State of Wisconsin Virtual Private Network (VPN) Service Offering Definition (SOD)
Document Revision History

Date      Version  Creator     Notes
9/15/11   1.5      Amy Dustin  Annual review, minor edits
Table of Contents

Introduction
What Is Included
  VPN Remote Appliance to DET
  VPN Client to DET
What Is Not Included
  VPN Remote Appliance to DET
  VPN Client to DET
Benefits
Service Description
  VPN Remote Appliance to DET Service
  VPN Client to DET Service
Service Period
Roles and Responsibilities
Business Continuity
Monitoring
Configuration Overview
How Services Are Charged
  Remote Appliance to DET Charges
  Client to DET Charges

VPN Service Offering Definition, Last Updated: 9/15/2011
Introduction

The DET Enterprise Virtual Private Network (VPN) solution offers agencies a needed connectivity option for remote users. This option also encompasses the use of Active Directory for authentication to the state's resources. This service achieves the following:

- Allows for a secure, encrypted tunnel to the state's network and data center
- Allows remote users to authenticate to their agency Local Area Networks (LANs)
- Allows access to e-mail, applications, and user/group shared resources

DET has two encrypted VPN service offering options:

- VPN Remote Appliance to DET
- VPN Client to DET

The type of VPN solution implemented at each location is determined jointly between DET staff and the requesting agency.

What Is Included

VPN Remote Appliance to DET

- VPN appliances at the Femrite Data Center and 101 E. Wilson, managed by DET staff
- 24x7 monitoring of the VPN appliances
- VPN appliance at the remote site
- Installation of the VPN appliance on the agency-procured Internet/Telco connection

VPN Client to DET

- VPN appliances at the Femrite Data Center and 101 E. Wilson, managed by DET staff
- 24x7 monitoring of the VPN appliances
- Cisco SSL VPN client software for Windows XP/Vista/7 (32-bit and 64-bit), Linux, and Mac OS
- Cisco AnyConnect client software for Windows XP/Vista/7 (32-bit and 64-bit) and Linux
- VPN client software connection authentication is made via LDAP to the appropriate Active Directory (AD) domain for each user
What Is Not Included

VPN Remote Appliance to DET

- Procurement of the Internet/Telco connection to the remote location
- Management of the Internet/Telco connection to the remote location
- Billing for the Internet/Telco connection that the agency procures
- Troubleshooting of desktop issues

VPN Client to DET

- Procurement of the Internet/Telco connection to the remote location
- Management of the Internet/Telco connection to the remote location
- Billing for the Internet/Telco connection that the agency procures
- Updates to VPN software clients
- Troubleshooting of all desktop issues or technical assistance
- Broadband satellite-based Internet connections, due to increased latency that limits performance

Benefits

Provides a secure method for access to state resources from remote locations.

Service Description

VPN Remote Appliance to DET Service

This service requires a hardware VPN appliance at the remote site. It creates a point-to-point connection that can be available 24x7. Multiple users can connect to the LAN side of the VPN appliance. The remote site becomes an extension of the agency's network, and is able to access resources as determined by the security policies defined by the agency.

VPN Client to DET Service

This service requires a software application installed on the remote user's device. Agency technical staff has the choice of the full IPSEC client or the light-weight Cisco AnyConnect client, which employs the SSL protocol. Each user must authenticate to the remote VPN appliance at DET via an LDAP call from the VPN appliance to AD to establish an encrypted tunnel. After authentication to the VPN appliance, the user will have access to resources as determined by the access and security policies defined by the agency. Note that the VPN Client to DET service is not designed to replace the full functionality of a product such as Citrix, but can be used to provide basic connectivity. A good use case for VPN is to permit users to access their office computer remotely via RDP.
This model is easy to support, and the user can access network resources as if they were sitting at their office desk.

Service Period

The SOD, Roles and Responsibilities (RnR) and rate will be reviewed annually to determine if any modifications are required.

Roles and Responsibilities

Roles and Responsibilities for the VPN service can be found here.

Business Continuity

DET has two sets of VPN appliances, one set located at the Femrite Data Center and one at 101 E. Wilson. This allows for continued service should one of the appliances fail.

Monitoring

Standard monitoring includes alerting and reporting to DET support staff for CPU, memory, I/O and up/down status of the appliances.

Configuration Overview

Overview of the current environment at DET for both VPN options:

- Fault-tolerant VPN hardware appliances in the DET core. These appliances take all the remote client connections and route them to the networks and resources that the end user is accessing. They work in conjunction with Active Directory (AD) for authentication to network resources.
- VPN hardware appliance for locations with between three and seven users to create a point-to-point connection (VPN Remote Appliance to DET option only).
- VPN software client for individuals (VPN Client to DET option only).
- Current authentication to the network via the software client (VPN Client to DET option only).
- Current Active Directory (AD) authentication to resources using Remote Desktop Protocol (RDP).
- Different VPN groups and filters are set up to control security access to agency and DET resources. VPN groups can be set up for vendor support access as well.
How Services Are Charged

Remote Appliance to DET Charges

DET staff tracks time and bills at the current hourly consulting rate to determine the one-time installation charge. The one-time charge is billed through the Enterprise Billing System. A monthly recurring charge for each installed appliance is billed through the Enterprise Billing System.

Client to DET Charges

A user ID must be assigned to an AD security group that allows access to DET resources using a VPN client. The agency security officer is responsible for keeping that AD security group current. DET counts the number of users in that specific AD security group on an annual basis. DET assesses an annual charge for the number of users for each agency. This annual charge is billed through the Enterprise Billing System.

Please see the IT Services Rate Sheet for rate information.
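Because a single AD security group both grants VPN client access and drives the annual user count, the agency security officer needs a repeatable way to review it before DET takes its count. The following PowerShell script is an added example for this page, not part of the DET SOD and not a DET tool. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host; the group name VPN-Client-Users and the 90-day staleness threshold are placeholders, and the assumption that nested group members are counted is the script's own, not a statement from the document.

```powershell
# Added example (not from the DET SOD): audit the AD security group that
# gates VPN Client to DET access, so disabled or stale accounts are removed
# before DET's annual user count rather than billed and left with access.
# Assumptions: RSAT ActiveDirectory module present; group name and stale
# threshold are placeholders supplied by the agency security officer.
param(
    [string]$GroupName = 'VPN-Client-Users',   # placeholder, not a real DET group name
    [int]$StaleDays    = 90                    # assumption: no logon in 90 days warrants review
)

Import-Module ActiveDirectory -ErrorAction Stop

# Expand nested groups so the count reflects every user the group actually admits.
$members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' })

$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = @(foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate

    # Classify: a disabled account still in the group is a cleanup item;
    # an enabled account with no recent logon should be justified or removed.
    $flag = ''
    if (-not $u.Enabled) {
        $flag = 'DISABLED-still-in-group'
    } elseif ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
        $flag = 'STALE'
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        LastLogonDate  = $u.LastLogonDate
        Flag           = $flag
    }
})

# Summary: total is the figure the annual charge would be based on;
# the flagged subset is what the security officer should act on first.
$total    = $report.Count
$disabled = @($report | Where-Object { $_.Flag -eq 'DISABLED-still-in-group' }).Count
$stale    = @($report | Where-Object { $_.Flag -eq 'STALE' }).Count
Write-Host "Group $GroupName : $total user(s) in scope; $disabled disabled; $stale stale (>$StaleDays days)"

$report | Where-Object { $_.Flag } | Sort-Object Flag, SamAccountName | Format-Table -AutoSize

# Keep a dated copy as the review record for the annual count.
$report | Export-Csv -Path ".\vpn-group-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it with the real group name as `-GroupName`; the CSV gives the security officer a dated record to reconcile against DET's count, and the flagged rows are the accounts to remove or justify before the count is taken.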