This article explains how to configure the Cato Browser Extension. You can read more about the Cato Browser Extension here.
The Browser Extension has the following prerequisites:
- You must enable TLS Inspection for the Browser Extension to function properly
  - End users can download the relevant certificate directly from the Browser Extension home page
- A ZTNA (SDP) license is assigned to the user
- To generate events for the Browser Extension, you must have a Client Connectivity policy enabled
- Only HTTPS traffic is supported
- WAN routing requires SNAT or the default gateway to be configured to enable routing traffic back to Cato
- Local MFA is not supported
- When the Client Connectivity Policy includes a rule that allows only Internet traffic for the Browser Extension, WAN traffic is also allowed. To block WAN traffic, the rule must also block Internet traffic.
- Sites that bypass TLS inspection are not accessible
- DEM network path analysis is not supported for Browser Extension traffic
- If you receive the following dialog box, it can safely be ignored, and you should click Cancel in the dialog box
This section is a high-level overview of the process to configure the Browser Extension for your account. The first two steps are configured by the CMA admin, and the third step is completed by your users with unmanaged devices.
- (Optional) For SSO authentication, enable SSO for the Cato Browser Extension.
- Define the rules for the Browser Extension in the Client Connectivity Policy to determine which users are allowed to connect via the extension.
- Enable the Browser Extension.
- Install the Browser Extension on the unmanaged devices.
If you want to use SSO to manage authentication for the browser extension, you must first enable the option in the CMA.
To enable SSO for the Cato Browser Extension:
- Navigate to Access > Single Sign-On.
- Under Browser Extension Users, select Allow login with Single Sign-On.
- Select the cookie type and for how long it's valid.
- Click Save.
- Ensure that the following URI is listed in your SSO vendor for traffic redirecting:
  https://sso.proxy.catonetworks.com/auth_results

For more information, refer to the SSO documentation for your vendor.
To ensure that only authorized users connect via the Browser Extension, create a rule in the Client Connectivity Policy. For example, create a User Group for all contractors and apply the rule to the contractor User Group.
To create a rule to enable Browser Extension traffic:
- Navigate to Access > Client Connectivity Policy.
- Click New and follow these instructions.
  - Under Users/Groups, select only those users you want to enable to use the Browser Extension
  - Under Connection Origin, select Browser Extension
  - Under Action, select Allow Internet
  - Click Apply and then Save.
- Below this rule, create an additional rule for all other groups who attempt to connect to the Cato Cloud using the Browser Extension and set the Action to Block.
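
The rule order from this procedure can be checked before rollout. The following is an added example, not Cato code: the `Rule` layout, the group names and the top-down first-match evaluation are assumptions for illustration. It also encodes the limitation listed earlier, that an Allow Internet rule for the Browser Extension lets WAN traffic through.

```python
from dataclasses import dataclass

BROWSER_EXT = "Browser Extension"

@dataclass(frozen=True)
class Rule:                      # hypothetical layout, not Cato's schema
    name: str
    groups: frozenset            # empty set = every user (assumption)
    origin: str
    action: str                  # "Allow Internet" or "Block"

def first_match(rules, group, origin=BROWSER_EXT):
    """First rule, top to bottom, that matches the group and origin."""
    for rule in rules:
        if rule.origin == origin and (not rule.groups or group in rule.groups):
            return rule
    return None

def effective_access(rules, group):
    """What a Browser Extension session for this group ends up with."""
    rule = first_match(rules, group)
    if rule is None:
        return "no explicit rule"
    if rule.action == "Block":
        return "blocked"
    # Article limitation: Allow Internet for the extension also allows WAN.
    return "internet+wan"

def lint(rules, all_groups):
    """Findings to review before enabling the extension."""
    findings = []
    for rule in rules:
        if rule.origin == BROWSER_EXT and rule.action == "Allow Internet":
            findings.append(f"{rule.name}: WAN traffic is allowed as well")
    for group in sorted(all_groups):
        if first_match(rules, group) is None:
            findings.append(f"{group}: not covered, add a Block rule below")
    return findings

# Constructed sample policy and groups
POLICY = [
    Rule("contractors-allow", frozenset({"Contractors"}), BROWSER_EXT, "Allow Internet"),
    Rule("others-block", frozenset(), BROWSER_EXT, "Block"),
]
GROUPS = {"Contractors", "Employees"}

if __name__ == "__main__":
    for g in sorted(GROUPS):
        print(g, "->", effective_access(POLICY, g))
    print(lint(POLICY[:1], GROUPS))
```

Running `lint` on the policy without the trailing Block rule reports the uncovered group, which is the gap the second rule in the procedure closes.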
You must enable the Browser Extension to let your users connect through it.
The Browser Extension can be installed on any device running a version of Chrome that supports extensions. For more information, see Understanding the User Experience.
When you enable the Browser Extension and define the Client Connectivity Policy, unmanaged devices will only be able to access the designated resources once they install the extension and connect to the network.
Once connected, they will be able to access the internal resources and the profile used to connect will comply with the policies defined in your organization.
Once the extension is installed, users must connect to pull the initial configuration settings.
To connect using the Browser Extension:
- Install the extension either via the Google Store or request it from your admin.
- Click the Cato icon in Extensions and select Connect.
- The first time you connect, you will need to authenticate.
- Enter your corporate email address
- (Optional) Enter the sub-domain you're connecting to. This is only relevant for users who are registered on more than one corporate account.
- Provide your username and password
- Depending on the organizational policy, you might be required to configure MFA
This section shows the different Browser Extension statuses and their descriptions.
| Status | Description |
|---|---|
| | The extension is currently disconnected and you can't access company resources |
| | The extension is currently authenticating and you don't yet have access to company resources |
| | The extension is authenticated and you can now access company resources |