[CF1] private IP and BISO limit (#22244)

* [CF1] private IP and BISO limit

* Update src/content/docs/cloudflare-one/policies/browser-isolation/known-limitations.mdx

* Update src/content/docs/cloudflare-one/policies/browser-isolation/known-limitations.mdx

* Update src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx

Co-authored-by: marciocloudflare <[email protected]>

---------

Co-authored-by: marciocloudflare <[email protected]>

Author: deadlypants1973

src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx

@@ -31,7 +31,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 6.  Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.
 
     :::note
-    Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI).
+    Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI). If you are configuring a private IP on any port other than `443` and plan to use Browser Isolation, note that this [will result in a Gateway block page](/cloudflare-one/policies/browser-isolation/known-limitations/#browser-isolation-is-not-compatible-with-private-ips-on-non-443-ports).
     :::
 
 7.  <Render file="access/add-access-policies" product="cloudflare-one" />

src/content/docs/cloudflare-one/policies/browser-isolation/known-limitations.mdx

@@ -119,3 +119,9 @@ Some applications that use HTTP-POST bindings (such as Salesforce) complete SSO
 | Precedence | Selector | Operator | Value                                | Action  |
 | ---------- | -------- | -------- | ------------------------------------ | ------- |
 | 2          | Host     | in       | `your-salesforce-domain.example.com` | Isolate |
+
+## Browser Isolation is not compatible with private IPs on non-`443` ports
+
+Browser Isolation is not compatible with [self-hosted private applications](/cloudflare-one/applications/non-http/self-hosted-private-app/) that use private IP addresses on ports other than `443`. Trying to access self-hosted applications defined by private IPs on ports other than `443` will result in a Gateway block page.
+
+To use Browser Isolation for an application on a private IP address with a non-`443` port, configure a [private network application](/cloudflare-one/applications/non-http/legacy-private-network-app/) instead.