Roni
Comet
2 months ago

CATO always on

Hi,

I am currently deploying Cato across my entire organization, transitioning from Fortinet’s VPN platform to Cato’s ZTNA.

We are enabling Always On to enforce the use of Cato for all users. However, this feature requires an initial login from the user. How can I force an end user (who does not use any sensitive company services but still needs enforcement as part of ZTNA) to complete the initial login to the Cato Client?

Since we are rolling this out company-wide, I do not want to enforce it for all users, but rather for a specific group. Is there an option to do that?

Thanks!

3 Replies

  • It's because the initial client doesn't have a configuration and it's the same package for everyone. To push configuration prior to authenticating even once and getting a policy, certain registry keys can be rolled out to systems alongside the install package. One is mentioned in this article for initial Always-On: https://support.catonetworks.com/hc/en-us/articles/4417643184529-Protecting-Users-with-Always-On-Security

    To configure the Windows registry to enforce Always-On:

    1. Go to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN
    2. Define this key:
       • InitialAlwaysOn=1 (DWORD)
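
    The registry change above, scripted so it can ship with the client package, as an added example that is not part of the reply, the thread, or Cato's own documentation. It assumes only what the reply states (the HKLM\SOFTWARE\CatoNetworksVPN key and the InitialAlwaysOn DWORD set to 1); the script name, the -Audit switch and the exit-code convention are this example's own choices, patterned on the detection/remediation split that endpoint-management tools use.

    ```powershell
    # Set-CatoInitialAlwaysOn.ps1 (hypothetical name; added example, not Cato's code)
    # Ensures HKLM\SOFTWARE\CatoNetworksVPN\InitialAlwaysOn = 1 (DWORD) before the
    # user has ever signed in, so the client starts in Always-On enforcement.
    # Requires administrative rights; supports -WhatIf and -Audit (report only).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Audit   # report compliance only: exit 0 if enforced, 1 if not
    )

    # Only these three values come from the reply; everything else is scaffolding.
    $CatoKeyPath = 'HKLM:\SOFTWARE\CatoNetworksVPN'
    $CatoValue   = 'InitialAlwaysOn'
    $Desired     = 1

    function Test-CatoInitialAlwaysOn {
        # $true only when the value exists and is exactly 1; a missing key,
        # a missing value, or any other value is treated as not enforced.
        $item = Get-ItemProperty -Path $CatoKeyPath -Name $CatoValue -ErrorAction SilentlyContinue
        return ($null -ne $item -and [int]$item.$CatoValue -eq $Desired)
    }

    function Set-CatoInitialAlwaysOn {
        [CmdletBinding(SupportsShouldProcess)]
        param()
        # Create the key if the client package has not created it yet.
        if (-not (Test-Path -Path $CatoKeyPath)) {
            if ($PSCmdlet.ShouldProcess($CatoKeyPath, 'Create registry key')) {
                New-Item -Path $CatoKeyPath -Force | Out-Null
            }
        }
        # -Force overwrites an existing value of the wrong type or content.
        if ($PSCmdlet.ShouldProcess("$CatoKeyPath\$CatoValue", "Set DWORD to $Desired")) {
            New-ItemProperty -Path $CatoKeyPath -Name $CatoValue -Value $Desired `
                -PropertyType DWord -Force | Out-Null
        }
    }

    if ($Audit) {
        if (Test-CatoInitialAlwaysOn) { Write-Output 'Compliant: InitialAlwaysOn = 1'; exit 0 }
        Write-Output "Non-compliant: $CatoValue missing or not $Desired"
        exit 1
    }

    Set-CatoInitialAlwaysOn
    if (Test-CatoInitialAlwaysOn) {
        Write-Output "Enforced: $CatoKeyPath\$CatoValue = $Desired"
    } else {
        Write-Error "Failed to set $CatoKeyPath\$CatoValue (no change made under -WhatIf?)"
        exit 1
    }
    ```

    Scope it with the deployment tool rather than inside the script: assign it (and the client installer) only to the pilot group through GPO security filtering or an Intune/SCCM group assignment, so machines outside that group never receive the key, and use the -Audit mode as the detection rule so the tool can report which endpoints are still not enforced.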
  • Roni,

    Having run across this recently with another client, I am going to recommend trying the "Sign in with Windows credentials" SSO feature.

    Authenticate-SDP-Users-Automatically-with-Windows-Credentials

    It will only work with Windows and will require a few registry changes. Do not add the required registry entries to machines that you do not want to auto login. This should achieve what you need.

  • To encourage users to sign in to the Cato VPN and pick up the Always-On policy, you could ensure specific applications are only accessible via your allocated IPs.

    For example, we direct the Microsoft login traffic via our allocated IPs. We use these same IPs in an Entra Conditional Access Policy to ensure SSO can only be performed from the Cato VPN or by a user at a Cato office.

    Because CAPs can be very granular, you can target the SSO apps or users to suit.