We're here to help.

Citrix Netscaler DICOM-TLS Termination Guide

Introduction

SSL/TLS termination (offloading) relieves an Application or Web server of the processing burden of encrypting and/or decrypting traffic sent via TLS or SSL. Note that the SSL standard has been replaced by TLS as the encryption mechanism for most web based communications. Any use of “SSL” in this guide is strictly for convenience and is, in fact, referring to TLS.

When a DICOM server system is not capable of receiving TLS-encrypted DICOM data, the TLS termination capability of a Citrix ADC device can be used to decrypt/encrypt the data. In this scenario, the TLS termination function of a Citrix ADC (Netscaler) device will be used to decrypt/encrypt the data between itself and Butterfly Cloud. Once the connection is terminated at the ADC, the unencrypted DICOM data is forwarded to the designated DICOM server.

The Citrix ADC provides multiple modes for SSL/TLS processing. This guide will focus on SSL/TLS termination with a Virtual Server configured for the SSL_TCP protocol. Note that the Citrix ADC must have the following Basic Features enabled:

  • SSL Offloading (required).

  • Load Balancing (optional, if you use Service Groups).

Figure 1. DICOM-TLS Termination Using Citrix Netscaler

DICOM-TLS Termination Using Citrix Netscaler

 

Prerequisites

In most environments, the Citrix ADC is located in the DMZ portion of the network. In order for the device to be able to process the DICOM-TLS traffic; the Internet-facing firewall must be configured to permit traffic on the port(s) that the ADC has been configured to listen on.

  1. Ensure that you have access to Butterfly Cloud (https://cloud.butterflynetwork.com) as an Administrator, so that you can configure the PACS connection. The PACS configuration screen will provide you with the digital certificate-key pair that will be used with the Netscaler VIP.

    • A public certificate is not required for the DICOM-TLS encryption.  We are only using the certificate for encryption/decryption, not for end-point trust and validation.

  2. Note the external (Internet-facing) IP address of the firewall or Citrix ADC.

  3. For the purposes of this document, we will be creating an SSL_TCP, Virtual Server on the ADC.

    • A DICOM Store virtual server will be configured to use port 2761.

    • (Optional) A DICOM Worklist virtual server will be configured to use port 2762.

  4. Ensure that the external firewall permits TCP traffic from the Internet to the above ports used by the Virtual Servers.

  5. Login access to the Citrix ADC GUI.

 

Set Up Connection from Butterfly Cloud and Download Digital Certificate

  1. Log in to Butterfly Cloud using your Browser - ensure that your user role in Butterfly Cloud is that of Administrator.

  2. Navigate to the DICOM Configuration menu. Click your username in the upper right of the window and select Organization Settings.

    Org_Settings_2.png
  3. Select the Connectivity tab and click the ‘+ Add’ option next to Connections to create a new TLS end-point that will be used with your DICOM integration.

    New_Connectivity_Menu.png
  4. Proceed to enter all of the necessary DICOM connection parameters.

    Connection_Parameters.png
    1. Name = Friendly name for the Connection.

    2. In the 'Security' section - set TLS to 'Active' and select the 'Generate' option.

    3. Select the PEM download format, and click 'Download'. Ensure that you receive 2 files: Butterfly_SCP_Cert.pem and Butterfly_SCP_key.pem

      1_-_Cert_Download.png
      1. The 2 files will be used in a later step; during the configuration of your TLS termination.

    4. In the 'SCP' section - Enter the Host information, DNS name or IP of your TLS end-point.

      1. Please note that the IP address must be a public IP that can be accessible from Butterfly Cloud to your network. This will typically be the IP address of your network firewall, router, or TLS termination device. Non-routable/private IP addresses are not valid.

  5. Click Save, then click on the Connectivity tab to create the DICOM Integration.

 

Configure the DICOM Integration and Associate the TLS Connection

  1. After clicking on the Connectivity tab, click the ‘+ Add’ option next to Integrations and select PACS/VNA.

    Add_PACS_VNA.png
  2. Give your PACS/VNA a friendly Name, and select to associate it with the TLS Connection created in Setup Connection from Butterfly Cloud and Download Digital Certificate.

    NAME_PACS.png
  3. Proceed to enter all of the necessary DICOM integration parameters.

    DICOM_Parameter_Fields.png
    1. SCU - Calling AET = The source AE Title of Butterfly Cloud (typically ‘BUTTERFLY’).

    2. SCP - AET = the AE Title of your DICOM destination.

    3. Enter a Port that you will need to forward from your firewall or router to the computer hosting the Citrix ADC software.

      1. Port 2761/TCP is typically used for DICOM-TLS.

      2. Port 2762/TCP may be used in addition if DICOM Modality Worklist will be used.

    4. Please note that the port that is entered here is the public-facing port that is exposed by your TLS termination point.

  4. Set the Compression level of the DICOM Images and Cine Loop as required or preferred. The settings above are typical. Select ‘Save Configuration’ to complete the setup.

 

Citrix ADC TLS Termination Setup

Configuring SSL-TCP termination consists of 4 steps:

  1. Configure a TCP Service or Service Group

    • This will define the information for your internal DICOM system (PACS/VNA/etc.) that is to receive the studies from Butterfly.

  2. Verify or Configure SSL Cipher Group

    • This step configures a secure SSL Cipher Group for use with the TLS 1.2 connection. It is an optional step and may be skipped if you already have a preferred cipher group that supports TLS 1.2.

  3. Import the SSL Certificate and Key

    • Use the Cert and Key files Generated earlier from Butterfly Cloud. The Certificate and Key will be associated with the Virtual Server.

  4. Configure the Virtual Server

    • This is the final step to create the Virtual Server that will terminate the TLS connection, using the bound Certificate-key pair, and will forward the decrypted data to the TCP Service.

 

Configure a TCP Service

  1. Navigate to the Configuration tab.

  2. Go to ‘Traffic Management >>Load Balancing >> Services’

  3. Select Add to create a new Service.

    Services_Add.png
  4. Within the Service configuration screen enter the Service Name (e.g. Qlink-DICOM), correct IP, and Port information for your DICOM end-point. Ensure that you select TCP as the protocol. Click on ➧ More to expand the configuration options. Set the Monitoring Connection Close Bit to RESET.

    Note

    Setting the Monitoring Connection Close Bit to RESET will enable a half-open TCP monitor. It is recommended to use this setting due to observed problems with certain vendor’s DICOM services when monitored using a full-open TCP connection.

    Load_Balancing_Service.png
  5. Click OK to confirm the settings, and Done on the following details screen to accept all defaults and complete the setup.

  6. Once complete, the Service list should resemble the image below.  Ensure that the Service State is Up (green) before proceeding.

    Services.png
 

Configure the SSL Cipher Group (optional)

  1. Butterfly Cloud uses TLS 1.2 to encrypt data - the encryption process uses Cipher Groups to securely encode the data. For maximum security, it is recommended to configure a Cipher Group which contains the strongest available ciphers for TLS 3.5.2 - This step is optional if you already have an existing preferred CIpher Group for use with SSL termination.

  2. Navigate to the Configuration tab.

  3. Go to ‘Traffic Management >> SSL >> Cipher Groups’.

  4. Select Add to create a new Cipher Group.

    Cipher_Group_Add.png
  5. 2.5 - Within the Cipher Group configuration screen, enter the Cipher Group Name (e.g. TLS-1.2-Only) and click Add. Filter the Available cipher groups by entering ‘TLS1.2’ into the Search Ciphers field. Select and move the TLS 1.2 ciphers only to the Configured box by using the right-arrow.

    TLS_Default.png
  6. The Cipher Group should resemble the image below, click Create when finished.

    Create_Cipher_Group.png
 

Import the SSL Certificate and Key

The SSL Certificate-Key pair should be imported into the ADC using the Cert and Key files generated from Butterfly Cloud in Setup Connection from Butterfly Cloud and Download Digital Certificate.

Using a Certificate-Key pair from an alternate source (such as a 3rd party Certificate Authority) is not covered in this Guide - please contact Butterfly Network Support (support@butterflynetwork.com) for questions or assistance.

  1. Ensure that you have both the Certificate file (Butterfly_SCP_Cert.pem) and Key file (Butterfly_SCP_Key.pem) that form the Digital Certificate-Key pair and were generated earlier in Setup Connection from Butterfly Cloud and Download Digital Certificate.

  2. Go to ‘Traffic Management >> SSL >> SSL Certificate >> Server Certificate’.

  3. Click Install.

    Install_Server_Cert.png
  4. Enter the Certificate-Key Pair Name (e.g. Butterfly-Cert-Key-Pair). Select Local under Certificate File Name and find the Certificate file on your local computer (e.g. Butterfly_SCP_Cert.pem).

    Install_Server_Cert_Local.png
  5. Again select Local under Key File Name and find the Key file on your local computer (e.g. Butterfly_SCP_Key.pem). Click Install.

    Choose_file_Name.png
  6. The newly imported Certificate-Key pair will appear in the list of Server Certificates.

    Server_Cert_Key_Value_Pair.png
 

Configure the Virtual Server

  1. Navigate to the Configuration tab.

  2. Go to ‘Traffic Management >> Load Balancing >> Virtual Servers’.

  3. Click Add.

    Add_Virtual_Server.png
  4. Enter the Name of the Virtual Server (e.g. Butterfly-DICOM-TLS), select the protocol as SSL_TCP, enter the IP address that you wish to use for the Virtual Server (this can be any available IP address on the subnet/VLAN that the Citrix ADC has access to, you may also re-use an IP address of another Virtual Server, as long as the Port is different). Enter the Port (e.g. 2762). Click OK.

    Basic_Settings.png
  5. Click NO next to Load Balancing Virtual Server Service Binding.

    Load_Balancing_Virtual_Server.png
  6. Click the right arrow to select the previously configured TCP Service (e.g. Qlink-DICOM).  Click Select. Click Bind to complete.

    Service_Binding.png
    Service.png
  7. Click Continue on the final confirmation screen. This will expand the Certificate section.  Click NO next to Server Certificate.

    No_Server_Certificae.png
  8. Click the right arrow to select the previously imported Server Certificate-Key pair (e.g. Butterfly-Cert-Key-Pair). Click Select. Click Bind to complete.

    Select_Server_Cert.png
    Butterfly_Cert_Key_Pair.png
  9. Click Continue on the final confirmation screen. This will expand the various SSL configuration parameters.

  10. In the SSL Ciphers section click the Edit icon.

    SSL_Ciphers.png
  11. Select Cipher Groups and select the previously created Cipher Group (e.g. TLS 1.2 Only).  Click OK. Follow the same process to remove the ‘Default’ Cipher Group.

    TLS_Cipher_Groups.png
  12. Scroll down to the SSL Parameters section, click the Edit icon.

    SSL_Parameters.png
  13. Ensure that in the Protocol list, only TLS 1.2 is selected, uncheck all other protocols. Click OK.

    Protocol_List.png
  14. Scroll to the bottom of the configuration screen and click Done, to confirm completion of the Virtual Server setup.

  15. The following screen will contain the list of your Virtual Servers. Ensure that the newly created Virtual Server (e.g. Butterfly-DICOM-TLS) has a green indicator.

    Virtual_Servers.png
 

Setup Complete

Repeat Steps in Setup Connection from Butterfly Cloud and Download Digital Certificate and Configure the Virtual Server if you need to set up another TLS Termination - Virtual Server for your DICOM Modality Worklist.

Note

  • If your PACS/VNA is not operating in promiscuous mode, then you will need to add the Butterfly Cloud AE title as an approved DICOM source.

  • Please be aware that the PACS will see the IP of the Netscaler SNIP interface as the source of DICOM data from Butterfly Cloud.

 

Verify the Connection from Butterfly Cloud

  1. Switch back to Butterfly Cloud in the Browser.

  2. Navigate to the integrations menu. Click your username in the upper right of the window and select Organization Settings.

    Org_Settings.png
  3. Select the Connectivity tab and click the ‘...’ next to the newly created DICOM integration. Select the Echo option to perform a DICOM C-ECHO from Butterfly Cloud.

    Echo.png
  4. Click Echo, then Click on ‘Echo’ again in the upper right of the pop-up menu. This triggers a new  DICOM C-ECHO; please verify the output is similar to below.

    Echo_Settings.png
  5. Congratulations - you have setup an encrypted DICOM-TLS connection to your DICOM destination.

 

(Optional) - Automatic Forwarding to DICOM Storage

  1. To automatically send any studies saved to a Butterfly Cloud folder to your DICOM end-point, you can associate it with an Archive.

  2. Select the Archive folder that you would like to associate with the DICOM connection.  Select Archive Settings.

    Archive_Settings.png
  3. Choose the DICOM Storage location to associate with the Archive folder.

    PACS_Assignment.png
  4. Now any study saved to this folder (using the Butterfly iQ App) will automatically forward to the chosen DICOM destination.

 
 
Was this article helpful?
1 out of 2 found this helpful
Thank you for your feedback

We’re sorry this didn’t answer your question. We’re here to help. Contact us