CloudFlare Migration - Customer FAQ


What is CloudFlare?

CloudFlare is a distributed Content Delivery Network (CDN) provider and Web Application Firewall (WAF) service provider. Its worldwide network helps protect SaaS products like IdentityNow from Distributed Denial of Service (DDoS) and other common attacks.

CloudFlare maintains numerous industry certifications, including ISO 27001, SOC 2 Type II and PCI DSS 3.1. More information about CloudFlare’s compliance can be found here: Certifications and compliance resources | CloudFlare

 

What is SailPoint using CloudFlare for?

SailPoint is deploying CloudFlare’s vast content delivery network and security services to protect its SaaS products, including IdentityNow, from DDoS and other common attacks as part of SailPoint’s Defense in Depth security strategy.

 

What is happening in this migration and why is SailPoint doing this?

During the migration, SailPoint will be changing its Domain Name System (DNS) records for its SaaS products to route through CloudFlare’s Content Delivery Network and Web Application Firewall (WAF) services. This change is not expected to have any impact on your usage of our SaaS applications.

 

Do users need to do anything different after this migration?

Customers will not need to change anything. You will continue to access SailPoint products at their current URLs, and no changes to bookmarks or links will be required.

 

What exactly is changing and what URLs do customers have to allow in their outbound firewall?

The hostnames and URLs your users access will not change. The hostnames will now direct the traffic to our SaaS platform via the CloudFlare network whereas, before, it would go directly to our SaaS endpoints.

Specific IP addresses for those hostnames will point to CloudFlare instead of directly at our edge endpoints. These IPs can change at any time, so IP-based firewall rules are not supported by SailPoint.

 

How can we make sure that our network is not blocking the SailPoint SaaS environments when they are behind CloudFlare?

To verify that your users will not be impacted by this change, you can use this web address to validate network connectivity:

https://cloudflaretest.identitynow.com/

When you open this in your browser, you should see the IdentityNow sign-in page:

[Screenshot: index.png, the IdentityNow sign-in page]

If you do not see this sign-in screen or you get an error, please contact your network administrators to allow this network connectivity. In a later question in this FAQ, we have provided a sample request you can send to your administrators that explains what is needed.

 

How can we make sure that our Virtual Appliances will not be impacted by this migration?

To validate that your Virtual Appliances' connectivity to SailPoint will not be affected, log in to the shell of one of your appliances and run this command:

 

You should see this output:

{"error":"No message available"}

If you do not, please reach out to your network administrators to allow this connectivity. In a later question in this FAQ, we have provided a sample request you can send to your administrators that explains what is needed.

  

How do the provided network tests work and what do they tell us?

We have created a test tenant in our production environment and migrated it to be behind CloudFlare in the exact same way your tenant will be migrated in the future. All requests to the tenant endpoints are routed via CloudFlare’s security services. This means that if you are able to access the test tenant in your browser, you will be able to access your Sandbox and Production tenants after the migration is complete.

If either the browser login page test or the VA curl test does not produce the expected result, please contact your network administrators with the message provided below to explain the issue.

 

What do I need to tell my network administrators if the Virtual Appliance or web browser cannot connect to the test web address?

Provide this message from SailPoint to your network administration team.

Network Administration Team:

SailPoint provides Identity Management software to your company via an online SaaS platform. We are migrating our SaaS edge endpoints to be protected by CloudFlare's CDN and WAF services. We have migrated a test endpoint behind CloudFlare for our customers to use to comprehensively validate your users' ability to access our SaaS platform after we complete your site’s migration to CloudFlare. You are getting this request because our contact at your company was unable to verify successful network connectivity to our test endpoint.

There are 2 key endpoints to test.

  • The UI, which can be tested by loading this URL in any web browser:

    https://cloudflaretest.identitynow.com/

    This should present an IdentityNow sign-in page.

  • The API, which must be tested by logging into the console of one of the SailPoint IdentityNow Virtual Appliances running in your environment and attempting to access this API URL with the curl command:

    curl https://cloudflaretest.api.identitynow.com

    This should return this string: {"error":"No message available"}

If the web page does not load, there is likely an outbound network rule denying this connectivity. The same applies to the API URL test, but the block might be on the network used by the Virtual Appliance.

The method to allow this traffic will depend on the nature of the network rule blocking it. URL or DNS based allow rules will work correctly after the migration, as your tenant hostnames will not change. This can be validated by adding an allow rule for the test tenant hostnames. Other ways of filtering traffic may require additional action for both the test URL and your tenants' URLs.

If you have further questions, please work with your IdentityNow administrator to contact our Support team.

Thank you,

SailPoint SaaS DevOps
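As an added example, not code from SailPoint or from this FAQ, the two tests described above (the Virtual Appliance curl test from the earlier question and the UI and API checks in the message to network administrators) are scripted here in POSIX shell so they can be run from the appliance shell and report a plain-language reason when they fail. The two URLs and the expected API response string are the ones given in the FAQ; the function names, the `--live` flag and the mapping of curl exit codes to likely causes are this example's own assumptions (the codes themselves are from curl's manual page).

```shell
#!/bin/sh
# Added example (not SailPoint's or Cloudflare's code): scripted version of the
# two connectivity tests in the FAQ. The URLs and the expected API body are
# taken from the FAQ; everything else is an assumption of this example.

UI_URL="https://cloudflaretest.identitynow.com/"
API_URL="https://cloudflaretest.api.identitynow.com"
EXPECTED_API_BODY='{"error":"No message available"}'

# Exact-match check of an API response body against the FAQ's expected string.
api_body_ok() {
  [ "$1" = "$EXPECTED_API_BODY" ]
}

# The UI test passes when the server answers with a success or a redirect
# status; a proxy block page or a dropped connection gives neither.
ui_status_ok() {
  case "$1" in
    2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Map curl's documented exit codes to the kind of block an administrator
# should look for.
curl_exit_hint() {
  case "$1" in
    0)     echo "ok" ;;
    6)     echo "DNS resolution failed (hostname blocked or not resolvable)" ;;
    7)     echo "TCP connection failed (outbound 443 filtered?)" ;;
    28)    echo "timed out (traffic silently dropped?)" ;;
    35|60) echo "TLS handshake or certificate problem (intercepting proxy?)" ;;
    *)     echo "curl exit code $1" ;;
  esac
}

# Live API test: fetch the body and compare it with the expected string.
check_api_endpoint() {
  url="${1:-$API_URL}"
  rc=0
  body=$(curl -s --max-time 15 "$url" 2>/dev/null) || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "FAIL api $url: $(curl_exit_hint "$rc")"
    return 1
  fi
  if api_body_ok "$body"; then
    echo "PASS api $url"
    return 0
  fi
  echo "FAIL api $url: unexpected body: $body"   # e.g. a proxy block page
  return 1
}

# Live UI test: only the HTTP status is needed; the HTML itself is discarded.
check_ui_endpoint() {
  url="${1:-$UI_URL}"
  rc=0
  status=$(curl -s --max-time 15 -o /dev/null -w '%{http_code}' "$url" 2>/dev/null) || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "FAIL ui  $url: $(curl_exit_hint "$rc")"
    return 1
  fi
  if ui_status_ok "$status"; then
    echo "PASS ui  $url (HTTP $status)"
    return 0
  fi
  echo "FAIL ui  $url: HTTP $status"
  return 1
}

# Run the live tests only when asked, so the helpers can also be sourced and
# exercised without network access.
if [ "${1:-}" = "--live" ]; then
  failed=0
  check_ui_endpoint || failed=1
  check_api_endpoint || failed=1
  exit "$failed"
fi
```

Run it as `sh check_cloudflare_test.sh --live` from the appliance shell; a FAIL line names the endpoint and the likely class of block (DNS, TCP, timeout, TLS interception, or an unexpected body such as a proxy's block page), which is the detail the network team needs alongside the message above.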

 

My tenant is using my own domain (Vanity Domain) instead of identitynow.com. Will this change affect me?

Yes, this security improvement will also be applied to tenants using their own domains to access our SaaS products. There is nothing extra that customers who use Vanity Domains need to do, and you can still use the verification link above to ensure that your users will be able to access our SaaS platform after the migration.

 

Can we test in Sandbox prior to going live in Production?

SailPoint will migrate sandbox tenants first before moving on to production tenants. We plan to complete the updates to Sandbox tenants by February 3, 2023 and start the production updates on February 6, 2023. This allows for a two-week period where you will be able to ensure that your sandbox tenant and its Virtual Appliances are healthy.

 

What do we do if we are unable to validate connectivity and/or make the needed fixes before the migration?

Please reach out to our Support team with any issues you encounter, including delays.

 

What IP addresses does CloudFlare use?

CloudFlare maintains a list of the IP ranges for their networks here: IP Ranges | Cloudflare
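An added example, not SailPoint's or Cloudflare's code, that turns the two points above (tenant hostnames now resolve to CloudFlare addresses that can change at any time, and CloudFlare publishes its ranges) into a diagnostic: resolve a tenant hostname and report whether each address lies inside a supplied list of CloudFlare IPv4 ranges, which tells you whether that tenant has already been moved behind CloudFlare. The four CIDR blocks in the script are a constructed sample and must be replaced with the current list from the IP Ranges page linked above; `getent` is assumed to be available, as on a Linux host. The result is for diagnosis only, since the FAQ states that IP-based firewall rules are not supported.

```shell
#!/bin/sh
# Added example (not SailPoint's or Cloudflare's code): check whether the
# address a hostname currently resolves to lies inside Cloudflare's published
# IPv4 ranges. The list below is a CONSTRUCTED SAMPLE; refresh it from
# Cloudflare's "IP Ranges" page before relying on the result.

CLOUDFLARE_V4_SAMPLE="104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 173.245.48.0/20"

# Dotted-quad IPv4 -> 32-bit integer, using only POSIX shell arithmetic.
ip4_to_int() {
  saved_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$saved_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when IPv4 address $1 is inside CIDR block $2 (e.g. 104.16.0.0/13).
ip4_in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  if [ "$bits" -eq 0 ]; then
    return 0
  fi
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Return 0 when $1 is inside any block of the space-separated list $2.
ip4_in_ranges() {
  for block in $2; do
    if ip4_in_cidr "$1" "$block"; then
      return 0
    fi
  done
  return 1
}

# Resolve a hostname's IPv4 addresses, one per line (getent assumed present).
resolve_ipv4() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Report, for each address a hostname resolves to, whether it is currently a
# Cloudflare address. Addresses can change at any time, so this is a
# diagnostic, not input for a firewall rule.
report_host() {
  host=$1
  ranges=${2:-$CLOUDFLARE_V4_SAMPLE}
  addrs=$(resolve_ipv4 "$host")
  if [ -z "$addrs" ]; then
    echo "$host: no IPv4 address (DNS blocked or not resolvable)"
    return 1
  fi
  for a in $addrs; do
    if ip4_in_ranges "$a" "$ranges"; then
      echo "$host -> $a (Cloudflare range)"
    else
      echo "$host -> $a (not in the supplied Cloudflare ranges)"
    fi
  done
}

# Usage: sh cf_ranges.sh <tenant-hostname>
if [ -n "${1:-}" ]; then
  report_host "$1"
fi
```

Running it against the test tenant hostname and then against your own sandbox and production hostnames shows which of them already resolve into CloudFlare space, which is a quick way to confirm the sandbox-first migration order before the production date.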

Last update: Jan 11, 2023 02:44 PM (revision 2 of 2)