SSL/TLS termination (offloading) relieves an application or web server of the processing burden of encrypting and/or decrypting traffic sent via TLS or SSL. Note that the SSL standard has been replaced by TLS as the encryption mechanism for most web-based communications. Any use of “SSL” in this guide is strictly for convenience and is, in fact, referring to TLS.
When a DICOM server system is not capable of receiving TLS-encrypted DICOM data, the TLS termination capability of a F5 Big-IP can be used to decrypt/encrypt the data. Once the connection is terminated at the Big-IP, the unencrypted DICOM data is forwarded to the designated DICOM server.
The F5 Big-IP provides 2 ways in which SSL/TLS is processed:
- Client SSL – the F5 decrypts the encrypted traffic inbound from the client.
- Server SSL – traffic is re-encrypted by the F5 and then routed on to the backend servers.
This guide will focus on Client SSL exclusively.
In most environments, the F5 Big-IP is located in the DMZ portion of the network. In order for the device to be able to process the DICOM-TLS traffic, the Internet-facing firewall must be configured to permit traffic on the port(s) that the ADC (the F5 Big-IP) has been configured to listen on.
- Ensure that you have access to Butterfly Cloud (cloud.butterflynetwork.com) as an Administrator, so that you can configure the PACS connection. The PACS configuration screen will provide you with the digital certificate-key pair that will be used with the virtual servers on the F5 Big-IP.
  - A public certificate is not required for the DICOM-TLS encryption. We are only using the certificate for encryption/decryption, not for end-point trust and validation.
- Note the external (Internet-facing) IP address of the firewall or F5 Big-IP.
- For the purposes of this document, we will be creating a TLS termination Virtual Server on the F5 Big-IP.
  - A DICOM Store virtual server will be configured to use port 2761.
  - (Optional) A DICOM Worklist virtual server will be configured to use port 2762.
- Ensure that the external firewall permits TCP traffic from the Internet to the above ports used by the Virtual Servers. The source IP address of Butterfly Cloud is 34.203.166.92.
- Login access to the F5 Big-IP GUI.
- Log in to Butterfly Cloud using your browser, and ensure that your user role in Butterfly Cloud is Administrator.
- Navigate to the DICOM Configuration menu: click your username in the upper right of the window and select Organization Settings.
- Select the Connectivity tab and click the ‘+ Add’ option next to Connections to create a new TLS end-point that will be used with your DICOM integration.
- Proceed to enter all of the necessary DICOM connection parameters.
  - Name = Friendly name for the Connection.
  - In the 'Security' section, set TLS to 'Active' and select the 'Generate' option.
  - Select the PEM download format and click 'Download'. Ensure that you receive 2 files: Butterfly_SCP_Cert.pem and Butterfly_SCP_key.pem.
  - The 2 files will be used in a later step, during the configuration of your TLS termination.
- In the 'SCP' section, enter the Host information: the DNS name or IP of your TLS end-point.
  - Please note that the IP address must be a public IP that is reachable from Butterfly Cloud. This will typically be the IP address of your network firewall, router, or TLS termination device. Non-routable/private IP addresses are not valid.
- Click Save, then click on the Connectivity tab to create the DICOM Integration.
- After clicking on the Connectivity tab, click the ‘+ Add’ option next to Integrations and select PACS/VNA.
- Give your PACS/VNA a friendly Name, and associate it with the TLS Connection created in the step "Setup Connection from Butterfly Cloud and Download Digital Certificate".
- Proceed to enter all of the necessary DICOM integration parameters.
  - SCU - Calling AET = the source AE Title of Butterfly Cloud (typically ‘BUTTERFLY’).
  - SCP - AET = the AE Title of your DICOM destination.
  - Enter a Port that you will need to forward from your firewall or router to the computer hosting the F5 Big-IP software.
    - Port 2761/TCP is typically used for DICOM-TLS.
    - Port 2762/TCP may be used in addition if DICOM Modality Worklist will be used.
  - Please note that the port entered here is the public-facing port that is exposed by your TLS termination point.
- Set the Compression level of the DICOM Images and Cine Loop as required or preferred. The settings above are typical. Select ‘Save Configuration’ to complete the setup.
Configuring SSL termination consists of 4 steps:
- Import the Butterfly SSL Certificate and Key
- Configure the Client SSL profile
- Configure the Server Pool
- Configure the Virtual Server
- Go to ‘System ›› Certificate Management: Traffic Certificate Management: SSL Certificate List’.
- Select Import.
- Select the 'Certificate' Import Type.
- Enter the Certificate Name (e.g. Butterfly_SCP_Cert.pem).
- Upload the certificate within the Certificate Source section. The certificate file was previously generated on Butterfly Cloud.
- Click Import.
- Repeat the process above to import the Key.
  - Select the ‘Key’ Import Type.
  - Enter the Key Name (e.g. Butterfly_SCP_Key.pem).
  - Security Type should default to ‘Normal’.
  - Upload the key within the Key Source section. The key file was previously generated on Butterfly Cloud.
  - Click Import.
When complete, the SSL Certificate List should appear similar to below.
Next, we will need to configure the SSL Client profile.
- Go to ‘Local Traffic ›› Profiles: SSL: Client’.
- Select Create.
- Within the General Properties, enter the Name (e.g. Butterfly-TLS), select clientssl as the Parent Profile, and check Custom.
- Within the Configuration section, select the Certificate and Key.
- Click Finished.
This step defines the server(s) to which the Big-IP Virtual Server (Step 4) will send traffic after it has terminated TLS. Where you have one (1) DICOM destination (most customer sites), the Pool will have a single member server.
Note: Setting the Health Monitor to ‘tcp_half_open’ enables a half-open TCP monitor. This setting is recommended because of observed problems with certain vendors’ DICOM services when monitored using a full-open TCP connection.
- Go to ‘Local Traffic ›› Pools: Pool List’.
- Select Create.
- Within the Configuration, enter the Name (e.g. DICOM-Store-Server-Pool) and select the Health Monitor (tcp_half_open).
- In Resources, add member servers to the Pool as required.
- Click Finished.
- Go to ‘Local Traffic ›› Virtual Servers: Virtual Server List’.
- Select Create.
- Within the General Properties, enter the Name (e.g. Butterfly-TLS-DICOM-Store), the Destination Address and the Service Port.
  - This is the (virtual) IP address and port that you are defining for this Virtual Server. Your firewall will need to permit traffic to this IP/port.
- Within the Configuration section >> SSL Profile (Client), select the previously created profile (Butterfly-TLS).
- SSL Profile (Server) should be left blank.
- In a one-armed Big-IP configuration (single interface), ensure that Source Address Translation is set to Auto Map.
- Under Resources >> Default Pool, select the previously created Server Pool (DICOM-Store-Server-Pool).
- Click Finished.
Repeat "Configure the Server Pool" and "Configure the Virtual Server" if you need to set up another TLS Termination Virtual Server for your DICOM Modality Worklist.
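The same four steps expressed as tmsh commands, added here as an example and not taken from the Butterfly guide or from F5 documentation; the /var/tmp upload paths, the backend server 10.10.20.5 (TCP/104 for Store, TCP/105 for Worklist), the virtual address 203.0.113.10 and the cert-key-chain name "butterfly" are assumptions to replace with your own values.

```tmsh
# Added example, not from the Butterfly guide: the four GUI steps as tmsh commands.
# Assumed values (replace with your own): the two PEM files were copied to /var/tmp
# on the Big-IP, the DICOM server is 10.10.20.5 listening on TCP/104 (Store) and
# TCP/105 (Worklist), and 203.0.113.10 is the virtual address that the external
# firewall forwards TCP/2761 and TCP/2762 to. Object names match the GUI examples.

# Step 1: import the Butterfly certificate and key into the SSL Certificate List.
install sys crypto cert Butterfly_SCP_Cert.pem from-local-file /var/tmp/Butterfly_SCP_Cert.pem
install sys crypto key Butterfly_SCP_Key.pem from-local-file /var/tmp/Butterfly_SCP_key.pem

# Step 2: Client SSL profile inheriting from clientssl and presenting the Butterfly
# certificate. No Server SSL profile is created: traffic to the pool is sent in the clear.
create ltm profile client-ssl Butterfly-TLS defaults-from clientssl cert-key-chain add { butterfly { cert Butterfly_SCP_Cert.pem key Butterfly_SCP_Key.pem } }

# Step 3: server pool with the half-open TCP monitor the guide recommends.
create ltm pool DICOM-Store-Server-Pool monitor tcp_half_open members add { 10.10.20.5:104 }

# Step 4: TLS-terminating virtual server on 2761. Only the client-side SSL profile is
# attached, and Source Address Translation is set to automap for a one-armed deployment.
create ltm virtual Butterfly-TLS-DICOM-Store destination 203.0.113.10:2761 ip-protocol tcp profiles add { tcp Butterfly-TLS } pool DICOM-Store-Server-Pool source-address-translation { type automap }

# Optional: repeat steps 3 and 4 for Modality Worklist on 2762, reusing the same profile.
create ltm pool DICOM-Worklist-Server-Pool monitor tcp_half_open members add { 10.10.20.5:105 }
create ltm virtual Butterfly-TLS-DICOM-Worklist destination 203.0.113.10:2762 ip-protocol tcp profiles add { tcp Butterfly-TLS } pool DICOM-Worklist-Server-Pool source-address-translation { type automap }

# Review the resulting objects, then persist the running configuration.
list ltm profile client-ssl Butterfly-TLS
list ltm virtual Butterfly-TLS-DICOM-Store
save sys config
```

Enter the commands at the tmsh prompt on the Big-IP (the '#' lines are explanatory); the `list` output should show the Butterfly certificate and key on the profile and the tcp_half_open monitor on the pool.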
- Switch back to Butterfly Cloud in the browser.
- Navigate to the Integrations menu: click your username in the upper right of the window and select Organization Settings.
- Select the Connectivity tab and click the ‘...’ next to the newly created DICOM integration. Select the Echo option to perform a DICOM C-ECHO from Butterfly Cloud.
- Click Echo, then click ‘Echo’ again in the upper right of the pop-up menu. This triggers a new DICOM C-ECHO; verify that the output is similar to below.
- Congratulations - you have set up an encrypted DICOM-TLS connection to your DICOM destination.
To automatically send any studies saved to a Butterfly Cloud folder to your DICOM end-point, you can associate it with an Archive.
- Select the Archive folder that you would like to associate with the DICOM connection. Select Archive Settings.
- Choose the DICOM Storage location to associate with the Archive folder.
- Now any study saved to this folder (using the Butterfly iQ App) will automatically forward to the chosen DICOM destination.