Step-by-Step Guide to Setting Up SailPoint ISC Virtual Appliance

Kranthi

How I Deployed the SailPoint Virtual Appliance (VA) on Google Cloud — A Complete Step-by-Step Guide

When I first set out to deploy the SailPoint IdentityNow Virtual Appliance (VA), I assumed it would be a quick task. Instead, I ended up navigating through CLI setups, API issues, SSH failures, and a ton of firewall rules — and learned more than I ever expected.

If you're in the IAM or IGA space and looking to deploy a VA in Google Cloud Platform (GCP) for connecting your SailPoint tenant, this post is your go-to guide. Here's a full walkthrough of setting up the SailPoint VA in GCP.

📚 For official guidance, you can also refer to SailPoint’s documentation here: SailPoint VA Setup Docs


✅ Prerequisites

Before we start, make sure you have:

  • A Google Cloud project (with billing enabled)

  • Admin access to GCP

  • Google Cloud SDK installed on your local machine (CLI access)

  • A terminal (Mac/Linux/Windows)

  • A SailPoint tenant + Virtual Appliance (VA) OVA file


Step 1: Prepare Your Environment

# Install Google Cloud SDK (if not already installed; macOS with Homebrew)
$ brew install --cask google-cloud-sdk

# Authenticate to GCP
$ gcloud init

  • Sign in with your Google account.

  • Select your GCP project or create a new one.

  • Skip zone/region setup for now.


Step 2: Create a Cloud Storage Bucket for the VA Disk

# Create a unique bucket name
$ export BUCKET_NAME=sailpoint-va-bucket-$(date +%s)

# Create bucket in a region (example: us-central1)
$ gsutil mb -l us-central1 gs://$BUCKET_NAME/

If you see an AccessDeniedException, make sure billing is enabled and your IAM permissions are sufficient.


Step 3: Upload the VA Disk (VMDK) to the Bucket

  • First, extract the .ova file using 7-Zip or a similar tool. You'll get a .vmdk disk.

  • Place the .vmdk in a folder va-latest/.

# Copy extracted VMDK to the bucket
$ gsutil cp va-latest/sailpoint-va-disk1.vmdk gs://$BUCKET_NAME/va-latest/

Step 4: Import the VMDK as a GCP Image

Enable required APIs:

$ gcloud services enable compute.googleapis.com
$ gcloud services enable cloudbuild.googleapis.com

Then import the image:

$ gcloud compute images import va-image \
    --source-file=gs://$BUCKET_NAME/va-latest/sailpoint-va-disk1.vmdk \
    --no-guest-environment \
    --data-disk

If prompted for IAM permissions for cloudbuild.gserviceaccount.com, allow them.

✅ After a few minutes, GCP will create a va-image you can use to launch your VM.


Step 5: Create the VM from the Image

$ gcloud compute instances create sailpoint-va-vm2 \
    --zone=us-east1-b \
    --image=va-image \
    --image-project=$(gcloud config get-value project) \
    --machine-type=e2-medium \
    --boot-disk-size=128GB \
    --no-service-account \
    --no-scopes \
    --tags=allow-ssh

✅ Your VA instance will now appear in Compute Engine > VM Instances.
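
Step 5 tags the VM allow-ssh, but a network tag has no effect until a firewall rule targets it. The following added example (not from the original post; the rule name va-allow-ssh-admin, the default network, the /24 minimum prefix and the sample range 203.0.113.0/24 are assumptions) builds such a rule for one admin range and refuses broad sources such as 0.0.0.0/0.

```shell
#!/bin/sh
# Added example: firewall rule for the allow-ssh tag from Step 5, limited to
# one admin network. Rule name, network and the /24 floor are assumptions.

# valid_admin_cidr CIDR: succeed only for a well-formed IPv4 CIDR whose
# prefix is /24 or longer, so 0.0.0.0/0 and other broad ranges are refused.
valid_admin_cidr() {
  case $1 in
    *[!0-9./]* | */*/* | "") return 1 ;;   # stray characters or two slashes
    */*) ;;                                # exactly one slash: keep going
    *) return 1 ;;                         # no prefix length given
  esac
  addr=${1%/*}; prefix=${1#*/}
  case $prefix in ""|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 24 ] && [ "$prefix" -le 32 ] || return 1
  # Split the address on dots: exactly four octets, each 0-255.
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ""|????*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# va_ssh_rule_args CIDR: print the gcloud arguments, one per line.
va_ssh_rule_args() {
  valid_admin_cidr "$1" || { echo "refusing source range: $1" >&2; return 1; }
  printf '%s\n' compute firewall-rules create va-allow-ssh-admin \
    --network=default --direction=INGRESS --action=ALLOW \
    --rules=tcp:22 "--source-ranges=$1" --target-tags=allow-ssh
}

# create_va_ssh_rule CIDR: run gcloud with the validated arguments,
# for example: create_va_ssh_rule 203.0.113.0/24
create_va_ssh_rule() {
  args=$(va_ssh_rule_args "$1") || return 1
  # Word splitting is intended here: no argument contains whitespace.
  gcloud $args
}
```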


Step 6: Access the VA via Serial Console

Since SSH may not work by default, access the serial port:

$ gcloud compute connect-to-serial-port sailpoint-va-vm2 --zone us-east1-b

Login with:

Username: sailpoint
Password: S@ilp0int

⚠️ Be sure to change the default password after first login.


Step 7: Register the VA to Your SailPoint Tenant

Once logged in:

$ sudo /opt/sailpoint/va/scripts/configure-va.sh

  • Provide the activation key/token from the SailPoint IdentityNow Admin UI.

  • Wait for the VA to register and heartbeat.

✅ You can now view the VA status in Admin > Virtual Appliances in ISC.


Step 8: Verify and Test

Check log output:

$ tail -f /opt/sailpoint/va/log/va.log

Confirm your VA is connected and healthy.


Wrap-up

This entire setup, from converting the OVA to seeing my VA heartbeat in the SailPoint dashboard, took some trial and error. But once done, it gave me a strong foundation for integrating with other identity sources in SailPoint.

Let me know if you faced any issues while deploying the VA; I'm happy to help or discuss alternate approaches!

Stay tuned: I’ll publish a separate post about connecting this VA to a cloud database (like Google Cloud SQL) and aggregating data via JDBC.

Written by

Kranthi

👋 Hi, I’m Kranthi Kumar Puttapaka, a Certified SailPoint IAM Engineer with over 5 years of experience in building secure and scalable identity solutions. I help organizations streamline their Identity & Access Management (IAM) processes and strengthen their security posture. I specialize in designing and implementing enterprise-grade IAM systems using technologies like SailPoint IdentityIQ, Identity Security Cloud (ISC), Okta, Azure AD (Entra ID), and CyberArk. My focus areas include identity governance, access lifecycle automation, role-based access control, and Zero Trust security architectures. Over the years, I’ve led multiple SailPoint IIQ to ISC migration projects with zero downtime, developed custom connectors for seamless integrations, and implemented compliance frameworks like SOX, GDPR, HIPAA, and NIST. I also have hands-on experience with cloud platforms such as AWS and Azure, enabling organizations to adopt cloud-native identity governance. On the technical side, I work with Java, JavaScript, Python, and BeanShell for customization and automation. My toolkit includes Spring Boot, Spring Security, Docker, Terraform, and databases like MySQL, Oracle, MongoDB, and LDAP. Here on Hashnode, I write about IAM architecture patterns, SailPoint implementation deep dives, cloud identity strategies, Zero Trust security models, and real-world challenges I’ve solved in Identity Governance. Always excited to connect with fellow IAM professionals and share knowledge about building secure, scalable identity solutions. Let’s make the digital world more secure, one identity at a time!