Guidance and technical information on how to federate with NHSmail
Introduction
This document provides organisations seeking to federate with NHSmail Skype for Business (SfB) with a list of common questions and answers on federation. The document also provides a summary of the on-boarding, support and disconnection (de-federation) processes. This guide only applies to NHSmail England users; any queries for NHSmail Scotland users should be directed to National Services Scotland.
Overview
The NHSmail service has been designed to enable interoperability with third-party systems.
NHSmail SfB is one key area of the service where interoperability holds significant value in enabling collaboration across health and social care:
- SfB federation enables NHSmail SfB users to connect with users in other organisations that use SfB.
- Federated contacts can see presence, communicate using Instant Messaging and make Skype-to-Skype audio and video calls (if configured and purchased by the local organisations).
- All federated communications are encrypted between the SfB instances.
SfB federation requires the consent and correct configuration of both parties of the federated relationship, which will need to be completed by the SfB system administrators. Currently, federation is only being offered to those organisations operating in a health and care setting.
- NHSmail SfB will not be federating with consumer Skype, just Skype for Business implementations.
- Please note, currently NHSmail SfB federation does not support file sharing between users.
Files should be shared via NHSmail or another recognised secure email service as this allows files to be scanned and checked, providing secure delivery.
Recording is currently switched off, as there is no easy way to manage the resultant video and this would lead to both clinical and information governance issues with the storage of such content.
Terminology
Interoperability – the ability of computer systems or software to exchange and make use of information
Federation – functionality which allows users to communicate with others outside their organisation
Authorised signatory – officer or representative vested (explicitly, implicitly, or through conduct) with the powers to commit the authorising organisation to a binding agreement.
Federation partner & Partner – organisation with which Skype for Business federation is enabled
Federation Partnership Agreement (FPA) – a formal document agreeing the federation between the partner organisations
Domain Name System (DNS) – the Internet’s system for converting alphabetic names into numeric IP addresses.
De-federation – the process of removing Skype for Business federation services.
End-user – user of the Skype for Business service.
Single Point of Contact (SPOC) – a person or department serving as the co-ordinator or focal point of information, concerning an activity or program. For the purpose of Skype federation, the SPOC is each organisation’s local helpdesk purposed for providing IT support.
Session Initiated Protocol (SIP) address – a unique identifier for each user on the network, used to authenticate on to Skype for Business. Each person using Skype will type in their SIP address and then password as part of the login process.
Guidance and process flows to federate/de-federate
Federating with NHSmail Skype for Business, high-level on-boarding process
Organisations wishing to federate with the NHSmail Skype for Business platform must demonstrate that they work in a health and care environment and that the system will be used for such purposes. Organisations must demonstrate a level of information governance maturity and confirm that they hold an appropriate level: IGSoC level 2 or an equivalent.
Organisations should read the Skype for Business technical guidance later in the document, to understand the requirements for federation.
For organisations seeking to federate with NHSmail SfB, the process starts by emailing [email protected] to raise a request. Please detail the health and care use in the initial request.
If the federation request is acceptable, the NHSmail team will respond with a Federation Partnership Agreement (FPA) which must be completed and signed by an authorised signatory for your organisation. If not, the organisation will be informed of the decision as to why we cannot federate.
Once completed and signed, please return the FPA via email to [email protected]. The FPA will be reviewed by NHSmail and, if approved, the request will be submitted to the NHSmail technical team who will advise when the federation will be enabled. Any concerns identified at the point of submission will be communicated back to the federation partner.
Upon enablement, the NHSmail technical contact will liaise with the federation partner’s technical contact to perform testing to ensure the service is operational. The test will incorporate instant messaging between the technical contacts.
Upon successful federation, NHSmail will publish details of federated organisations on the NHSmail support pages, including the name of the organisation, date federated and the federated partner’s statement on their intended use of the federation service.
Process representation for federation
High-level de-federation from NHSmail process
During the course of the federation, there are two ways a federated partner can have their federation suspended or revoked:
- The term of the NHSmail contract coming to an end which will invoke the process to remove federation services with the federation partner.
- If there is a change in the business, technical or operational infrastructure of the federated partner organisation, e.g. if the federated partner ceases to trade, there is a change in ownership, change of name, technology/security change or anything that would require a new application for federation.
In the second scenario, for revoking federation, it is the responsibility of the federated partner to notify NHSmail via [email protected] within 48 hours of the issue/change occurring. The appropriate contact identified within the FPA must notify their counterpart within the organisation using NHSmail.
There is no formal requirement for the renewal of an FPA. It is the partner organisation’s responsibility to notify NHSmail to remove federation or of any changes with the partner (as per the de-federation process outlined) that impact the federation. The federation will be suspended when the NHSmail contract comes to an end.
Process representation for de-federation
High-level process to follow for Federation support (partner organisation)
If issues are experienced with the federation service, such as a partner end-user being unable to instant message an NHSmail user via SfB, the partner end-user must first contact their own organisation’s support desk. The partner’s support desk will provide support in the first instance, using their internal escalation process. If the investigations by the partner identify that the issue lies with the NHSmail service, as identified in the FPA, the partner’s Single Point of Contact (SPOC) escalates the issue to the NHSmail national helpdesk. The NHSmail helpdesk will follow its standard escalation process to identify and resolve the issue.
NHSmail are only able to investigate issues on the NHSmail side of the connection. If there is a change in SPOC at the partner organisation, it is the partner’s responsibility to notify NHSmail through the NHSmail SPOC. Only the identified contacts within the FPA are authorised to request information or support from NHSmail.
Process representation for escalations
Skype for Business technical guidance
The NHSmail Skype for Business instance uses Direct Federation (or allowed partner server). The information given below is for an on-premise Skype for Business 2015 instance.
If you have a different configuration, some of the detail below will be different. For example, if using Office 365 and online Skype for Business then this could be the DNS configuration.
Already federated?
If you have already federated your Skype for Business (SfB) instance with other organisations, you will still need to complete the FPA.
New to federation?
- If your organisation has never federated before:
  - You will have to deploy an Access Edge Server which is reachable from the internet using a Fully Qualified Domain Name (FQDN) (https://technet.microsoft.com/en-us/library/dn951368.aspx)
  - Install a publicly issued certificate on the Access Edge Server (https://technet.microsoft.com/en-us/library/dn951368.aspx#Anchor_2)
  - Configure your network, routing and firewalls as well as DNS (covered in the above two links and summarised below) and provide the information asked for above.
- The reader should consult the Microsoft deployment guidance for Edge Servers for detail (https://technet.microsoft.com/en-us/library/dn933903.aspx).
The summary of network configuration information, below, will help with planning and impact assessments before starting the work.
External DNS information
The records listed below must be publicly accessible and point to addresses accessible from the internet. Replace <sip-domain> with your domain.
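The following check is an added example, not part of the NHSmail guidance: it audits a set of resolved records against the requirement above that each one resolves and points to an address reachable from the internet. The host names and addresses in `SAMPLE` are constructed placeholders; `resolve()` can be used to fill in real answers for your own records.

```python
import ipaddress
import socket

# Address ranges that are never reachable from the internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                  # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

def resolve(name):
    """Resolve a host name with the local resolver; empty list on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    # Drop any IPv6 scope id ("%eth0") so ipaddress can parse the result.
    return sorted({info[4][0].split("%")[0] for info in infos})

def audit_records(resolved):
    """Map each record name to a list of problems (empty list = passes)."""
    report = {}
    for name, addresses in resolved.items():
        problems = []
        if not addresses:
            problems.append("does not resolve")
        for text in addresses:
            addr = ipaddress.ip_address(text)
            if any(addr in net for net in NON_ROUTABLE):
                problems.append(f"{text} is not internet-routable")
        report[name] = problems
    return report

# Constructed sample: hypothetical record names and answers.
SAMPLE = {
    "accessedge.partner.example": ["203.0.113.10"],  # public answer: passes
    "sip.partner.example": ["10.20.30.40"],          # internal address leaked
    "old.partner.example": [],                       # no public record
}

if __name__ == "__main__":
    for name, problems in audit_records(SAMPLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run `resolve()` from outside your own network, because an internal (split-horizon) resolver can return answers that external partners never see.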
Port requirements
The ports listed, unless otherwise specified, are for the external Access Edge Server to the internet. Restrictions can be imposed by only opening the route to the IP address of the NHSmail Access Edge Server. This is not recommended, as the IP address of the server may change without notice.
Important Information
Be aware of your responsibilities
As with all systems, controls can only go so far; users should always be aware of their individual responsibilities in relation to information governance and clinical situations and respond in accordance with their own organisational policies.
The NHSmail service has file sharing and recording switched off, but this does not mean that federated organisations operate with the same criteria. Some may have both or one of these switched on. In certain circumstances, this may allow file sharing to be done between parties.
An example of this is a peer-to-peer conversation or call in which the federated partner invites a third person to the call: this would result in the peer-to-peer call being hosted as a conference on the federated partner’s system. In this situation, the federated partner settings would take precedence over those of NHSmail, which could allow file sharing and/or recording to be available.
The recommendation from the NHSmail service is for users to use NHSmail email for sharing files and not to use Skype for Business.
Frequently asked questions (FAQs)
Federating with NHSmail Skype for Business
Technical requirements for federation
Technical support arrangements
Clinical safety
Connection renewal