Cato Networks Knowledge Base

Configuring VPN Office Mode


This article describes how to let users enable or disable VPN office mode on their Cato Clients.

Overview of VPN Office Mode

Companies frequently give employees laptops to work from home and the office without changing computers. The Cato Client is installed on the laptops to support working from home, and sometimes the Never Off policy is set so that the computer is always connected to the VPN.

When a user is working in an office that is behind a Cato Socket or IPsec site, the Client automatically connects to that site without using the VPN. This behavior is called VPN office mode. It is enabled by default for all accounts, which means that, by default, users can't disable office mode on the Client. Without office mode, the Client establishes a VPN tunnel behind the site (tunnel-in-tunnel), which may have a negative impact on performance. In addition, if the Client connects to a different PoP than the site, then all the Client's traffic must first route through the PoP that the site is connected to.

With office mode, the Cato Client connects to the Cato Cloud using the tunnel for the site and is treated as a regular host for that site. The Cato Client receives the networking and security settings from the site and avoids a VPN tunnel-in-tunnel.

Sometimes office mode can prevent someone who is visiting a branch office from connecting to resources in a different office, such as the corporate headquarters. You can let SDP users configure the Cato Client behavior for VPN office mode.

Behavior Changes when VPN Office Mode Is Disabled

This section lists the changes to Client behavior when VPN office mode is disabled for a user.

  • Hosts behind a site always send traffic over the Client tunnel to the Cato Cloud. The traffic isn't visible in the local LAN for the office.

  • When the Client communicates with the local office, the traffic passes over the Internet to the PoP and then back to the local site.

  • The security policy of the Client is applied to the traffic and NOT the policy of the local office.

Using Office Mode with a Private DNS Server

For accounts that use a private DNS server, you must add the following DNS entry to the private DNS server to support VPN Client office mode:

  • vpn.catonetworks.net as IP address 10.254.254.5 (or the customized reserved service range x.y.z.2 IP address)
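To confirm the record after adding it, the following check queries the private DNS server directly and compares the answer with the expected address. This is an added example, not Cato tooling; it assumes `dig` is installed and that a customized reserved service range is written as x.y.z.0/NN, and the function names and the server address in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: verify the office-mode record on a private DNS server.
OFFICE_MODE_NAME="vpn.catonetworks.net"
DEFAULT_OFFICE_MODE_IP="10.254.254.5"   # default address given in the article

# expected_office_mode_ip [CUSTOM_RANGE]
# No argument: print the default address. With a customized reserved service
# range (assumed format x.y.z.0/NN): print the x.y.z.2 address.
expected_office_mode_ip() {
  if [ -z "${1:-}" ]; then
    echo "$DEFAULT_OFFICE_MODE_IP"
    return 0
  fi
  net=${1%%/*}      # strip the /NN prefix length
  prefix=${net%.*}  # keep the first three octets, x.y.z
  case "$prefix" in
    *[!0-9.]*|*.*.*.*|.*|*.|*..*) echo "invalid range: $1" >&2; return 2 ;;
    *.*.*) echo "$prefix.2" ;;
    *) echo "invalid range: $1" >&2; return 2 ;;
  esac
}

# check_office_mode_dns SERVER [CUSTOM_RANGE]
# Asks SERVER itself (not the system resolver) for the A record and requires
# the answer to be exactly the expected address. Returns 0 on a match,
# 1 on a missing or wrong record, 2 on a malformed CUSTOM_RANGE.
check_office_mode_dns() {
  server=$1
  want=$(expected_office_mode_ip "${2:-}") || return 2
  # A timeout or unreachable server makes dig exit non-zero: treat as no answer.
  got=$(dig +short +time=3 +tries=1 "@$server" "$OFFICE_MODE_NAME" A) || got=""
  if [ -z "$got" ]; then
    echo "FAIL: $server returned no A record for $OFFICE_MODE_NAME (want $want)"
    return 1
  fi
  if [ "$got" != "$want" ]; then
    # Extra lines (a CNAME or a second A record) also count as a mismatch.
    echo "FAIL: $server answers [$(echo "$got" | tr '\n' ' ')] (want only $want)"
    return 1
  fi
  echo "OK: $server resolves $OFFICE_MODE_NAME to $want"
}

# Usage (hypothetical private DNS server address and custom range):
#   check_office_mode_dns 10.0.0.53
#   check_office_mode_dns 10.0.0.53 10.200.1.0/24
```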

Known Limitations

Configuring Office Mode in the Cato Client - When you configure a user in the Cato Management Application as Never-Off, the VPN Office Mode option isn’t available in the Client, and VPN office mode is always enabled.


Enabling Users to Configure VPN Office Mode for the Entire Account

You can configure the Cato Management Application Global Setting to let all the SDP users in the account choose whether to enable or disable office mode for their Cato Client. These are the settings for VPN office mode:

  • Status is Disabled (Default global setting) - Office mode is enabled for all users and they can't configure VPN office mode in their specific Clients.

  • Status is Enabled and Value is On - All SDP users in the account can choose to enable or disable VPN office mode for their Client.

  • Status is Enabled and Value is Off - Office mode is enabled for all users and they can't configure office mode in their specific Clients. This functionality is the same as Disabled.

To enable all users in the account to configure office mode settings in the Client:

  1. From the navigation menu, click Assets > Advanced Configuration.

  2. Under Name, click VPN Office Mode.

    The Edit VPN Office Mode panel opens.

  3. Click the slider so that it is colored green to indicate that the setting is enabled.

  4. In the Value drop-down menu, select On to let users choose to enable or disable VPN office mode for their Client.

  5. Click Apply. The changes are updated.

  6. Click Save. The office mode settings are configured for the account.

Enabling a Specific User to Configure VPN Office Mode

You can let specific users choose to enable or disable VPN office mode in their Client. The settings for the specific users override the global settings for the entire account.

The settings for VPN Office Mode are the same as in the previous section.

To configure Office Mode settings for a specific SDP user:

  1. From the navigation menu, click Access > Users.

  2. Select a user. The General window opens.

  3. From the navigation menu, click Advanced Configuration.

  4. Under Name, click VPN Office Mode.

    The Edit VPN Office Mode panel opens.

  5. Click the slider so that it is colored green to indicate that the setting is enabled.

  6. In the Value drop-down menu, select On to let users choose to enable or disable VPN office mode for their Client.

  7. Click Apply. The changes are updated.

  8. Click Save. The office mode settings are configured for this user.

Disabling and Enabling VPN Office Mode on the Cato Client

The first time that users have the option to enable or disable VPN Office Mode, they must connect the Cato Client and receive the new configuration options.

To enable or disable VPN Office Mode for a Cato Client:

  1. Pull the new settings for the VPN office mode feature to the Cato Client.

    1. If the Client is disconnected from the VPN, connect the Client to the VPN.

      The Client pulls the configuration options for this feature (this is done automatically if the client is already connected to the VPN).

    2. Disconnect the Cato Client from the VPN.

  2. In the Cato Client, go to the Settings menu.

    The VPN Office Mode option is selected.

  3. To disable VPN office mode, clear the VPN Office Mode option.

  4. Connect the Cato Client to the VPN.
