Cato Windows SDP Client - TCP443 only
I've got a support ticket in - and am working on this. But I figure I'll throw this out here too:
I have an instance of needing Cato SDP Client access - and the vendor's security team is allowing TCP443, but not UDP443 nor UDP1337. I saw the following recently:
https://support.catonetworks.com/hc/en-us/articles/360002577917-Client-TCP-Fallback-for-UDP-Tunnel
I have tested this with my own laptop that already has a user and was previously connected. Blocking all ports except TCP443 outbound from my infrastructure for my laptop caused the client to connect after about 90 seconds, and only via TCP. Success!
Installed a quick VM (Win 11, same Cato client version, fresh) and performed the same thing. With all access blocked except TCP443 (local DNS is still allowed, as well as ICMP outbound), the client does not ever fail over as described in the article.
Any thoughts? I figure there could be a hidden "registry setting" similar to what they have for changing the UDP ports in use by the client, but my searching has resulted in nothing. Additionally the support rep states they can force TCP at an account or site level, but that isn't what I need - I don't have sockets at these affected sites, just workstations on the internet (firewalled).