Reference articles from Microsoft.
1. This article explains the servers needed for the BizTalk INTEGRATION project and gives an insight into the communication mechanism used by BizTalk Server 2010 to send and receive HL7/EDI or any other messages.
2. Diagram 1 depicts the servers required for the INTEGRATION project and the privileges/permissions necessary to enable the transmission of HL7 messages.
3. From Diagram 1.0, two cases are possible:
- PartnerCompany would use the MYCOMPANY file server located in the DMZ to send/receive the EDI messages.
- PartnerCompany would request MYCOMPANY to use a server located on the partner's own network to send/receive the EDI messages.
4. Only two widely used protocols have been taken into consideration: “sFTP” and “TCP/IP over a secure VPN tunnel”. HTTPS is not considered because of the complexity and overhead involved in authentication.
5. Diagram 1.1 below describes in detail the protocols used by the BizTalk Server to exchange the EDI messages.
6. As shown in Diagram 1.1, there are four ways of establishing the connection, explained below:
- Shown as 1 in the diagram, the clinic/EMR would use the file server placed in the MYCOMPANY DMZ; here the partner can establish the connection using the sFTP credentials MYCOMPANY shared during the integration.
- Shown as 2 in the diagram, the clinic can initiate the TCP/IP connection through the VPN tunnel and exchange the EDI messages; the MYCOMPANY BizTalk Server would generate the appropriate acknowledgement and send it back over the same session.
- Shown as 3 in the diagram, MYCOMPANY would initiate the TCP/IP connection to the clinic/EMR through the VPN tunnel, send the EDI file and receive the appropriate acknowledgement in the same session.
- Shown as 4 in the diagram, MYCOMPANY would use the sFTP credentials shared by the partner to establish the connection, push the EDI file and receive the acknowledgement.
7. Clearly, communication mechanism 3 in Diagram 1.1 would require the secure VPN tunnel to be opened from the clinic/EMR server's IP into the MYCOMPANY internal network. However, the security risk could be mitigated by
- Restricting access in the firewall to a single predefined port for the TCP/IP connection.
- Adding message validation in the BizTalk adapter to check that only valid EDI messages are received back, and not any malicious injections.
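The same-session acknowledgement of mechanism 2 (item 6) and the adapter-side validation of item 7 can be illustrated together. What follows is an added example written for this page; it is not code from the original article or from the BizTalk product. It assumes, which the page does not state, that the TCP/IP exchange over the VPN carries HL7 v2 messages framed with MLLP (a <VT> byte before the message and <FS><CR> after it) with <CR>-terminated segments; the allowlists, the function names and the sample ADT message are all constructed for the example.

```python
# Added example, not code from the page or from BizTalk. Assumes HL7 v2 over TCP
# framed with MLLP (<VT> msg <FS><CR>), <CR>-terminated segments, placeholder allowlists.
import re
from datetime import datetime, timezone

MLLP_START, MLLP_END, SEG_SEP = b"\x0b", b"\x1c\x0d", "\r"
MAX_MESSAGE_BYTES = 64 * 1024                          # cap on one message body
ALLOWED_VERSIONS = {"2.3", "2.3.1", "2.5", "2.5.1"}    # placeholder allowlist
ALLOWED_TYPES = {"ADT^A01", "ADT^A04", "ORU^R01"}      # placeholder allowlist
_ALLOWED_BODY = re.compile(rb"^[\x20-\x7e\r]+$")       # printable ASCII + <CR> only
_CONTROL_ID = re.compile(r"[A-Za-z0-9._-]{1,20}")

def frame(message: bytes) -> bytes:
    """Wrap a raw HL7 message in MLLP framing."""
    return MLLP_START + message + MLLP_END

def unframe(data: bytes) -> bytes:
    """Strip MLLP framing; reject anything that is not exactly one clean frame."""
    if len(data) > MAX_MESSAGE_BYTES + 3:
        raise ValueError("frame exceeds size limit")
    if not (data.startswith(MLLP_START) and data.endswith(MLLP_END)):
        raise ValueError("missing MLLP start/end block")
    body = data[1:-2]
    if b"\x0b" in body or b"\x1c" in body:
        raise ValueError("framing bytes inside message body")
    return body

def parse_msh(message: str) -> dict:
    """Parse the MSH header; after splitting on MSH-1, MSH-n is fields[n-1]."""
    first = message.split(SEG_SEP, 1)[0]
    if not first.startswith("MSH") or len(first) < 8:
        raise ValueError("message does not start with a complete MSH segment")
    fields = first.split(first[3])
    if len(fields) < 12:
        raise ValueError("MSH has too few fields")
    return {"fs": first[3], "enc": fields[1], "sending_app": fields[2],
            "sending_fac": fields[3], "receiving_app": fields[4],
            "receiving_fac": fields[5], "type": fields[8], "control_id": fields[9],
            "processing_id": fields[10], "version": fields[11]}

def decode_frame(data: bytes):
    """Unframe, enforce the byte allowlist, parse the header -> (text, msh)."""
    body = unframe(data)
    if not _ALLOWED_BODY.match(body):
        raise ValueError("non-printable or control bytes in message")
    text = body.decode("ascii")
    return text, parse_msh(text)

def policy_violation(msh: dict) -> str:
    """Allowlist checks on a parsed header; empty string means the message passes."""
    if msh["fs"] != "|" or msh["enc"] != "^~\\&":
        return "unexpected separator or encoding characters"
    if msh["version"] not in ALLOWED_VERSIONS:
        return "unsupported HL7 version"
    if "^".join(msh["type"].split("^")[:2]) not in ALLOWED_TYPES:
        return "message type not allowed"
    if not _CONTROL_ID.fullmatch(msh["control_id"]):
        return "malformed control id"
    return ""

def build_ack(msh: dict, code: str, text: str) -> bytes:
    """ACK addressed back to the sender; MSA-2 echoes the original control ID."""
    now = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    text = re.sub(r"[|^~\\&\r]", " ", text)          # keep HL7 delimiters out of MSA-3
    msh_seg = "|".join(["MSH", "^~\\&", msh["receiving_app"], msh["receiving_fac"],
                        msh["sending_app"], msh["sending_fac"], now, "", "ACK",
                        "ACK" + msh["control_id"], msh["processing_id"], msh["version"]])
    return (msh_seg + SEG_SEP + "|".join(["MSA", code, msh["control_id"], text])
            + SEG_SEP).encode("ascii")

def handle_frame(data: bytes):
    """Receive side (mechanism 2) -> (accepted, ack_frame). The ACK frame is what the
    server writes back on the same TCP session; None means drop and close."""
    try:
        _, msh = decode_frame(data)
    except ValueError:
        return False, None                          # header unusable: nothing to address
    reason = policy_violation(msh)
    return not reason, frame(build_ack(msh, "AR" if reason else "AA", reason or "accepted"))

def validate_ack(data: bytes, expected_control_id: str):
    """Send side (mechanisms 3 and 4): accept only a well-formed ACK whose MSA-2 matches
    the control ID we sent -> (applied, code_or_reason)."""
    try:
        text, msh = decode_frame(data)
    except ValueError as exc:
        return False, str(exc)
    if msh["type"].split("^")[0] != "ACK":
        return False, "response is not an ACK"
    msa = next((s for s in text.split(SEG_SEP) if s.startswith("MSA|")), "")
    fields = msa.split("|")
    if len(fields) < 3:
        return False, "ACK lacks a usable MSA segment"
    if fields[1] not in {"AA", "AE", "AR"}:
        return False, "unknown acknowledgement code"
    if fields[2] != expected_control_id:
        return False, "MSA-2 does not match the control id we sent"
    return fields[1] == "AA", fields[1]

SAMPLE_ADT = (  # constructed sample from a hypothetical clinic EMR (ADT^A01, v2.5.1)
    "MSH|^~\\&|EMR|CLINIC01|BIZTALK|MYCOMPANY|20240101120000||ADT^A01|MSG0001|P|2.5.1\r"
    "EVN|A01|20240101120000\r"
    "PID|1||12345^^^CLINIC01^MR||DOE^JOHN||19700101|M\r").encode("ascii")
```

handle_frame is what the receive side (mechanism 2) would run on each frame read from the socket, and its return value is what it writes back on the same connection: a well-formed message that passes the allowlists gets an AA acknowledgement, a parseable message that fails them gets an AR acknowledgement carrying the reason, and anything that cannot be framed or parsed (a NUL byte, a missing end block, no MSH) is dropped without a reply. validate_ack is what the sending side (mechanisms 3 and 4) runs on the bytes it reads back, so a response that is not well-formed, not an ACK, or not for the control ID that was sent is discarded instead of being handed to the business process. The port restriction in the first mitigation is firewall configuration and is not shown here.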