Network connectivity guidance

Opening your firewall

In order to interact with our APIs, you will need to ensure you have connectivity to the appropriate endpoints.

The URLs that your integrating system (e.g. your trust integration engine) will need access to are provided on our connectivity page. The following ports should be permitted on your firewall:

  • Port 7443. The PKB HL7 endpoint uses port 7443. This is a non-standard port and may need to be added to your firewall rules.

  • HTTPS port 443 must be permitted to allow access to our REST and FHIR APIs.

Checking your TLS protocols and ciphers

Ensure you are connecting to us (and can establish a handshake) using a supported TLS version and cipher by checking against our PKB SSL support report - https://www.ssllabs.com/ssltest/analyze.html?d=my.patientsknowbest.com

Whitelisting your production HL7 feed source IP(s) at PKB

PKB requires that all source IP addresses to our production HL7 endpoint are whitelisted on the PKB firewall. Whitelisting of the source IP is not required for sandbox.

The IP address to be whitelisted will be the IP address as presented to PKB once outside of your internal network. This is often the IP address once NAT’d. Please consider any failover IPs that you may need to whitelist also. Your network team will be able to help you determine the correct IP address. Please send the IP addresses to be whitelisted to integrations@patientsknowbest.com

NHS trust within the HSCN / N3 network?

If you are an NHS trust within the HSCN / N3 network you will likely be connecting to the PKB HSCN / N3 production endpoint - https://nww.patientsknowbest.com:7443/services/hl7.

It is likely the IP address you will need to provide to PKB to whitelist will be from the NHS private IP address space: 10.0.0.0 - 10.255.255.255. If you identify an IP address outside of that address space then this may indicate the IP address is incorrect and should be double-checked before passing to PKB.

Testing your firewall access to the HL7 endpoint

URL test

A simple test to determine if your integrating system has access to the PKB HL7 endpoint is to open an internet browser on your server and enter the HL7 endpoint URL in the address bar. E.g.

A popup as below usually indicates firewall access. There is no need to enter any credentials. If no popup is displayed then this could mean:

  1. Your firewall has not been opened.

  2. Your IP address has not been whitelisted by PKB (only applicable to the production endpoint).

Telnet test

If you have telnet installed on your server then you can test connectivity to the HL7 endpoint port.

E.g.

telnet sandbox.patientsknowbest.com 7443

telnet nww.patientsknowbest.com 7443

If it connects successfully it will likely result in a black box with a flashing cursor – anything else would suggest a firewall issue still exists.
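Where telnet is not installed, the same port check can be scripted, and the TLS handshake checked in the same run. The following is an added example, not PKB's own tooling: it separates a failed TCP connect from a failed TLS handshake and reports the negotiated protocol and cipher. The function names and the stage labels ("connect", "tls", "ok") are assumptions made for this example; the host names, port and address range are the ones given on this page.

```python
import ipaddress
import socket
import ssl

# Range this page gives for HSCN / N3 source addresses (10.0.0.0 - 10.255.255.255).
HSCN_RANGE = ipaddress.ip_network("10.0.0.0/8")

def in_hscn_range(ip):
    """True if a candidate source IP lies in the range quoted on this page."""
    return ipaddress.ip_address(ip) in HSCN_RANGE

def probe(host, port=7443, timeout=10):
    """Return (stage, detail): 'connect' if the TCP connect fails, 'tls' if the
    handshake or certificate check fails, 'ok' if both succeed."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, unroutable or DNS failure
        return "connect", f"{type(exc).__name__}: {exc}"
    ctx = ssl.create_default_context()  # verifies certificate chain and host name
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return "ok", f"{tls.version()} {name} ({bits} bits)"
    except OSError as exc:  # ssl.SSLError and certificate errors subclass OSError
        return "tls", f"{type(exc).__name__}: {exc}"

def interpret(stage, production):
    """Map a probe stage to the causes this page lists for that symptom."""
    if stage == "connect":
        causes = ["firewall not opened for this port"]
        if production:  # sandbox needs no source-IP whitelisting
            causes.append("source IP not whitelisted by PKB")
        return causes
    if stage == "tls":
        return ["handshake failed: compare TLS version and cipher with the SSL Labs report"]
    return []

if __name__ == "__main__":
    # Host names are the ones on this page; nww is the production HSCN endpoint.
    for host, production in (("sandbox.patientsknowbest.com", False),
                             ("nww.patientsknowbest.com", True)):
        stage, detail = probe(host)
        print(host, stage, detail, interpret(stage, production))
```

Run it from the integrating server itself, since the result depends on that server's route and source IP.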

HL7 QRY A19 test

If the connectivity seems OK but you have an application, e.g. your TIE, which is not working correctly, you might like to try a direct connection from the command line using curl. This will help to narrow down where the problem lies. For example, the following is a simple QRY A19 which asks for a maximum of 1 patient record to be returned. Although in theory any HL7 message could be used, the benefit of a query message is that you do not need to send any data to your patient records to confirm the connection.

curl -v --connect-timeout 10 -u username:password https://sandbox.patientsknowbest.com:7443/services/hl7 --header "Content-Type:text/xml" -X POST --data \
$'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wss="http://wsssl.hl7api.patientsknowbest.com/"><soapenv:Header/><soapenv:Body><wss:acceptMessage><arg0>
MSH|^~\&amp;|Hello7||HL7API|PKB|20231011162923+0100||QRY^A19|38efef7a-461f-4de7-8fd8-1879d4fb0118|P|2.4
QRD|20231011162923+0100|||0220d40c-9a51-446e-8642-e43f161c3b6c|||1^RD||STA
</arg0></wss:acceptMessage></soapenv:Body></soapenv:Envelope>'