Introduction

The custo DynDNS service makes RDT transfers in custo diagnostics 5.x possible without a fixed external IP address.
Authentication is based on the custo cloud server login (kybe login).

Some words about security

Every service that a custo med diagnostics owner offers to colleagues also carries a certain risk of receiving bad or even malicious data, just like in the real doctor's world: everybody who comes into the practice may also bring viruses along. So before you set up connection possibilities as an evaluation center, please plan how much risk the evaluation center wants to, or can, take:

Is it acceptable that offering easy access over the internet for evaluations carries a certain risk of becoming the victim of a hacker exploiting software security flaws? Please consider the patient data on the custo diagnostics server!

Or: should the evaluation center's communication access be strictly limited to defined customers, even if establishing the communication means more effort?

There are two ways for an evaluation center to provide access to its sending practices:

Virtual Private Network (VPN):

With a (site-to-site) VPN an additional security layer, a tunnel between the two medical sites / practices, is established.

Advantages:

(tick) The custo med diagnostics web server of the evaluation center that provides access to the sending practices is not exposed to hacker attacks from the internet

(tick) Less need to keep the custo diagnostics server (and its operating system platform) of the evaluation center always up to date.

Disadvantages:

(error) Higher effort to get the evaluation center's VPN setup configured and the evaluation center defined in custo diagnostics.

(error) The sending practices will also need a VPN setup to the evaluation center

(error) The evaluation center will need a public IPv4 internet address (most internet providers offer one, but not all)

(error) Technical problems such as overlapping IP address ranges may occur

(error) For VPNs between firewalls / routers of different vendors, fixed IPs on one or both sides of the VPN may be necessary


If you consider using a virtual private network (VPN) setup, please study the VPN guidelines of the evaluation center's and the sending practices' internet routers. Examples are those of the German market leader AVM: https://avm.de/service/vpn/uebersicht/ (German) or https://en.avm.de/service/vpn/overview/ (English).

Please also draw up an internal IP address range plan covering the evaluation center and all sending practices. There must not be any overlapping IP address ranges!
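A small check for such an address range plan, added here as an example (not custo's or AVM's code): it lists every pair of sites whose internal ranges overlap and proposes a free range for renumbering. The site names, ranges and the function names find_overlaps() and suggest_free_range() are this example's own.

```python
# Added example, not custo's own code: check an internal IP address range plan
# for the VPN variant described above. Site names and ranges are constructed
# placeholders; find_overlaps() and suggest_free_range() are this example's own.
import ipaddress
from itertools import combinations


def find_overlaps(plan):
    """Return the sorted pairs of sites whose internal ranges overlap.

    plan maps a site name to its internal network in CIDR notation. A site-to-site
    VPN cannot route between two sites that share address space, so the expected
    result for a good plan is an empty list."""
    nets = {site: ipaddress.ip_network(cidr) for site, cidr in plan.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def suggest_free_range(plan, supernet="10.0.0.0/8", new_prefix=24):
    """First subnet of the given size inside supernet that no planned site uses,
    e.g. to renumber a practice still on its router's factory default range."""
    used = [ipaddress.ip_network(cidr) for cidr in plan.values()]
    for candidate in ipaddress.ip_network(supernet).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(net) for net in used):
            return str(candidate)
    return None


# Constructed plan: both the evaluation center and practice A kept the
# FRITZ!Box factory default range, which the VPN cannot tell apart.
SAMPLE_PLAN = {
    "evaluation center": "192.168.178.0/24",
    "practice A": "192.168.178.0/24",
    "practice B": "10.10.20.0/24",
}
```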


Standard internet port forwarding:

With this approach, all internet traffic directed to the port defined on the router or firewall is redirected to the custo diagnostics SSL web interface.

Advantages:

(tick) Easy configuration at both the evaluation center and the sending practice

(tick) No dependency on a reliably working VPN

(tick) No need for the evaluation center to have a fixed IP address.

Disadvantages:

(error) The security measures on the evaluation center's IT side must be taken seriously. Minimum requirements are an always well-updated operating system, a current virus scanner and the use of the latest custo diagnostics version

(error) Even when the security measures are taken seriously, some hackers may always be one step ahead of them.


Important: If you use internet port forwarding, make sure that neither on the sender nor on the evaluation center side application layer firewalls or proxies that open up the SSL chain block the traffic. In such setups please make sure that the network traffic from the diag sender to the evaluation center is defined as an exception (best as *.customed.de*). Otherwise it will be possible to register the sender in the evaluation center, but impossible to transfer evaluations. In network environments managed by other service providers, please discuss this topic with the provider beforehand.

Configuration in custo diagnostics

Start

If nothing has been set up yet, the "Dynamic URL and SSL" section appears as follows:

(1) Indications appear that nothing has been configured

(2) The DynDNS configuration cannot be done; everything is locked.


Cloud server

As a custo med sales partner, please go to the retailer web page of the custo cloud server:

Go to http://kybe.customed.de/CustoCentral/retailer/, log in with your sales partner account and create a customer account (if the customer does not have one yet). Then wait some minutes until the user credential information has been distributed among the different cloud servers.


Then open either Internet Explorer or the MS Edge browser on the server where the custo diagnostics server is installed and open the following web pages:

https://kybe.customed.de/CustoCentral/ (Error 404 will appear, but that's OK)

and

https://letsencrypt.org/

If any of the SSL certificates on those web pages is considered untrusted, store the untrusted one in the computer certificate store.

Then go to services.msc and restart the Apache Tomcat service.


Open the Service Center again and go to the Cloud Server section. Enter the customer's Kybe user credentials and test the login data:

To be able to proceed you should get a message about a successful logon. Then save the configuration with the Save button.


Now it is time to open up the firewalls (the internet firewall or router, the Windows Firewall and the virus scanner) for the external communication.

An example of how to open an inbound port from the internet on a FRITZ!Box router can be found here:

https://avm.de/service/fritzbox/fritzbox-7590/wissensdatenbank/publication/show/893_Statische-Portfreigaben-einrichten/ (section 3, which allows access to the FRITZ!Box itself, is not relevant). The port that needs to be forwarded from the internet to the custo diagnostics server is the SSL port, which by default is TCP port 8443. However, the installation may also use 18443 or 28443.

To test the connection from outside, open it in a browser like this: https://<your-external-ip>:<configured-port>/diag
If the "WebViewer coming soon" picture appears, the external connection works.
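As a complement to the browser test above, and to the earlier warning about proxies that open up the SSL chain, the following added example (not custo's own code) connects to the forwarded SSL port the way a sender would and reports whether the served certificate is the expected Let's Encrypt one for the DynDNS name. The host name, the function names and the sample certificate dictionary are this example's own assumptions; only the port 8443 and the Let's Encrypt issuer come from this page.

```python
# Added example, not custo's own code: check the forwarded custo diagnostics SSL
# port (8443 by default on this page) the way the diag sender sees it. Function
# names and the sample host name are this example's own.
import socket
import ssl
from datetime import datetime, timezone

EXPECTED_ISSUER = "Let's Encrypt"        # CA the page says issues the DynDNS certificate
SAMPLE_HOST = "praxis-demo.customed.de"  # constructed placeholder DynDNS name


def _name_matches(pattern, host):
    """Match one certificate DNS name against host, allowing a leading '*.' label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.split(".", 1)[1:] == [pattern[2:]]
    return pattern == host


def assess_peer_cert(cert, host, now=None, expected_issuer=EXPECTED_ISSUER):
    """Findings for a cert dict as returned by SSLSocket.getpeercert(); [] is good.
    A foreign issuer is the usual sign of a proxy re-signing ("opening up") the
    SSL chain, which the page says blocks evaluation transfers."""
    now = now or datetime.now(timezone.utc)
    findings = []
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != expected_issuer:
        findings.append(f"issuer {issuer.get('organizationName')!r} is not "
                        f"{expected_issuer!r}: a proxy may be opening up the SSL chain")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(_name_matches(n, host) for n in names):
        findings.append(f"certificate names {names} do not cover {host}")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after <= now:
        findings.append(f"certificate expired on {not_after:%Y-%m-%d}")
    elif (not_after - now).days < 14:
        findings.append(f"certificate expires soon, on {not_after:%Y-%m-%d}")
    return findings


def check_endpoint(host, port=8443, timeout=5.0):
    """Connect to https://host:port and assess the served certificate. The default
    context uses the system trust store, so a missing Let's Encrypt root (the
    sender-side issue described on the page) raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return assess_peer_cert(tls.getpeercert(), host)


# Constructed sample shaped like getpeercert() output; not a real certificate.
SAMPLE_CERT = {"issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
               "subjectAltName": (("DNS", SAMPLE_HOST),), "notAfter": "Aug 30 12:00:00 2025 GMT"}
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for offline checks
```

Run check_endpoint("<your-dyndns-name>", <configured-port>) from outside the evaluation center's network; an empty list means the chain reaches the sender unchanged.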


Then go back to the Dynamic URL and SSL section of the Service Center:

After the cloud server access has been set up, this is also shown in the status window.

System physician

At least the name and email address of the system physician must be entered, as the certificate is then created for him. If the physician is correctly configured, this is shown in the status window.

Once all configurations are successful, the DynDNS configuration is activated and the settings can be made.

DynDNS Configuration

By default the DynDNS configuration URL is set to https://null:8080. There is no need to change that URL; it is replaced automatically when you click on "Setup DynURL and certificate".

The configuration runs automatically after clicking "Setup DynURL and certificate". Creating the certificate takes a few minutes.


If everything worked, the DynDNS name appears in the DynUrl field (1) and the certificate's period of validity under DynURL Status (2).

Functions

Ping test

Attempts to ping the server set up under DynUrl. This is useful to check whether e.g. the router (FRITZ!Box) is configured correctly and the port is forwarded correctly: port mapping from external 8443 (SSL) to internal 8443.

Get secured CustoCfg.ini

Saves the CustoCfg.ini with the new URL to disk so that it can be used later.


Known issues on the sender side:

It may happen on the sender side that the channel to the evaluation center cannot be established. One of the reasons may be that the relevant Let's Encrypt CAs are not trusted.

In this case please open one of the system browsers (Edge or IE) on the sending custo diagnostics server and go to https://letsencrypt.org/

Afterwards restart the custo diagnostics server on the sending side.


