Configuring the Cato Browser Extension

This article describes the Cato Browser Extension, how to configure it, and how your users can implement it.

Note: Please contact cato-releases@catonetworks.com for more information about enabling and using this feature.

Overview

Organizations often have to work with unmanaged devices that are used by third-party vendors and contractors. These devices are a potential attack vector into your network because they do not necessarily follow the rules and guidelines set by your organization. The Cato Browser Extension lets you provide secure access to SaaS applications for unmanaged devices without giving them direct access to any of your resources.

Users install the extension in their browser, and when they enable it, traffic is routed to the forward proxy located on the PoP, processed by the security engines, and from there, to the relevant SaaS application.

Note: The extension is installed on a specific profile and routes traffic through Cato once the user is connected.

Cato also lets you force your users to connect to the extension whenever they wish to use their unmanaged devices. To do so, create a rule in the conditional access policies for your IdP or SaaS providers so that traffic is only accepted if it originates in the Cato Cloud.
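One way to check that such a conditional access rule is actually enforced is to audit the SaaS or IdP sign-in log for successful sign-ins from outside the Cato Cloud. The following is an added example, not Cato code: the egress ranges are placeholder documentation addresses and the five-field log format is constructed for illustration.

```python
import ipaddress

# Assumption: placeholder egress ranges (RFC 5737 documentation blocks).
# Replace them with the egress IPs your account actually uses.
CATO_EGRESS = [ipaddress.ip_network(n)
               for n in ("192.0.2.0/28", "198.51.100.16/29")]

# Constructed sample records: timestamp, user, app, source IP, result
SAMPLE_LOG = """\
2024-05-01T08:12:03Z contractor1@example.com crm 192.0.2.5 success
2024-05-01T08:15:44Z contractor2@example.com crm 203.0.113.77 success
2024-05-01T08:16:02Z contractor2@example.com crm 203.0.113.77 blocked
2024-05-01T09:01:10Z contractor3@example.com wiki 198.51.100.30 success
2024-05-01T09:05:00Z contractor1@example.com wiki not-an-ip success
"""

def from_cato(ip_text):
    """True if ip_text parses and falls inside an allowed egress range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source: treat as outside the Cato Cloud
    return any(ip in net for net in CATO_EGRESS)

def audit(log_text):
    """Return successful sign-ins whose source is outside the egress ranges."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _ts, user, app, src, result = fields
        # A blocked attempt shows the rule working; a success from
        # outside the ranges is a gap in the conditional access policy.
        if result == "success" and not from_cato(src):
            findings.append((lineno, user, app, src))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("policy gap: line %d user=%s app=%s src=%s" % finding)
```

Line 4 of the sample is flagged even though it shares a /24 with an allowed range, which is why the check uses the exact allocated prefixes rather than a broad block.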

Use Case

ABC Company has several SaaS apps it works with and wants to ensure that all connections to those apps are secure and authorized. They have several contractors that need to access these resources.

By installing the browser extension on unmanaged devices, and creating dedicated rules for monitoring traffic coming from the extension, they can ensure that their contractors are able to access the required resources, while reducing the attack surface using Cato.

In addition, as long as they are connected via the Browser Extension, and in the relevant profile, the traffic is inspected against the security policies to adhere to company standards.

Prerequisites

The Browser Extension has the following prerequisites:

  • Chrome browser v88 and higher, supporting extensions

  • A ZTNA license assigned to the user

  • For monitoring, you must have a Client Connectivity policy enabled

Limitations

  • WAN applications are currently not accessible when connected via the Browser Extension. To provide access to WAN applications, see Browser Access Portal Overview - Securing Remote Access to Applications.

  • Route via rules for network traffic are not supported

  • DEM network path analysis is not supported for Browser Extension traffic

  • Okta SSO login is currently not supported

  • Users connecting via the Browser Extension can't be connected to the Cato Cloud either behind a Socket or via the Client.

  • If you receive the following dialog box, it can safely be ignored. Click Cancel to proceed.

    [Screenshot: Browser-Extension-error.png]

High-Level Overview of Configuring the Browser Extension

This section is a high-level overview of the process to configure the Browser Extension for your account. The first two steps are configured by the CMA admin, and the third step is completed by your users with unmanaged devices.

  1. (Optional) If you want to use SSO to authenticate, enable SSO for the Cato Browser Extension.

  2. Define the rules for the Browser Extension in the Client Connectivity Policy to determine which users are allowed to connect via the extension.

  3. Enable the Browser Extension.

  4. Install the Browser Extension on the unmanaged devices.

Enable SSO for the Cato Browser Extension

If you want to use SSO to manage authentication for the browser extension, you must first enable the option in the CMA.

To enable SSO for the Cato Browser Extension:

  1. Navigate to Access > Single Sign-On.

  2. Under Browser Extension Users, select Allow login with Single Sign-On.

  3. Select the cookie type and for how long it's valid.

  4. Click Save.

  5. Ensure that the following URI is listed with your SSO vendor for traffic redirection:

    https://sso.proxy.catonetworks.com/auth_results

    For more information, refer to the SSO documentation for your vendor.

Create a Rule in the Client Connectivity Policy

To ensure that only authorized users connect via the Browser Extension, create a rule in the Client Connectivity Policy.

Creating a rule

  1. Navigate to Access > Client Connectivity Policy.

  2. Click New and follow these instructions.

    • Under Users/Groups, select only those users you want to enable to use the Browser Extension.

    • Under Connection Origin, select Browser Extension

    • Under Action, select Allow WAN and Internet

  3. Click Apply and then Save.

  4. Below this rule, create an additional rule for all other groups who attempt to connect to the Cato Cloud using the Browser Extension and set the Action to Block.

Enable the Browser Extension

You must enable the Browser Extension to let your users connect through it.

Enabling the Browser Extension

  1. Navigate to Access > Browser Access Control.

  2. Click the Browser Extension slider.

  3. Click Save.

Install the Browser Extension

The Browser Extension can be installed on any device running a version of Chrome that supports extensions.

Users can install the Browser Extension through the Google Store, or admins can make it available through a link they receive in the release notes for Client releases.

Understanding the User Experience

When you enable the Browser Extension and define the Client Connectivity Policy, unmanaged devices can access the designated resources only after the user installs the extension and connects.

Once connected, they will be able to access the internal resources and the profile used to connect will comply with the policies defined in your organization.

Once the extension is installed, users must connect to pull the initial configuration settings.

To connect using the Browser Extension

  1. Install the extension either via the Google Store or request it from your admin.

  2. Click the Cato icon in Extensions and select Connect.

  3. The first time you connect you will need to authenticate.

    1. Enter the sub-domain you're connecting to

    2. Provide your username and password

    3. Depending on the organizational policy, you might be required to configure MFA

Browser Extension Statuses

This section shows the different Browser Extension statuses and their descriptions.

  • Disconnected (icon: browser-extension_Disconnected.png): The extension is currently disconnected and you can't access company resources

  • Authenticating (icon: browser-extension_Authenticating.png): The extension is currently authenticating and you don't yet have access to company resources

  • Connected (icon: browser-extension_Connected.png): The extension is authenticated and you can now access company resources
