Forum Discussion
This is one of those times where I have a site that I am not an administrator over, and they are offering to put us on a guest network that is VERY restrictive on what can get out. Unfortunately, we've gone to a different solution using hardware boxes and IPsec, but I was looking at this as a way to get temporarily online (if not permanently?) in the event of hardware failure, as the site is 12 hours away. The Cato client's TCP fallback works well enough when it has access to other ports, but this customer of ours will not bend on allowing UDP 443, nor will they allow unfettered DNS requests to random internet endpoints. Just making sure I still have no options with Cato, which is the case right now.
Like I said above, my machine with a previous connection will fall back if I restrict it to TCP 443 only via firewall rules; but on an initial client install it needs that first contact using your DNS. It's not a complete fallback - the initial connect works in conjunction with raw DNS requests, so the fallback only applies if you're temporarily on a network with no access but have previously connected with the client.
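The egress restriction the poster describes can be reproduced on a Linux test host so the two cases (previously connected client vs. fresh install) can be compared side by side. The script below is an added example, not code from the thread or from Cato; it assumes a Linux host with nftables, an arbitrary table name (catotest), and a resolver address supplied by whoever runs it. Mode tcp443 allows only TCP/443 out, which is the poster's test; mode tcp443+dns additionally allows DNS to one resolver, which is the condition the poster reports a first-time install needs.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Cato): generate an nftables
# ruleset that limits host egress the way the poster's test does.
# Assumptions: Linux host with nftables; table/chain names are arbitrary;
# the resolver IP for mode tcp443+dns is supplied by the caller.

# gen_egress_ruleset MODE [RESOLVER_IP]
#   tcp443      -> only TCP/443 may leave the host; DNS and UDP/443 are dropped
#   tcp443+dns  -> TCP/443 plus UDP/TCP 53 to RESOLVER_IP only
# Prints the ruleset; apply it with:  gen_egress_ruleset tcp443 | sudo nft -f -
gen_egress_ruleset() {
    mode=$1
    resolver=${2:-}
    # Declare, then flush, then redefine: makes re-applying idempotent.
    # No "ct state established" rule on purpose: an already-open UDP/443
    # tunnel must be cut, otherwise the client never has to fall back.
    printf '%s\n' \
        'table inet catotest' \
        'flush table inet catotest' \
        'table inet catotest {' \
        '  chain output {' \
        '    type filter hook output priority 0; policy drop;' \
        '    oif lo accept' \
        '    tcp dport 443 accept'
    case $mode in
        tcp443) ;;
        tcp443+dns)
            [ -n "$resolver" ] || { echo "resolver IP required" >&2; return 1; }
            printf '    ip daddr %s udp dport 53 accept\n' "$resolver"
            printf '    ip daddr %s tcp dport 53 accept\n' "$resolver"
            ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Explicit UDP/443 drop is redundant with policy drop but shows up clearly
    # in "nft list ruleset"; the log rule records what else the client tries.
    printf '%s\n' \
        '    udp dport 443 drop' \
        '    log prefix "catotest-drop " drop' \
        '  }' \
        '}'
}
```

Apply mode tcp443 with the client already installed and previously connected, restart the client, and it should come up over TCP/443; then uninstall, re-apply, and try a fresh install to see the first-contact failure, watching `dmesg` or the journal for `catotest-drop` entries to confirm what was blocked. Remove the restriction with `sudo nft delete table inet catotest`.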
It is possible to enforce TCP per SDP user by opening a support ticket and providing the user ID. Note, though, that the end user needs to be advised that they will experience worse performance with TCP-based TLS tunnels. I have seen customers who ultimately asked to revert to DTLS. It is far worse to resolve if you leave it ON and the user later complains after a few months that they are not happy with the performance, and there is no record of the TCP enforcement.