Cato Networks Knowledge Base

Using Windows Pre login and the SDP Client


This article explains how to configure the Pre login settings to provide initial authentication for a device so that it can securely access networks and resources.

Overview of Pre login

Pre login is an essential component of Zero Trust Network Architecture (ZTNA). It grants devices access based on their Device Authentication, before the user is authenticated. The granular Pre login policy defines a limited access policy of Allowed Destinations that is applied to trusted devices.

Cato's Pre login feature addresses the problem of the initial authentication for a device. A common example is a new device that is sent to a new remote user. The device needs to connect to the company's Active Directory (AD) to complete the user authentication. However, since this is a new device, there are no Windows user credentials on it, and unauthenticated users aren't allowed to connect to the AD.

Cato’s solution is based on pre-deploying a trusted certificate and the Cato Client on the device. This establishes enough trust to let the device connect to the Pre login resources that you configure. Then the user can securely authenticate to the device.

Cato's Pre login Solution

As soon as the device can connect to the public Internet (such as WiFi in the user's home), the Cato Pre login feature lets the device connect to the Pre login resources.

The Windows device is pre-configured with the Cato Client and a trusted certificate, and the Windows registry is configured with the account name. The Client then connects to the relevant resources, for example the AD, and the user authenticates to the device. Once the Windows device successfully authenticates to the Cato Cloud, the Windows user credentials are saved to the device, and in the future it can authenticate and connect to the AD as required.

Prerequisites

Windows devices that meet all of these prerequisites can use Cato's Prelogin feature.

  • Cato SDP Client requirements:

    • Supported from Windows Client v5.4 and higher

    • Client is installed on the device

  • Certificate requirements:

    • Upload signing certificate to the Cato Management Application (Access > Client Access > Device Authentication)

      For more information about uploading certificates, see Distributing Certificates for Device Authentication.

    • Install a signed device certificate on the Windows device

  • Configure the Windows registry for the Client on the device, under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN:

    • Enable Prelogin for this device

      PreLogin (DWORD), value data 1

    • Configure the account name as it appears in the Cato Management Application

      Subdomain (String), value data <account subdomain>

      For example, the account name SampleCo has the subdomain: sampleco.via.catonetworks.com

      You can show the subdomain for your account in Access > Single Sign-On
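The following PowerShell is an added example, not part of the Cato article or the Cato Client: it sets the two registry values listed above and then reads them back, including the value type, so an imaging or deployment script can fail early if a prerequisite is wrong. It assumes an elevated session; the subdomain is the article's SampleCo example and must be replaced with your own, and the certificate store it checks (Cert:\LocalMachine\My) is an assumption, since the article does not say where the signed device certificate is installed.

```powershell
# Added example (not Cato's code): set and verify the Pre login registry prerequisites.
# Run in an elevated PowerShell session on the Windows device.
$KeyPath   = 'HKLM:\SOFTWARE\CatoNetworksVPN'
$Subdomain = 'sampleco.via.catonetworks.com'   # placeholder from the article; use your account's subdomain

# Create the key if the Client install has not already created it.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# PreLogin (DWORD) = 1 enables Pre login; Subdomain (String) names the account.
New-ItemProperty -Path $KeyPath -Name 'PreLogin'  -PropertyType DWord  -Value 1          -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'Subdomain' -PropertyType String -Value $Subdomain -Force | Out-Null

# Verify the values, and fail loudly so a deployment task reports the problem.
$props = Get-ItemProperty -Path $KeyPath
if ($props.PreLogin -ne 1) {
    throw "PreLogin is not 1 (found: $($props.PreLogin))"
}
if ($props.Subdomain -ne $Subdomain) {
    throw "Subdomain mismatch (found: $($props.Subdomain))"
}

# Verify the type too: a REG_SZ '1' is not the DWORD the prerequisite calls for.
$kind = (Get-Item $KeyPath).GetValueKind('PreLogin')
if ($kind -ne 'DWord') {
    throw "PreLogin has type $kind, expected DWord"
}

# Assumption: the signed device certificate lives in the machine personal store.
# This only checks that some unexpired certificate with a private key is present.
$now  = Get-Date
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $now } |
        Select-Object -First 1
if (-not $cert) {
    throw 'No unexpired device certificate with a private key found in LocalMachine\My'
}

Write-Host "Pre login prerequisites verified for $Subdomain (cert thumbprint: $($cert.Thumbprint))"
```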

Sample Pre login Use-cases

  • Challenge - A brand new Windows device is sent to an employee at their house. The corporate AD is behind a Cato site, so the new user can't connect to it.

    • Solution - The device meets the Prelogin prerequisites above. The user turns on the computer, it is allowed to connect to the AD, and the user authenticates to the AD and is allowed to connect to the network.

  • Challenge - Device Posture is configured for an account, and requires that Clients can only connect when the endpoint Anti-Malware software is up to date. A device with older Anti-Malware software isn't allowed to connect to a Cato site or to the Cato Cloud.

    • Solution - The device meets the Prelogin prerequisites above. The device is allowed to connect to the IP range for the software vendor and update to the newest version. Then the device meets the Device Posture and is allowed to connect to the network.

Configuring Pre login Settings in the Cato Management Application

Use the Pre login screen to define the resources in the Allowed Destinations that the pre-configured Windows devices can connect to. When the Client on the device attempts to connect to the Cato Cloud, the device is recognized as a Pre login device.

The Cato Cloud allows the device to connect to the resources that are configured as an Allowed Destination, and the WAN and Internet firewall rules are not applied to this connection. In addition, the Device Posture requirements are not applied to the Pre login traffic. The Cato Cloud only allows traffic that is related to the Pre login process; all other traffic is blocked.

An Allowed Destination can be an IP address, an IP range, or a host (which is defined for a specific site).

Notes on Pre login and Allowed Destinations

  • For accounts that use a private DNS server, make sure that this server is defined as an Allowed Destination

  • SDP Clients that are configured with Never-Off are only allowed to connect to:

    • WAN - Resources defined in Allowed Destinations

    • Internet - Authenticate the user with the IdP

  • SDP Clients without the Never-Off setting (including new devices) are allowed to connect to:

    • WAN - Resources defined in Allowed Destinations

    • Internet - Windows device can connect to any resource in the Internet

  • For security reasons, we recommend that you define the smallest IP range for an Allowed Destination

To configure your account to support Pre login:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Pre login section.

  3. Select Enable Pre login.

  4. From the drop-down menu, select the Host, IP address, or IP range for each Allowed Destination.
    Note: For security reasons, do not use the IP range 0.0.0.0 - 255.255.255.255 as an Allowed Destination.

  5. Click Save.
