Configuring Virtual Appliances

There are three virtual appliance (VA) configuration options: standard, HTTP proxy, and network tunnel. You can also optionally enable transport layer security for encrypted communication.

Standard VA Configuration

Standard is the default VA configuration option, as it allows the VA to connect to SailPoint and other required endpoints directly through the firewall.

Standard VA Considerations

• There is no additional setup required to achieve connectivity after the network requirements are met.

• You will have to add URLs to the allow list.

• Deep-packet inspection is not supported.

• SailPoint reserves the 10.255.255.241/28 IP range. If any sources reside in this range, traffic will not route properly.

Configuring Standard VAs

To configure standard VAs, refer to Creating Virtual Appliances.

HTTP Proxy VA Configuration

This configuration option requires additional setup to achieve connectivity through a previously configured proxy service. The VA connects to SailPoint and other required endpoints through the proxy.

HTTP Proxy VA Considerations

• All HTTP/HTTPS traffic (VA communication, updates, internal or external) is routed through the proxy.

• SailPoint reserves the 10.255.255.241/28 IP range. If any sources reside in this range, traffic will not route properly.

• This configuration is not compatible with the network tunnel configuration.

• Traffic to external sources such as Salesforce, Box, ServiceNow, Office365, GoogleApps, GoToMeeting, WebEx, and Workday is also routed through the proxy. You may be able to allow traffic to these external sources; consult your network administrator for more information.

• The connection from the VA to the proxy can be authenticated only if your proxy supports basic authentication over the connection string. If not, the connection must be unauthenticated. We do not currently support other authentication mechanisms. However, adding IP address sources to the allow list may be used.

• You will have to add URLs to the allow list.

• Deep-packet inspection is not supported.

Configuring HTTP Proxy VAs

After you have deployed the VA image on your virtualization platform, but before creating VAs, complete the following additional configuration steps to set up the HTTP proxy:

1. Download the proxy.yaml file (SailPoint Compass login required), and copy it to /home/sailpoint/.

2. Uncomment the https and http lines and replace the <proxyserver> and <port> values. A space after the colon and before the URL is required.

   https_proxy: http://<proxyserver>:<port>/

   http_proxy: http://<proxyserver>:<port>/

   Where <proxyserver> is either a host name or IP address. Typically both the http and https lines will point to a single server.

   Important

   SailPoint does not recommend using the HTTP proxy VA configuration in cloud environments.

   If you choose to use the HTTP proxy VA configuration in a cloud environment, be sure to allow traffic to all required URLs and avoid connectivity to the cloud environment's metadata API.

   Important

   If you have a host that needs to be reached directly over HTTP/HTTPS, you can bypass the proxy configuration by adding an exception to the proxy.yaml file. For example, you might have a custom connector that needs to reach locally-hosted APIs. In this case, add the following line to the proxy.yaml file:

   no_proxy: <host1>|<host2>

   Where <hostN> can either be a domain or an IP address. This can contain any number of hosts separated by pipe (|) symbols.

3. Save the proxy.yaml file and exit the editor.

4. Create an empty file named config.yaml and place it in the folder /home/sailpoint/

5. The VA should automatically reboot. If this does not happen, reboot the virtual appliance using the sudo reboot command.

6. Proceed to Creating Virtual Appliances.

Network Tunnel VA Configuration

If you are required to add outbound traffic to the allow list, and your firewall does not support domain entries, we recommend using a network tunnel configuration. This option requires additional setup for the VA to connect to SailPoint and other endpoints through network tunnel servers.

Network Tunnel VA Considerations

• The network tunnel configuration has specific HTTPS network requirements.

• All HTTP/HTTPS traffic (VA communication, updates, internal or external) is routed through the network tunnel.

• This configuration is not compatible with the HTTP proxy configuration.

• Network tunnel configuration is not supported for FedRAMP users.

• SailPoint reserves the 10.255.255.241/28 and 172.16.0.0/22 IP ranges for network tunnel communication. If any sources reside in these ranges, traffic will not route properly.

• SSH traffic cannot be routed publicly.

• This option makes it easy to generate a list of all outbound connections made by a VA during a specific window of time.

• This option allows customers to limit the various outbound connections generated by the VA.

• Deep-packet inspection is not supported.

Configuring Network Tunnel VAs

After you have deployed the VA image on your virtualization platform, but before creating VAs, complete the following additional configuration steps to install the SSL keys you need to communicate with the tunnel server:

1. Download the SSL key for your Identity Security Cloud server location:

   • US East (N. Virginia)

   • Europe (Frankfurt)

   • Europe (London)

   • Asia Pacific (Singapore)

   • Asia Pacific (Sydney)

2. Find the IP address for the VA by running the ifconfig -a command.

3. Copy the SSL package to your VA file system:

   scp <download_path>/slpt-keys.tar.gz sailpoint@<ip_address>:/home/sailpoint/slpt-keys.tar.gz

4. Run the following command to start the tunnel: sudo systemctl start canal

5. Confirm that the tunnel is up and running:

   a. Verify that the container is stable in sudo docker ps.

   b. Verify the IP address from the VA using a site such as curl https://ifconfig.me/.

6. Proceed to Creating Virtual Appliances.

Transport Layer Security

Transport Layer Security (TLS) is recommended for encrypted communication between VAs and sources that support it.

To enable TLS for a supported source:

1. In your tenant, go to Admin > Connections > Sources, and select your supported source.

2. In the Source Setup section, select Use Transport Layer Security (TLS) on the relevant config pages.

3. Select Save.

The TLS certificate should be automatically copied to the VA cluster associated with the source.

For example, Active Directory sources include checkboxes to enable TLS support in the following source configuration settings:

• Forest
• Domain
• IQ Service
• Exchange

For information about IQService TLS configuration and manually adding certificates to VAs, refer to TLS Configuration on Virtual Appliances.

FIPS VA Configuration

FedRAMP users may need to configure their VAs to be compliant with Federal Information Processing Standards (FIPS).

FIPS configuration is performed on each individual VA at the Linux kernel level.

Important

FIPS configuration on a VA cannot be reversed or disabled. If you decide later not to use FIPS mode, you must create new VAs from a fresh VA image.

For instructions and more information, refer to Configuring Virtual Appliances for FIPS Compliance using your Compass login.

Configuring a Hosts.yaml File

Source connectors may need a host entry in the hosts.yaml file to complete an Identity Security Cloud Connector implementation.

To add a source host entry in the hosts.yaml file:

1. Go to /home/sailpoint/.
2. Create the file or edit an existing hosts.yaml file using the command vim hosts.yaml.

3. Add an entry for the source host.

   Important

   Example hosts.yaml

   hosts:
     10.20.30.40:
     - host1.domain.example
     - host1
     10.20.30.41:
     - host2.domain.example
     - host2
   

   Spacing and indentation in the hosts.yaml file must be precise:

   • The second line must start with two spaces followed by a valid IP address matching the IP address configured for the host.
   • The third line must start with two spaces followed by a dash and one additional space. It must contain a fully qualified hostname matching the fully qualified hostname configured for the source.
   • The fourth line must start with two spaces followed by a dash and one additional space. It must contain a hostname matching the hostname configured for the source.
   • Repeat second to fourth lines for multiple entries.

4. Save the hosts.yaml file.

5. Restart the charon service using the command sudo systemctl restart charon.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.