Branch Office: building a secure, high-availability infrastructure

Primary care trusts and mental health organisations need a reliable, turnkey IT infrastructure. Microsoft's Branch Office Infrastructure Solution, already widely used in the commercial sector, is now being used to create this in the NHS.
Although most acute trusts have mature networks, many primary care trusts, mental health and community organisations have yet to deploy cost-effective IT infrastructure services across their various sites.
PCTs have mushroomed in size, and they assumed responsibility for GP infrastructure three years ago, while many mental health and community trusts inherited legacy systems from their predecessors.
It is not uncommon for these organisations to serve upwards of 50 remote locations. Yet many are still obliged to employ field engineers or subcontract their support to local IT companies or GP systems suppliers.
This ad hoc approach can be expensive - both in terms of the IT team's time and direct costs - and still fail to deliver a coherent support environment.
Bandwidth challenges
The solution is a professionally managed, centralised enterprise environment that will deliver clinical and administrative applications more effectively to staff in remote locations - what business would call "branch offices".
Until now, the technology to support such an environment typically required third party add-ons. And it had to work over a wide area network (WAN), over which connectivity tended to be unreliable, difficult to manage and unacceptably slow.
"If every GP practice and community office had high availability and high bandwidth, there'd be no need for the WAN efficiencies our Branch Office Infrastructure Solution provides," says Microsoft technology analyst Gareth Hall.
"Unfortunately, they don't - the majority of GP practices use standard, domestic ADSL, albeit with a lower contention rate. Our solution uses the bandwidth that is available more efficiently - which can only be good news for everyone except bandwidth suppliers."
Branch Office: core services
Branch Office is built around Microsoft Windows Server 2003 Release 2 (R2). This provides the framework on which additional network technologies are built, as well as directory services, network addressing and name resolution services, file and print and core client management services. R2 also includes two new tools:
- Distributed File System Replication (DFS-R): DFS-R is a robust file replication service that helps to simplify branch office data management and protection. It allows branch clients to fail over to the nearest data replica if the connection to the central site is lost, removing or reducing the need for costly backups at outlying sites. DFS-R also supports file replication on demand, as well as scheduling and bandwidth throttling of replication schemes, which removes the need for multiple replication technologies.
- Remote Differential Compression (RDC): RDC ensures fast, efficient data transfer to and from outlying units. An advanced WAN-compatible compression technology, it identifies and transmits file changes, instead of passing similar or redundant data back to the central site. As such, it optimises data transfers over networks with limited bandwidth.
ISA Server
Internet Security and Acceleration (ISA) Server is another core component of the Branch Office Infrastructure Solution and plays two roles in it. It caches and compresses web content, helping to further improve WAN performance, and it provides improved security.
ISA Server's firewall protection includes deep (application layer) inspection of all packets in and out of the network. Computers at remote sites also benefit from accelerated updates, ensuring that even outlying machines receive security protection as fast as possible.
"One reason that trusts are sometimes reluctant to put service out to their remote sites and GP practices is that they can't guarantee security," says Mr Hall.
"For instance, too many GPs use the default password on their servers; yet PCTs have a legal responsibility to manage IT security and confidentiality in these locations. Moving a practice into an enterprise Branch Office environment will enable a PCT to manage and control passwords, closing that security hole."
Mr Hall also argues that as security has to be viewed as an ongoing challenge, trusts can take reassurance from Branch Office's position in the Microsoft product hierarchy.
"Users of Branch Office will benefit from future product upgrades, which, for example, include read-only domain controllers which further mitigate exposure," he says.
More goodies
The other core components of the Branch Office Infrastructure Solution include:
- Systems Management Server 2003 (SMS): This enables automated, centralised software update distribution to Windows-based desktops, mobile computers, and servers. SMS allows administrators to control how and when programs run on client computers, including which software packages are to be distributed and to whom.
- Microsoft Operations Manager 2005 (MOM): MOM provides centralised resource management, ensuring that IT facilities are optimally used and therefore generate the best possible return on investment. Features include performance management, proactive monitoring of resources and trend analysis.
- Virtual Server 2005 R2: This enables outlying units to run multiple operating systems concurrently on a single physical server, which helps to consolidate resources and reduce operating costs.
- Data Protection Manager 2006: This enables branch offices to back up data to a local disk, providing fast and efficient data protection and further helping to reduce WAN traffic.
Local equipment, centralised management
There is, as yet, no easy solution to completely centralising the infrastructure that a PCT or mental health trust needs to run. However, Mr Hall believes that as things stand, Branch Office is the way forward.
"It enables GPs and offices to keep their 'own' equipment, but to have it replicated, secured and managed by the skilled IT people at PCT headquarters or the trust's main office," he says. "The great thing about our solution is that it offers a suitable compromise both for NHS trusts and for the remote locations they have to support."