CATO SECURE ACCESS FOR WFH EMPLOYEES

CATO Secure Access Phases

As part of the implementation of the OP360 Secure Access Service, we are deploying the secure connectivity tool from CATO Networks in phases.

Phase 1: CATO Secure Access Deployment

  1. CATO Client Agent Installation
  2. Device Compliance Check
  3. Multi-Factor Authentication (MFA)

Phase 2: Test Access and Security Policies

  1. Remote User CATO Networks Access Test

Phase 3: Restrict access to AllSec Check-In / Check-Out

  1. Once deployment is complete, CATO Secure Access will be required to access AllSec Check-In / Check-Out from outside the office.

Overview.

Phase 1:

  1. CATO Client Agent Installation Overview

    1. Automatic Deployment of the Cato Client agent by Endpoint Central
    2. Manual Deployment of the Cato Client agent
      1. Download the Cato Windows Client
      2. Install the Cato Client on your Windows device
    3. Check if the Cato Windows Client is installed on your device
      1. In the System Tray
      2. In the Windows Search Box
      3. In the Windows Menu applications
  2. Device Compliance Check Overview
    1. Endpoint Central AND CrowdStrike agents must be installed.
  3. Multi-Factor Authentication (MFA) Overview
    1. Open the Cato Client Application
    2. Connect to the Cato Network
    3. For First Time Users
      1. Setup Microsoft Authenticator for MFA.
      2. Cache Credentials
    4. For Subsequent Logins
      1. Cato Client will connect automatically with the Cached Credentials

Phase 2:

  1. Remote User CATO Networks Access Test Overview
    1. Remote WFH User must be able to access the test CATO network URL
    2. A successful message must be displayed

__________________________________________________________________

Detailed Steps and Procedures.

Phase 1:

  1. CATO Client Agent Installation
    1. Automatic Deployment of the Cato Client agent by Endpoint Central
      1. During Phase 1, the CATO Client Agent was deployed via Endpoint Central to all WFH computers starting in the first week of January 2025.
    2. Manual Deployment of the Cato Client agent
      1. Download the Cato Windows Client.
        1. From a browser, open the Client download portal, and select the Windows tab.
        2. Click Cato Client for Windows. The Cato Client setup file is saved to your device. Note where it was saved.
      2. Install the Cato Client on your Windows device.
        1. Open the Cato Client for Windows setup file that you downloaded and follow the steps in the installation wizard.
    3. Check if the Cato Windows Client is installed on your device
      To check if the Cato agent is installed, look in the following areas of your computer.
      1. In the System Tray.
        1. Click on the up-arrow icon on the bottom-right corner of the taskbar.
        2. Look for the orange square with the white ring and hover the mouse over it. It should say “Cato Client”.
      2. In the Windows Search Box.
        1. Type “Cato Client” in the Windows Search Box.
        2. The Cato Client app should appear on the Windows menu.
      3. In the Windows menu applications.
        1. Click on the Windows icon and scroll for the Cato Networks -> Cato Client item.
  2. Device Compliance Check
    1. Endpoint Central AND CrowdStrike agents must be installed.
      1. In Windows Settings and Apps & Features, search for the Endpoint Central ManageEngine UEMS agent application.
      2. In Windows Settings and Apps & Features, search for the CrowdStrike agent.
      3. If one or both agents are not installed, an error will be displayed when connecting to CATO Networks.
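
The same installed-software check can be run from a PowerShell prompt before connecting. This is an added example, not part of the original procedure or of any vendor tooling. The DisplayName patterns, and the premise that all three products register under the HKLM Uninstall registry keys, are assumptions; adjust the patterns to match what Apps & Features shows on your machines.

```powershell
# Added example: pre-check for the software this guide requires before connecting.
# ASSUMPTION: the DisplayName patterns below are illustrative, not vendor-confirmed.
$required = [ordered]@{
    'Cato Client'                   = '*Cato*Client*'
    'Endpoint Central (UEMS) agent' = '*ManageEngine*UEMS*'
    'CrowdStrike agent'             = '*CrowdStrike*'
}

# Installed-program entries for all users (64-bit and 32-bit registry views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every entry that has a display name (entries without one are hidden
# from Apps & Features as well).
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion

# Build one report row per required component.
$report = foreach ($name in $required.Keys) {
    $match = $installed |
        Where-Object { $_.DisplayName -like $required[$name] } |
        Select-Object -First 1
    [pscustomobject]@{
        Component = $name
        Installed = [bool]$match
        FoundAs   = $match.DisplayName
        Version   = $match.DisplayVersion
    }
}

$report | Format-Table -AutoSize

# Summarise so the result can be pasted into a Freshservice ticket.
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ('Not found: ' + ($missing.Component -join ', ') +
        '. Install the missing component(s) before connecting.')
} else {
    Write-Output 'All required components found.'
}
```

A "Not found" result only means no matching entry exists in these registry keys; confirm in Apps & Features before filing a ticket.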
         
  3. Multi-Factor Authentication (MFA)
    1. Open the Cato Client Application
      Note: DO NOT open the Cato Client on your mobile device. It will be blocked anyway.
      1. From the System Tray.
        1. Click on the up-arrow in the System Tray, right-click on the Cato Client icon, and click on Open Cato Client.
      2. From the Windows Search Box.
        1. After searching for Cato Client, click on the Cato Client app icon, or click on Open, or click on Run as Administrator.
      3. From the Windows menu applications.
        1. Click on the Cato Client icon in the menu.
    2. Connect to the Cato Network
      1. Click on the Power or Connect button.
      2. The client will begin to connect and authenticate to the CATO network.
      3. Device is Not Compliant.
        1. If your computer does not have the Endpoint Central and CrowdStrike agents installed, you will receive this message and will not be able to proceed.

          To fix this, have the Endpoint Central agent and CrowdStrike Falcon agent installed on your computer. You may reach out to IT Operations personnel and/or file a Freshservice ticket. Resume when compliant.
          If the device is compliant, proceed with “For First Time Users” below.
    3. For First Time Users
      Users connecting for the first time to CATO networks will have to set up Microsoft Authenticator for Multi-Factor Authentication.
      1. Set up Microsoft Authenticator for MFA
        Type your complete email address and click on Continue.
      2. If Cato prompts for the Subdomain, it means that you are not licensed to join the Cato network. Inform your manager and file a Freshservice ticket for a license.
      3. For now, click on the X icon on the top right of the message box to close the Cato Client app.
      4. Proceed if you have a Cato license assigned.
      5. Sign in with Azure.
      6. Type in your User Principal Name (UPN), which is composed of your Active Directory Username or NT Login name plus the domain name. Example:
        Login name:  sjruiz
        Domain name is always: @officepartners360.com
        Resulting UPN:  sjruiz@officepartners360.com

        Note: This is not your email address, which can be personalized and different from your Login Name.

        Disregard the Sign-in options. Click on Next.

      7. Note: Cato MFA will work with the Microsoft Authenticator app only. Click on Next.
      8. Install the Microsoft Authenticator app on your mobile device if you don’t have it yet. You may download the installer from Google Play or Apple Store. Click on Next after installation. You may reach out to Desktop IT or IT Operations for assistance in the MFA installation and setup. Alternatively, you may file a Freshservice ticket.
      9. Open the Microsoft Authenticator app on your mobile device and scan the QR code on the screen.
      10. Enter the verification number provided by Cato into the Microsoft Authenticator app on your mobile device.
      11. Authorize on the mobile Microsoft Authenticator app and click on Next.
      12. MFA is successfully set up. Click on Done.

        CACHE YOUR CREDENTIALS.
        Check Don’t show this again and click Yes. This reduces how often you have to enter your credentials again.
      13. You are now successfully connected to the Cato Network.
    4. For Subsequent Logins
      Users who have already set up Microsoft Authenticator and have cached credentials will automatically be logged in to the Cato Network after clicking on Connect. Just open the Cato Client and click on the Connect or Power-on button.

      You should automatically be logged in to the Cato Network.

Phase 2: Test Access and Security Policies

Once all WFH employees have successfully logged into CATO, we will proceed with Phase 2, which involves testing of access and restrictions.

  1. Remote User CATO Networks Access Test
    Test the Secure Access page
    1. While connected to the CATO network, please access this URL https://test.officepartners360.com in a browser.
    2. The webpage should display the message “You are all set.” This mimics the restriction set on AllSec’s Check-In/Check-Out Module once we go live in Phase 3.