We’re seeking guidance on selecting the most appropriate Virtual Appliance (VA) configuration for our environment. We’d like to gain a deeper understanding of the key factors influencing this decision.
To help us confidently advise our client, we’d appreciate insights on the following:
Decision-Making Criteria: What are the critical considerations when choosing between Standard and Network Tunnel VAs? Are there specific use cases that favor one configuration over the other?
Performance Implications: Are there any anticipated performance differences between Standard and Network Tunnel VA configurations?
Management Overhead: How does the ongoing management complexity differ between Standard and Network Tunnel VAs?
Additionally, if there are any best practices or general recommendations you can share regarding VA selection, we’d be grateful to learn from your experience.
Virtual Appliance Network Configuration in SailPoint Identity Security Cloud
A Virtual Appliance (VA) connects your SailPoint Identity Security Cloud tenant to your on-premises or cloud-hosted sources. All VA communications are outbound only. No inbound connections from outside your network are requested or required.
Deep Packet Inspection (DPI) is not supported in any configuration.
When deploying a VA cluster, you select the network configuration that matches your firewall and network policy. There are three options:
Standard
Uses the standard outbound traffic generated by the VA. This is the appropriate choice for most environments where the firewall can filter traffic by hostname.
HTTP Proxy
Routes all HTTP/HTTPS traffic through a proxy server. Choose this option when your network policy requires all outbound traffic to pass through a proxy.
Network Tunnel
Limits the outbound connections generated by the VA. Choose this option only if your firewall cannot support host names. This is not a VPN tunnel — it is a firewall traversal option for environments restricted to IP-based rules.
Data Access Security VA cluster types support only the Standard configuration — HTTP Proxy and Network Tunnel are not available for that cluster type.
Regardless of the network configuration selected, you can also enable:
TLS — Encrypts the connection between the VA and sources that support it. Recommended when the source supports TLS. Active Directory requires TLS.
Password Interceptor — Intercepts password changes on supported sources (e.g., Active Directory) and propagates them to the related source in Identity Security Cloud.
Local NTP Server — Allows VAs to use an internal NTP server if outbound port 123 is not permitted.
Supported virtualization: vSphere 6.5+, Hyper-V (Server 2016+), AWS (M5.xlarge or equivalent), Azure (Standard_D8s_v5 or equivalent), GCP (n2-standard-4 or equivalent).
Locate VAs close to sources — deploy in the same data center, availability zone, or region as the target systems.
Maintain a 1:1 VA to VM ratio — to avoid a single point of failure. For fault tolerance, run VAs in the same cluster on different physical servers (on-premises) or spread across Availability Zones (cloud).
Switching deployment types requires new VAs — migrating an existing VA from one network configuration to another (e.g., Standard to Network Tunnel) is not supported. A new VA must be created.
Monitor VA health — SailPoint collects metrics (CPU, memory, free space, restart count) averaged over recent hours. Alerts are sent when thresholds are exceeded.
Hi Marco, if your client is a new customer, they likely have SASP included as part of their purchase. Please have them reach out to their customer onboarding manager, and they can engage the SASP team in order to have a conversation and help them make the right architectural decisions in that regard.