Skype for Business Federation

Guidance and technical information on how to federate with NHSmail

Introduction

This document provides organisations, seeking to federate with NHSmail Skype for Business (SfB), with a list of common questions and answers on federation. The document also provides a summary of the on-boarding, support and disconnection (de-federation)
processes. This guide only applies to NHSmail England users and any queries for NHSmail Scotland users, should be directed to National Services Scotland.

Overview

The NHSmail service has been designed to enable interoperability with third-party systems.
NHSmail SfB is one key area of the service where interoperability holds significant value in enabling collaboration across health and social care:

  •  SfB federation enables NHSmail SfB users to connect with users in other organisations that use SfB.
  •  Federated contacts can see presence, communicate using Instant Messaging and make Skype-to-Skype audio and video calls (if configured and purchased by the localorganisations).
  • All federated communications are encrypted between the SfB instances.
    SfB federation requires the consent and correct configuration of both parties of the federated relationship, which will need to be completed by the SfB system administrators. Currently, federation is only being offered to those organisations operating in a healthand care setting.
  • NHSmail SfB will not be federating with consumer Skype, just Skype for Business implementations.
  • Please note, currently NHSmail SfB federation does not support file sharing between users.
    Files should be shared via NHSmail or another recognised secure email service as this allows files to be scanned and checked, providing secure delivery.
    Recording is currently switched off, as there is no easy way to manage the resultant videoand this would lead to both clinical and information governance issues with the storage of such content.

Terminology

Interoperability – the ability of computer systems or software to exchange and make use of information
Federation – functionality which allows users to communicate with others outside their organisation
Authorised signatory – officer or representative vested (explicitly, implicitly, or through conduct) with the powers to commit the authorising organisation to a binding agreement.
Federation partner & Partner – organisation with which Skype for Business federation is enabled between
Federation Partnership Agreement (FPA) – a formal document agreeing the federation between the partner organisations
Domain Name System (DNS) – the Internet’s system for converting alphabetic names into numeric IP addresses.
De-federation – the process of removing Skype for Business federation services.
End-user – user of the Skype for Business service.
Single Point of Contact (SPOC) – a person or department serving as the co-ordinator or focal point of information, concerning an activity or program. For the purpose of Skype federation, the SPOC is each organisation’s local helpdesk purposed for providing IT support.
Session Initiated Protocol (SIP) address – a unique identifier for each user on the network, used to authenticate on to Skype for Business. Each person using Skype will type in their SIP address and then password as part of the login process.

Guidance and process flows to federate/de-federate

Federating with NHSmail Skype for Business, high-level on-boarding process

Organisations wishing to federate with the NHSmail Skype for Business platform must demonstrate that they work in a health and care environment and the system will be used forsuch purposes. Organisations must demonstrate a level of information governance maturityand will confirm that organisations hold an appropriate level IGSoC level 2 or an equivalent.

Organisations should read the Skype for Business technical guidance later in the document, to understand the requirements for federation.
For organisations seeking to federate with NHSmail SfB, the process starts by emailing [email protected] to raise a request. Please detail the health and care use in the initial request.

If the federation request is acceptable, the NHSmail team will respond with a Federation Partnership Agreement (FPA) which must be completed and signed by an authorised signatory for your organisation. If not, the organisation will be informed of the decision as to why we cannot federate.
Once completed and signed, please return the FPA via email to [email protected]. The FPA will be reviewed by NHSmail and, if approved, the request will be submitted to the NHSmail technical team who will advise when the federation will be enabled. Any concerns identified at the point of submission will be communicated back to the federation partner.
Upon enablement, the NHSmail technical contact will liaise with the federation partner’s technical contact to perform testing to ensure the service is operational. The test will incorporate instant messaging between the technical contacts.

Upon successful federation, NHSmail will publish details of federated organisations on the NHSmail support pages, including the name of the organisation, date federated and the federated partner’s statement on their intended use of the federation service.

Process representation for federation

Skype For business

High-level de-federation from NHSmail process

During the course of the federation, there are two ways a federated partner can have their federation suspended or revoked:

  1.  The term of the NHSmail contract coming to an end which will invoke the process to remove federation services with the federation partner.
  2.  If there is a change in the business, technical or operational infrastructure of the federated partner organisation, e.g. if the federated partner ceases to trade, there is a change in ownership, change of name, technology/security change or anything that would require a new application for federation.

In the second scenario, for revoking federation, it is the responsibility of the federated partner to notify NHSmail via [email protected] within 48 hours of the issue/change occurring. The appropriate contact identified within the FPA must notify their counterpart within the organisation using NHSmail.
There is no formal requirement for the renewal of an FPA. It is the partner organisation’s responsibility to notify NHSmail to remove federation or of any changes with the partner (as perde-federation process outlined) that impact the federation. The federation will be suspended when the NHSmail contract comes to an end.

Process representation for de-federation

Skype For Business

High-level process to follow for Federation support (partner organisation)

If issues are experienced with the federation service, such as a partner end-user is unable to instant message an NHSmail user via SfB, in the first instance the partner end-user must contact their own organisation’s support desk. The partner’s support desk will provide support in the first instance, using their internal escalation process. If the investigations by the partner identify that the issue lies with the NHSmail service, as identified in the FPA, the partners Single Point of Contact (SPOC) escalates the issue with the NHSmail national helpdesk. The NHSmail helpdesk will follow its standard escalation process to identify and resolve the issue.

NHSmail are only able to investigate issues on the NHSmail side of the connection. If there is a change in SPOC at the partner organisation, it is the partner’s responsibility to notify NHSmail through the NHSmail SPOC. Only the identified contacts within the FPA are authorised to request information or support from NHSmail.

Process representation for escalations

Skype for business

Skype for Business technical guidance

The NHSmail Skype for Business instance uses Direct Federation (or allowed partner server). The information given below is for an on-premise Skype for Business 2015 instance.
If you have a different configuration, some of the detail below will be different. For example, if using Office 365 and online Skype for Business then this could be the DNS configuration.

Already federated?

If you have already federated your Skype for Business (SfB) instance with other organisations, you will still need to complete the FPA.

New to federation?

The summary of network configuration information, below, will help with planning and impact assessments before starting the work.

External DNS information

The records listed below must be publicly accessible and point to addresses accessible from the internet. Replace <sip-domain> with your domain.

 

Skyper for business

Skype for business

Port requirements

The ports listed, unless others specified, are for the external Access Edge Server to the internet. Restrictions can be imposed by only opening the route to the IP address of the NHSmail Access Edge Server. This is not recommended as the IP address of the server may change without notice.

Skype for business

Important Information

Be aware of your responsibilities

As with all systems, controls can only go so far, users should always be aware of their individual responsibilities in relation to information governance and clinical situations and respond in accordance with their own organisational policies.
The NHSmail service has file sharing and recording switched off, this does not mean that federated organisations operate with the same criteria. Some may have both or one of these switched on. In certain circumstances, this may allow file sharing to be done between parties.

An example of this is when in a peer-to-peer conversation or call, if the federated partner invites a third person to the call this would result in the peer-to-peer call being hosted as a conference on the federated partner’s system. In this situation, the federated partner settings would take precedence over those of NHSmail, this could allow file sharing and/or recording to be available.

The recommendation from the NHSmail service is for users to NHSmail email for sharing files and not to use Skype for Business.

An example of this is when in a peer-to-peer conversation or call, if the federated partner invites a third person to the call this would result in the peer-to-peer call being hosted as a conference on the federated partner’s system. In this situation, the federated partner settings would take precedence over those of NHSmail, this could allow file sharing and/or recording to be available.

The recommendation from the NHSmail service is for users to NHSmail email for sharing files and not to use Skype for Business.

Frequently asked questions (FAQs)

Federating with NHSmail Skype for Business
What is Skype for Business (SfB) federation?
SfB federation allows other organisations to connect to the NHSmail platform to facilitate instant messaging and voice and video communications. For example, a council may have their own SfB implementation. By federating with the NHSmail platform, this will allow council employees to use their Skype service to communicate with NHSmail users that are using the NHSmail platform. Note, NHSmail is only federating SfB services and this does not extend to others such as Exchange.
What information do I need to provide to NHSmail?
The following information is requested in the FPA:

Skype for business

What guidance is available to enable federation?
All technical information required to enable federation with NHSmail SfB is included with the FPA and will be provided on request.
Can SfB federate with organisations using SfB on-premise?
Yes, this is the main objective, to provide a mechanism to be able to connect the implementations. Please note the current federation offering is only open to those organisations operating in a health and social care setting. Currently we are not federating with consumer Skype and non-SfB work streams.
How do we start the federation?
The process is started by contacting [email protected], with a request to federate.
If we federate with NHSmail, does that mean we will have access to all other organisations that have also federated with NHSmail?
No, users within your organisation will be able to communicate with NHSmail users only. NHSmail users will however be able to communicate with all those organisations that have an active federation. ntent
When I am looking for a person within the federated partner’s organisation, why are they not displayed like contacts within my organisation?
We are only federating at a Skype for Business level which means the full SIP address of the person you are wishing to message or initiate a call with will be required, in order to see them displayed. A SIP address is the login a user will use to access their Skype system.
Can I share files within Skype for Business?
The NHSmail platform prevents file sharing on its implementation of Skype, however if the federated parties Skype implementation allows file sharing and a meeting is created from that platform (by a federated user) then NHSmail users will be able to share files, as this is not being hosted on NHSmail. Users should only download content they trust. Our recommended process for sharing files would be to send them via email using NHSmail.
Can I record Skype Sessions?
The NHSmail platform currently prevents the recording of Skype sessions as there are potential information governance and clinical implications on saving data to a local system. If a meeting is created from outside the NHSmail platform (federated or not), connecting through to an NHSmail user and that platform has recording enabled, then the meeting may be recorded. Skype will provide an informative banner to the user to let them know this is the case. Users must consider the implications of recording in line with their local information governance and clinical policies, if in doubt the user should request the recording be switched off.
Will federation enable calendar sharing between NHSmail and federated organisations?
We are only federating Skype for Business, which means that calendar federation is not possible.
Will NHSmail SfB federate with other Unified Communications products?
Lync was the predecessor to SfB, prior to Microsoft’s re-branding. Therefore, it is possible to federate with Lync implementations of version Lync 2010 (4.0.7577.4103) or higher. Federation is not enabled for any other Unified Communications products such as Cisco Jabber.
How do I find out the SIP address for the person I want to communicate with?
Contact the person you are wishing to communicate with via an alternate means (email, phone etc.) and ask for their SIP address. This is the username by which they log in to their system. For some organisations, the SIP address is their email address, but you will need to clarify with the individual.
How long will it take to enable federation?
Once you complete the FPA and submit it to [email protected], you will be notified of approximate timelines for federation enablement.
Technical requirements for federation
What information do I need to provide to NHSmail?
You need to provide the information asked for in the FPA - this is the technical detail to allow the federation.
What information will NHSmail give to me?
Technical information to allow the federation will be provided as part of the FPA.
What do we need from a technical perspective to federate with NHSmail?
An organisation will require a fully operational SfB implementation; the technical and connection details will be detailed with the FPA. For detailed guidance, please consult Microsoft TechNet link: https://technet.microsoft.com/en-us/library/ms.lync.plan.federation.aspx.
I use a different product for instant message, voice and video services; can I still federate with NHSmail?
Currently only Microsoft Lync and SfB are supported for federation.
Technical support arrangements
If I have a technical problem with the federation, who do I contact?
You need to contact your local IT helpdesk who will provide initial triage and escalate on your behalf.
If I am having a technical problem with my SfB instance, who do I tell?
You need to contact your local IT helpdesk as per your usual organisational support arrangements.
My local IT helpdesk advised me that the issue is with the partner’s federation, what do I do?
Your local IT Helpdesk, or other SPOC, will be responsible for liaising and raising issues related to federation with NHSmail. You need to ensure you maintain contact with your local IT Helpdesk for this issue, as you would do with any other IT issue.
Are there any other support resources available?
Although there are no other documents for federation, if you have a question relating to Skype, you may wish to look at our online support pages (https://support.stg.nhs.net).
Clinical safety
What considerations should be given to clinical safety for SfB Federation?
NHSmail users must treat the transmission of NHSmail data with care and consideration, in line with the information governance training they have received. This will also be true for any federated organisation.
What safeguards exist to protect information being sent between parties?
Information is Transport Layer Security (TLS) encrypted between source and target, meaning the communication between participants of SfB communication is encrypted and secure. Any information exchanged between federated partners may be stored in the partner’s environment, which NHSmail cannot assure is safe.
What do I need to do to assure clinical safety?
Clinical use of this Skype must be in line with your organisation’s policy for clinical messaging.
In the case of Skype for Business not being available, what would happen?
You need to notify your local helpdesk, as per your organisation’s IT support arrangements and follow any business continuity plans you may have in place.

 

Connection renewal
How often will I need to renew the Federation Partnership Agreement?
There is no formal renewal for the FPA. It is the partner organisation’s responsibility to notify NHSmail to remove federation or of any changes with the partner (as per defederation process outlined) that impact the federation. The partner must ensure their information governance certification remains current and failure to maintain this will result in suspension of federation. Federation will also be suspended when the NHSmail contract comes to an end.
Who will renew the FPA if there are any changes to my organisation?
The SPOC (same role that signed the FPA originally).
If my organisation has plans to go through a change (business, technical or closing down), will the federation continue?
Each partner has a duty to notify NHSmail as per the FPA on any changes that may pose a risk to the federation. The partner must submit an updated FPA as soon as possible, to prevent loss of service.

 

 

 

Updated on 09/04/2019

Related Articles

back to top