How IT managers can make sure that PSN services are accessible to their staff.
Look at the services your organisation uses, and work out whether and how you can access them when you migrate to PSN.
Ensure you are PSN compliant
You should start planning the work needed to make sure your network meets the standards allowing you to connect. Before your organisation can connect to PSN, or use it to receive PSN services, you must be PSN compliant. Find out about PSN compliance here.
Get network resources
You can request IP addresses and get approval to use your DNS name on PSN from the PSN team.
You can use your own public IP addresses, but you may qualify for an allocation of IP addresses from the PSN team. Complete an IP address allocation form, making sure that you understand and agree to the terms and conditions.
The PSN team will allocate IP addresses if your request is approved.
In some cases, we have delegated blocks of our IP addresses to third parties. If you need addresses for the following purposes, you should contact the relevant organisation directly.
|Purpose of the IP addresses||Contact|
|PSN connections for HMRC||HMRC|
|PSN connections for Home Office||Home Office Technology|
|PSN connections for Police||PSN in Policing|
|Skyscape PSN cloud services||Skyscape|
|CSC PSN cloud services||CSC|
|Vodafone GCF internet connectivity service||Vodafone|
If you have services like collaboration tools that you want to make available to others on PSN you’ll need to create DNS entries for them. Use our DNS forms to manage your domain names on PSN. Existing GSi Convergence Framework (GCF) customers should use the GCF request for change form for this. Non-GCF customers should use the PSN customer change form.
Consider encrypted WAN Connectivity
You may want encryption on your network service. To do this:
- choose a supplier that offers an IPED-connected encryption service
- make sure the supplier knows which services you need access to
- make sure you understand what the timescales are for you to be able to access these services
Read the Inter-Provider Encryption Domain (IPED) service document to learn more about using encryption on PSN.
Request changes from service providers
You must make sure you have access to the PSN services you need from your new connection. The PSN team will provide new IP addresses for new customers connecting to the network. Make sure that you know all the services that you’re currently accessing and contact the service owners so they can make any technical changes required to give you access.
Install the new connection and configure your environment
Your connectivity supplier will do the physical installation and configuration of the PSN connectivity service. There can be a lead time of approximately 9 weeks between ordering the circuit to installation. You also need to confirm with your supplier that they have got Government Conveyance Network (GCN) connectivity. If they don’t you’re unlikely to be able to access other government services on PSN.
If you have services bought through the GCF framework you need to complete and return a request for change (RFC) to our current core services provider, Vodafone. You need to complete this no later than 6 weeks before the date you want to transition. You will need your PSN IP address to complete the RFC form.
Your supplier will provide specific technical details about connecting to their network following an order. We have also set out below technical steps to follow to successfully connect to PSN.
Configure your firewall
You will need to configure your firewall to access the services you need. A typical rule set is:
|Your proxy/NAT||PSN||HTTP (TCP:80) HTTP (TCP:8080) HTTPS (TCP443)||Allow||Enable outbound access to applications within the PSN using HTTP & HTTPS|
|PSN||Your web services||HTTP (TCP:80) HTTPS (TCP:443)||Allow||Enable outbound access to applications within the PSN using HTTP & HTTPS|
|PSN||Your email servers||SMTP (TCP:25)||Allow||Enable inbound email from PSN|
|Your mail servers||PSN||SMTP (TCP:25)||Allow||Enable outbound email from your network to the PSN|
|Your DNS servers||PSN DNS servers||DNS (UDP:53) DNS (TCP:53)||Allow||Allow queries to the PSN DNS servers|
|Your NTP servers||PSN NTP servers||NTP (UDP:123)||Allow||Allow queries to PSN NTP servers|
|Any||Any||Any||Block||Default rule for all other traffic|
Configure your DNS servers
PSN provides the primary DNS servers and resolvers for the following domains: gcsx.gov.uk, gsi.gov.uk, gsx.gov.uk, gse.gov.uk. The IP addresses of the PSN DNS resolvers that you should configure on your DNS servers are 220.127.116.11 and 18.104.22.168, both accessible using DNS on UDP Port 53. Always use the PSN DNS resolvers, and let the PSN DNS resolvers forward any unresolved names to internet DNS servers.
These other domain names are also available for forwarding to the PSN DNS servers:
No central Network Time Protocol (NTP) service is provided. You can either continue to use a service provided from the GCF framework or request this from your DNSP.
IP addresses reachable on PSN
The summary blocks of IP addresses in the table below are set aside for use on PSN, and reachable from PSN.
If you are a PSN customer, you can choose to configure your firewalls so your users can route to some or all of these summary blocks. Alternatively, each of your service providers will confirm with you what specific IP address ranges their services are on.
If you are a PSN service provider you must use this list to maintain routing between all points on PSN. This will simplify your routing tables and firewall rules and minimise the cost of change as new end-points connect.
Any organisation may set aside a summary block of IP addresses that they own for use on PSN, and assign ranges within this block for individual customer end-points. When a summary block fills up, the organisation may set aside a new one.
If your organisation owns IP addresses and has set some aside for the PSN shared services VPN, then the PSN IP address management obligations require you to notify the PSN team of each summary block you have set aside for PSN, and state whether it is for PSN Assured or PSN Protected use.
IP address summary blocks set aside for use on PSN:
|22.214.171.124/16||PSN team||PSN Assured|
|126.96.36.199/16||PSN team||PSN Assured|
|188.8.131.52/16||PSN team||PSN Assured|
|184.108.40.206/16||PSN team||PSN Protected|
|220.127.116.11/16||PSN team||PSN Protected|
|18.104.22.168/16||PSN team||PSN Protected|
|22.214.171.124/16||PSN team||PSN Protected|
|126.96.36.199/16||PSN team||PSN Protected|
|188.8.131.52/16||PSN team||PSN Protected|
|184.108.40.206/29||Convergence Group||PSN Assured|
|220.127.116.11/29||Convergence Group||PSN Assured|
|18.104.22.168/21||Convergence Group||PSN Assured|
IP address summary blocks used for other government networks reachable from PSN, that the PSN team is aware of:
|22.214.171.124/16||legacy GSI, GSE, GSX, xGSI|
|126.96.36.199/16||legacy PNN SCN|
|188.8.131.52/19||legacy PNN CJX|
|184.108.40.206/19||legacy PNN CJX|
|220.127.116.11/24||legacy PNN SCN|
Gateways to other networks and access to government information sources
You need to identify all services and organisations that you communicate with. Some of these may be outside PSN. Email is allowed to move between these networks but for other services, like web traffic (HTML), you’ll need:
- the provider of the service or network to give you permission
- a public sector interconnect provider to enable routing between your organisation and the required service or network
- the provider of the service to enable access to the specific services you need
- your local IT team and your connectivity service provider to make sure that you can route to the destination IP address ranges, as described in IP Routing
- your local IT team and the external service provider to configure the required services appropriate to your users’ needs
Vodafone is the only public sector interconnect provider. Use the GCF request for change form to request access changes. Ensure your form is submitted to Vodafone by the authority for the service you need to access.
The external networks that you can currently access through this route are:
- NHS N3 network
- European Council of Ministers network
- Criminal Justice Extranet (CJX)
- Police National Network (PNN)
- Criminal Justice Secure Mail
- Various European Union Government Intranets (TESTA)
Test your new connection
Make sure you can access the services you use. If you are transitioning from GCF to PSN, the PSN transition team should already be engaged with your organisation and supporting your transition. If you have any questions contact us.
If you are not transitioning from GCF to PSN, contact your service providers in the first instance for help with connectivity testing and service take-on guides for PSN services.
You should receive a service take-on guide from each PSN connectivity or service provider you use.
You should run your old and new network services at the same time until you’re happy to submit a cease order with your previous supplier.