This article explains how to install the Cato Client. It also discusses some common connectivity issues for the Client and suggested solutions.
For more information about the features and known limitations for each Client OS and version, see Summary of Cato Client Releases.
Before an SDP user can use the Cato Client to connect a device or computer to the Cato Cloud, make sure that they fulfill the following requirements:
- Install the Client on a device or computer on one of the following supported operating systems (OS):
  - Windows
  - macOS
  - iOS / iPadOS
  - Android
  - Linux
    - Ubuntu
    - Fedora
    - CentOS
    - Debian
  For more information about Minimum Supported Device Operating Systems, see below.
- An active SDP user account in the Cato Management Application
  - Manually created
  - User provisioning with LDAP or SCIM
- The Cato CA certificate is installed on the device or computer
  - For Windows Clients, the Cato certificate is automatically added to the Windows certificate store and supports the Chrome and Edge browsers
    You can manually install the Cato certificate for other browsers (such as Firefox), or use an MDM to install it with the browser
  - For macOS Clients, for organizations that use an MDM, the Cato certificate is automatically installed as part of the CA keychain
    Otherwise, the SDP user manually installs the Cato certificate
  - For iOS and Android Clients, the SDP user manually installs the Client or uses an MDM to install the certificate with the Client
  - SDP users can get the Cato certificate and Client installation files from the Client download portal
- Use an Internet browser that supports SSL (such as Chrome or Edge)
- SDP users enter the following credentials to use the Client to connect to the Cato Cloud:
  - Account Name
  - User Name
  - Password
- The Cato Cloud only supports IPv4 addresses
  - We recommend that you disable IPv6 on all physical adapters
- Make sure that the IP addresses for PoPs in the Cato Cloud are allowlisted for any firewalls or similar devices
  For a list of the PoP IP ranges, see: Production PoP Guide
  - If Bandwidth Management is used in your account, we recommend that the IP address 10.254.254.1 is given at least the same priority as any other address you have added
- Review the Known Limitations for the Client version. For more information, see Summary of Cato Client Releases
We recommend that you allowlist the following processes and URLs for all security endpoint software and solutions according to the specified OS.
- All devices
  - vpn.catonetworks.net
  - c-me.catonetworks.net
  - v-me.catonetworks.net
  - sso.catonetworks.com
  - sso.via.catonetworks.com
  - auth.catonetworks.com
  - sso.ias.catonetworks.com
  - client-telemetry.main.prod.k8s.catonet.works
  - localhost - 127.0.0.1 (for the SSO token)
  - https://sso.catonetworks.com/login
  - https://sso.via.catonetworks.com/auth_results
  - https://auth.catonetworks.com/oauth1/broker/code/onelogin
  - https://sso.ias.catonetworks.com/auth_results (for new SDP users with Windows Client v5.1 and higher)
  - https://clients.catonetworks.com/
- Windows OS
  - CatoClient.exe
  - winvpnclient.cli.exe
  - CatoUpgradeHelper.exe
  - CatoLogCollector.exe
  - LogLevelSetup.exe
  - CatoClient.exe.config
  - For accounts that use a third-party proxy (for both HTTP and HTTPS):
    - IP - 85.255.31.1
    - URL - sso.ias.catonetworks.com
  - From v5.7 and higher:
    - https://network-segmentation.catonetworks.com
    - https://tunnel-api.catonetworks.com
- macOS
  - For accounts that use a third-party proxy (for both HTTP and HTTPS):
    - IP - 85.255.31.1
    - URL - sso.ias.catonetworks.com
Use one of the following options to install the Windows Client:
- Run the EXE file in File Explorer
- Run the EXE file using the command line: <setup_file.exe>
  - In Windows Client versions below 5.5, for silent installation use the command line: <setup_file.exe> /s /x /v"/qn"
  - In Windows Client version 5.5 and above, for silent installation use the command line: <setup_file.exe> /s
- Run the MSI file using the command line: msiexec /i <setup_file.msi>
  - The MSI installation requires that the MS .NET Framework is installed
  - Run the MSI command line as an administrator
To make it easier for SDP users to authenticate to their new device, you can define the Windows registry key to enable the Client to automatically open after the initial installation. Afterwards, the Client behaves according to the settings for your account.
After the registry is changed, the Client automatically opens for the next Windows user that logs in to the device.
The following table lists the minimum OS (operating system) versions for each device that supports the Cato Client:
Client Device | Minimum Supported OS
Windows |
macOS | macOS (Big Sur) software version 11
iOS | iPhone 6 and higher, iOS 12.0
iPadOS | iPadOS 12.0
Android (v5.0 and higher) | Android version 8.1
Linux: Linux Clients are supported for 64-bit OS (X86_64) (There is a different Client for each Ubuntu OS version) |
Note: The Client does not support operating systems that vendors have declared End of Life.
Cato Client Connection Process
When a user initiates a connection to Cato Cloud using the Cato Client, it connects using a DTLS tunnel.
The process for how Cato Client connects to Cato Cloud is as follows:
- The SDP user enters their credentials and clicks Connect.
- Cato Client tries to resolve and connect to vpn.catonetworks.net.
- Using geolocation, the Client identifies 10 of the closest PoPs.
- The Cato Client queries all 10 PoPs to find out which one has the best connectivity metrics.
- The Client then connects directly to the optimal PoP using a DTLS tunnel.
Note: Once the Client is connected to a PoP, it periodically polls the Cato Cloud to see if there is a better connection (based on latency to other PoPs). If the Client finds a PoP with a better connection, it connects to that PoP.
Starting from Windows Client v5.7 and above, the process for how Cato Client connects to Cato Cloud is as follows:
- The SDP user enters their credentials and clicks Connect.
- Based on a file on Cato's server, the Cato Client is provided with a list of available PoPs.
- Using geolocation, the Client identifies 8 of the closest PoPs.
- The Cato Client queries all 8 PoPs to find out which one has the best connectivity metrics.
- The Client then connects directly to the optimal PoP using a DTLS tunnel.
This section contains some suggestions for troubleshooting common issues with the Cato Client.
Challenge
When third-party VPN clients are installed on the same computer as the Cato Client, the third-party drivers can conflict with the Cato Client and override the settings. For example, Cisco AnyConnect can override the DNS settings for the Cato Client.
Solution
Cato Networks doesn’t recommend installing the Cato Client and third-party VPN clients on the same computer. Best practice is to uninstall third-party VPN clients and network adapters. It’s important to restart the computer or device after you remove the third-party VPN client.
Challenge
Antivirus software can mistakenly identify the Cato VPN Client traffic as malicious and block the VPN traffic.
Solution
If you determine that the antivirus software on the laptop or device blocks the Cato Client, these are your options to allow the VPN connection:
- Configure the antivirus settings and create an exception for the Cato Client
- Contact Cato Networks Support to whitelist the Cato Client for your antivirus
Tip: You can temporarily disable the antivirus software to check if this software is blocking the Cato Client traffic.
Challenge
It's possible that a firewall blocks the specific port that the Client uses to connect to the Cato Cloud.
Solution
There are several types of firewalls that can block the Cato Client from connecting to the Cato Cloud. The following paragraphs describe solutions for each firewall type; use the solution that is applicable for your network.
Network Firewall
Check the network firewall settings and see if it blocks UDP traffic over ports 53 and 443. If it does, add a rule that allows UDP traffic over ports 53 and 443.
Endpoint Firewall
For endpoint computers, you have to make sure that the endpoint firewall agent isn’t blocking the connection. If an endpoint firewall agent is installed on your computer, check the agent settings and see if it’s configured to block UDP traffic over port 53 or 443. We recommend that you contact the agent vendor and ask them to whitelist the Cato Client.
For Windows OS, check the Windows firewall settings and see if it’s configured to block UDP traffic over port 53 or 443. You can also change this default port for the Cato Client from 443 to 1337. For more information about changing the default port, see Configuring a Different UDP Port for Cato Client.
Challenge
If your local network uses the same subnet as the Cato VPN IP range, overlapping networks can cause IP conflicts and routing issues. For example, the Cato Clients are unable to connect to the Cato Cloud.
Solution
By default, Cato Networks uses the 10.41.0.0/16 subnet as the VPN range. You can either change the local network IP range so that it doesn't conflict with the Cato VPN IP range, or change the default VPN range in the Cato Management Application (Access > Client Access > IP Range).
For example, you can configure a custom IP range of 10.43.0.0/16 for VPN users.
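The overlap check behind this solution, as an added example that is not part of the original article or of Cato's tooling: it tests local networks against the default VPN range 10.41.0.0/16 and proposes a /16 that does not conflict. The function names, the sample networks, and the choice to skip the /16 that contains 10.254.254.1 are assumptions of this example.

```python
import ipaddress

# Values taken from the article: default Cato VPN range and default primary DNS.
DEFAULT_VPN_RANGE = "10.41.0.0/16"
CATO_DNS = "10.254.254.1"

# Constructed sample: addresses/prefixes as an interface or route listing would show them.
SAMPLE_LOCAL = ["192.168.1.10/24", "10.41.8.0/22", "10.0.0.0/12", "fe80::1/64"]


def find_conflicts(local_cidrs, vpn_range=DEFAULT_VPN_RANGE):
    """Return (IPv4 networks overlapping vpn_range, IPv6 networks found)."""
    vpn = ipaddress.ip_network(vpn_range)
    overlaps, ipv6 = [], []
    for cidr in local_cidrs:
        # strict=False accepts interface-style input such as 192.168.1.10/24
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 6:
            ipv6.append(net)  # reported separately: the Cato Cloud only supports IPv4
        elif net.overlaps(vpn):
            overlaps.append(net)
    return overlaps, ipv6


def suggest_vpn_range(local_cidrs):
    """First 10.x.0.0/16 that overlaps no local IPv4 network.

    Skipping the /16 that holds the Cato DNS address is an assumption
    made by this example, not a documented requirement.
    """
    local = [ipaddress.ip_network(c, strict=False) for c in local_cidrs]
    local = [n for n in local if n.version == 4]
    dns = ipaddress.ip_address(CATO_DNS)
    for candidate in ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=16):
        if dns in candidate:
            continue
        if not any(candidate.overlaps(n) for n in local):
            return candidate
    return None  # e.g. the local network is all of 10.0.0.0/8


if __name__ == "__main__":
    overlaps, ipv6 = find_conflicts(SAMPLE_LOCAL)
    print("Overlaps default VPN range:", [str(n) for n in overlaps])
    print("IPv6 networks present:", [str(n) for n in ipv6])
    print("Candidate custom VPN range:", suggest_vpn_range(SAMPLE_LOCAL))
```
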
Challenge
The Cato Client successfully connects to the Cato Cloud, but users are unable to access WAN or Internet resources over the VPN connection.
Solution
In this situation, the Cato Client has connectivity to the Cato Cloud, but something else is blocking WAN or Internet access. You can check that the following settings are configured correctly in the Cato Management Application:
The Cato WAN or Internet firewall can block access for Cato Clients to the WAN or Internet resource. Check the firewall rulebases in the Cato Management Application (Security > WAN Firewall or Internet Firewall) and make sure that the firewall allows VPN access. For example, does the WAN firewall have a rule that allows VPN users to access the site? An example is a Cato WAN firewall rule that allows VPN users to connect to a site in Frankfurt for DNS and HTTPS services.
For more information on the Cato firewall and best practices, see Internet and WAN Firewall Policies – Best Practices.
When the DNS settings are misconfigured, users can’t connect to the network resources. The Cato Management Application lets you configure DNS settings for the entire account in Network > DNS Settings. You can also configure DNS settings for each site, group, and SDP user.
By default, Cato Networks uses the following DNS servers: primary DNS – 10.254.254.1 and secondary DNS – 8.8.8.8.
If you want to reach an internal resource (WAN) with a local DNS server, make sure that the DNS for your account is configured to use the local DNS. For example, users can only access the internal domain images.mycompany.com if your account is configured with your local DNS server or with DNS Forwarding. Otherwise, there is nothing to resolve the DNS for that address.
For VPN users to connect to an Internet resource, such as www.catonetworks.com, the DNS settings for your account must contain at least one public DNS server. This server allows DNS resolving for the public Internet.
For more information on how to configure the DNS settings for your account, see Configuring DNS Settings for the Account.
Some Internet content is restricted based on the geographic location of the Cato Client. If you are physically located in a country with limited Internet access, then you can’t access the blocked content from that country.
GPO Rule Blocks Cato Adapter Installation
Challenge
A restrictive GPO policy may block the installation of the Cato Adapter during the installation or upgrade process of the Cato Client. GPO rules such as “Restricted installation of devices not described by policy” may block the adapter installation.
Solution
Change the GPO policy to permit the installation of the Cato Adapter.
8 comments
Added details for the allowlist requirements to install the Client
Removed incorrect limitation for connecting over PPPoE
Added limitation for Intel Killer wireless NIC for Windows Clients v4.7 and higher
Added Minimum Supported Device Operating Systems to this article
Added minimum supported device OS for Android Client (v5.0 and higher)
Added information about the Cato certificate automatically installed for Windows and macOS Clients
For Windows v5.6, added Automatically Launching Windows SDP Client after Initial Installation (v5.6 and Higher)
Updated after end of life for Windows and macOS Clients earlier than v5.0