Need Guidance on Setting up Load Balancer Between Two IQService Hosts for AD Source HA

Hi Community,

I’m working on setting up high availability for an Active Directory (AD) source in SailPoint IdentityNow, and I need some guidance on the IQService + Load Balancer setup.

I have the following requirement:

  • Two Windows servers, each with IQService installed and configured with TLS.
  • A load balancer needs to be configured between these two servers to provide high availability for the AD source integration.

As I’m new to this kind of setup, I have some basic questions:

  1. I understand that IQService will be installed individually on both Windows servers – that’s clear.
  2. My confusion is regarding the Load Balancer setup:
  • Where should the Load Balancer be configured?
  • If I install it on one of the two IQService servers, it would compromise high availability (in case that server goes down), so that doesn’t seem feasible.
  • Do I need a third, separate host/server to install and configure the load balancer?

My goal is to ensure a proper and resilient architecture. I’d really appreciate it if someone could help clarify the basics or even share a simple diagram or example setup.

Thanks in advance!

In a nutshell, you need to install IQService on two or more Windows servers for HA and have the load balancer listen on port 5050/5051, and use that in your configuration.

Check this post for reference:

High Availability for IQService - Compass

In addition to Sunny's comment, I want to append the link below:

IQService architecture: Network ports and firewalls - Compass

Where to install that load balancer?

Where to Place the Load Balancer

You’ll place the load balancer in front of the IQService instances. Here’s a typical setup:

  1. IQService Hosts: You’ll have multiple Windows servers, each with the IQService installed.
  2. Load Balancer: The load balancer sits between these IQService hosts and the SailPoint Virtual Appliance (VA). The VA is the component that connects to ISC.
  3. Virtual Appliance (VA): The VA communicates with the load balancer, which then distributes traffic to the available IQService instances.

Check with your team (Network or Windows team) for the appropriate server to install it on.
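
The VA -> load balancer -> IQService path described in the reply above, as an added example that is not part of this thread or of SailPoint's documentation. It assumes HAProxy on a dedicated (third) host; any layer-4 balancer the network team already runs, such as a hardware appliance, can be configured the same way. The VIP address, backend addresses and host names are constructed, and it assumes 5051 is the TLS port per the standard IQService configuration. The point the config makes is that IQService speaks its own TCP protocol over TLS, so the balancer must run in TCP (layer 4) mode and pass the TLS session through untouched rather than terminate it or inspect it as HTTP.

```haproxy
# Added example: active/active TCP pass-through for two TLS-enabled IQService hosts.
# Addresses and names below are constructed for illustration.
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    mode    tcp            # layer 4 only: IQService is not HTTP, and TLS is NOT terminated here
    option  tcplog
    timeout connect 5s
    timeout client  300s   # long-running AD operations (e.g. group membership changes) must not be cut off
    timeout server  300s

# The AD source in IdentityNow is configured with this VIP's DNS name
# (e.g. iqservice-vip.corp.example, assumed) as the IQService host, port 5051.
frontend iqservice_tls
    bind 10.0.0.10:5051
    default_backend iqservice_hosts

backend iqservice_hosts
    balance leastconn
    # Layer-4 health check: a TCP connect to 5051 on each host.
    # A host is taken out after 2 failed checks (10 s) and put back after 3 successes.
    server iqsvc01 10.0.1.21:5051 check inter 5s fall 2 rise 3
    server iqsvc02 10.0.1.22:5051 check inter 5s fall 2 rise 3

# If a non-TLS IQService port (5050) is also used, add a matching frontend/backend pair;
# do not mix 5050 and 5051 backends in one pool, since the VA expects one protocol per port.
```

Two things to check before relying on this: the health check above only proves the port accepts a connection, so a host whose IQService is up but whose AD connectivity is broken still looks healthy, and the failover you get is at the network layer only; and because TLS is passed through, each IQService host must present a certificate the VA trusts. Confirm against SailPoint's IQService TLS documentation whether that certificate also has to match the VIP's DNS name the source is configured with, since that determines whether one shared certificate or per-host certificates are needed.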

Hi @Swati,

You absolutely should NOT install a load balancer on a server hosting the IQ Service or VA.

VA (Virtual Appliance): In the context of IdentityNow, “VA” typically refers to the Virtual Appliance for IdentityNow (VA) which hosts components like the Virtual Appliance Gateway for secure communication to certain on-premise applications (e.g., AD, LDAP). You cannot and should not install a load balancer directly on an IdentityNow VA. The VAs are purpose-built, locked-down virtual machines provided by SailPoint, and any unauthorized modification or installation is unsupported and will likely break the appliance.

After the load balancer is installed, applications like AD and LDAP will be pointed to the load balancer URL, which will finally connect to the on-premise applications (e.g., AD, LDAP).

Dedicated Server for Load Balancer:

  • Applies: Yes. If you are implementing a load balancer, it absolutely needs its own dedicated infrastructure (physical or virtual server, or a hardware appliance). This is standard for any load balancing solution.

Network Team Responsibility/Awareness:

  • Applies: Yes. Even more so in IDN, as network configurations are critical for connecting your on-premise resources (like AD, databases, HRIS) to the cloud-based IdentityNow service. The network team will be responsible for firewall rules, DNS, routing, and potentially the load balancer’s setup itself.
