User Awareness for Shared Hosts (EA)

This topic provides information about configuring user awareness for shared hosts.

Note: This is an Early Availability (EA) feature that is only available for limited release. For more information, contact your Cato Networks representative or send an email to ea@catonetworks.com.

Overview

Universal ZTNA (UZTNA) delivers identity-based, least-privilege access to private applications, SaaS, and Internet resources through its global SASE platform. It applies consistent user-to-application segmentation, real-time threat prevention, and device posture checks, enabling secure access for users across mobile, branch, and cloud environments.


With user awareness for shared hosts, Cato lets you identify and track multiple users connecting from a single device, such as a Windows Terminal Server, Citrix environment, or Azure Virtual Desktop (AVD). Users connect to the shared device from their devices and can then access resources via the shared device according to your organization's policy.

User Awareness provides critical visibility into user activities, enabling more granular policy enforcement, improving security auditing, and enhancing threat detection. It ensures that access controls and monitoring remain effective, even in environments where multiple users share the same host.

Note: Contact your representative to obtain the relevant Client version, which can be installed only on shared hosts.

Information Flow

Users connect from their device to the shared host located behind a site (Socket, vSocket, etc.), for example, via an RDP session. Each user connection to the shared host is flagged with a key specific to that user. When traffic is sent from the shared host to the Cato Cloud over the GRE tunnel, the key is matched to the user identity, and the traffic is inspected and monitored based on the policies applied to that user or user group. For example, users from R&D might be granted access to a repository, but not to Salesforce, while Sales Engineers will be granted access to Salesforce, but not the repository.

For traffic that you don't want to send to the Cato Cloud, e.g., to a DNS server, you can configure exceptions so that it does not go through the GRE tunnel. This lets you keep local traffic in the LAN so that it does not have to go out to the PoP.

Configuring User Awareness for Shared Hosts

To enable user awareness for shared hosts, you need to do the following:

  1. Configure which traffic is sent through the shared host and which is not

  2. Install the Cato Client on the shared hosts

Configuring Traffic to the Shared Hosts

You can configure which shared hosts can communicate with the Cato Cloud via the GRE tunnel, and the traffic to exclude. For example, internet traffic should be sent via the GRE tunnel, but DNS traffic should be excluded.


Configure traffic to the shared hosts

  1. Navigate to Access > User Awareness and in the Terminal Server tab, slide the toggle to Shared Hosts Enabled.

  2. Click New > New Rule.

    1. In the IP Address field, select the host or CIDR to which to apply the rule.

      IP ranges, e.g., 10.10.10.5-10.10.10.10, are not supported; enter a single host or a CIDR.

    2. Define Routing Exceptions for traffic that should not be sent through the GRE tunnel, for example, to a DNS server or Active Directory.

  3. Click Save.

Install the Cato Client on the Shared Hosts

You need to install the Cato Client on the shared hosts to enable the GRE tunnel.


The following operating systems are supported:

  • Windows Server 2019 and higher

  • For Azure Virtual Desktop, Windows 10 or Windows 11

To install the Cato Client

  1. Follow the instructions to install the Cato Client.

  2. When running the installation, add the following flag:

    CATO_INSTALL_UATS=1

  3. For Azure Virtual Desktop Windows 10 or Windows 11, after the installation completes:

    1. In the Windows Registry, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN

    2. Create the DWORD GREOverUDP and set the value to 1

  4. In the same Windows Registry location, to verify that the install was successful, ensure that the GREMode registry value was created and is set to 1.
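The post-install registry steps above, as an added PowerShell example that is not Cato's own tooling: it assumes the Client has already been installed with CATO_INSTALL_UATS=1, creates the GREOverUDP value when run with the (assumed) -IsAvd switch on an Azure Virtual Desktop Windows 10/11 host, and verifies that GREMode exists and is set to 1.

```powershell
# Added example: verify the shared-host Client install and apply the AVD-specific
# registry setting from the steps above. Run in an elevated PowerShell session.
# Assumption: the Client was already installed with CATO_INSTALL_UATS=1.
param(
    # Assumed switch: set it on Azure Virtual Desktop (Windows 10/11) session hosts,
    # where the steps above require GREOverUDP=1 in addition to GREMode=1.
    [switch]$IsAvd
)

$regPath = 'HKLM:\SOFTWARE\CatoNetworksVPN'   # registry key named in step 3 above

if (-not (Test-Path $regPath)) {
    throw "Registry key $regPath not found; the Client install did not complete as expected."
}

if ($IsAvd) {
    # Step 3 above: create the DWORD GREOverUDP and set it to 1.
    # Set-ItemProperty creates the value if it is missing and updates it if it exists.
    Set-ItemProperty -Path $regPath -Name 'GREOverUDP' -Value 1 -Type DWord
}

# Step 4 above: the install is successful only when GREMode exists and equals 1.
$greMode = (Get-ItemProperty -Path $regPath -Name 'GREMode' -ErrorAction SilentlyContinue).GREMode

if ($null -eq $greMode) {
    throw "GREMode was not created under $regPath; re-run the installer with CATO_INSTALL_UATS=1."
}
if ($greMode -ne 1) {
    throw "GREMode is $greMode, expected 1; the shared-host install flag was not applied."
}

Write-Output "Shared-host Client install verified: GREMode=1 under $regPath"
if ($IsAvd) {
    $greOverUdp = (Get-ItemProperty -Path $regPath -Name 'GREOverUDP').GREOverUDP
    Write-Output "AVD setting applied: GREOverUDP=$greOverUdp"
}
```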
