Millbeck Communications
Secure Remote Access Service
Internet VPN Access to N3
VPN Client Set Up Guide
Version 6.0

COPYRIGHT NOTICE
Copyright 2013 Millbeck Communications Ltd. All Rights Reserved.
Introduction

This document is a configuration guide to the Secure Remote Access VPN service, approved by the NHSIA under CCN 78 of C&W's WAN Framework Contract.

VPN Access to N3 for broadband users is designed to allow NHS end users to securely access N3 and their NHS local network via the Internet. User organisations are expected to provide all local IT facilities.

The VPN Access to N3 service is targeted at NHS workers with a business need to work from home via broadband from any service provider.

It should be noted that the use of VPN and encryption technology places a small overhead on network bandwidth. User organisations should therefore ensure that the available broadband bandwidth and, where applicable, the connections to the target system(s) have sufficient capacity to provide acceptable performance.

Service Scope

The Secure Remote Access VPN service includes:
- VPN Client and security software licensed for the end user computer
- Security Token per end user or administrator (remains the property of Millbeck Communications)
- Replacement of faulty or expired Security Tokens at no charge
- Use of the central VPN Concentrator within C&W N3, with a high bandwidth connection to the Internet
- Use of C&W's high availability, secure, resilient authentication platform
- Dedicated block of IP addresses for each customer, assigned to users when they connect
- Millbeck Managed customers report faults to Millbeck Communications

The following are out of scope:
- Installation of client software on end user devices (done by the customer)
- Broadband Internet access from the end user computer*, unless provided by Millbeck
- Any increase in bandwidth which may be required for the Customer's N3 connection
- Adjustments to personal firewall clients, if needed
- Adjustments to broadband router configurations, if needed

* The platform has been tested using common broadband providers such as BT, NTL and Telewest.
We cannot guarantee that VPN Access to N3 will perform successfully with other service providers' broadband access services. AOL is an exception: AOL does not support this service. Sky Broadband customers may experience connection problems with the router that Sky supply.

Fault Reporting

Customers who require any assistance, or wish to report a fault, should phone Millbeck Communications on 03332 407074 or email support@millbeckcomms.co.uk. The helpdesk provides support for all queries and service requests relating to VPN User Access to N3. Customers should say that the fault relates to VPN Access to NHS and will need to provide their user name and token serial number. Millbeck Communications will use reasonable efforts to respond to all faults within 4 hours of accepting the fault.

Page 2 Date: 5 September 2013
Service Description

VPN User Access to N3 is designed to allow NHS end users to securely access their NHS local network via the Internet (whether by broadband, GPRS, 3G or dial up). The service is independent of the method of Internet access. Because the service uses the Internet as an access mechanism for end user flexibility, security is particularly important. The table below shows a summary of the main security risks and how they have been addressed.

Security Risk                                                        | Secure customer remote access solution for N3
---------------------------------------------------------------------|--------------------------------------------------------------------
Internet traffic can be monitored                                    | Encrypted tunnel using VPN
Users may write down password                                        | Token authentication
Keyboard monitor program can be used to detect username / password   | Token authentication
Computer can be hacked before or after VPN connection                | Personal firewall clients (not part of the service)
Users from one organisation can get into another organisation's     | Each user has a unique user name and is associated with just
network as a single VPN router is used                               | their organisation
Unauthorised users could be set up                                   | Users for each organisation added / deleted by the organisation
                                                                     | administrator using a secure web site and token authentication

The VPN Access to N3 Service uses IPSec tunnelling. Authentication of end users is by means of SecurID tokens, which are two-factor, requiring the user to enter a 4 digit PIN followed by the 6-digit code on the token. The code changes every minute and can only be used once.

After installation of the VPN client, the Group ID and Group password are entered (once only; afterwards they are stored in the client). The Group ID associates the user with a particular customer, and the Group password is used for encryption of the initial phase of IPSec negotiation between the VPN client and router. Once authenticated, and placed into the correct group, a secure IPSec tunnel is set up across the Internet using 3-DES encryption between the VPN client and the central VPN concentrators on the Core N3 Platform.
A schematic of the service is shown below. (The diagram itself is not reproduced here; its components are the user's broadband service provider and the Internet, the C&W Security platform on N3 with the VPN Concentrator, RSA ACE Server and customer admin web site, and the Surgery/Trust firewall, network servers and PCs on the existing N3 connection.)

1. User connects to the Internet via broadband.
2. User enters PIN and token code into the VPN Client. Initial communication is encrypted by the hidden group password.
3. VPN Concentrator confirms the group password and asks the RADIUS enabled ACE server to authenticate the user.
4. ACE Server authenticates user name, PIN and token.
5. VPN Concentrator assigns the user to Organisation A on the basis of group ID / group password, and assigns a private IP address from A's IP address pool.
6. VPN client creates an encrypted tunnel to the VPN Concentrator.
7. User has a private IP address from A's pool on the VPN Concentrator, is allowed through A's firewall, and connects to network servers.

The general approach to providing VPN Access to N3 is summarised below.

Configuring VPN Access to N3 - Description                                          | Responsibility
------------------------------------------------------------------------------------|---------------
Set up and deliver User and Administrator Security Tokens to Customer               | Millbeck
Set up Customer group on central VPN Concentrator and assign unique IP address pool | Millbeck
Provision of end user computer and connection to the Internet via broadband         | Customer
Configure local Firewall to allow access from source IP address pool                | Customer
Download VPN Client Software                                                        | Customer
Install and configure VPN Client software with Group ID and Group password          | Customer
Create user accounts using Online Configuration Tool                                | Millbeck
System Requirements

Computer: Pentium processor or equivalent PC.

Operating System:
- Microsoft Windows 98 Second Edition
- Microsoft Windows NT 4.0 (with Service Pack 6a or higher)
- Microsoft Windows 2000 Professional (with Service Pack 2 or higher)
- Microsoft Windows XP Professional
- Microsoft Windows Vista
- Microsoft Windows 7

Minimum RAM: 32 MB for Windows 98 or Windows NT, 64 MB for Windows 2000, 128 MB for Windows XP.

Available Hard Disk Space: approximately 15 MB.

Software Installation: Internet connection to download software. The following client software modules are required:
- Avaya VPN Client

Broadband and Home Router Requirements

The VPN service can be used with any broadband service provider which allows IPSec VPN tunnels to be used. In practice we have found that nearly all service providers do permit IPSec VPN connections; however, difficulties have been experienced with AOL, which is not supported.

The VPN service is generally compatible with home routers which allow IPSec VPN connections to pass through Network Address Translation (NAT). In all cases it is strongly recommended that the latest firmware be downloaded from the manufacturer's web site and installed before use, even in the case of a recently purchased home router. Many types of router can be used without any adjustments; others may require you to log on to the router and enable VPN pass-through, and sometimes you may need to make other configuration changes.

How Accessing the Surgery Works

The connection process is in two stages. The first stage is to create a secure VPN tunnel from the user's PC into the N3 network. Once this tunnel has been established, the user then creates a Remote Desktop Connection session from their PC to the target PC / server at the surgery.

Installation Prerequisites

At the surgery:
- Enable remote users to connect to this computer.
- Identify your server's IP address (Vision users) or your PC's IP address (EMIS users). You will need this information for the installation at home.
- Make sure you know your Windows username and password. (You will need this information for the installation at home.)

At home:
- Download and install the Avaya VPN Client.
- Create a remote desktop profile.
1. At the Surgery

1.1) Vision users: you will need to know the IP address of your server, and you do not need to do anything else in Section 1. You will need the server's IP address when you are carrying out the installation at home. Make sure you know your Windows username and password.

1.2) EMIS users: on each of the PCs in the surgery that a user will connect to, the following needs to be done. Right click My Computer and select Properties; this opens the System Properties window. Select the tab called Remote and ensure that there is a tick in the box that says "Allow other users to connect remotely to this computer".

1.3) Click Apply and OK.

1.4) Find out the IP address of each computer you may want to connect to and write it down, e.g. Dr Smith = 172.111.111.11, as each of the doctors will need this information later.

1.5) Write down your Windows username and password. (If you're not sure what your Windows username is, click Shut Down and restart your PC. Your Windows username should be presented at the log on screen.)
2. Install Avaya VPN Client

2.1) Double click on the Avaya VPN Client executable.
2.2) Press Next.
2.3) Accept the license agreement, then press Next.
2.4) Leave the settings as shown on screen and click Next.
2.5) Press Next.
2.6) Press Finish to restart the computer.
3. VPN Client configuration

This section describes the configuration of the Avaya VPN Client. Go to Start, All Programs, Avaya VPN Client, then Avaya VPN Client.

3.1) Click the Profile Wizard.
3.2) Type in a Profile name (this can be anything you want).
3.3) Press Next.
3.4) Select IPSEC Tunnel.
3.5) Press Next.
3.6) Enter the Destination address nhs.cwsecurity.net.
3.7) Press Next.
3.8) Select Hardware or Software token card.
3.9) Press Next.
3.10) Select Response Only Token Card.
3.11) Put a tick in Use Passcode.
3.12) Press Next.
3.13) Enter the User ID, in the form joebloggs@nhs.cw.vpn (this is an example; your actual user name was supplied in a letter to the practice manager).
3.14) Enter the Token Group ID nhsvpnuser.
3.15) Enter the Token Group Password tick+scroll.
3.16) Press Next.
3.17) Select No, I do not want to dial first.
3.18) Press Next.
3.19) Select No, I do not want to launch applications.*
3.20) Press Next.

* You can revisit this setup later and select Yes, I want to launch an application. You would then select Remote Desktop Connection; this means that when the VPN connection has been established the client will automatically open Remote Desktop Connection.

3.21) Select I will not define a failover profile.
3.22) Press Next.
3.23) Select Active Keepalives.
3.24) Press Next.
3.25) Select Finish.

You will now see the connection box and you are ready to connect the VPN client. Enter your PIN followed by the 6 digits displayed on your token and press Connect.
4. Configuring your Remote Desktop Connection

1. On the home PC set up the Remote Desktop Connection: go to Start, All Programs, Accessories and click Remote Desktop Connection. This will open a new window called Remote Desktop Connection. Click on the button labelled Options. Where it says Computer, enter the IP address of the server or PC you want to connect to, e.g. 172.111.111.11. In User Name, enter the user name that you use to log on to Windows when you first power up your PC in the surgery (this is the log on after you have pressed Control, Alt, Delete). Tick Allow me to save credentials, click Save As, make the save destination the Desktop and name it whatever is meaningful, e.g. My Surgery Server. This will create an icon on the desktop with all the user details completed, which saves you going through this set up every time you want to access the surgery. In EMIS practices you can create additional icons for other PCs in the surgery in the same way, but you will need to save them with different names.

2. Once the above has been done, click on the VPN client icon (if there isn't one on the desktop it can be found by going to Start, All Programs, Avaya VPN Client, then clicking Avaya VPN Client). Where it says Passcode, enter the four digit PIN associated with your token and immediately follow it with the 6 digits that appear on the token, then press Connect. I.e. you are entering a 10 digit number.

3. If you get an error message it is generally due to the details not being correctly entered into the VPN client at set up, or to a local firewall that is blocking the connection. If this is the case, turn off all firewalls until the connection is successfully established; this includes firewalls on broadband routers. We can advise and help if anyone is having connection problems: please contact Millbeck Communications on 03332 407074. If this needs to be out of hours, please pre-arrange a support call by calling the above number.

4. Once the VPN connection is established, click on the My Surgery icon and a connection will be automatically made to the server or PC in the surgery. You will be asked to enter your password and then logged on. Everything that can be done in the surgery can now be done at home. EMIS users please note that the surgery PC needs to be left on but for security purposes should be logged off; the screen can be turned off.

5. To disconnect, go to the Start button and click on Disconnect; this closes down the session with the surgery. You then need to disconnect the VPN: double click the Avaya VPN client icon in the system tray (by the clock) and select Disconnect and OK. The home computer is now totally disconnected from the surgery and health network and can be used as a normal home computer again.
1. INFO - Connection to network services using the Central VPN Concentrator

If connecting to the central VPN concentrator on N3, the connection can be checked by accessing NHS intranet sites, whose addresses usually start with nww. Your users will be assigned an IP address from a unique range assigned to your organisation, associated with your Group ID and Group Password.

In order to allow your users to connect to home network services, appropriate rules need to be put in place on the local firewall. If the private address range of the organisation is routable from N3, a rule can be set up allowing users direct access. More commonly, network address translation of specific servers, e.g. web mail, is introduced on the local firewall.

It should be noted that traffic from the central VPN concentrator on the NHS passes through a central firewall before reaching the home network, and only certain ports and protocols are allowed. You will therefore only be able to use a limited number of applications when connecting via the central VPN concentrator; for example, you will be able to use Outlook Web Access but not the Outlook client. Changes to the ports and protocols allowed through the central firewall can be requested via Millbeck Communications/C&W. Please note that even if a port or protocol is allowed by the central firewall, there is still the possibility that it may be blocked by access control lists at other N3 routers or firewalls.
The following is a list of the standard ports allowed by the firewall to N3 (duplicate entries in the original list have been collapsed; service names are as listed):

Port   TCP  UDP  Service
23     yes  -    telnet
25     yes  yes  smtp
53     yes  yes  DNS
80     yes  yes  http
137    -    yes  netbios-ns (name service)
138    -    yes  netbios-dgm (datagram service)
139    yes  -    netbios-ssn (session service)
407    yes  yes  timbuktu
443    yes  yes  https
587    yes  yes  unassigned
995    yes  yes  spop3 (SSL based POP3)
1352   yes  -    Lotus Notes
1417   yes  -    timbuktu-srv1 (Timbuktu Service 1 Port)
1418   yes  yes  timbuktu-srv2 (Timbuktu Service 2 Port)
1494   yes  yes  ica
1604   yes  yes  icabrowser
1666   yes  yes  netview-aix-6
2000   yes  yes  Callbook
3010   yes  yes  gw (TCP) / ping-pong (UDP), Telerate Workstation (PAC)
3128   yes  -    unassigned
3389   yes  -    unassigned
3845   yes  -    unassigned
4006   yes  -    unassigned
4094   yes  -    unassigned
7000   yes  yes  afs3 (file server itself)
7777   yes  yes  cbt
8025   yes  -    unassigned
8080   yes  -    (no service name listed)
10000  yes  yes  ndmp (network data management protocol)
11799  yes  yes  (no service name listed)
11820  yes  yes  (no service name listed)
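An added example (not from the Millbeck guide) that models the central firewall's allow-list above and the local firewall rule the customer then writes for its assigned VPN source pool. The pool, the NAT'd server address and the iptables-style rule syntax are assumptions, and the TCP 135 requirement of the classic Outlook client is general knowledge rather than something the guide states.

```python
"""Central N3 firewall allow-list (transcribed from the guide's port table) and
the local firewall rules the customer derives from it for the VPN source pool."""
from ipaddress import ip_address, ip_network

# (protocol -> ports) as listed by the guide; duplicates collapsed.
TCP_PORTS = {23, 25, 53, 80, 139, 407, 443, 587, 995, 1352, 1417, 1418, 1494,
             1604, 1666, 2000, 3010, 3128, 3389, 3845, 4006, 4094, 7000, 7777,
             8025, 8080, 10000, 11799, 11820}
UDP_PORTS = {25, 53, 80, 137, 138, 407, 443, 587, 995, 1418, 1494, 1604, 1666,
             2000, 3010, 7000, 7777, 10000, 11799, 11820}
CENTRAL_ALLOW = {"tcp": TCP_PORTS, "udp": UDP_PORTS}


def is_allowed(proto: str, port: int) -> bool:
    """True if the central firewall passes this protocol/port towards N3."""
    return port in CENTRAL_ALLOW.get(proto.lower(), set())


def blocked_ports(needs):
    """(proto, port) pairs an application needs that the central firewall drops.
    An application only works over the VPN if this list is empty."""
    return [(p, n) for p, n in needs if not is_allowed(p, n)]


def from_vpn_pool(pool: str, src: str) -> bool:
    """Does a source address belong to the organisation's assigned VPN pool?"""
    return ip_address(src) in ip_network(pool)


def local_rules(pool: str, server: str, services) -> list:
    """iptables-style ACCEPT rules (illustrative syntax) letting the VPN pool reach
    one NAT'd internal server. Ports the central firewall drops are skipped: that
    traffic never arrives, so opening them locally only widens exposure."""
    rules = []
    for proto, port in services:
        if is_allowed(proto, port):
            rules.append(f"-A FORWARD -s {pool} -d {server} -p {proto} "
                         f"--dport {port} -m state --state NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed values: a private pool and a documentation address, not real ones.
    POOL, WEBMAIL = "10.250.0.0/24", "192.0.2.10"
    # Outlook Web Access needs only HTTPS; the classic Outlook client also needs the
    # RPC endpoint mapper on TCP 135, which the guide's allow-list does not include.
    print("OWA blocked on:", blocked_ports([("tcp", 443)]))
    print("Outlook client blocked on:", blocked_ports([("tcp", 135), ("tcp", 443)]))
    print("Home user in pool:", from_vpn_pool(POOL, "10.250.0.17"))
    for rule in local_rules(POOL, WEBMAIL, [("tcp", 443), ("tcp", 135)]):
        print(rule)
```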
If you wish to allow your users direct access to all network servers and applications, as if they were in the office, there is an option for a Site VPN Router which terminates the VPN client sessions on the home site, with complete routing to all private IP addresses via all ports and protocols. This has been approved by the NHSIA as CCN 79 to the C&W WAN Framework Contract. Further information can be obtained from Millbeck Communications.

2. Connection to the Internet using the Central VPN Concentrator

When connecting to the central VPN Concentrator using a VPN Client, there is no direct routing to the Internet. Users who wish to browse web servers on the Internet while connected to the VPN can use the following proxy server address on the core N3: 194.227.17.46 port 8080.

If the computer is connected via the Ethernet port, this should be set in Internet Explorer, Tools, Internet Options, Connections, LAN Settings. Tick the box Use a Proxy Server and also the box Bypass Proxy Server for Local Addresses. So that you can view NHS intranet sites, click on Advanced and, under Exceptions, enter nww.*

If the computer is connected via a dial up modem or USB port, the proxy server details should be entered in Internet Explorer, Tools, Internet Options, Connections; click on the relevant dial up service name and select Settings.

3. Network Domain Login with Site VPN Router

Where a site VPN router is used to terminate end user clients, customers will normally expect access to all servers and applications on their local network. If the Avaya VPN Client is installed as an application on Windows NT, 2000, XP or Windows 7, the user logs in with the machine offline, using cached credentials. Then the user starts the VPN Client executable and connects to the network via the VPN. As the Windows logon does not happen while on the network, the login script does not run, and the user is not prompted for any password reset.
Depending on details of the Windows build, settings and domain servers, the user may sometimes be asked to reauthenticate in order to connect to certain servers, and may be unable to map network drives. This is a Microsoft issue which can occur if a Kerberos server is not installed on the local network, and is described in more detail, with some workarounds, in Microsoft article: http://support.microsoft.com/default.aspx?scid=kb;en-us;297278

When a Kerberos server is installed, as is standard when using Active Directory, it may be necessary to change the Kerberos client settings to use TCP instead of UDP, due to an issue with the Avaya VPN Client re-assembling some out of order packets. This change can be deployed centrally using Active Directory.

Customers taking the Site VPN router may wish to test version 4.86 of the Avaya VPN Client installed as a GINA client, allowing connection to the VPN before the Windows login. The user will then connect to Active Directory during logon, receive any scheduled updates, and be prompted for password resets, as if they were on the LAN. The GINA VPN Client always starts up when the machine powers up, so the user has to cancel out of the application if the same machine is later used on the LAN.

END
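An added example (not from the guide) for section 2, Connection to the Internet, above: it applies an Internet Explorer style proxy exception list, made up of the guide's nww.* entry and the Bypass Proxy Server for Local Addresses box, to decide which URLs are fetched directly and which go via the N3 proxy. The sample host names are constructed.

```python
"""Which URLs go via the N3 proxy while the VPN is up. Exceptions use the format
Internet Explorer stores them in: semicolon-separated wildcard patterns, with
"<local>" standing for the "Bypass proxy server for local addresses" box."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

PROXY = "194.227.17.46:8080"   # N3 proxy address and port from the guide
EXCEPTIONS = "nww.*;<local>"   # the guide's nww.* exception plus bypass-local


def bypasses_proxy(host: str, exceptions: str = EXCEPTIONS) -> bool:
    """True if the host matches an exception and should be fetched directly."""
    host = host.lower()
    for pattern in filter(None, exceptions.lower().split(";")):
        if pattern == "<local>":
            if "." not in host:      # IE treats dot-less names as local addresses
                return True
        elif fnmatchcase(host, pattern):
            return True
    return False


def route_for(url: str) -> str:
    """PAC-style decision for one URL: "DIRECT" or "PROXY host:port"."""
    host = urlsplit(url).hostname or ""
    return "DIRECT" if bypasses_proxy(host) else f"PROXY {PROXY}"


if __name__ == "__main__":
    # Constructed sample URLs; the intranet and public host names are made up.
    for url in ("http://nww.example.nhs.uk/", "http://fileserver/",
                "https://www.example.com/"):
        print(f"{url:32} -> {route_for(url)}")
```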