Forum Discussion

dkoeck
21 days ago

Pre-Login and Online Services

We currently have an on-premises Active Directory and have Pre-Login enabled with connect at boot enabled.

We defined internal destinations (domain controllers) as allowed destinations, so the devices can reach the domain controllers before the user has logged in. This worked fine so far.

However, now we want to migrate to Entra ID and Intune only, which means that the machines now need to reach Entra and Intune before or directly after the login.
Since the pre-login mode doesn't allow them to reach all URLs of Entra ID and Intune, we get problems during login and for the Intune enrollment (which happens after the login of a new user but before the user has authenticated with the CATO client).

We also have the same problem with NinjaOne which we use to manage endpoints: We would like to be able to reach endpoints before a user has logged in.

In the allowed destinations for the pre-login mode, I can only provide internal targets and IPs, but can't put any Internet hostnames so the devices can reach Entra ID and Intune before the user has authenticated.

So what is the solution here? We want to use pre-login to have the security it provides and prevent the devices from having open Internet access before the user has authenticated with CATO, but we really need to resolve the issues it causes when it comes to connecting to our management services before the user has authenticated.

Thank you in advance.

7 Replies

  • MRB

    I am running into similar limitations with Pre Login and remote management tools. Allowing FQDNs or domains in Pre Login would resolve this issue.

  • michaelsaw

    Hi dkoeck, MRB,

    Other than having the 1 IP address on Pre-Login, can we check what would be the additional number of IPs/URLs/FQDNs required?
    Entra ID - additional IP/FQDN: 1, right? (Y/N)___
    Intune - additional IP/FQDN: 1, right? (Y/N)___

    Cheers


    • dkoeck

      Yes, you can also use external (Internet) IP ranges, but the problem is that those services (especially Microsoft Azure/Entra ID/Intune) have hundreds of different IP ranges, which change on a weekly basis.
      Therefore this is not a solution.

      • michaelsaw

        Hi dkoeck,

        I understand your concern.
        As an alternative, would you consider connecting (and updating) after the user is validated and connected on the Cato Client?

        Cheers

    • Evan

      While I think FQDNs/domains should be added to the allow-list options for Pre Login, moving Pre Login to be policy-based and not a global option should also be implemented. This would allow you to target the users/groups/etc. that need Pre Login separately from those that don't. More flexibility in where you use Pre Login would be a good thing.

      I would also love to see SSO options moved to be policy-based and not a global setting for all Client Access.