Configuring Virtual Appliances

There are three virtual appliance (VA) configuration options: standard, HTTP proxy, and secure tunnel. You can also optionally enable transport layer security for encrypted communication.

Standard VA Configuration

Standard is the default VA configuration option, as it allows the VA to connect to SailPoint and other required endpoints directly through the firewall.

Standard VA Considerations

  • There is no additional setup required to achieve connectivity after the network requirements are met.

  • You will have to add URLs to the allow list.

  • Deep-packet inspection is not supported.

  • SailPoint reserves the 10.255.255.241/28 IP range. If any sources reside in this range, traffic will not route properly.

Configuring Standard VAs

To configure standard VAs, refer to Creating Virtual Appliances.

HTTP Proxy VA Configuration

This configuration option requires additional setup to achieve connectivity through a previously configured proxy service. The VA connects to SailPoint and other required endpoints through the proxy.

HTTP Proxy VA Considerations

  • All HTTP/HTTPS traffic (VA communication, updates, internal or external) is routed through the proxy.

  • SailPoint reserves the 10.255.255.241/28 IP range. If any sources reside in this range, traffic will not route properly.

  • This configuration is not compatible with the secure tunnel configuration.

  • Traffic to external sources such as Salesforce, Box, ServiceNow, Office365, GoogleApps, GoToMeeting, WebEx, and Workday is also routed through the proxy. You may be able to allow traffic to these external sources; consult your network administrator for more information.

  • The connection from the VA to the proxy can be authenticated only if your proxy supports basic authentication over the connection string. If not, the connection must be unauthenticated. We do not currently support other authentication mechanisms. However, allowlisting the VA by its source IP address on the proxy may be used instead.

  • You will have to add URLs to the allow list.

  • Deep-packet inspection is not supported.

Configuring HTTP Proxy VAs

After you have deployed the VA image on your virtualization platform, but before creating VAs in IdentityNow, complete the following additional configuration steps to set up the HTTP proxy:

  1. Download the proxy.yaml file (SailPoint Compass login required), and copy it to /home/sailpoint/.

  2. Uncomment the https and http lines and replace the <proxyserver> and <port> values. A space after the colon and before the URL is required.

    https_proxy: http://<proxyserver>:<port>/

    http_proxy: http://<proxyserver>:<port>/

    Where <proxyserver> is either a host name or IP address. Typically both the http and https lines will point to a single server.

    Important

    If you have a host that needs to be reached directly over HTTP/HTTPS, you can bypass the proxy configuration by adding an exception to the proxy.yaml file. For example, you might have a custom connector that needs to reach locally-hosted APIs. In this case, add the following line to the proxy.yaml file:

    no_proxy: <host1>|<host2>

    Where <hostN> can be either a domain or an IP address. This can contain any number of hosts separated by pipe (|) symbols.

  3. Save the proxy.yaml file and exit the editor.

  4. Reboot the virtual appliance using the sudo reboot command.

  5. Proceed to Creating Virtual Appliances.
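A small checker for the proxy.yaml edited in step 2, added here as an example and not part of SailPoint's documentation or tooling: it flags a missing space after the colon, a malformed proxy value, lines that were never uncommented, and any no_proxy IP that falls inside the 10.255.255.241/28 range from the considerations above (the reserved ranges are a parameter, so other ranges can be checked the same way). The host names, port and sample files are constructed.

```python
import ipaddress
import re

# Range from the HTTP Proxy VA Considerations above. SailPoint writes it with a
# host address (.241/28), so strict=False normalises it to 10.255.255.240/28.
RESERVED_RANGES = [ipaddress.ip_network("10.255.255.241/28", strict=False)]

# Step 2 requires "key: value" with a space after the colon and an
# http://<proxyserver>:<port>/ value; no_proxy hosts are separated by "|".
PROXY_LINE = re.compile(r"^(https?_proxy): (http://[^\s:/]+:\d{1,5}/?)$")
NO_PROXY_LINE = re.compile(r"^no_proxy: (\S+)$")


def check_proxy_yaml(text, reserved=RESERVED_RANGES):
    """Return a list of findings for a proxy.yaml body; an empty list means OK."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or a line that was never uncommented
        if m := PROXY_LINE.match(line):
            seen.add(m.group(1))
        elif m := NO_PROXY_LINE.match(line):
            for host in m.group(1).split("|"):
                try:
                    addr = ipaddress.ip_address(host)
                except ValueError:
                    continue  # a domain name; only IP literals are range-checked
                if any(addr in net for net in reserved):
                    findings.append(f"line {lineno}: {host} is inside a SailPoint-reserved range")
        elif re.match(r"^(https?_proxy|no_proxy):\S", line):
            findings.append(f"line {lineno}: missing space after the colon")
        elif re.match(r"^https?_proxy: ", line):
            findings.append(f"line {lineno}: value must look like http://<proxyserver>:<port>/")
        else:
            findings.append(f"line {lineno}: unrecognised entry {line!r}")
    for key in ("http_proxy", "https_proxy"):
        if key not in seen:
            findings.append(f"{key} is missing or still commented out")
    return findings


# Constructed sample files (not SailPoint's): one correct, one with the mistakes
# the procedure warns about (still commented out, no space, reserved-range host).
GOOD = ("https_proxy: http://proxy.example.internal:3128/\n"
        "http_proxy: http://proxy.example.internal:3128/\n"
        "no_proxy: 192.0.2.10|apis.example.internal\n")
BAD = ("#https_proxy: http://proxy.example.internal:3128/\n"
       "http_proxy:http://proxy.example.internal:3128/\n"
       "no_proxy: 10.255.255.250\n")
```

Run `check_proxy_yaml(open("/home/sailpoint/proxy.yaml").read())` on the VA before rebooting; an empty list means the file matches the shape step 2 asks for.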

Secure Tunnel VA Configuration

If you are required to add outbound traffic to the allow list, and your firewall does not support domain entries, we recommend using a secure tunnel configuration. This option requires additional setup for the VA to connect to SailPoint and other endpoints through secure tunnel servers.

Secure Tunnel VA Considerations

  • The secure tunnel configuration has specific HTTPS network requirements.

  • All HTTP/HTTPS traffic (VA communication, updates, internal or external) is routed through the secure tunnel.

  • This configuration is not compatible with the HTTP proxy configuration.

  • Secure tunnel configuration is not supported for FedRAMP users.

  • SailPoint reserves the 10.255.255.241/28 and 172.16.0.0/22 IP ranges for secure tunnel communication. If any sources reside in these ranges, traffic will not route properly.

  • SSH traffic cannot be routed publicly.

  • This option makes it easy to generate a list of all outbound connections made by a VA during a specific window of time.

  • This option allows customers to limit the various outbound connections generated by the VA.

  • Deep-packet inspection is not supported.

Configuring Secure Tunnel VAs

After you have deployed the VA image on your virtualization platform, but before creating VAs in IdentityNow, complete the following additional configuration steps to install the SSL keys you need to communicate with the tunnel server:

  1. Download the SSL key for your IdentityNow server location.

  2. Find the IP address for the VA by running the ifconfig -a command.

  3. Copy the SSL package to your VA file system:

    scp <download_path>/slpt-keys.tar.gz sailpoint@<ip_address>:/home/sailpoint/slpt-keys.tar.gz

  4. Proceed to Creating Virtual Appliances.

Transport Layer Security

Transport Layer Security (TLS) is recommended for encrypted communication between VAs and sources that support it.

To enable TLS for a supported source:

  1. In IdentityNow, go to Admin > Connections > Sources, and select your supported source.

  2. In the source configuration settings, select Enable Transport Layer Security (TLS).

  3. Select Save.

The TLS certificate should be automatically copied to the VA cluster associated with the source.

For example, Active Directory sources include checkboxes to enable TLS support in the following source configuration settings:

  • Forest
  • Domain
  • IQ Service
  • Exchange

For information about IQService TLS configuration and manually adding certificates to VAs, refer to TLS Configuration on Virtual Appliances.

FIPS VA Configuration

FedRAMP users of IdentityNow may need to configure their VAs to be compliant with Federal Information Processing Standards (FIPS).

FIPS configuration is performed on each individual VA at the Linux kernel level.

Important

FIPS configuration on a VA cannot be reversed or disabled. If you decide later not to use FIPS mode, you must create new VAs from a fresh VA image.

For instructions and more information, refer to Configuring Virtual Appliances for FIPS Compliance using your Compass login.