Menlo Proxy port 443 and PAC configurations

Todd Ignasiak

The Menlo Security proxy makes several proxy ports available for general use.  The most common of these ports is 3129, which is the default proxy port used by the Menlo Proxy Auto-Config (PAC).

Proxy port 443 was originally added to the available proxy ports for a custom configuration required by one specific customer use case, and was enabled in the PAC editor with that tenant's specific configuration.

Later, port 443 was enabled on all Menlo proxies, for use as a general proxy port available to all customers.

To use proxy port 443, there are some important considerations to be aware of:

  • To show port 443 as an option in the PAC editor, Menlo Support must enable a tenant setting.
  • Once enabled, port 443 will be available as an alternate port option when "SSL Inspection + Single Sign-On" is selected as the proxy mode.
    • This port description reflects the configuration of the original use of this port, but not the later broad enablement of port 443.
    • Port 443 will be available as an "Alternate Proxy Port" in the "Proxy and Roaming Settings" section of the PAC configuration.
    • Proxy port 443's configuration is identical to that of port 3129:  "SSL Inspection + Menlo Authentication" - This means that it is NOT limited to SAML / SSO configuration and can be used with any authentication.
    • To use port 443 with SAML Authentication, Menlo Support must enable the tenant option to "Require SAML" on all proxy ports.

Proxy Port Usage Notes:

  • When possible, Menlo recommends using a "dedicated proxy port" (aka COTI port) for user traffic.  A dedicated proxy port improves authentication flows and allows tenant policies (such as SSL decryption exception policies) to be applied to non-authenticated requests.
    • Dedicated proxy ports are unique ports per customer and are usually allocated in the 6000 range of ports.  Dedicated ports cannot be allocated on well-known port numbers such as 80 or 443.
  • Proxy port 443 is sometimes used to avoid firewall blocks of unknown high ports.  Depending on the type of firewall and the policy being used, this can be effective.  However, some firewalls apply protocol validation to traffic leaving the network.  In that case, the firewall may disrupt proxy requests on port 443 because the proxy request protocol differs from ordinary HTTPS requests.
    • When possible, a firewall policy that permits access to the required Menlo proxy port number on the Menlo Security IP ranges is preferred, as it eliminates these firewall issues.
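As an added illustration of the PAC settings described above (example code, not part of the Menlo article or Menlo's own PAC output): a minimal PAC file that sends browser traffic to a Menlo proxy on alternate port 443 and lists the default port 3129 as the fallback proxy, while bypassing the proxy for internal and private destinations. The proxy hostname, internal DNS suffix and bypass rules are placeholders; a real deployment would use the tenant's proxy FQDN and, where available, the dedicated proxy port.

```javascript
// Added example, not from the Menlo article. Hostname, internal suffix and
// bypass rules are placeholders. ES5 style on purpose: PAC engines (WinHTTP,
// older browsers) may not support let/const, arrow functions or endsWith().
var MENLO_PROXY_HOST = "proxy.menlo.example"; // placeholder, not a real Menlo host
var PRIMARY_PORT = 443;   // alternate proxy port, enabled per tenant by Menlo Support
var FALLBACK_PORT = 3129; // default Menlo PAC proxy port
var INTERNAL_SUFFIX = ".corp.example"; // placeholder internal DNS suffix

// True when host ends with suffix (no String.prototype.endsWith for old engines).
function hostEndsWith(host, suffix) {
  return host.length >= suffix.length &&
    host.indexOf(suffix, host.length - suffix.length) !== -1;
}

// True for loopback and RFC 1918 dotted-quad literals (10/8, 172.16/12, 192.168/16).
function isPrivateIp(host) {
  var m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Proxy list with the alternate port first and the default port second.
// Browsers move to the next entry only when the first proxy fails to connect,
// so the fallback is a safety net, not a cure for a firewall that interferes
// with proxy requests on port 443.
function menloProxyString() {
  return "PROXY " + MENLO_PROXY_HOST + ":" + PRIMARY_PORT +
    "; PROXY " + MENLO_PROXY_HOST + ":" + FALLBACK_PORT;
}

// Standard PAC entry point: the browser calls this for every URL it loads.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  // Plain hostnames, the internal domain and private addresses go direct.
  if (h.indexOf(".") === -1 || hostEndsWith(h, INTERNAL_SUFFIX) || isPrivateIp(h)) {
    return "DIRECT";
  }
  return menloProxyString();
}
```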
