IQService

So this snuck it without much fanfare but I was waiting for this feature (and just in time) as a client had just asked about it.

IDN is a great SaaS platform application which requires very little on-prem deployments. VA (Virtual Appliance) is obviously the key one but all the security and patching is managed by SailPoint itself. 

IQService is another must have tool for most clients as it is needed for AD Provisioning (among few other things it does for other connectors). So its generally deployed in nearly every client instance. One of the main thing about this is that it was not autoupdated and thus client needed to download the latest and do an update themselves. Although its not a lot (maybe twice a year) but still good to have a software which can patch itself to latest version. And of course this is optional and who don’t want this can choose not to install the feature but we highly recommend it.  

You DON’T need to give internet access to the IQService boxes to download latest updates. The latest IQService binaries are pushed to and are present on VA. This is via our existing process of update bundles being pushed to VA from cloud. At connector level, version is checked for IQService and if there is mismatch (new version available), latest version will be pushed out to UpdateService from the VA (As they already have line of sight to each other). Then UpdateService will coordinate and update local and then remote services.  It is quite simple process where in the respective services are stopped and binaries are replaced.

Article assumes you know what IQService is and where to deploy it. I will quickly give some commands on how to do so with the latest release. I will show various setups and quick commands to run to update them.

NOTE: You must have Provisioning License to use IQService. Talk to your CSM about it and make sure you are licensed to use it.

Documentation: https://documentation.sailpoint.com/connectors/iqservice/help/integrating_iqservice_admin/intro.html

Uninstall Previous IQService

Single Box install with Fallback Implementation

Assumptions

• Installing TLS port only: 5060
• UpdateService Port: 5062
• User authenticating against IQService: abc\sailpoint
• Software downloaded and extracted: C:\SailPoint\IQService\
• Domain: abc.local
• Certificates already configured and working for TLS (Check this post to do self sign cert for home labs)
• Firewall is open for TLS port. You don’t have to open for 5062 as no remote IQService is connecting to it in this configuration. 

Check Status of Services

Check Status of UpdateService

Multiple Box Install with Client Side Load Balancer

Assumptions

• Installing TLS port only: 5060
• UpdateService Port: 5062
• User authenticating against IQService: abc\sailpoint
• Software downloaded and extracted: C:\SailPoint\IQService\
• Domain: abc.local
• Certificates already configured and working for TLS (Check this post to do self sign cert for home labs)
• Firewall is open for ports 5060 TLS on both servers and on primary server for UpdateService 5062 to accept incoming requests from other IQService boxes for update check.
• Installing on two boxes: iqservice1.abc.local (considered primary) ; iqservice2.abc.local (considered secondary)
• Box boxes can talk to each other for UpdateService

iqservice1.abc.local (installing UpdateService here)

iqservice2.abc.local (Going to connect to above UpdateService Instance)

That is it!!! you should have an IQService which can update itself and keep the environment updated with latest features and bug fixes.