Local Organisations are required to carry out a number of pre-requisite checks and actions to ensure they are technically prepared for the migration to Exchange Online by Summer 2020. Information on technical readiness for other Office 365 workloads will be made available in due course.
Failure to complete these actions may prevent users from accessing NHSmail after the migration.
If you are not responsible for ensuring configurations are current, please cascade this information to your respective IT Director/Head of IT to ensure all of the pre-requisite tasks are acknowledged, reviewed and completed.
To download a pre-requisites checklist and to acknowledge your organisation is taking action, please populate your NHSmail email address below and submit to download the checklist.
Technical Pre-requisites:
Please review the technical pre-requisite material outlined below and work with your CIO/IT Director to ensure that each area is properly assessed, and necessary actions planned.
Additional communications and supporting transition materials will be provided in due course. This will include extra details around the new features, the user migration journey and functional changes to NHSmail.
For now, please focus on working with your CIO to ensure technical migration readiness for your local organisation. For any transition related queries, please contact feedback@nhs.net.
Pre-Requisite Items | Impact |
Browser, Outlook, OS & Mobile Versions | Functionality is impacted if the browser, Outlook, OS or Mobile version is outdated/unsupported |
Transport Layer Security | Any machine or application utilising TLS 1.0-1.1 will fail authentication and will not connect to O365 post migration |
HSCN & Local Internet Bandwidth | Exchange Online access is via the internet. This could be over your HSCN access service, or as a standalone internet breakout. For both, the local bandwidth must be suitable to support email and Office 365 traffic. |
Local Network Settings | Organisations using local internet may have restrictions on their firewalls or web proxies for connectivity to Office 365 |
Third Party Application integration | Organisations using third party applications must engage the provider to ensure the necessary checks and support are maintained following the migration to Exchange Online |
Supported Browser, Outlook, OS and Mobile Versions (HIGH IMPACT)
Pre-requisite
Older client systems will need to be upgraded to access NHSmail. A full list of supported Browsers, Outlook client versions, Mobile and Desktop Operating systems is shown below. These are accurate at the time of writing.
Impact
The following clients won’t be supported with NHSmail once users have moved to Office 365, which starts in Summer 2020:
- IE 8, 9, 10, 11
- Older versions of Chrome, Firefox and Safari
- Outlook 2010 or older
- Windows XP and 7
- Older versions of Android and iOS
Make sure systems used to access NHSmail are using supported software versions.
Supported Browser Versions
Table 1 – Minimum browser versions |
Windows: Microsoft Edge, Internet Explorer 11 (with latest update), latest version of Mozilla Firefox, or latest version of Google Chrome |
Mac OS X: Apple Safari 10+ or latest version of Google Chrome |
Supported Outlook Versions
Table 2 – Supported Outlook Versions |
Outlook 2019 |
Outlook 2016 |
Outlook 2013 with SP1 (until extended support end date – 11/04/2023) |
Outlook for Macintosh – Office for Mac 2019 |
Supported OS Versions
Table 3 – Supported OS Versions |
Windows 10 |
Windows 8.1 |
Mac OS X 10.10 and later |
Supported Mobile Devices
Table 4 – Minimum Mobile Device OS Requirements |
A phone or tablet with Android 5.0 or later |
An iPhone, iPad, or iPod touch with iOS 10.0 or later |
Transport Layer Security Authentication
Pre-requisite
Microsoft plan to discontinue Transport Layer Security (TLS) versions 1.0 and 1.1 in Office 365. When TLS 1.0 and 1.1 are disabled, no access will be possible from devices or clients that do not support TLS 1.2.
Impact
Any machine or application utilising TLS 1.0 or 1.1 (i.e. Windows XP and older Windows 7 machines) will fail authentication and will not connect to Office 365 services, including Exchange, post migration.
All client machines and applications using NHSmail must support TLS 1.2.
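One way to find the machines described above before migration is to look at the highest TLS version each client offers in its ClientHello. The following Python sketch is an added example, not part of the NHSmail guidance; it assumes each input is the first TLS record of a connection taken from a packet capture with the ClientHello unfragmented, and the sample records are constructed.

```python
def max_offered_version(record):
    """Highest TLS version a ClientHello record offers, e.g. 0x0303 for 1.2."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    def u16(i):
        return int.from_bytes(record[i:i + 2], "big")
    try:
        legacy = u16(9)                    # legacy client_version field
        pos = 11 + 32                      # skip the 32-byte client random
        pos += 1 + record[pos]             # session id
        pos += 2 + u16(pos)                # cipher suites
        pos += 1 + record[pos]             # compression methods
        if pos + 2 > len(record):
            return legacy                  # no extensions in this hello
        end = min(pos + 2 + u16(pos), len(record))
        pos += 2
        while pos + 4 <= end:
            etype, elen = u16(pos), u16(pos + 2)
            if etype == 0x002B:            # supported_versions extension
                offered = [u16(i) for i in range(pos + 5, pos + 3 + elen, 2)]
                real = [v for v in offered if 0x0300 <= v <= 0x0304]  # drop GREASE
                return max(real, default=legacy)
            pos += 4 + elen
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    return legacy

def fails_after_migration(record):
    """True if the client's best offer is below TLS 1.2 (0x0303)."""
    return max_offered_version(record) < 0x0303

# Constructed ClientHello records (not captures): a TLS 1.0-only client, a
# TLS 1.2 client, and a client advertising TLS 1.3 via supported_versions.
_BODY = "00" * 32 + "00" + "0002002f" + "0100"  # random, session id, suites, compression
HELLO_TLS10 = bytes.fromhex("160301002d" "01000029" "0301" + _BODY)
HELLO_TLS12 = bytes.fromhex("160301002d" "01000029" "0303" + _BODY)
HELLO_TLS13 = bytes.fromhex("1603010038" "01000034" "0303" + _BODY
                            + "0009" "002b0005" "0403040303")

for label, hello in (("1.0", HELLO_TLS10), ("1.2", HELLO_TLS12), ("1.3", HELLO_TLS13)):
    verdict = "will fail" if fails_after_migration(hello) else "ok"
    print(f"client offering TLS {label}: {verdict}")
```

TLS 1.1 appears as 0x0302 in the same field, so it is also reported as failing.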
HSCN and Local Internet Bandwidth
Pre-requisite
After a user is migrated, they will automatically be directed to access their mailbox over the Internet via DNS.
Organisations that currently use HSCN to access the internet will need to discuss with their CNSP (Consumer Network Service provider) options for decreasing HSCN bandwidth and increasing their internet bandwidth within that service.
Organisations using local internet connectivity should ensure they have sufficient Internet bandwidth suitable to support using NHSmail.
Impact
Exchange Online connectivity must be available via an internet connection.
Organisations using HSCN for NHSmail connectivity will need to ensure access is available via the internet to Exchange Online. Organisations will need to ensure their internet bandwidth is sufficient to support email traffic over the internet. Please work with your local network specialist or HSCN CNSP (Consumer Network Service provider) to understand current bandwidth utilisation and expected future volumes. Whatever bandwidth you currently have on HSCN to support using NHSmail should be equivalent to accessing it over the Internet. Microsoft guidance and tooling can be used to support this activity.
Key variables to consider, but not limited to, are:
- The peak and average number of client computers in use
- The type of task each client computer is performing
- The performance of your Internet browser software
- The performance of your Outlook desktop client
- Your company’s network topology and the capacity of the various pieces of network hardware
Required Firewall and Proxy Server Changes for Exchange Online Service
Pre-requisite
Network updates, such as firewall or web proxy changes may be required to support Exchange Online access.
Impact
Organisations may have restrictions on their firewalls or web proxies for connectivity to Office 365.
Review Firewall restrictions, URL/IP address lists, hard coded DNS entries, web proxy configurations and configure rules accordingly. Based on the organisation’s network design, the following changes are required in the firewall and proxy server to facilitate Office 365 Exchange Online deployment. The proxy servers must be configured to allow the below service URLs outbound access.
The IPs and service endpoints listed are specific to Exchange Online. However, organisations must consider configuring their firewall and proxy servers for other Office 365 services as per the following links provided by Microsoft (Office 365 IP Address and Office Endpoints).
Note that Microsoft may remove or add IP address ranges and URLs periodically. Please ensure this is checked regularly by the Trust IT Department and any firewall/networking/proxy rules are updated accordingly. Failure to comply with this may result in connectivity issues to NHSmail.
Source (From) | Destination (To) | Port or Protocol |
Client Computers | outlook.office.com outlook.office365.com *.outlook.com *.outlook.office.com attachments.office.net *.protection.outlook.com r1.res.office365.com r3.res.office365.com r4.res.office365.com 13.107.6.152/31 13.107.18.10/31 13.107.128.0/22 23.103.160.0/20 40.92.0.0/15 40.107.0.0/16 40.96.0.0/13 40.104.0.0/15 52.96.0.0/14 52.100.0.0/14 52.238.78.88/32 104.47.0.0/17 131.253.33.215/32 132.245.0.0/16 150.171.32.0/22 191.234.140.0/22 204.79.197.215/32 | 443 TCP, 80 TCP |
Any devices requiring access to SMTP to send email | smtp.office365.com 51.143.242.91 51.141.7.11 13.107.6.152/31 13.107.18.10/31 13.107.128.0/22 23.103.160.0/20 40.96.0.0/13 40.104.0.0/15 52.96.0.0/14 131.253.33.215/32 132.245.0.0/16 150.171.32.0/22 191.234.140.0/22 204.79.197.215/32 | 587 TCP |
Any devices requiring access to IMAP or POP3 to retrieve email | *.outlook.office.com outlook.office365.com 13.107.6.152/31 13.107.18.10/31 13.107.128.0/22 23.103.160.0/20 40.96.0.0/13 40.104.0.0/15 52.96.0.0/14 131.253.33.215/32 132.245.0.0/16 150.171.32.0/22 191.234.140.0/22 204.79.197.215/32 | 993 TCP, 995 TCP |
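One way to review existing restrictions against the table above is to search firewall or proxy deny logs for blocked connections to the listed destinations on the listed ports. The following Python sketch is an added example, not part of the NHSmail guidance; the hosts, ranges and ports are a snapshot copied from the table, while the log format and the sample lines are constructed assumptions.

```python
import fnmatch
import ipaddress

# Snapshot of the table above. Microsoft changes these lists, so refresh them
# from the published Office 365 endpoint list before trusting the result.
COMMON = ("13.107.6.152/31 13.107.18.10/31 13.107.128.0/22 23.103.160.0/20 "
          "40.96.0.0/13 40.104.0.0/15 52.96.0.0/14 131.253.33.215/32 "
          "132.245.0.0/16 150.171.32.0/22 191.234.140.0/22 204.79.197.215/32 ")
WEB = (["outlook.office.com", "outlook.office365.com", "*.outlook.com",
        "*.outlook.office.com", "attachments.office.net",
        "*.protection.outlook.com", "r1.res.office365.com",
        "r3.res.office365.com", "r4.res.office365.com"],
       COMMON + "40.92.0.0/15 40.107.0.0/16 52.100.0.0/14 "
                "52.238.78.88/32 104.47.0.0/17")
SMTP = (["smtp.office365.com"], COMMON + "51.143.242.91 51.141.7.11")
MAIL = (["*.outlook.office.com", "outlook.office365.com"], COMMON)
RULES = {443: WEB, 80: WEB, 587: SMTP, 993: MAIL, 995: MAIL}  # port -> table row

def is_required(dest, port):
    """True if dest (hostname or IP literal) on this port is in the table."""
    hosts, nets = RULES.get(port, ([], ""))
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:  # not an IP literal, so match it as a hostname
        name = dest.lower().rstrip(".")
        return any(fnmatch.fnmatchcase(name, h) for h in hosts)
    return any(ip in ipaddress.ip_network(n) for n in nets.split())

def blocked_required(log_lines):
    """Return (src, dest, port) for each DENY that hit a required destination."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5 or fields[1] != "DENY" or not fields[4].isdigit():
            continue  # skip allowed traffic and malformed lines
        src, dest, port = fields[2], fields[3], int(fields[4])
        if is_required(dest, port):
            hits.append((src, dest, port))
    return hits

# Constructed sample log, assumed format "<time> <action> <src> <dest> <port>".
SAMPLE_LOG = [
    "09:00:01 DENY 10.1.2.3 40.97.10.20 443",
    "09:00:02 ALLOW 10.1.2.3 outlook.office365.com 443",
    "09:00:03 DENY 10.1.2.9 smtp.office365.com 587",
    "09:00:04 DENY 10.1.2.9 51.143.242.91 993",  # SMTP-only address, wrong port
    "09:00:05 DENY 10.1.2.7 mail.protection.outlook.com 443",
]

print(blocked_required(SAMPLE_LOG))
```

Each tuple returned is a rule to review: a source inside the organisation that was denied a destination the table says must be reachable.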
Network Optimisation
Network optimisation may be required if your users are experiencing any of the below issues:
- Office 365 runs slowly (maybe you have insufficient bandwidth)
- Calls via Teams keep dropping (might be due to firewall or proxy blockers)
- Calls via Teams are static-y and cut out, or voices sound like robots (could be jitter or packet loss)
It is important to note that based on Office 365 consumption across your organisation, there may be a requirement to uplift bandwidth in conjunction with your local network provider.
There are a series of self-help steps provided by Microsoft below should you experience any issues when using Office 365 services:
Self Help Step | Description |
External Name Resolution | Be sure that all computers running the Teams client can resolve external DNS queries to discover the services provided by Office 365 and that your firewalls are not preventing access. For information about configuring firewall ports, go to Office 365 URLs and IP ranges |
Validate (NAT) pool size | Validate the network address translation (NAT) pool size required for user connectivity. When multiple users and devices access Office 365 using Network Address Translation (NAT) or Port Address Translation (PAT), you need to ensure that the devices hidden behind each publicly routable IP address do not exceed the supported number. Ensure that adequate public IP addresses are assigned to the NAT pools to prevent port exhaustion. Port exhaustion will contribute to internal users and devices being unable to connect to the Office 365 service |
Intrusion Detection and Prevention Guidance | If your environment has an Intrusion Detection or Prevention System (IDS/IPS) deployed for an extra layer of security for outbound connections, be sure to allow-list all Office 365 URLs |
Configure split-tunnel VPN | If users belonging to your organisation are connected to the corporate network using a remote access VPN solution, we recommend configuring Office 365 based traffic to bypass the VPN. This is typically referred to as a split tunnel VPN, where the corporate internal traffic is defined to go over the VPN in order to reach the corporate network, whilst the internet traffic (such as Office 365 or Exchange Online traffic) is separated out and sent directly to the internet from the client device. Bypassing your clients’ remote access VPN will have a positive impact on Microsoft Teams’ quality, as well as reducing load on the VPN devices and the organisation’s network. To implement a split-tunnel VPN, work with your VPN vendor. In addition, organisations can connect their corporate networks to the internet either via a suitable local breakout or via a HSCN internet service provided by their HSCN Consumer Network Service Provider (CNSP). HSCN and NHSmail have been working with the central internet security provider to ensure that the O365 traffic directed through the HSCN internet service is treated as efficiently as possible. This has been centrally configured and will be in place for all organisations using the Central HSCN Secure Boundary service. The HSCN teams are monitoring and working with each of the CNSPs to ensure suitable capacity is in place for their customers’ internet traffic. |
Optimise WiFi | Similar to VPN, WiFi networks aren’t necessarily designed or configured to support real-time media. Planning for, or optimising, a WiFi network to support Teams is an important consideration for a high-quality deployment. Consider these factors:
Each wireless vendor has its own recommendations for deploying its wireless solution. Consult your WiFi vendor for specific guidance. |
Third Party Application Integration
Pre-Requisite
Third party applications must be supported for use with Exchange Online.
Impact
Applications that are unsupported, or that have not been tested to confirm functionality with Exchange Online may fail to work post migration.
Organisations’ local IT support teams must review all 3rd party applications in use and, if integrated with NHSmail, confirm compatibility with the appropriate vendor. LAs are responsible for checking compatibility, continued support and functionality with Exchange Online.
Key things to check, but not limited to, are:
- Hard coded IP addresses/DNS entries
- Hard coded EWS endpoints
- Firewalls or Proxy servers blocking access to Exchange Online IP ranges
Important Notes
- Office 365 uses Messaging Application Programming Interface (MAPI) over HTTP for communication between Exchange Online and the Outlook clients. This is slightly different to the Remote Procedure Call (RPC) over HTTP (Outlook Anywhere) that is currently being used by NHSmail. As outlined in the pre-requisite section, in order for MAPI to function, supported Outlook versions must be in use and must be communicating with Exchange Online over the Internet as opposed to HSCN.
- Exchange ActiveSync will be used during the migration to ensure email is replicated to mobile devices. In some scenarios, users may be required to reconfigure email on their mobile device. This will depend on whether their specific device model supports auto-update of mailbox locations via ActiveSync
- Both Local Administrator (LA) and End User communications will be provided throughout the transition to minimise disruption. Guidance material will be made available via the NHSmail Support Site, including a transition guide and links to appropriate Microsoft training material. Please review the LA bulletins for regular programme updates.
- It is important that you carry out a review of your organisation’s use of TLS and upgrade to supported versions where appropriate. Please visit this article for more information.
- Training of end users will be the responsibility of NHS organisations.