Thanks yumdarling and CATOwner,
This comment in the KB article has had some back and forth, so the community is actually a great place to continue to discuss the details of this question. Copying the discussion so far:
Steve Pettitt:
We are currently testing Always On, this may sound stupid, but would the option in the policy configuration to only apply Always On when a User is not behind a Socket be possible, so anyone WFH or out and about would be forced to connect to the VPN, whilst users sat behind a Socket are ignored?
Michael Goldberg:
Enabling the Always-On policy means the Client always automatically connects to the Cato Cloud. This happens whether a user is working remotely or behind a site. When a user connects behind a site, they are connected to the Cato Cloud via the site and not the Client, and the Client enters Office Mode. Users behind a socket are automatically connected to the Cato Cloud (assuming they are connected to the corporate network and not a guest network) regardless of whether they are included in an Always-On policy rule or not.
Mark Knutson:
Piggy-backing on what Michael G. is saying,
I highly recommend setting up your Trusted Networks setting (under the Access>Client Access Control section). Our org had some issues with Always-On not triggering the “Office Mode” until we got this setup correctly.
Steve Pettitt:
And therein lies the problem, we need our HelpDesk agents, and Infrastructure team to be able to connect to the VPN when on different Ethernet and WIFI subnets around our head office and remote offices that are all protected by Sockets. We use reserved IP DHCP addresses when at our Desks at our Head Office, but when migrating around the network and on alternate IP Subnets, we use a reserved VPN address to allow access to restricted devices. Office mode breaks this concept, we need to be able to, without using the bypass, connect to the VPN to access our reserved VPN IP address when on different IP subnets around our network locations. I understand this may seem counterproductive, but we really need to not be forced into office mode when connecting behind a Socket location.
Michael Goldberg:
We may have a solution for this use case. Please contact support for more information.
Trevor Grön:
Please can you let us know what the solution may be. We have an existing ticket open #675588, Callum Bisley on T3 Team has provided some useful information, however he has not has not solved our problem of “Not being forced into Office Mode when behind a CATO Socket”. We can create an “Always-On” policy with “On-Demand”, but this relies on the users connecting their CATO Client when out of the Office. Dave Cullen has also provided some further information, where the only useable option appears to be reserving IP addresses in DHCP at the necessary sites and subnets and then whitelisting those in CATO and on our Firewalls, this would work but requires a lot of setup and ongoing maintenance.
