Installing the Cato Client

This article provides information about installing the Cato Client. In addition, it also discusses some common connectivity issues for the Client and suggested solutions.

For more information about the features and known limitations for each Client OS and version, see Summary of Cato Client Releases.

Prerequisites for Installing the Cato Client

Before an SDP user can use the Cato Client to connect a device or computer to the Cato Cloud, make sure that they fulfill the following requirements:

  • Install the Client on a device or computer on one of the following supported operating systems (OS):

    • Windows

    • macOS

    • iOS / iPadOS

    • Android

    • Linux

      • Ubuntu

      • Fedora

      • CentOS

      • Debian
        For more information about Minimum Supported Device Operating Systems, see below. 

  • An active SDP user account in the Cato Management Application

    • Manually created

    • User provisioning with LDAP or SCIM

  • The Cato CA certificate is installed on the device or computer

    • For Windows Clients the Cato certificate is automatically added to the Windows certificate store and supports the Chrome and Edge browsers

      You can manually install the Cato certificate for other browsers (such as Firefox), or use an MDM to install it with the browser

    • For macOS Clients, for organizations that use an MDM, the Cato certificate is automatically installed as part of the CA keychain

      Otherwise, the SDP user manually installs the Cato certificate

    • For iOS and Android Clients, the SDP user manually installs the Client or use an MDM to install the certificate with the Client

    • SDP users can get the Cato certificate and Client installation files from the Client download portal

  • Use an Internet browser that supports SSL (such as Chrome or Edge)

  • SDP users enter the following credentials to use the Client to connect to the Cato Cloud:

    • Account Name

    • User Name

    • Password

  • The Cato Cloud only supports IPv4 addresses
    • We recommend that you disable IPv6 on all physical adapters

  • Make sure that the IP addresses for PoPs in the Cato Cloud are allowlisted for any firewalls or similar devices

    For a list of the PoP IP ranges, see: Production PoP Guide

  • ​If Bandwidth Management is used in your account, we recommend the IP address 10.254.254.1 is given at least the same priority as any other address you have added

  • Review the Known Limitations for the Client version. For more information, see Summary of Cato Client Releases

Allowlisting Processes and URLs for the Cato Client

We recommend that you allowlist the following processes and URLs for all security endpoint software and solutions according to the specified OS.

  • All devices

    • vpn.catonetworks.net

    • c-me.catonetworks.net

    • v-me.catonetworks.net

    • sso.catonetworks.com

    • sso.via.catonetworks.com

    • auth.catonetworks.com

    • sso.ias.catonetworks.com

    • client-telemetry.main.prod.k8s.catonet.works

    • localhost - 127.0.0.1 (for the SSO token)

    • https://sso.catonetworks.com/login

    • https://sso.via.catonetworks.com/auth_results

    • https://auth.catonetworks.com/oauth1/broker/code/onelogin

    • https://sso.ias.catonetworks.com/auth_results (for new SDP users with Windows Client v5.1 and higher)

    • https://clients.catonetworks.com/

  • Windows OS

  • macOS

    • For accounts that use a third-party proxy (for both HTTP and HTTPS):

      • IP - 85.255.31.1

      • URL - sso.ias.catonetworks.com

Installing the Windows Client

Use one of the following options to install the Windows Client:

  • Run the EXE file in File Explorer

  • Run the EXE file using the command line: <setup_file.exe>

    • In Windows Client versions below 5.5, for silent installation use the command line: <setup_file.exe> /s /x /v"/qn"

    • In Windows Client version 5.5 and above, for silent installation use the command line: <setup_file.exe> /s

  • Run the MSI file using the command line: msiexec /i <setup_file.msi>

    • The MSI installation requires MS .NET framework installed

    • Run the MSI command line as an administrator

Automatically Launching Windows SDP Client after Initial Installation (v5.6 and Higher)

To make it easier for SDP users to authenticate to their new device, you can define the Windows registry key to enable the Client to automatically open after the initial installation. Afterwards, the Client behaves according to the settings for your account.

After the registry is changed, the Client to automatically opens for the next Windows user that logs in to the device.

To configure the Windows registry to automatically launch the Client:

  1. Go to this location in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN

  2. Define this key:

    • LaunchAuthPageOnStartup=1 (DWORD)

Minimum Supported Device Operating Systems

The following table lists the minimum OS (operating system) versions for each device that supports the Cato Client:

Client Device

Minimum Supported OS

Windows
  • Windows 11
  • Windows 10 32-bit and 64-bit
  • Windows 8.1 32-bit and 64-bit - only when all newest updates and patches are installed. (Not supported after Nov. 1st, 2023) 
  • Windows Server 2019, 2016, and 2022

macOS

macOS (Big Sur) software version 11

iOS

iPhone 6 and higher, iOS 12.0

iPadOS
iPadOS 12.0

Android (v5.0 and higher)

Android version 8.1

Linux

Linux Clients are supported for 64-bit OS (X86_64)

(There is a different Client for each Ubuntu OS version)
  • Ubuntu v18 or higher
  • CentOS v8 and higher
  • Fedora v36 and higher
  • Debian v11 and higher
  • Mint v20.3 and higher

Note

Note: The Client does not support operating systems that vendors have declared End of Life.

Cato Client Connection Process

When a user initiates a connection to Cato Cloud using the Cato Client, it connects using a DTLS tunnel.

The process for how Cato Client connects to Cato Cloud is as follows:

  1. The SDP user enters their credentials and clicks Connect.

  2. Cato Client tries to resolve and connect to vpn.catonetworks.net.

  3. Using geolocation, the Client identifies 10 of the closest PoPs.

  4. The Cato Client queries all 10 PoPs to find out which one has the best connectivity metrics.

  5. The Client then connects directly to the optimal PoP using a DTLS tunnel.

Note

Note: Once the Client is connected to a PoP, it periodically polls the Cato Cloud to see if there is a better connection (based on latency to other PoPs). If the Client finds a PoP with a better connection, it connects to that PoP.

Enhanced Cato Client Connection Process (Windows Client v5.7)

Starting from Windows Client v5.7 and above, the process for how Cato Client connects to Cato Cloud is as follows:

  1. The SDP user enters their credentials and clicks Connect.

  2. Based on a file in Cato's server, the Cato Client is provided with a list of available PoPs.

  3. Using geolocation, the Client identifies 8 of the closest PoPs.

  4. The Cato Client queries all 8 PoPs to find out which one has the best connectivity metrics.

  5. The Client then connects directly to the optimal PoP using a DTLS tunnel.

Troubleshooting Scenarios for Issues with the Cato Client

This section contains some suggestions for troubleshooting common issues with the Cato Client.

Cato Client Conflicts with Third-Party VPN Clients

Challenge

When third-party VPN clients are installed on the same computer as the Cato Client, the third-party drivers can conflict with the Cato Client and override the settings. For example, Cisco AnyConnect can override the DNS settings for the Cato Client.

Solution

Cato Network doesn’t recommend installing the Cato Client and third-party VPN clients on the same computer. Best practice is to uninstall third-party VPN clients and network adapters. It’s important to restart the computer or device after your remove the third-party VPN client.

Antivirus Blocks the Cato Client

Challenge

Antivirus software can identify the Cato VPN Client traffic as malicious and by mistake block the VPN traffic.

Solution

If you determine that the antivirus software on the laptop or device blocks the Cato Client, these are your options to allow the VPN connection:

  • Configure the antivirus settings and create an exception for the Cato Client

  • Contact Cato Networks Support to whitelist the Cato Client for your antivirus

Tip: You can temporarily disable the antivirus software to check if this software is blocking the Cato Client traffic.

Firewall Blocks the Cato Client

Challenge

It's possible that a firewall blocks the specific port that the Client uses to connect to the Cato Cloud.

Solution

There are several types of firewalls that can block the Cato Client from connecting to the Cato Cloud. The following paragraphs describe solutions for each firewall type, use the solution that is applicable for your network.

Network Firewall

Check the network firewall settings and see if it blocks UDP traffic over ports 53 and 443. If it does, add a rule that allows UDP traffic over ports 53 and 443.

Endpoint Firewall

For endpoint computers, you have to make sure that the endpoint firewall agent isn’t blocking the connection. If an endpoint firewall agent is installed on your computer, check the agent settings and see if it’s configured to block UDP traffic over port 53 or 443. We recommend that you contact the agent vendor and ask them to whitelist the Cato Client.

For Windows OS, check the Windows firewall settings and see if it’s configured to block UDP traffic over port 53 or 443. You can also change this default port for the Cato Client from 443 to 1337. For more information about changing the default port, see Configuring a Different UDP Port for Cato Client.

Cato Client IP Range Conflicts with Local Network

Challenge

If your local network uses the same subnet as the Cato VPN IP range, overlapping networks can cause IP conflicts and routing issues. For example, the Cato Clients are unable to connect to the Cato Cloud.

Solution

By default, Cato Networks uses the 10.41.0.0/16 subnet as the VPN range. You can either change the local network IP range, so it doesn't conflict with the Cato VPN IP range. Or you can change the default VPN range in the Cato Management Application (Access > Client Access > IP Range).

The following screenshot shows an example of a custom IP range of 10.43.0.0/16 subnet for VPN users:

range.png

Unable to Access WAN or Internet Resources

Challenge

The Cato Client successfully connects to the Cato Cloud, but users are unable to access WAN or Internet resources over the VPN connection.

Solution

In this situation, the Cato Client has connectivity to the Cato Cloud, but something else is blocking WAN or Internet access. You can check that the following settings are configured correctly in the Cato Management Application:

The Cato WAN or Internet firewall blocks VPN access

The Cato WAN or Internet firewall can block access for Cato Clients to the WAN or internet resource. Check the firewall rulebases in the Cato Management Application (Security > WAN Firewall or Internet Firewall) and make sure that the firewall allows VPN access. For example, does the WAN firewall have a rule that allows VPN users to access the site? The following screenshot shows an example of a Cato WAN firewall rule that allows VPN users to connect to a site in Frankfurt for DNS and HTTPS services:

For more information on the Cato firewall and best practices, see Internet and WAN Firewall Policies – Best Practices .

Unable to resolve DNS

When the DNS settings are misconfigured, then users can’t connect to the network resources. The Cato Management Applications lets you configure DNS settings for the entire account in Network > DNS Settings. You can also configure DNS settings for each site, group, and SDP user.

By default, Cato Networks uses the following DNS servers: primary DNS – 10.254.254.1 and secondary DNS – 8.8.8.8.

If you want to reach an internal resource (WAN) with a local DNS server, make sure that the DNS for your account is configured to use the local DNS. For example, users can only access the internal domain images.mycompany.com if your account is configured with your local DNS server or with DNS Forwarding. Otherwise, there is nothing to resolve the DNS for that address.

For VPN users to connect to an Internet resource, such as www.catonetworks.com, the DNS settings for your account must contain at least one public DNS server. This server allows DNS resolving for the public Internet.

For more information on how to configure the DNS settings for your account, see Configuring DNS Settings for the Account.

Geo-location restrictions block the connectivity

Some Internet content is restricted based on the geographic location of the Cato Client. If you are physically located in a country with limited Internet access, then you can’t access the blocked content from that country.

GPO Rule Blocks Cato Adapter Installation

Challenge

A restrictive GPO policy may block the installation of the Cato Adapter during the installation or upgrade process of the Cato Client. GPO rules such as “Restricted installation of devices not described by policy” may block the adapter installation.

Solution

Allow the GPO policy to permit the installation of the Cato Adapter.

Was this article helpful?

8 comments

Date Votes
Add your comment