Updated: Dec 31, 2021
This guide will give you a high level overview of setting up Puppet Open Source in an enterprise environment, while load balancing and content switching through a Netscaler VPX 1000. We’ll assume that you have a CA, (2) Catalog Servers and a Reporting Server already setup.
Create Servers in Netscaler
First we’ll create the server objects in the Netscaler, these will be our primary Catalog (CAT), Certificate (CA) and Report (RPT) servers.
Traffic Management -> Load Balancing -> Servers -> Add
PUPPET-CA01 / 192.168.0.30
PUPPET-CAT01 / 192.168.0.31
PUPPET-CAT02 / 192.168.0.32
PUPPET-RPT01 / 192.168.0.33
Create Service Group for CA, CAT and RPT servers
This will create the Service Groups in the Netscaler which are used to tie services together. When adding servers to service groups, you must specify the port the Netscaler will communicating with them on . The default check is a simple ping which will determine if the hosts are alive.
Traffic Management -> Load Balancing -> Service Groups -> Add
Create one each for: SG-PUPPET-CATALOG / SG-PUPPET-CA / SG-PUPPET-REPORT
Add servers to their respective Service Groups and define the communication port. (18140 in this case)
Create Load Balancing Virtual Server for each of the Service Groups
This will allow communication to be load balanced between the servers within the Service Groups.
Traffic Management -> Load Balancing -> Virtual Servers -> Add
Create one each for: VIP-PUPPET-CATALOG / VIP-PUPPET-CA / VIP-PUPPET-REPORT
Ensure the persistence is set to SOURCEIP for each
Add Service Group binding
Select the previously created Service Group that matches this Virtual Server
Create Content Switching Actions and Policies
This will create the Content Switching action which links a Load Balancing Virtual Server and a Content Switching action. This will also create a content switching policy which will define what we content switch on.
Traffic Management -> Content Switching -> Actions -> Add
Create one each for: puppet_catalog / puppet_report / puppet_ca
Traffic Management -> Content Switching -> Policies -> Add
This will split the traffic out based on what the request URL contains. We only use
/report/ and /certificate because all the rest of the traffic will be directed to the Catalog server.
Create one each for: puppet_report / puppet_ca
The example shows puppet_report which uses the /report/ string to match traffic. The puppet_ca is identical except it matches on /certificate (note the lack of the slash at the end).
Upload Puppet Certificate Pair
This will add Puppet’s certificates to the Netscaler so the Netscaler will be able to authenticate clients.
Locate the Puppet certificates on the CA. Save these locally.
Puppet Public Key: /var/lib/puppet/ssl/certs/
Puppet Private Key: /var/lib/puppet/ssl/certs/private_keys
Copy these to the Netscaler
Traffic Management -> SSL -> Certificates -> Install
Upload and install
Create HTTP header rewrite actions and policies
This will create the HTTP header policies which will create a header called “X-Client-DN” that contains the FQDN of the requesting node.
AppExpert -> Rewrite -> Actions -> Add
Create one each for: PUPPET-AddCertVerify / PUPPET-AddCertDN
The example shows PUPPET-AddCertDN which uses X-Client-DN header and sets it to the subject name of the client’s cert. PUPPET-AddCertVerify is the same, except it sets X-Client-Verify to the result of certificate verification (Ex. SUCCESS /
FAILURE / NONE)
For X-Client-DN, the value should be in the format of “CN=hostname.domain.com”
AppExpert -> Rewrite -> Policies / Add
Create Content Switching Virtual Server
This is the main contact point for Puppet. You must chose a unique IP which will be mapped to puppet.domain.com. This is the hostname that all agents will use to connect to Puppet.
Traffic Management -> Content Switching -> Virtual Servers -> Add
Add previously created Content Switching Policies
Make sure to add puppet_catalog as the default load balancing virtual server to forward all non certificate/report requests there.
Add ECC Curves and SSL Parameters
Verify Client Authentication is enabled and set to optional
Session Reuse should be enabled.
Add previously created server certificates
Add previously created HTTP rewrite policies
The example shows PUPPET-AddCertVerify, you must also add PUPPET-AddCertDN which is exactly the same except Goto Expression should be END and priority should be 110
An issue to note, Puppet nodes by default will use a 4096 bit public key when generating certificates. As of NS 11.0 build 65.31, the Netscaler’s client authentication will fail on certificates with a 4096 bit key length and above. Therefore, you may have to force Puppet to generate 2096 bit key length certificates. In the agent’s puppet.conf (In Windows, C:ProgramDataPuppetLabspuppetetcpuppet.conf) specify the keylength option.