The Cato Client is proprietary software that extends Cato's network and security capabilities to remote users in any location. This article lists the prerequisites and explains how to install the Client.
The Cato Client can identify and authenticate users, enforce your network rules, and inspect remote traffic based on security policies. To ensure your users benefit from these features the Cato Client must be installed on their device. Before you install the Client on any device, ensure that the prerequisites are met and the required processes and URLs are added to the allowlists of your security software. You can then download the Client and install it on an individual device or distribute it with an MDM.
After you install the Client on a device you can configure features and policies to meet your requirements. Users can authenticate and securely to your network. For more information on the Client Connection process, see Understanding the Cato Client Connection Flow.
Before the Client is installed on a device, ensure the following prerequisites are met:
-
Install the Client on a device running a supported operating system.
-
The Cato CA certificate is installed on the device or computer
-
For Windows Clients the Cato certificate is automatically added to the Windows certificate store and supports the Chrome and Edge browsers
You can manually install the Cato certificate for other browsers (such as Firefox), or use an MDM to install it with the browser
-
For macOS Clients, for organizations that use an MDM, the Cato certificate is automatically installed as part of the CA keychain
Otherwise, the SDP user manually installs the Cato certificate. For more information, see Installing the Cato Certificate on macOS Devices.
-
For iOS and Android Clients, the SDP user manually installs the Client or use an MDM to install the certificate with the Client. For more information, see Installing the Cato Certificate on iOS Devices or Installing the Cato Certificate on Android Devices.
-
The Cato certificate and Client installation files can be downloaded from the Client download portal
-
-
Internet browser requirements:
-
Use an Internet browser that supports SSL (such as Chrome or Edge)
-
For external authentication, make sure that a default browser is configured in the device OS settings
-
-
A PPPoE connection is not used. PPPoE is not supported
-
For iOS, Android, and Linux Clients, we recommend that you disable IPv6 on all physical adapters
-
IPv6 is supported for Last Mile Connections on Windows Client v5.11 and higher and macOS Client v5.7 and higher
-
-
Make sure that the IP addresses for PoPs in the Cato Cloud are allowlisted for any firewalls or similar devices
For a list of the PoP IP ranges, see: Production PoP Guide
-
On Windows devices, IP forwarding is disabled. For more information, see IP Routing Prevents Windows Client Authentication
-
On macOS devices, no other enterprise VPN is running on the device
-
If Bandwidth Management is used in your account, we recommend the IP address 10.254.254.1 is given at least the same priority as any other address you have added
-
To receive user notifications, notifications must be enabled on the device. For more information, see Creating the Data Control Policy and Managing the Application Control Policy
-
Review the Known Limitations of the Client version. For more information, see Summary of Cato Client Releases
We recommend that you allowlist the following processes and URLs for all security endpoint software and solutions according to the specified OS.
-
All devices
-
vpn.catonetworks.net
-
c-me.catonetworks.net
-
v-me.catonetworks.net
-
sso.catonetworks.com
-
sso.via.catonetworks.com
-
auth.catonetworks.com
-
sso.ias.catonetworks.com
-
localhost - 127.0.0.1 (for the SSO token)
-
client-telemetry.main.prod.k8s.catonet.works
-
https://sso.catonetworks.com/login
-
https://sso.via.catonetworks.com/auth_results
-
https://auth.catonetworks.com/oauth1/broker/code/onelogin
-
https://sso.ias.catonetworks.com/auth_results (for new SDP users with Windows Client v5.1 and higher)
-
https://clients.catonetworks.com/
-
PoP location IP ranges, for more information see the PoP production guide
-
-
Windows OS
-
CatoClient.exe
-
winvpnclient.cli.exe
-
CatoUpgradeHelper.exe
-
CatoLogCollector.exe
-
LogLevelSetup.exe
-
CatoClient.exe.config
-
wa_3rd_party_host_32.exe
-
wa_3rd_party_host_64.exe
-
For accounts that use a third-party proxy (for both HTTP and HTTPS):
-
IP - 85.255.31.1
-
URL - sso.ias.catonetworks.com
-
-
https://network-segmentation.catonetworks.com
-
https://ip2location.catonetworks.com/pub/getMyLocation
-
https://tunnel-api.catonetworks.com
-
-
macOS
-
For accounts that use a third-party proxy (for both HTTP and HTTPS):
-
IP - 85.255.31.1
-
URL - sso.ias.catonetworks.com
-
-
For accounts that have CrowdStrike installed on devices:
-
/Applications/CatoClient.app/Contents/MacOS/CatoClient
-
/Library/SystemExtensions/*/com.catonetworks.mac.CatoClient.CatoClientSysExtension.systemextension/ Contents/MacOS/com.catonetworks.mac.CatoClient.CatoClientSysExtension
Note: Replace the "*" with the unique extension ID that is part of that file location
-
-
The following table lists the minimum OS (operating system) versions for each device that supports the Cato Client:
Client Device |
Minimum Supported OS |
Windows |
|
macOS |
|
iOS |
iPhone 6 and higher, iOS 15.0 |
iPadOS |
iPadOS 15.0 |
Android (v5.0 and higher) |
Android version 8.1 |
Linux Linux Clients are supported for 64-bit OS (X86_64) (There is a different Client for each Ubuntu OS version) |
|
Note
Note: The Client does not support operating systems that vendors have declared End of Life.
The Client can be installed on any supported device. For troubleshooting information see Troubleshooting Scenarios for Issues with the Cato Client.
The Windows Client can be downloaded from the Client download portal and installed on individual devices by following the installation wizard. You can also download the Client from the Client Rollout page and distribute the Client with an MDM. For more information, see Downloading the Cato Client.
Use one of the following options to install the Windows Client:
-
Run the EXE from the File Explorer
-
Run the EXE file using the command line: <setup_file.exe>
-
In Windows Client versions below 5.5, for silent installation use the command line: <setup_file.exe> /s /x /v"/qn"
-
In Windows Client version 5.5 and above, for silent installation use the command line: <setup_file.exe> /s
-
-
Run the MSI file using the command line: msiexec /i <setup_file.msi>
-
The MSI installation requires MS .NET framework version 4.6.2 or higher installed
-
Run the MSI command line as an administrator
Note: /j is not supported
-
In the installation wizard, there is the option to create a desktop shortcut for the Client. You can prevent users selecting this option with the command line:
msiexec /i <setup_file.msi>CATO_FORCE_DISABLE_DESKTOP_SHORTCUT=1 /qn
To make it easier for users to authenticate to their new device, you can define the Windows registry key to enable the Client to automatically open after the initial installation. Afterwards, the Client behaves according to the settings for your account.
After the registry is changed, the Client automatically opens for the next Windows user that logs in to the device.
The macOS Client can be downloaded from the Client download portal and installed on individual devices by following the installation wizard. You can also download the Client from the Client Rollout page and distribute the Client with an MDM. For more information, see Downloading the Cato Client.
To install the macOS Client run the pkg file from Finder.
For more information about installing the Linux Client, see Installing and Running the Linux Client
Once the Client is installed on a device, you can configure features and policies to meet your secure remote access requirements. The features are configured in the Cato Management Application are enforced by the Client. This lets you simply manage and enforce your requirements and ensure the protection of your network.
Here are some key features we recommend you enable. For more information about all the Client features, see the Access documentation.
-
User Awareness: Identify the user signed into the device at any point in time to control user access, and monitor user activity
-
Client Connectivity Policy: To check the posture of devices before they connect to the network
-
Always-On Policy To ensure all traffic always goes through the Cato Cloud and Cato security engines inspect the traffic to ensure it complies with your security policies
Analyzing Client Events
You view and analyze data from users connecting with the Client from the Remote User Dashboard.
11 comments
Added details for the allowlist requirements to install the Client
Removed incorrect limitation for connecting over PPPoE
Added limitation for Intel Killer wireless NIC for Windows Clients v4.7 and higher
Added Minimum Supported Device Operating Systems to this article
Added minimum supported device OS for Android Client (v5.0 and higher)
Added information about the Cato certificate automatically installed for Windows and macOS Clients
For Windows v5.6, added Automatically Launching Windows SDP Client after Initial Installation (v5.6 and Higher)
Updated after end of life for Windows and macOS Clients earlier than v5.0
how to install a cato certificate for wifi guests? is there an automatic way?
Is there a method to auto connect the client after install? I see you can run the program after install, but you still need to hit the connect button manually.
Hi Dan Pride,
Yes there is - with the Always-On policy you can define rules for when users or User groups always connect with the Client to the Cato Cloud. Depending on your use case, you can also auto connect the Client to provide users with secured remote Internet access after one time authentication.
Please sign in to leave a comment.