Your organization can subscribe to one or more ports, associate them with a location, and then forward your road warrior traffic to those ports. Forwarding road warriors to your subscribed ports enables the Zscaler service to do the following:
- When SSL inspection is enabled at the location, the service can apply all the SSL settings to road warrior traffic, including the ability to exclude URL categories and custom domains from decryption. Typically, the traffic of road warriors is forwarded to port 9443, where the service does not apply the SSL exclusion settings. Additionally, forwarding to a subscribed port allows road warriors to automatically authenticate using your SAML ID provider.
- Apply the location’s policies, instead of the default policy, to road warrior traffic that cannot be authenticated, such as transactions that use unknown agents or non-HTTP protocols.
- Support FTP over HTTP for road warriors, enabling the anti-virus engine of the service to scan content for viruses and spyware when a road warrior’s browser connects to FTP sites and downloads files.
- Identify a road warrior’s organization and display its logo on the login page. In addition, if SAML authentication is used, road warriors are not prompted to enter their login name.
For enhanced security and to prevent unauthorized use of the subscribed ports, authentication must be enforced for the location associated with the ports. The service blocks traffic that it cannot authenticate, such as transactions that have an unknown user-agent or a non-HTTP protocol, if it is from an IP address that an authenticated user has not used.
When traffic from a known location arrives at a subscribed proxy port, the service applies the policies of the known location and not the location associated with the subscribed port.
Additionally, you can enable the service to map users to their external IP addresses so that it can apply user-level policies to road warrior traffic that it cannot authenticate.
Configuring Dedicated Proxy Ports
- Contact Zscaler Technical Support to subscribe to proxy ports.
- After you receive the port numbers of the proxy ports, go to Administration > Resources > Locations.
- Either add a new location or edit an existing location.
- From Proxy Ports, choose the ports you want to associate with the location.
- Select Enforce Authentication.
- Click Save and activate the change.
After you configure the proxy ports on the admin portal, edit the PAC file of road warriors to forward their traffic to the subscribed proxy ports.
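A PAC file for the final step could look like the following. This is an added example, not a Zscaler-supplied PAC file: the gateway host names, the port number 10000 and the internal domain suffix are placeholders to replace with your own gateways, the port numbers you received, and your own bypass list.

```javascript
// Added example PAC file; gateway names, port and bypass suffix are placeholders.
var PRIMARY_GATEWAY = "gateway1.example.net";   // placeholder primary gateway
var SECONDARY_GATEWAY = "gateway2.example.net"; // placeholder secondary gateway
var SUBSCRIBED_PORT = 10000;                    // placeholder for your subscribed port
var DIRECT_SUFFIXES = [".corp.example.com"];    // constructed internal domain

// True for loopback and RFC 1918 IPv4 literals only, so a public name
// such as "10.example.org" is not mistaken for a private address.
function isPrivateIPv4(host) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return /^(127|10)\./.test(host) ||
         /^192\.168\./.test(host) ||
         /^172\.(1[6-9]|2[0-9]|3[01])\./.test(host);
}

// True when the host is an internal domain or one of its subdomains.
function hasDirectSuffix(host) {
  for (var i = 0; i < DIRECT_SUFFIXES.length; i++) {
    var suffix = DIRECT_SUFFIXES[i];
    if (host === suffix.slice(1) || host.slice(-suffix.length) === suffix) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label names and private addresses are internal: never proxy them.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host) || hasDirectSuffix(host)) {
    return "DIRECT";
  }
  // Everything else, ftp:// URLs included, goes to the subscribed port so the
  // location's SSL settings, policies and FTP-over-HTTP scanning apply.
  // There is no trailing DIRECT: if both gateways are unreachable the request
  // fails instead of leaving the device uninspected (a choice of this example).
  var port = ":" + SUBSCRIBED_PORT;
  return "PROXY " + PRIMARY_GATEWAY + port + "; PROXY " + SECONDARY_GATEWAY + port;
}
```

The code uses only ES5 syntax and no browser-provided PAC helper functions, so it can be checked in any JavaScript runtime before it is distributed to road warriors.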