Configuring Virtual Appliances
There are three virtual appliance (VA) configuration options: standard, HTTP proxy, and secure tunnel. You can also optionally enable Transport Layer Security (TLS) for encrypted communication with sources that support it, and FedRAMP users may additionally need to configure FIPS mode.
Standard VA Configuration
Standard is the default VA configuration option, as it allows the VA to connect to SailPoint and other required endpoints directly through the firewall.
Standard VA Considerations
- There is no additional setup required to achieve connectivity after the network requirements are met.
- You will have to add URLs to the allow list.
- Deep-packet inspection is not supported.
Configuring Standard VAs
To configure standard VAs, refer to Creating Virtual Appliances.
HTTP Proxy VA Configuration
This configuration option requires additional setup to achieve connectivity through a previously configured proxy service. The VA connects to SailPoint and other required endpoints through the proxy.
HTTP Proxy VA Considerations
- All HTTP/HTTPS traffic (VA communication, updates, internal or external) is routed through the proxy.
- SailPoint reserves the 10.255.255.241/28 IP range. If any sources reside in this range, implementing this configuration will prevent those sources from properly routing traffic.
- This configuration is not compatible with the secure tunnel configuration.
- Traffic to external sources such as Salesforce, Box, ServiceNow, Office365, GoogleApps, GoToMeeting, WebEx, and Workday is also routed through the proxy. You may be able to allow traffic to these external sources; consult your network administrator for more information.
- The connection from the VA to the proxy can be authenticated only if your proxy supports basic authentication with the credentials embedded in the proxy connection string. If not, the connection must be unauthenticated; no other authentication mechanism is currently supported. As an alternative to authentication, the proxy may allow-list the VA's source IP address.
- You will have to add URLs to the allow list.
- Deep-packet inspection is not supported.
Configuring HTTP Proxy VAs
After you have deployed the VA image on your virtualization platform, but before creating VAs in IdentityNow, complete the following additional configuration steps to set up the HTTP proxy:
- Download the proxy.yaml file (SailPoint Compass login required) and copy it to /home/sailpoint/.
- Uncomment the https and http lines and replace the <proxyserver> and <port> values. A space after the colon and before the URL is required:

  https_proxy: http://<proxyserver>:<port>/
  http_proxy: http://<proxyserver>:<port>/

  Where <proxyserver> is either a host name or IP address. Typically both the http and https lines will point to a single server.

  Important: If you have a host that needs to be reached directly over HTTP/HTTPS, you can bypass the proxy for it by adding an exception to the proxy.yaml file. For example, you might have a custom connector that needs to reach locally-hosted APIs. In this case, add the following line to the proxy.yaml file:

  no_proxy: <host1>|<host2>

  Where <hostN> can be either a domain or an IP address. The list can contain any number of hosts separated by pipe (|) symbols.
- Save the proxy.yaml file and exit the editor.
- Reboot the virtual appliance using the sudo reboot command.
- Proceed to Creating Virtual Appliances.
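The following script is an added example, not SailPoint's code or part of the VA image. It renders a proxy.yaml in the form the steps above require and checks an existing one for the mistakes that commonly stop the VA from reaching the proxy after the reboot (no space after the colon, a line left commented out, a malformed no_proxy list). The key names, the space-after-colon rule and the pipe-separated no_proxy syntax come from the procedure; the accepted host-name syntax, the user:password@ form for basic authentication in the connection string, and the function names are assumptions.

```python
"""Render and sanity-check a proxy.yaml for an HTTP proxy VA.

Added example, not SailPoint's code. The key names (https_proxy, http_proxy,
no_proxy), the "space after the colon" rule and the pipe-separated no_proxy
list are taken from the procedure above; the rest (the validation rules, the
host name syntax accepted, the basic-auth form user:password@host) is assumed.
"""
import re
from urllib.parse import quote

PROXY_KEYS = ("https_proxy", "http_proxy")

# http://<proxyserver>:<port>/ with an optional user:password@ prefix (basic auth carried
# in the connection string, the only proxy authentication the page says is supported).
PROXY_URL_RE = re.compile(
    r"^http://(?:(?P<user>[^:@/\s]+):(?P<password>[^@/\s]*)@)?"
    r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})/$"
)
# A no_proxy entry: a domain name or an IPv4 address (assumption: no CIDR or wildcard syntax).
NO_PROXY_ENTRY_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*$")


def render_proxy_yaml(proxy_host, port, no_proxy=(), username=None, password=None):
    """Return proxy.yaml text in the form the VA expects (see the procedure above)."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    auth = ""
    if username is not None:
        # Reserved characters in credentials must be percent-encoded inside the URL.
        auth = f"{quote(username, safe='')}:{quote(password or '', safe='')}@"
    url = f"http://{auth}{proxy_host}:{port}/"
    lines = [f"{key}: {url}" for key in PROXY_KEYS]  # exactly one space after the colon
    if no_proxy:
        lines.append("no_proxy: " + "|".join(no_proxy))
    return "\n".join(lines) + "\n"


def validate_proxy_yaml(text):
    """Return a list of problems found in proxy.yaml text; an empty list means it looks right."""
    problems = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or still commented out
        m = re.match(r"^(\w+):(\s*)(.*)$", line)
        if not m:
            problems.append(f"line {lineno}: not a 'key: value' pair")
            continue
        key, gap, value = m.groups()
        if key not in PROXY_KEYS and key != "no_proxy":
            continue  # leave unrelated keys alone
        seen.add(key)
        if not gap:
            problems.append(f"line {lineno}: {key} needs a space after the colon")
        if key in PROXY_KEYS:
            url = PROXY_URL_RE.match(value)
            if not url:
                problems.append(f"line {lineno}: {key} must look like http://<proxyserver>:<port>/")
            elif not 1 <= int(url.group("port")) <= 65535:
                problems.append(f"line {lineno}: {key} port is out of range")
        else:
            for host in value.split("|"):
                if not NO_PROXY_ENTRY_RE.match(host):
                    problems.append(f"line {lineno}: no_proxy entry {host!r} is not a domain or IPv4 address")
    for key in PROXY_KEYS:
        if key not in seen:
            problems.append(f"{key} is missing or still commented out")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a good file and one with the usual mistakes.
    good = render_proxy_yaml("proxy.example.com", 3128, no_proxy=("api.internal.example", "10.0.0.5"))
    print(good)
    print(validate_proxy_yaml(good))  # []
    bad = (
        "https_proxy:http://proxy.example.com:3128/\n"   # no space after the colon
        "#http_proxy: http://proxy.example.com:3128/\n"  # still commented out
        "no_proxy: api.internal.example|bad host\n"      # entry with a space
    )
    for problem in validate_proxy_yaml(bad):
        print(problem)
```

Run validate_proxy_yaml on the file before issuing sudo reboot, since a malformed file is only noticed once the VA fails to reach SailPoint. If you embed proxy credentials in the connection string, remember that they sit in clear text in /home/sailpoint/proxy.yaml; restricting the file to the sailpoint user (chmod 600) is a sensible precaution.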
Secure Tunnel VA Configuration
If you are required to add outbound traffic to the allow list, and your firewall accepts only IP addresses rather than domain names in allow-list entries, we recommend using a secure tunnel configuration. This option requires additional setup for the VA to connect to SailPoint and other endpoints through secure tunnel servers.
Secure Tunnel VA Considerations
- The secure tunnel configuration has specific HTTPS network requirements.
- All HTTP/HTTPS traffic (VA communication, updates, internal or external) is routed through the secure tunnel.
- This configuration is not compatible with the HTTP proxy configuration.
- Secure tunnel configuration is not supported for FedRAMP users.
- SailPoint reserves the 172.16.0.0/22 IP range for secure tunnel communication. If any sources reside in this range, implementing this configuration will prevent those sources from properly routing traffic.
- SSH traffic cannot be routed publicly.
- This option makes it easy to generate a list of all outbound connections made by a VA during a specific window of time.
- This option allows customers to limit the various outbound connections generated by the VA.
- Deep-packet inspection is not supported.
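Both the HTTP proxy and the secure tunnel options reserve an IP range that your sources must not occupy, so it is worth checking the source inventory before choosing an option. The script below is an added example, not SailPoint's code: it tests each source (a host address or a CIDR subnet) against the two reserved ranges stated on this page and reports which option, if either, is free of collisions. The inventory format and the function names are assumptions. Note that 10.255.255.241/28 as written is not aligned on a /28 boundary; the check masks the host bits and treats the reserved block as 10.255.255.240/28.

```python
"""Check a source inventory against the IP ranges SailPoint reserves for VA traffic.

Added example, not SailPoint's code. The two reserved ranges are the ones stated
in the considerations above; the inventory format (source name -> host IP or
CIDR subnet) and the function names are assumptions.
"""
import ipaddress

# Ranges the page says SailPoint reserves, keyed by VA configuration option.
# 10.255.255.241/28 is not aligned on a /28 boundary; strict=False masks the host
# bits so the check covers the block that contains it, 10.255.255.240/28 (.240-.255).
RESERVED = {
    "http_proxy": ipaddress.ip_network("10.255.255.241/28", strict=False),
    "secure_tunnel": ipaddress.ip_network("172.16.0.0/22"),
}


def reserved_conflicts(sources, option):
    """Return (name, address) pairs for sources that overlap the range reserved for `option`.

    `sources` maps a source name to a host IP ("10.20.30.40") or a subnet ("172.16.2.0/24");
    a bare host address is treated as a /32.
    """
    reserved = RESERVED[option]
    conflicts = []
    for name, address in sources.items():
        net = ipaddress.ip_network(address, strict=False)
        if net.version == reserved.version and net.overlaps(reserved):
            conflicts.append((name, address))
    return conflicts


def clear_options(sources):
    """Return the VA configuration options whose reserved range no source collides with."""
    return [option for option in RESERVED if not reserved_conflicts(sources, option)]


# Constructed inventory for the demonstration.
SOURCES = {
    "ad-corp": "10.20.30.40",
    "hr-db": "10.255.255.250",      # inside the block reserved for HTTP proxy VAs
    "lab-subnet": "172.16.2.0/24",  # inside the range reserved for secure tunnel VAs
    "sap": "192.168.5.10",
}

if __name__ == "__main__":
    for option in RESERVED:
        print(option, "conflicts:", reserved_conflicts(SOURCES, option))
    print("options with no reserved-range conflicts:", clear_options(SOURCES))
```

A source listed as a subnet is flagged if any part of it overlaps the reserved block, which is the conservative choice: a connector host inside that block would lose routing once the option is enabled, and the considerations above give no way to exempt it.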
Configuring Secure Tunnel VAs
After you have deployed the VA image on your virtualization platform, but before creating VAs in IdentityNow, complete the following additional configuration steps to install the SSL keys you need to communicate with the tunnel server:
- Download the SSL key package for your IdentityNow server location.
- Find the IP address of the VA by running the ifconfig -a command on the VA.
- Copy the SSL package to the VA file system:

  scp <download_path>/slpt-keys.tar.gz sailpoint@<ip_address>:/home/sailpoint/slpt-keys.tar.gz

- Proceed to Creating Virtual Appliances.
Transport Layer Security
Transport Layer Security (TLS) is recommended for encrypted communication between VAs and sources that support it.
To enable TLS for a supported source:
- In IdentityNow, go to Admin > Connections > Sources, and select your supported source.
- In the source configuration settings, select Enable Transport Layer Security (TLS).
- Select Save.
The TLS certificate is then copied automatically to the VA cluster associated with the source.
For example, Active Directory sources include checkboxes to enable TLS support in the following source configuration settings:
- Forest
- Domain
- IQ Service
- Exchange
For information about IQService TLS configuration and manually adding certificates to VAs, refer to TLS Configuration on Virtual Appliances.
FIPS VA Configuration
FedRAMP users of IdentityNow may need to configure their VAs to be compliant with Federal Information Processing Standards (FIPS).
FIPS configuration is performed on each individual VA at the Linux kernel level.
Important
FIPS configuration on a VA cannot be reversed or disabled. If you decide later not to use FIPS mode, you must create new VAs from a fresh VA image.
For instructions and more information, refer to Configuring Virtual Appliances for FIPS Compliance using your Compass login.