
Network Services

Cellular Boosters


Cellular boosters (also known as signal extenders, signal amplifiers, or cell phone repeaters) are devices that can enhance the performance and coverage of cellular providers. Cellular boosters can be connected to a public or private network to provide enhanced cellular signal within a building with low coverage.

DTS Networking allows the addition of cellular boosters onto the State’s network with the appropriate network configurations and approvals.  Agencies can request the installation of cellular boosters into a building where there is proven low cellular signal strength. Networking will allow data backhaul for cellular boosters on the State of Utah network via secure virtual local area networks (VLANs). DTS will not require carriers to run their own data circuits for each building with cellular boosters. 

In some buildings, there may be an installed Distributed Antenna System (DAS). Distributed Antenna Systems are fixed indoor antenna systems consisting of several antennas within a building to provide extended wireless coverage. DAS can be designed and implemented and can support multiple carriers. DAS will utilize a public or private network to connect signal back to the cellular provider. DTS Networking may allow data backhaul for a DAS on the State of Utah network via secure VLANs with appropriate configuration and approval.

Why:

Given the concrete, glass, and steel construction of state buildings, there have been notable concerns among several agencies regarding the reliability of cellular services for critical communications. This is particularly problematic as state employees heavily rely on cellular networks for both business and public safety purposes.

Features and Descriptions

Features

  • Increased cellular coverage in State owned and leased buildings.
  • Site surveys and installation completed by DTS technicians.
  • Data backhaul for cellular boosters on the State WAN.

Security

  • The CISO has approved cellular booster data to traverse the State of Utah network with secure VLANs.
  • Cellular booster MAC addresses must be added to the authorized list before they will be allowed onto the State Network.

Features Not Included:

  • Cellular Booster support services may require additional equipment and cabling costs that are not covered under the standard network services rate for user devices. See costs for more information.

 

DTS Responsibilities:

  • The DTS Network team will be responsible for deployment of cellular boosters to ensure that the correct network architecture is implemented at each location to reduce the impact of critical data on the State WAN.  
  • DTS Networking will deploy cellular boosters following the network architecture that has been reviewed and approved by DTS Security.
  • DTS Networking will implement security policies on the cellular boosters to only allow required communication with the cellular providers. 
  • DTS will maintain an approved device list in ServiceNow.

Agency Responsibilities:

  • Submit a ServiceNow incident (INC) request for cellular boosters for each building with the required information. 
  • Agree to pay rates and costs associated with adding cellular boosters to a building.
  • Agency representatives that are requesting cellular boosters will be required to stay engaged with DTS Networking and any other implementation groups to ensure that the cellular boosters are following the standard request and approval procedures.
  • Test the cellular booster installation to ensure that services are installed to the agency's satisfaction.
  • DGO Division of Facilities and Construction Management (DFCM) may need to be engaged for approvals.

Costs:

Provider Costs

  • Agencies may be required to pay the cost of the cellular boosters, if not provided by the cellular carrier. 

 

Installation

  • Agencies will be required to cover all costs associated with installation, including network cabling, power outlets, Power over Ethernet (PoE) adaptors, and Mobile Tech labor.
  • Cellular Boosters are to be properly installed by the DTS Networking team and are not allowed on desks.

 

Network Rate 

  • Each cellular booster will be charged a standard Network Services rate.

Bandwidth 

  • The bandwidth required to support the cellular boosters will not exceed 10% of the location’s total available bandwidth.
    • For example, if a booster design requires 25 Mbps of bandwidth, the site will be required to have a minimum bandwidth of 250 Mbps.
  • Agencies may be required to cover the cost of increasing a location’s bandwidth to meet the minimum bandwidth required to support cellular boosters.
    • For example, if the bandwidth standard provides up to 100 Mbps for a location and adding cellular boosters requires a minimum of 250 Mbps for that site, the agency would be responsible for the cost difference between 100 and 250 Mbps.

Processes

Ordering and Provisioning

Agencies will request the installation of cellular booster(s) in a building by submitting a ServiceNow incident (INC) to DTS Field Networking, including:

  • Location Name
  • Address
  • Billing ELCID
  • Point of Contact
    • Name
    • Email 
    • Phone 
  • Estimated number of employees at that location
  • Requested cellular carrier(s) (AT&T, Verizon, T-Mobile) 
  • Any other additional information to support your request

Cell Booster Installation Process Overview

| Step | Responsible Party |
|---|---|
| 1. Submits incident request | Agency |
| 2. Initial network review of site | DTS Networking |
| 3. Engage with provider(s) | DTS Networking & DTS Procurement |
| 4. Site preparation | DTS Networking |
| 5. DTS system entries | DTS Networking & DTS Procurement |
| 6. Approval for billing | Agency |
| 7. Schedule install | DTS Networking |
| 8. Close ticket | DTS Networking |

Service Level Objective

Service Level Objective will be “best effort” and any troubleshooting will only be to verify that the cellular booster has network connectivity and security policies are in place.  

 

DTS Networking is not responsible for cellular coverage or cellular connectivity. This product offering is only to provide network connectivity to the cellular booster.

Post Updated: October 24, 2023
Posted On: October 24, 2023

Wireless (Wi-Fi) Networking


The Division of Technology Services provides wireless (Wi-Fi) access to the State’s Wide Area Network (WAN) to authorized State and local government employees.

Wireless services are included as part of the Network Services rate for State agencies. State agency locations have wireless access points installed as per the defined standard depending on the building size.  

For existing locations that currently do not have wireless services please see ordering information below. Installation is dependent upon approval of the agency, network engineering team and available resources. The DTS Network team will perform an assessment and coordinate an installation plan to determine if there are any additional charges. 

DTS Networking will provide wireless access points (WAPs) based on the standard under Hardware section below. DTS Networking will maintain and replace all existing WAPs as they reach end of life (EOL).

Agencies are responsible for all cabling and the initial purchase of wireless access points for buildings that require additional WAPs above the standard. 

DTS Networking will provide recommendations to provide coverage in the requested areas. Coverage is determined by an Ekahau wireless survey report.

Features and Descriptions

SSIDs

DTS Networking currently provides wireless connectivity through four main SSIDs 

| SSID | Use |
|---|---|
| UWDN | Secure Employee WAN access |
| UWDN – PSK | Pre-shared key used primarily for IoT devices |
| CapNet | Guest Access – Internet Only |
| EduRoam | Student Access – Internet Only |

Hardware

  • DTS Networking will maintain and replace all existing WAPs as they reach end of life (EOL).
  • For existing buildings that do not currently have wireless, DTS Networking will provide WAPs based on the following:

| Site Size | Number of Employees | # of WAPs |
|---|---|---|
| Small | up to 25 | up to 4 |
| Medium | 26 to 50 | up to 8 |
| Large | 51 to 100 | up to 16 |
| Extra Large | over 100 employees | TBD |

Note: For buildings over 100 employees the number of WAPs will be proportional to the number of employees.

  • For new or remodeled locations the initial purchase of wireless access points should be included in the construction budget. 

Standards

  • 802.1x IEEE standards compliant: 802.11a; 802.11g; 802.11n; 802.11ac; 802.11ax.
  • Wi-Fi Protected Access WPA2 Enterprise
  • Wi-Fi 6 enabled hardware is utilized for new wireless access point deployments.

Customer Configuration

  • DTS Networking will assess custom configuration requests to determine feasibility and if existing designs can fulfill customer requirements. For custom configurations, additional expenses may be incurred, and may be negotiated through a Special Billing Agreement (SBA).
    • Public Wi-Fi is an example of a custom configuration that may be requested and designed for public facing state locations.

Authentication 

  • DTS Networking utilizes RADIUS authentication for access to UWDN for state employees.

Road Map

DTS Networking is continually exploring the need to update our wireless networks in response to evolving telecommunications, wireless technology, and authentication standards, as well as the growing adoption of zero trust principles. 

End of Life Access Points

Cisco Meraki has announced End of Life (EOL) for specific access points. DTS Networking is in the planning stages to replace access points in existing buildings. DTS Networking will upgrade the EOL devices to newer Wi-Fi 6 enabled devices.

  • January 2021  – EOL Announcement for specific MR models
  • April 2022 – End of Sale
  • July 2026 – End of Support 

DTS Networking will have a replacement schedule available as new hardware is delivered and installation will happen prior to the end of support date.

Authentication Enhancements

DTS Networking is undertaking several updates to our wireless network infrastructure. Here are the details of the updates:

  • Certificate-based Authentication (Future Enhancement)
    • As per legislative bill HB0545 to move towards a zero-trust environment, we are working to further secure our wireless networks. In collaboration with Desktop Support, we will be implementing the use of certificates on trusted user devices to establish secure connections to the State's employee Wi-Fi. This will be implemented on WPA2-Enterprise and is a requirement of the WPA3-Enterprise standards. The increasing trend is that newer devices require user or device certificates for authentication. This measure will enhance security and align with industry best practices. This effort is under development and more details will be shared in the future as we get closer to implementation.
  • Adoption of WPA3 Enterprise Authentication Standard (Future Enhancement): 
    • DTS Networking will be implementing the WPA3-Enterprise authentication standard. As part of this update, new SSIDs will be introduced. Initially, both WPA2-Enterprise and WPA3-Enterprise SSIDs will coexist to support devices that are compatible with either standard. However, the transition to WPA3 is necessary as newer devices will increasingly require this standard to make use of the latest Wi-Fi technologies. This update ensures compatibility with evolving wireless technology standards. This effort is under development and more details will be shared in the future as we get closer to implementation.

Features Not Included

Cabling

  • Customer agencies are responsible for all cabling costs associated with installation of wireless services.

Non Executive Branch Customers

  • Wireless Network configurations are not considered a standard feature. For any Non-State or Public Entities that are supported by DTS, a customizable wireless solution would be made available for additional costs and may be negotiated on a Special Billing Agreement (SBA).
  • See the Network Services for Non-State Agencies product description for more information.

Ordering and Provisioning

The order form for the product information described below may be found on the right side of this page.

DTS Responsibilities

  • DTS is responsible for maintaining the integrity and security of the State WAN and wireless network.
  • DTS is responsible for shutting down unauthorized wireless access points.
  • DTS will work with customer agencies to install wireless services.

Agency Responsibilities

  • Customer agencies will submit a request for wireless services.
  • Agencies are responsible for all cabling and the initial purchase of wireless access points (WAPs) for buildings that require additional WAPs above the standard.
  • For new or remodeled locations the initial purchase of wireless access points should be included in the construction budget. 
  • Customer agencies will work with DTS to install wireless services to comply with current network and wireless standards. 
  • Customer agencies agree to not install unauthorized wireless devices.
    • DTS will remove unauthorized wireless devices and install approved devices.
  • Wireless network users are responsible for complying with the State Acceptable Use Policy and the State Information Security Policy.

 

Post Updated: August 29, 2023
Posted On: August 29, 2023

Web URL Filtering


The Division of Technology Services provides web URL filtering on the State’s Network. The Web URL Filter will restrict, monitor and log Internet usage of users on the State of Utah Network. The Web URL Filter assigns web sites to one of a number of predefined categories. Categories which are being blocked across all State of Utah networks are defined in the Enterprise Web Filter Policy 5000-0004. The restricted categories are subject to review and may be changed at any time. Exceptions may be granted upon request, based upon work requirements.

Support

| Web Filtering | Support Hours | Days of Week |
|---|---|---|
| Web Filtering Exceptions or URL re-categorizations | 8 am – 5 pm | Mon – Fri |

  • Web Filtering support and metrics will be based on the business support hours and the days of the week identified in this product description.  

Features Included

Palo Alto

  • URL Filtering
  • Blocking websites based on categorization of URL
  • Category Based
  • Enterprise Wide
  • Exceptions Handled with AD for the UTAH Domain
  • Enforcement of AD exception groups

Active Directory

  • Identify Users
  • Groups identify what a user can do based on membership to group
  • Enforcement handled by Palo Alto

Exceptions

  • Exceptions are granted on a per-user basis, based on business requirements.
  • Exceptions require approval by the user's manager and the DTS Enterprise Information Security Office (EISO).

Features Not Included

Content Filtering

  • Content Filtering is not provided by Web URL Filtering.

Custom Categories Per Agency

  • The Web URL filter will use only the categories that will be used enterprise wide. A custom category is a defined category created to meet the needs of the Enterprise, such as Always Allow or Always Block. This is needed when a state web site is categorized in a blocked category that the vendor will not re-categorize due to page content. To request URL re-categorization, see Agency Responsibilities below.

Ordering and Provisioning

  • Web URL Filtering is not a product that needs to be ordered. Web URL filtering is provided on all state networks.
  • Exceptions are requested by having the user’s manager submit an email to webfiltering@utah.gov with justification. More information can be found in the DTS Web URL Standard and Process.

DTS Responsibilities

  • DTS is responsible for providing Web URL filtering across the State’s Networks. Web URL filtering is provided by evaluating web URLs and placing each URL into predefined categories. The restricted categories are subject to review and may be changed at any time.
  • The EISO maintains a list of approved exceptions for users.

Agency Responsibilities

  • Agency Management may request to have a website added to or removed from a category (on the grounds that the website is incorrectly categorized, or that the website should be open to all customers); this requires approval from the filtering vendor.
  • Agency Management may also request to exempt an Agency employee from being blocked from a filtered category (the customer has a business reason for accessing the website); this requires approval from EISO.

Rates and Billing

  • N/A

General Service Level and Metrics

  • All technical incidents and service requests, and certain types of orders, related to products and services provided by DTS will be reported to the DTS Enterprise Service Desk or to specialized Help Desks that support State agencies or DTS divisions and regions.  All incidents and requests will be captured in the DTS Help Desk application. DTS staff will provide timely acknowledgement and resolution of technical incidents and service requests.
  • DTS support staff, including staff directly assigned to the DTS Enterprise Service Desk, will exert all reasonable efforts to meet the Time to Initial Response (TIR) and Total Time to Resolution (TTR) targets set forth below.
  • The DTS Enterprise Service Desk is accessible 24×7 by telephone at 801-538-3440 or 800-678-3440. Live chat and direct user reporting of incidents are also available on the DTS website at dts.utah.gov. Published “Business Hours” for the DTS Service Desk are 8:00 AM-5:00 PM, Monday-Friday. Hours of support/on-call coverage vary by agency/division/region and product.

Incident Response and Resolution Targets

| Time to Initial Response Targets | % Tickets | Total Time to Resolution Targets | % Tickets |
|---|---|---|---|
| Low priority – 1 Business hour | 85% | Low priority – 6 Business hours | 90% |
| Medium priority – 1 Business hour | 85% | Medium priority – 4 Business hours | 90% |
| High priority – 1 Clock hour | 90% | High priority – 3 Clock hours | 90% |
| Critical priority – 30 Clock minutes | 95% | Critical priority – 3 Clock hours | 90% |


Customer Satisfaction Surveys and Reporting

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an on-line survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary.

Periodic reports will be created showing the level of satisfaction with resolution of incidents by specific support groups and the level of satisfaction of users by agency.

Customer Satisfaction Targets

| Metric Description | Target |
|---|---|
| Average level of satisfaction with resolution efforts | > 4.5 on a scale of 0 – 5 |
| Percentage of respondents satisfied or better with service received | 93% of respondents satisfied |

 

Post Updated: January 27, 2017
Posted On: January 27, 2017

Network Services for Non-State Agencies


The Division of Technology Services (DTS) operates a Wide Area Network (WAN) for all State of Utah Executive Branch agencies. DTS also provides WAN services for other State and non-State government entities (cities and counties). The State WAN provides gateway services to the public Internet and functions as a private fault tolerant network, connecting facilities in geographic locations statewide.

DTS will place and install all hardware, software, and facilities necessary to connect a non-State agency to the State WAN. Network Services include IP addressing, Domain Name System (DNS), Internet access, Web content filtering, security products (firewalls), virtual private network (VPN) termination and intrusion prevention systems (IPS), and the necessary tools and staff to support these services. Services are provided in a bundled product offering (see product features below).

DTS operates on a cost recovery basis and is therefore unable to quote one price that applies to all potential customers. Variables such as geographic location and transport requirements affect customer connectivity costs; connectivity costs are different for every customer.

Product Features and Descriptions

Wide Area Network

High availability to multiple locations.

Fault tolerant network with redundant paths from data centers to geographic hubs; these diverse paths are provided by the DTS network microwave services.

Specific infrastructure information may be obtained from the DTS Communications Planning Group.

General Functions and Duties

This product provides for network consulting, planning, and engineering. Services include the deployment of network products, operational support of network products, network tuning, and network diagramming; however, services do not include the acquisition or maintenance cost of other network based multi-media products.

Connection

Network utilization monitoring and bandwidth management.

Last mile connection from remote facilities to geographic hubs.

Wide Area Network Security

Firewall services between the Internet and the State WAN.

Backbone intrusion monitoring and management.

Access Control Lists (ACLs) for local LAN segments, where technically feasible. Note: Logging ACLs on router access lists is not provided to customers.

Packet screening to prevent IP spoofing from external networks.

IP Addressing

Manage address blocks.

Manage subnets, VLANs, and public/private IP assignments.

DNS Service

Manage host, MX, alias, and PTR records.

Host newly registered DNS domains and manage DNS records.

Delegate sub-domains per agency request.

Manage changes to DNS entries.

Provide instructions for registering new DNS names.

Internet Access

Content filtering, which blocks inappropriate or unauthorized access.

Redundant access paths.

Customer-specific filtering is available on request and requires customer identification through the State authoritative directory: UtahID. To request UtahID access, please use the following URL: http://login2.utah.gov/user  (select: register here).

VPN Sessions

DTS will provide secure VPN access into the State network from the Internet; pre-authorization is required. See VPN product information.

Network Operations and Monitoring

DTS Network Operations is a 24×7 service. Customers may contact the DTS Customer Service Center to report network problems by calling 801-538-3440 or 800-678-3440.

Other Features

Enterprise Security

Enterprise Security services are available upon request. Please refer to Enterprise Services on the DTS web site.

Features Not Included

Agency-Specific Solutions

DTS will assess and engineer appropriate network bandwidth by working with agency requirements.

DTS can provide unique WAN services, at an additional negotiated cost, if it is beyond a reasonable expectation.

Acquisition and/or maintenance costs of network based multi-media products (see Product Features: General Functions and Duties).

ACL logging is not provided to customers (see Product Features: WAN Security).

Email

Google provides state email enterprise services for Executive Branch agencies. Non-state entities may take advantage of the State contract and be supported directly by the provider.

Ordering and Provisioning

To inquire or order WAN services, please contact the DTS Customer Service Center by calling 801-538-3440 or 800-678-3440.

DTS Responsibilities

  • Provide network maintenance to the customer’s demarcation point.
  • Coordinate and notify customers of planned maintenance and outages.
  • Assess and engineer appropriate network bandwidth by working with the customer’s business requirements.
  • Maintain the integrity and security of the State WAN and Local Area Networks by shutting down ports that have been penetrated, or otherwise violate network security policies.
  • Conduct periodic device count audits, in accordance with the network device definition and published guidelines.
  • Conduct periodic Special Billing Agreement audits and update agreements as applicable.

Customer Responsibilities

  • Contact the DTS Customer Service Center to report network problems by calling 801-538-3440 or 800-678-3440.
  • Comply with State acceptable use policies: http://www.rules.utah.gov/publicat/code/r895/r895-007.htm.
  • Provide DTS router access lists.
  • Consult the assigned Network Planner when planning facility moves.
  • Pay for equipment installed by DTS and the replacement costs of any equipment that becomes obsolete. The equipment will remain under the ownership and management of DTS.
  • Notify the assigned Network Planner when planning to deploy applications that might affect network traffic.
  • Provide adequate space, power, cooling, etc. for State network equipment at each customer facility.
  • Provide physical security in facility locations that house State network equipment.
  • Provide the DTS assigned Network Planner a local contact at each facility that is capable of assisting with troubleshooting the customer’s WAN connection.
  • Comply with State security policies and standards; and adhere to additional network policies and standards as drafted and approved by DTS (see: DTS Policies and Procedures).
  • Adhere to State Acceptable Use Policy: http://www.rules.utah.gov/publicat/code/r895/r895-007.htm.
  • Prohibit open “rogue” Access Points in the network.
  • Coordinate extended network services to additional facilities with DTS WAN Planner.
Post Updated: September 22, 2023
Posted On: January 21, 2016

Network Services


The Division of Technology Services (DTS) operates a State Wide Area Network (WAN) as well as the State Local Area Networks (LAN) for all State of Utah Executive Branch agencies. DTS also provides WAN services for State and other government agencies with enterprise-wide, intra-state network services.

The State WAN provides gateway services to the public Internet and functions as a private fault tolerant network, connecting facilities in geographic locations statewide.

In FY2009, WAN and LAN services merged into Network Services, delivering jack-to-jack connectivity to agency customers, using a single rate.

Network Services include IP addressing, Domain Name System (DNS), primary domain email service, Internet access, web content filtering, security products such as firewalls, VPN termination and intrusion prevention systems (IPS), and the necessary tools and staff to support these services. Network Services will provide limited wireless connectivity for agencies (see the Wireless Services description in the following sections).

Included Functions and Duties

Services include consulting, engineering, network diagramming, deployment, and operational support.

Wide Area Network

  • Connectivity to agency locations for access to the Internet and system applications that reside in our data centers or cloud environments.
  • Network based encryption between remote locations and WAN Core.
  • Site to Site VPN tunnels.

Local Area Network

  • Connectivity from all edge network devices within agency locations to end-points using State approved best practices.
  • Network utilization monitoring and bandwidth management at edge network locations.

Network Circuits

  • Network circuits may be provided via several types of services including:
    • State Owned Fiber
    • Point to Point / MOE (Metro Optical Ethernet)
    • Business Class Internet (e.g. DSL, Local ISP, etc) 
    • Cellular
    • Satellite 
  • DTS Networking will provide the primary network circuits between remote facilities and state data centers.
  • DTS Networking may provide a secondary network circuit under the following circumstances (Secondary circuits are not guaranteed):
    • The location processes credit card payments
    • The location is a Network GeoHub or Aggregation site
    • If the primary circuit is using state owned fiber and
      • The location is providing residential housing with voice services reliant on network connectivity (e.g., USH and USDC)
      • The location is an administrative agency location (e.g. MASOB, DWS Admin) 
  • Agencies requesting additional circuits not covered under the standard will be required to cover the costs via Special Billing Agreement (SBA).
  • Building Entrance for fiber services will be paid for by the agency unless special funding is available and approved.

Bandwidth Standard 

    • DTS Networking will provide bandwidth based on the number of employees at a given location.
    • The bandwidth listed below is not guaranteed. 
    • Networking will complete a utilization assessment and provide bandwidth based upon findings.

| Site Size | Number of Employees | Bandwidth |
|---|---|---|
| Small | up to 25 | up to 50 Mbps |
| Medium | 26 to 50 | up to 100 Mbps |
| Large | 51 to 100 | up to 500 Mbps |
| Extra Large | over 100 employees | up to 1 Gbps |
| Campus | Multiple Buildings | up to 10 Gbps |

  • Agencies requesting bandwidth above the recommended standard from the bandwidth assessment may pay the difference in cost for both circuit charges and additional hardware requirements via a Special Billing Agreement (SBA).
    • Example: The standard provides up to 100 Mbps for a location. An agency requests 200 Mbps for that site. The agency would be responsible for the cost difference between 100 and 200 Mbps.

Network Hardware

  • Agencies paying DTS Network Service rates (Standard & IoT) will be provided the necessary network hardware.  
  • DTS Networking will provide hardware based on the following standard:
    • Network Router / Security Appliance 
    • Network Switches 
    • Wireless Access Points (See Wireless Access product description for more information)

Devices on the State Network

  • Unmanaged switches or hubs are NOT authorized on the State WAN and will be disabled or blocked. 
    • If additional ports are needed, please submit a ServiceNow request to have additional wiring installed. (See Network Services – Add Ons for more information.)
  • All devices connected to the state network (excluding Guest Wireless, i.e. CapNet) must be authorized and will be billed one of the following network services rates: standard Network or Network IoT.
  • State employees covered by the monthly standard Network service rate for desktop or laptop purposes may use a mobile device, such as a phone or tablet, without incurring an additional network rate.
    • However, employees may not avoid the Network services rate by opting for a mobile device only or by “Bringing Your Own Device” (BYOD).
  • The following device types will be charged the standard Network Service rate:
    • Workstations – Desktops/Laptops
    • Security camera systems/servers
    • Streaming TVs/DVR systems (e.g. Roku)
    • Cellular Boosters 
  • The following device types may be charged a Network IoT (Internet of Things) service rate (See IoT product description for more information):
    • Building or Environmental Controls (e.g. HVAC, door access)
    • Printers
    • Credit Card readers 
    • Individual cameras 
    • Miscellaneous items that may also be subject to the IoT rate 
      • Some examples include: Seismograph, warehouse crane, air monitoring, fingerprinting, scan guns, non streaming TV systems

Security

  • Firewall services between the Internet and the state WAN.
  • Firewall VSYS / context creation and removal.
  • Backbone intrusion monitoring and management.
  • GeoBlocking – limiting access to state resources based on physical location. 
  • Access Control Lists (ACLs) for local LAN segments, where technically feasible.
    • Note: Logging on router access lists is not provided to customers.
  • Packet screening to prevent IP spoofing from external networks.
  • Firewall rule management and support (See Firewall Rule Management for more information). 
  • For additional security services see the Enterprise Security product description.

IP Addressing

  • Manage IP address space.
  • Management of DHCP and IP address reservations.
  • Manage subnets, VLANs and public/private IP assignments.

DNS Service

  • Manage host, MX, alias and PTR records.
  • Host newly registered DNS domains and manage DNS records.
  • Delegate sub-domains per agency request.
  • Manage changes to DNS entries.
  • Provide instructions for registering new DNS names.

Internet Access

  • High bandwidth Internet access from our primary data center with redundant internet connection
  • Secondary data center Internet access available for configuration with system applications
  • Content filtering and blocking inappropriate or unauthorized access.
  • See the Web URL Filtering product description for more information. 

VPN

  • Networking provides secure user VPN access into the state network from the Internet; pre-authorization is required.
  • Networking can provide site to site VPN tunnels.
  • See the VPN product description for more information.

Wireless Access 

  • See Wireless Network (WiFi) product description for more information.

Cellular Boosters

  • See the Cellular Boosters product description for more information.

Non Executive Branch Customers

  • See the Network Services for Non-State Agencies product description for more information.

Features Not Included

See the Network Services – Add Ons product description for more information. These services may require an additional negotiated cost or be dependent on available funding. See DTS Consulting Rate table under Rates and Billing.

Additional Firewalls or Security

DTS can help evaluate and develop a solution for additional security requirements.

  • Customized site to site tunnel design and configuration

Wiring and Cable Design

A DTS wiring specialist will review customer requests and will engineer a solution or plan using the latest technology in accordance with code, and industry best standards and practices. 

  • Agencies will be responsible for the costs of supplying, installing, or upgrading the agency’s infrastructure cabling.
  • All copper wiring must be at current standard (Cat5e or better).

Agency-Specific Solutions

  • DTS will assess and engineer appropriate network bandwidth by working with agency requirements.
  • DTS can provide unique WAN or LAN connections, at an additional negotiated cost via Special Billing Agreement (SBA).

DTS Responsibilities

  • Provide jack-to-jack network maintenance
  • Coordinate customer notification of planned maintenance and outages
  • Assess and engineer appropriate network bandwidth by working with agency business requirements
  • Provide network service in an efficient and economical manner—to include using bandwidth monitoring statistics to justify enhancements
  • Maintain the integrity and security of the State WAN and Local Area Networks by shutting down ports that have been penetrated or that otherwise violate network security policies
  • Conduct periodic device count audits, in accordance with the network device definition and published guidelines
  • Conduct periodic Special Billing Agreement (SBA) audits and update agreements as applicable
  • Network Solutions Engineer and technical support staff must document the firewall configurations so that agencies that need access to applications have access—i.e., enabling state interoperability.

Agency Responsibilities

  • Comply with the state Acceptable Use Policy: https://dts.utah.gov/policies/documents/1000-0003acceptableuse.pdf
  • Provide security requirements.
  • Consult with DTS Networking when planning facility moves.
  • Notify DTS Networking when planning to deploy applications that might affect network traffic by submitting the appropriate request.
  • Provide adequate space, power, cooling, etc. for state network equipment at each agency facility.
  • Provide physical security in facility locations that house state network equipment.
  • DTS customers should provide DTS Networking a local contact at each facility who is capable of assisting with troubleshooting customer concerns.
  • Comply with state security policies.
  • Facility cabling is the responsibility of the agency.
  • Agencies are responsible for reviewing their Network Bill from DTS in a timely manner for accuracy.
  • Ensure that unmanaged switches or hubs are NOT installed on the State WAN. These unmanaged hubs are NOT authorized and will be disabled or blocked. 
  • Contact DTS Networking if unmanaged switches are identified by submitting an incident ticket.

 

General Service Levels and Metrics

  • See the General Service Levels and Metrics product description for more information.

All technical incidents, service requests, and certain types of orders related to products and services provided by DTS will be reported to the DTS Enterprise Service Desk or to specialized Help Desks that support State agencies or DTS divisions and regions. All incidents and requests will be captured in the DTS ServiceNow application. DTS staff will provide timely acknowledgement and resolution of technical incidents and service requests.

DTS support staff, including staff directly assigned to the DTS Enterprise Service Desk, will exert all reasonable efforts to meet the Time to Initial Response (TIR) and Total Time to Resolution (TTR) targets set forth below.

The DTS Enterprise Service Desk is accessible 24×7 by telephone at 801-538-3440 or 800-678-3440. Live chat and direct user reporting of incidents are also available on the DTS website at dts.utah.gov. Published “Business Hours” for the DTS Service Desk are 7:00 AM-6:00 PM, Monday-Friday. Hours of support/on-call coverage vary by agency/division/region and product.

Incident Response and Resolution Targets

Time to Initial Response Targets | % Tickets | Total Time to Resolution Targets | % Tickets
Low priority – 1 Business hour | 85% | Low priority – 6 Business hours | 90%
Medium priority – 1 Business hour | 85% | Medium priority – 4 Business hours | 90%
High priority – 1 Clock hour | 90% | High priority – 3 Clock hours | 90%
Critical priority – 30 Clock minutes | 95% | Critical priority – 3 Clock hours | 90%

Customer Satisfaction Surveys and Reporting

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an on-line survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary.

Periodic reports will be created showing the level of satisfaction with resolution of incidents by specific support groups and the level of satisfaction of users by agency.

Customer Satisfaction Targets

Metric Description | Target
Average level of satisfaction with resolution efforts | > 4.5 on a scale of 0–5
Percentage of respondents satisfied or better with service received | 93% of respondents satisfied

Post Updated: September 22, 2023
Posted On: January 21, 2016

Remote Access VPN

A Virtual Private Network (VPN) enables remote users to communicate confidentially over a public network (i.e., between a public Internet connection and the State of Utah network).

Note: You can read the related DTS Remote Access VPN Procedure at the end of this product description.

DTS provides two methods for State employees to connect to the state network:

  • VPN: VPN provides a convenient solution for State employees who occasionally work off-site and for those who access state IT resources from public facilities or kiosks. This option also provides temporary access to restricted State applications for vendors or contractors. VPN uses SSL (Secure Sockets Layer) to secure traffic between a remote computer and restricted State IT resources.
  • VPN Client: VPN provides a robust solution for power users who work off-site on a regular basis. It provides the same level of access to State IT resources as if the users were connected at their offices. The VPN Client is desktop software that secures traffic between a remote computer and restricted State IT resources—all data traffic is encrypted.

The hours of support required for Remote Access VPN are listed below.

Hours of Support

Application | Support Hours | Days of Week
VPN Appliances | 24 hours a day | 7 days a week
VPN Client | Business Hours: 7am to 6pm | Monday – Friday, excluding holidays

Product Features and Descriptions

Secure Connection

Remote Access VPN establishes a virtual private network (VPN) that enables remote users to communicate confidentially over a public network—i.e., from public Internet connections.

Data Encryption

User credentials and all data traffic are encrypted via SSL/TLS.

User Authentication

  • Users are allowed access to restricted state IT resources only if they can verify identification at login.
  • Unauthorized users are not permitted access.

Authentication Directory

  • Each user is authenticated to UtahID.
  • DTS maintains UtahID.

Palo Alto

Palo Alto Appliances provide redundant, scalable network devices that perform end-point security for remote-user configurations. DTS operates and maintains the infrastructure.

Two Factor

Two-factor authentication is enabled by default on all user VPN groups.

Solution for Infrequent or Temporary Off-site Users

  • Authorized access to restricted State IT resources for State employees who occasionally work off-site.
  • Temporary authorized access to restricted State applications for vendors, contractors, and other State business partners.

Features Not Included

Remote Access Connection

The customer must have a remote access connection—e.g., commercial DSL, cable modem service, public kiosk service, etc.

Internet Service

The user must have Internet service on his or her remote access connection.

Two Factor Support

Two-factor infrastructure support and maintenance fall under DTS Identity and Access Management.

Non-State Equipment

Support for non-state (i.e., personal) equipment.

Ordering and Provisioning

To order the Remote Access VPN product, or to request a new VPN group, select the Order VPN Access or Request New VPN Group buttons at the top right of this page.

Note: CenturyLink FTTN and Independent Telcos providing DSL require VPN services.

DTS Responsibilities

  • DTS will deliver the product described in this product description.
  • DTS will provide instructions for product use.
  • DTS will operate and maintain Palo Alto Appliances.
  • To ensure the security of State information technology resources, DTS may block telecommuters’ access to the State Network when troubleshooting security intrusions.
  • DTS will enforce the VPN, State Information Security and Appropriate Use policies.
  • VPN Client: DTS will provide instructions for installing and configuring the VPN Client software.

Agency Responsibilities

  • The customer will adhere to their agency’s policies and procedures in submitting online orders that have been properly approved.
  • The customer will obtain a remote access connection—e.g., commercial DSL or cable modem.
  • The customer must have a UtahID account.
  • Non-state employee customers must be sponsored by a State of Utah agency.*

*Note: Non-state employee customers will be sent the directions by the DTS help desk on how to install VPN.

Web VPN

  • The customer’s Web browser must support SSL.

VPN Client

  • The desktop support technician assigned to the customer’s agency will set up the customer’s computer with software required to access the agency LAN and other business software required by the VPN user.
  • The desktop support technician assigned to the customer’s agency will assist the customer with installing and configuring the VPN Client software as requested.
  • VPN customers will comply with the State Acceptable Use Policy, the State Information Security Policy, and the VPN Policy. Non-state assets must be approved by authorized agency and security personnel.

System Requirements

  • Desktop clients supported include:
    • Windows 10
    • Apple macOS 10.11 or higher.
  • Mobile devices supported include:
    • Google Android 5.x or higher 
    • Apple iPadOS 10 (64-bit devices only) 
    • Apple iPhone iOS 10 or higher (64-bit devices only)
  • Web browsers must be SSL/TLS compliant.

DTS Networking, in coordination with DTS Security guidance, will be enabling VPN Posturing on the state VPN groups for devices accessing the state network. Posturing is the process to assess the compliance profile of a device and determine the level of network access granted. In order to be in compliance, devices must have:

  • Forescout Agent
  • Nessus Agent
  • Updated OS Version
  • Sectigo Antivirus
  • Hard Drive Disk Encryption
  • SCCM or MDM Agent
  • Utah AD Domain Membership

If a device is considered to be out of compliance, access to the state network will be restricted or limited, and the user will need to contact the DTS Help Desk to resolve the issue and bring the device into compliance.

DTS Service Levels and Metrics

In an effort to improve service to our customer agencies, DTS will measure and report on the following enterprise metric goals:

  • Application Availability
  • Resolution Time
  • Initial Response
  • First Contact Resolution 
  • Customer Satisfaction Surveys and Reporting

Application Availability

Application availability measures DTS’s efforts to ensure that agency key business applications meet the percentage of availability goals identified in each agency’s service level agreement. DTS will determine application availability based upon the collective measurement of the configuration items (both hardware and software) that are required in order to support the agency business services applications. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php

Metric Description | Target Percentage of Application Availability*
System Availability | The VPN appliance needs to be available 24 hours a day 7 days a week excluding scheduled maintenance. We are striving for 99% availability during the supported hours. This will allow for unplanned downtime due to unforeseen events.

Table Note: *Times exclude those tickets in a “Pending” status waiting for a known bug fix.

Resolution Time

Resolution time measures DTS’s efforts to resolve customer incidents within the timelines set below based on urgent, high, medium, and low priorities. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php

Total Time to Resolution | Target Percentage of Tickets Meeting Priority Timelines
Low priority: 6 business hours | 90%
Medium priority: 4 business hours | 90%
High priority: 3 clock hours | 90%
Critical priority: 3 clock hours | 90%

Initial Response

Initial response measures DTS’s efforts to respond to customer incidents within the timelines set below based on urgent, high, medium, and low priorities. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php.  

Time to Initial Response | Target Percentage of Tickets Meeting Priority Timelines
Low priority: 1 business hour | 85%
Medium priority: 1 business hour | 85%
High priority: 1 clock hour | 90%
Critical priority: 30 clock minutes | 95%

First Contact Resolution

First contact resolution measures DTS’s efforts to resolve customer incidents on a customer’s initial contact with either our help desk or a technical specialist. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php

Metric Description | Target Percentage of Reported Incidents Resolved on Initial Contact
First Contact Resolution | 65%

Customer Satisfaction Surveys and Reporting 

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an online survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary. 

The chart below identifies DTS enterprise goals for customer satisfaction. Cumulative monthly reports will be created displaying the level of customer satisfaction with DTS support. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php

Metric Description | Target Levels of Customer Satisfaction
Average level of satisfaction with resolution efforts | ≥ 4.5 on a scale of 0–5
Percentage of respondents expressing satisfaction (vs. dissatisfaction) | 93% of respondents satisfied

Remote Access VPN Request Procedure

Purpose

This procedure describes how users can submit requests for virtual private network (VPN) access.

Scope

This procedure applies to all State of Utah VPN users.

Procedure

Users can submit VPN requests from the DTS website by going to the Remote Access VPN product description and selecting Order VPN Access.

Users can also access the Remote Access Request Form directly using the attached link or through ServiceNow by going to the Service Catalog, selecting HelpDesk, and then selecting Remote Access Request.

After selecting Remote Access Request, the submitter’s information will be autopopulated from the Requested for field. You can also search for a different user in this field.

The user should then select VPN from the Remote Request Type field, fill in the Justification field, and complete the other required fields.

Note: A user can request remote access for more than one user by:

  • selecting the Remote access is needed for more than one user checkbox, as shown in the following image; and
  • attaching to the Remote Access Request Form a csv list (using the linked template) that includes the following information for each user who requires remote access:
    • email address, and
    • VPN group name (without the VPN prefix).

To request VPN remote access, a requester must have a UtahID account with access to the state’s network. (If the requester does not have a network login already established, the requester should first submit an Agency Employee Access Request Form before submitting a remote access request. The Agency Employee Access Request Form can be accessed directly using the attached link or through ServiceNow by going to the Service Catalog, selecting Agency Requests, and then selecting Agency Employee Access Request. The Agency Employee Access Request Form can also be used for contractors.) When the requester’s account is ready, a VPN request can then be submitted.

Information Not Specified

If a user has no company, is not a State employee, or has no division, or if no approver has been specified for the user’s agency, ServiceNow checks for approval governance. The approval governance is a system that allows approvals to be customized by agency and division. If ServiceNow can’t find approvers, it will generate a task for the Enterprise Security Team to approve the request or designate an approver for the agency’s division.

Once the request is formally submitted, an automated email (as shown below) will be sent to the approver requesting VPN approval.

To approve, the approver should click on the blue text: Click here to approve RITM #

To reject, the approver should click on the blue text: Click here to reject RITM # 

Example VPN Request Email

Utah Division of Technology Services Service Desk Notification
Remote Access Requested for: Cheri Oldham
Short Description: Remote Access is being Requested
Priority: 4 – Low
Category:

Summary of Change request:
Request Type = HR Request
Requested for = Cheri Oldham
Company = Dept of Technology Services
Department = 2762
Division = DTS OPERATIONS 2700
Phone = (801) 538-3440
Alternate Phone =
Alternate Approver =
Which Agency is responsible for this Request? =
Location = CENTRAL UTAH CORRECTIONAL FACILITY
Street = 255 E 300 N
City = GUNNISON
Manager = Scott Moffitt
Manager’s Phone = 4356342129
Action = Add/Change Access
Remote Request Type = VPN
Which Group should the Requester be in, or which person should they be setup like? = general
Remote access is needed for more than one user. = false
Which Agency or Entity is making this request. = Dept of Technology Services
Pick a Division (if applicable) =
Justification =
Comments =

Click here to approve RITM0114737
Click here to reject RITM0114737

Click here to view Approval Request: LINK
Click here to view Requested Item: LINK

Having trouble? Get help at dts.utah.gov or contact your Help Desk at 801-538-3440.

Manage Preferences

Ref:MSG14845392

Once approval has been granted, ServiceNow will create a new task for your help desk to fulfill the VPN access. After your help desk grants access, an email will be sent by the help desk to the individual listed in the Requested for field of the Remote Access Request Form with instructions for installing VPN. The task can then be closed and the request is completed.

Post Updated: August 28, 2023
Posted On: January 21, 2016

Site to Site VPN (Virtual Private Network)

Site-to-Site VPN provides a secure and encrypted network connection for business transactions conducted between users and systems on one network and users, systems, and applications located on another network.

Site-to-Site VPN is a service for State agencies that need secure and encrypted access to business applications located on another network—e.g., a federal agency application or an application on another State agency’s subnet.

Site-to-Site VPN service provides agency application administrators or security staff the ability to dedicate long-term access to specific restricted services for a group of users—e.g., a business to business Extranet.

LAN-to-LAN VPN Product Features

Secure Business to Business Transactions

Dedicated long-term access for a group of users (or servers) on one network to specific restricted services located on another network.

Secure Connection

A Virtual Private Network (VPN) between networks internal or external to the state Wide Area Network.

Configuration

DTS staff work personally with the LAN Administrator assigned to an agency to configure the Site-to-Site VPN to meet specific business requirements.

ASA

Adaptive Security Appliances (ASAs) provide redundant, scalable network devices that perform end-point security for Site-to-Site configurations. DTS operates and maintains the ASAs.

 

Product Benefits

Security:

Many State agency businesses require access to applications maintained by other organizations located on external networks or subnets. Those organizations often require secure access to their network to reduce risk to their IT resources. Site-to-Site VPN configures a secure gateway to those business applications.

Ease of use:

Once the Site-to-Site VPN is set up, users don’t have to do anything—the service is transparent.

Business effectiveness:

State agencies can conduct requisite business transactions on other agencies’ or businesses’ secure networks.

Ordering and Provisioning

To order the Remote Access VPN product, please refer to the product request form on the DTS website.

DTS Responsibilities

  • DTS will work with the customer or the LAN Administrator assigned to the customer agency to obtain the parameters required to set up and test the requested Site-to-Site VPN.
  • DTS will provide instructions for product use.
  • DTS will operate and maintain the Adaptive Security Appliances (ASAs).
  • To ensure the security of State information technology resources, DTS may block access to any State network node when troubleshooting security intrusions.
  • DTS will enforce State Information Security and Appropriate Use policies.

Agency Responsibilities

  • The customer will adhere to their Agency’s policies and procedures in submitting orders that have been properly approved.
  • The customer agency will submit a Site-to-Site VPN request to DTS through the DTS website.
  • The customer will complete the online request form, including customer contact information, IP addresses, and Internet Key Exchange (IKE) and Internet Protocol Security (IPSEC) information.
  • The customer or the LAN Administrator assigned to the customer’s agency will work with DTS Network Operations to provide network parameters required to set up and test the requested Site-to-Site VPN.
  • The customer or the LAN Administrator assigned to the customer’s agency will support the end-users’ access to the business-related application or network on the far end of the Site-to-Site VPN.
  • Customers will comply with the State Acceptable Use Policy and the State Information Security Policy.

System Requirements

End nodes must be IPSEC devices.

Post Updated: October 11, 2023
Posted On: January 21, 2016