Recent Discussions
Always on VPN and troubleshooting connectivity issues
Hi, I wanted to check if anyone else have experienced issues with the users enabled for Always On when their SDP client can not connect. Ocasionaly we see clients can not connect showing different errors, like username not recognized, can not connect, etc. The problem is that our Zoho Assist remote management software is not available if the user laptop is not connected to Internet which it is not when using Always On. How do you guys provide support in this scenario? What we usually do is first disable Always on policy for that user and then re-install the CAto client using either local admin or service desk user account. The problem is that we need to change the passwords to those accounts after giving out to the user by phone. Basically we just need Zoho Assist client traffic to bypass Cato tunnel, we will be testing split tunnel feature and adding Zoho IPs to bypass. Curious to hear your thoughts. Thanks!
Azure Virtual Desktop Session Host Routing
Hi, has anyone ever set up a route table on Azure so that the route to Microsoft Login subnets goes out through Cato? When we tried doing this, to make sure our AVD users are protected by Cato, users stopped being able to connect to session hosts through the AVD FQDN (broker). I suspect that its either TLS Inspection being enabled for Microsoft Login app (has never been an issue for our laptop users), or that AVD brokering system needs Microsoft Login traffic to go through the internet instead of a private route for some reason.
Disabling Connect On Boot for external user
Hi, we have activated the "Always On" policy for our users and an "on demand" rule for our external service providers. To ensure that always on is applied for our users, we have checked the "connect on boot" option, but unfortunately this option also applies to external service providers. Can our service providers override this option (registry key?) so that the CATO client doesn't launch at startup? (when I asked the CATO AI, it mentioned a key, but it doesn't seem to work). I can't see specfic configuration in user profile to override this nether. Any idea ? Thanks ! Regards
Block access to local/home network for Cato Client – force all traffic through Cato tunnel
Hi everyone, we are using the Cato Client (Windows/macOS) for remote users and would like to fully block access to the local/home network when the client is connected. Goal: No access to local LAN subnets (e.g. 192.168.0.0/16, 10.0.0.0/8, printers, NAS, routers, IoT, etc.) No split tunneling or local breakout All traffic should be forced through the Cato tunnel We checked the following areas but could not find a clear way to block local LAN access on the endpoint: Client Connectivity Policy Network Rules Internet / WAN / LAN Firewall Questions: Is it possible to block local/home network access for Cato Clients purely within Cato (endpoint-based), so that local LAN traffic is not reachable at all? If yes: which policy / feature is required (e.g. Client Advanced Controls, specific license, feature flag)? If no: is the recommended approach to enforce this via endpoint controls (e.g. OS firewall / MDM) in combination with Always-On and no split tunneling? Any guidance or best practice from real-world deployments would be highly appreciated. Thanks in advance!
Cato Client - manual PoP addressing
Has anyone tried scripting to change the manual pop location so the user can run the script and it will change their client manual pop address to a specific location. Not sure where this detail is stored on windows for the client, regkey or config file? Even a cato cli client with a switch to set it? I tried using fqdns as the pop name and having it resolve to a PoP IP in the hosts file, then using a script to change the hosts file entry to the desired PoP IP.... but the client cant use fqdns as the PoP to connect to :DCato and UPnP (hole punching)
We are a new Cato customer and are part way through deploying sockets to our sites. We have discovered an issue with an application which users UPnP. The application (https://parsec.app) typically has an app installed on a device, such as a desktop PC, behind the socket. This is known as the "host". Then the app is also installed on a personal device, outside the network, known as the "client". These should negotiate a peer-to-peer connection using UPnP, but this is not working when the socket is in place. A remote user is not able to connect to their office PC. It worked previously with our previous firewall. And if a remote users has the Cato client installed and running, they are able to connect. It seems like the Cato socket does not support, or is blocking UPnP. Can anyone at Cato confirm if UPnP is supported, and/or offer some advice? Thanks.Auto disabling of "Secured Private Access" when user in office
In Cato, there is "Cato Connectivity Policy" wherein we can either allow "Allow Internet" or "Allow WAN and Internet" or "Block". We have MPLS in our offices and we wants to have only SWG i.e "Allow Internet" when user is in office so that internal applications go through MPLS and only internet traffic goes through Cato but when same user goes out of office than automatically both Internet and WAN traffic should go through the Cato. We had similar arrangement when we were with Netskope. In Netskope, there is a feature called “Enabling Dynamic Steering” [Refer https://docs.netskope.com/en/enabling-dynamic-steering/] wherein we could decide if users is “On-Premise” then what all traffic needs to be steered to Netskope and whether Private access needs to be enabled or not or only internet traffic is need to be steered. Can this be achieved in similar fashion ?
