This article explains how the Cato Cloud platform works in China, including how it meets the Chinese government's regulations and restrictions.
All Internet traffic in China is inspected by the government and backhauled through a local gateway. Cato follows all regulations in China, and the Cato SASE service is fully available in China just like in other regions.
Note: Since China restricts certain websites from being accessed from within China, egressing certain traffic to a non-China Cato PoP in order to bypass the Great Firewall of China violates the Cato MSA (Master Service Agreement). Refer to the Cato MSA, section 5.2, for questions regarding restrictions in China.
Cato provides an optimal user experience within China through its PoPs and allows globally distributed companies with offices in China to have a consistent, secure connection across the Cato backbone. There are multiple Cato PoPs in China, for example, Beijing, Shanghai, Shenzhen, and Urumqi. These PoPs communicate with the rest of the Cato Cloud through Hong Kong: the Chinese PoPs form a full mesh among themselves inside China, while all communication between a Chinese PoP and any other PoP (in either direction) passes through Hong Kong.
The Chinese government restricts access to some sites and resources outside of China, which requires foreign companies to adapt to these regulations.
Note: The Chinese government can change its restrictions and prohibit access to an application or website at any time. If traffic is blocked, check this list to see if the destination is unavailable in China.
Limitations for Sites or Remote Users Located in China
- RPF is not supported in China
- Browser Access is not supported in China
- RBI is not supported in China. For more information, see Configuring the RBI Service for Browsing Sessions
Sockets located in China download the Socket upgrade file from a server in Ali Cloud, which shortens the download time, reduces latency, and improves the success rate of Socket upgrades.
Within China, the most commonly used DNS services are not available. Therefore, Cato uses an internal mechanism to determine the best available DNS server, and the Cato DNS server, 10.254.254.1, acts as a proxy.
You should configure your WAN interfaces to use the DNS servers provided by your local ISP, or the public DNS servers available in China, such as 114.114.114.114 or 114.114.115.115.
Last mile monitoring predefined web addresses are China web services such as QQ.com, baidu.com, and weibo.com (this is configurable under Network > Last Mile Monitoring Probes).
By default, Internet traffic in China egresses from the China PoP you are connected to, passes through the local gateway, and then continues to the destination. This means that if you attempt to access a restricted site, the Cato PoP allows the traffic to pass, and it is then blocked by local regulations, that is, the Great Firewall of China.
UDP Port 1337 for China Socket and Client DTLS Traffic
Cato recommends as a best practice, configuring the alternate UDP port for accounts with Socket sites and Client users located in China. DTLS tunnels using UDP port 443 can experience connectivity issues such as packet loss. Configure UDP port 1337 as a preferred DTLS port for Socket and Client traffic to improve connectivity. For more information, see Understanding Cato Networking in China.
Licensing
When purchasing a license for a site in China, customers must determine what percentage of that license bandwidth is allocated to regional traffic and what percentage is dedicated to global traffic.
- Regional traffic is any traffic sent within the China region, for example, from a site in Shenzhen to a site in Beijing
- Global traffic is any traffic sent outside the region, for example, from a site in Shenzhen to a site in Europe.
Note: Global traffic is inherently more expensive than regional traffic. Make sure to allocate both according to your needs.
When you configure a site in the Cato Management Application, you must assign a license to that site. The site details show the license details, which combine the regional and global licenses you purchased.
The value that you need to enter in Last-mile Bandwidth for the site configuration is the total regional and global bandwidth for the site. If, for example, you purchased 100 Mbps, 70% of that regional and 30% global, then you need to configure 100 Mbps for a site located in Shenzhen.
QoS in Cato is controlled by two aspects:
- Bandwidth Management
- Network Rules
For more information, see Network Rules and QoS.
As the Bandwidth Management mechanism is not aware of any licensing limitations, when you create your profiles, you should take into account what your license allows.
If, for example, you purchased 100 Mbps in total bandwidth, with 70% regional and 30% global, when creating your Bandwidth Management profiles set limits that align with those values. As a best practice, use percentages and not hard limits of bandwidth values to avoid allocating more than you are allowed to use.
Your company has sites in Shenzhen, Shanghai, Beijing, and Europe. You want to ensure that when they have video conferencing (VC) meetings, they are able to communicate without any issues.
You can create the following profile to allocate at least 15% of your resources to P15 traffic.
You can then create a Network Rule that uses the P15 profile for VC traffic. When the traffic is between offices within China, for example Shanghai and Beijing, the 15% of allocated bandwidth is based on your regional license. If Shenzhen is video conferencing with the Europe site, it uses 15% of the global license. Because you used percentages rather than hard Mbps limits, you do not run the risk of exceeding your license allowance.
Based on the scenario described above, you can also create two different profiles, one for regional VC and one for global VC, that use hard bandwidth limits. For regional video conferencing, you have a profile that allocates 10 Mbps, and for global video conferencing a profile that allocates 5 Mbps.
In your Network Rules, you then create two separate rules to implement each of the profiles depending on the destination of the VC traffic.
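The following added example (not Cato's code) models the regional/global license split and the two profile styles from the scenario above. It shows why a percentage-based profile always stays within the applicable pool, and checks hard-limit profiles against that pool so an over-allocation is flagged before it becomes a rule; the site-to-region map, license figures and profile values are constructed for illustration.

```python
"""Model a China site license (regional/global split) and check Bandwidth
Management profiles against it. Example code, not part of Cato's product.
All site names and numbers below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ChinaLicense:
    total_mbps: int        # value entered as Last-mile Bandwidth for the site
    regional_percent: int  # share of the license bought for in-China traffic

    @property
    def regional_mbps(self) -> float:
        return self.total_mbps * self.regional_percent / 100

    @property
    def global_mbps(self) -> float:
        return self.total_mbps * (100 - self.regional_percent) / 100


# Constructed site-to-region map; only China-to-China flows are "regional".
SITE_REGION: Dict[str, str] = {
    "Shenzhen": "China", "Shanghai": "China", "Beijing": "China", "Europe": "EU",
}


def traffic_class(src: str, dst: str) -> str:
    """Regional if both endpoints are in China, otherwise global."""
    in_china = SITE_REGION[src] == "China" and SITE_REGION[dst] == "China"
    return "regional" if in_china else "global"


def pool_mbps(lic: ChinaLicense, src: str, dst: str) -> float:
    """The license pool a flow between src and dst draws from."""
    return lic.regional_mbps if traffic_class(src, dst) == "regional" else lic.global_mbps


def profile_allowance(lic: ChinaLicense, src: str, dst: str,
                      percent: Optional[float] = None,
                      hard_mbps: Optional[float] = None) -> Tuple[float, bool]:
    """Effective Mbps a Bandwidth Management profile yields for one flow, and
    whether the profile over-allocates. A percentage profile scales with the
    pool that applies, so it can never exceed the license; a hard-limit
    profile is clamped to the pool and flagged when it exceeds it."""
    pool = pool_mbps(lic, src, dst)
    if percent is not None:
        return pool * percent / 100, False
    assert hard_mbps is not None, "give either percent or hard_mbps"
    return min(hard_mbps, pool), hard_mbps > pool
```

With a 100 Mbps license split 70/30, the P15 profile yields 10.5 Mbps for Shanghai to Beijing and 4.5 Mbps for Shenzhen to Europe, while a 40 Mbps hard limit on a global flow is clamped to 30 Mbps and flagged.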