Your organization can subscribe to one or more ports, associate them with a location, and then forward your remote user traffic to those ports. Forwarding remote users to your subscribed ports enables the Zscaler service to do the following:

• When SSL Inspection is enabled at the location, the service can apply all the SSL settings to remote user traffic, including the ability to exclude URL categories and custom domains from decryption. Typically, the traffic of remote users is forwarded to port 9443 where the service does not apply the SSL exclusion settings. Additionally, this allows remote users to automatically authenticate using your SAML ID provider.
• Apply the location’s policies, instead of the default policy, to remote user traffic that cannot be authenticated, such as transactions that use unknown agents or non-HTTP protocols.
• Support FTP over HTTP for remote users, enabling the anti-virus engine of the service to scan content for viruses and spyware when a remote user’s browser connects to FTP sites and downloads files.
• Identify a remote user’s organization and display its logo on the login page. In addition, if SAML authentication is used, remote users are not prompted to enter their login name.

For enhanced security and to prevent unauthorized use of the subscribed ports, authentication must be enforced for the location associated with the ports. The service blocks traffic that it cannot authenticate, such as transactions that have an unknown user-agent or a non-HTTP protocol, if it is from an IP address that an authenticated user has not used.

When traffic from a known location arrives at a subscribed proxy port, the service applies the policies of the known location and not the location associated with the subscribed port.

Additionally, you can enable the service to map users to their external IP addresses as well so it can apply user-level policies to remote user traffic that it cannot authenticate.

Configuring Dedicated Proxy Ports