ProxySG fails to allow connections to SSL ports other than port 443


Error:  CONNECT to a port other than 443 (the default HTTPS port) is not permitted
Error:  Your request attempted a CONNECT to a port <port_number> that is not permitted by default.
Error:  This is typically caused by an HTTPS URL that uses a port other than the default of 443. 

How do I allow the ProxySG to connect to non-standard SSL ports?
I have an internal web server that uses a non-standard SSL port.  How can I get the ProxySG to allow connections to that web server?
My web browsers are configured in an explicit environment.

By default the ProxySG does not allow CONNECT methods to non-standard ports because it is considered a security risk to do so.

The ProxySG is considered a security device.  As a security device, by default the ProxySG does not allow SSL connections to non-SSL ports.  However, there may be instances where a known good web server is using a non-standard SSL port for SSL traffic.  Therefore the ProxySG can be configured to allow SSL connections to the non-standard SSL ports.  There are several ways in which to do this.  They are as follows:

  1. If the site hosting the web server uses a non-standard SSL port, you can have the browser bypass the proxy for that request.  If you are using a PAC file, you can create an exclusion so that the web browser goes direct instead of to the proxy.  For details on modifying PAC files, see 000011089.  If you do not have a PAC file, you may be able to manually enter an exception directly in the browser.  Refer to your browser documentation for further details.
  2. You can add the following CPL policy to the local policy file which allows a CONNECT request to be made to the host that uses a non-standard SSL port.  For information on how to add CPL code to the local policy file, please see 000010101.  Here is the sample policy:
;  BEGIN - Allows the ProxySG to use the CONNECT method to a port other than port 443
http.method=CONNECT url.port=<non-standard-port-number> ALLOW
;  In the above example, replace with the appropriate host.
;  In the above example, replace <non-standard-port-number> with an actual number, such as 4443 or whatever port you wish to override.
;  END - Allows the ProxySG to use the CONNECT method to a port other than port 443


This can also be done using the Visual Policy Manager: 

  1. Create a new Web Access Layer.  A new layer ensures that the policy change will not overwrite any existing policy decisions.
  2. Set the destination to be the port for which you want to allow non-443 CONNECT requests.  Make it a combined destination object if you want to add the site as in the CPL example above.
  3. In the Service column, choose Protocol Methods, select HTTP/HTTPS from the drop-down, and check the "CONNECT" option.  Click OK.
  4. Set the action to Allow.


  3. Add CPL policy that allows CONNECT requests to any site on any port.  NOTE:  Blue Coat does not recommend allowing unrestricted CONNECT requests on any TCP port.  The best way to work around the issue is to place an explicit exception as in solution #2 above.  However, this solution is provided as is.
;  BEGIN - Allows the ProxySG to use the CONNECT method on ANY TCP port.  Not recommended.
http.method=CONNECT ALLOW
;  END - Allows the ProxySG to use the CONNECT method on ANY TCP port.  Not recommended.

NOTE: Because the "ALLOW" action in a policy rule lets the ProxySG overrule its default security precaution of preventing access to sites via non-standard SSL ports, apply such rules with caution.  For example, a policy rule with only the "ALLOW" action and no condition would set the ProxySG to allow requests to connect to sites through any destination port.
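
The caution above can be checked mechanically before a local policy file is installed. The following is an added example, not Blue Coat code: it recognizes only the single-line rule forms shown in this article, and the sample policy text, function name and verdict labels are constructed for illustration.

```python
# Added example: audits single-line CPL rules of the forms shown in this article.
# SAMPLE_POLICY is constructed; names and verdict labels are illustrative.
SAMPLE_POLICY = """\
; constructed sample policy
http.method=CONNECT url.port=4443 ALLOW
http.method=CONNECT url.port=<non-standard-port-number> ALLOW ; placeholder left in
http.method=CONNECT ALLOW
ALLOW
"""


def audit_connect_rules(policy_text):
    """Return (line_no, verdict, rule) for every ALLOW rule that can match CONNECT."""
    findings = []
    for line_no, raw in enumerate(policy_text.splitlines(), start=1):
        rule = raw.split(";", 1)[0].strip()      # ';' begins a comment
        if not rule or rule.startswith("<"):     # skip blanks and layer headers
            continue
        tokens = rule.split()
        if not any(t.upper() == "ALLOW" for t in tokens):
            continue
        conds = {k.lower(): v for k, v in
                 (t.split("=", 1) for t in tokens if "=" in t)}
        method = conds.get("http.method")
        if method is not None and method.upper() != "CONNECT":
            continue                             # limited to another method
        port = conds.get("url.port")
        if not conds:
            verdict = "unconditional"            # bare ALLOW: any method, any port
        elif port is None:
            verdict = "any-port"                 # CONNECT allowed on every TCP port
        elif not port.isdecimal() or not 1 <= int(port) <= 65535:
            verdict = "unparsed-port"            # e.g. template placeholder not replaced
        else:
            verdict = "scoped"                   # limited to one explicit port
        findings.append((line_no, verdict, rule))
    return findings


if __name__ == "__main__":
    for line_no, verdict, rule in audit_connect_rules(SAMPLE_POLICY):
        print(f"line {line_no}: {verdict:13} {rule}")
```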

Additional Information
InQuira Doc Id      KB3730

First Published      10/01/2014
Last Modified      01/19/2017
Last Published      01/19/2017
Product      ProxySG
Software      SGOS 4, SGOS 5, SGOS 6
Topic      Configuration / WUI / CLI, Policy Management, Services, SSL / HTTPS
Article Number      000012999
Summary      The ProxySG blocks all SSL traffic to non-standard SSL ports.  This article describes why, and how to work around it.