Skip to content

Getting Started With Virtual Appliances

Because the VA is critical to your SailPoint infrastructure, you'll need to understand your options, make crucial deployment and configuration decisions, and carefully complete deployment and configuration.


This process must be completed by someone with a clear understanding of the organization’s virtualization platform and network security requirements. These instructions assume expertise in the general tasks of deploying virtual machines on the organization's local network or cloud infrastructure.


  • VAs run with UTC as their time zone. The VA time zone cannot be changed.
  • Adding users, VA trust/key store access, and root access is not supported.
  • The VA uses Flatcar as its operating system. Prior to VA release, Flatcar releases and security updates are monitored in a sandbox environment for one week.
  • Organizations with IdentityIQ require additional configuration to deploy the VA. IdentityIQ users should refer to Deploying the Virtual Appliance with IdentityIQ.

VA Process Overview

The high-level steps to get a VA up-and-running are:

  1. Review and understand VA system and network requirements.

  2. Review and understand VA best practices.

  3. Review and select VA deployment options.

    Even though the VA itself runs Linux, the hypervisor can be any operating system that is compatible with your hardware. VA deployment options include:

    • Local with vSphere - ​​Deploy the downloaded image on a virtual machine behind your firewall. Local deployments require a static network.
    • Local with Hyper-V - ​​​​Deploy the downloaded image on a virtual machine behind your firewall. Local deployments require a static network.
    • AWS Cloud - ​Deploy our AMI on your AWS infrastructure.
    • Azure Cloud - ​​Deploy the downloaded image on a virtual machine running in your Azure environment.
    • Google Cloud Platform (GCP) - Deploy the downloaded image on a virtual machine running in your GCP environment.

    In addition to your selection of a deployment type, you should also consider options for high availability and disaster recovery.

  4. Review and select VA network configuration options.

    This selection determines how the VA will communicate with external systems. All communications, regardless of the deployment configuration selected, will be initiated as outbound only. No incoming communications from outside your network will be requested or required.


    Deep packet inspection (DPI) is not supported in any configuration.

    The following network configuration options are considered equally secure.

    • Standard - Uses the standard traffic generated by the VA.
    • HTTP Proxy - Routes all HTTP/HTTPS traffic through a proxy.
    • Secure Tunnel ​- Strictly limits the outbound connections generated by the VA.

    In addition, you can also implement:

    • Transport Layer Security (TLS) - Encrypts the connection between the VA and sources that support TLS. TLS encryption is recommended when connecting VAs to sources that support it.
    • Password Interceptor - If you enable password interception, IdentityNow intercepts password changes on supported sources (Active Directory and IBM i) and propagates them to the related source in IdentityNow.
    • Local NTP Server - If you do not want to allow outbound access for port 123, you can configure your VAs to communicate with NTP servers behind your firewall.
  5. Complete deployment steps for the VA deployment options you selected in Step 3.

  6. Complete configuration steps for the VA configuration options you selected in Step 4.

  7. Monitor and maintain your VA infrastructure.


Restarting the VA cluster is almost always the best first action to resolve problems with a VA.

If you cannot resolve a problem with a VA, consider standing up a new replacement VA or refer to the Virtual Appliance Troubleshooting Guide using your SailPoint Compass login.

Best Practices

SailPoint recommends the following best practices when deploying virtual appliances:

  • Locate VAs Close to Sources - To ensure a reliable connection between a VA and the source system, locate them as follows:

  • Local - Install clusters near the connected source system.

  • AWS/Azure/GCP - Place clusters in the Availability Zone as close as possible to the target sources. If your organization has a VPN connection to its AWS or Azure Virtual Private Cloud (VPC), the VAs should be hosted in the same region that's hosting the network gateways for your organization.

  • Deploy 2 VAs Minimum per Cluster - To ensure connectivity during updates, deploy at least 2 VAs per cluster because the VAs take turns updating.


    For organizations implementing AI-Driven Identity Security with IdentityIQ, only 1 VA is required for connectivity.

  • Maintain a 1:1 VA to Virtual Machine Ratio - To avoid a single point of failure in your environment, have a a 1:1 ratio of VA to VM.

  • To build in fault tolerance, configure local VAs in the same cluster to run on different servers whenever possible.
  • Spread VAs in the same cluster running in AWS/Azure across different Availability Zones.

  • Separate Sandbox and Production Clusters - Closely monitor your sandbox VA clusters and test connectivity changes before they go to production.

  • Create New VAs to Switch Deployment Locations and Platforms - Migrating existing VAs to a different deployment method is not supported. New VAs must be created to switch from one deployment method to another, such as from standard deployment to secure tunnel deployment.