Cato Networks Knowledge Base

Configuring Always-On for SDP Users


This article explains how to define the Always-On policy, which determines whether the supported Cato Clients are required to always connect to the Cato Cloud.

Always-On Overview

Always-On lets you implement connectivity requirements for SDP users. When the Client is connected to the Cato Cloud, all traffic passes through the secure tunnel and is inspected by the security services for your account in the Cato Cloud.

You can define a separate policy for each operating system that determines whether the Clients for that OS are required to always connect to the Cato Cloud. In addition, you can customize Always-On for specific users.

Always-On Policy Limitations

  • Always-On is not supported for Linux Clients

  • Always-On with SSO authentication is supported for the following versions (and higher):

    • Windows Client v5.3

    • macOS Client v5.0

    • iOS Client v5.0

    • Android Client v5.0

Working with Always-On and SSO

For accounts that use Single Sign-On authentication for SDP users, you can also configure the supported Clients to always remain connected to the Cato Cloud (Always-On). This configuration provides SDP users with the simplicity of SSO and the security of Always-On.

Note: We recommend that you enable the Bypass Code feature to help users who can't authenticate to the Client. Otherwise, the unauthenticated device can't connect to the Internet or the Cato Cloud.

Implementing Always-On and SSO

This section contains best practices and recommendations for implementing Always-On with SSO in your account.

  • Start with enabling Always-On and SSO for a small number of users (see Customizing Always-On for Specific SDP Users below) to minimize the impact on your account

  • Review bypass events to monitor the usage of bypass codes in your organization

  • Since unauthenticated users don't have Internet connectivity, make sure that SDP users can log in to the device without relying on the Internet

  • Make sure that all the Clients are updated to the minimum supported version for the relevant OS

  • For deployments that use a third-party proxy, only In-Client Browser Authentication is supported for Always-On and SSO (for more about Browser Authentication, see Configuring the Authentication Policy for Cato Clients)

Configuring Always-On for Windows for the Account

Configure the account settings for the Always-On policy and define the requirements for the Windows Clients to connect to the Cato Cloud.

When you enable the Connect on boot option, the Client automatically establishes the tunnel to the Cato Cloud while the Windows OS is starting on the device. The user can still choose to disconnect and reconnect the Client whenever they need to.

For additional security, you can enable the Always-On option to require that the Windows SDP Client always remains connected. The user can't disconnect from the secure tunnel, but an admin can give a temporary bypass code to users.


To configure Always-On for Windows:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Always-On section.

  3. Select Windows: Connect on boot, to require that the Client always starts with the computer.

  4. (Optional) Select Start minimized, to minimize the Client to the system tray.

  5. Select Always-On, to require that the Client is always connected to the Cato Cloud.

  6. Click Save.

    Always-On is configured for the Windows Clients in your account.

Temporarily Disconnecting the Client with a Bypass Code

The Bypass code option provides a code to let users temporarily disconnect the Clients that support Always-On. For example, a user might need to temporarily access a website that is blocked by your firewall policy.

This option generates a one-time password (OTP) in the Cato Management Application that you can give to any SDP user to let them temporarily disconnect the Client for up to 15 minutes at a time. Each code can be valid for up to 15 minutes.

In addition, you can use an authentication app (such as Google Authenticator) to scan the QR code on this screen. Then you can always get an OTP for SDP users from the authentication app. The authentication app refreshes the code every 30 seconds, so each code is only valid for 30 seconds.

You can use the same bypass code for multiple users, as long as the code is still valid.
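As an added illustration (not Cato's code, and not a description of how the Cato Management Application or the Client actually generate or check bypass codes), the following Python models the two validity windows above as RFC 6238 TOTP steps: a 30-second step like an authenticator app, and a 900-second step for the 15-minute case. The Base32 secret is a constructed demo value; the `skew_steps` tolerance and the 900-second step are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in Base32, the form an authenticator app imports from a QR code.
# It decodes to the ASCII seed "12345678901234567890" used by the RFC 4226/6238 test vectors.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
AUTH_APP_STEP = 30      # seconds: an authenticator app rotates the code every 30 s
MANAGEMENT_STEP = 900   # seconds: assumed step modelling the 15-minute validity window

def demo_secret() -> bytes:
    """Decode the Base32 demo seed into the raw HMAC key."""
    return base64.b32decode(DEMO_SECRET_B32)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = AUTH_APP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, at // step)

def verify_bypass_code(secret: bytes, code: str, at: int,
                       step: int = AUTH_APP_STEP, skew_steps: int = 0) -> bool:
    """Check a submitted code at time 'at'. skew_steps > 0 also accepts the neighbouring
    steps to tolerate clock drift, which lengthens the effective validity window."""
    if len(code) != 6 or not code.isdigit():
        return False
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-skew_steps, skew_steps + 1))

def seconds_remaining(at: int, step: int) -> int:
    """How long the code shown at time 'at' stays valid with skew_steps = 0."""
    return step - (at % step)

if __name__ == "__main__":
    secret = demo_secret()
    now = int(time.time())
    print("authenticator-style code now:", totp(secret, now),
          "valid for another", seconds_remaining(now, AUTH_APP_STEP), "s")
    # A 30-second code issued at t=59 is rejected one second later (new step),
    # while a 900-second-step code issued at t=0 is still accepted at t=899.
    print(verify_bypass_code(secret, totp(secret, 59), 60))                                   # False
    print(verify_bypass_code(secret, totp(secret, 0, MANAGEMENT_STEP), 899, MANAGEMENT_STEP))  # True
```

Because the code depends only on the shared secret and the clock, anyone holding a still-valid code can use it, which is why the same code works for multiple users until the step rolls over.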

If you want to generate events that show the user details and the time the bypass code was used, select the Generate bypass events option.

For more about events in your account, see Analyzing Events in Your Network.

To create a temporary bypass code:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Always-On section.

  3. Select Enable bypass connection.

  4. Expand the Show bypass code section to show the bypass code.

  5. Click Save.

    You can now send the bypass code to an SDP user.


Entering a Bypass Code in the Cato Windows Client

SDP users can right-click the Client icon in the system tray, and enter a Temporary Bypass code that they received from the admin. The Client bypasses the tunnel after the correct code is entered, and the SDP user can access the Internet.


Configuring Always-On for macOS and iOS for the Account

Configure the account settings for the Always-On policy and define requirements for the macOS and iOS Clients to connect to the Cato Cloud. You can configure separate policies for macOS and iOS.

Note: SDP users with Always-On enabled can still disconnect from the secure tunnel using the OS system settings.

To configure Always-On for macOS and iOS:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Always-On section.

  3. Select macOS: Always-On or iOS: Always-On to require that the Client is always connected to the Cato Cloud.

  4. Click Save.

Customizing Always-On for Specific SDP Users

You can customize Always-On for a specific SDP user and define the settings for that user. The user settings override the account settings for Always-On.

To configure Always-On for a specific user:

  1. From the navigation menu, click Access > Users.

  2. Click the user.

    The Network Analytics screen for that user opens.

  3. From the navigation menu, click User Configuration > Always-On. The Always-On section opens.

  4. Select Override account Connectivity Policy settings.

  5. Configure the Always-On settings for this specific user.

  6. Click Save.
