ddaniel
Meteor
2 months ago

Cato SDP Client - Always On / Prelogin questions

We are switching from another VPN solution and I have some questions about the always-on / pre-login features.

Is there any way to see always-on or pre-login connections in the CMA?
Do the pre-login sessions use machine credentials?
Can we access the machines remotely during pre-login?

Use cases / background

  • If we were working on an issue we could restart the machine and log in again after the reboot.
  • If the user had an issue we could remote to the machines, do an admin login and resolve issues.
  • With our previous solution we could see the machine/device connections and IP information in the management console.

We may be able to use TeamViewer remote access but I don't think you can allow pre-login destinations via FQDN. Basically, we would like to be able to see and manage our online devices even if they are not logged in. Do split tunnel exceptions work pre-login for something like TeamViewer?

 

3 Replies

  • Mihai
    Cato Employee

    Hi ddaniel,

    I will try to respond in-line:

    Is there any way to see always-on or pre-login connections in the CMA?
    Always-on connections are treated as a normal connection to the Cato Cloud. You can see them in the Access Overview page. You can also see here the users that did a Bypass.

    Pre-login users are not visible in the CMA.


    Do the pre-login sessions use machine credentials?
    The pre-login session is done at the machine level (not at the user level) with a certificate and a registry setting. You cannot see those sessions in the CMA. They will start the SDP connection to the Cato PoP before the user logs in. Here is the KB: https://support.catonetworks.com/hc/en-us/articles/5766368718365-Using-Windows-Pre-Login-and-the-SDP-Client


    Can we access the machines remotely during pre-login?
    Yes, you can. You will need to configure the correct settings. I recommend doing so using jump servers so you will not open the whole network to all the pre-login users.
    You can't use FQDNs, but you can use hosts / IPs / IP ranges in the configuration.

    If you find that my post answered your question please mark it as a solution.
    Thanks,
    Mihai

  • Thank you. This information is extremely helpful. However, if I cannot see the pre-login session in the CMA (or by API) then there is no good way for me to identify machines in this condition to remotely connect to them. It would be extremely useful to me if I could see these sessions in the CMA (perhaps with a filter). That would allow me to use a jump server to get on the machines remotely.

    • yumdarling
      Community Manager

      Hi ddaniel,

      This looks like it might be a great idea to add to our Idea Hub here on Cato Connect.

      Let me know if you need any further assistance!

      Yum