Puppetmaster behind firewall

Tags: puppet, puppetmaster

I'm trying to run puppet on some servers outside my corporate firewall, with the puppetmaster inside the firewall. It's going to be extremely difficult, if not impossible, to convince corporate IT to open port 8140 for me, so what are my options to get it working?

Best Answer

This is one of the joys of working for a large corporation. You may be a sysadmin for one of many small departments and not part of the I.T. department at all. You ring up the centralised help desk that supports all 10,000 desktop workers:

You: Hi, I'd like to request a modification to the office primary inbound firewall to allow 192.0.2.0/24 to access 10.0.5.0/24 on port 8140.
Them: Is it a PC or a Mac?
You: What? No, I'm requesting a firewall modification for the entire office. There's nothing wrong with my computer.
Them: OK, what I want you to do is go to the "Start" menu and <click>...


Get to know the managers of the I.T. department. Get to know the guys who work in the NOC. Actually walk down there, introduce yourself and have a chat with them. Getting things done in a large corporation is all about who you know and how much they like you.

Now, the next time you need something like this done, don't ring corporate I.T. Call the deputy I.T. director or the head of NetOps directly.

IT Director: Hey Brooks, what can I do for you today?
You: I'm setting up a shared Puppet for our production and dev servers and I need the Puppet clients in production to talk to the Puppet master in the office.
IT Director: OK, just send an email with the IP address details to John in the NOC and I'll approve the request when it comes through. By the way, how did your game go on the weekend?

Note that the above conversation is not the one you are going to have tomorrow. It's the one you will have in three months' time, when every competent sysadmin and IT manager knows your name. Tomorrow is for starting to get to know these guys.


While you're working on your people skills, is it a requirement that the Puppet master be inside your office?

Why not put it in the same place as the clients? That would solve your problem and most likely other problems such as latency and dropped connections.