
Network Services

Web URL Filtering

The Division of Technology Services provides web URL filtering on the State’s Network. The Web URL Filter will restrict, monitor and log Internet usage of users on the State of Utah Network. The Web URL Filter assigns web sites to one of a number of predefined categories. Categories which are being blocked across all State of Utah networks are defined in the Enterprise Web Filter Policy 5000-0004. The restricted categories are subject to review and may be changed at any time. Exceptions may be granted upon request, based upon work requirements.

Support

| Web Filtering | Support Hours | Days of Week |
|---|---|---|
| Web Filtering Exceptions or URL re-categorizations | 8 am – 5 pm | Mon – Fri |

  • Web Filtering support and metrics will be based on the business support hours and the days of the week identified in this product description.  

Features Included

Palo Alto

  • URL Filtering
  • Blocking websites based on categorization of URL
  • Category Based
  • Enterprise Wide
  • Exceptions Handled with AD for the UTAH Domain
  • Enforcement of AD exception groups

Active Directory

  • Identify Users
  • Groups identify what a user can do based on membership to group
  • Enforcement handled by Palo Alto

Exceptions

  • Exceptions are granted on a per-user basis, based on business requirements.
  • Exceptions require approval by the user’s manager and the DTS Enterprise Information Security Office (EISO).

Features Not Included

Content Filtering

  • Content Filtering is not provided by Web URL Filtering.

Custom Categories Per Agency

  • The Web URL filter will use only the categories that will be used enterprise wide. A custom category is a defined category created to meet the needs of the Enterprise, such as Always Allow or Always Block. This is needed when a state web site is categorized in a blocked category that the vendor will not re-categorize due to page content. To request URL re-categorization, see Agency Responsibilities below.

Ordering and Provisioning

  • Web URL Filtering is not a product that needs to be ordered. Web URL filtering is provided on all state networks.
  • Exceptions are requested by having the user’s manager submit an email to webfiltering@utah.gov with justification. More information can be found in the DTS Web URL Standard and Process.

DTS Responsibilities

  • DTS is responsible for providing Web URL filtering across the State’s Networks. Web URL filtering is provided by evaluating web URLs and placing each URL into predefined categories. The restricted categories are subject to review and may be changed at any time.
  • The EISO maintains a list of approved exceptions for users.

Agency Responsibilities

  • Agency Management may request to have a website added to or removed from a category (on the grounds that the website is incorrectly categorized, or that the website should be open to all customers); this requires approval from the filtering vendor.
  • Agency Management may also request to exempt an Agency employee from being blocked from a filtered category (when the customer has a business reason for accessing the website); this requires approval from EISO.

Rates and Billing

  • N/A

General Service Level and Metrics

  • All technical incidents and service requests, and certain types of orders, related to products and services provided by DTS will be reported to the DTS Enterprise Service Desk or to specialized Help Desks that support State agencies or DTS divisions and regions.  All incidents and requests will be captured in the DTS Help Desk application. DTS staff will provide timely acknowledgement and resolution of technical incidents and service requests.
  • DTS support staff, including staff directly assigned to the DTS Enterprise Service Desk, will exert all reasonable efforts to meet the Time to Initial Response (TIR) and Total Time to Resolution (TTR) targets set forth below.
  • The DTS Enterprise Service Desk is accessible 24×7 by telephone at 801-538-3440 or 800-678-3440. Live chat and direct user reporting of incidents are also available on the DTS website at dts.utah.gov. Published “Business Hours” for the DTS Service Desk are 8:00 AM-5:00 PM, Monday-Friday. Hours of support/on-call coverage vary by agency/division/region and product.

Incident Response and Resolution Targets

| Time to Initial Response Targets | % Tickets | Total Time to Resolution Targets | % Tickets |
|---|---|---|---|
| Low priority – 1 Business hour | 85% | Low priority – 6 Business hours | 90% |
| Medium priority – 1 Business hour | 85% | Medium priority – 4 Business hours | 90% |
| High priority – 1 Clock hour | 90% | High priority – 3 Clock hours | 90% |
| Critical priority – 30 Clock minutes | 95% | Critical priority – 3 Clock hours | 90% |


Customer Satisfaction Surveys and Reporting

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an on-line survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary.

Periodic reports will be created showing the level of satisfaction with resolution of incidents by specific support groups and the level of satisfaction of users by agency.

Customer Satisfaction Targets

| Metric Description | Target |
|---|---|
| Average level of satisfaction with resolution efforts | > 4.5 on a scale of 0 – 5 |
| Percentage of respondents satisfied or better with service received | 93% of respondents satisfied |

Post Updated: January 27, 2017
Posted On: January 27, 2017

Network Services for Non-State Agencies

The Division of Technology Services (DTS) operates a Wide Area Network (WAN) for all State of Utah Executive Branch agencies. DTS also provides WAN services for other State and non-State government entities (cities and counties). The State WAN provides gateway services to the public Internet and functions as a private fault tolerant network, connecting facilities in geographic locations statewide.

DTS will place and install all hardware, software, and facilities necessary to connect a non-State agency to the State WAN. Network Services include IP addressing, Domain Name System (DNS), Internet access, Web content filtering, security products (firewalls), virtual private network (VPN) termination and intrusion prevention systems (IPS), and the necessary tools and staff to support these services. Services are provided in a bundled product offering (see product features below).

DTS operates on a cost recovery basis and is therefore unable to quote one price that applies to all potential customers. Variables such as geographic location and transport requirements affect customer connectivity costs; connectivity costs are different for every customer.

Product Features and Descriptions

Wide Area Network

High availability to multiple locations.

Fault tolerant network with redundant paths from data centers to geographic hubs; these diverse paths are provided by the DTS network microwave services.

Specific infrastructure information may be obtained from the DTS Communications Planning Group.

General Functions and Duties

This product provides for network consulting, planning, and engineering. Services include the deployment of network products, operational support of network products, network tuning, and network diagramming; however, services do not include the acquisition or maintenance cost of other network based multi-media products.

Connection

Network utilization monitoring and bandwidth management.

Last mile connection from remote facilities to geographic hubs.

Wide Area Network Security

Firewall services between the Internet and the State WAN.

Backbone intrusion monitoring and management.

Access Control Lists (ACLs) for local LAN segments, where technically feasible. Note: Logging ACLs on router access lists is not provided to customers.

Packet screening to prevent IP spoofing from external networks.

IP Addressing

Manage address blocks.

Manage subnets, VLANs, and public/private IP assignments.

DNS Service

Manage host, MX, alias, and PTR records.

Host newly registered DNS domains and manage DNS records.

Delegate sub-domains per agency request.

Manage changes to DNS entries.

Provide instructions for registering new DNS names.

Internet Access

Content filtering, which blocks inappropriate or unauthorized access.

Redundant access paths.

Customer-specific filtering is available on request and requires customer identification through the State authoritative directory: UtahID. To request UtahID access, please use the following URL: http://login2.utah.gov/user  (select: register here).

VPN Sessions

DTS will provide secure VPN access into the State network from the Internet; pre-authorization is required. See VPN product information.

Network Operations and Monitoring

DTS Network Operations is a 24×7 service. Customers may contact the DTS Customer Service Center to report network problems by calling 801-538-3440 or 800-678-3440.

Other Features

Enterprise Security

Enterprise Security services are available upon request. Please refer to Enterprise Services on the DTS web site.

Features Not Included

Agency-Specific Solutions

DTS will assess and engineer appropriate network bandwidth by working with agency requirements.

DTS can provide unique WAN services, at an additional negotiated cost, if it is beyond a reasonable expectation.

Acquisition and/or maintenance costs of network based multi-media products (see Product Features: General Functions and Duties).

ACL logging is not provided to customers (see Product Features: WAN Security).

Email

Google provides state email enterprise services for Executive Branch agencies. Non-state entities may take advantage of the State contract and be supported directly by the provider.

Ordering and Provisioning

To inquire or order WAN services, please contact the DTS Customer Service Center by calling 801-538-3440 or 800-678-3440.

DTS Responsibilities

  • Provide network maintenance to the customer’s demarcation point.
  • Coordinate and notify customers of planned maintenance and outages.
  • Assess and engineer appropriate network bandwidth by working with the customer’s business requirements.
  • Maintain the integrity and security of the State WAN and Local Area Networks by shutting down ports that have been penetrated, or otherwise violate network security policies.
  • Conduct periodic device count audits, in accordance with the network device definition and published guidelines.
  • Conduct periodic Special Billing Agreement audits and update agreements as applicable.

Customer Responsibilities

  • Contact the DTS Customer Service Center to report network problems by calling 801-538-3440 or 800-678-3440.
  • Comply with State acceptable use policies: http://www.rules.utah.gov/publicat/code/r895/r895-007.htm.
  • Provide DTS router access lists.
  • Consult the assigned Network Planner when planning facility moves.
  • Pay for equipment installed by DTS and the replacement costs of any equipment that becomes obsolete. The equipment will remain under the ownership and management of DTS.
  • Notify the assigned Network Planner when planning to deploy applications that might affect network traffic.
  • Provide adequate space, power, cooling, etc. for State network equipment at each customer facility.
  • Provide physical security in facility locations that house State network equipment.
  • Provide the DTS assigned Network Planner a local contact at each facility that is capable of assisting with troubleshooting the customer’s WAN connection.
  • Comply with State security policies and standards; and adhere to additional network policies and standards as drafted and approved by DTS (see: DTS Policies and Procedures).
  • Adhere to State Acceptable Use Policy: http://www.rules.utah.gov/publicat/code/r895/r895-007.htm.
  • Prohibit open “rogue” Access Points in the network.
  • Coordinate extended network services to additional facilities with DTS WAN Planner.
Post Updated: November 5, 2020
Posted On: January 21, 2016

802.11 Wireless Network

The Division of Technology Services provides wireless access to the State Wide Area Network (WAN) to authorized State and local government employees.

Installation of 802.11 wireless services in State facilities is requested by the customer agencies; installation is dependent upon approval of the appropriate Campus Network Engineer (CNE) and available resources. The CNE will perform an assessment of required resources and coordinate an installation plan. State agencies are not billed for the wireless services; the Network Services rate is currently supporting this product.

Features and Descriptions

802.11 Standards

  • 802.1x IEEE standards compliant: 802.11a; 802.11g; 802.11n.
  • WiFi Protected Access (WPA2) compatible.

Customer Configuration

An estimate of the equipment and installation costs will be assessed by the Campus Networker and presented to the Network Standards Committee for approval prior to implementation. Installation of services is based on available resources and funds. If resources and funds are unavailable, the customer may elect to fund the installation or wait for available funding—if the customer chooses to wait for funding, the customer’s request will be placed on a prioritized list.  

See site survey below.

RADIUS

Cisco Secure ACS (Access Control Server).

User Authorization

  • “Challenged Access” limits access to users listed in an authentication directory.
  • DTS operates and maintains VPN Concentrators.

Authentication Directory

UtahID is LDAP compliant.

Network Connection

  • Provides segmented Wireless LAN security using VLANs (Virtual LANs).
  • State employees have the same access as with their local wired network.
  • Microsoft SMB file sharing is restricted.

Features Not Included

Cabling

Customer agencies are responsible for all cabling costs associated with installation of wireless services.

Non-State Employee Access

Encrypted 802.11 Wireless Network access is for state and local government employees. Guest access to the Internet is available to the general public.

Ordering and Provisioning

The order form for the product information described below may be found on the right side of this page.

Reminder: Please include a business case defining business needs and coverage requirements for wireless access services. DTS Business Case Form: https://utah.service-now.com/navpage.do.

DTS Responsibilities

  • DTS, in its responsibility for maintaining the integrity and security of the State WAN, is responsible for shutting down unauthorized 802.11 Wireless Network access points.
  • DTS will work with customer agencies to install 802.11 Wireless LAN systems that comply with product standards.

Agency Responsibilities

  • Customer agencies will submit a request for wireless services or access points.
  • Customer agencies are responsible for all cabling costs required and associated with the installation of wireless services.
  • DTS will work with customer agencies to install 802.11 Wireless LAN systems that comply with product standards. 
    Note: DTS will remove unauthorized wireless services and work with the customer agency to install approved services.
  • 802.11 Wireless Network users are responsible for complying with the State Acceptable Use Policy and the State Information Security Policy.

Rates and Billing

Site Survey

DTS will survey the site upon request to determine resource requirements and draft an estimate for management approval and resource allocation.

No charge for engineering services/labor and site survey. See Ordering and Provisioning below.

Note: Customer agencies are required to complete a business case defining the specific requirements for the requested wireless service (access points). Customer agencies’ business cases will be reviewed by the Enterprise Communications Services management. Business cases will assist in the prioritization of limited resources. Defined business cases will help identify critical service requests over convenience requests.

Base Rate – NA

Installation

  • One-time charge – NA
  • Engineering, installation and labor – NA
  • Building cabling – Customer Responsibility

Note: Installation of wireless services is dependent upon DTS approval and available funding. If resources and funds are unavailable, the customer may elect to fund the installation or wait for available resources; at that time the customer’s request will be placed on a prioritized list for future funding.

Post Updated: March 20, 2023
Posted On: January 21, 2016

Network Services

The Division of Technology Services (DTS) operates a State Wide Area Network (WAN) as well as the State Local Area Networks (LAN) for all State of Utah Executive Branch agencies. DTS also provides WAN services for State and other government agencies with enterprise-wide, intra-state network services.

The State WAN provides gateway services to the public Internet and functions as a private fault tolerant network, connecting facilities in geographic locations statewide.

In FY2009, WAN and LAN services merged into Network Services, delivering jack-to-jack connectivity to agency customers, using a single rate.

Network Services include IP addressing, Domain Name System (DNS), primary domain email service, Internet access, web content filtering, security products such as firewalls, VPN termination and intrusion prevention systems (IPS), and the necessary tools and staff to support these services. Network Services will provide limited wireless connectivity for agencies (see the Wireless Services description in the following sections).

Included Functions and Duties

Services include consulting, engineering, network diagramming, deployment, and operational support.

Wide Area Network

  • Connectivity to agency locations for access to the Internet and system applications that reside in our data centers or cloud environments.
  • Network based encryption between remote locations and WAN Core.
  • Site to Site VPN tunnels.

Local Area Network

  • Connectivity from all edge network devices within agency locations to end-points using State approved best practices.
  • Network utilization monitoring and bandwidth management at edge network locations.

Network Circuits

  • Network circuits may be provided via several types of services including:
    • State Owned Fiber
    • Point to Point / MOE (Metro Optical Ethernet)
    • Business Class Internet (e.g. DSL, Local ISP, etc) 
    • Cellular
    • Satellite 
  • DTS Networking will provide the primary network circuits between remote facilities and state data centers.
  • DTS Networking may provide a secondary network circuit under the following circumstances (Secondary circuits are not guaranteed):
    • The location processes credit card payments
    • The location is a Network GeoHub or Aggregation site
    • If the primary circuit is using state owned fiber and
      • The location is providing residential housing with voice services reliant on network connectivity (e.g., USH and USDC)
      • The location is an administrative agency location (e.g. MASOB, DWS Admin) 
  • Agencies requesting additional circuits not covered under the standard will be required to cover the costs via Special Billing Agreement (SBA).
  • Building Entrance for fiber services will be paid for by the agency unless special funding is available and approved.

Bandwidth Standard 

  • DTS Networking will provide bandwidth based on the number of employees at a given location.
  • The bandwidth listed below is not guaranteed.
  • Networking will complete a utilization assessment and provide bandwidth based upon findings.

| Site Size | Number of Employees | Bandwidth |
|---|---|---|
| Small | up to 25 | up to 50 Mbps |
| Medium | 26 to 50 | up to 100 Mbps |
| Large | 51 to 100 | up to 500 Mbps |
| Extra Large | over 100 employees | up to 1 Gbps |
| Campus | Multiple Buildings | up to 10 Gbps |

  • Agencies requesting bandwidth above the recommended standard from the bandwidth assessment may pay the difference in cost for both circuit charges and additional hardware requirements via a Special Billing Agreement (SBA).
    • Example: The standard provides up to 100 Mbps for a location. An agency requests 200 Mbps for that site. The agency would be responsible for the cost difference between 100 and 200 Mbps.

Network Hardware

  • Agencies paying DTS Network Service rates (Standard & IoT) will be provided the necessary network hardware.  
  • DTS Networking will provide hardware based on the following standard:
    • Network Router / Security Appliance 
    • Network Switches 
    • Wireless Access Points (See Wireless Access product description  for more information)

Devices on the State Network

  • Unmanaged switches or hubs are NOT authorized on the State WAN and will be disabled or blocked. 
    • If additional ports are needed, please submit a ServiceNow request to have additional wiring installed. (See Network Services – Add Ons for more information.)
  • All devices connected to the state network (excluding Guest Wireless i.e. CapNet) must be authorized and will be billed one of the following network services rates: standard Network or Network IoT. 
  • State employees covered by the monthly standard Network service rate for desktop or laptop purposes may use a mobile device, such as a phone or tablet, without incurring an additional network rate.
    • However, employees may not avoid the Network services rate by opting for a mobile device only or by “Bringing Your Own Device” (BYOD).
  • The following device types will be charged the standard Network Service rate:
    • Workstations – Desktops/Laptops
    • Security camera systems/servers
    • Streaming TVs/DVR systems (e.g. Roku)
    • Cellular Boosters 
  • The following device types may be charged a Network IoT (Internet of Things) service rate (See IoT product description for more information):
    • Building or Environmental Controls (e.g. HVAC, door access)
    • Printers
    • Credit Card readers 
    • Individual cameras 
    • Miscellaneous items that may also be subject to the IoT rate 
      • Some examples include: seismograph, warehouse crane, air monitoring, fingerprinting, scan guns, non-streaming TV systems

Security

  • Firewall services between the Internet and the state WAN.
  • Firewall VSYS / context creation and removal.
  • Backbone intrusion monitoring and management.
  • GeoBlocking – limiting access to state resources based on physical location. 
  • Access Control Lists (ACLs) for local LAN segments, where technically feasible.
    • Note: Logging on router access lists is not provided to customers.
  • Packet screening to prevent IP spoofing from external networks.
  • Firewall rule management and support (See Firewall Rule Management for more information). 
  • For additional security services see the Enterprise Security product description.

IP Addressing

  • Manage IP address space.
  • Management of DHCP and IP address reservations.
  • Manage subnets, VLANs and public/private IP assignments.

DNS Service

  • Manage host, MX, alias and PTR records.
  • Host newly registered DNS domains and manage DNS records.
  • Delegate sub-domains per agency request.
  • Manage changes to DNS entries.
  • Provide instructions for registering new DNS names.

Internet Access

  • High bandwidth Internet access from our primary data center with redundant internet connection
  • Secondary data center Internet access available for configuration with system applications
  • Content filtering and blocking inappropriate or unauthorized access.
  • See the Web URL Filtering product description for more information. 

VPN

  • Networking provides secure user VPN access into the state network from the Internet; pre-authorization is required.
  • Networking can provide site to site VPN tunnels.
  • See the VPN product description for more information.

Wireless Access 

  • See Wireless Network (WiFi) product description for more information.

Cellular Boosters

  • See the Cellular Boosters product description for more information.

Non Executive Branch Customers

  • See the Network Services for Non-State Agencies product description for more information.

Features Not Included

See the Network Services – Add Ons product description for more information. These services may require an additional negotiated cost or be dependent on available funding. See DTS Consulting Rate table under Rates and Billing.

Additional Firewalls or Security

DTS can help evaluate and develop a solution for additional security requirements.

  • Customized site to site tunnel design and configuration

Wiring and Cable Design

A DTS wiring specialist will review customer requests and will engineer a solution or plan using the latest technology in accordance with code, and industry best standards and practices. 

  • Agencies will be responsible for the costs of supplying, installing, or upgrading the agency’s infrastructure cabling.
  • All copper wiring must be at current standard (Cat5e or better).

Agency-Specific Solutions

  • DTS will assess and engineer appropriate network bandwidth by working with agency requirements.
  • DTS can provide unique WAN or LAN connections, at an additional negotiated cost via Special Billing Agreement (SBA).

DTS Responsibilities

  • Provide jack-to-jack network maintenance
  • Coordinate customer notification of planned maintenance and outages
  • Assess and engineer appropriate network bandwidth by working with agency business requirements
  • Provide network service in an efficient and economical manner—to include using bandwidth monitoring statistics to justify enhancements
  • Maintain the integrity and security of the State WAN and Local Area Networks by shutting down ports that have been penetrated, or otherwise violate network security policies
  • Conduct periodic device count audits, in accordance with the network device definition and published guidelines
  • Conduct periodic Special Billing Agreement (SBA) audits and update agreements as applicable
  • Network Solutions Engineer and technical support staff must document the firewall configurations so that agencies that need access to applications have access—i.e., enabling state interoperability.

Agency Responsibilities

  • Comply with the state Acceptable Use Policy: https://dts.utah.gov/policies/documents/1000-0003acceptableuse.pdf
  • Provide security requirements.
  • Consult with DTS Networking when planning facility moves.
  • Notify DTS Networking when planning to deploy applications that might affect network traffic by submitting the appropriate request.
  • Provide adequate space, power, cooling, etc. for state network equipment at each agency facility.
  • Provide physical security in facility locations that house state network equipment.
  • DTS customers should provide DTS Networking a local contact at each facility that is capable of assisting with troubleshooting customer concerns. 
  • Comply with state security policies.
  • Facility cabling is the responsibility of the agency.
  • Agencies are responsible for reviewing their Network Bill from DTS in a timely manner for accuracy.
  • Ensure that unmanaged switches or hubs are NOT installed on the State WAN. These unmanaged hubs are NOT authorized and will be disabled or blocked. 
  • Contact DTS Networking if unmanaged switches are identified by submitting an incident ticket.

 

General Service Levels and Metrics

  • See the General Service Levels and Metrics product description for more information.

All technical incidents, service requests, and certain types of orders related to products and services provided by DTS will be reported to the DTS Enterprise Service Desk or to specialized Help Desks that support State agencies or DTS divisions and regions. All incidents and requests will be captured in the DTS ServiceNow application. DTS staff will provide timely acknowledgement and resolution of technical incidents and service requests.

DTS support staff, including staff directly assigned to the DTS Enterprise Service Desk, will exert all reasonable efforts to meet the Time to Initial Response (TIR) and Total Time to Resolution (TTR) targets set forth below.

The DTS Enterprise Service Desk is accessible 24×7 by telephone at 801-538-3440 or 800-678-3440. Live chat and direct user reporting of incidents are also available on the DTS website at dts.utah.gov. Published “Business Hours” for the DTS Service Desk are 7:00 AM-6:00 PM, Monday-Friday. Hours of support/on-call coverage vary by agency/division/region and product.

Incident Response and Resolution Targets

| Time to Initial Response Targets | % Tickets | Total Time to Resolution Targets | % Tickets |
|---|---|---|---|
| Low priority – 1 Business hour | 85% | Low priority – 6 Business hours | 90% |
| Medium priority – 1 Business hour | 85% | Medium priority – 4 Business hours | 90% |
| High priority – 1 Clock hour | 90% | High priority – 3 Clock hours | 90% |
| Critical priority – 30 Clock minutes | 95% | Critical priority – 3 Clock hours | 90% |

Customer Satisfaction Surveys and Reporting

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an on-line survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary.

Periodic reports will be created showing the level of satisfaction with resolution of incidents by specific support groups and the level of satisfaction of users by agency.

Customer Satisfaction Targets

| Metric Description | Target |
|---|---|
| Average level of satisfaction with resolution efforts | > 4.5 on a scale of 0–5 |
| Percentage of respondents satisfied or better with service received | 93% of respondents satisfied |

Post Updated: April 20, 2023
Posted On: January 21, 2016

Remote Access VPN

A Virtual Private Network (VPN) enables remote users to communicate confidentially over a public network (i.e., between a public Internet connection and the State of Utah network).

Note: You can read the related DTS Remote Access VPN Procedure at the end of this product description.

DTS provides two methods for State employees to connect to the state network:

  • VPN: VPN provides a convenient solution for State employees who occasionally work off-site, and for those who access state IT resources from public facilities or kiosks. This option also provides temporary access to restricted State applications for vendors or contractors. VPN uses SSL (Secure Sockets Layer) to secure traffic between a remote computer and restricted State IT resources.
  • VPN Client: VPN provides a robust solution for power users who work off-site on a regular basis. It provides the same level of access to State IT resources as if the users were connected at their offices. The VPN Client is desktop software that secures traffic between a remote computer and restricted State IT resources—all data traffic is encrypted.

The hours of support required for Remote Access VPN are listed below.

Hours of Support

| Application | Support Hours | Days of Week |
|---|---|---|
| VPN Appliances | 24 hours a day | 7 days a week |
| VPN Client | Business Hours: 7am to 6pm | Monday – Friday, excluding holidays |

Product Features and Descriptions

Secure Connection

Remote Access VPN establishes a virtual private network (VPN) that enables remote users to communicate confidentially over a public network—i.e., from public Internet connections.

Data Encryption

User credentials and all data traffic are encrypted via SSL/TLS.

User Authentication

  • Users are allowed access to restricted state IT resources only if they can verify identification at login.
  • Unauthorized users are not permitted access.

Authentication Directory

  • Each user is authenticated to UtahID.
  • DTS maintains UtahID.

Palo Alto

Palo Alto Appliances provide redundant, scalable network devices that perform end-point security for remote-user configurations. DTS operates and maintains the infrastructure.

Two Factor

Two-factor authentication is enabled by default on all user VPN groups.

Solution for Infrequent or Temporary Off-site Users

  • Authorized access to restricted State IT resources for State employees who occasionally work off-site.
  • Temporary authorized access to restricted State applications for vendors, contractors, and other State business partners.

Features Not Included

Remote Access Connection

The customer must have a remote access connection—e.g., commercial DSL, cable modem service, public kiosk service, etc.

Internet Service

The user must have Internet service on his or her remote access connection.

Two Factor Support

Support and maintenance of the two-factor infrastructure fall under DTS Identity and Access Management.

Non-State Equipment

Support for non-state (i.e., personal) equipment.

Ordering and Provisioning

To order the Remote Access VPN product, or to request a new VPN group, select the Order VPN Access or Request New VPN Group buttons at the top right of this page.

Note: CenturyLink FTTN and Independent Telcos providing DSL require VPN services.

DTS Responsibilities

  • DTS will deliver the product described in this product description.
  • DTS will provide instructions for product use.
  • DTS will operate and maintain Palo Alto Appliances.
  • To ensure the security of State information technology resources, DTS may block telecommuters’ access to the State Network when troubleshooting security intrusions.
  • DTS will enforce the VPN, State Information Security and Appropriate Use policies.
  • VPN Client: DTS will provide instructions for installing and configuring the VPN Client software.

Agency Responsibilities

  • The customer will adhere to their agency’s policies and procedures in submitting online orders that have been properly approved.
  • The customer will obtain a remote access connection—e.g., commercial DSL or cable modem.
  • The customer must have a UtahID account.
  • Non-state employee customers must be sponsored by a State of Utah agency.*

*Note: The DTS help desk will send non-state employee customers directions on how to install VPN.

Web VPN

  • The customer’s Web browser must support SSL.

VPN Client

  • The desktop support technician assigned to the customer’s agency will set up the customer’s computer with software required to access the agency LAN and other business software required by the VPN user.
  • The desktop support technician assigned to the customer’s agency will assist the customer with installing and configuring the VPN Client software as requested.
  • VPN customers will comply with the State Acceptable Use Policy, the State Information Security Policy, and the VPN Policy. Non-state assets must be approved by authorized agency and security personnel.

System Requirements

  • Desktop clients supported include:
    • Windows 10
    • Apple macOS 10.11 or higher
  • Mobile devices supported include:
    • Google Android 5.x or higher 
    • Apple iPadOS 10 (64-bit devices only) 
    • Apple iPhone iOS 10 or higher (64-bit devices only)
  • Web browsers must be SSL/TLS compliant.

DTS Service Levels and Metrics

In an effort to improve service to our customer agencies, DTS will measure and report on the following enterprise metric goals:

  • Application Availability
  • Resolution Time
  • Initial Response
  • First Contact Resolution 
  • Customer Satisfaction Surveys and Reporting

Application Availability

Application availability measures DTS’s efforts to ensure that agency key business applications meet the percentage of availability goals identified in each agency’s service level agreement. DTS will determine application availability based upon the collective measurement of the configuration items (both hardware and software) that are required in order to support the agency business services applications. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php

Metric Description | Target Percentage of Application Availability*
System Availability | The VPN appliance needs to be available 24 hours a day 7 days a week excluding scheduled maintenance. We are striving for 99% availability during the supported hours. This will allow for unplanned downtime due to unforeseen events.

Table Note: *Times exclude those tickets in a “Pending” status waiting for a known bug fix.

Resolution Time

Resolution time measures DTS’s efforts to resolve customer incidents within the timelines set below based on urgent, high, medium, and low priorities. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php

Total Time to Resolution | Target Percentage of Tickets Meeting Priority Timelines
Low priority: 6 business hours | 90%
Medium priority: 4 business hours | 90%
High priority: 3 clock hours | 90%
Critical priority: 3 clock hours | 90%

Initial Response

Initial response measures DTS’s efforts to respond to customer incidents within the timelines set below based on urgent, high, medium, and low priorities. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php.  

Time to Initial Response | Target Percentage of Tickets Meeting Priority Timelines
Low priority: 1 business hour | 85%
Medium priority: 1 business hour | 85%
High priority: 1 clock hour | 90%
Critical priority: 30 clock minutes | 95%

First Contact Resolution

First contact resolution measures DTS’s efforts to resolve customer incidents on a customer’s initial contact with either our help desk or a technical specialist. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php

Metric Description | Target Percentage of Reported Incidents Resolved on Initial Contact
First Contact Resolution | 65%

Customer Satisfaction Surveys and Reporting 

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an online survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary. 

The chart below identifies DTS enterprise goals for customer satisfaction. Cumulative monthly reports will be created displaying the level of customer satisfaction with DTS support. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php

Metric Description | Target Levels of Customer Satisfaction
Average level of satisfaction with resolution efforts | ≥ 4.5 on a scale of 0–5
Percentage of respondents expressing satisfaction (vs. dissatisfaction) | 93% of respondents satisfied

 


 

Remote Access VPN Request Procedure

Purpose

This procedure describes how users can submit requests for virtual private network (VPN) access.

Scope

This procedure applies to all State of Utah VPN users.

Procedure

Users can submit VPN requests from the DTS website by going to the Remote Access VPN product description and selecting Order VPN Access.

Users can also access the Remote Access Request Form directly using the attached link or through ServiceNow by going to the Service Catalog, selecting HelpDesk, and then selecting Remote Access Request.

After selecting Remote Access Request, the submitter’s information will be autopopulated from the Requested for field. You can also search for a different user in this field.

The user should then select VPN from the Remote Request Type field, fill in the Justification field, and complete the other required fields.

Note: A user can request remote access for more than one user by:

  • selecting the Remote access is needed for more than one user checkbox, as shown in the following image; and
  • attaching to the Remote Access Request Form a csv list (using the linked template) that includes the following information for each user who requires remote access:
    • email address, and
    • VPN group name (without the VPN prefix).

To request VPN remote access, a requester must have a UtahID account with access to the state’s network. (If the requester does not have a network login already established, the requester should first submit an Agency Employee Access Request Form before submitting a remote access request. The Agency Employee Access Request Form can be accessed directly using the attached link or through ServiceNow by going to the Service Catalog, selecting Agency Requests, and then selecting Agency Employee Access Request. The Agency Employee Access Request Form can also be used for contractors.) When the requester’s account is ready, a VPN request can then be submitted.

Information Not Specified

If a user has no company, is not a State employee, or has no division, or if no approver has been specified for the user’s agency, ServiceNow checks for approval governance. The approval governance is a system that allows approvals to be customized by agency and division. If ServiceNow can’t find approvers, it will generate a task for the Enterprise Security Team to approve the request or designate an approver for the agency’s division.

Once the request is formally submitted, an automated email (as shown below) will be sent to the approver requesting VPN approval.

To approve, the approver should click on the blue text: Click here to approve RITM #

To reject, the approver should click on the blue text: Click here to reject RITM # 

Example VPN Request Email

Utah Division of Technology Services Service Desk Notification
Remote Access Requested for: Cheri Oldham
Short Description: Remote Access is being Requested
Priority: 4 – Low
Category:

Summary of Change request:
Request Type = HR Request
Requested for = Cheri Oldham
Company = Dept of Technology Services
Department = 2762
Division = DTS OPERATIONS 2700
Phone = (801) 538-3440
Alternate Phone =
Alternate Approver =
Which Agency is responsible for this Request? =
Location = CENTRAL UTAH CORRECTIONAL FACILITY
Street = 255 E 300 N
City = GUNNISON
Manager = Scott Moffitt
Manager’s Phone = 4356342129
Action = Add/Change Access
Remote Request Type = VPN
Which Group should the Requester be in, or which person should they be setup like? = general
Remote access is needed for more than one user. = false
Which Agency or Entity is making this request. = Dept of Technology Services
Pick a Division (if applicable) =
Justification =
Comments =

Click here to approve RITM0114737
Click here to reject RITM0114737

Click here to view Approval Request: LINK
Click here to view Requested Item: LINK

Having trouble? Get help at dts.utah.gov or contact your Help Desk at 801-538-3440.

Manage Preferences

Ref:MSG14845392

Once approval has been granted, ServiceNow will create a new task for your help desk to fulfill the VPN access. After your help desk grants access, an email will be sent by the help desk to the individual listed in the Requested for field of the Remote Access Request Form with instructions for installing VPN. The task can then be closed and the request is completed.

Post Updated: November 4, 2020
Posted On: January 21, 2016

LAN to LAN VPN (Virtual Private Network)


LAN-to-LAN VPN provides a secure and encrypted network connection for business transactions conducted between users and systems on one LAN to users, systems, and applications located on another LAN.

LAN-to-LAN VPN is a service for State agencies that need secure and encrypted access to business applications located on another network—e.g., a federal agency application or an application on another State agency’s subnet.

LAN-to-LAN VPN service provides agency LAN administrators or security staff the ability to dedicate long-term access to specific restricted services for a group of users—e.g., a business to business Extranet.

LAN-to-LAN VPN Product Features

Secure Business to Business Transactions

Dedicated long-term access for a group of users (or servers) on one LAN to specific restricted services located on another LAN.

Secure Connection

A Virtual Private Network (VPN) between two LANs internal or external to the state Wide Area Network.

Configuration

DTS staff work personally with the LAN Administrator assigned to an agency to configure the LAN-to-LAN VPN to meet specific business requirements.

ASA

Adaptive Security Appliances (ASAs) provide redundant, scalable network devices that perform end-point security for LAN to LAN configurations. DTS operates and maintains the ASAs.

Product Benefits

Security:

Many State agency businesses require access to applications maintained by other organizations located on external networks or subnets. Those organizations often require secure access to their network to reduce risk to their IT resources. LAN-to-LAN VPN configures a secure gateway to those business applications.

Ease of use:

Once the LAN-to-LAN VPN is set up, users don’t have to do anything—the service is transparent.

Business effectiveness:

State agencies can conduct requisite business transactions on other agencies’ or businesses’ secure networks.

Ordering and Provisioning

To order the Remote Access VPN product, please refer to the product request form on the DTS web site.

DTS Responsibilities

  • DTS will work with the customer or the LAN Administrator assigned to the customer agency to obtain the parameters required to set up and test the requested LAN-to-LAN VPN.
  • DTS will provide instructions for product use.
  • DTS will operate and maintain the Adaptive Security Appliances (ASAs).
  • To ensure the security of State information technology resources, DTS may block access to any State network node when troubleshooting security intrusions.
  • DTS will enforce the State Information Security and Appropriate Use policies.

Agency Responsibilities

  • The customer will adhere to their Agency’s policies and procedures in submitting orders that have been properly approved.
  • The customer agency will submit a LAN-to-LAN VPN request to DTS through the DTS website.
  • The customer will complete the online request form, including customer contact information, IP addresses, and Internet Key Exchange (IKE) and Internet Protocol Security (IPsec) information.
  • The customer or the LAN Administrator assigned to the customer’s agency will work with DTS Network Operations to provide network parameters required to set up and test the requested LAN-to-LAN VPN.
  • The customer or the LAN Administrator assigned to the customer’s agency will support the end-users’ access to the business-related application or network on the far end of the LAN-to-LAN VPN.
  • Customers will comply with the State Acceptable Use Policy and the State Information Security Policy.

System Requirements

End nodes must be IPsec devices.

Post Updated: April 15, 2016
Posted On: January 21, 2016