Network Configuration
This guide provides the domains and IP addresses required for integrating with Netsmart CareConnect APIs. Use this information to configure your firewalls, proxy servers, and network security policies as needed.
Overview
CareConnect integrations require two types of network access:
- Outbound connections from your application to CareConnect services
- Inbound connections from CareConnect to your application (for webhooks and SFTP)
You only need to configure domains for your specific integration type. Most developers will use 2-3 domains, not all of them. Review the tables below and configure only the domains relevant to your integration.
Outbound Connections (Your App → CareConnect)
FHIR API Integrations
Required for all FHIR integrations:
- Production
- Preview
| Domain | Purpose | Ports | TLS Type |
|---|---|---|---|
fhir.netsmartcloud.com | FHIR API endpoints & OAuth 2.0 authentication | 443 | Standard |
careconnect-prod-fhir-user-pool.auth.us-east-2.amazoncognito.com | User authentication | 443 | Standard |
oauth.netsmartcloud.com | OAuth 2.0 authentication (legacy) | 443 | Standard |
| Domain | Purpose | Ports | TLS Type |
|---|---|---|---|
fhirtest.netsmartcloud.com | FHIR API endpoints & OAuth 2.0 authentication (testing) | 443 | Standard |
careconnect-uat-fhir-user-pool.auth.us-east-2.amazoncognito.com | User authentication (testing) | 443 | Standard |
oauthtest.netsmartcloud.com | OAuth 2.0 authentication (legacy testing) | 443 | Standard |
Other API Integrations
Configure only if your integration uses these specific services:
- Production
- Preview
| Domain | Purpose | Ports | TLS Type |
|---|---|---|---|
careconnect.netsmartcloud.com | CareConnect platform APIs | 443 | Standard |
asam.netsmartcloud.com | ASAM assessment APIs | 443 | Standard |
ntstplatform.com | CareConnect platform APIs | 443, 444 | Standard (443), Mutual (444) |
mutualtls.ntstplatform.com | Mutual TLS authenticated endpoints | 443 | Mutual |
carequality.ntstplatform.com | Carequality Gateways | 443 | Mutual |
| Domain | Purpose | Ports | TLS Type |
|---|---|---|---|
careconnect-uat.netsmartcloud.com | CareConnect platform APIs (testing) | 443 | Standard |
labsdev.netsmartcloud.com | CareConnect platform APIs (testing) | 443, 444 | Standard (443), Mutual (444) |
mutualtls.netsmartcloud.com | Mutual TLS authenticated endpoints | 443 | Mutual |
carequality.netsmartcloud.com | Carequality Gateways | 443 | Mutual |
SFTP File Transfers (CareConnect → Your SFTP Server)
Some integrations require CareConnect to upload files to your SFTP server. If your integration includes file transfers:
- You must provide an SFTP server - CareConnect does not host SFTP servers
- Allow inbound SSH connections from CareConnect's egress IP addresses on port 22
- Provide SFTP credentials to Netsmart during integration setup
Inbound Connections (CareConnect → Your App)
If your application receives webhooks, notifications, or SFTP connections from CareConnect, allow inbound traffic from these IP addresses.
- Production
- Preview
Configure your firewall to allow inbound HTTPS traffic from these IP addresses:
3.14.124.21718.219.72.14718.223.226.147
Configure your firewall to allow inbound HTTPS traffic from this IP address:
3.130.157.80
Implementation Guidelines
Firewall Configuration
Required for all integrations:
- Outbound HTTPS: Allow connections to domains used by your specific integration on ports 443/444
- DNS Resolution: Ensure your network can resolve the CareConnect domains you're using
Additional rules if applicable:
- Inbound HTTPS: Allow port 443 from CareConnect egress IPs (for webhooks)
- Inbound SSH: Allow port 22 from CareConnect egress IPs (for SFTP to your server)
- Mutual TLS: Some domains require client certificates on port 443 or 444
Proxy Server Configuration
If using a proxy server, configure it to:
- Allow connections to all listed domains
- Support TLS/SSL connections (HTTPS)
- Allow SSH connections (port 22) for SFTP if your integration requires it
- Handle OAuth 2.0 authentication flows
- Support mutual TLS authentication for applicable endpoints
Security Considerations
- Use HTTPS for all connections to CareConnect APIs
- Implement proper certificate validation
- Consider implementing IP address restrictions for enhanced security
- Monitor network traffic for unusual patterns
Troubleshooting
Common Network Issues
Connection Timeouts
- Verify outbound HTTPS (443/444) is allowed to CareConnect domains
- Check proxy server configuration and DNS resolution
- Test connectivity using the commands below
SSL/TLS Errors
- Ensure TLS 1.2+ support and proper certificate validation
- Verify system time is accurate for certificate validation
- For mutual TLS domains, confirm client certificate is properly configured
Authentication Failures
- Verify OAuth endpoints (
oauth.netsmartcloud.com,oauthtest.netsmartcloud.com) are accessible - Check that authentication domains are not blocked by security policies
- Confirm API credentials and scopes are correct
Testing Connectivity
Test network connectivity using standard tools:
# Test domain resolution
nslookup fhir.netsmartcloud.com
# Test HTTPS connectivity (Production)
curl -I https://fhir.netsmartcloud.com/uscore/v1/metadata
# Test HTTPS connectivity (Preview)
curl -I https://fhirtest.netsmartcloud.com/uscore/v1/metadata
# Test OAuth endpoint
curl -I https://oauth.netsmartcloud.com/.well-known/openid_configuration
Support
For network configuration assistance or if you encounter connectivity issues, contact Netsmart support with:
- Your network configuration details
- Error messages or logs
- Results of connectivity tests
- Environment (Production or Preview)