diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index a90187940..32e2c335e 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -913,7 +913,8 @@ class tripleo::haproxy (
     # same IP.
     ::tripleo::haproxy::endpoint { 'keystone_admin':
       internal_ip     => hiera('keystone_admin_api_vip', $controller_virtual_ip),
-      service_port    => $ports[keystone_admin_api_port],
+      service_port    => $ports[keystone_public_api_port],
+      haproxy_port    => $ports[keystone_admin_api_port],
       ip_addresses    => hiera('keystone_public_api_node_ips', $controller_hosts_real),
       server_names    => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
       mode            => 'http',
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
index 3b9715460..ac365b8ba 100644
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@@ -28,6 +28,10 @@
 #  Options for the balancer member, specified after the server declaration.
 #  These should go in the member's configuration block.
 #
+# [*haproxy_port*]
+#  An alternative port, on which haproxy will listen for incoming requests.
+#  Defaults to service_port.
+#
 # [*base_service_name*]
 #  In cases where the service name doesn't match the endpoint name, you can
 #  specify this option in order to get an appropriate value for $ip_addresses
@@ -115,6 +119,7 @@ define tripleo::haproxy::endpoint (
   $internal_ip,
   $service_port,
   $member_options,
+  $haproxy_port                = undef,
   $base_service_name           = undef,
   $ip_addresses                = hiera("${name}_node_ips", undef),
   $server_names                = hiera("${name}_node_names", undef),
@@ -135,6 +140,14 @@ define tripleo::haproxy::endpoint (
   $session_cookie              = 'STICKYSESSION',
 ) {
 
+  if $haproxy_port {
+    $haproxy_port_real = $haproxy_port
+    $service_port_real = $service_port
+  } else {
+    $haproxy_port_real = $service_port
+    $service_port_real = $service_port
+  }
+
   if $base_service_name {
     $ip_addresses_real = hiera("${base_service_name}_node_ips", undef)
   } else {
@@ -165,7 +178,7 @@ define tripleo::haproxy::endpoint (
                                         union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
     } else {
       $listen_options_precookie = merge($listen_options, $custom_options)
-      $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
+      $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
     }
   } else {
     # internal service only
@@ -197,14 +210,14 @@ define tripleo::haproxy::endpoint (
       # contain the path that we'll use under 'service_pem'.
       $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
     }
-    $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
+    $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
                                         union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
   } else {
     if $service_network == 'external' and $public_certificate {
-      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
+      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
                                           union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
     } else {
-      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
     }
   }
   if $authorized_userlist {
@@ -236,7 +249,7 @@ define tripleo::haproxy::endpoint (
       $non_colon_ip = regsubst($ip, ':', '-', 'G')
       haproxy::balancermember { "${name}_${non_colon_ip}_${server}":
         listening_service => $name,
-        ports             => $service_port,
+        ports             => $service_port_real,
         ipaddresses       => $ip,
         server_names      => $server,
         options           => union($member_options, ["cookie ${server}"]),
@@ -245,7 +258,7 @@ define tripleo::haproxy::endpoint (
   } else {
     haproxy::balancermember { "${name}":
       listening_service => $name,
-      ports             => $service_port,
+      ports             => $service_port_real,
       ipaddresses       => $ip_addresses_real,
       server_names      => $server_names_real,
       options           => $member_options,
@@ -258,10 +271,17 @@ define tripleo::haproxy::endpoint (
     # a port for the regular service and also the ssl port for the service.
     # It makes sure we're not trying to create TCP iptables rules where no port
     # is specified.
-    if $service_port {
-      $haproxy_firewall_rules = {
+    if $service_port_real {
+      $service_firewall_rules = {
         "100 ${name}_haproxy"     => {
-          'dport' => $service_port,
+          'dport' => $service_port_real,
+        },
+      }
+    }
+    if $service_port_real != $haproxy_port_real {
+      $haproxy_firewall_rules = {
+        "100 ${name}_haproxy_frontend"     => {
+          'dport' => $haproxy_port_real,
         },
       }
     }
@@ -274,8 +294,8 @@ define tripleo::haproxy::endpoint (
     } else {
       $haproxy_ssl_firewall_rules = {}
     }
-    $firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
-    if $service_port or $public_ssl_port {
+    $firewall_rules = merge($service_firewall_rules, $haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
+    if $service_port_real or $public_ssl_port {
       create_resources('tripleo::firewall::rule', $firewall_rules)
     }
   }