As the digital landscape evolves, so does the underlying infrastructure. IPv6 is steadily gaining traction. For organizations leveraging Zscaler, understanding how to seamlessly integrate IPv6 traffic from remote users while maintaining robust security is paramount. This guide highlights Zscaler’s commitment to IPv6 and discusses how Zscaler is fully equipped to service IPv6 traffic from your remote workforce, ensuring security policies are diligently enforced.

IPv6 versus IPv4

The modern Internet operates using two distinct IP addressing and routing protocols to identify devices and facilitate data transmission: IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6). IPv4 employs a 32-bit addressing system, while IPv6 utilizes a significantly larger 128-bit addressing scheme. IPv6 was developed to address the looming exhaustion of available IPv4 addresses. Despite IPv4's capacity to support approximately 4.3 billion unique addresses, the hierarchical allocation of its address space complicates equitable distribution. Moreover, substantial portions of the IPv4 address space are reserved for specific purposes – such as private addresses and multicast – further limiting its availability for direct use.

Techniques like Network Address Translation (NAT) and the deployment of private IP addresses in residential and corporate environments have temporarily alleviated IPv4 address scarcity. However, these measures will not last forever. With the ever-increasing demand for connectivity – driven by the proliferation of digital devices and services – the strain on IPv4 resources continues to intensify. IPv6 offers a long-term solution with its vastly expanded address space, designed to support the growing needs of the Internet. Nevertheless, transitioning the global Internet infrastructure to IPv6 is fraught with challenges due to its scale and the diverse stakeholders involved.
Consequently, the IPv4-based Internet is likely to persist, especially in regions with slower migration efforts, for many years to come. You can read more about this in the Embracing IPv6 with Zscaler blog here.

Zscaler's Commitment to IPv6

Over the past few years, Zscaler has progressively introduced and enhanced its support for IPv6. This strategic evolution empowers our customers to access internet content over IPv6, with the added advantage that security policies previously applied solely to IPv4 traffic can now be extended to IPv6 flows. While traffic forwarding to the Zscaler service still primarily relies on an IPv4 Virtual IP address, Zscaler possesses the capability to forward traffic to IPv6-only destinations. For a deeper dive into Zscaler's IPv6 capabilities, refer to our blog post and solution brief.

The Importance of IPv6 Configuration for Remote Users

Even if your enterprise WAN hasn't fully embraced IPv6, configuring your Zscaler environment for IPv6 is crucial. Laptops and mobile devices frequently encounter both dual-stack (support for both IPv4 and IPv6 simultaneously) and native IPv6 networks when users are outside the office, necessitating a forward-thinking approach. This article builds upon the foundational knowledge of Zscaler's IPv6 functionality detailed in this article.

Key Recommendations for Zscaler Client Connector

To ensure optimal performance and security for IPv6 traffic, consider the following recommendations for Zscaler Client Connector (ZCC) for Windows or Mac, version 4.3.0 or later:

Prioritize IPv4 in Dual-Stack Networks: We recommend enabling the Forwarding Profile option “Drop IPv6 in Dual Stack Networks.” This setting will force IPv4 when both IPv4 and IPv6 addresses are available on the client device.
This ensures that security policies based on IPv4 addressing and IPv4 destinations are enforced for users in IPv4 and dual-stack environments.

Default DNS Behavior: In most cases, leave the Windows-specific Application Profile feature “Disable Parallel IPv4 and IPv6 DNS requests” at its default setting of ‘None’. This is primarily to avoid interoperability issues with third-party DNS filtering solutions.

DNS Prioritization with Tunnel 2.0: When using Tunnel 2.0 and forwarding DNS requests to ZIA, use the Forwarding Profile option “Redirect Web Traffic to Zscaler Client Connector Listening Proxy” under Advanced Z-Tunnel 2.0 Configuration. All ZCC-initiated DNS requests will then benefit from the DNS-based IPv4 prioritization inherent in Zscaler Client Connector.

Configuring Zscaler Internet Access (ZIA) for IPv6

Begin by following the instructions in this help documentation to configure IPv6 for your Zscaler tenant. It's generally advisable to enable IPv6 for all ZIA tenants, irrespective of your enterprise network's IPv6 status. This proactive measure minimizes the risk of poor user experiences when connecting from third-party IPv6-native networks or those lacking robust IPv6 support.

Firewall Considerations for IPv6

When configuring your Zscaler firewall for IPv6 traffic, pay close attention to the order of your existing rules. For instance, if you have a rule to block QUIC traffic (as recommended here), any IPv6 allow rule should be positioned after this block to ensure that the intended QUIC block applies to IPv6 packets as well.
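To make the rule-ordering point concrete, here is an added example (not Zscaler's code and not its rule syntax) that models a first-match firewall ruleset in Python. It shows the QUIC block being bypassed when an "allow IPv6" rule sits above it, the same block taking effect once the order is corrected, and an IPv4-keyed destination rule silently not applying to the same host's IPv6 address. The rule names, the documentation-range addresses (192.0.2.0/24, 2001:db8::/32) and the implicit default action are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    dst: str        # destination IP literal
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    proto: Optional[str] = None        # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None        # destination port, None for any
    dst: Optional[str] = None          # destination CIDR, None for any
    ip_version: Optional[int] = None   # 4, 6 or None for both families

    def matches(self, flow: Flow) -> bool:
        dst_ip = ipaddress.ip_address(flow.dst)
        if self.ip_version is not None and dst_ip.version != self.ip_version:
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.dst is not None:
            net = ipaddress.ip_network(self.dst)
            # An IPv4 CIDR never matches an IPv6 destination, and vice versa.
            if net.version != dst_ip.version or dst_ip not in net:
                return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation: the first rule whose conditions all hold decides."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    # Assumed implicit default for this model; check what your tenant actually does.
    return "default", "block"


def ipv4_only_rules(rules: List[Rule]) -> List[str]:
    """Rules keyed on an IPv4 destination: candidates that may need an IPv6 twin."""
    return [r.name for r in rules if r.dst and ipaddress.ip_network(r.dst).version == 4]


# Constructed rules. QUIC is UDP/443; the "legacy subnet" stands in for any
# IPv4-keyed rule written before IPv6 destinations were a consideration.
BLOCK_QUIC = Rule("Block QUIC", "block", proto="udp", dport=443)
ALLOW_IPV6 = Rule("Allow IPv6", "allow", ip_version=6)
BLOCK_LEGACY_V4 = Rule("Block legacy subnet (IPv4)", "block", dst="192.0.2.0/24")
BLOCK_LEGACY_V6 = Rule("Block legacy subnet (IPv6)", "block", dst="2001:db8:1::/64")

RULES_MISORDERED = [ALLOW_IPV6, BLOCK_QUIC, BLOCK_LEGACY_V4]               # allow above the block
RULES_ORDERED = [BLOCK_QUIC, BLOCK_LEGACY_V4, ALLOW_IPV6]                  # block above the allow
RULES_UPDATED = [BLOCK_QUIC, BLOCK_LEGACY_V4, BLOCK_LEGACY_V6, ALLOW_IPV6]  # IPv6 twin added

# Constructed flows: the same dual-homed host reached over each family.
QUIC_V4 = Flow("192.0.2.10", "udp", 443)
QUIC_V6 = Flow("2001:db8:1::10", "udp", 443)
SMB_V4 = Flow("192.0.2.10", "tcp", 445)
SMB_V6 = Flow("2001:db8:1::10", "tcp", 445)

if __name__ == "__main__":
    for label, rules in (("misordered", RULES_MISORDERED),
                         ("ordered", RULES_ORDERED),
                         ("updated", RULES_UPDATED)):
        for flow in (QUIC_V4, QUIC_V6, SMB_V4, SMB_V6):
            name, action = evaluate(rules, flow)
            print(f"{label:10} {flow.dst:16} {flow.proto}/{flow.dport:<4} -> {action:5} ({name})")
        print(f"{label:10} IPv4-keyed rules to review: {ipv4_only_rules(rules)}")
```

Running the file prints each flow's verdict under each ruleset: with the allow rule first, QUIC over IPv6 is allowed even though QUIC over IPv4 is blocked, and the IPv4 subnet block never touches the host's IPv6 address until an IPv6 rule is added. The same walk over an export of a tenant's real rules is a quick way to find IPv4-keyed rules that need an IPv6 counterpart.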
Furthermore, review your existing IPv4-based rules and determine whether they need updates to account for potential IPv6 destinations.

Zscaler Client Connector Tunneling Modes

Zscaler Client Connector offers various tunneling modes, each with specific considerations for IPv6 traffic:

Tunnel with Local Proxy (TWLP)

When using Tunnel with Local Proxy (or Enforce Proxy) for “Forwarding Profile Action for ZIA,” system proxy settings are utilized to forward web requests to the Zscaler Client Connector local listener. IPv6 configuration in this mode is straightforward, with no special settings required or recommended. For bypassing web traffic flows, explicitly configuring a Forwarding Profile PAC (rather than using the system default) is recommended, as most bypasses should be managed within the Forwarding Profile PAC in TWLP.

Tunnel 1.0

In Tunnel Mode using Tunnel 1.0, all IPv4 and IPv6 TCP flows destined for ports 80 and 443 are redirected to the Zscaler Client Connector local listener.

"Drop IPv6 in Dual Stack Network" Recommendation: Zscaler recommends enabling the Forwarding Profile “Drop IPv6 in Dual Stack Network” feature. This ensures that security policies based on IPv4 addressing and IPv4 destinations are enforced for users in IPv4 and dual-stack environments.

"Drop IPv6 in IPv6 Only Network" Recommendation: Conversely, Zscaler recommends disabling the Forwarding Profile “Drop IPv6 in IPv6 Only Network” feature. Clients will not be able to access the Internet from IPv6-native environments if this switch is enabled. Note that at the time of this blog being published, Zscaler still requires a NAT64 translation of the IPv6 traffic from the clients to be able to service the traffic.

Dual Stack vs. IPv6 Only Environments

Understanding how Zscaler Client Connector behaves in different network environments is important to ensure that the device functions as desired:

Dual-Stack Networks: In a dual-stack network, Zscaler Client Connector will leverage IPv4 to communicate with the Zscaler cloud. IPv6 destinations will be "tunneled" through this IPv4 outer communication.

IPv6 Only Environments and NAT64: At the time of publishing of this post, in an IPv6-only environment, the presence of NAT64 services is a strict requirement for Zscaler Client Connector to communicate with the Zscaler cloud. While ZCC will use IPv6 for its initial connection, this traffic must be translated to IPv4 before it reaches the Zscaler cloud, as Zscaler is currently an intermediate IPv4-only destination. It's important to note that most, if not all, service providers offering IPv6-only connectivity will also provide NAT64 translation services, as clients would otherwise be unable to reach IPv4-only destinations.

Mac Devices: On Mac, Zscaler Client Connector will assign an IPv4 address to the utunX interface used for traffic forwarding. Even if IPv4 is absent, the OS often installs a "fake" IPv4 address (192.0.0.2) for CLAT purposes, which can make ZCC interpret the system as dual-stack. For Mac, the general recommendations for blocking IPv6 and tunneling IPv4 over NAT64 are usually sufficient.

Windows Devices: For Windows, there isn't a similar interface in the recommended packet filter mode, leading to slightly different scenarios:

Allow IPv6 with Enforcement: To allow IPv6 to flow through Zscaler with maximum enforcement, disable “Drop IPv6 in IPv6 Only Network” and add 2000::/3 to the IPv6 inclusions in the Application Profile specifically for Windows hosts.
This forwards all public IPv6 requests through Tunnel 2.0 to the Zscaler cloud.

Fail Closed (Disconnect): To disconnect the device in an IPv6-only environment (with Client Connector 4.6+), enable the “Drop IPv6 in IPv6 Only Network” switch, which will block all IPv6 communication.

Fail Open (Direct Flow): To allow IPv6 traffic to flow directly without Zscaler enforcement, disable “Drop IPv6 in IPv6 Only Network” and leave the IPv6 inclusions blank.

Conclusion

In an increasingly IPv6-centric world, Zscaler stands ready to secure your remote workforce, regardless of their network environment. By understanding and implementing these configurations, organizations can confidently embrace the future of the internet while maintaining a robust security posture and ensuring a seamless user experience. Zscaler’s commitment to IPv6 ensures that your journey to a more connected and secure future is well-supported.
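As an added illustration of the three Windows outcomes described in the "Dual Stack vs. IPv6 Only Environments" section (allow with enforcement, fail closed, fail open), the following Python model applies the two settings to a handful of sample IPv6 destinations. It is not Zscaler Client Connector's own logic: the setting names come from the post, but the profile dictionaries, function names and sample addresses are this example's own assumptions, and the model deliberately ignores everything the client does beyond the three described outcomes. What it does show concretely is which destinations the 2000::/3 inclusion actually covers.

```python
import ipaddress
from typing import Dict, List

# Prefix from the post: 2000::/3 is the IPv6 global unicast range.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# The three Windows outcomes the post describes, expressed as the two settings
# it names. The dictionary shape and keys are this example's own.
PROFILES: Dict[str, dict] = {
    "allow_with_enforcement": {"drop_ipv6_in_ipv6_only": False, "ipv6_inclusions": ["2000::/3"]},
    "fail_closed":            {"drop_ipv6_in_ipv6_only": True,  "ipv6_inclusions": []},
    "fail_open":              {"drop_ipv6_in_ipv6_only": False, "ipv6_inclusions": []},
}


def in_global_unicast(dst: str) -> bool:
    """True if the address falls inside 2000::/3."""
    return ipaddress.IPv6Address(dst) in GLOBAL_UNICAST


def disposition(dst: str, drop_ipv6_in_ipv6_only: bool, ipv6_inclusions: List[str]) -> str:
    """Simplified model of what happens to one IPv6 destination on an IPv6-only
    Windows host: 'blocked', 'tunnel' or 'direct'. A reading of the post's three
    described outcomes, not the client's real decision logic."""
    addr = ipaddress.IPv6Address(dst)
    if drop_ipv6_in_ipv6_only:
        return "blocked"          # switch on: all IPv6 communication is dropped
    for prefix in ipv6_inclusions:
        if addr in ipaddress.IPv6Network(prefix):
            return "tunnel"       # matched an inclusion: forwarded via Tunnel 2.0
    return "direct"               # nothing matched: flows without enforcement


def coverage(dsts: List[str], profile: str) -> Dict[str, str]:
    """Disposition of each destination under a named profile."""
    return {d: disposition(d, **PROFILES[profile]) for d in dsts}


# Constructed sample destinations (documentation and special-purpose ranges, not real hosts).
SAMPLES = [
    "2001:db8::1",          # global unicast (documentation prefix)
    "fe80::1",              # link-local
    "fd00::1",              # unique local (ULA)
    "64:ff9b::c000:201",    # NAT64 well-known prefix (RFC 6052) wrapping 192.0.2.1
    "::ffff:192.0.2.1",     # IPv4-mapped
]

if __name__ == "__main__":
    for name in PROFILES:
        print(f"--- {name} ---")
        for dst, verdict in coverage(SAMPLES, name).items():
            print(f"{dst:20} {verdict:8} (in 2000::/3: {in_global_unicast(dst)})")
```

One thing the prefix check makes visible: link-local, ULA and IPv4-mapped addresses sit outside 2000::/3, as does the NAT64 well-known prefix 64:ff9b::/96. A network whose DNS64 synthesizes addresses from that well-known prefix therefore produces destinations that a 2000::/3 inclusion does not match, whereas a provider that synthesizes from its own global unicast prefix is covered. Checking which prefix your IPv6-only networks use is a sensible step before relying on the inclusion alone.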
