBalancer – direct IPv6 addressing

NetScaler_LB_Overview

Content Switch – internal IPv4 address, with DNAT on the firewall

NetScaler_CS_Overview
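Because the NetScaler steps above survive only as screenshots, here is an added example (not the article's configuration and not Citrix code) in Python that validates such an addressing plan with the standard `ipaddress` module and prints the NetScaler CLI equivalent of the GUI steps. The plan layout follows the article: a /64 from the ISP, its first address on the external interface, a second address on the DMZ interface as the NetScaler gateway, /128 VIPs, a ::/0 route via the DMZ address, an IPv4 CS vServer behind a DNAT, and an IPv4-only backend. All addresses are constructed from documentation ranges, and the CLI syntax, the non-addressable LB vServer behind the CS vServer and the object names (`lb_web_v6`, `cs_web_v4`, `sg_web`, `lb_web_internal`) are my assumptions.

```python
"""Sanity-check a dual-stack NetScaler/UTM addressing plan and emit the NetScaler
CLI equivalent of the GUI steps.  Added example, not the article's configuration;
addresses are constructed from documentation ranges (2001:db8::/32, 192.0.2.0/24)."""
import ipaddress
from dataclasses import dataclass, replace

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class DualStackPlan:
    provider_prefix: str      # the /64 (or /48) delegated by the ISP
    fw_external: str          # first address, on the UTM external interface
    fw_dmz_gateway: str       # second address, on the UTM DMZ interface
    vips_v6: list             # NetScaler VIPs, written with /128
    default_route_v6: tuple   # (destination, gateway) as set on the NetScaler
    cs_vip_v4: str            # internal IPv4 address of the CS vServer
    dnat_public_v4: str       # public IPv4 the firewall DNATs to cs_vip_v4
    backend_v4: list          # service-group members; the backend stays IPv4
    port: int = 80


def example_plan(**overrides):
    """The article's layout with constructed addresses; overrides let you break it."""
    plan = DualStackPlan(
        provider_prefix="2001:db8:1::/64",
        fw_external="2001:db8:1::1",
        fw_dmz_gateway="2001:db8:1::2",
        vips_v6=["2001:db8:1::10/128", "2001:db8:1::11/128"],
        default_route_v6=("::/0", "2001:db8:1::2"),
        cs_vip_v4="10.1.1.10",
        dnat_public_v4="192.0.2.10",
        backend_v4=["10.1.2.11", "10.1.2.12"],
    )
    return replace(plan, **overrides)


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    prefix = ipaddress.ip_network(plan.provider_prefix)
    ext = ipaddress.ip_address(plan.fw_external)
    gw = ipaddress.ip_address(plan.fw_dmz_gateway)
    for name, addr in (("external", ext), ("DMZ gateway", gw)):
        if addr not in prefix:
            problems.append(f"firewall {name} address {addr} is outside {prefix}")
    # VIPs: /128 host addresses inside the delegated prefix, unique, and not
    # colliding with the firewall's own addresses.
    seen = set()
    for vip in plan.vips_v6:
        iface = ipaddress.ip_interface(vip)
        if iface.version != 6 or iface.ip not in prefix:
            problems.append(f"VIP {vip} is not an IPv6 address inside {prefix}")
            continue
        if iface.network.prefixlen != 128:
            problems.append(f"VIP {vip} must be configured as a /128 host address")
        if iface.ip in (ext, gw) or iface.ip in seen:
            problems.append(f"VIP {iface.ip} duplicates a firewall address or another VIP")
        seen.add(iface.ip)
    # Default route: ::/0 via the DMZ interface, not via the ISP's fe80::1.
    dest, via = plan.default_route_v6
    if ipaddress.ip_network(dest) != ipaddress.ip_network("::/0"):
        problems.append(f"default route destination must be ::/0, got {dest}")
    if ipaddress.ip_address(via) != gw:
        problems.append(f"default route gateway {via} is not the DMZ interface {gw}")
    # IPv4 side: a private CS vServer reached through a DNAT from a non-private
    # address; service-group members are IPv4 because the backend stays IPv4.
    cs = ipaddress.ip_address(plan.cs_vip_v4)
    pub = ipaddress.ip_address(plan.dnat_public_v4)
    if cs.version != 4 or not any(cs in n for n in RFC1918):
        problems.append(f"CS vServer address {cs} should be an RFC 1918 address")
    if pub.version != 4 or any(pub in n for n in RFC1918):
        problems.append(f"DNAT address {pub} must not be an RFC 1918 address")
    for member in plan.backend_v4:
        if ipaddress.ip_address(member).version != 4:
            problems.append(f"backend {member} is not IPv4")
    return problems


def netscaler_commands(plan):
    """NetScaler CLI equivalent of the GUI steps (assumed syntax; check your release)."""
    dest, via = plan.default_route_v6
    cmds = ["enable ns feature LB CS"]
    cmds += [f"add ns ip6 {vip} -type VIP" for vip in plan.vips_v6]
    cmds.append(f"add route6 {dest} {via}")
    cmds.append("add serviceGroup sg_web HTTP")
    cmds += [f"bind serviceGroup sg_web {m} {plan.port}" for m in plan.backend_v4]
    v6 = ipaddress.ip_interface(plan.vips_v6[0]).ip
    cmds += [
        f"add lb vserver lb_web_v6 HTTP {v6} {plan.port}",
        "bind lb vserver lb_web_v6 sg_web",
        # A CS vServer forwards to an LB vServer; a non-addressable one (0.0.0.0
        # port 0) lets the IPv4 path reuse the same service group.
        "add lb vserver lb_web_internal HTTP 0.0.0.0 0",
        "bind lb vserver lb_web_internal sg_web",
        f"add cs vserver cs_web_v4 HTTP {plan.cs_vip_v4} {plan.port}",
        "bind cs vserver cs_web_v4 -lbvserver lb_web_internal",
    ]
    return cmds
```

Run `check_plan(example_plan())` before touching the appliance; a typical mistake it catches is pointing the NetScaler's default route at the ISP's fe80::1 instead of the DMZ interface, or entering a VIP with the /64 mask of the provider prefix. After applying the commands, `show ns ip6` and `show route6` on the NetScaler should reflect the same plan.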


Now we create an access rule on the firewall that allows HTTP and HTTPS traffic to the VIPs on the NetScaler. Because the IPv6 VIPs are reachable without NAT, restrict the rule to TCP 80 and 443 and to the VIP addresses themselves.

UTM_Firewall_access_Rule

As the last step, the DNS configuration must be adapted. We have to add an AAAA record, the IPv6 counterpart of a simple A record.

DNS_DualStack

A dual-stack client first tries to resolve the AAAA record and connects over IPv6 if it gets one; if there is no AAAA record, or the client has no IPv6 connectivity because its ISP does not support IPv6, it falls back to the A record. In the following screenshot you see a ping to the same name (a CNAME) with different results; most ping implementations let you force one family with `-4` or `-6`.

PING_www_netscaler_expert
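The fallback described above is what a dual-stack client does with the two records; the following added example (not from the article) models it in Python, simplified from the address ordering of RFC 8305 ("Happy Eyeballs"): AAAA answers are tried first, A answers are the fallback. The DNS answers, the host names and the two reachability functions that stand in for a TCP connect are constructed so it runs offline; the addresses match the VIP and DNAT addresses assumed earlier in this page.

```python
"""Address selection of a dual-stack client, simplified from RFC 8305 (Happy
Eyeballs): IPv6 answers are tried first, IPv4 answers are the fallback.
Added example, not from the article; answers and reachability are constructed."""
import ipaddress

# Constructed resolver answers: the AAAA points at the NetScaler IPv6 VIP, the A
# record at the firewall's public address that is DNATed to the IPv4 CS vServer.
ANSWERS = {
    "www.example.net": {"AAAA": ["2001:db8:1::10"], "A": ["192.0.2.10"]},
    "legacy.example.net": {"AAAA": [], "A": ["192.0.2.20"]},  # no AAAA published
}


def candidate_order(records, prefer_v6=True):
    """Interleave the families starting with the preferred one, as RFC 8305 does,
    so that one dead family cannot block the whole candidate list."""
    v6, v4 = records.get("AAAA", []), records.get("A", [])
    first, second = (v6, v4) if prefer_v6 else (v4, v6)
    ordered = []
    for i in range(max(len(first), len(second))):
        ordered += first[i:i + 1] + second[i:i + 1]
    return ordered


def connect(name, answers, reachable):
    """Try candidates in order until one is reachable.  `reachable` stands in for
    the TCP connect; returns (address used, addresses that failed before it)."""
    failed = []
    for addr in candidate_order(answers.get(name, {})):
        if reachable(addr):
            return addr, failed
        failed.append(addr)
    raise ConnectionError(f"{name}: no reachable address, tried {failed}")


def dual_stack_client(addr):
    """Client behind an ISP that routes both families: everything is reachable."""
    return True


def ipv4_only_client(addr):
    """Client whose ISP does not route IPv6: the AAAA answer never connects."""
    return ipaddress.ip_address(addr).version == 4


def dns_is_consistent(records, vip_v6, dnat_v4):
    """Both records must point at the intended front door; otherwise one family
    silently lands somewhere else.  Run this after editing the zone."""
    return records.get("AAAA") == [vip_v6] and records.get("A") == [dnat_v4]
```

The practical consequence for the setup on this page: once the AAAA record is published, a client with broken IPv6 still reaches the site over the IPv4 content switch, but only after its IPv6 attempt fails, so test both paths (for example with `ping -6` and `ping -4`) rather than relying on one successful connection.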

I hope this article is useful for you. It is my first IPv6 project, so for tips or suggestions please use the comment function.
