System and Network Requirements
For successful VA deployment and configuration, your organization's environment must meet system and network requirements and allow VA traffic to required URLs.
System Requirements
| Virtualization Environments |
|||
| Local |
vSphere 6.5+ Microsoft Hyper-V Server 2016 or later, Windows Server 2016 or later.
|
||
| Cloud |
AWS Azure GCP |
||
| VA Image Sizes | |||
| Local |
Minimum |
Recommended |
IdentityIQ Users With AI Services |
| AWS EC2 Instance Size |
M5.xlarge or equivalent size x86 Processors: 2-4 Refer to Amazon EC2 Instance Types for details. |
||
| Azure VM Instance Size |
Standard_B4ms or equivalent size x86 Processors: 2-4 Refer to Azure Virtual Machine Sizes for details. |
||
| GCP VM Instance Size |
n2-standard-4 or equivalent size x86 Processors: 2-4 Refer to Machine Families Resource and Comparison Guide for details. |
||
| VA Locations and Minimum Distributions |
|||
| Virtual Machines | 1 VA per virtual machine host. | ||
| Clusters | 2 VAs minimum per cluster to ensure connectivity during updates. | ||
| VAs and Sources |
|
||
| Sandbox | 2 VAs minimum on your Sandbox cluster. | ||
| High Availability and Disaster Recovery | 2 VAs minimum. A load balancer is not required. | ||
| DMZ | DMZ deployment is not recommended. | ||
Network Requirements
| DNS Servers | Required. VAs must connect to your internal DNS servers. You can connect VAs to a local DNS server behind your firewall. |
| NTP Servers |
Required. VAs must connect to a network time protocol (NTP) server. You can "connect VAs to a local NTP server behind your firewall. |
| HTTP Proxy Servers | Optional. VA traffic must be allowed to access required URLs for external sources and tools. |
| Secure Tunnel | Optional. VA traffic must be allowed access to primary and region-specific AWS URLs. |
| Deep Packet Inspection | Not supported |
| Third-party Monitoring | Not supported |
| SailPoint-reserved IP Ranges |
|
Port Requirements
VA communication should be allowed through these ports in the specified directions.
| Port | Reason | Direction | IP Addresses | Description |
| 22 | SSH | Inbound | Internal Only (Recommended) | Used to access VA when inside your network |
| 53 | DNS | Outbound | All | Used to access internal name servers and name resolution |
| 123 | NTP | Outbound | All | Used for time synchronization. If you connect all of your VAs to a local NTP server, you can close port 123. |
| 443 | HTTPS | Outbound | All | Used for HTTPS communication. The secure tunnel configuration has specific requirements for this port. |
Important
Target systems might have their own port requirements. VAs must be allowed to communicate over the ports required by target systems.
Secure Tunnel HTTPS Port Requirements
| Port | Reason | Direction | IP Addresses | Description |
| 443 | HTTPS | Outbound |
US East (N. Virginia): 52.206.133.183 52.206.132.240 52.206.130.59 Europe (Frankfurt): 35.157.132.22 35.157.185.79 35.157.251.228 Europe (London): 18.130.210.174 18.130.148.201 35.178.220.78 Asia Pacific (Singapore): 52.77.39.81 13.250.189.48 54.251.149.153 Asia Pacific (Sydney): 52.65.42.92 13.55.78.212 3.24.127.50 |
Used for secure tunnel initialization and HTTPS communication. |
Connecting the VA to a Local NTP Server
By default, VAs are configured to communicate with external network time protocol (NTP) servers using port 123. If you do not want to allow outbound access for port 123, you can configure your VAs to communicate with NTP servers behind your firewall.
Each VA must be configured individually. While you do not have to configure every VA to use your NTP server, you cannot close port 123 until all of your VAs have been configured to use internal NTP servers.
Complete the following steps to connect a VA to a local NTP server:
-
Edit the
timesyncd.conffile using the full path:sudoedit /etc/systemd/timesyncd.conf -
Add entries to the NTP line for local servers using the server host names or IP addresses. More than one server can be added, separated by a space.
Examples:
NTP=chronos.acme.comNTP=chronos1.acme.com chronos2.acme.comCaution
Be sure to remove the # sign on the NTP line before adding server names.
-
Save the changes to the
timesyncd.conffile. -
Restart the
systemd-timesyncddaemon:sudo systemctl restart systemd-timesyncd -
To verify the UTC time status on the VA run:
timedatectl status
Deep Packet Inspection is Not Supported
SailPoint does not support deep packet inspection (DPI) of VA traffic.
We recommend Transport Layer Security (TLS) for connections between the VA and sources that support TLS. Our systems enforce TLS certificate validity. Untrusted DPI certificates are automatically rejected, so the connections won’t work.
If you have DPI on your organization’s network, the only supported workaround is to use a secure tunnel configuration for the VA. Trusting DPI certificates signed by a Root Certificate Authority is not supported.
Allowing VA Traffic to Required URLs
Depending on your firewall configuration, you may need to add URLs to the allow list.
If you are required to add outbound traffic to the allow list, and your firewall does not support domain entries, we recommend you configure a secure tunnel VA.
Notes
-
These lists are subject to change without notice.
-
Deep packet inspection is not supported.
-
Allowing IP addresses of connected service endpoints is not supported.
Primary URLs
The following table lists URLs that must be accessible to the VA, regardless of the VA region.
| URL | Source | Purpose |
|
*.flatcar-linux.net *.flatcar-linux.org |
Flatcar | Used for security patches and software updates |
|
*.identitynow.com *.api.identitynow.com *.sailpoint.com global.secure-api.infra.identitynow.com va-access.infra.identitynow.com FedRAMP users only: *.sailpointfedramp.com |
SailPoint | Allows the VA to make REST requests to SailPoint |
| app.datadoghq.com |
Datadog | Sailpoint uses this service to manage events sent from the VA and gain insight into the current configuration and behavior of the machine. |
| *.launchdarkly.com |
LaunchDarkly | Sailpoint uses this service to manage feature releases. |
|
s3.amazonaws.com *.s3.amazonaws.com Refer to https://aws.amazon.com/s3/. |
AWS |
Required for SailPoint to communicate with the appliance NOTE: Some AWS URLs are specific to the zone configured for your deployment. Refer to Region-Specific AWS URLs. |
|
api.ecr.us-east-1.amazonaws.com ecr.us-east-1.amazonaws.com 874540850173.dkr.ecr.us-east-1.amazonaws.com FedRAMP users only: api.ecr.us-gov-west-1.amazonaws.com ecr.us-gov-west-1.amazonaws.com ecr-fips.us-gov-west-1.amazonaws.com 240112628119.dkr.ecr-fips.us-gov-west-1.amazonaws.com 240112628119.dkr.ecr.us-gov-west-1.amazonaws.com 229634586956.dkr.ecr-fips.us-gov-west-1.amazonaws.com 229634586956.dkr.ecr.us-gov-west-1.amazonaws.com |
Elastic Container Registry |
SailPoint’s private container registry. Allows the VA to retrieve service updates. |
| NTP | N/A |
Allows the clock to sync to standard. NOTE: This is only applicable if you're using an external NTP server. |
Region-specific AWS URLs
The services in this section must be accessible, but the URLs you must add to the allow list depend on the region configured for your VA. For example, SailPoint places messages into SQS in your region. The VA checks the queue for messages about work it needs to complete.
| Supported AWS Regions | Code |
| US East (N. Virginia) | us-east-1 |
| US West (Oregon) | us-west-2 |
| US-West (GovCloud) | us-gov-west-1 |
| Asia Pacific (Singapore) | ap-southeast-1 |
| Asia Pacific (Sydney) | ap-southeast-2 |
| Asia Pacific (Tokyo) | ap-northeast-1 |
| Canada (Central) | ca-central-1 |
| Europe (Frankfurt) | eu-central-1 |
| Europe (London) | eu-west-2 |
Contact your SailPoint deployment team to determine the region you need to use.
You must always allow:
- The primary AWS S3 URL (*.s3.amazonaws.com) as noted in Primary URLs.
- The us-east-1 URL for each of these services, even if your region is located elsewhere.
- The region-specific URL for each of these services if your tenant is in a region other than us-east-1.
The following table lists region-specific URLs that must be accessible to the VA. Replace <region_code> with the AWS region where your tenant resides.
| Service | Region-specific URLs to Allow |
| S3 |
*.s3.us-east-1.amazonaws.com and FedRAMP users only: *.s3-fips.us-gov-west-1.amazonaws.com Refer to AWS Regional endpoints. |
| SQS |
sqs.us-east-1.amazonaws.com and Refer to Amazon Simple Queue Service endpoints. |
| DynamoDB |
dynamodb.us-east-1.amazonaws.com and Refer to Amazon DynamoDB endpoints. |
| Elastic Container Registry |
874540850173.dkr.ecr.us-east-1.amazonaws.com and FedRAMP users only: 240112628119.dkr.ecr-fips.us-gov-west-1.amazonaws.com 240112628119.dkr.ecr.us-gov-west-1.amazonaws.com 229634586956.dkr.ecr-fips.us-gov-west-1.amazonaws.com 229634586956.dkr.ecr.us-gov-west-1.amazonaws.com Refer to Amazon ECR endpoints. |
|
Firehose1
|
firehose.us-east-1.amazonaws.com and FedRAMP users only: firehose-fips.us-gov-west-1.amazonaws.com Refer to Amazon Kinesis Data Firehose endpoints. |
1 Required only for AI-Driven Identity Security with IdentityIQ
IdentityIQ Customers Using IAI Harvester Only
For IdentityIQ customers using the IAI Harvester, the following URL must be accessible to the VA:
*.launchdarkly.com
If you are unable to use this URL, you may instead allow these specific URLs:
- app.launchdarkly.com
- events.launchdarkly.com
- stream.launchdarkly.com
- sdk.launchdarkly.com
- clientstream.launchdarkly.com
- clientsdk.launchdarkly.com