Installing the Cato Client

The Cato Client is proprietary software that extends Cato's network and security capabilities to remote users in any location. This article lists the prerequisites and explains how to install the Client.

Overview

The Cato Client can identify and authenticate users, enforce your network rules, and inspect remote traffic based on security policies. To ensure your users benefit from these features the Cato Client must be installed on their device. Before you install the Client on any device, ensure that the prerequisites are met and the required processes and URLs are added to the allowlists of your security software. You can then download the Client and install it on an individual device or distribute it with an MDM.

After you install the Client on a device you can configure features and policies to meet your requirements. Users can authenticate and securely to your network. For more information on the Client Connection process, see Understanding the Cato Client Connection Flow.

Prerequisites for Installing the Cato Client

Before the Client is installed on a device, ensure the following prerequisites are met:

  • Install the Client on a device running a supported operating system.

  • The Cato CA certificate is installed on the device or computer

    • For Windows Clients the Cato certificate is automatically added to the Windows certificate store and supports the Chrome and Edge browsers

      You can manually install the Cato certificate for other browsers (such as Firefox), or use an MDM to install it with the browser

    • For macOS Clients, for organizations that use an MDM, the Cato certificate is automatically installed as part of the CA keychain

      Otherwise, the SDP user manually installs the Cato certificate. For more information, see Installing the Cato Certificate on macOS Devices.

    • For iOS and Android Clients, the SDP user manually installs the Client or use an MDM to install the certificate with the Client. For more information, see Installing the Cato Certificate on iOS Devices or Installing the Cato Certificate on Android Devices.

    • The Cato certificate and Client installation files can be downloaded from the Client download portal

  • Internet browser requirements:

    • Use an Internet browser that supports SSL (such as Chrome or Edge)

    • For external authentication, make sure that a default browser is configured in the device OS settings

  • A PPPoE connection is not used. PPPoE is not supported

  • For iOS, Android, and Linux Clients, we recommend that you disable IPv6 on all physical adapters

    • IPv6 is supported for Last Mile Connections on Windows Client v5.11 and higher and macOS Client v5.7 and higher

  • Make sure that the IP addresses for PoPs in the Cato Cloud are allowlisted for any firewalls or similar devices

    For a list of the PoP IP ranges, see: Production PoP Guide

  • On Windows devices, IP forwarding is disabled. For more information, see IP Routing Prevents Windows Client Authentication

  • On macOS devices, no other enterprise VPN is running on the device

  • If Bandwidth Management is used in your account, we recommend the IP address 10.254.254.1 is given at least the same priority as any other address you have added

  • To receive user notifications, notifications must be enabled on the device. For more information, see Creating the Data Control Policy and Managing the Application Control Policy

  • Review the Known Limitations of the Client version. For more information, see Summary of Cato Client Releases

Allowlisting Processes and URLs for the Cato Client

We recommend that you allowlist the following processes and URLs for all security endpoint software and solutions according to the specified OS.

  • All devices

    • vpn.catonetworks.net

    • c-me.catonetworks.net

    • v-me.catonetworks.net

    • sso.catonetworks.com

    • sso.via.catonetworks.com

    • auth.catonetworks.com

    • sso.ias.catonetworks.com

    • localhost - 127.0.0.1 (for the SSO token)

    • client-telemetry.main.prod.k8s.catonet.works

    • https://sso.catonetworks.com/login

    • https://sso.via.catonetworks.com/auth_results

    • https://auth.catonetworks.com/oauth1/broker/code/onelogin

    • https://sso.ias.catonetworks.com/auth_results (for new SDP users with Windows Client v5.1 and higher)

    • https://clients.catonetworks.com/

    • PoP location IP ranges, for more information see the PoP production guide

  • Windows OS

    • CatoClient.exe

    • winvpnclient.cli.exe

    • CatoUpgradeHelper.exe

    • CatoLogCollector.exe

    • LogLevelSetup.exe

    • CatoClient.exe.config

    • wa_3rd_party_host_32.exe

    • wa_3rd_party_host_64.exe

    • For accounts that use a third-party proxy (for both HTTP and HTTPS):

      • IP - 85.255.31.1

      • URL - sso.ias.catonetworks.com

    • https://network-segmentation.catonetworks.com

    • https://ip2location.catonetworks.com/pub/getMyLocation

    • https://tunnel-api.catonetworks.com

  • macOS

    • For accounts that use a third-party proxy (for both HTTP and HTTPS):

      • IP - 85.255.31.1

      • URL - sso.ias.catonetworks.com

    • For accounts that have CrowdStrike installed on devices:

      • /Applications/CatoClient.app/Contents/MacOS/CatoClient

      • /Library/SystemExtensions/*/com.catonetworks.mac.CatoClient.CatoClientSysExtension.systemextension/ Contents/MacOS/com.catonetworks.mac.CatoClient.CatoClientSysExtension

        Note: Replace the "*" with the unique extension ID that is part of that file location

Minimum Supported Device Operating Systems

The following table lists the minimum OS (operating system) versions for each device that supports the Cato Client:

Client Device

Minimum Supported OS

Windows

  • Windows 11

  • Client version 5.9 and lower - Windows 8.1 32-bit and 64-bit - only when all newest updates and patches are installed. (Not supported after Nov. 1st, 2023)

  • Client version 5.10 and higher - Windows 10 32-bit and 64-bit

  • Windows Server 2019, 2016, and 2022

macOS

  • Client version 5.6 and lower - macOS (Big Sur) software version 11

  • Client version 5.7 and higher - macOS (Monterey) software version 12

iOS

iPhone 6 and higher, iOS 15.0

iPadOS

iPadOS 15.0

Android (v5.0 and higher)

Android version 8.1

Linux

Linux Clients are supported for 64-bit OS (X86_64)

(There is a different Client for each Ubuntu OS version)

  • Ubuntu v18 and higher

  • CentOS v9 and higher

  • Fedora v36 and higher

  • Debian v11 and higher

  • Mint v20.3 and higher

  • RHEL 9.0

  • Any systems running glibc 2.31 and higher

Note

Note: The Client does not support operating systems that vendors have declared End of Life.

Installing the Cato Client

The Client can be installed on any supported device. For troubleshooting information see Troubleshooting Scenarios for Issues with the Cato Client.

Installing the Windows Client

The Windows Client can be downloaded from the Client download portal and installed on individual devices by following the installation wizard. You can also download the Client from the Client Rollout page and distribute the Client with an MDM. For more information, see Downloading the Cato Client.

Use one of the following options to install the Windows Client:

  • Run the EXE from the File Explorer

  • Run the EXE file using the command line: <setup_file.exe>

    • In Windows Client versions below 5.5, for silent installation use the command line: <setup_file.exe> /s /x /v"/qn"

    • In Windows Client version 5.5 and above, for silent installation use the command line: <setup_file.exe> /s

  • Run the MSI file using the command line: msiexec /i <setup_file.msi>

    • The MSI installation requires MS .NET framework version 4.6.2 or higher installed

    • Run the MSI command line as an administrator

    Note: /j is not supported

In the installation wizard, there is the option to create a desktop shortcut for the Client. You can prevent users selecting this option with the command line:

msiexec /i <setup_file.msi>CATO_FORCE_DISABLE_DESKTOP_SHORTCUT=1 /qn

Automatically Launching Windows Client after Initial Installation (Client v5.6 and Higher)

To make it easier for users to authenticate to their new device, you can define the Windows registry key to enable the Client to automatically open after the initial installation. Afterwards, the Client behaves according to the settings for your account.

After the registry is changed, the Client automatically opens for the next Windows user that logs in to the device.

To configure the Windows registry to automatically launch the Client:

  1. Go to this location in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN

  2. Define this value:

    • LaunchAuthPageOnStartup=1 (DWORD)

Installing the macOS Client

The macOS Client can be downloaded from the Client download portal and installed on individual devices by following the installation wizard. You can also download the Client from the Client Rollout page and distribute the Client with an MDM. For more information, see Downloading the Cato Client.

To install the macOS Client run the pkg file from Finder.

Installing the Linux Client

For more information about installing the Linux Client, see Installing and Running the Linux Client

Installing the iOS and Android Clients

The iOS and Android Clients can be downloaded from the relevant app store and installed on individual devices or distributed with an MDM.

Understanding the Next Steps After Installing the Client

Once the Client is installed on a device, you can configure features and policies to meet your secure remote access requirements. The features are configured in the Cato Management Application are enforced by the Client. This lets you simply manage and enforce your requirements and ensure the protection of your network.

Understanding Key Client Features and Policies

Here are some key features we recommend you enable. For more information about all the Client features, see the Access documentation.

  • User Awareness: Identify the user signed into the device at any point in time to control user access, and monitor user activity

  • Client Connectivity Policy: To check the posture of devices before they connect to the network

  • Always-On Policy To ensure all traffic always goes through the Cato Cloud and Cato security engines inspect the traffic to ensure it complies with your security policies

Analyzing Client Events 

You view and analyze data from users connecting with the Client from the Remote User Dashboard

Was this article helpful?

3 out of 6 found this helpful

11 comments

Add your comment