Skip to content

System and Network Requirements

For successful VA deployment and configuration, your organization's environment must meet system and network requirements and allow VA traffic to required URLs.

System Requirements

Virtualization Environments

vSphere 6.5+ 

Microsoft Hyper-V Server 2016 or later, Windows Server 2016 or later.






VA Image Sizes

Processors:  2
Memory:  16 GB
Storage:  128 GB

Processors:  2-4
Memory:  16-32 GB
Storage:  128 GB

IdentityIQ Users With AI Services
Processors:  4
Memory:  16 GB
Storage:  128 GB

AWS EC2 Instance Size


Refer to Amazon EC2 Instance Types ​for details.

Azure VM Instance Size Standard_B4ms
GCP VM Instance Size x86 Processors: 2-4; Memory: 16-32 GB; Storage: 128 GB. Refer to Machine Families Resource and Comparison Guide.
VA Locations and Minimum Distributions
Virtual Machines 1 VA per virtual machine host.
Clusters 2 VAs minimum per cluster to ensure connectivity during updates.
VAs and Sources
  • Local - Each cluster should be installed in close proximity to the connected source system.
  • AWS/Azure - Each cluster should be placed in the Availability Zone as close as possible to the target sources. If your organization has a VPN connection to its AWS or Azure VPC, the VAs should be hosted in the same regions hosting the network gateways for your organization.
Sandbox 2 VAs minimum on your Sandbox cluster.
High Availability and Disaster Recovery 2 VAs minimum. A load balancer is not required.
 DMZ DMZ deployment is not recommended.

Network Requirements

DNS Servers Required. VAs must connect to your internal DNS servers. You can connect VAs to a local DNS server behind your firewall.
NTP Servers

Required. VAs must connect to a network time protocol (NTP) server. You can "connect VAs to a local NTP server behind your firewall.

HTTP Proxy Servers Optional. VA traffic must be allowed to access required URLs for external sources and tools.
Secure Tunnel Optional. VA traffic must be allowed access to primary and region-specific AWS URLs.
Deep Packet Inspection Not supported
Third-party Monitoring Not supported
SailPoint-reserved IP Ranges
  • - If any sources reside in this range, traffic will not route properly for any VA configuration type.
  • - If any sources reside in this range, traffic will not route properly for secure tunnel VA configurations.

Port Requirements

VA communication should be allowed through these ports in the specified directions.

Port Reason Direction IP Addresses Description
22 SSH Inbound Internal Only (Recommended) Used to access VA when inside your network
53 DNS Outbound All Used to access internal name servers and name resolution
123 NTP Outbound All Used for time synchronization. If you connect all of your VAs to a local NTP server, you can close port 123.
443 HTTPS Outbound All Used for HTTPS communication. The secure tunnel configuration has specific requirements for this port.


Target systems might have their own port requirements. VAs must be allowed to communicate over the ports required by target systems.

Secure Tunnel HTTPS Port Requirements

Port Reason Direction IP Addresses Description
443 HTTPS Outbound

US East (N. Virginia):

Europe (Frankfurt):

Europe (London):

Asia Pacific (Singapore):

Asia Pacific (Sydney):

Used for secure tunnel initialization and HTTPS communication.

Connecting the VA to a Local NTP Server

By default, VAs are configured to communicate with external network time protocol (NTP) servers using port 123. If you do not want to allow outbound access for port 123, you can configure your VAs to communicate with NTP servers behind your firewall.

Each VA must be configured individually. While you do not have to configure every VA to use your NTP server, you cannot close port 123 until all of your VAs have been configured to use internal NTP servers.

Complete the following steps to connect a VA to a local NTP server:

  1. Edit the timesyncd.conf file using the full path:

    sudoedit /etc/systemd/timesyncd.conf

  2. Add entries to the NTP line for local servers using the server host names or IP addresses. More than one server can be added, separated by a space.



    Be sure to remove the # sign on the NTP line before adding server names.

  3. Save the changes to the timesyncd.conf file.

  4. Restart the systemd-timesyncd daemon:

    sudo systemctl restart systemd-timesyncd

  5. To verify the UTC time status on the VA run:

    timedatectl status

Deep Packet Inspection is Not Supported

SailPoint does not support deep packet inspection (DPI) of VA traffic.

We recommend Transport Layer Security (TLS) for connections between the VA and sources that support TLS. Our systems enforce TLS certificate validity. Untrusted DPI certificates are automatically rejected, so the connections won’t work.

If you have DPI on your organization’s network, the only supported workaround is to use a secure tunnel configuration for the VA. Trusting DPI certificates signed by a Root Certificate Authority is not supported.

Allowing VA Traffic to Required URLs

Depending on your firewall configuration, you may need to add URLs to the allow list.

If you are required to add outbound traffic to the allow list, and your firewall does not support domain entries, we recommend you configure a secure tunnel VA.


  • These lists are subject to change without notice.

  • Deep packet inspection is not supported.

  • Allowing IP addresses of connected service endpoints is not supported.

Primary URLs

The following table lists URLs that must be accessible to the VA, regardless of the VA region.

URL Source Purpose



Flatcar Used for security patches and software updates




FedRAMP users only:


SailPoint Allows the VA to make REST requests to SailPoint

Datadog Sailpoint uses this service to manage events sent from the VA and gain insight into the current configuration and behavior of the machine.

LaunchDarkly Sailpoint uses this service to manage feature releases.


Refer to


Required for SailPoint to communicate with the appliance

NOTE: Some AWS URLs are specific to the zone configured for your deployment. Refer to Region-Specific AWS URLs.

FedRAMP users only:

Elastic Container Registry

SailPoint’s private container registry. Allows the VA to retrieve service updates.


Allows the clock to sync to standard.

NOTE: This is only applicable if you're using an external NTP server.

Region-specific AWS URLs

The services in this section must be accessible, but the URLs you must add to the allow list depend on the region configured for your VA. For example, SailPoint places messages into SQS in your region. The VA checks the queue for messages about work it needs to complete.

Supported AWS Regions Code
US East (N. Virginia) us-east-1
US West (Oregon) us-west-2
US-West (GovCloud) us-gov-west-1
Asia Pacific (Singapore) ap-southeast-1
Asia Pacific (Sydney) ap-southeast-2
Asia Pacific (Tokyo) ap-northeast-1
Canada (Central) ca-central-1
Europe (Frankfurt) eu-central-1
Europe (London) eu-west-2

Contact your SailPoint deployment team to determine the region you need to use.

You must always allow:

  • The primary AWS S3 URL (* as noted in Primary URLs.
  • The us-east-1 URL for each of these services, even if your region is located elsewhere.
  • The region-specific URL for each of these services if your tenant is in a region other than us-east-1.

The following table lists region-specific URLs that must be accessible to the VA. Replace <region_code> with the AWS region where your tenant resides.

Service Region-specific URLs to Allow

* and 

FedRAMP users only:


Refer to AWS Regional endpoints.

SQS and 

Refer to Amazon Simple Queue Service endpoints.

DynamoDB and

Refer to Amazon DynamoDB endpoints.

Elastic Container Registry and

FedRAMP users only:

Refer to Amazon ECR endpoints.

Firehose1 and 

FedRAMP users only:

Refer to Amazon Kinesis Data Firehose endpoints.

1 Required only for AI-Driven Identity Security with IdentityIQ


IdentityIQ Customers Using IAI Harvester Only

For IdentityIQ customers using the IAI Harvester, the following URL must be accessible to the VA:


If you are unable to use this URL, you may instead allow these specific URLs: