Defining Remote Access for Users

Overview

Remote access lets users securely connect to your organization’s network using the Cato Client when they are not behind a Cato site. As an admin, you control which users and user groups are allowed to use the Client and connect remotely.

The way you license and control remote access depends on your account license model. Cato has two license models:

  • Jul 2026 (Enforcement Model)

  • Jan 2027 (Bursting Model)

Not sure which license your account uses? See Identifying your License Model.

Defining Remote Access Users (Bursting Model)

In the bursting license model, remote connectivity to WAN and private applications is licensed using the Remote User base product, and access to the internet is licensed through the internet security product. Use the Remote Access Eligibility page to define which users or user groups are permitted to connect to the network with the Cato Client.

  • Users are measured monthly as distinct authenticated remote users per region group

  • If measured usage exceeds the licensed capacity, the excess is considered overusage

Use Case - Remote Access (Bursting Model)

A company has finance, marketing, and product development teams working in its head office in New York and a data center in Virginia. The company also has sales teams working remotely in 20 different states. Teams working in the head office connect to the data center from behind a Socket site and are in a head office user group.

The sales teams connect to Cato using the Windows Client and are all assigned to a sales team user group. Remote access is only available to users in the sales team user group.

The company ensures that policies are enforced for all users, enabling all teams to securely access network resources. The company optimizes costs by only paying for the sales team to use the Cato Client for secure remote access.

Defining Remote Access

To define users and user groups that can connect with remote access:

  1. From the navigation menu, click Access > Remote Access Eligibility.

  2. Under Remote Access available to, select one of the following options:

    1. All Users

    2. Selected Users or Groups

  3. If you chose Selected Users or Groups, specify the users and groups allowed to use secure remote access.

  4. Click Save.

Assigning ZTNA Licenses (Enforcement Model)

You can manage remote license assignment for all your users (whether they are provisioned with SCIM or LDAP, or created manually) from the License Assignment page. In the Enforcement Model, users must have a Remote User license to connect remotely using the Cato Client. Remote access is controlled by assigning these licenses to users or groups.

You can also monitor how licenses are assigned in your account, for example, by viewing how many users have a Remote User license.

Note: All manually created users are included in the All Manual Users System group. To automatically assign manually created users a ZTNA license, add this System group to the License Assignment table.

Prerequisites

  • A license can only be assigned to users with an email address
  • A license can only be assigned to users with usernames shorter than 57 characters
  • ZTNA user licenses are based on the user’s primary work location. For example, a user located in China requires a China ZTNA license and can continue to use that license when they travel to other countries. The primary work location isn't visible or configurable in the CMA.

Use Case - ZTNA License (Enforcement Model)

A company has finance, marketing, and product development teams working in its head office in London and a data center in Frankfurt. The company also has sales teams working remotely in 20 different states. Teams working in the head office connect to the data center from behind a Socket site and are not assigned a ZTNA license. The sales teams connect to the data center through the Windows Client and are all assigned ZTNA licenses. The company ensures that policies are enforced for all users, enabling all teams to securely access network resources.

Assigning ZTNA Licenses to Users and User Groups

To assign ZTNA licenses:

  1. From the navigation menu, click Access > License Assignment.
  2. Define how licenses are assigned to your account. The options are:

    • Assign SDP licenses to all users
    • Assign SDP licenses to a selected group
  3. If you are assigning ZTNA licenses to a selected group, select the users or groups from the drop-down.
  4. Click Save.
