Overview
The initial IPv6 support for WebAccess is only for browsers; there is currently no schedule for Cosign filters on protected websites connecting to webaccess.psu.edu via IPv6.
The support was done by adding DNS AAAA records to the DNS record for webaccess.psu.edu.
Changes (one) for Cosign Filters
One change is required: disable IP address checking. (Any website running in a load-balanced – multiple server – configuration already should have it turned off.)
Why?
The problem occurs when an dual-homed browser (not many today, but will increase over time) connects to WebAccess via IPv6, but connects to the protected website via IPv4 (or vice versa). The IP address retrieved (from the WebAccess servers) by the protected website’s Cosign filter will be IPv6, which will never match the IPv4 address seen by protected website. Without disabling IP address checking, the user’s browser will either loop, or be presented a never-ending display of the WebAccess re-authentication web page, and not be able to access the protected website.
How?
If you’re running an older version than listed below, contact us for instructions (or upgrade).
IIS 5/6 (IISCosign)
Current default value is “never check IP address”: if you’re running the latest version (3.0.0), nothing else is required.
IIS 7 (CosignModule)
Nothing required: this filter does not check IP addresses.
Apache (mod_cosign)
Since version 3.1.0, the default is “never check IP address”.
JavaCosign
The default value is “never check IP address”.
Frequently Asked Questions (FAQ)
- Does my cosign-protected website also have to implement IPv6 at the same time?
No. A dual-homed browser can still access your IPv4-only site via IPv4. - Can my cosign-protected website only use IPv6?
For browsers, yes. But not for your Cosign filter, which still needs an IPv4 address to connect to webaccess.psu.edu and verify Cosign cookies. That IPv4 address could be allocated from Penn State’s private IP address space.