We have a requirement to configure file upload utility on VA rather than IQService (Windows machine). We would like to know pros and cons and steps to follow if someone has configured it from scratch to automating file upload utility scripts on VA.
I have been trying to push JDK to VA or to search for Java in VA to see if jar execution works perfectly. Unfortunately, we couldn’t succeed on it. It would be helpful if someone who has already configured file upload utility in VA could help us with steps to follow.
Please note that on SailPoint Virtual Appliance’s, you cannot install any thirdpary or SailPoint Certified tool such as File Upload Utility in the form of File Upload Utility, etc. because its not recommended by SailPoint.
The Virtual Appliances mandatory task is to communicate with ISC and Target System for aggregation and provisioning. If you install it on VAs, there could be unforeseen issues such as performance on your VAs which could led to overall performance degradation.
Also, apart from File Upload Utility Jar, you need to install JDK as well which could be either Oracle JDK or Open JDK on your respective VA machines which is again not a recommended by SailPoint.
The best place to get it done is on IQ Service machine or any other windows machine apart from VA which can communicate with your SailPoint ISC tenant.
Thank you for the clarification. Is there any official documentation that specifies the File Upload Utility cannot be used with VA? If available, could you please share it? I couldn’t find this restriction mentioned in the VA documents I reviewed
I’m not sure about the SailPoint managed SFTP, never heard of it actually, but we have had external SFTPs in the past to fetch CSV-files into ISC via the SQL Loader connector.
To access the VA, you can only do it using “sailpoint“ user. The sailpoint user has limited amount of access/permissions, and to perform any sort of installations and all, you require sudo access to root which they don’t allow as mentioned in the guide. They have not explicitly mentioned that file upload utility cannot be installed on VA but the architecture of VA is such that its not possible to do it there due to limitations.
Hence, as suggested, its better to get it done on IQ Service Machine or any Windows machine so that you can also schedule the file upload utility execution through Task Scheduler. Its a most common practice.
To confirm, when you say “external SFTPs,” you mean an external SFTP server, correct? As I’m new to SQL Loader, it would be helpful if you could explain:
How you configured the external SFTP servers for SQL Loader.
Where these servers were hosted.
Any prerequisites required for SQL Loader to fetch CSV files.
How you handled housekeeping tasks, such as deleting files after successful aggregation or retrying in case of failure.
Our goal is to move CSV files from IQService or a Windows machine to VA, and then aggregate them into ISC.
Just a username + password, then a url as you would connect to the stfp:
Data Files URL:
jdbc:csv:/sftp://ftp-address/directory with file/
Driver Class:
com.hxtt.sql.text.TextDriver
Then construct yor specific Account SQL Query
housekeeping tasks on the stfp you’d have to set up maybe with scheduled tasks etc, but the SQL Loader works as a regular connector so it’s just ISC logic.
We’re restricted from allowing outbound connectivity from the IQService server to ISC. Given that the File Upload Utility also requires outbound access to ISC, we’re exploring what other viable options might be available.
ok now I understood as VA sits out of our core network, you are thinking to drop file in VA? it is good idea actually as a R&D we can try in lower VA env if it works well and good, otherwise we can talk this with SailPoint for this to allow or not.
Apologies, I am trying to better understand the connection flow. I am receiving a timeout error even after increasing the timeout to 60 seconds in connectorAttributes, so I want to confirm whether my understanding of the setup is correct.
Currently, the CSV file resides on the IQService server, and there is no outbound network connectivity from the IQService server to ISC.
In this scenario:
Do we need to move the CSV file from the IQService server to the VA host or any other windows server and then provide the Data Files URL pointing to the VA/WINDows server?
Or is it possible to directly use the IQService server IP in the Data Files URL, for example:
jdbc:csv:sftp://<IQserver_IP>/directory/file
instead of:
jdbc:csv:sftp://<VA_IP>/directory/file
Also, could you please elaborate your scenario like where was the csv file residing and what all ports were open for communication from VA to the server?
Please let me know if my understanding of the connection flow is correct or if there are additional constraints, I should be aware of.
You said: CSV is on the IQService server and IQService has no outbound to ISC.
That’s fine—because with SQL Loader you don’t need IQService to talk to ISC at all.
But you do need a place where:
IQService (or whatever generates the CSV) can drop the file, and
the VA can fetch it (typically via SFTP).
So the normal pattern is:
IQService/Windows → (SFTP drop zone) → VA (SQL Loader) → ISC
That “drop zone” can be:
an external SFTP server in a DMZ,
an internal SFTP server that the VA can reach,
or the IQService server only if it is running an SFTP service and the VA can connect to it on port 22.
Here are 2 options for you:
Option A (move CSV to VA or another server and point the URL there):
Works if that server is reachable from the VA and serves the file over a supported protocol (SFTP is the usual choice).
Practically: the VA is not intended to be used as a “file drop,” and you typically don’t want to manage storage/housekeeping on the VA.
Option B (directly use IQService IP in the Data Files URL):
Works only if the VA can connect from VA → IQService over SFTP (port 22) and the path/credentials are correct.
If there’s no network path from VA to IQService (routing/firewall), you’ll get timeouts no matter what you set in connectorAttributes.
So: if VA can’t reach IQService, don’t fight it—use an SFTP host both can reach.
Ports / connectivity to check
At minimum:
VA → ISC: outbound 443 (standard VA requirement)
VA → SFTP host: outbound 22 (and DNS resolution if using hostname)
If you’re seeing timeouts even with 60 seconds, it almost always points to:
port 22 blocked (firewall),
routing issue,
DNS issue,
or the SFTP endpoint isn’t actually responding (service not running / wrong IP / wrong path).
Housekeeping (delete/move after successful aggregation)
After aggregation, move them to /processed (or archive by date) using a scheduled script on the SFTP host (or whatever system is responsible for file lifecycle)
If you need “only pick up new files,” use a naming convention (timestamp) and point the SQL query/pattern at the right file set, while processed files are moved out of the input folder.