
IDN_2_Virtual Appliance

Title of test:
IDN_2_Virtual Appliance

Description:
IDN_2_Virtual Appliance

Creation Date: 2023/01/22

Category: Others

Number of questions: 92

Content:

Virtual appliance setup, the customer needs to perform the following: Setting up the networking configuration required for your domain. This includes the DNS, NTP, IP address of the VAs, and external traffic channels used. Key passphrase to generate the public-private encryption key pair that secures communications between the VAs and your IdentityNow tenant. Configure the cloud connector gateway to enable the VA connection.

Production systems should have 1 VA in a cluster. TRUE. FALSE.

Which of these steps is involved in connectivity gateway communication between tenant and connected source systems (6). VA from same cluster poll the cluster queue for work / messages. Tenant submits work by adding messages to VA cluster queue. VA reads messages, removes from queue. VA messages decrypted with private key. VA communicates internally with cloud connector gateway (CCG) to complete work. Communication always initiated by VA as outbound traffic. VA deployed in the DMZ zone. CCG polls the VA / Cluster for work.

SailPoint supports the virtual appliance image by: (2). Designing the VAs to continuously make outbound-only calls to the cloud environment to check for patches and updates. Including built-in monitoring to alert us when the VA is down. Designing the VAs to make outbound-only calls at midnight to the cloud environment to check for patches and updates. Polling the VA continuously to alert us when the VA is down.

Best practice for deploying & administering VA. Static IP address for simple network & monitoring. Allow inbound communication over SSH port 22. Allow unrestricted outbound traffic on ports 53 DNS, 123 NTP and 443 HTTPS. Configure VA to communicate with connected sources over transport layer security (TLS). Key passphrases secured in password vault (recommend 1 key for all VA).

Tenant can be deployed in SP regional zones for residency. CA central, US central, EU West, EU Central, AP Northeast, AP SouthEast. Asia Pacific, North America, South America, Europe, Central Europe & Africa.

SailPoint recommends the following best practices related to deploying virtual appliances: Each VA cluster should be installed in close proximity to the connected source system for on-premise. Each VA cluster should be placed in the Availability Zone as close as possible to the target sources hosting the network gateways for your organization. Each VA cluster should be deployed in separate zones for availability. Each VA cluster should be installed in same server hosting on premise systems.

SailPoint recommends the following best practices related to deploying virtual appliances: Minimum Cluster Size - To ensure connectivity during updates, we recommend you deploy at least 2 VAs per cluster because the VAs take turns updating. VA to Virtual Machine Ratio - To avoid a single point of failure in your environment, we recommend a 1:1 ratio of VA to VM. Separate Sandbox and Production Clusters. New VAs must be created to switch from one deployment method to another, such as from standard deployment to secure tunnel deployment. One cluster for sandbox and production clusters. VA cluster to Virtual Machine Ratio - To avoid a single point of failure in your environment, we recommend a 1:1 ratio of VA cluster to VM.

The following lists URLs that must be accessible to the VA, regardless of the VA zone. The primary AWS S3 URL (*.s3.amazonaws.com) as noted in Primary URLs. The us-east-1 URL for each of these services, even if your region is located elsewhere. The region-specific URL for each of these services if your tenant is in a region. The eu-central-1 URL for each of these services, even if your region is located elsewhere. The primary AWS S3 URL (*.amazon.com) as noted in Primary URLs.

LOCAL VIRTUAL APPLIANCE DEPLOYMENT STEPS in order. Download the virtual appliance zip file from https://sppcbu-va-images.s3.amazonaws.com/va-latest.zip. Unzip and copy to your virtualization platform. Start the virtual appliance image and change password with Login - User Name: sailpoint Password: S@ilp0int. [Optional best practice] Set a static IP address and DNS settings. Create / maintain virtual appliance cluster and save. Create / maintain virtual appliances. From the New Virtual Appliance page in IdentityNow, under Download Configuration File, click Download. This copies the va-config-<va_id>.yaml file to your workstation. Change the value of keyPassphrase from _ch@ngeMe_ to a unique value for your organization. Copy the local .yaml file to the virtual appliance: scp <download path>/va-config-<va_id>.yaml sailpoint@<ip_address>:/home/sailpoint/config.yaml, then test the connection.

Deployment type for local vSphere, what are the different steps?. Name of your virtual NIC card for your VA. Edit the static.network file. Disable the ESX DHCP bump service: sudo systemctl disable esx_dhcp_bump.service. Reboot the VA: sudo reboot.

Deployment type for Hyper-V, what are the different steps?. New Virtual Machine needs to be created. Disable the ESX DHCP bump service: sudo systemctl disable esx_dhcp_bump.service. Name of your virtual NIC card for your VA.

All Hyper-V images currently ship with the waagent Azure service enabled by default. This should be enabled?. This can cause DNS issues and irregular network routing on virtual appliances running on Hyper-V. To prevent these issues, you'll need to disable the waagent service. This should be enabled so DNS issues and irregular network routing on virtual appliances running on Hyper-V is prevented.

For VA deployment on cloud AWS, the maintenance window will take place from at what time in the selected time zone. 12 a.m. to 4 a.m. 7 a.m. to 11 a.m. 12 p.m. to 4 p.m. 7 p.m. to 11 p.m.

For VA deployment on cloud AWS, the first step is: Visit Working with Support and open a support ticket requesting an Amazon Machine Image (AMI) ID to install a VA in AWS. You will need to provide your AWS account number and regions (Ex: 123456789). SailPoint support will provide an AMI ID. Download and extract sailpoint-va.vhd from the following .zip file: https://sppcbu-va-images.s3.amazonaws.com/va-azure-latest.zip.

What are the 3 VA configuration options. Standard. Proxy. Secure Tunnel. Virtual Machine.

For Standard VA configuration, which ports are required?. 53 - DNS - Outbound. 123 - NTP - Outbound. 22 - SSH - Inbound. 443 - HTTPS - Outbound. 53 - DNS - Inbound. 125 - NTP - Outbound. 38 - SSH - Inbound. 447 - HTTPS - Outbound.

For VA HTTP Proxy Configuration, deep packet inspection is supported. FALSE. True.

For VA Secure Tunnel Configuration, additional setup to gain connectivity is required. True. FALSE.

SailPoint reserves the IP range 172.16.0.0/22. If any sources reside in this range, implementing this solution will not allow those sources to properly route traffic. True. FALSE.

For VA Secure Tunnel Configuration, following ports are required. 53 - DNS - Outbound. 443 - HTTPS - Outbound. 123 - NTP - Outbound. 22 - SSH - Inbound.

For VAs deployed locally, each cluster should be installed in close proximity to the source system it is connecting to. True. FALSE.

For VAs on AWS or Azure, each cluster should be placed in the Availability Zone as close as possible to the target sources to ensure reliable connections. FALSE. True.

VA Updates - SailPoint manages VA updates: Whenever we make improvements to the VA image, we deploy them to the clusters, which then perform rolling updates and reboots on the related VA. At least two VAs per cluster ensures connectivity with your sources during these updates. Applying updates and rebooting one at a time, the VA cluster maintains full availability during the update process. Register downtime for all updates to process and reboot. Whenever we make improvements to the VA image, we deploy them one by one to each VA.

Best practices for monitoring Your VA Infrastructure. SailPoint has monitoring built in to alert us if a VA goes down. Notifications - You can configure IdentityNow to send you email when a VA goes down. Admin Dashboard - Click the Clusters tile of the system components status panel. Virtual Appliance Clusters page - Click Admin > Connections > Virtual Appliances to see the status of your VA clusters. Click on a cluster name and select Virtual Appliances to see the status of that cluster's VAs. System connection, click the overview monitor to view the status. Virtual appliance clusters page, click the healthcheck report.

VA deployment options. All VA's running. Switch Clusters. Standby reactive deployment. VA's associated to multiple clusters.

Advantage of the all VA's running deployment. On DR event, no action needed. Full utilization of all VAs. VAs stay up-to-date. Outage Minimization. VAs don’t add latency.

Disadvantage of the Switch Clusters deployment. No utilization of DR VA Cluster. IDN reconfiguration needed; re-entering of source passwords. Not great for large amounts of sources. Turnaround time can be greater depending on deployment of VA DR. This depends on readiness.

Disadvantage of the standby reactive deployment. Latency. Not great for large amounts of sources. Turnaround time can be greater depending on deployment of VA DR. This depends on readiness.

Advantage of the Switch Cluster deployment. DR VAs stay up-to-date. VAs don’t add latency, as they aren’t processing anything until DR event. On DR event, no action needed.

Why Not Deploy in the DMZ?. Security. Proximity. Connectivity. Performance.

Log File Locations. /home/sailpoint/log. /home/sailpoint/log/ccg.log. /home/sailpoint/log/va_agent.log.

Contains details about the virtual appliance master service, which runs all other services. /home/sailpoint/log/ccg.log. /home/sailpoint/log/fluent.log. /home/sailpoint/log/charon.log. /home/sailpoint/log/canal.log. /home/sailpoint/log/relay.log.

Match log to purpose. Contains all details involving a source connector (connection, aggregation, authentication, provisioning, etc). Contains details about the virtual appliance agent, which handles communication between the virtual appliance and IdentityNow. Contains details about the logging aggregator services on the virtual appliance. Contains details about the virtual appliance master service, which runs all other services. Contains details about the Secure Tunnel service on the virtual appliance. Contains details about the IdentityNow proxy relay for Password Interceptor.

To enable debug logging in IdentityNow. Go to Admin > Connections > Virtual Appliance > va_cluster_name, and check Enable Debugging. Go to Admin > Connections > Virtual Appliance > Check Enable Debugging.

Non-TLS. typically on port 389. typically on port 636.

TLS. typically on port 389. typically on port 636.

How many VA's should you have in your tenant. Best practice > 2. Best practice > 3.

VA cluster is assigned to service 1 or more specific sources. TRUE. FALSE.

Can you get detailed logs of VA for debugging. TRUE, when VA Cluster configured. TRUE, when set on the VA and not the cluster. FALSE.

Virtual appliance. Deep Packet Inspection & Third-party Monitoring not supported. DNS Servers are required and a VA must connect to your internal DNS servers. NTP Servers are required and the VAs must connect to a network time protocol (NTP) server. Deep Packet Inspection & Third-party Monitoring is required. DNS Servers are optional and a VA does not need to be connected to your internal DNS servers. NTP Servers are not required and the VAs does not need to connect to a network time protocol (NTP) server.

HTTP Proxy. all HTTP/HTTPS traffic (such as virtual appliance communication and updates) is routed through the proxy. Traffic for all sources connecting to internal endpoints is not routed through the proxy. Traffic to external sources is routed through the proxy. Traffic to external sources can bypass the proxy. Traffic for all sources connecting to internal endpoints is routed through the proxy. HTTP/HTTPS traffic (such as virtual appliance communication and updates) connects directly to the virtual cluster.

Where is the private key stored?. Each VA contains a 2048-bit RSA asymmetric private key (generated from the chosen key passphrase), which is used to decrypt credentials when talking to various sources. Each VA cluster contains the private key.

System notifications can be set to monitor the VA health (Admin > System Settings > System notifications). VA checks happen every 15 minutes. VA checks happen every hour. VA checks happen at midnight and midday.

VA communication flow. VA constantly poll cluster queue for work via VA cluster queue (IDN tenant). Cluster queue is a holding area of messages waiting for VA to grab. VA receives work, decrypts with local private, connects to cloud connector gateway (CCG) to execute work. VA / CCG contains enterprise grade connectors. CCG flow back to SP task processing engine.

VA’s are deployed in clusters benefits. Redundancy. Load balancing. Security. Flexibility.

To manage fault tolerance on the virtual appliance. Configuring local VAs in the same cluster to run on different servers whenever possible. VAs in the same cluster running in AWS/Azure be spread out across different Availability Zones. VAs in the same cluster running in AWS/Azure be spread out across different tenants. Configure local VAs in different clusters when possible.

The following table lists URLs that must be accessible to the VA, regardless of the VA zone. *.flatcar-linux.net. *.flatcar-linux.org. *.identitynow.com. *.s3.<region_code>.amazonaws.com. *.s3.amazonaws.com. *.s3.us-east-1.amazonaws.com. *.sailpoint.com. 874540850173.dkr.ecr.us-east-1.amazonaws.com. api.ecr.us-east-1.amazonaws.com. app.datadoghq.com.

Match the description to URL. *.flatcar-linux.net. *.flatcar-linux.org; *.flatcar-linux.net. *.identitynow.com *.sailpoint.com. app.datadoghq.com. https://aws.amazon.com/s3/ . *.s3.amazonaws.com. api.ecr.us-east-1.amazonaws.com; ecr.us-east-1.amazonaws.com; 874540850173.dkr.ecr.us-east-1.amazonaws.com.

Match AWS regions to the code for the tenant host. US East (N. Virginia). US West (Oregon). Asia Pacific (Sydney). Asia Pacific (Tokyo). Canada (Central). Europe (Frankfurt). Europe (London).

SailPoint’s private container registry. Allows the VA to retrieve service updates. - Elastic Container Registry. api.ecr.us-east-1.amazonaws.com. ecr.us-east-1.amazonaws.com. 874540850173.dkr.ecr.us-east-1.amazonaws.com. *.s3.amazonaws.com. *.flatcar-linux.org. app.datadoghq.com.

If the region-specific URLs that must be accessible to the VA, for region us-east-1 which one is correct. *.s3.us-east-1.amazonaws.com. sqs.us-east-1.amazonaws.com . dynamodb.us-east-1.amazonaws.com . 874540850173.dkr.ecr.us-east-1.amazonaws.com . firehose.us-east-1.amazonaws.com . app.datadoghq.com. api.ecr.us-east-1.amazonaws.com. us-east-1.app.datadoghq.com.

Match region specific URLS services to url. S3. SQS. DynamoDB. Elastic Container Registry. Firehose*.

Virtual appliance deployment setup process in steps: Download virtual appliance zip file. Unzip and copy to your virtualization platform. Start the virtual appliance image. Login – User Name: sailpoint Password: S@ilp0int & Change the password. Optional – Set a static IP address and DNS settings. Download va-config-246-699.yaml. Set the value of keyPassphrase (default _ch@ngeMe_) in va-config-246-699.yaml to match organisation passphrase. Copy settings to ~/config.yaml on the virtual appliance: scp <download path>/va-config-246-699.yaml sailpoint@<ip_address>:/home/sailpoint/config.yaml. Test connection by clicking test appliance.

Set a static IP address and DNS settings process. First you must find the name of your virtual NIC card for your VA. From the list of virtual NICs displayed, find the 2nd one (2: ens160). Next create the static.network file: Enter NICName and network details such as DNS. Disable the ESX DHCP bump service. Reboot the VA: sudo reboot.

Virtual appliance setup commands match. Create the file static.network command. list of virtual NICs displayed. Reboot the VA. Disable the ESX DHCP bump service.

New Virtual Appliance page in IdentityNow, under Download Configuration File. Do not leave this page until the download and configuration process is complete and you have clicked Test Appliance. Each .yaml file is unique and cannot be reused by other virtual appliances. Copying this file to your workstation might result in a file with a .txt extension. If this occurs, you must rename the file with only a .yaml extension and then copy it into the VA. Otherwise VA will not work correctly.

VA local deployment types. vSphere. Hyper-V. AWS Cloud. Azure Cloud.

VA cloud deployment types. vSphere. Hyper-V. AWS Cloud. Azure Cloud.

In hyper-V deployment type setup, which of the following steps is unique?. New Virtual Machine needs to be created. All Hyper-V images currently ship with the waagent Azure service enabled by default. This must be disabled. Disable the ESX DHCP bump service. Set Static IP for your VA must be defined.

disable the waagent service by running the following commands. sudo systemctl status waagent. sudo systemctl stop waagent. sudo systemctl disable waagent. sudo reboot.

VA Deployment type AWS. Visit Working with Support and open a support ticket requesting an Amazon Machine Image (AMI) ID to install a VA in AWS. You will need to provide your AWS account number and regions. SailPoint support will provide an AMI ID. Select Launch in the instance and select storage as m4.large or above and click configure instance details. Review & launch. Select an existing key pair or create a new key pair dialog box, select the option appropriate to your company policy. Launch instance. Change the password immediately with password S@ilp0int.

VA Deployment type Azure Cloud. Download and extract sailpoint-va.vhd from the following .zip file: https://sppcbu-va-images.s3.amazonaws.com/va-azure-latest.zip. Log in to your Azure command line tool. Upload sailpoint-va.vhd to an Azure storage container with the following command. Create a managed disk from the blob. Create the VM from the managed disk. To test the VM, SSH in using the default username/password of sailpoint/S@ilp0int. Change the password immediately with password S@ilp0int. Add the VA in IdentityNow UI in an existing VA cluster or create a new cluster.

Virtual appliance network configuration types. Standard​ - Uses the standard traffic generated by the VA. HTTP Proxy​ - Routes all HTTP/HTTPS traffic through a proxy. Secure Tunnel​ - Strictly limits the outbound connections generated by the VA.

In standard VA network configuration, which IP range is reserved?. 10.255.255.241/28. 172.16.0.0/22 IP.

In HTTP Proxy Configuration VA network configuration, which IP range is reserved?. 10.255.255.241/28. 172.16.0.0/22 IP.

In Secure Tunnel VA network configuration, which IP range is reserved?. 10.255.255.241/28. 172.16.0.0/22 IP.

In HTTP Proxy Configuration configuration, which steps is required?. edit the proxy.yaml file and add the http / https proxy comment https_proxy: http://<proxyserver>:<port>/. Disable the ESX DHCP bump service. Set Static IP for your VA must be defined.

In Secure Tunnel VA network configuration, includes the following: Allows customers to limit the various outbound connections generated by the virtual appliance. Allows customers unrestricted outbound connections generated by the virtual appliance. All HTTP/HTTPS traffic (VA communication, updates, internal or external) is routed through the secure tunnel. VA must be able to make a secure handshake connection to IdentityNow over port 80. VA must be able to make a secure handshake connection to IdentityNow over port 443.

In Secure Tunnel VA network configuration, the following additional steps are performed. Install the SSL keys you need to communicate with the tunnel server. Download the key appropriate for your location. Copy the SSL package to your VA filesystem. From the New Virtual Appliance page in IdentityNow, under Download Configuration File, click Download. This copies the va-config-<va_id>.yaml file to your workstation. Open va-config-<va_id>.yaml and change the keyPassphrase from _ch@ngeMe_ to a unique value for your organization. Add the following line to the bottom of the file: tunnelTraffic: true. Copy local .yaml file to the virtual appliance. Test the virtual appliance connection. Verify connectivity on all sources connected to the virtual appliances.

To enable debugging in IdentityNow. go to Admin > Connections > Virtual Appliance > va_cluster_name, and check Enable Debugging. go to Virtual Appliance and enable debugging on VA. Logs are recorded for 24 hours. Logs are recorded until the debugging is disabled.

Use journalctl to view the following log files on the VA: TRUE. FALSE.

Match the logs to purpose. /home/sailpoint/log/ccg.log. /home/sailpoint/log/va_agent.log. /home/sailpoint/log/fluent.log. /home/sailpoint/log/charon.log. /home/sailpoint/log/canal.log. /home/sailpoint/log/relay.log.

Match the service to purpose. Cloud Connector Gateway (ccg). Secure Tunnel (canal). PWI Proxy (relay). VA Agent (va_agent). Charon (charon). Toolbox (toolbox). Fluent (fluent/va).

Service control commands. systemctl start service_name. systemctl stop service_name. systemctl restart service_name. systemctl status service_name. systemctl issue service_name. systemctl create service_name.

Reading service logs. Check current service log: . Tail service log:. Get boot events: .

Most logs will be under . /home/sailpoint/log. /home/sailpoint/audit. /home/sailpoint/files.

clearing ccg logs before you enable debug and reproduce an issue. sudo truncate -s 0 /home/sailpoint/log/ccg.log. In log directory sudo truncate -s 0 ccg.log. sudo clear -s 0 /home/sailpoint/log/ccg.log. In log directory sudo clear -s 0 ccg.log. sudo delete -s 0 /home/sailpoint/log/ccg.log. In log directory sudo delete -s 0 ccg.log.

Which VA deployment option has one cluster and both the VA's from the primary and DR data centers. All VA's running. Switch Clusters. Standby reactive deployment.

Which VA deployment option has two clusters, one for primary and another for DR VA data centers. The sources for the DR VA's need to be reassociated when required. All VA's running. Switch Clusters. Standby reactive deployment.

Which VA deployment option has one cluster, VA's of the primary datacenter are running while the DR VA's are not deployed. All VA's running. Standby reactive deployment. Switch Clusters.

Commands Systemd (systemctl) Locations Match. systemctl status <service name>. sudo systemctl enable <service name>. sudo systemctl disable <service name>. sudo systemctl start|stop|restart <service name>. sudo systemctl daemon-reload. systemctl show <service name>.

Commands Docker Match. sudo docker images . sudo docker ps -a. sudo docker tag <existing tag|id> <new tag> . sudo docker start|stop <name> . sudo docker rm <name> . sudo docker rmi <tag> .

Commands DNS Match. more /etc/resolv.conf. dig +trace <network resource>.

Commands Match. sudo timedatectl . sudoedit /etc/systemd/timesyncd.conf . netstat -rn. sudo -l. Check open port on remote host. (/usr/bin/ldapsearch).

ldapsearch run on the VA can be a good utility to test the following outside IDN. If the bind account/password are correct. If LDAP is actively servicing requests. If the hostname and port in source config are correct. Test that TLS is working correctly. See the actual data that is being pulled directly from the LDAP source (user attributes, group membership, service account privileges).

SailPoint Support can assist with SailPoint-created software components. VA network configurations. Static networks. Connector logging. VA client updates. Image import into supported cloud platforms (AWS and Azure). Network and platform environment configuration in supported cloud platforms (AWS and Azure). VM deployment and configuration. Deep packet inspection. Image import into unsupported cloud platforms. Network and platform environment configuration in unsupported cloud platforms.

SailPoint Support cannot assist with SailPoint-created software components. VA network configurations. Static networks. Connector logging. VA client updates. Image import into supported cloud platforms (AWS and Azure). Network and platform environment configuration in supported cloud platforms (AWS and Azure). VM deployment and configuration. Deep packet inspection. Image import into unsupported cloud platforms. Network and platform environment configuration in unsupported cloud platforms.

You can view the status of an individual VA in the following ways: click Test Appliance on the New Virtual Appliance page. On the Virtual Appliance Clusters page, click <cluster name> > Virtual Appliances to see the status of each VA in the cluster.

Virtual Appliances list displays the following information for each VA. Configured CCG Version . Actual CCG Version .

Commands match. grep -a "Networking check" log/charon.log | tail -1. sudo systemctl disable esx_dhcp_bump. nc (Netcat). curl -i (URL). sudo reboot. ifconfig -a. cat /etc/systemd/network/static.network. ping. netstat -rn.

Monitoring Your VA Infrastructure. SailPoint has monitoring built in to alert us if a VA goes down. Notifications - You can configure IdentityNow to send you email when a VA goes down. Admin Dashboard - Click the Clusters tile of the system components status panel. Virtual Appliance Clusters page - Click Admin > Connections > Virtual Appliances to see the status of your VA clusters. Click on a cluster. Check the widget page for virtual appliance status. Health report provides status of VA and clusters.
