Demo tenant cannot connect to IQService

I have set up an Active Directory source in my ISC tenant and aggregation works fine before configuring IQService. However, when I add IQService details, I get the following error during Test Connection
image

IQService is running on the same machine as DC and there is no TLS or any other configs. IQ Service is running fine and I have confirmed during installation that the port is configured as 5050.

Any help to resolve this would be highly appreciated

Hey @iamology, can you verify that your virtual appliances are able to reach the server where IQService is installed on the IQService port?

tb start
tb nc -zv -w 5 <IP/HostName> <IQService Port>

Try checking both the IP Address and the Hostname.

It does not seem like…

But I can ping the server

And IQService is running

Any suggestions how to fix this?

Thanks a bunch

Where is the VM this is running on? Make sure you have port 5050 opened from a network perspective including Windows local firewall.


Thanks @iamology. This is good information. This tells us that your VA is able to reach the destination server via ICMP, but is unable to reach it via port 5050 for the IQService. It’s good we are able to contact the server, but we need to be able to communicate on port 5050 in order to achieve IQService connectivity, since 5050 is the port you configured for the IQService.

Configure the Host Firewall

Go to the server that has the IQService installed and verify port 5050 is allowing communication from the virtual appliances. You can do this by modifying the host firewall rules and adding an ALLOW rule for port 5050 (and other ports as needed, such as 389, 636, etc.)

Successful Test

Once you configure the firewall to allow connections on port 5050, try the test again. You should see a successful connection like the image below:

image

Once you receive a connection succeeded message, you should be able to connect. Let me know how it goes!

Thank you so much… This was the root cause of the issue. I simply disabled the firewall to test and it worked.

I am not proficient in Windows Server Management and was not sure how to reach the popup window you have shared the screenshot of. It would be great if you can add the steps to follow to reach there :blush:

The DC and Client machine with VA are in the same LAN. IQService is added to the DC. Issue was with the Firewall


Awesome! I’m glad that worked for you :smile:!

Here are the steps you can take in order to access the Advanced Firewall Settings to configure that rule:

Configure a Windows Firewall Rule for IQService

Part 1 - Identify IQService Ports

  1. Open a Command Prompt session and proceed to the directory in which your IQService is. Example: cd C:\SailPoint\IQServiceIDN
  2. Execute the command iqservice -v to identify the ports configured for your IQService.

Part 2 - Create a new Firewall Rule

  1. Open the Start Menu and search for Firewall. Open the Windows Defender Firewall option within the menu.

  2. Click on Advanced settings on the left navigation pane.

  3. Click on Inbound Rules on the left navigation pane, then click on New Rule on the Actions menu to the right to begin creating a new rule.

  4. For the Rule Type, select the Port option. This will allow you to define the ports which you wish to allow. You can use the other rule types as well, but these steps will follow the steps for choosing Port. Click Next.

  5. Ensure TCP is selected. Then, specify the ports which you want to configure to allow the communication on. You can enter multiple port numbers, separated by a comma. Based on my previous screenshot, I would enter ports 5051, 5527, and 5528 (5528 is the secondary TLS port).

  6. Choose either Allow the connection or Allow the connection if it is secure. If you want to restrict which computers or IP addresses can access this server via these ports and rule, you should select Allow the connection if it is secure. Click Next.

  7. Apply the rule to the types of networks. You should not need this on a public network; private is what you need.

  8. Enter a name for the rule along with a description. A nice name to have is a name that shows what the rule is for and which ports it applies to. Examples:
    IQService for ISC (Ports 5051, 5527, and 5528) TCP IN or LDAP & LDAPS (Ports 389 and 636) TCP IN.

  9. Click Finish. Your rule is now created and those ports will be permitted according to your configuration.

Additional Configuration As Needed

You can add additional configuration to your rule where only specific computers or IP addresses can connect via these ports and this rule. If you configured Allow the connection if it is secure in Step 6 of Part 2, you can open the rule and configure the Scope.

Additional References and Material

  1. Configure a firewall for report server access - SQL Server Reporting Services (SSRS) | Microsoft Learn
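The GUI steps in Part 2, together with the Scope restriction from "Additional Configuration As Needed", can also be scripted. The PowerShell below is an added example, not code from any post in this thread. The port 5050 is the one configured in this thread, the VA addresses are constructed placeholders, and the variable names are hypothetical. It leaves the firewall on and allows only the virtual appliances in, rather than disabling the firewall.

```powershell
# Added example: run in an elevated PowerShell session on the IQService host.
# Replace the placeholder values; take the real ports from `iqservice -v` (Part 1).
$RuleName    = 'IQService for ISC (Port 5050) TCP IN'  # naming style from Step 8
$Ports       = @(5050)                                 # port used in this thread
$VaAddresses = @('192.0.2.10', '192.0.2.11')           # constructed VA IPs (assumption)
$NetProfile  = 'Private'                               # network type from Step 7

# If the firewall was switched off for testing, the rule below has no effect
# until the profile is enabled again.
Get-NetFirewallProfile -Name $NetProfile |
    Where-Object { $_.Enabled -eq 'False' } |
    ForEach-Object { Write-Warning "Firewall profile '$($_.Name)' is disabled." }

# A firewall rule cannot help if IQService is not listening on the port.
foreach ($port in $Ports) {
    $listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if (-not $listener) { Write-Warning "Nothing is listening on TCP $port; check IQService." }
}

# Settings shared by create and update: inbound TCP, only from the VAs.
$settings = @{
    Action        = 'Allow'
    Protocol      = 'TCP'
    LocalPort     = $Ports
    RemoteAddress = $VaAddresses
    Profile       = $NetProfile
    Enabled       = 'True'
}

# Idempotent: update the rule if it exists instead of stacking duplicates.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName @settings
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound @settings `
        -Description 'Allow ISC virtual appliances to reach IQService' | Out-Null
}

# Show what is actually in effect: ports and the remote-address scope.
$rule = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Profile       = $rule.Profile
    LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','
    RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
}
```

After the rule is in place, repeat the `tb nc -zv -w 5 <IP/HostName> <IQService Port>` check from the virtual appliance to confirm the port is reachable.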