Demo tenant cannot connect to IQService

Identity Security Cloud (ISC) ISC Discussion and Questions
1

I have set up an Active Directory source in my ISC tenant and aggregation works fine before configuring IQService. However, when I add IQService details, I get the following error during Test Connection
image

IQService is running on the same machine as DC and there is no TLS or any other configs. IQ Service is running fine and I have confirmed during installation that the port is configured as 5050.

Any help to resolve this would be highly appreciated

2

Hey @iamology, can you verify that your virtual appliances are able to reach the server where IQService is installed on the IQService port?

tb start
tb nc -zv -w 5 <IP/HostName> <IQService Port>

Try checking both the IP Address and the Hostname.

3

It does not seem like…

image
image756×55 1.14 KB

But I can ping the server

image
image737×135 1.87 KB

And IQService is running

Any suggestions how to fix this?

Thanks a bunch

4

Where is the VM this is running on? Make sure you have port 5050 opened from a network perspective including Windows local firewall.

1 Like
5

Thanks @iamology. This is good information. This tells us that your VA is able to reach the destination server via ICMP, but is unable to reach it via port 5050 for the IQService. It’s good we are able to contact the server, but we need to be able to communicate on port 5050 in order to achieve IQService connectivity, since 5050 is the port you configured for the IQSService.

Configure the Host Firewall

Go to the server that has the IQService installed and verify port 5050 is allowing communication from the virtual appliances. You can do this by modifying the host firewall rules and adding an ALLOW rule for port 5050 (and other ports as needed, such as 389, 636, etc.)

image
image445×581 11.6 KB

Successful Test

Once you configure the firewall to allow connections on port 5050, try the test again. You should see a successful connection like the image below:

image

Once you receive a connection succeeded message, you should be able to connect. Let me know how it goes!

1 Like
6

Thank you so much… This was the root cause of the issue. I simply disabled the firewall to test and it worked.

I am not proficient in Windows Server Management and was not sure how to reach the popup window you have shared the screenshot of. It would be great if you can add the steps to follow to reach there :blush:

7

The DC and Client machine with VA are in the same LAN. IQService is added to the DC. Issue was with the Firewall

1 Like
8

Awesome! I’m glad that worked for you :smile:!

Here are the steps you can take in order to access the Advanced Firewall Settings to configure that rule:

Configure a Windows Firewall Rule for IQService

Part 1 - Identify IQService Ports

  1. Open a Command Prompt session and proceed to the directory in which your IQService is. Example: cd C:\SailPoint\IQServiceIDN
  2. Execute the command iqservice -v to identify the ports configured for your IQService.

image
image988×508 60.8 KB

Part 2 - Create a new Firewall Rule

  1. Open the Start Menu and search for Firewall. Open the Windows Defender Firewall option within the menu.

    image
    image841×687 21.5 KB

  2. Click on Advanced settings on the left navigation pane.
    image

  3. Click on Inbound Rules on the left navigation pane, then click on New Rule on the Actions menu to the right to begin creating a new rule.

    image
    image1058×302 18.8 KB

  4. For the Rule Type, select the Port option. This will allow to define ports which you wish to allow. You can use the other rule types as well, but these steps will follow the steps for choosing Port. Click Next.

  5. Ensure TCP is selected. Then, specify the ports which you want to configure to allow the communication on. You can enter multiple port numbers, separated by a comma. Based on my previous screenshot, I would enter ports 5051, 5527, and 5528 (5528 is the secondary TLS port).
    image

  6. Choose either Allow the connection or Allow the connection if it is secure. If you want to restrict which computers or IP addresses can access this server via these ports and rule, you should select Allow the connection if it is secure. Click Next.

  7. Apply the rule to the types of networks. You should not need this on a public network; private is what you need.

  8. Enter a name for the rule along with a description. A nice name to have is a name that shows what the rule is for and which ports it applies to. Examples:
    IQService for ISC (Ports 5051, 5527, and 5528) TCP IN or LDAP & LDAPS (Ports 389 and 636) TCP IN.

  9. Click Finish. Your rule is now created and those ports will be permitted according to your configuration.

Additional Configuration As Needed

You can add additional configuration to your rule where only specific computers or IP addresses can connect via these ports and this rule. If you configured Allow the connection if it is secure in Step 6 of Part 2, you can open the rule and configure the Scope.

Additional References and Material

  1. Configure a firewall for report server access - SQL Server Reporting Services (SSRS) | Microsoft Learn
4 Likes
9

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.