diff --git a/management/internals/controllers/network_map/controller/controller.go b/management/internals/controllers/network_map/controller/controller.go
index 6b8045b07..b2b65f47a 100644
--- a/management/internals/controllers/network_map/controller/controller.go
+++ b/management/internals/controllers/network_map/controller/controller.go
@@ -174,7 +174,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 	var wg sync.WaitGroup
 	semaphore := make(chan struct{}, 10)
-	account.InjectProxyPolicies()
+	account.InjectProxyPolicies(ctx)
 	dnsCache := &cache.DNSConfigCache{}
 	dnsDomain := c.GetDNSDomain(account.Settings)
 	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
@@ -327,7 +327,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 		return fmt.Errorf("failed to get validated peers: %v", err)
 	}
-	account.InjectProxyPolicies()
+	account.InjectProxyPolicies(ctx)
 	dnsCache := &cache.DNSConfigCache{}
 	dnsDomain := c.GetDNSDomain(account.Settings)
 	peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
@@ -443,7 +443,7 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 		}
 	}
-	account.InjectProxyPolicies()
+	account.InjectProxyPolicies(ctx)
 	approvedPeersMap, err := c.integratedPeerValidator.GetValidatedPeers(ctx, account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
 	if err != nil {
@@ -851,7 +851,7 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 	if c.experimentalNetworkMap(peer.AccountID) {
 		networkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peerID, validatedPeers, peersCustomZone, accountZones, nil)
 	} else {
-		account.InjectProxyPolicies()
+		account.InjectProxyPolicies(ctx)
 		resourcePolicies := account.GetResourcePoliciesMap()
 		routers := account.GetResourceRoutersMap()
 		networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, account.GetActiveGroupUsers())
diff --git a/management/server/types/account.go b/management/server/types/account.go
index e51413668..0d0092fef 100644
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -1923,7 +1923,7 @@ func (a *Account) GetResourcesMap() map[string]*resourceTypes.NetworkResource {
 	return resourcesMap
 }
-func (a *Account) InjectProxyPolicies() {
+func (a *Account) InjectProxyPolicies(ctx context.Context) {
 	if len(a.ReverseProxies) == 0 {
 		return
 	}
@@ -1943,6 +1943,19 @@ func (a *Account) InjectProxyPolicies() {
 				continue
 			}
+			port := target.Port
+			if port == 0 {
+				switch target.Protocol {
+				case "https":
+					port = 443
+				case "http":
+					port = 80
+				default:
+					log.WithContext(ctx).Warnf("unsupported protocol %s for proxy target %s, skipping policy injection", target.Protocol, target.TargetId)
+					continue
+				}
+			}
+
 			policyID := fmt.Sprintf("proxy-access-%s-%s", service.ID, proxyPeer.ID)
 			a.Policies = append(a.Policies, &Policy{
 				ID: policyID,
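Review bot: The new default-port block in `InjectProxyPolicies` only inspects `target.Protocol` when `target.Port` is zero, so a target with an explicit port and an unrecognised (or empty) protocol still gets an access policy injected with no warning, while the same target with port 0 is skipped — the two paths disagree on whether the protocol is validated. If `http` and `https` are the only protocols the proxy supports, hoist the `switch` out of the `if port == 0` guard so the rejection applies uniformly (sketch below); if other protocols are legitimate when a port is given explicitly, a comment on the `if` saying so would keep the next reader from "fixing" it. Independently, the warning should format the protocol with `%q` rather than `%s`: an empty `Protocol` currently prints `unsupported protocol  for proxy target ...`, which hides the actual cause. `InjectProxyPolicies` continues past the end of the hunk, so I am assuming `port` replaces `target.Port` in the rule built below.
```go
			port := target.Port
			switch target.Protocol {
			case "https":
				if port == 0 {
					port = 443
				}
			case "http":
				if port == 0 {
					port = 80
				}
			default:
				log.WithContext(ctx).Warnf("unsupported protocol %q for proxy target %s, skipping policy injection", target.Protocol, target.TargetId)
				continue
			}
			// … unchanged: policy construction …
```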