This article describes how to let users enable or disable office mode on their Cato Clients.
Companies frequently give employees laptops to work from home and the office without changing computers. The Cato Client is installed on the laptops to support working from home, and sometimes the Always On policy is set so that the computer is always connected to the encrypted tunnel.
When a user is working in an office that is behind a Cato Socket or IPsec site, the Client automatically connects to that site without using the encrypted tunnel. This behavior is called office mode. It is enabled by default for all accounts, which means that users can't disable office mode on the Client. Without office mode, the Client establishes an encrypted tunnel behind the site (tunnel-in-tunnel) and may experience a negative impact on performance. In addition, if the Client connects to a different PoP than the site, then all the Client's traffic must first route through the PoP that the site is connected to.
With office mode, the Cato Client connects to the Cato Cloud using the tunnel for the site and is treated as a regular host for that site. The Cato Client receives the networking and security settings from the site and prevents using a tunnel-in-tunnel.
Sometimes office mode can prevent someone who is visiting a branch office from connecting to resources in a different office, such as the corporate headquarters. You can choose to enable SDP users to configure the Cato Client behavior for office mode.
This is an example of the status in the Client, when it is in office mode:
This section lists the changes to Client behavior when office mode is disabled for a user.
- Hosts behind a site always send traffic over the Client tunnel to the Cato Cloud. The traffic isn't visible in the local LAN for the office.
- When the Client communicates with the local office, the traffic passes over the Internet to the PoP and then back to the local site.
- The security policy of the Client is applied to the traffic and NOT the policy of the local office.
For accounts that use a private DNS server, you must add the following DNS entries to the private DNS server to support Client office mode:
- vpn.catonetworks.net as IP address 10.254.254.5 (or the customized reserved service range x.y.z.2 IP address)
- tunnel-api.catonetworks.com as IP address 10.254.254.3 (or the customized reserved service range x.y.z.7 IP address)
For configurations where the private DNS server is located on the local LAN, the static DNS entry and the connectivity over the local LAN mean that the SDP users are always identified as being connected with office mode. Even if the site (and the SDP users in office mode) isn't connected to the Cato Cloud, the SDP users still have connectivity to the private DNS server, so they are shown as being connected using office mode.
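One way to confirm that the private DNS server serves both entries, run from a host that uses that server. This is an added example, not Cato's own tooling; the function names and the sample answers are hypothetical, and only the two host names and default addresses come from this article.

```python
import socket

# Names and default addresses exactly as listed in this article. For a
# customized reserved service range, pass your own mapping as `expected`.
OFFICE_MODE_RECORDS = {
    "vpn.catonetworks.net": "10.254.254.5",
    "tunnel-api.catonetworks.com": "10.254.254.3",
}

# Constructed sample answers: the second name has no static entry on the
# private DNS server, so a documentation address (203.0.113.10) comes back.
SAMPLE_ANSWERS = {
    "vpn.catonetworks.net": ["10.254.254.5"],
    "tunnel-api.catonetworks.com": ["203.0.113.10"],
}


def system_resolver(name):
    """Return the IPv4 addresses the host's configured DNS gives for name."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_office_mode_dns(resolve=system_resolver, expected=None):
    """Return {name: problem} for each entry that is missing or mismatched."""
    expected = OFFICE_MODE_RECORDS if expected is None else expected
    problems = {}
    for name, want in expected.items():
        got = set(resolve(name))
        if not got:
            problems[name] = "no A record returned"
        elif got != {want}:
            problems[name] = f"expected {want}, got {', '.join(sorted(got))}"
    return problems


if __name__ == "__main__":
    # Offline demonstration against the constructed sample answers.
    print(check_office_mode_dns(lambda n: SAMPLE_ANSWERS.get(n, [])))
    # Live check against whatever DNS server this host is configured to use.
    for name, problem in check_office_mode_dns().items():
        print(f"FAIL {name}: {problem}")
```

An empty result only shows that the static entries are being served; as described above, it does not show that the site is connected to the Cato Cloud.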
Note: Supported on Windows Client v5.8 and Linux Client v5.2
This update has no impact on Security and User Awareness policies.
For SDP users with Always-On enabled, you can choose to enforce manual authentication in Office Mode. For more information, see Protecting Users with Always-On Security.
On the Monitoring > Topology page, Clients that are connected with the updated Office Mode are not counted as Connected SDP Users.
You can configure the Cato Management Application to enable all the SDP users in the account to choose whether to enable or disable office mode for their Cato Client. By default, these are the settings for the office mode:
- Status is Disabled (Default global setting) - Office mode is enabled for all users and they can't configure office mode in their specific Clients.
- Status is Enabled and Value is On - All SDP users in the account can choose to enable or disable office mode for their Client.
- Status is Enabled and Value is Off - Office mode is enabled for all users and they can't configure office mode in their specific Clients. This functionality is the same as Disabled.
To enable all users in the account to configure office mode settings in the Client:
- From the navigation menu, click Administration > Advanced Configuration.
- Under Name, click Office Mode. The Edit Office Mode panel opens.
- Click the slider so that it is colored green to indicate that the setting is enabled.
- In the Value drop-down menu, select On to enable users to choose to enable or disable office mode for their Client.
- Click Apply. The changes are updated.
- Click Save. The office mode settings are configured for the account.
You can configure specific users so that they can choose to enable or disable office mode in their Client. The settings for the specific users override the global settings for the entire account.
The settings for the office mode are the same as the previous section.
To configure office mode settings for a specific SDP user:
- From the navigation menu, click Access > Users.
- Select a user. The General screen opens.
- From the navigation menu, click Advanced Configuration.
- Under Name, click Office Mode. The Edit Office Mode panel opens.
- Click the slider so that it is colored green to indicate that the setting is enabled.
- In the Value drop-down menu, select On to enable users to choose to enable or disable office mode for their Client.
- Click Apply. The changes are updated.
- Click Save. The office mode settings are configured for this user.
The first time that users have the option to enable or disable Office Mode, they must connect the Cato Client and receive the new configuration options.
To enable or disable Office Mode for a Client:
- Pull the new settings for the office mode feature to the Client.
  - If the Client is disconnected from the encrypted tunnel, connect the Client to the network. The Client pulls the configuration options for this feature (this is done automatically if the Client is already connected to the encrypted tunnel).
  - Disconnect the Client from the encrypted tunnel.
- In the Cato Client, go to the Settings menu. The SDP Office Mode option is selected.
- To disable office mode, clear the SDP Office Mode option.
- Connect the Cato Client to the network.
2 comments
I remember there used to be a description in Office Mode as follows:
In client version 5.11 and later, Office mode requires communication to 54.76.219.86 via CatoCloud.
It seems that this description has been removed from the knowledge base. Has this requirement been removed?
Hi Ryoga Jinzai,
This is no longer a requirement.