This article explains how to use Cato features to provide users with Remote Internet Security with One Time Authentication and secured private access on demand.
Cato can provide users with secured remote Internet access after a one time authentication. This means users always have an Internet connection and protection, with minimal interaction with the Client.
This is configured by defining the level of authentication users require for secured access to either the Internet or your private network (WAN). For example, you can always allow users to have secured access to the Internet after their initial authentication, but only allow access to your private network (WAN) after a user re-authenticates.
In addition, you can control the user re-authentication experience. A prompt can be displayed to users either before or after the authentication token expires.
Remote Internet Security with One Time Authentication is enabled by defining the user Confidence Levels and the level of access (Action) in Client Connectivity Policy rules. The Confidence Level describes how reliable the user's authentication is. The Action defines if the user can access the Internet and private network (WAN) or only the Internet.
The Confidence Levels are:
- High: The user is authenticated to the Client and the token is valid
- Low: The user has authenticated to the Client, but the token has expired
- Any: The user has authenticated to the Client and the token is either valid or expired
The Action defines the level of access provided to the user. The Actions are:
- Allow WAN and Internet: The user has secured Internet access and can access the private network (WAN)
- Allow Internet: The user only has secured Internet access and cannot access the private network (WAN)
- Supported from Windows Client v5.9 and higher
- Users must be assigned an SDP license to have secured Internet access
- Your account must be configured with a public DNS server
- Users must authenticate and have a valid token at least once for confidence levels to be enforced
- On Windows Client v5.9 and below, a private DNS server is not supported
- Traffic flows to your private network that begin while a user has a High Confidence Level continue after the user's Confidence Level changes to Low
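The following Python model is an added illustration of how the Confidence Levels and Actions above combine, including the point that a private-network flow established under a High Confidence Level keeps flowing after the token expires while a new one does not. It is not Cato code: the rule structure, first-match ordering, group matching and the token-expiry timestamp are assumptions of the model, and the two rule sets reproduce the sales-rep and bank use cases described later in this article.

```python
"""Constructed model of Confidence Level / Action evaluation (not Cato code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Confidence(Enum):
    HIGH = "High"   # authenticated to the Client and the token is valid
    LOW = "Low"     # authenticated earlier, but the token has expired
    ANY = "Any"     # rule selector only: matches both High and Low


class Action(Enum):
    ALLOW_WAN_AND_INTERNET = "Allow WAN and Internet"
    ALLOW_INTERNET = "Allow Internet"


@dataclass
class UserState:
    groups: frozenset
    token_expires_at: Optional[float]  # None: the user has never authenticated (assumed field)


def confidence_of(user: UserState, now: float) -> Optional[Confidence]:
    """High while the token is valid, Low once it has expired, None before the
    first authentication (confidence levels are not enforced until then)."""
    if user.token_expires_at is None:
        return None
    return Confidence.HIGH if now < user.token_expires_at else Confidence.LOW


@dataclass(frozen=True)
class Rule:
    name: str
    group: str
    confidence: Confidence
    action: Action

    def matches(self, user: UserState, level: Confidence) -> bool:
        return self.group in user.groups and self.confidence in (Confidence.ANY, level)


def evaluate(rules, user: UserState, now: float) -> Optional[Action]:
    """First matching rule wins (assumed ordering); None means no access decision."""
    level = confidence_of(user, now)
    if level is None:
        return None
    return next((r.action for r in rules if r.matches(user, level)), None)


@dataclass
class Flow:
    to_wan: bool                                    # True for private-network destinations
    established_under: Optional[Confidence] = None  # Confidence Level when first admitted


def admit_flow(rules, user: UserState, flow: Flow, now: float) -> bool:
    """Admit a new flow or let an existing one continue under the current rules."""
    action = evaluate(rules, user, now)
    if action is None:
        return False  # unauthenticated or no matching rule: nothing is passed
    if not flow.to_wan or action is Action.ALLOW_WAN_AND_INTERNET:
        if flow.established_under is None:
            flow.established_under = confidence_of(user, now)
        return True
    # WAN destination but the matching rule only allows Internet: a flow that was
    # established under High continues; a new WAN flow waits for re-authentication
    return flow.established_under is Confidence.HIGH


# Constructed rule sets mirroring the two use cases in the article
SALES_RULES = [
    Rule("sales-high", "sales", Confidence.HIGH, Action.ALLOW_WAN_AND_INTERNET),
    Rule("sales-low", "sales", Confidence.LOW, Action.ALLOW_INTERNET),
]
BANK_RULES = [Rule("bank-high", "remote", Confidence.HIGH, Action.ALLOW_WAN_AND_INTERNET)]


def sales_rep_timeline():
    """Token expires at t=100. Returns (wan_before_expiry, internet_after_expiry,
    new_wan_after_expiry, established_wan_after_expiry)."""
    user = UserState(frozenset({"sales"}), token_expires_at=100.0)
    old_wan = Flow(to_wan=True)
    before = admit_flow(SALES_RULES, user, old_wan, now=50.0)
    internet_after = admit_flow(SALES_RULES, user, Flow(to_wan=False), now=150.0)
    new_wan_after = admit_flow(SALES_RULES, user, Flow(to_wan=True), now=150.0)
    old_wan_after = admit_flow(SALES_RULES, user, old_wan, now=150.0)
    return before, internet_after, new_wan_after, old_wan_after


def bank_after_expiry() -> Optional[Action]:
    """A High-only rule gives an expired-token user no access until re-authentication."""
    user = UserState(frozenset({"remote"}), token_expires_at=100.0)
    return evaluate(BANK_RULES, user, now=150.0)


if __name__ == "__main__":
    print("sales rep:", sales_rep_timeline())   # (True, True, False, True)
    print("bank:", bank_after_expiry())         # None
```

The model deliberately returns no decision for a user who has never authenticated; what the Client actually does before the first authentication is governed by the Pre-Login behaviour described at the end of this article, not by the Confidence Level rules.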
A publishing company has sales reps who work remotely that rarely need access to the company WAN.
The company creates these rules for the sales rep user group:
- In their Always-On policy, they ensure the Client connects for anyone working remotely
- In the Client Connectivity Policy, they let users with a Low Confidence Level access the Internet
When sales reps arrive at a prospect, they are securely connected to the Internet without any interaction with the Cato Client.
A bank has strict Internet security requirements and needs to always ensure users remotely accessing the Internet and private network (WAN) are authenticated.
The company creates these rules for all remote users:
- In their Always-On policy, they ensure the Client always connects
- In the Client Connectivity Policy, they provide access to the Internet and private network (WAN) only to users with a High Confidence Level
When a user connects remotely, they must authenticate before they can access the Internet or private network (WAN).
Follow these steps to enable Remote Internet Security with One Time Authentication:
1. Define a rule in your Always-On policy so that the Client always connects to the Cato Cloud, protecting users and devices.
2. Define a rule in your Client Connectivity policy that defines the level of access based on the user's Confidence Level.
3. Configure how users are prompted to re-authenticate to provide the best experience for your users.
The Always-on Policy enhances Internet security by defining rules for when users or User groups always connect to the Cato Cloud. This ensures all traffic goes through a PoP and Cato security engines inspect the traffic to ensure it complies with your security policies.
For more information on how to create a rule in your Always-On policy, see Protecting SDP Users with Always-On Security.
If you already have a rule for the relevant user groups in your Always-On policy, this step is not required.
The Client Connectivity policy secures your network by ensuring devices or users only connect when they comply with the organizational security requirements.
Including the Confidence Level and Actions in a Client Connectivity Policy rule lets you define the access available to users and User groups based on how reliable their authentication is.
For more information on how to manage network access in your Client Connectivity Policy, see Configuring the Client Connectivity Policy.
Client Connectivity Policy rules can only be applied to users with an SDP License.
To configure access based on Confidence Level:
1. From the navigation menu, click Access > Client Connectivity Policy.
2. Click New. The New Rule panel opens.
3. Configure the scope of the rule:
   - Define the Confidence Level
   - Define the Action
4. Click Apply and then click Save.
You can choose when the Client prompts users to re-authenticate. For example:
- If a user only needs secured Internet access and does not need regular access to your private network (WAN), they do not need to be disturbed by prompts to re-authenticate.
- If a user always needs access to your private network (WAN), they can receive prompts to re-authenticate before and after the authentication token expires so that their access is not blocked.
For more information about available authentication methods, see Configuring the Authentication Policy for Cato Clients.
To define when users are prompted to re-authenticate:
1. From the navigation menu, click Access > Client Access.
2. Expand the Authentication section.
3. Choose when users are prompted to re-authenticate.
Note: You can choose one, both, or neither option. If you leave both options unchecked, the user does not receive any prompts to re-authenticate.
You can monitor the confidence level of users at any time from the Access > Users page. The current confidence level of a user is displayed in the Users Directory tab. An event is also created whenever the Client Connectivity Policy allows a user to connect. For more information, see Configuring the Client Connectivity Policy.
Examples (images not included): the Client when it has access to both the private network (WAN) and the Internet, and the Client when it only has access to the Internet.
Enabling Remote Internet Security with One Time Authentication has impacts on other features.
- The internal DNS and DNS forwarding configurations for your account are ignored for users granted access only to the Internet.
- If a user has only Internet access, the Cato Internet DNS (10.254.254.1) is used as their primary DNS and their secondary DNS is 220.127.116.11.
You can configure users with Always-On enabled to require authentication to Cato when the Client is connected in Office Mode. For more information, see Protecting SDP Users with Always-On Security.
A user configured in a Client Connectivity Policy rule that allows access to the Internet with a Low Confidence Level (Cato authentication token expired) does not need to authenticate in Office Mode. The Client Connectivity Policy configuration overrides the Always-On configuration in Office Mode.
Pre-Login configurations are not impacted by configurations for Remote Internet Security with One Time Authentication. Before users authenticate, traffic is routed as follows:
- Clients with Always-On enabled are only allowed to connect to resources defined in Allowed Destinations; Internet traffic is blocked.
- Clients without Always-On enabled can connect to resources defined in Allowed Destinations and have unsecured Internet access.
For more information about Pre-Login, see Using Windows Pre Login and the SDP Client.
After users authenticate and the authentication token is valid, all traffic passes through the Cato PoP and is inspected by Cato's security engines in accordance with your security policies.
After the authentication token expires, you can allow Internet traffic to continue to pass through the Cato PoP. This provides continuous secured Internet access even though the user is unauthenticated. For secured private access, users are still required to re-authenticate to gain access according to your WAN Firewall policy.