Cato Networks Knowledge Base

Configuring the Browser Access Portal

This article discusses how to configure the settings for the Browser Access Portal and how clientless SDP users are authenticated.

Configuring the Basic Settings for the Browser Access Portal

The Browser Access Settings tab shows the Portal URL that end users use to access the portal. The URL is based on the subdomain for the account. Even though dashes are valid characters in the subdomain, they are not valid in the Portal URL. For more about the subdomain for your account, see Configuring SSO and the Subdomain for the Account.

Define the logo for the portal. The maximum file size is 200 KB and these file types are supported: JPG and PNG.

You can also define whether users can authenticate to the portal using their Cato username and password. Use the Single Sign-On screen to enable users to authenticate with the SSO provider.

To configure the basic settings for the Browser Access Portal:

  1. From the navigation menu, click Access > Browser Access.

  2. On the Settings tab, select Enable Remote Access.

  3. To add a custom logo to the Browser Access Portal, in Portal Logo drag and drop the logo file or click Browse to select the file.

  4. Click Save.

Authenticating Clientless Users to the Browser Access Portal

The Browser Access Portal supports authenticating users with the SSO provider for the account, and also the user credentials for the Cato Management Application. You can choose to use one or both of these methods.

For more about configuring SSO for your account, see Configuring SSO and the Subdomain for the Account.

Note: Browser Access users that you create manually are allowed to access the portal with username and password from any domain.

Configuring Browser Access Cookies

Configure the Browser Access Portal to use persistent or session cookies. For persistent cookies, you can configure the time duration that the cookie is valid. After this time, the user needs to log in to the Browser Access Portal again.

If you use session cookies, then when users close the browser or end the session they are immediately logged out of the Browser Access Portal. If the session is idle for more than the configured Duration, then the session expires and the user needs to log in to the Browser Access Portal again.

The following screenshot shows the cookies policy configured for Browser Access users in the Single Sign-on screen:

Clientless_SSO.png

To configure the authentication settings for Browser Access users:

  1. To let Browser Access users log in using the SSO provider:

    1. From the navigation menu, click Access > Single Sign-On.

    2. In the Clientless SDP Users section, select Allow login with Single Sign-On.

    3. In Cookie type, select the type of authentication cookies that the Browser Access Portal uses: Session or Persistent.

    4. Set the Duration that the cookie is valid.

    5. Click Save.

  2. To let Browser Access users authenticate with their Cato user credentials:

    1. From the navigation menu, click Access > Browser Access.

    2. In the Authentication section, select Allow login with Cato user credentials.

    3. Click Save.

Defining the NAT IP Range for the Browser Access Portal

You can define the range of translated source IP addresses for the users that connect to the Browser Access Portal. For example, some applications use an Access Control List (ACL) to only allow connections from a specific IP range. We recommend that you define the NAT IP address range, and then enable the source NAT IP range for each of the relevant Browser Access applications.

Note: You can use one of the private IP ranges for the Browser Access NAT IP range. This IP range is only used between the portal and the application server.

To define the source NAT IP range for the Browser Access Portal:

  1. In the Settings section or tab, in NAT IP Range enter the source NAT IP range with the CIDR subnet.

  2. Click Save.

  3. To enable an application to use the source NAT IP range:

    1. In the Applications tab or section, edit the application. The Edit Application panel opens.

    2. Select Use source NAT IP range.

    3. Click Apply and then click Save.
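Before entering a NAT IP Range, it helps to confirm that the application server's ACL admits the whole range and nothing wider. The following is an added example, not part of the Cato documentation or product: the function name, the ACL-as-list-of-CIDRs input, and all sample values are assumptions, and "private IP ranges" is taken to mean RFC 1918.

```python
import ipaddress

# RFC 1918 private ranges (assumed meaning of "private IP ranges" in the note above)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_nat_range(nat_cidr, app_acl):
    """Compare a candidate source NAT range with an application's allow-list.

    nat_cidr: the range as typed into NAT IP Range, e.g. "10.254.10.0/24"
    app_acl:  CIDR strings allowed by the application server's ACL
    Raises ValueError if nat_cidr is not a valid network (host bits set, bad mask).
    """
    nat = ipaddress.ip_network(nat_cidr, strict=True)
    entries = [ipaddress.ip_network(e, strict=False) for e in app_acl]
    # collapse_addresses() rejects mixed IPv4/IPv6 input, so filter first.
    # Collapsing lets two adjacent /25 entries count as covering a /24.
    merged = list(ipaddress.collapse_addresses(
        e for e in entries if e.version == nat.version))
    covering = [m for m in merged if nat.subnet_of(m)]
    return {
        "private": any(nat.subnet_of(p) for p in RFC1918 if p.version == nat.version),
        # True only if every translated address is admitted by the ACL.
        "covered": bool(covering),
        # Entries wider than the NAT range also admit sources other than the portal.
        "broader_than_nat": [str(m) for m in covering if m != nat],
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    print(check_nat_range("10.254.10.0/24", ["10.254.10.0/25", "10.254.10.128/25"]))
    print(check_nat_range("10.254.10.0/24", ["10.0.0.0/8", "192.168.5.0/24"]))
    print(check_nat_range("10.254.10.0/24", ["10.254.10.0/25"]))
```

A result with covered set to False means some translated addresses would be rejected by the application; a non-empty broader_than_nat list means the ACL can be tightened to the NAT range itself.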

Allowing Access from Generic Domains

You can list generic domains that are allowed to use Browser Access. This provides Browser Access to third-party clientless SDP users and prevents domains that are not listed from using Browser Access.

The Allowed Domain is applied to all of the Access Policy rules in your account.

To add Allowed Domains:

  1. From the navigation menu, click Access > Browser Access.

  2. On the Settings tab, in the Allowed Domains section, click the plus sign.

  3. Add the domains that you want to allow to use Browser Access. Separate multiple domains with a comma.

  4. Click Save.
