Configuring Office Mode

This article describes how to let users enable or disable office mode on their Cato Clients.

Overview of Office Mode

Office Mode optimizes Client performance when users with a ZTNA license are physically located in a branch office. It avoids tunnel-within-a-tunnel scenarios by seamlessly routing traffic through the local Socket instead of the Client's encrypted tunnel. This reduces latency and simplifies traffic routing. You can configure Office Mode globally or allow users to enable or disable it manually in the Client.

Use the Advanced Configuration page to manage Office Mode behavior:

  • For all users in the account: go to Resources > Advanced Configuration
  • For an individual user: go to User Configuration > Advanced Configuration

How Office Mode Works

When Office Mode is enabled and the Client detects a direct connection to a Cato Socket at a site:

  • The Client tunnel is bypassed
  • All traffic routes through the site’s Socket
  • The site’s security policy is enforced instead of the Client policy

What Happens When Office Mode Is Disabled

If the user disables Office Mode while connected to the local site:

  • All traffic, including local LAN traffic, is routed through the Client’s encrypted tunnel
  • Local traffic is sent to the PoP and then back to the site, increasing latency
  • The security policy for the user identity is enforced instead of the site policy

Automatic Connection Behind a Site (Windows, macOS, and Linux)

Starting in Windows Client v5.10, macOS v5.11 and Linux Client v5.2:
  • The Client automatically connects behind a site without requiring user authentication
  • The Connect button is disabled while behind the site
  • Office Mode is enforced to avoid redundant tunnels

This simplifies the user experience and enforces consistent routing policies. For more information, see Using Cato Identity Agents for User Awareness.

Using Office Mode with a Private DNS Server

For accounts that use a private DNS server, you must make these configuration changes:

  • Add the following DNS entries to the private DNS server to support Client office mode:

    • vpn.catonetworks.net as IP address 10.254.254.5 (or the customized reserved service range x.y.z.2 IP address)
    • tunnel-api.catonetworks.com as IP address 10.254.254.3 (or the customized reserved service range x.y.z.7 IP address)

    Note: You must also ensure that your firewall is configured to allow traffic to these addresses for Office Mode to function properly.

When the private DNS server is located on the local LAN, the static DNS entries and the connectivity over the local LAN mean that SDP users are always identified as being connected with office mode. Even if the site (and the SDP users in office mode) isn't connected to the Cato Cloud, the SDP users are shown as being connected using office mode, because they still have connectivity to the private DNS server.
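A check that could be run from a workstation that uses the private DNS server, added here as an example (it is not Cato's code). It confirms that the two static A records return the default addresses listed above, and that another name under the same parent domain still resolves, which fails when the local zone was created for the whole parent domain instead of for the two host names. The function names, the canary name and the sample resolver data are assumptions made for this example.

```python
import socket

# Names and default addresses from the article; change the addresses if the
# account uses a customized reserved service range.
EXPECTED = {
    "vpn.catonetworks.net": "10.254.254.5",
    "tunnel-api.catonetworks.com": "10.254.254.3",
}
# Canary (assumption): a name under the same parent domain that must still
# resolve through the private DNS server.
CANARIES = ["support.catonetworks.com"]


def system_resolve(name):
    """Resolve through the OS resolver; return a set of IPv4 strings."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_office_mode_dns(resolve=system_resolve, expected=EXPECTED,
                          canaries=CANARIES):
    """Return a list of findings; an empty list means the records look right."""
    findings = []
    for name, ip in expected.items():
        answers = resolve(name)
        if not answers:
            findings.append(f"{name}: no answer, static A record missing")
        elif answers != {ip}:
            findings.append(f"{name}: got {sorted(answers)}, expected {ip}")
    for name in canaries:
        if not resolve(name):
            findings.append(
                f"{name}: no answer, local zone may cover the whole parent domain")
    return findings


# Constructed resolver tables for an offline run (not real captures).
GOOD = {"vpn.catonetworks.net": {"10.254.254.5"},
        "tunnel-api.catonetworks.com": {"10.254.254.3"},
        "support.catonetworks.com": {"203.0.113.10"}}  # documentation address
# Same records served from a zone created for catonetworks.com itself.
SHADOWED = {k: v for k, v in GOOD.items() if k != "support.catonetworks.com"}

if __name__ == "__main__":
    for label, table in (("good", GOOD), ("shadowed", SHADOWED)):
        print(label, check_office_mode_dns(lambda n, t=table: t.get(n, set())))
```

Calling `check_office_mode_dns()` with no arguments queries the workstation's configured resolver instead of the constructed tables.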

Allowing Users to Configure Office Mode

By default, users cannot enable or disable Office Mode. You can configure this behavior globally or override it per user.

  • Status is Disabled (Default global setting) - Office mode is enabled for all users and they can't configure office mode in their specific Clients.
  • Status is Enabled and Value is On - All SDP users in the account can choose to enable or disable office mode for their Client.
  • Status is Enabled and Value is Off - Office mode is enabled for all users and they can't configure office mode in their specific Clients. This functionality is the same as Disabled.

Global Configuration: Allow Users to Control Office Mode

To allow all users in an account to control Office Mode:

  1. From the navigation menu, select Resources > Advanced Configuration
  2. In the Office Mode Configuration section, configure these fields:

    • Status

      • Disabled – Users cannot change Office Mode, and it is enabled (default)
      • Enabled – Users can control Office Mode, based on the Value field
    • Value

      • On – Office Mode is enabled by default, but users can disable it
      • Off – Users can't disable Office Mode

Per-User Configuration

You can allow individual users to override the global setting.

To configure Office Mode per user:

  1. From the navigation menu, select Users and choose a user.
  2. From the user configuration panel, go to Advanced Configuration.
  3. In the Office Mode Configuration section, configure these fields:

    • Status - set to Enabled
    • Value

      • On – Office Mode is enabled by default, but users can disable it
      • Off – Office Mode is disabled and users cannot enable it

    This setting only applies when the user connects behind a site.

Disabling or Enabling Office Mode in the Client

After the configuration is applied, users can change the setting in the Cato Client.

To enable or disable Office Mode:

  1. Connect the Client to ensure it receives the latest configuration.
  2. If already connected, disconnect and reconnect.
  3. Open the Settings panel in the Client.
  4. Locate the SDP Office Mode option.
  5. Toggle the checkbox to enable or disable Office Mode.
  6. Reconnect the Client to apply the change.

Known Limitations

  • Office mode is only supported with a UDP connection

9 comments

  • Comment author
    Ryoga Jinzai

    I remember there used to be a description in Office Mode as follows: 

     In client version 5.11 and later, Office mode requires communication to 54.76.219.86 via CatoCloud.

    It seems that this description has been removed from the knowledge base. Has this requirement been removed?

  • Comment author
    Michael Goldberg
    • Edited

    Hi Ryoga Jinzai,

    This is no longer a requirement 

  • Comment author
    Armand Persin

    rather than specific users, user groups would be better as an extra option

  • Comment author
    Yaakov Simon

    Armand Persin  Good suggestion - please open an RFE

  • Comment author
    Ross Barrett

    Please tell me I'm reading this wrong.   OK, so you define catonetworks.com and catonetworks.net on your internal DNS server so that you can add A records for vpn.catonetworks.net and tunnel-api.catonetworks.com.  Great.  Now you try to go to support.catonetworks.com to open a ticket, but you don't get DNS resolution for the site.  You can't access the knowledgebase, open a ticket or ever login to the CATO cloud management site.  Why, because you have told your Internal DNS server that it is authoritative for catonetworks.com but you don't have all of the other DNS entries for that domain.  This is ridiculously poor design.  At the very least they could have used an alternate domain for this test so that it doesn't kill resolution for their main domain. As it sits, you have to use a third DNS server to lookup the IP addresses of support.catonetworks.com, auth.catonetworks.com, yoursite.catonetworks.com and duplicate them in the local server domain.  What happens if CATO changes IP addresses on part of their network?  This can't be right.

  • Comment author
    Andrew Story

    Hello Ross, here's what we configure on our internal DNS, two distinct zones with the respective A records and it works fine - might be of use to you.  Don't add in the Zone catonetworks.com, or you will observe the issue you've highlighted above.

     

     

    Thanks, Andy

  • Comment author
    Ross Barrett

    That's better than the alternative but it still seems like a horrible design.

  • Comment author
    Earnest Praveen Ravi Kumar

    How often does a client check DNS resolution for “vpn.catonetworks.net” and “tunnel-api.catonetworks.net” to identify whether the user is in the office or not?

  • Comment author
    Eliran Zango

    Earnest Praveen Ravi Kumar 

    Checks for vpn.catonetworks.net happen once per connection attempt (legacy mechanism).

    Checks for tunnel-api.catonetworks.com happen once during pre-connection preflight, and then periodically - every 10s for the first 10 queries after a network change, then every 60s. The periodic check also triggers immediately on network changes and wake from sleep.