The following error is encountered when connecting to websites with non-standard SSL ports and does not have other rules in the Edge SWG (ProxySG)/ASG that will match to allow non-standard ports to be forwarded:

Error:  CONNECT to a port other than 443 (the default HTTPS port) is not permitted
Error:  Your request attempted a CONNECT to a port <port_number> that is not permitted by default.
Error:  This is typically caused by an HTTPS URL that uses a port other than the default of 443.
Exception:  CONNECT_METHOD_DENIED

Configure Edge SWG (ProxySG) or Advanced Secure Gateway (ASG) to connect to non-standard SSL ports.

Web servers are configured with non-standard SSL ports in an explicit environment.

By default, Edge SWG (ProxySG) and ASG do not allow CONNECT methods to non-standard ports because it is considered a security risk.

Important Note: This issue is not applicable if protocol detection is enabled. When protocol detection is enabled, we allow HTTP CONNECT on an arbitrary port, as long as the protocol detected inside is SSL. In cases where it is not enabled, though, only the default ports (80 or 443) would be allowed.

There may be instances where a known good web server is using a non-standard SSL port for SSL traffic; therefore the Edge SWG (ProxySG) or ASG can be configured to allow SSL connections to the non-standard SSL ports.

Here are ways to allow non-standard SSL ports:

1. If the site that is hosting the web server is using a non-standard SSL port, then bypass sending the Edge SWG (ProxySG) the request. If there is a PAC file, then create an exclusion so the web browser goes direct instead of to the Edge SWG (ProxySG). For further information, please see Steps to create or edit a PAC file to use with Edge SWG (ProxySG) for additional details on modifying PAC files. If there is no PAC file, then manually enter an exception directly into the browser. Please refer to browser documentation for further details.

2. Add the following Content Policy Language (CPL) to the Local Policy File which allows a CONNECT request to be made to the host that uses a non-standard SSL port. For information on how to add CPL code to the Local Policy File, please see How do I add CPL to a local policy file on the Edge SWG (ProxySG)? Here is the sample policy:

;Allows the Edge SWG (ProxySG) to use the CONNECT method to a port other than port 443
<proxy>
http.method=CONNECT url.host=nonstandard-ssl-host.example.com url.port=<non-standard-port-number> ALLOW
;In the above example, replace nonstandard-ssl-host.example.com with the appropriate host.
;In the above example, replace <non-standard-port-number> with an actual number, such as 4443 or whatever port to override.

 
This can also be done using the Visual Policy Manager:

A. Create a new Web Access Layer. A new layer ensures that the policy change will not overwrite any existing policy decisions.
B. Set the Destination to be the Port for allowing non-443 CONNECT requests. Make it a Combined Destination Object if the site should be added as in the CPL example above.
C. In the Service column, choose Protocol Methods, select HTTP/HTTPS from the Protocol drop-down, and check the "CONNECT" option. Click OK.
D. Set the Action to Allow

 
3. Add CPL policy that allows CONNECT requests to any site on any port. NOTE: Symantec does not recommend allowing unrestricted CONNECT requests on any TCP port. The best way to work around the issue is to place an explicit exception as in solution #2 above; however, this solution is provided as is.

;Allows the Edge SWG (ProxySG) to use the CONNECT method on ANY TCP port. Not recommended.
<proxy>
http.method=CONNECT ALLOW

NOTE: Using the action "ALLOW" in policy rules grants the Edge SWG (ProxySG) or ASG the power to overrule its default security precaution of preventing access to site via non-standard SSL port. Apply the rule with caution (i.e. policy rule with only "ALLOW" action and no condition would set Edge SWG (ProxySG) or ASG to allow requests to connect to site through any destination port).