1. Home
  2. NHSmail Refresh
  3. Local Administrator Guidance
  4. Getting Ready – Technical Pre-requisites

Getting Ready – Technical Pre-requisites

Local Organisations are required to carry out a number of pre-requisite checks and actions to ensure they are technically prepared for the migration to Exchange Online, by Summer 2020. Information on technical readiness for other Office 365 workloads will be made available in due course.

Failure to complete these actions may prevent users from accessing NHSmail after the migration.

If you are not responsible for ensuring configurations are current, please cascade this information to your respective IT Director/Head of IT to ensure all of the pre-requisite tasks are acknowledged, reviewed and completed.

To download a pre-requisites checklist and to acknowledge your organisation is taking action, please populate your NHSmail email address below and submit to download the checklist

Technical Pre-requisites:

Please review the technical pre-requisite material outlined below and work with your CIO/IT Director to ensure that each area is properly assessed, and necessary actions planned.

Additional communications and supporting transition materials will be provided in due course. This will include extra details around the new features, the user migration journey and functional changes to NHSmail.

For now, please focus on working with your CIO to ensure technical migration readiness for your local organisation. For any transition related queries, please contact feedback@nhs.net.

IMPORTANT

Failure to complete these actions may prevent users from accessing NHSmail after the migration.

Pre-Requisite Items Impact
Browser, Outlook, OS & Mobile Versions Functionality is impacted if the browser, Outlook, OS or Mobile version is outdated/unsupported
Transport Layer Security Any machine or application utilising TLS 1.0-1.1 will fail authentication and will not connect to O365 post migration
 HSCN & Local Internet Bandwidth  

Exchange Online access is via the internet.  This could be over your HSCN access service, or as a standalone internet breakout.  For both, the local bandwidth must be suitable to support email and Office 365 traffic.

Local Network Settings Organisations using local internet may have restrictions on their firewalls or web proxies for connectivity to Office 365
Third Party Application integration Organisations using third party applications must engage the provider to ensure the necessary checks and support is maintained following the migration to Exchange Online

Supported Browser, Outlook, OS and Mobile Versions (HIGH IMPACT)

Pre-requisite

Older client systems will need to be upgraded to access NHSmail. A full list of supported Browsers, Outlook client versions, Mobile and Desktop Operating systems is shown below. These are accurate at the time of writing.

Impact

The following clients won’t be supported with NHSmail once users have moved to Office 365 which starts in Summer 2020:

IE 8,9,10

Older versions of Chrome, Firefox and Safari

Outlook 2010 or older

Windows XP and 7

Older Versions of Android and iOS

NOTE

Support for Windows 7 ended on January 14, 2020. This means Microsoft will no longer provide technical support or software and security updates from that date. Microsoft will not take any active measures to block Windows 7 clients from connecting to Office 365 services however clients may encounter performance and/or reliability issues over time. If you haven’t already begun to upgrade your Windows 7 environment, we recommend you start now.

What action do I need to take?

Make sure systems used to access NHSmail are using supported software versions.

Supported Browser Versions

Table 1 – Minimum browser versions
Windows: Microsoft Edge, Internet Explorer 11 (with latest update), latest version of Mozilla Firefox, or latest version of Google Chrome
Mac OS X: Apple Safari 10+ or latest version of Google Chrome

Supported Outlook Versions

Table 2 – Supported Outlook Versions
Outlook 2019
Outlook 2016
Outlook 2013 with SP1 (until extended support end date – (11/04/2023)
Outlook for Macintosh – Office for Mac2019

Supported OS Versions

Table 3 – Supported OS Versions
Windows 10
Windows 8.1
Mac OS X 10.10 and later

Supported Mobile Devices

Table 4 – Minimum Mobile Device OS Requirements
A phone or tablet with Android 5.0 or later
An iPhone, iPad, or iPod touch with iOS 10.0 or later
IMPORTANT

If your organisation users a third party Mobile Device Management (MDM) solution, you may be required to follow additional steps to reconfigure your organisations mobile devices following the Refresh. Please contact your MDM supplier for guidance on allowing managed devices to connect to Exchange Online.

Transport Layer Security Authentication

Pre-requisite

Microsoft plan to discontinue Transport Layer Security (TLS) versions 1.0 and 1.1 in Office 365. When TLS 1.0 and 1.1 are disabled, no access will be possible from devices or clients that do not support TLS 1.2.

Impact

Any machine or application utilising TLS 1.0 or 1.1 (i.e. Windows XP and older Windows 7 machines) will fail authentication and will not connect to Office 365 services, including Exchange, post migration.

What action do I need to take?

All client machines and applications using NHSmail must support TLS 1.2.

HSCN and Local Internet Bandwidth

Pre-requisite

After a user is migrated, they will automatically be directed to access their mailbox over the Internet via DNS.

Organisations that currently use HSCN to access the internet will need to discuss with their CNSP (Consumer Network Service provider) options for, decreasing HSCN bandwidth and increasing their internet bandwidth within that service.

Organisations using local internet connectivity, should ensure they have sufficient Internet bandwidth suitable to support using NHSmail.

Impact

Exchange Online connectivity must be available via an internet connection.

What action do I need to take?

Organisations using HSCN for NHSmail connectivity will need to ensure access is available via the internet to Exchange Online. Organisations will need to ensure their internet bandwidth is sufficient to support email traffic over the internet. Please work with your local network specialist or HSCN CNSP (Consumer Network Service provider) to understand current bandwidth utilisation and expected future volumes. Whatever bandwidth you currently have on HSCN to support using NHSmail should be equivalent to accessing it over the Internet. Microsoft guidance and tooling can be used to support this activity.

Key variables to consider, but not limited to, are:

  • The peak and average number of client computers in use
  • The type of task each client computer is performing
  • The performance of your Internet browser software
  • The performance of your Outlook desktop client
  • Your company’s network topology and the capacity of the various pieces of network hardware

Required Firewall and Proxy Server Changes for Exchange Online Service

Pre-requisite

Network updates, such as firewall or web proxy changes may be required to support Exchange Online access.

Impact

Organisations may have restrictions on their firewalls or web proxies for connectivity to Office 365.

What action do I need to take?

Review Firewall restrictions, URL/IP address lists, hard coded DNS entries, web proxy configurations and configure rules accordingly. Based on the organisation’s network design, the following changes are required in the firewall and proxy server to facilitate Office 365 Exchange Online deployment. The proxy servers must be configured to allow the below service URLs outbound access.

The IPs and service endpoints listed are specific to Exchange Online. However, organisations must consider configuring their firewall and proxy servers for other Office 365 services as per following links provided by Microsoft (Office 365 IP Address and Office Endpoints).

Note that Microsoft may remove or add IP address ranges and URLs periodically, please ensure this is checked regularly by the Trust IT Department and any firewall/networking/proxy rules are updated accordingly. Failure to comply with this may result in connectivity issues to NHSmail.

Source (From) Destination (To) Port or Protocol
Client Computers

outlook.office.com

outlook.office365.com

*.outlook.com

*.outlook.office.com

attachments.office.net

*.protection.outlook.com

r1.res.office365.com

r3.res.office365.com

r4.res.office365.com

13.107.6.152/31

13.107.18.10/31

13.107.128.0/22

23.103.160.0/20

40.92.0.0/15

40.107.0.0/1640.96.0.0/13

40.104.0.0/15

52.96.0.0/14

52.100.0.0/14

52.238.78.88/32104.47.0.0/17

131.253.33.215/32

132.245.0.0/16

150.171.32.0/22

191.234.140.0/22

204.79.197.215/32

443 TCP

80 TCP

Any devices requiring access to SMTP to send email

smtp.office365.com

13.107.6.152/31

13.107.18.10/31

13.107.128.0/22

23.103.160.0/20

40.96.0.0/13

40.104.0.0/15

52.96.0.0/14

131.253.33.215/32

132.245.0.0/16

150.171.32.0/22

191.234.140.0/22

204.79.197.215/32

587 TCP
Any devices requiring access to IMAP or POP3 to retrieve email

*.outlook.office.com

outlook.office365.com

13.107.6.152/31

13.107.18.10/31

13.107.128.0/22

23.103.160.0/20

40.96.0.0/13

40.104.0.0/15

52.96.0.0/14

131.253.33.215/32

132.245.0.0/16

150.171.32.0/22

191.234.140.0/22

204.79.197.215/32

993 TCP

995 TCP

Network Optimisation 

Network optimisation may be required if your users are experiencing any of the below issues: 

  • Office 365 runs slowly (maybe you have insufficient bandwidth) 
  • Calls via Teams keep dropping (might be due to firewall or proxy blockers) 
  • Calls via Teams are static-y and cut out, or voices sound like robots (could be jitter or packet loss) 

It is important to note that based on Office 365 consumption across your organisation, there may be a requirement to uplift bandwidth in conjunction with your local network provider. 

There are a series of self-help steps provided by Microsoft below should you experience any issues when using Office 365 services: 

Self Help Step  Description 
External Name Resolution  Be sure that all computers running the Teams client can resolve external DNS queries to discover the services provided by Office 365 and that your firewalls are not preventing access. For information about configuring firewall ports, go to Office 365 URLs and IP ranges 
Validate (NAT) pool size  Validate the network address translation (NAT) pool size required for user connectivity. When multiple users and devices access Office 365 using Network Address Translation (NAT) or Port Address Translation (PAT), you need to ensure that the devices hidden behind each publicly routable IP address do not exceed the supported number. Ensure that adequate public IP addresses are assigned to the NAT pools to prevent port exhaustion. Port exhaustion will contribute to internal users and devices being unable to connect to the Office 365 service 
Intrusion Detection and Prevention Guidance  If your environment has an Intrusion Detection or Prevention System (IDS/IPS) deployed for an extra layer of security for outbound connections, be sure to allow-list all Office 365 URLs 
Configure split-tunnel VPN  If users belonging to your organisation are connected to the corporate network using a remote access VPN solution, we recommend configuring Office 365 based traffic to bypass the VPN. This is typically referred to as a split tunnel VPN (where the corporate internal traffic is defined to go over the VPN in order reach the corporate network, whilst the internet traffic (such as Office365 or Exchange Online traffic) is separated out and sent directly to the internet from the client device). Bypassing your Clients remote access VPN will have a positive impact on Microsoft Teams’ quality, as well as reducing load from the VPN devices and the organisation’s network.To implement a split-tunnel VPN, work with your VPN vendor. In addition,  organisations can connect their corporate networks to the internet either via a suitable local breakout or via a HSCN internet service provided by their HSCN Consumer Network Service providers (CNSP). HSCN and NHSmail have been working with the central internet security provider to ensure the traffic over the HSCN internet service. This is ensuring the O365 traffic that is directed through the HSCN internet service is treated as efficiently as possible.  This has been centrally configured and will be in place for all organisations using the Central HSCN Secure Boundary service.

The HSCN teams are monitoring and working with each of the CNSP’s to ensure suitable capacity is in place for their customers internet traffic.

OptimisWiFi  Similar to VPN, WiFi networks aren’t necessarily designed or configured to support real-time media. Planning for, or optimising, a WiFi network to support Teams is an important consideration for a high-quality deployment. Consider these factors: 

  • Plan and optimise the WiFi bands and access point placement. The 2.4 GHz range might provide an adequate experience depending on access point placement, but access points are often affected by other consumer devices that operate in that range. The 5 GHz range is better suited to real-time media due to its dense range, but it requires more access points to get sufficient coverage. Endpoints also need to support that range and be configured to leverage those bands accordingly 
  • If you’re using dual-band WiFi networks, consider implementing band steering. Band steering is a technique implemented by WiFi vendors to influence dual-band clients to use the 5 GHz range. 
  • When access points of the same channel are too close together, they can cause signal overlap and unintentionally compete, resulting in a bad experience for the user. Ensure that access points that are next to each other are on channels that don’t overlap. 

Each wireless vendor has its own recommendations for deploying its wireless solution. Consult your WiFi vendor for specific guidance. 

Third Party Application Integration

 Pre-Requisite

Third party applications must be supported for use with Exchange Online.

Impact

Applications that are unsupported, or that have not been tested to confirm functionality with Exchange Online may fail to work post migration.

What action do I need to take?

Organisation’s local IT support teams must review all 3rd party applications in use and if integrated with NHSmail, confirm compatibility with the appropriate vendor. LA’s are responsible for checking compatibility, continued support and functionality with Exchange Online.

Key things to check, but not limited to, are:

  • Hard coded IP addresses/DNS entries
  • Hard coded EWS endpoints
  • Firewalls or Proxy servers blocking access to Exchange Online IP ranges

Important Notes

  • Office 365 uses Messaging Application Programming Interface (MAPI) over HTTP for communication between Exchange Online and the Outlook clients. This is slightly different to the Remote Procedure Call (RPC) over HTTP (Outlook Anywhere) that is currently being used by NHSmail. As outlined in the pre-requisite section, in order for MAPI to function supported, supported Outlook versions must be in use and must be communicating with Exchange Online over the Internet as opposed to HSCN
  • Exchange ActiveSync will be used during the migration to ensure email is replicated to mobile devices. In some scenarios, users may be required to reconfigure email on their mobile device. This will depend on whether their specific device model supports auto-update of mailbox locations via ActiveSync
  • Both Local Administrator (LA) and End User communications will be provided throughout the transition to minimise disruption. Guidance material will be made available via the NHSmail Support Site, including a transition guide and links to appropriate Microsoft training material. Please review the LA bulletins for regular programme updates.
  • It is important that you carry out a review of your organisation’s use of TLS and upgrade to supported versions where appropriate. Please visit this article for more information.
  • Training of end users will be the responsibility of NHS organisations.

 

Updated on 17/12/2020

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top