Disable Always-On in Designated Trusted Networks

This article explains how to define Trusted Networks as part of the process of onboarding to Cato. Trusted networks are protected by a third party service, and let SDP users bypass Always-On requirements (they can disconnect the Client).


When companies onboard to Cato, there may be a period of time where SDP Clients are deployed on the employee's devices, but not all the offices are configured as Cato sites. These offices are protected with a third party solution. To ensure that business operations can continue as normal during the onboarding process, you can classify these offices as Trusted Networks.

A network can be classified as trusted based on a HTTPS resource request, a DNS query, or a ping to an IP address or URL. After checking if it is connected behind a Cato site, the Client checks if it is connected to a Trusted Network. This check occurs every time the Client connects, after every network change, and every 30 seconds while connected.

When connected to a Trusted Network, Always-On can be bypassed, the Client can be disconnected, and Connect on Boot is disabled. This results in a better user experience and increases network performance.

In addition to onboarding, Trusted Networks can be used an any scenario you want to bypass Always-On at a specific location.

Use Case - Cato Onboarding

Company ABC has 70 offices and over 1000 employees. They are a new Cato customer for remote access, networking, and security solutions, in addition they plan to configure their Clients to use Always-on. During the Cato onboarding process, the deployment of Clients will be quicker than the deployment of sockets at all the company’s offices. There is a period where employees will have the Client installed on their device but will work from an office where a Socket has not been deployed but is protected with the company’s old solution.

For the easiest onboarding, the company designates offices secured with the previous security solution as a trusted network. This lets SDP users located in the office bypass Always-on and can choose to disconnect from the network. Once a Socket is deployed at the office, the SDP users will be able to connect to Cato in Office Mode (not connected to the network).


  • Supported from Windows Client v5.8 and higher

  • Supported only on Clients where a single SDP user account is configured

Classifying a Trusted Network

A Client will classify a network as trusted if any of these criteria are met:

  • HTTPS resource request: Define a URL that is only accessible when connected to the trusted network. After accessing the URL, the Client verifies the response is either HTTP 200 or HTTP 300 and then verifies the certificate

  • DNS query: Define a hostname for the Client to send a DNS request to, and the IP address that is the expected response

  • Ping to an IP address or URL: Define an IP address or URL for the Client to ping. The Client verifies if there is a response with the ICMP protocol

Configuring Trusted Networks

You can classify a network protected with a third party solution as a Trusted Network. Once a network is classified as trusted, any SDP user connecting to that network can bypasses Always-On by disconnecting the Client.



To configure trusted networks:

  1. From the navigation menu, click Access > Trusted Networks.

  2. Select a method of classifying a Trusted Network and enter the supporting information

  3. Click Add.

  4. Repeat steps 2-3 for each Trusted Network.

  5. Enable Trusted Networks and click Save.

    The slider is green when Trusted Networks is enabled, and gray when Trusted Networks is disabled.

Was this article helpful?


Add your comment