How to run a satellite server behind an F5 BIG-IP load balancer

Latest response

Hi, folks,

 We'd like to put a front end for our satellite server on our F5 BIG-IP load balancer as That virtual server would have a connection pool behind it containing the actual machine,

 So what are my options? Can I simply rewrite the URI as it comes in from satellite to Do I need to generate certificates on that look like they're on satellite? Do I need to do SSL at the load balancer after all? I planned to just pass it through.

 More to the point, how have +you+ made this work?


 John A


We do exactly that.. for our organization . As far as SSL certificates, we generate and provision internally signed certificates from our internal CA. We generated a Satellite certificate with multiple Subject Alternative Names that include all of the possible combinations of the host name (rhn6.ha.xxxx.nfcu,,, etc...) And then followed the documentation for using a custom SSL certificates.

I have a related question which is almost on topic so I ask in this thread.

Is it possible to have a load balanced pool of Satellite6 capsules behind a F5 BIG-IP load balancer?

Currently we have about 4500 servers managed by two Satellite 5 hosts. I hope to be able to manage all servers with one Satellite6 installation. The need for multiple capsules is particulary caused by Puppet. Currently we use PE for Prod/QA and Puppet open source for Test/Dev. We have in total 8 hosts serving Puppet catalogs (puppet masters, compile masters if you wish). I hope to migrate everything to Satellite6 to simplify and save license costs for PE.

This Satellite 6 HA Reference doc has a lot of good information and one scenario (unofficial I believe) for setting up a Satellite 6 HA Environment. Section 5 in Particular covers External Capsule and Load Balancers and you may find it useful.

All this was super helpful in making our Satellite installation work--thanks!

Now I'm trying to do a satellite-installer --scenario satellite --upgrade and failing. I'm not sure exactly what is wrong. The guide referenced above is undoubtedly helpful for load-balanced capsules, but I've got a single capsule attached to a single satellite.

Any further thoughts are welcome.

Hi Will,

could you please provide the procedure on how we need to generate a Satellite certificate with multiple Subject Alternative Names. we already applied with custom certificate by creating individual certificate for satellite and capsule servers while this was in standalone mode. shall we need to follow the , because this script doesn't point to any custom certificate .

please advise.

This kb has references to the documentation on how to use a custom certificate

as far as generating the request with SAN's there are many directions on the Net for this

but you simply generate the CSR with all of the Subject Alternative names that you want to use (eg,, etc...)

this way the SSL cert will be valid for all of the names you could potentially use to connect to it.