Types of remote access solutions
The diagram below shows a number of scenarios in which you may deploy a remote access solution.
Users connect through a web browser over HTTPS. Clientless solutions usually supply access to web-based corporate resources.
NHS clientless SSL VPN (NHS suppliers, lightweight access)
A clientless Secure Sockets Layer virtual private network (SSL VPN) lets NHS users establish a secure remote-access VPN tunnel, via a web browser, to an enterprise security appliance. The appliance gives administrators a single point of control for assigning granular access based on both the user and the device. Users do not need a software or hardware client.
Clientless SSL VPN provides secure and easy access to a broad range of web resources and web-enabled applications from almost any computer on the internet. These include, but are not limited to:
- internal websites
- web-enabled applications
- e-mail proxies, including POP3S, IMAP4S, and SMTPS
- application access (smart tunnel or port forwarding access to other TCP-based applications)
Client applications are installed on endpoint computers and devices, usually managed devices such as company-owned computers. The client supplies access to most types of corporate resources according to the access privileges of the user.
NHS client-based SSL or IPSec VPN (office, home worker and mobile remote access)
With the redeployment of staff to remote locations, there may be a requirement to create a split tunnel that gives access to corporate systems as well as the internet while minimising demands on your corporate network. Learn more in the guidance on split tunnels.
Due to current circumstances, large numbers of GPs and other staff are working from remote locations but require access to their on-premises systems, such as DOCMAN. Historically this has been achieved using an RDP (Remote Desktop Protocol) session; however, following migration to HSCN the RDP port (3389) has been blocked for security reasons. We have provided a guide to the risks and mitigations around this topic.
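As an added illustration of the two points above (not NHS Digital's own tooling), this small Python audit classifies a remote client's outbound flows against a split-tunnel policy and flags legacy RDP (port 3389) use that will now fail over HSCN or that leaves the device directly, bypassing corporate controls. The corporate prefixes and the log lines are constructed placeholders, not real NHS or HSCN addressing.

```python
import ipaddress

# Constructed corporate (on-premises, HSCN-reachable) prefixes that the split
# tunnel sends via the VPN; anything else leaves the device directly.
# Placeholder ranges only, not real NHS or HSCN addressing.
CORPORATE_PREFIXES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("172.31.40.0/22"),
]
RDP_PORT = 3389  # blocked on HSCN, as described in the guidance above

# Constructed client-side connection log, one "key=value" flow per line.
SAMPLE_LOG = """\
ts=2024-03-01T09:12:03Z src=192.0.2.10 dst=10.20.5.7 proto=tcp dport=3389
ts=2024-03-01T09:12:09Z src=192.0.2.10 dst=10.20.8.40 proto=tcp dport=443
ts=2024-03-01T09:13:21Z src=192.0.2.10 dst=203.0.113.25 proto=tcp dport=443
ts=2024-03-01T09:14:02Z src=192.0.2.10 dst=198.51.100.9 proto=tcp dport=3389
"""


def parse_flow(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict, converting dport to an int."""
    flow = dict(field.split("=", 1) for field in line.split())
    flow["dport"] = int(flow["dport"])
    return flow


def route_for(dst_ip: str) -> str:
    """'tunnel' if dst lies inside a corporate prefix, otherwise 'direct'."""
    addr = ipaddress.ip_address(dst_ip)
    return "tunnel" if any(addr in net for net in CORPORATE_PREFIXES) else "direct"


def assess(flow: dict) -> dict:
    """Attach the split-tunnel route and flag RDP that needs attention:
    RDP into corporate space will fail (3389 is blocked on HSCN), and RDP
    going direct to the internet bypasses corporate controls entirely."""
    route = route_for(flow["dst"])
    issue = None
    if flow["proto"] == "tcp" and flow["dport"] == RDP_PORT:
        issue = "rdp-blocked-on-hscn" if route == "tunnel" else "rdp-direct-to-internet"
    return {**flow, "route": route, "issue": issue}


def assess_log(text: str) -> list:
    """Parse and assess every non-empty line of a connection log."""
    return [assess(parse_flow(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in assess_log(SAMPLE_LOG):
        print(r["dst"], r["dport"], r["route"], r["issue"] or "ok")
```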
This is generally described as one of the largest advantages of SSL VPN solutions: SSL is a common protocol and most web browsers have SSL capabilities built in, so almost every computer in the world is already equipped with the necessary "client software" to connect to an SSL VPN.
Traditional VPNs rely on IPSec (Internet Protocol Security) to tunnel between the two endpoints. IPSec works at the network layer of the Open Systems Interconnection (OSI) model, securing all data that travels between the two endpoints without any association to a specific application. When connected over an IPSec VPN the client computer is "virtually" a full member of the corporate network, able to see and potentially access the entire network.
The majority of IPSec VPN solutions require third-party hardware and/or software. In order to access an IPSec VPN, the workstation or device in question must have an IPSec client software application installed.
Cloud-based remote access
Cloud-based remote access delivers a managed service via bespoke client software that provides secure VPN connectivity. The service can be tailored to provide independent access, or combined access connectivity to other business solutions such as unified communications (UC) and video conferencing (VC) services. Cloud-based solutions are low cost and scalable, and use industry-standard security protocols and processes.
However, it is vitally important to ensure that any remote cloud access solution meets the necessary NHS and government security principles. NHS IT departments should undertake a full risk evaluation of any cloud product to ensure it meets the necessary security criteria.
Guidance has been produced on how public cloud services are connected to HSCN; use it to determine the approvals required and the organisation's obligations when connecting infrastructure from a public cloud provider directly to HSCN.
Cloud Security Principles
A number of common approaches can be used to address several of the Cloud Security Principles at once. CESG has published 14 such government principles.
Examples of some of these cloud service specific principles are:
- Data in transit - network protection (denying your attacker access to intercept data).
- Encryption (denying your attacker the ability to read data).
- Physical location and legal jurisdiction - relevant to organisations wishing to offshore data, which requires agreement from the Cabinet Office.
- Separation between consumers - separation between different consumers of the service prevents one malicious or compromised consumer from affecting the service or data of another. Specific information relating to private, community and public cloud services is represented.
Mobile-based remote access
Mobile-based remote access uses the 3G/4G mobile network infrastructure and allows end users to remotely access applications and information from a variety of devices (such as smartphones, tablets and laptops). These connections are facilitated via secure remote access processes and procedures. NHS organisations must ensure that appropriate user access management is deployed (such as IPSec tunnels, smart cards and two-factor authentication), and that the corporate network security infrastructure is monitored and maintained correctly, so that remote access services do not become a weak point in overall IT security.
There are some essential factors to consider when choosing a remote access solution for an NHS mobile deployment in an organisation:
- L3 VPN tunnel vs. Secure Business portal: Is there a requirement for a full VPN tunnel to protect the access from any installed application to the NHS site, or do you need a simpler portal that provides simple and secure access for published applications?
- Client-based vs. clientless: Does the solution require an agent to be installed on the endpoint computer, or is it clientless, for which only a web browser is required?
- Secure connectivity vs. endpoint security: Does the solution provide only secure connectivity, or also additional endpoint security functionalities, when the device is not connected via a VPN tunnel to the business?