The easiest way is to deploy a foreman proxy + puppet master on a separate host. That frees up port 443. Then register that foreman-proxy to Foreman. It should detect the Puppet feature and allow selection. I’d also advise to remove the Puppet master from the Foreman server.
To test with this a while back I also went a step further by running Foreman, Foreman Proxy and Puppetserver on 3 separate servers. At this point I wouldn’t recommend it, but splitting of the proxy + Puppetserver is a good idea. See the PR for some inspiration: