Protecting SDP Users with Always-On Security

This article discusses how to configure your Always-On policy to increase Internet security for SDP users in your account.

Overview

The Always-On Policy simplifies the provisioning of SDP users and enhances Internet security by ensuring that traffic from the defined SDP users always passes through the Cato Cloud.

Use the Always-On Policy to define when SDP users or Clients must stay connected to the Cato Cloud. While the Client is connected to the Cato Cloud, all traffic passes through the secure tunnel and is inspected by the security services enabled for your account. If specific users need temporary direct Internet access, you can give them a bypass code that disconnects the Client for up to 15 minutes.

Always-On Policy Prerequisites

  • Always-On is not supported for Linux Clients

  • Always-On with SSO authentication is supported for the following versions (and higher):

    • Windows Client v5.3

    • macOS Client v5.0

    • iOS Client v5.0

    • Android Client v5.0

Use Cases for the Always-On Policy

This section contains some examples of how you can use the Always-On policy for SDP users.

Apply a Different Always-On Policy to User Groups with the Same OS

The company ABC has a Finance team and a Sales team that both use Windows devices. They create rules to ensure the Finance team is always connected to the network. However, the Sales team is able to disconnect the Client when required so traffic passes directly to the Internet and not via the Cato Cloud.

Customize the Always-On Policy for Employees and Third-Party Contractors

Company ABC's network is used by its own employees, who have access to corporate resources, and by third-party contractors, who cannot access corporate resources. They create a rule that enables Always-On for their employees, while the third-party contractors are able to access the Internet directly. This ensures that all traffic from company employees passes through the Cato Cloud and is protected by the security policies.

Preparing to Implement Always-On Policy

Before you enable your Always-On Policy, consider how Always-On interacts with other features and Client versions in your environment. This section provides recommendations for how to use SSO, Client Connectivity, Device Authentication, and the Windows Client with your Always-On Policy.

Working with Always-On and SSO

For accounts that use Single Sign-On (SSO) authentication for SDP users, you can also configure the supported Clients to always remain connected to the Cato Cloud (Always-On). This configuration gives SDP users the simplicity of SSO and the security of Always-On. The Client is able to reach the IdP so that the user can authenticate, and access to other resources is governed by your security policy.

Note: To help SDP users who can't authenticate to the Client, we recommend that you enable the Bypass Code feature and review bypass events. Otherwise, an unauthenticated device can't connect to the Internet or to the Cato Cloud.

Implementing Always-On and SSO

This section contains best practices and recommendations for implementing Always-On with SSO in your account.

  • Start with enabling Always-On and SSO for a small number of users (see below Customizing Always-On for Specific SDP Users) to minimize the impact on your account

  • Review bypass events to monitor the usage of bypass codes in your organization

  • Since unauthenticated users don't have Internet connectivity, make sure that SDP users can log in to the device without relying on the Internet

  • Make sure that all Clients are updated to at least the minimum supported version for the relevant OS. If an unsupported Client version is used, the Client cannot re-authenticate and its traffic to the Internet is blocked.

  • For deployments that use a third-party proxy, only In-Client Browser Authentication is supported for Always-On and SSO (for more about Browser Authentication, see Configuring the Authentication Policy for Cato Clients)

Using Client Connectivity Policy and Device Authentication with Always-On

Your Client Connectivity Policy and Device Authentication settings apply device posture checks to the devices of SDP users. If a device fails to comply with the policy set for its profile, the SDP user can't connect to the Cato Cloud. Your Client Connectivity Policy and Device Authentication settings take precedence over your Always-On Policy.

For example, if an SDP user's device does not meet your Client Connectivity Policy, the device cannot connect to the Cato Cloud even if the SDP user is in a group with Always-On enabled.

Installing Windows Clients and Always-On

For IT teams that deliver or ship brand new devices to SDP users around the world, Always-On security can be provided out-of-the-box.

Starting with Windows Client v5.6, you can enhance Internet security even before an SDP user authenticates to Cato. The Always-On policy is available out-of-the-box, and Internet access is only permitted after the SDP user authenticates to your Cato account.

To enable this feature, simply add a registry key to the Windows device to enable Always-On. Once the user is added to the Client, the Always-On settings defined in the Cato Management Application are applied to that user.

For accounts that use the Pre login feature, the device is only allowed to access the Allowed Destinations before the SDP user is added to the Client. All other Internet access is blocked.

Note: Before an SDP user is added to the Client, it's not possible to enter a bypass code to temporarily disconnect the Client.

To configure the Windows registry to enforce Always-On:

  1. Open the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN

  2. Under this key, create the following value:

    • InitialAlwaysOn = 1 (DWORD)
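The registry change above can be scripted so that it is applied consistently to every device before it ships, and verified rather than assumed. The following PowerShell script is an added example, not Cato's own code: it uses only the key path and value name named in the steps above, the function names are this example's own, and it assumes an elevated session on a device where Windows Client v5.6 or later is installed.

```powershell
# Added example (not Cato's own code): enforce Always-On on a Windows device
# before its first user is added to the Client, by setting the registry value
# documented above. Run from an elevated (Administrator) PowerShell session,
# because HKLM is not writable otherwise. The function names are this
# example's own; only the key path and value name come from the article.

$CatoKey   = 'HKLM:\SOFTWARE\CatoNetworksVPN'   # key named in the article
$ValueName = 'InitialAlwaysOn'                   # value named in the article

function Set-CatoInitialAlwaysOn {
    # Create the key only if it is missing. New-Item -Force on an existing key
    # is avoided so that any values already stored under it are left untouched.
    if (-not (Test-Path -Path $CatoKey)) {
        New-Item -Path $CatoKey | Out-Null
    }

    # -PropertyType DWord matches the "(DWORD)" requirement in the article.
    # -Force overwrites an existing value, so re-running the script is safe.
    New-ItemProperty -Path $CatoKey -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Test-CatoInitialAlwaysOn {
    # Returns $true only when the value exists, is a DWORD, and equals 1.
    # A value of the wrong type (for example a REG_SZ "1") is reported as
    # misconfigured rather than silently accepted.
    if (-not (Test-Path -Path $CatoKey)) { return $false }

    $key = Get-Item -Path $CatoKey
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return $false
    }
    return ([int]$key.GetValue($ValueName) -eq 1)
}

Set-CatoInitialAlwaysOn
if (Test-CatoInitialAlwaysOn) {
    Write-Output "Always-On is enforced before login: $CatoKey\$ValueName = 1"
} else {
    Write-Error "Could not configure $CatoKey\$ValueName; check that this session is elevated."
}
```

Run the script with whatever deployment tooling executes PowerShell as an administrator on the device before it is shipped, and keep Test-CatoInitialAlwaysOn in your build verification so a missing or wrongly typed value is caught before the device leaves IT. Because bypass codes cannot be entered before a user is added to the Client, and accounts that use Pre login only permit the Allowed Destinations until then, confirm that a user can actually complete authentication from a device configured this way before rolling it out widely.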

Configuring the Always-On Policy

This section explains how to create the Always-On Policy.

Working with the Ordered Always-On Policy

The Always-On Policy is an ordered rule-base. The rules in your policy are applied to an SDP user or group as follows:

  • The first rule that they match is applied, and the Client follows the Connected status set in that rule

  • If they do not match any rule, they are able to disconnect from the network

Creating the Always-On Policy

The Always-On Policy lets you define the SDP users or user groups whose Clients are required to always stay connected to the network.


To create the Always-On Policy:

  1. From the navigation menu, click Access > Always-On Policy.

  2. Click New.

    The New Rule panel opens.

  3. Enter a Name and set the Rule Order.

  4. Define the Users & Groups, Platforms, and Connected status.

  5. Click Apply.

  6. Repeat steps 2-5 for each rule in the Always-On Policy.

  7. Enable the Always-On Policy and then click Save.

    The slider is green when the rule is enabled, and gray when the rule is disabled.

Configuring the Default Settings for Windows Clients

For additional security and convenience, you can configure the Windows Client to connect to the Cato Cloud during the boot phase. If an SDP user is in a rule with the On-Demand connected status, they can choose to disconnect and reconnect the Client whenever they need to. You can also configure the Windows Client to start minimized.

  • If the Connect on boot or the Start minimized checkboxes are selected in the Cato Management Application:

    • This is enforced on all Windows Clients in your environment

    • SDP Users cannot disable this setting from the Windows Client

  • If the Connect on boot or the Start minimized checkboxes are unchecked in the Cato Management Application:

    • SDP Users can choose to enable these features on the Settings tab in the Windows Client

To configure default settings for Windows Clients:

  1. From the navigation menu, click Access > Always-On Policy.

  2. Open the Settings tab.

  3. In the Connect on Boot section, define the default settings for Windows Clients.

  4. Click Save.

Enforcing Authentication Behind a Cato Site

When an SDP user connects from behind a Cato Socket or IPsec site, the Client automatically connects to that site in Office Mode. For more information on Office Mode, see Configuring Office Mode.

From Windows Client v5.8, you can configure whether SDP users with Always-On enabled are required to authenticate to Cato when the Client is connected in Office Mode. This setting has no impact on security policies.


To enforce authentication at a Cato site:

  1. From the navigation menu, click Access > Always-On Policy.

  2. Open the Settings tab.

  3. In the Enforce Always-On in Office section, select Require authentication in an office.

  4. Click Save.

Temporarily Disconnecting the Client

You can let SDP users temporarily disconnect the Windows, Android, and iOS Clients, and the macOS Client from v5.4. For example, a user might need temporary access to a website that is blocked by your firewall policy.

This option generates a one-time password (OTP) in the Cato Management Application that you can give to any SDP user so that they can temporarily disconnect the Client for up to 15 minutes at a time. Each code is valid for up to 15 minutes.

In addition, you can use an authentication app (such as Google Authenticator) to scan the QR code in this screen. Then you can always get an OTP for SDP users from the authentication app. The authentication app refreshes the code every 30 seconds, so each code is only valid for 30 seconds.

You can use the same bypass code for multiple users, as long as the code is still valid. Treat the code as a shared secret: anyone who has it can disconnect a Client while the code is valid, so share it only with the users who need it and review the bypass events.

Events are generated that show the user details and the time the bypass code was used. To view these events, on the Events screen apply a filter for the sub-type VPN Never-Off Bypass.

For more about events in your account, see Analyzing Events in Your Network.

To generate a bypass code for temporarily disconnecting the Client:

  1. From the navigation menu, click Access > Always-On Policy.

  2. Open the Settings tab.

  3. Expand the Show bypass code or Show QR code for authentication app section.

  4. You can now send the bypass code or QR code to an SDP user.

Entering a Bypass Code in the Cato Client

To enter the bypass code:

  • In the Windows Client, SDP users can right-click the Client icon in the system tray and select Temporary Bypass

  • In the macOS Client, SDP users can right-click the Client icon in the system tray and select Temporary Disconnect

  • In the iOS Client, on the Client home screen, select Bypass Always-on

  • In the Android Client, from the side menu, select Temporary Bypass

After a valid code is entered, the Client bypasses the encrypted tunnel and the SDP user can access the Internet. The macOS, iOS and Android Clients can be temporarily disconnected for a maximum of 15 minutes.

SDP users who authenticate with SSO or MFA need to re-authenticate to the Cato Client when re-connecting after entering a bypass code.

Customizing Always-On for Specific SDP Users

You can customize the Always-On Policy for an individual SDP user.

To configure the Always-On Policy for a specific user:

  1. From the navigation menu, click Access > Always-On Policy.

  2. Click New.

    The New Rule panel opens.

  3. Enter a Name and set the Rule Order.

  4. In the User & Groups section, select SDP User.

  5. Choose the specific user.

  6. Define the Platforms and Connected status.

  7. Click Apply.

  8. Enable the Always-On Policy and then click Save.

    The slider is green when the rule is enabled, and gray when the rule is disabled.
