Understanding the Cato Client Connection Flow

This article explains the Windows Client connection flow to the Cato PoP.

Overview

Before the Client connects to the Cato PoP, it performs various checks based on the configuration of your Client policies. This ensures only users and devices that meet your security requirements are allowed to connect to the network. The following flow diagrams detail the order of these checks and the Client behavior if a check fails or is not enabled.

Windows Client Connection Flow

The following flow diagrams show how the Windows Client connects to the Cato PoP, if Pre Login is enabled or disabled.

Connection Flow - Pre Login Enabled

Pre Login provides access to allowed destinations before a user is authenticated. For example, as soon as a device can connect to the Internet, it can access your AD so that user credentials can be saved to the device. All other Internet access is blocked.

[Flow diagram: Windows Client connection flow with Pre Login enabled]

Connection Flow - Pre Login Disabled

If Pre Login is disabled, this is the Client connection flow:

[Flow diagram: Windows Client connection flow with Pre Login disabled]

Notes

  1. In the Pre Login state, the device is pre-configured with the Cato Client and a trusted certificate, and the Windows registry is configured with the account name. The user is unauthenticated; however, the Client can connect to the PoP to validate the certificate. If the certificate is valid, this establishes enough trust to allow the Client to access allowed destinations through the PoP, even though the user is unauthenticated.

  2. Always-On ensures the Client is always connected to the PoP and all traffic is inspected by Cato's security engines. The Client automatically tries to authenticate and connect with the credentials of the last user to connect with the Client. The Client checks if Always-On is enabled after the device boots (if user credentials are saved on the device) and after the user signs into the device. Once the user is authenticated and the Client is connected, the Client cannot be disconnected.

  3. With Connect on Boot enabled, during the device boot phase the Client automatically tries to authenticate and connect with the credentials of the last user to connect with the Client. Once the Client connects, the user is able to disconnect the Client. The Client checks if Connect on Boot is enabled after the device boots (only if user credentials are saved on the device) and after the user signs into the device.

  4. The Client Connectivity Policy defines which device checks to run on the device before it connects to the network. This ensures only devices that comply with your security requirements can connect. You can also configure a user to have secure Internet access only, or both secure Internet access and private network (WAN) access.

  5. These checks include:

    • Device Checks that define the minimum requirements a device must meet to be able to connect to your network. The Client runs checks to validate the security posture of the device.

    • The geo-location of the device

    • The device operating system

    • The user's authentication status

  6. Users can authenticate with SSO, MFA, or a username and password. Once authenticated, the PoP generates a Cato Token to verify that the user has been authenticated, so that the Client can maintain a connection to the Cato Cloud. You can configure how long the Cato authentication token is valid for. The Client can automatically authenticate with Windows credentials, making this step seamless to the user.

Understanding Client Permissions

The Client has the following permissions on a device:

Windows

  • Cato Client SDP service (CatoNetworksVPNService): Local System Account

  • Client UI processes: Standard User

macOS

  • Cato Client daemon (com.catonetworks.mac.CatoClient.helper): Root User

  • System extension: Root User (with fewer permissions than the daemon)

  • User agent: Standard User
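To verify that an installed Windows Client still matches the service permissions listed above, the following PowerShell audit is an added example and not Cato's own tooling; it assumes only the service name from this article, that the service binary is Authenticode-signed, and that it is run from an elevated prompt.

```powershell
# Added example (not Cato's code): audit the Cato Client SDP service against the documented account.
# Assumption: the service name 'CatoNetworksVPNService' from this article; run in an elevated PowerShell.
$ServiceName   = 'CatoNetworksVPNService'
$ExpectedLogon = 'LocalSystem'   # Win32_Service reports the Local System Account as 'LocalSystem'

function Test-CatoServiceAccount {
    param([string]$Name = $ServiceName)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return [pscustomobject]@{ Name = $Name; Found = $false; MatchesDocumented = $false; Detail = 'service not installed' }
    }

    # PathName may be quoted and may carry arguments; keep only the executable path
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    # Confirm the binary the service launches is still validly signed (detects tampering or replacement)
    $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    $sigStatus = if ($sig) { $sig.Status } else { 'Unreadable' }

    $accountOk = $svc.StartName -eq $ExpectedLogon
    $signedOk  = $sigStatus -eq 'Valid'

    [pscustomobject]@{
        Name              = $svc.Name
        Found             = $true
        StartName         = $svc.StartName
        State             = $svc.State
        StartMode         = $svc.StartMode
        Binary            = $exe
        Signature         = $sigStatus
        Signer            = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
        MatchesDocumented = ($accountOk -and $signedOk)
        Detail            = @(
            if (-not $accountOk) { "runs as '$($svc.StartName)', expected '$ExpectedLogon'" }
            if (-not $signedOk)  { "binary signature status is '$sigStatus'" }
        ) -join '; '
    }
}

# Report the result; a MatchesDocumented value of False means the host drifted from this article's baseline
Test-CatoServiceAccount | Format-List
```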
