top of page

Load Balancing Puppet on a Netscaler VPX 1000

Updated: Dec 31, 2021

American Kestrel; photo by Ryan Murphy.

This guide will give you a high level overview of setting up Puppet Open Source in an enterprise  environment, while load balancing and content switching through a Netscaler VPX 1000. We’ll assume that you have a CA, (2) Catalog Servers and a Reporting Server already setup.

Create Servers in Netscaler

First we’ll create the server objects in the Netscaler, these will be our primary Catalog (CAT), Certificate (CA) and Report (RPT) servers.

  • Traffic Management -> Load Balancing -> Servers -> Add

  • PUPPET-CA01 /

  • PUPPET-CAT01 /

  • PUPPET-CAT02 /

  • PUPPET-RPT01 /

Create Service Group for CA, CAT and RPT servers

This will create the Service Groups in the Netscaler which are used to tie services together. When adding servers to service groups, you must specify the port the Netscaler will communicating with them on . The default check is a simple ping which will determine if the hosts are alive.

  • Traffic Management -> Load Balancing -> Service Groups -> Add


  • Add servers to their respective Service Groups and define the communication port. (18140 in this case)

Create Load Balancing Virtual Server for each of the Service Groups

This will allow communication to be load balanced between the servers within the Service Groups.

  • Traffic Management -> Load Balancing -> Virtual Servers -> Add


  • Ensure the persistence is set to SOURCEIP for each

  • Add Service Group binding

  • Select the previously created Service Group that matches this Virtual Server

  • Add persistence

Create Content Switching Actions and Policies

This will create the Content Switching action which links a Load Balancing Virtual Server and a Content Switching action. This will also create a content switching policy which will define what we content switch on.

  • Traffic Management -> Content Switching -> Actions -> Add

  • Create one each for: puppet_catalog / puppet_report / puppet_ca

  • Traffic Management -> Content Switching -> Policies -> Add

  • This will split the traffic out based on what the request URL contains. We only use

/report/ and /certificate because all the rest of the traffic will be directed to the Catalog server.

  • Create one each for: puppet_report / puppet_ca

  • The example shows puppet_report which uses the /report/ string to match traffic. The puppet_ca is identical except it matches on /certificate (note the lack of the slash at the end).

Upload Puppet Certificate Pair

This will add Puppet’s certificates to the Netscaler so the Netscaler will be able to authenticate clients.

  • Locate the Puppet certificates on the CA. Save these locally.

  • Puppet Public Key: /var/lib/puppet/ssl/certs/

  • Puppet Private Key: /var/lib/puppet/ssl/certs/private_keys

  • Copy these to the Netscaler

  • Traffic Management -> SSL -> Certificates -> Install

  • Upload and install

Create HTTP header rewrite actions and policies

This will create the HTTP header policies which will create a header called “X-Client-DN” that contains the FQDN of the requesting node.

  • AppExpert -> Rewrite -> Actions -> Add

  • Create one each for: PUPPET-AddCertVerify / PUPPET-AddCertDN

  • The example shows PUPPET-AddCertDN which uses X-Client-DN header and sets it to the subject name of the client’s cert. PUPPET-AddCertVerify is the same, except it sets X-Client-Verify to the result of certificate verification (Ex. SUCCESS /


  •  For X-Client-DN, the value should be in the format of “”

  • AppExpert -> Rewrite -> Policies / Add

Create Content Switching Virtual Server

This is the main contact point for Puppet. You must chose a unique IP which will be mapped to This is the hostname that all agents will use to connect to Puppet.

  • Traffic Management -> Content Switching -> Virtual Servers -> Add

  • Add previously created Content Switching Policies

  • Make sure to add puppet_catalog as the default load balancing virtual server to forward all non certificate/report requests there.

  • Add ECC Curves and SSL Parameters

  • Verify Client Authentication is enabled and set to optional

  • Session Reuse should be enabled.

  • Add previously created server certificates

  • Add previously created HTTP rewrite policies

  • The example shows PUPPET-AddCertVerify, you must also add PUPPET-AddCertDN which is exactly the same except Goto Expression should be END and priority should be 110


  • An issue to note, Puppet nodes by default will use a 4096 bit public key when generating certificates. As of NS 11.0 build 65.31, the Netscaler’s client authentication will fail on certificates with a 4096 bit key length and above. Therefore, you may have to force Puppet to generate 2096 bit key length certificates. In the agent’s puppet.conf (In Windows, C:ProgramDataPuppetLabspuppetetcpuppet.conf) specify the keylength option.


bottom of page