Configuring Office Mode

This article describes how to let users enable or disable office mode on their Cato Clients.

Overview of Office Mode

Companies frequently give employees laptops to work from home and the office without changing computers. The Cato Client is installed on the laptops to support working from home, and sometimes the Always On policy is set so that the computer is always connected to the encrypted tunnel.

When a user is working in an office that is behind a Cato Socket or IPsec site, the Client automatically connects to that site without using the encrypted tunnel. This behavior is called office mode. It is enabled by default for all accounts, which means that users can't disable office mode on the Client. Without office mode, the Client establishes an encrypted tunnel behind the site (tunnel-in-tunnel), which may have a negative impact on performance. In addition, if the Client connects to a different PoP than the site, then all the Client's traffic must first route through the PoP that the site is connected to.

With office mode, the Cato Client connects to the Cato Cloud using the tunnel for the site and is treated as a regular host for that site. The Cato Client receives the networking and security settings from the site and avoids a tunnel-in-tunnel.

Sometimes office mode can prevent someone who is visiting a branch office from connecting to resources in a different office, such as the corporate headquarters. You can allow SDP users to configure the Cato Client behavior for office mode.

In Client versions below 5.8, this is an example of the status in the Client, when it is in office mode:

ClientOfficeMode.png

Behavior Changes when Office Mode Is Disabled

This section lists the changes to Client behavior when office mode is disabled for a user.

  • Hosts behind a site always send traffic over the Client tunnel to the Cato Cloud. The traffic isn't visible in the local LAN for the office.

  • When the Client communicates with the local office, the traffic passes over the Internet to the PoP and then back to the local site.

  • The security policy of the Client is applied to the traffic and NOT the policy of the local office.

Using Office Mode with a Private DNS Server

For accounts that use a private DNS server, you must add the following DNS entry to the private DNS server to support Client office mode:

  • vpn.catonetworks.net as IP address 10.254.254.1, 10.254.254.2, or 10.254.254.5 (or the customized reserved service range x.y.z.2 IP address)

In configurations where the private DNS server is located on the local LAN, the static DNS entry and the connectivity over the local LAN mean that SDP users are always identified as being connected with office mode. Even if the site (and the SDP users in office mode) isn't connected to the Cato Cloud, the SDP users are shown as being connected using office mode because they have connectivity to the private DNS server.
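
An added example (not Cato's own tooling): a standard-library Python check that asks a given private DNS server for vpn.catonetworks.net and confirms the answer is one of the addresses listed above. The function names, the status strings and the constructed sample reply are assumptions made for illustration.

```python
import ipaddress
import socket
import struct

NAME = "vpn.catonetworks.net"
DEFAULT_ALLOWED = {"10.254.254.1", "10.254.254.2", "10.254.254.5"}  # from the page

def build_query(name, txid=0x1234):
    # Header: RD flag set, one question; then the QNAME labels, QTYPE=A, QCLASS=IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Step over labels; a compression pointer (top bits 11) is 2 bytes and ends the name.
    while msg[off] and (msg[off] & 0xC0) != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def check_answers(addrs, custom_service_ip=None):
    # custom_service_ip: the x.y.z.2 address of a customized reserved service range.
    allowed = DEFAULT_ALLOWED | ({custom_service_ip} if custom_service_ip else set())
    if not addrs:
        return "MISSING"
    return "OK" if all(a in allowed for a in addrs) else "UNEXPECTED"

def query_server(server, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(NAME), (server, 53))
        return parse_a_records(s.recv(512))

def sample_reply(ip):  # constructed DNS reply with one A record, for offline checks
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query(NAME)[12:] + rr
```

Run check_answers(query_server("<private-dns-server-ip>")) from a host on the office LAN. An OK result confirms only the DNS entry; as described above, it does not show that the site itself is connected to the Cato Cloud.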

Updates to Office Mode From Windows Client Version 5.8

From Windows Client v5.8 and higher, behind a site, the Client connects to Cato automatically in Office Mode without users authenticating. After the Client connects, the Connect button is automatically disabled. 

This update has no impact on Security and User Awareness policies.

For SDP users with Always-On enabled, you can choose to enforce manual authentication in Office Mode. For more information, see Protecting Users with Always-On Security.

Known Limitations

  • Office mode is only supported with a UDP connection.

Enabling Users to Configure Office Mode for the Entire Account

Note: Only supported in Windows Client version 5.6 and earlier.

You can configure the Cato Management Application to enable all the SDP users in the account to choose whether to enable or disable office mode for their Cato Client. By default, these are the settings for the office mode:

  • Status is Disabled (Default global setting) - Office mode is enabled for all users and they can't configure office mode in their specific Clients.

  • Status is Enabled and Value is On - All SDP users in the account can choose to enable or disable office mode for their Client.

  • Status is Enabled and Value is Off - Office mode is enabled for all users and they can't configure office mode in their specific Clients. This functionality is the same as Disabled.

officemode.png

To enable all users in the account to configure office mode settings in the Client:

  1. From the navigation menu, click Assets > Advanced Configuration.

  2. Under Name, click Office Mode.

    The Edit Office Mode panel opens.

  3. Click the slider so that it is colored green to indicate that the setting is enabled.

  4. In the Value drop-down menu, select On to enable users to choose to enable or disable office mode for their Client.

  5. Click Apply. The changes are updated.

  6. Click Save. The office mode settings are configured for the account.

Enabling a Specific User to Configure Office Mode

You can allow specific users to choose to enable or disable office mode in their Client. The settings for the specific users override the global settings for the entire account.

The settings for the office mode are the same as in the previous section.

To configure office mode settings for a specific SDP user:

  1. From the navigation menu, click Access > Users.

  2. Select a user. The General screen opens.

  3. From the navigation menu, click Advanced Configuration.

  4. Under Name, click Office Mode.

    The Edit Office Mode panel opens.

  5. Click the slider so that it is colored green to indicate that the setting is enabled.

  6. In the Value drop-down menu, select On to enable users to choose to enable or disable office mode for their Client.

  7. Click Apply. The changes are updated.

  8. Click Save. The office mode settings are configured for this user.

Disabling and Enabling Office Mode on the Cato Client

The first time that users have the option to enable or disable Office Mode, they must connect the Cato Client and receive the new configuration options.

To enable or disable Office Mode for a Client:

  1. Pull the new settings for the office mode feature to the Client.

    1. If the Client is disconnected from the encrypted tunnel, connect the Client to the VPN.

      The Client pulls the configuration options for this feature (this is done automatically if the Client is already connected to the encrypted tunnel).

    2. Disconnect the Client from the encrypted tunnel.

  2. In the Cato Client, go to the Settings menu.

    The VPN Office Mode option is selected.

  3. To disable VPN office mode, clear the VPN Office Mode option.

  4. Connect the Cato Client to the VPN.
