Your organization can subscribe to one or more ports, associate them with a location, and then forward your remote user traffic to those ports. Forwarding remote users to your subscribed ports enables the Zscaler service to do the following:
For enhanced security and to prevent unauthorized use of the subscribed ports, authentication must be enforced for the location associated with the ports. The service blocks traffic that it cannot authenticate, such as transactions that have an unknown user-agent or a non-HTTP protocol, if it is from an IP address that an authenticated user has not used.
When traffic from a known location arrives at a subscribed proxy port, the service applies the policies of the known location and not the location associated with the subscribed port.
Additionally, you can enable the service to map users to their external IP addresses as well so it can apply user-level policies to remote user traffic that it cannot authenticate.
After you configure the proxy ports on the Admin Portal, edit the PAC file for your remote users in order to forward their traffic to the subscribed proxy ports.