Maintaining access to internet services after migrating to HSCN

Every computer on a network, including the internet, is allocated a unique sequence of numbers known as an Internet Protocol (IP) address that identifies the computer and enables communication over the network.

One of the security measures used by application service providers (ASP) is to restrict access to authorised users by their IP address or IP address range. This is achieved by using an access control list (ACL) that lists the IP addresses of authorised users. When a user’s range changes they will be denied access to the service until their new range is added to the ACL.

Private networks such as the BT Transition Network and the Health and Social Care Network (HSCN) utilise a private range of IP addresses to enable communication within the private network. These private ranges cannot be addressed directly from the internet, so when an internet service is accessed it is necessary to allocate an IP address that is accessible. To do this, network address translation is used to adopt an IP from the publicly addressable range on the internet gateway; this is the range of IP addresses that the ASP requires to allow access to their service.

This IP address is different on HSCN and ASPs that use ACLs will need to be advised of this change to allow access to their service. The diagrams below provide further information.

NHS organisations on the BT Transition Network (formerly N3) typically accessed the internet via the BT Transition Network Enhanced Internet Gateway (EIG) see figure 1.

Figure 1: Transition Network NHS organisations accessing internet-provided applications via BT Gateway.

To access applications and services on the internet, the service provider may have requested the source IP address of the originating traffic as highlighted in figure 1, point 1. For Transition Network consumers this would be the Transition Network EIG external Réseaux IP Européens (RIPE) IP addresses. Internet service providers would then implement an ACL permitting traffic from this source to the application or service.

When an NHS organisation migrates to HSCN, traffic will be routed to the internet by their HSCN Consumer Network Service Provider (CNSP) via the Advanced Network Monitoring (ANM) service (figure 2). NHS organisations that previously received applications and services that are hosted on the internet and have previously supplied BT Transition Network EIG RIPE IP addresses will have to ensure that they provide the new RIPE IP address of the ANM internet gateway; figure 2, point 1.

Figure 2: HSCN consumer accessing internet-provided applications via their CNSP.

The internet gateway RIPE addresses can be requested from enquiries@nhsdigital.nhs.uk after you have completed a HSCN Connection Agreement. Please provide your organisations ODS code in the request.