Minimum System Requirements for Compucare (on Azure)

Contents

• Overview
• Compucare Hosting Architecture
• Pre-Deployment Checklist
• Minimum Client PC/Workstation Requirements
• User Access via EntraID
  • Azure Enterprise Application Consents
  • Azure Enterprise Application Security Groups
• Firewall/Network Requirements
• Connectivity Requirements for Compucare
• Connectivity Requirements for Interfacing
• e-RS Portal Accessibility
• PXP Payment Gateway
• Anti-Virus Exclusions

Overview

This article outlines the minimum client-side hardware, software and connectivity requirements to run Compucare effectively in an Azure-hosted environment.

Compucare is delivered via a self-updating installer, available at https://compucare.streets-heaver.com.

Compucare Hosting Architecture

Compucare is hosted in Streets Heaver's Azure environment in UK South with real-time database replication to UK West for high availability and failover.

For detailed architecture, see the White Paper for Adoption of Compucare (on Azure).

Pre-Deployment Checklist

Use this checklist to ensure all requirements are met before deploying Compucare:

Azure Administrator

• Security groups are assigned to the relevant Enterprise Applications
• Consent has been granted for the required Azure Enterprise Applications
• Entra ID is configured for single sign-on (SSO) in Compucare 8

Networking Administrator

• External IP(s) has been whitelisted, or Azure VPN Gateway and Private Endpoints have been configured (if required)
• Firewall and network access is configured (including URLs, ports, and IPs)
• Internet connectivity meets minimum speed and latency thresholds
• HL7 interfacing VPN is set up for integrations

Systems Administrator

• Client PCs meet the minimum hardware and operating system specifications
• .NET 8 Desktop Runtime is installed
• Anti-virus exclusions have been added
• e-RS portal access method is configured
• PXP Payment Gateway workstations are configured

Minimum Client PC/Workstation Requirements

• OS: Microsoft Windows 10 Professional (SP1) 64-bit or later (Windows 11 Professional recommended)
• CPU: Intel Core i5 or above
• RAM: 8GB RAM or above
• Storage: 300MB free space per user accessing Compucare on a PC/workstation.
• Display: 1920 x 1080 resolution with Windows recommended scaling & 23” widescreen monitor or larger
• .NET Runtime: .NET 8.0 Desktop Runtime

User Access via EntraID

Compucare supports SSO through Microsoft Entra ID (formerly Azure Active Directory). Licences are based on Named Users managed by the client.

To enable SSO for Compucare, the client will need an admin to grant consent for the Compucare 8 app registration into their Azure tenant and allow the following permissions:

• Compucare:
  • openid
  • User.Read
  • User.ReadBasic.All
• Report Generator:
  • People.Read
  • Presence.ReadWrite
  • User.Read
  • User.ReadBasic.All

See Overview of Azure SQL Databases and MS Entra ID (ex AAD) Authentication.

Azure Enterprise Application Consents

All applications can be granted consent at https://compucare-consent.streets-heaver.com/

Azure Enterprise Application Security Groups

• Set all Enterprise Applications to "Assignment Required".
• Assign access via security groups such as:
  • Compucare_[organisation]_Live
  • Compucare_[organisation]_Test
  • ReportGenerator_[organisation]_Live
  • ReportGenerator_[organisation]_Test

Firewall/Network Requirements

Allow outbound connections to:

• compucare.streets-heaver.com - Main Compucare product launcher
• tenants.streets-heaver.com:443 - Compucare Authentication Services
• downloads.sh-cdn.co.uk:443 - CDN for Compucare updates
• reports.streets-heaver.com - Report Generator
• clinician.streets-heaver.com - Compucare Clinician
• ward.streets-heaver.com - Compucare Ward

SQL Database Endpoints:

• sql-compucare-test-uks-001.database.windows.net:1433
• compucare-prod-failover-group-001.database.windows.net:1433
• compucare-prod-failover-group-001.secondary.database.windows.net:1433

Public IPs for Outbound email services (via the Compucare Service):

• UKW 20.68.104.20
• UKS 51.143.156.137

Access to the Compucare database is restricted to an allowlist of external IP addresses provided by the client. All traffic must route through the client’s VPN to Azure SQL.

Connectivity Requirements for Compucare

This section describes the minimum bandwidth, VPN and Endpoint requirements for Compucare on Azure.

Individual Users

• Minimum download speed: 10 Mbps
• Latency:
  • <100ms = Good
  • 100-200ms = Acceptable
  • >200ms = Poor

Organisations with a centralised VPN

• Minimum download speed: 50Mbps per 500 named users
• Split-tunnelling is recommended to reduce VPN load
  • Compucare updates (~250 MB) may be delivered daily to all users, so this should be factored in when configuring connectivity and VPN traffic. 
  • At a minimum, only SQL traffic needs to go through the VPN to the following endpoints:
    • sql-compucare-test-uks-001.database.windows.net:1433
    • compucare-prod-failover-group-001.database.windows.net:1433
  • Refer to Microsoft’s Connectivity Architecture article for the latest list of Azure IP addresses.

Actual performance is dependent on system usage, including the volume of attachments and blob storage.

VPN requirements for clients without an existing VPN

Clients without an existing VPN must:

• Deploy Azure VPN Gateway with a minimum gateway SKU of "VpnGw1AZ" using P2S tunnels. 
  • See What is Azure VPN Gateway? and VPN Gateway Pricing for more information.
• Set up an Azure Private Endpoint with Streets Heaver
  • Please contact Streets Heaver for the SQL Resource IDs.
• Register Microsoft.sql as a resource provider on your Azure subscription using any of the following methods:
  • Azure Portal:
    1. Go to Subscriptions.
    2. Select your subscription, then click Resource providers.
    3. Search for Microsoft.Sql.
    4. Click Register.
  • Azure CLI:
    1. Run the command:

       az provider register --namespace Microsoft.Sql

  • Powershell:
    1. Run the command:

       Register-AzResourceProvider -ProviderNamespace Microsoft.Sql

It is essential that remote installations and places of work, e.g. mobile clinics and transient workers, verify a stable internet connection via the VPN before going live.

Connectivity Requirements for Interfacing

An IPsec VPN is required for HL7 integration between the client or 3rd-party networks and Streets Heaver's data centre. IPs and ports for bidirectional messaging are agreed upon during setup.

e-RS Portal Accessibility

You can access e-RS and the Data Landing Portal using one of the following options:

NHS Smartcards

1. Sign up for the NHS CIS2 smartcards.
2. Uninstall any existing versions of Identity Agent and Credential Management.
3. Install the latest version of Identity Agent and Credential Management from NHS Digital.
4. Once installed, reboot your PC/laptop.

HSCN Connectivity

1. Acquire your own HSCN connectivity.
2. Follow NHS Digital's guide on How to Set Up a Smartcard User Workstation. 

In the short term, Streets Heaver will continue to facilitate the traditional Citrix connection for legacy users.

PXP Payment Gateway

Ensure all PED (Pin Entry Device) workstations are correctly configured to communicate with the payment service. Contact Streets Heaver for setup guidance.

Anti-Virus Exclusions

Add the following paths to your anti-virus exclusions:

• %LocalAppData%\Compucare_8\*.*
• %LocalAppData%\Compucare_8Pre\*.*
• %LocalAppData%\Temp\*.*
• %LocalAppData%\CompucareInstaller_*

Alternatively, allowlist using the Signed Certificate thumbprint.