Summary of Cato Windows Client Releases

This article summarizes the features and enhancements of the Windows SDP Client.

In addition, it also lists the known limitations.

Admins and SDP users can easily download the Client from the Client download portal without requiring authentication.

For more information about the requirements to implement Cato's remote access in your organization, see Installing the Cato Client and Getting Started with the Windows Client.


Windows Client v5.10.26

From March 31st, 2024, we are starting the rollout of Windows Client version 5.10.26. This version contains bug fixes including:

    • Anti-Malware Device Checks could not validate Microsoft Defender for Endpoint (Defender ATP) real-time protection

Windows Client v5.10

From February 12th 2024 , we started the rollout of Windows Client v5.10. This version contains:

    • User Notifications for CASB and DLP: The device displays a notification to the user when their activity is blocked by App Control or Data Control rules. This educates the user about which app was blocked and why.
    • Improved Client messages for failed upgrades and token expiration
    • Stability enhancements, including Pre-login mode
    • Bug fixes 

Windows Client v5.9

From November 20th, 2023, we started the roll out of Windows Client version 5.9. This version contains:

    • New Experience for Secured Remote Internet Access: We are introducing new features that transform the user experience for secured Internet access. Users can benefit from Internet security based on a one time authentication and Always-On can be used while ensuring business continuity:

      • Remote Internet Security with One Time Authentication: For secured Internet access, remote users only need to authenticate once.

        • Cato Security policies are always enforced for Internet traffic with this mode, users continuous access without needing to re-authenticate.

      • New Bypass Mode for Always-On: Users can temporarily access the Internet without waiting for admin approval. Users provide a reason in the Client and they can temporarily bypass Always-On and disconnect the Client.

        • The duration of the bypass can be configured by administrators

      • Always-On Recovery Mode: Users can access the Internet if a connection to the Cato Cloud is unavailable. For example, if a Captive Portal prevents the Client connecting to the Cato Cloud, users can still access the Internet. However, Cato security is bypassed.

    • Device Posture Check Improves Security Posture: You can now include a check for DLP within your Device Posture Profiles. The Device Posture Profile can be included in your Client Connectivity and security policies.

    • Client UI Improvements: We have updated the Client UI, to display:

      • A message if the Client experiences issues establishing a connection to the Cato Cloud

      • The indication if Always-On is enforced is moved to the Statistics page

    • Updated Vendors and Versions for Device Posture Checks: We updated the OPSWAT framework used by the Client to version

Windows Client v5.8

Windows Client version 5.8 was uploaded to the Client download portal on September 14th, 2023 and includes:

  • SDP Users With Always-On Can Authenticate to a Captive Portal by Default: Captive Portal Detection temporarily bypasses Always-On to allow login to the Captive Portal. This feature is enabled by default.

    • The Captive Portal Detection checkbox is removed from the Settings page in the Client

    • No impact to SDP users that don’t connect to a captive portal, or aren’t using Always-On

  • SDP User Authentication is No Longer Required Behind a Site: To simplify the user experience for SDP users behind a site, the Windows Client can connect automatically in Office Mode without SDP users manually authenticating. There is no impact on Security and User Awareness polices.

    • Supported on Windows Client v5.8 and higher

    • This replaces the previous behavior where, behind a site, authentication was required but had no impact on Security or Access policies

  • Updated OPSWAT OESIS Framework: We updated the OPSWAT OESIS framework used by the Client to version 4.3.3644

  • Upgrade OpenSSL Library: We upgraded the OpenSSL Library used by the Client to version 3.1.1

  • Upgraded Chromium version: We upgraded the Chromium version used by the embedded browser in the Client to version 107.1.120

  • New User Interface: We improved the Client’s user interface so that it is even more intuitive and easy to use 

  • Known Limitation:
    • When the Client is in Office Mode, the Connect button in the Client is disabled, however users can click Connect from the system tray icon and may be required to re-authenticate.
    • When a user is configured for Connect on Boot only (not with Always-On), they are sometimes prompted to re-authenticate even when connected behind a Cato site. This is a UI issue, and users can ignore and close the authentication prompt, and connect to the network in Office Mode (the Client shows Office Network).
  • Windows Client v5.8 supports these features:

Windows Client v5.7

Windows Client version 5.7 was uploaded to the Client download portal on August 7th, 2023 and includes: 

  • Device Posture for SDP Users in the Office: The Device Posture Profiles and Device Checks are now also applied for SDP users in the office behind a site (connected to the network). This lets you apply the same security level by enforcing the same device requirements whether SDP users are working from home, or in the office.

  • SDP User Feedback: To help us continually improve our remote access, SDP users can now provide feedback to Cato from within the Client.

    • Every few months, users are prompted to give a rating and comments

    • SDP users can also manually provide feedback at any time

  • Improved Client Resiliency with Rapid Reconnect: The Client infrastructure now includes multiple tunnels to provide redundancy. So, if there’s an issue, there is minimal packet loss and negligible impact to the SDP user experience.

  • Enhanced Client PoP Selection: We improved the PoP selection process to better consider multiple factors including geography and availability. The Client now more accurately selects the best PoP to connect to.

    • Ensure the following URLs can be accessed to use this feature:



Windows Client v5.6

Windows Client version 5.6 was uploaded to the Client download portal on March 29th, 2023, and includes:

  • Improved Out-of-the-Box-Security:

    • Deploying Clients with Always-On Enabled: You can automatically enable Always-On for new Client installations, so that users will not have Internet access until after they are authenticated.

    • Automatically Show Client when the Device Starts: To let an SDP user set up a new device and easily find the Client and then Connect to the network, you can now use a registry flag to define if the Client app automatically opens or not.

  • Exclude Network Ranges from LAN Blocking: Use the Split Tunnel feature with LAN Blocking to define subnets that are excluded from the tunnel. For example, this lets a device connect to a LAN printer even though LAN Blocking is enabled.

  • Enhanced Windows Client Upgrade Process: We added roll-back functionality to the Client, and if there’s an issue during the upgrade, the Client automatically rolls back to the previous version.

    • The Client automatically upgrades to the next minor Client version when it is available

  • Improvements to Client Self Service: When using Self Service to troubleshoot the Client, now includes data from the Cato Cloud in addition to the local device.

Windows Client v5.5

Windows Client version 5.5 was uploaded to the Client download portal on December 15th, 2022, and includes:

  • Client Self Service: SDP users can now take steps to support the troubleshooting of issues with the Client.

    • SDP users can now record and then reproduce an issue that occurred with the Client. The traffic capture and log files can be uploaded to Cato Support for further analysis

    • SDP users can clear cookies from an embedded browser used for authentication

  • New Client Installer:  We are introducing a new installer for the Client that includes improved stability for the upgrade process.

  • Bug fixes and enhancements

Windows Client v5.4

Windows Client version 5.4 was uploaded to the User Portal on September 19th, 2022, and includes:

  • Support for First Upgraded Users for Client Upgrade

  • Improved error messages in the Client for SDP users which better explain connectivity issues

  • Bug fixes:

    • When the Client is in Office Mode, it now uses the PAC file of the local system instead of the PAC file defined in the Cato Management Application

Windows Client v5.3

Windows Client version 5.3 was uploaded to the User Portal on April 18th, 2022, and includes:

  • SDP Users Can Enjoy SSO Simplicity and with Security of Never-Off: Cato Clients now support the ability to authenticate with Single Sign-On (SSO) at same time that the Client Access Connectivity policy is set to Never-Off. Read more.

    • You can configure SSO and Never-Off for the entire account or for specific SDP users.

  • Enhanced Re-authentication Experience: A notification lets users know that the SSO or MFA session will soon expire and allows them to seamlessly re-authenticate

  • Bug fixes:

    • Computers recovering from sleep mode were unable to connect to the Cato Cloud

    • For Windows Clients with Never-Off enabled and behind a Socket, the user couldn’t use Office Mode to connect

    • Sometimes the Client didn’t reconnect when moving between different networks, such as cellular to WiFi

    • After the MFA session expires, the OS browser didn’t open the authentication page

  • For known limitations for this version, see details below.

Windows Client v5.2

Windows Client version 5.2 was uploaded to the User Portal on February 27th, 2022, and includes:

  • Improved SDP User Experience with Browser Authentication: We updated the Authentication screen (Access > Client Access > Authentication) so you can select the Browser Authentication experience for your SDP users and use the in-Client browser or the external default OS browser. Read more.

  • Enhancements:

    • Enhancements for Client SSO authentication and support for Internet Explorer as the OS browser

    • Device Posture enhancement, periodic checks that devices are compliant with the Device Posture policy

    • Cato authentication server supports CA issued certificates (non-self-signed)

  • For known limitations for this version, see details below.

Windows Client v5.0

Windows Client version 5.0 was uploaded to the User Portal on October 24th, 2021, and includes:

  • Improved SSO Workflow: Windows Client version 5.0 introduces an improved SSO authentication workflow that enhances the user experience to log in directly to the Client. Read more

  • Support for Windows 11: Cato officially supports Windows 11

  • For known limitations for this version, see details below.

Known Limitations for Windows Client v5.2 and Higher

This section lists known limitations that apply to all the Windows Clients version 5.2 and higher.

  • For deployments with a third-party proxy, Internet Explorer is not supported as the default browser.

    • Configure a different default browser on the device.

Known Limitations for Windows Client v5.0 and Higher

This section lists known limitations that apply to all the Windows Clients version 5.0 and higher.

  • This Client version uses the IP address as part of the infrastructure to support Single Sign-On (SSO)

    • Make sure that this IP address is NOT blocked by any third-party anti-malware software

  • For accounts that use Azure Conditional Access, please set the Browser Authentication to External Browser (Access > Client Access > Authentication) For more information about Browser Authentication, see Configuring the Authentication Policy for Cato Clients

  • Set Browser Authentication to internal In-Client Browser to authenticate to OneLogin

  • For OneLogin SSO, we recommend that you use the internal in-Client browser. When Browser Authentication is set to External Browser, if the browser window or tab is closed, the end-user can't authenticate to OneLogin

  • Windows 8.1 OS is only supported when all the newest Microsoft updates and patches are installed

  • Automatic Upgrade for Windows Servers is currently not supported

  • Automatic Upgrade for the Windows Client version 5.0 is disabled for hosts that use the Windows Server operating system and the Trusted Browsing feature on the Windows Server blocks the Client from authenticating

    • Solution: To use Windows Client v5.0 on a Windows Server you can use one of the following solutions and then install or upgrade the new Client version:

      • Allowlist the domains for your IdP for Trusted Browsing

      • Disable the Trusted Browsing feature

  • In some cases, for Windows devices with the Intel Killer Wireless NICs, after the Client connects to the network all traffic is blocked

    • Workaround: Disable the Killer Network Service on the Windows device, and then use the Cato Client to connect to the network

  • When using TAP virtual adapter, the MAC address of the Cato virtual adapter in the Client is randomly generated and isn’t guaranteed to be unique across the Clients in your network. Sometimes the MAC address isn’t shown for the virtual adapter.

    • When the MAC address is required, we recommend that you use the MAC address of the physical device instead of the Client virtual adapter.

  • If you change the default installation folder, during a Client upgrade or if you delete the Client, other files within the directory are deleted. If you add items to the default installation folder (C:\Program Files\Cato Networks\) they are deleted during a Client upgrade or if you delete the Client.

  • If IP routing is enabled on the device, the Client cannot authenticate.

Was this article helpful?

0 out of 1 found this helpful


Add your comment