Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

Part of Business Applications Guidance

Types of remote access solutions

Current Chapter

Current chapter – Types of remote access solutions

This diagram below shows a number of scenarios where you may deploy a remote access solution.


Remote access deployment scenarios


Clientless solutions

Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.

Clientless VPN (suppliers, lightweight access)

Clientless virtual private network lets users establish a secure, remote-access VPN tunnel to an Enterprise Security appliance that can offer administrators a single point of control to assign granular access based on both the user and the device via a web browser. Users do not need a software or hardware client.

Many sources still refer to these solutions as SSL (Secure Socket Layer) VPNs. SSL encryption has largely been replaced by a more secure protocol, Transport Layer Security (TLS). SSL protocols (SSL 2.0 and 3.0) were deprecated by the  Internet Engineering Task Force (IETF) and SSL VPNs (secure ones) now implement TLS. SSL can no longer be trusted to ensure data security and privacy. TLS successfully stops eavesdropping and tampering by ensuring data integrity between the VPN client and the VPN server.

Clientless VPN provides secure and easy access to a broad range of web resources and web-enabled applications from almost any computer on the internet. They include, but are not limited to:

  • internal websites
  • web-enabled applications
  • e-mail proxies, including POP3S, IMAP4S, and SMTPS
  • application access (smart tunnel or port forwarding access to other TCP-based applications)

Client-based solutions

Client applications are installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer. The client supplies access to most types of corporate resources according to the access privileges of the user.

NHS client based TLS or IPSec VPN (office, home worker and mobile remote access)

With the re-deployment of staff to remote locations there may be the requirement to create a split tunnel to afford access to corporate systems as well as the internet, whilst minimising demands on your corporate network. Learn more about guidance to split tunnels [Archive Content]

Due to current circumstances, large numbers of GPs and other staff are working from remote locations but require access to their on-premise systems, such as DOCMAN. Historically this has been achieved using an RDP (Remote Desktop Protocol) session however following migration to HSCN this port (3389) has been blocked for security reasons.  We have provided a guide to the risks and mitigation's around this topic.

Traditional VPNs rely on IPSec (Internet Protocol Security) to tunnel between the two endpoints. IPSec works on the network layer of the Open Systems Interconnection (OSI) model - securing all data that travels between the two endpoints without an association to any specific application. When connected on an IPSec VPN the client computer is "virtually" a full member of the corporate network - able to see and potentially access the entire network.

The majority of IPSec VPN solutions require third-party hardware and/or software. In order to access an IPSec VPN, the workstation or device in question must have an IPSec client software application installed.

Cloud based remote access

Cloud based remote access delivers a managed service via bespoke client software that provides secure VPN connectivity. The services can be tailored to provide independent access or combined access connectivity to use other business solutions such as UC and VC services. Cloud based solutions provide low cost and scalable solutions and use industry standard security protocols and processes.

However, it is vitally important to ensure that any remote cloud access solution meets the necessary NHS and government security principles. IT departments should undertake a full risk evaluation of any cloud product to ensure it meets the necessary security criteria.

Guidance has been produced on how public cloud services are connected to HSCN and should be used to define what approvals and organisation obligations are when connecting Infrastructure from a public cloud provider directly on to HSCN.


Cloud Security Principles

There are a number of common approaches that can be used to address several Cloud Security Principles. There are 14 CESG government principles that have been created.

Examples of some of these cloud service specific principles are:

  1. Data in transit - network protection (denying your attacker access to intercept data).
  2. Encryption (denying your attacker the ability to read data).
  3. Physical location and legal jurisdiction - for organizations wishing to offshore data, or needs agreement from Cabinet Office. 
  4. Separation between consumers - separation between different consumers of the service prevents one malicious or compromised consumer from affecting the service or data of another. Specific information related to private, community and public cloud services are all represented.

Mobile based remote access

Mobile based remote access utilises the mobile network infrastructure and allows end users to remotely access applications and information from a variety of devices (such as smartphone, tablets and laptops). These connections are facilitated via secure remote access processes and procedures. Health and social care organisations must ensure deployment of appropriate user access management (such as IPSec tunnels, Smart cards, two-factor authentication processes), and that the corporate network security infrastructure is monitored and maintained correctly so that any remote access services does not become a weak point in overall IT security.

There are some essential factors to consider when choosing a remote access solution:

  1. L3 VPN tunnel vs. Secure Business portal: Is there a requirement for a full VPN tunnel to protect the access from any installed application to the organisation, or do you need a simpler portal that provides simple and secure access for published applications?
  2. Client-based vs. clientless: Does the solution require an agent to be installed on the endpoint computer, or is it clientless, for which only a web browser is required?
  3. Secure connectivity vs. endpoint security: Does the solution provide only secure connectivity, or also additional endpoint security functionalities, when the device is not connected via a VPN tunnel to the business?

Find a full list of the cloud security principles

Last edited: 30 May 2022 5:01 pm