CATO always on

Question

Hi,I am currently deploying Cato across my entire organization, transitioning from Fortinet’s VPN platform to Cato’s ZTNA.We are enabling Always On to enforce the use of Cato for all users. However, this feature requires an initial login from the user. How can I force an end user (who does not use any sensitive company services but still needs enforcement as part of ZTNA) to complete the initial login to the Cato Client?Since we are rolling this out company-wide, I do not want to enforce it for all users, but rather for a specific group. Is there an option to do that?Thanks!

georgepetre · Answer

It's because the initial client doesn't have a configuration and it's the same package for everyone. To push configuration prior to authenticating even once and getting a policy, certain registry keys can be rolled out to systems alongside the install package. One is mentioned on this article for initial always on: https://support.catonetworks.com/hc/en-us/articles/4417643184529-Protecting-Users-with-Always-On-Security&nbsp;
To configure the Windows registry to enforce Always-On:

Go to the registry key:&nbsp;HKEY_LOCAL_MACHINE\SOFTWARE\CatoNetworksVPN
Define this key:

InitialAlwaysOn=1 (DWORD)

david_tudor · Answer

Roni,
Having run across this recently with another client, I am going to recommend trying the "Sign in with Windows credentials" SSO feature.
Authenticate-SDP-Users-Automatically-with-Windows-Credentials
It will only work with Windows and will require a few registry changes. Do not add the required registry entries to machines that you do not want to auto login. This should achieve what you need.

nath · Answer

To encourage users to sign-in to the Cato VPN and pickup the Always-On policy you could ensure specific applications are only accessible via your allocated IPs.For example, we direct the Microsoft Login traffic via our allocated IPs.&nbsp; We use these same IPs in an Entra Conditional Access Policy to ensure SSO can only be performed from the Cato VPN or a user at a Cato office.Because CAPs can be very granular, you can target the SSO apps or users to suit.

akh · Answer

&nbsp;Sorry,I had asked a question here, but since I was able to resolve it, I have deleted my previous comment.

Forum Discussion

CATO always on

Recent Discussions