Hello everyone, I’m looking to configure Virtual Appliances with SailPoint ISC, but I have some doubts after viewing this documentation: Configuring Virtual Appliances - SailPoint Identity Services. So I know that I can use 3 different types of infrastructure: one based on tunnelling, one based on an HTTP proxy and one based on a direct connection. One doubt is that in all of these scenarios it is shown that every connection is originated FROM the VA to SailPoint ISC. But when I’m setting up the connector on SailPoint ISC, I will give commands from SailPoint ISC to the VA, so it’s not true that all connections are originated from the VA? Does that imply not only opening the outbound firewall settings from the VA to SailPoint but also opening the inbound connections?
The Virtual Appliance (VA) is like a phone that always calls SailPoint (the cloud service) and keeps the call active. Because the VA starts the connection (like making the phone call), SailPoint doesn’t need to call the VA back directly. Instead, it talks through the same ongoing call that the VA started.
So, you only need to allow the VA to “call out” to SailPoint (outbound traffic). You don’t need to worry about opening the door for “calls coming in” to the VA (inbound traffic). Everything happens through that one connection that the VA initiates. This is done to keep things secure and avoid opening up unnecessary access.
Hope you have better clarity now.
OK, thanks, but doesn’t keeping the connection always alive hit the performance?
In addition to what @officialamitguptaa explained accurately and in easy-to-understand language, you also need to understand that the VAs have direct access to all machines inside the on-prem network, and opening such a machine to inbound traffic from the internet is a big NO for your network security team.
Excellent analogy @officialamitguptaa
The connection isn’t ‘always open’; rather, the VA periodically checks whether there is anything for it to do. This includes config changes as well as operations to perform, such as aggregating data or provisioning new users or access.
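As an added illustration of the pull model described in this thread (example code written for this page, not SailPoint’s own VA implementation; the class names, the "cloud-tenant" destination and the command strings are all made up), this models why an egress-only firewall rule is enough: commands queued in the cloud are only ever handed over inside the response to a request the appliance itself opened.

```python
from collections import deque


class CloudService:
    """Stands in for the SaaS tenant: an admin action queues work, and the
    work is handed over only inside the response to an appliance's poll."""

    def __init__(self):
        self.pending = deque()
        self.results = []

    def enqueue(self, command):          # e.g. an aggregation started in the UI
        self.pending.append(command)

    def poll(self, appliance_id):        # served on an appliance-originated request
        return self.pending.popleft() if self.pending else None

    def report(self, appliance_id, command, status):
        self.results.append((appliance_id, command, status))


class EgressOnlyFirewall:
    """Stateful perimeter policy: one outbound allow rule, no inbound rules."""

    def __init__(self, allowed_destinations):
        self.allowed = set(allowed_destinations)

    def permits(self, direction, destination):
        return direction == "outbound" and destination in self.allowed


class Appliance:
    def __init__(self, appliance_id, cloud, firewall):
        self.id, self.cloud, self.firewall = appliance_id, cloud, firewall
        self.executed = []

    def poll_once(self):
        """One tick of the appliance's periodic check-in; returns the command
        it picked up, or None when the queue was empty."""
        if not self.firewall.permits("outbound", "cloud-tenant"):
            raise ConnectionError("egress to the tenant is blocked")
        command = self.cloud.poll(self.id)
        if command is not None:
            self.executed.append(command)                # work happens on-prem
            self.cloud.report(self.id, command, "done")  # result rides the same session
        return command


def run_scenario():
    """Constructed scenario: two queued commands, three polls, one push attempt."""
    cloud, fw = CloudService(), EgressOnlyFirewall(["cloud-tenant"])
    va = Appliance("va-01", cloud, fw)
    cloud.enqueue("aggregate:hr-source")
    cloud.enqueue("provision:new-user")
    picked = [va.poll_once() for _ in range(3)]   # third poll finds nothing
    push_allowed = fw.permits("inbound", "va-01")  # what a cloud->VA push would need
    return picked, cloud.results, push_allowed
```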