11.3.1 Web SSO Over IPv6

Configuration: The L4 switch is configured to listen on IPv6 virtual IP addresses for the Identity Server and Access Gateway clusters, called here IDP-v6 and AG-v6. The Identity Server and Access Gateway servers must be configured in the L4 switch as the real server groups, IDP-Group and AG-Group, that serve the requests arriving at these IPv6 addresses.

All traffic sent to IDP-v6 and AG-v6 is forwarded to the Identity Server and Access Gateway clusters respectively, with the source IP address rewritten to the internal IPv4 address of the L4 switch (IPv4-Internal).

How it works: Incoming traffic to IDP-v6 and AG-v6 is distributed to IDP-Group and AG-Group according to the load-balancing algorithm configured in the L4 switch. Response traffic from the Identity Server and Access Gateway servers to IPv6 clients is first routed to IPv4-Internal and then forwarded back to the client with the source IP address of IDP-v6 or AG-v6. Traffic initiated by Identity Servers towards Access Gateway servers and vice versa (metadata exchange, artifact resolution and so on) must also be routed through the L4 switch. Because these servers understand only IPv4 addresses, each must resolve the Identity Server URL and the Access Gateway URL to the corresponding IPv4 addresses.

For example, if an internal DNS server is used, configure it to resolve the Identity Server and Access Gateway URLs to the IPv4 addresses. If a hosts file is used instead, and the IPv4 address of the Identity Server is 10.75.75.1 with the Identity Server URL www.idp.com, then every node in the Identity Server cluster must contain the line 10.75.75.1 www.idp.com in its hosts file.

The incoming traffic falls into two classes:

  • Traffic initiated by IPv6 clients.

  • Connections initiated by Access Gateway servers to Identity Servers.

Both classes are handled the same way, because the responses from the Identity Server and Access Gateway servers always carry IPv4 addresses; the L4 switch rewrites the source to the IPv6 address and forwards the response to the respective remote party. Clients can be configured with an IPv4 address, an IPv6 address or both (dual stack). An IPv6-only or dual-stack client must resolve the published DNS names of the Identity Server and Access Gateway to the respective IPv6 addresses (IDP-v6 and AG-v6).
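The two name-resolution requirements above (server nodes must map the published URLs to IPv4 addresses only; IPv6-only or dual-stack clients must map them to the IPv6 VIPs) are easy to get wrong when hosts files are maintained by hand. The following POSIX shell script is an added example, not part of this documentation or of the product: it parses hosts-file contents and checks both requirements. www.idp.com and 10.75.75.1 are the page's own example values; www.ag.com, 10.75.75.2, 2001:db8::1 (for IDP-v6) and 2001:db8::2 (for AG-v6) are assumed for illustration, and the hosts files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original documentation): verify the hosts-file
# mappings that Web SSO over IPv6 through an L4 switch depends on.
#  - Identity Server / Access Gateway nodes understand only IPv4, so their
#    published URLs must map to IPv4 addresses and never to an IPv6 VIP.
#  - IPv6-only or dual-stack clients must map the same URLs to IDP-v6 / AG-v6.
# www.idp.com and 10.75.75.1 come from the documentation; www.ag.com,
# 10.75.75.2, 2001:db8::1 and 2001:db8::2 are assumed for illustration.

# Print every address that HOSTS_FILE maps to NAME. Comments are stripped,
# names are matched as whole fields and compared case-insensitively, as
# hosts-file lookups are.
lookup_hosts() {
    hosts_file=$1
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sed 's/#.*//' "$hosts_file" | awk -v h="$name" '
        { for (i = 2; i <= NF; i++) if (tolower($i) == h) print $1 }'
}

# Return 0 only if NAME maps to EXPECTED and to nothing else; a missing entry
# or a second, conflicting entry both fail.
check_hosts_mapping() {
    hosts_file=$1; name=$2; expected=$3
    addrs=$(lookup_hosts "$hosts_file" "$name")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        [ "$a" = "$expected" ] || return 1
    done
    return 0
}

# Return 0 if no IPv6 literal (any address containing ':') is mapped to NAME.
# Use this on server nodes, which cannot reach an IPv6 VIP.
no_ipv6_for() {
    lookup_hosts "$1" "$2" | grep -q ':' && return 1
    return 0
}

# Constructed sample: hosts file of a correctly configured server node.
SERVER_HOSTS=$(mktemp)
cat > "$SERVER_HOSTS" <<'EOF'
127.0.0.1    localhost
10.75.75.1   www.idp.com    # Identity Server URL -> IPv4 (from the documentation)
10.75.75.2   www.ag.com     # Access Gateway URL  -> IPv4 (assumed)
EOF

# Constructed sample: a misconfigured server node that was given the IPv6 VIP.
BAD_SERVER_HOSTS=$(mktemp)
cat > "$BAD_SERVER_HOSTS" <<'EOF'
2001:db8::1  www.idp.com    # wrong on a server: IPv6 VIP (assumed address)
EOF

# Constructed sample: hosts file of an IPv6-only client pointing at the VIPs.
CLIENT_HOSTS=$(mktemp)
cat > "$CLIENT_HOSTS" <<'EOF'
2001:db8::1  www.idp.com    # IDP-v6 (assumed address)
2001:db8::2  www.ag.com     # AG-v6  (assumed address)
EOF
trap 'rm -f "$SERVER_HOSTS" "$BAD_SERVER_HOSTS" "$CLIENT_HOSTS"' EXIT

# report LABEL CHECK ARGS... : print OK/FAIL for one check without aborting.
report() {
    label=$1; shift
    if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

report "server maps www.idp.com to 10.75.75.1"   check_hosts_mapping "$SERVER_HOSTS" www.idp.com 10.75.75.1
report "server maps www.ag.com to 10.75.75.2"    check_hosts_mapping "$SERVER_HOSTS" www.ag.com 10.75.75.2
report "server has no IPv6 entry for www.idp.com" no_ipv6_for "$SERVER_HOSTS" www.idp.com
report "bad server has no IPv6 entry (expect FAIL)" no_ipv6_for "$BAD_SERVER_HOSTS" www.idp.com
report "client maps www.idp.com to IDP-v6"       check_hosts_mapping "$CLIENT_HOSTS" www.idp.com 2001:db8::1
report "client maps www.ag.com to AG-v6"         check_hosts_mapping "$CLIENT_HOSTS" www.ag.com 2001:db8::2
```

Run it on each cluster node and on a test client with the real hosts files substituted; when the names come from DNS instead, the same checks apply to the output of getent hosts or a resolver query rather than to a file.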