This article explains how to use Cato features to provide users with Remote Internet Security with One Time Authentication and secured private access on demand.
Note: This is an Early Availability (EA) feature that is only available for limited release. For more information, contact your Cato Networks representative or send an email to email@example.com.
Cato can provide users with secured remote Internet access after one time authentication. This means users always have Internet connection and protection with minimal interaction with the Client. Access to your private network (WAN) can be provided on demand.
This is enabled by defining the level of authentication users require for secured access to either the Internet or your private network (WAN). For example, you can always allow users to have secured access to the Internet after their initial authentication, but only allow access to your private network (WAN) after a user re-authenticates.
Using configurations in the Always-On policy and the Client Connectivity Policy, after users authenticate, all traffic passes through the Cato PoP and is inspected by Cato's security engines in accordance with your security policies. Traffic continues to pass through the Cato PoP even after the authentication token expires following the user's initial authentication. For secured private access, users are required to re-authenticate to gain access according to your WAN Firewall policy.
In addition, you can control the user re-authentication experience. A prompt can be displayed to users either before or after the authentication token expires.
Remote Internet Security with One Time Authentication is enabled by defining the user Confidence Levels and the level of access (Action) in Client Connectivity Policy rules. The Confidence Level describes how reliable the user's authentication is. The Action defines if the user can access the Internet and private network (WAN) or only the Internet.
The Confidence Level describes how reliable the user's authentication is. The Confidence Levels are:
The Action defines the level of access provided to the user. The Actions are:
Allow WAN and Internet: The user has secured Internet access and can access the private network (WAN)
Allow Internet: The user only has secured Internet access and cannot access the private network (WAN)
A publishing company has sales reps who work remotely. Their day-to-day work relies on cloud SaaS apps, and they rarely need access to the company WAN.
The company creates a rule in their Always-On policy to ensure the Client connects for anyone working remotely. In the Client Connectivity Policy, they create a rule for the sales reps User group. The rule lets sales reps with a Low Confidence Level access the Internet after the initial authentication.
When sales reps arrive at a prospect, they are securely connected to the Internet without any interaction with the Cato Client.
This diagram explains the access provided to the sales reps based on the Confidence Level and Action configured in the Client Connectivity Policy:
A bank has strict Internet security requirements and needs to always ensure users remotely accessing the Internet and private network (WAN) are authenticated.
The company creates a rule in their Always-On policy to ensure the Client connects for anyone working remotely. In the Client Connectivity Policy, they create a rule for all users. The rule only provides access to the Internet and private network (WAN) to users with a High Confidence level.
When a user connects remotely, they must authenticate before they can access the Internet or private network (WAN).
This diagram explains the access provided to bank employees based on the Confidence Level and Action configured in the Client Connectivity Policy:
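The two scenarios above can be made concrete with a small decision model. The following Python is an added illustration written for this article; it is not Cato's code and does not use any Cato API. It models the Confidence Level as a function of whether the user's authentication token is still valid (High while valid, Low once expired, as the article describes for Low), treats a rule's Confidence Level as a minimum threshold that higher levels also satisfy (an assumption), treats "no matching rule" as no access (also an assumption, since the article does not state this case), and uses a constructed 8-hour token lifetime and 15-minute pre-expiry warning window for the re-authentication prompts.

```python
# Added illustrative model of Client Connectivity Policy evaluation.
# Not Cato's code or API; rule semantics and timing values are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum, IntEnum


class Confidence(IntEnum):
    # The article names Low (authentication token expired) and High.
    # Ordering them lets a rule's level act as a minimum threshold (assumption).
    LOW = 1
    HIGH = 2


class Action(Enum):
    ALLOW_INTERNET = "Allow Internet"
    ALLOW_WAN_AND_INTERNET = "Allow WAN and Internet"


@dataclass
class Rule:
    name: str
    user_groups: frozenset          # groups the rule applies to; "*" means all users
    min_confidence: Confidence
    action: Action

    def matches(self, groups, confidence):
        in_scope = "*" in self.user_groups or bool(self.user_groups & groups)
        return in_scope and confidence >= self.min_confidence


@dataclass
class Session:
    user: str
    groups: frozenset
    token_issued_at: datetime
    token_lifetime: timedelta = timedelta(hours=8)   # constructed value

    def expires_at(self):
        return self.token_issued_at + self.token_lifetime


def confidence_level(session, now):
    """High while the authentication token is valid, Low once it has expired."""
    return Confidence.HIGH if now < session.expires_at() else Confidence.LOW


def evaluate(rules, session, now):
    """Networks granted by the first matching rule: {'internet'} or {'internet', 'wan'}.
    An empty set means no rule matched (modelled here as no access; assumption)."""
    level = confidence_level(session, now)
    for rule in rules:
        if rule.matches(session.groups, level):
            if rule.action is Action.ALLOW_WAN_AND_INTERNET:
                return {"internet", "wan"}
            return {"internet"}
    return set()


def reauth_prompts(session, now, prompt_before=True, prompt_after=True,
                   warning=timedelta(minutes=15)):
    """Which re-authentication prompts the Client would show at 'now', given the
    two optional settings (prompt before / after token expiry). The warning
    window length is a constructed value."""
    prompts = []
    exp = session.expires_at()
    if prompt_before and exp - warning <= now < exp:
        prompts.append("before-expiry")
    if prompt_after and now >= exp:
        prompts.append("after-expiry")
    return prompts


# Constructed rule sets mirroring the publishing company and the bank.
PUBLISHER_RULES = [Rule("Sales reps Internet", frozenset({"sales-reps"}),
                        Confidence.LOW, Action.ALLOW_INTERNET)]
BANK_RULES = [Rule("All users", frozenset({"*"}),
                   Confidence.HIGH, Action.ALLOW_WAN_AND_INTERNET)]


def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)    # constructed login time
    rep = Session("alice", frozenset({"sales-reps"}), t0)
    banker = Session("bob", frozenset({"tellers"}), t0)
    return {
        "rep_fresh": evaluate(PUBLISHER_RULES, rep, t0 + timedelta(hours=1)),
        "rep_expired": evaluate(PUBLISHER_RULES, rep, t0 + timedelta(hours=9)),
        "banker_fresh": evaluate(BANK_RULES, banker, t0 + timedelta(hours=1)),
        "banker_expired": evaluate(BANK_RULES, banker, t0 + timedelta(hours=9)),
        "rep_prompts_near_expiry": reauth_prompts(rep, t0 + timedelta(hours=7, minutes=50),
                                                  prompt_before=False, prompt_after=False),
        "banker_prompts_near_expiry": reauth_prompts(banker, t0 + timedelta(hours=7, minutes=50)),
        "banker_prompts_after_expiry": reauth_prompts(banker, t0 + timedelta(hours=9)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, sorted(value) if value else "none")
```

Running the block shows the two behaviours the scenarios describe: the sales rep keeps Internet-only access both before and after the token expires and, with both prompt options unchecked, is never prompted; the bank employee has WAN and Internet access while the token is valid, loses all access once it expires, and is prompted both shortly before and after expiry.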
Follow these steps to enable Remote Internet Security with One Time Authentication:
Define a rule in your Always-On policy so that the Client always connects to the Cato Cloud protecting users and devices.
Define a rule in your Client Connectivity policy that defines the level of access based on the user's Confidence Level.
Configure how users are prompted to re-authenticate to provide the best experience for your users.
The Always-On Policy enhances Internet security by defining rules for when users or User groups always connect to the Cato Cloud. This ensures all traffic goes through a PoP and Cato security engines inspect the traffic to ensure it complies with your security policies.
For more information on how to create a rule in your Always-On policy, see Protecting SDP Users with Always-On Security.
If you already have a rule for the relevant user groups in your Always-On policy, this step is not required.
The Client Connectivity policy secures your network by ensuring devices or users only connect when they comply with the organizational security requirements.
Including the Confidence Level and Actions in a Client Connectivity Policy rule lets you define the access available to users and User groups based on how reliable their authentication is.
For more information on how to manage network access in your Client Connectivity Policy, see Configuring the Client Connectivity Policy.
Client Connectivity Policy rules can only be applied to users with an SDP License.
You can choose when the Client prompts users to re-authenticate. For example:
If a user only needs secured Internet access and does not need regular access to your private network (WAN), they do not need to be disturbed by prompts to re-authenticate.
If a user always needs access to your private network (WAN), they can receive prompts to re-authenticate before and after the authentication token expires so that their access is not blocked.
For more information about available authentication methods, see Configuring the Authentication Policy for Cato Clients.
To define when users are prompted to re-authenticate:
From the navigation menu, click Access > Client Access.
Expand the Authentication section.
Choose when users are prompted to re-authenticate.
Note: You can choose one, both, or neither of the options. If you leave both options unchecked, the user does not receive any prompts to re-authenticate.
You can monitor the confidence level of users at any time from the Access > Users page. The current confidence level of a user is displayed in the Users Directory tab. An event is also created whenever the Client Connectivity Policy allows a user to connect. For more information, see Configuring the Client Connectivity Policy.
The Client displays the level of access permitted to the user based on how reliable their authentication is. For example, the Client clearly displays if a user:
Has access to both the Internet and the private network (WAN). Private access means access to your WAN.
Has secured Internet access only.
When secured Internet access is close to expiring, the Client displays this message:
When access to your private network (WAN) is close to expiring, the Client displays this message:
Enabling Remote Internet Security with One Time Authentication affects other features.
When a user is working in an office that is behind a Cato Socket or IPsec site, the Client automatically connects to that site without using the encrypted tunnel. This behavior is called Office Mode and it is enabled by default for all accounts. Users can't disable Office Mode on the Client.
From Windows Client v5.8 and higher, behind a site, the Client connects to Cato automatically in Office Mode without users authenticating. After the Client connects, the Connect button is automatically disabled.
You can configure users with Always-On enabled to require authentication to Cato when the Client is connected in Office Mode. For more information, see Protecting SDP Users with Always-On Security.
A user configured in a Client Connectivity Policy rule that allows access to the Internet with a Low Confidence Level (Cato Authentication token expired) does not need to authenticate in Office Mode. The Client Connectivity Policy configuration overrides the Always-On configuration in Office Mode.
Pre-Login configurations are not impacted by configurations for Remote Internet Security with One Time Authentication. Before users authenticate, traffic is routed as follows:
Clients with Always-On enabled can only connect to resources defined in Allowed Destinations; Internet traffic is blocked.
Clients without Always-On enabled can connect to resources defined in Allowed Destinations and have unsecured Internet access.
For more information about Pre-Login, see Using Windows Pre Login and the SDP Client.
The internal DNS and DNS forwarding configurations for your account are ignored for users granted access only to the Internet.
If a user has only Internet access, the Cato Internet DNS (10.254.254.1) is used as their primary DNS and their secondary DNS is 184.108.40.206.