How to run a satellite server behind an F5 BIG-IP load balancer

Latest response

Hi, folks,

 We'd like to put a front end for our satellite server on our F5 BIG-IP load balancer as That virtual server would have a connection pool behind it containing the actual machine,

 So what are my options? Can I simply rewrite the URI as it comes in from satellite to Do I need to generate certificates on that look like they're on satellite? Do I need to do SSL at the load balancer after all? I planned to just pass it through.

 More to the point, how have +you+ made this work?


 John A


We do exactly that.. for our organization . As far as SSL certificates, we generate and provision internally signed certificates from our internal CA. We generated a Satellite certificate with multiple Subject Alternative Names that include all of the possible combinations of the host name (rhn6.ha.xxxx.nfcu,,, etc...) And then followed the documentation for using a custom SSL certificates.

I have a related question which is almost on topic so I ask in this thread.

Is it possible to have a load balanced pool of Satellite6 capsules behind a F5 BIG-IP load balancer?

Currently we have about 4500 servers managed by two Satellite 5 hosts. I hope to be able to manage all servers with one Satellite6 installation. The need for multiple capsules is particulary caused by Puppet. Currently we use PE for Prod/QA and Puppet open source for Test/Dev. We have in total 8 hosts serving Puppet catalogs (puppet masters, compile masters if you wish). I hope to migrate everything to Satellite6 to simplify and save license costs for PE.

This Satellite 6 HA Reference doc has a lot of good information and one scenario (unofficial I believe) for setting up a Satellite 6 HA Environment. Section 5 in Particular covers External Capsule and Load Balancers and you may find it useful.

All this was super helpful in making our Satellite installation work--thanks!

Now I'm trying to do a satellite-installer --scenario satellite --upgrade and failing. I'm not sure exactly what is wrong. The guide referenced above is undoubtedly helpful for load-balanced capsules, but I've got a single capsule attached to a single satellite.

Any further thoughts are welcome.

Hi Will,

could you please provide the procedure on how we need to generate a Satellite certificate with multiple Subject Alternative Names. we already applied with custom certificate by creating individual certificate for satellite and capsule servers while this was in standalone mode. shall we need to follow the , because this script doesn't point to any custom certificate .

please advise.

This kb has references to the documentation on how to use a custom certificate

as far as generating the request with SAN's there are many directions on the Net for this

but you simply generate the CSR with all of the Subject Alternative names that you want to use (eg,, etc...)

this way the SSL cert will be valid for all of the names you could potentially use to connect to it.

Does load balancing of Capsules only really provide redundancy for registering systems? Eg. vmnode1 and are registered via and are what's behind Once vmnode[1-2] are registered, what happens if I want to install/update packages on vmnode[1-2] while one of the capsule[1-2] servers is unavailable? Wouldn't a given vmnode[1-2] be registered specifically using the katello-ca-consumer*.rpm for a given capsule? Or is only helpful for registering new systems and spreading the load across capsule servers, but not necessarily redundancy for systems that are already registered? Not sure if I'm making myself clear on what I want to express here.

check out

Ah, I see now. It looks like what I needed (cough-cough...missed). I'll give it a whirl. Thanks for the quick response. Cheers!

found there is 6.5 release of the same document.

Notice to all,

I found the two articles, but due to the small environments I manage less than 30 clients per RH Satellite 6.5.1 server HA is much to expensive to deploy.


Jan Gerrit Kootstra

Hi John,

Read the documents carefully the Capsules are load-balanced, not the Satellite server itself. Some attempts have been made in the past to make Satellite server run under Pacemaker to make it HA in failover mode, not as Active-Active load-balance groups.

The reference architecture has been withdrawn, now the "HA solution" states, file a request for consultancy or contact your TAM for an advise.


Jan Gerrit Kootstra