Client - to - LAN
The Client-to-LAN VPN Service replaces traditional dial-in remote access by giving the remote user the ability to connect to the State intranet through a secure encrypted tunnel built from the user's remote PC (desktop or laptop) to the State VPN gateway appliance. In order to utilize the VPN service, the end user must have access to the Internet through an Internet Service Provider (note: Internet access is not included under this service). The remote user must also download the VPN client software and digital certificate, then install each on the computer that will be used for remote VPN connectivity to the State network. Each user will be issued an access policy either individually or as a member of a user group. The access permissions are configured in the VPN gateway appliance as an individual or group access policy. The access policy must be provisioned in the VPN gateway, and the client VPN software installed along with the digital certificate, before a VPN session can be negotiated. The access policy in which the user resides governs the network(s), subnet(s), or specific host server(s) the end user or group is permitted to access; all other IP traffic is denied access into the State network. The access policy shall be configured per the information provided within the service request CSA issued to CITS by the requesting agency. Any future change(s) made to the user or group access policy will require an additional CSA to be submitted specifying the requested change(s). User logon authentication is accomplished with a username / password in combination with a digital certificate issued by the CITS-controlled Certificate Authority (CA).
SECURITY NOTE: Generic VPN accounts may not be used by multiple users. CITS monitors and logs user activity and must be capable of identifying any user conducting malicious activities irrefutably.
EXCEPTION: CITS will provision generic VPN accounts as requested for emergency personnel to be used during a disaster. However, the use of generic accounts is not permitted for day-to-day connectivity due to the loss of user accountability.
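The access model described above (each user resides in exactly one individual or group policy, the policy lists the networks, subnets or hosts that user may reach, and every other destination is denied) can be illustrated with a small default-deny evaluator. The following is an added example written for this page; it is not CITS's gateway configuration or software, and the usernames, policy names and RFC 1918 addresses in it are constructed placeholders. It also shows why a decision record always carries an individual username, which is the accountability the security note above depends on.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessPolicy:
    """One access policy as provisioned from a CSA: a name plus the permitted destinations."""
    name: str
    permitted: Tuple[ipaddress._BaseNetwork, ...]  # anything not listed here is denied


def make_policy(name: str, destinations: List[str]) -> AccessPolicy:
    """Build a policy from CIDR blocks or single host addresses (a bare host becomes a /32)."""
    nets = tuple(ipaddress.ip_network(d, strict=False) for d in destinations)
    return AccessPolicy(name, nets)


# Constructed sample data (hypothetical names and private addresses; not real State policies).
POLICIES: Dict[str, AccessPolicy] = {
    "grp-payroll": make_policy("grp-payroll", ["10.20.0.0/16"]),            # a whole network
    "grp-helpdesk": make_policy("grp-helpdesk", ["10.30.5.0/24", "10.30.6.10"]),  # a subnet and one host
    "usr-jdoe": make_policy("usr-jdoe", ["10.40.1.7"]),                     # individual policy, single host
}

# The policy each authenticated username resides in, individually or as a group member.
ASSIGNMENTS: Dict[str, str] = {
    "jdoe": "usr-jdoe",
    "asmith": "grp-payroll",
    "bjones": "grp-helpdesk",
}


def resolve_policy(username: str) -> Optional[AccessPolicy]:
    """Return the policy a user resides in, or None if no policy has been provisioned for them."""
    policy_name = ASSIGNMENTS.get(username)
    return POLICIES.get(policy_name) if policy_name else None


def decide(username: str, dst: str) -> str:
    """Permit traffic only to destinations inside the user's policy; deny everything else.

    A user with no provisioned policy gets nothing, matching the rule that the policy must
    exist in the gateway before a session can be negotiated.
    """
    policy = resolve_policy(username)
    if policy is None:
        return "deny"
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in policy.permitted):
        return "permit"
    return "deny"


def audit_line(username: str, dst: str) -> str:
    """One log record per decision, always tied to an individual username (no shared accounts)."""
    policy = resolve_policy(username)
    policy_name = policy.name if policy else "-"
    return f"user={username} policy={policy_name} dst={dst} action={decide(username, dst)}"


def reprovision(policy_name: str, destinations: List[str], csa_ref: str) -> AccessPolicy:
    """Replace a policy's destinations; in the model above every change needs a new CSA reference."""
    if not csa_ref:
        raise ValueError("a change to an access policy requires a CSA reference")
    POLICIES[policy_name] = make_policy(policy_name, destinations)
    return POLICIES[policy_name]


if __name__ == "__main__":
    for user, dst in [("asmith", "10.20.44.9"), ("asmith", "10.30.5.1"),
                      ("bjones", "10.30.6.10"), ("bjones", "10.30.6.11"),
                      ("jdoe", "10.40.1.7"), ("nobody", "10.20.1.1")]:
        print(audit_line(user, dst))
```

Every destination outside the user's own policy, and every request from a username with no provisioned policy, evaluates to "deny"; only the listed networks, subnets and hosts produce "permit".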
Note: For end users that plan to operate the VPN Client behind a broadband router used to connect to the Internet, CITS does not recommend any particular brand of broadband router. You should use a router that supports IPSec pass-through and/or supports a programmable MTU size. Some routers have been proven not to support IPSec pass-through in the past, effectively blocking encrypted IP traffic. Also, if the plan includes having multiple Client-to-LAN VPN accounts behind the same router, you should use a router that supports multiple encrypted tunnels (resource information on routers can be found at http://www.practicallynetworked.com).

