
Remote Access VPN

A Virtual Private Network (VPN) enables remote users to communicate confidentially over a public network (i.e., between a public Internet connection and the State of Utah network).

Note: You can read the related DTS Remote Access VPN Procedure at the end of this product description.

DTS provides two methods for State employees to connect to the state network:

  • VPN: VPN provides a convenient solution for State employees who occasionally work off-site and for those who access state IT resources from public facilities or kiosks. This option also provides temporary access to restricted State applications for vendors or contractors. VPN uses SSL (Secure Sockets Layer) to secure traffic between a remote computer and restricted State IT resources.
  • VPN Client: VPN provides a robust solution for power users who work off-site on a regular basis. It provides the same level of access to State IT resources as if the users were connected at their offices. The VPN Client is desktop software that secures traffic between a remote computer and restricted State IT resources—all data traffic is encrypted.

The hours of support required for Remote Access VPN are listed below.

Hours of Support

Application | Support Hours | Days of Week
VPN Appliances | 24 hours a day | 7 days a week
VPN Client | Business Hours: 7am to 6pm | Monday – Friday, excluding holidays

Product Features and Descriptions

Secure Connection

Remote Access VPN establishes a virtual private network (VPN) that enables remote users to communicate confidentially over a public network—i.e., from public Internet connections.

Data Encryption

User credentials and all data traffic are encrypted via SSL/TLS.

User Authentication

  • Users are allowed access to restricted state IT resources only if they can verify identification at login.
  • Unauthorized users are not permitted access.

Authentication Directory

  • Each user is authenticated to UtahID.
  • DTS maintains UtahID.

Palo Alto

Palo Alto Appliances provide redundant, scalable network devices that perform end-point security for remote-user configurations. DTS operates and maintains the infrastructure.

Two Factor

Two-factor authentication is enabled by default on all user VPN groups.

Solution for Infrequent or Temporary Off-site Users

  • Authorized access to restricted State IT resources for State employees who occasionally work off-site.
  • Temporary authorized access to restricted State applications for vendors, contractors, and other State business partners.

Features Not Included

Remote Access Connection

The customer must have a remote access connection—e.g., commercial DSL, cable modem service, public kiosk service, etc.

Internet Service

The user must have Internet service on his or her remote access connection.

Two Factor Support

The two-factor infrastructure support and maintenance falls under DTS Identity and Access Management.

Non-State Equipment

Support for non-state (i.e., personal) equipment.

Ordering and Provisioning

To order the Remote Access VPN product, or to request a new VPN group, select the Order VPN Access or Request New VPN Group buttons at the top right of this page.

Note: CenturyLink FTTN and Independent Telcos providing DSL require VPN services.

DTS Responsibilities

  • DTS will deliver the product described in this product description.
  • DTS will provide instructions for product use.
  • DTS will operate and maintain Palo Alto Appliances.
  • To ensure the security of State information technology resources, DTS may block telecommuters’ access to the State Network when troubleshooting security intrusions.
  • DTS will enforce the VPN, State Information Security and Appropriate Use policies.
  • VPN Client: DTS will provide instructions for installing and configuring the VPN Client software.

Agency Responsibilities

  • The customer will adhere to their agency’s policies and procedures in submitting online orders that have been properly approved.
  • The customer will obtain a remote access connection—e.g., commercial DSL or cable modem.
  • The customer must have a UtahID account.
  • Non-state employee customers must be sponsored by a State of Utah agency.*

*Note: Non-state employee customers will be sent the directions by the DTS help desk on how to install VPN.

Web VPN

  • The customer’s Web browser must support SSL.

VPN Client

  • The desktop support technician assigned to the customer’s agency will set up the customer’s computer with software required to access the agency LAN and other business software required by the VPN user.
  • The desktop support technician assigned to the customer’s agency will assist the customer with installing and configuring the VPN Client software as requested.
  • VPN customers will comply with the State Acceptable Use Policy, the State Information Security Policy, and the VPN Policy. Non-state assets must be approved by authorized agency and security personnel.

System Requirements

  • Desktop clients supported include:
    • Windows 10
    • Apple macOS 10.11 or higher
  • Mobile devices supported include:
    • Google Android 5.x or higher 
    • Apple iPadOS 10 (64-bit devices only) 
    • Apple iPhone iOS 10 or higher (64-bit devices only)
  • Web browsers must be SSL/TLS compliant.

DTS Networking, in coordination with DTS Security guidance, will be enabling VPN Posturing on the state VPN groups for devices accessing the state network. Posturing is the process of assessing the compliance profile of a device and determining the level of network access granted. To be in compliance, devices must have:

  • Forescout Agent
  • Nessus Agent
  • Updated OS Version
  • Sectigo Antivirus
  • Hard Drive Disk Encryption
  • SCCM or MDM Agent
  • Utah AD Domain Membership

If a device is considered to be out of compliance, access to the state network will be restricted or limited, and the user will need to contact the DTS Help Desk to resolve the issue and bring the device into compliance.

DTS Service Levels and Metrics

In an effort to improve service to our customer agencies, DTS will measure and report on the following enterprise metric goals:

  • Application Availability
  • Resolution Time
  • Initial Response
  • First Contact Resolution 
  • Customer Satisfaction Surveys and Reporting

Application Availability

Application availability measures DTS’s efforts to ensure that agency key business applications meet the percentage of availability goals identified in each agency’s service level agreement. DTS will determine application availability based upon the collective measurement of the configuration items (both hardware and software) that are required in order to support the agency business services applications. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php.

Metric Description | Target Percentage of Application Availability*
System Availability | The VPN appliance needs to be available 24 hours a day 7 days a week excluding scheduled maintenance. We are striving for 99% availability during the supported hours. This will allow for unplanned downtime due to unforeseen events.

Table Note: *Times exclude those tickets in a “Pending” status waiting for a known bug fix.

Resolution Time

Resolution time measures DTS’s efforts to resolve customer incidents within the timelines set below based on urgent, high, medium, and low priorities. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php.

Total Time to Resolution | Target Percentage of Tickets Meeting Priority Timelines
Low priority: 6 business hours | 90%
Medium priority: 4 business hours | 90%
High priority: 3 clock hours | 90%
Critical priority: 3 clock hours | 90%

Initial Response

Initial response measures DTS’s efforts to respond to customer incidents within the timelines set below based on urgent, high, medium, and low priorities. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php.  

Time to Initial Response | Target Percentage of Tickets Meeting Priority Timelines
Low priority: 1 business hour | 85%
Medium priority: 1 business hour | 85%
High priority: 1 clock hour | 90%
Critical priority: 30 clock minutes | 95%

First Contact Resolution

First contact resolution measures DTS’s efforts to resolve customer incidents on a customer’s initial contact with either our help desk or a technical specialist. These metrics will be reported each month, by agency, and will be presented in a cumulative report showing DTS’s efforts over several months. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php.

Metric Description | Target Percentage of Reported Incidents Resolved on Initial Contact
First Contact Resolution | 65%

Customer Satisfaction Surveys and Reporting 

All users/customers whose technical incidents are resolved by DTS staff will be given the opportunity to respond to an online survey regarding their level of satisfaction with the support received from DTS. Responding to the survey is voluntary. 

The chart below identifies DTS enterprise goals for customer satisfaction. Cumulative monthly reports will be created displaying the level of customer satisfaction with DTS support. These reports will then be posted on the DTS Metrics Web page at https://dts.utah.gov/metrics/index.php.

Metric Description | Target Levels of Customer Satisfaction
Average level of satisfaction with resolution efforts | ≥ 4.5 on a scale of 0–5
Percentage of respondents expressing satisfaction (vs. dissatisfaction) | 93% of respondents satisfied

 


 

Remote Access VPN Request Procedure

Purpose

This procedure describes how users can submit requests for virtual private network (VPN) access.

Scope

This procedure applies to all State of Utah VPN users.

Procedure

Users can submit VPN requests from the DTS website by going to the Remote Access VPN product description and selecting Order VPN Access.

Users can also access the Remote Access Request Form directly using the attached link or through ServiceNow by going to the Service Catalog, selecting HelpDesk, and then selecting Remote Access Request.

After selecting Remote Access Request, the submitter’s information will be autopopulated from the Requested for field. You can also search for a different user in this field.

The user should then select VPN from the Remote Request Type field, fill in the Justification field, and complete the other required fields.

Note: A user can request remote access for more than one user by:

  • selecting the Remote access is needed for more than one user checkbox, as shown in the following image; and
  • attaching to the Remote Access Request Form a CSV list (using the linked template) that includes the following information for each user who requires remote access:
    • email address, and
    • VPN group name (without the VPN prefix).

To request VPN remote access, a requester must have a UtahID account with access to the state’s network. (If the requester does not have a network login already established, the requester should first submit an Agency Employee Access Request Form before submitting a remote access request. The Agency Employee Access Request Form can be accessed directly using the attached link or through ServiceNow by going to the Service Catalog, selecting Agency Requests, and then selecting Agency Employee Access Request. The Agency Employee Access Request Form can also be used for contractors.) When the requester’s account is ready, a VPN request can then be submitted.

Information Not Specified

If a user has no company, is not a State employee, or has no division, or if no approver has been specified for the user’s agency, ServiceNow checks for approval governance. The approval governance is a system that allows approvals to be customized by agency and division. If ServiceNow can’t find approvers, it will generate a task for the Enterprise Security Team to approve the request or designate an approver for the agency’s division.

Once the request is formally submitted, an automated email (as shown below) will be sent to the approver requesting VPN approval.

To approve, the approver should click on the blue text: Click here to approve RITM #

To reject, the approver should click on the blue text: Click here to reject RITM # 

Example VPN Request Email

Utah Division of Technology Services Service Desk Notification
Remote Access Requested for: Cheri Oldham
Short Description: Remote Access is being Requested
Priority: 4 – Low
Category:

Summary of Change request:
Request Type = HR Request
Requested for = Cheri Oldham
Company = Dept of Technology Services
Department = 2762
Division = DTS OPERATIONS 2700
Phone = (801) 538-3440
Alternate Phone =
Alternate Approver =
Which Agency is responsible for this Request? =
Location = CENTRAL UTAH CORRECTIONAL FACILITY
Street = 255 E 300 N
City = GUNNISON
Manager = Scott Moffitt
Manager’s Phone = 4356342129
Action = Add/Change Access
Remote Request Type = VPN
Which Group should the Requester be in, or which person should they be setup like? = general
Remote access is needed for more than one user. = false
Which Agency or Entity is making this request. = Dept of Technology Services
Pick a Division (if applicable) =
Justification =
Comments =

Click here to approve RITM0114737
Click here to reject RITM0114737

Click here to view Approval Request: LINK
Click here to view Requested Item: LINK

Having trouble? Get help at dts.utah.gov or contact your Help Desk at 801-538-3440.

Manage Preferences

Ref:MSG14845392

Once approval has been granted, ServiceNow will create a new task for your help desk to fulfill the VPN access. After your help desk grants access, an email will be sent by the help desk to the individual listed in the Requested for field of the Remote Access Request Form with instructions for installing VPN. The task can then be closed and the request is completed.