GovWire

Detailed guide: Maintain your systems on the Public Services Network (PSN)

Cabinet Office

February 26, 2021, 15:19

Look at the services your organisation uses, and work out whether and how you can migrate them from the PSN to the cloud.

The moving to modern network solutions guidance will help your organisation on this journey.

Ensure you are PSN compliant

You should continue with any work needed to secure and maintain your network to ensure it meets the existing security standards. Find out about PSN compliance here.

Get network resources

You can still request IP addresses and get approval to use your Domain Name System (DNS) name on PSN from the PSN team, although these requests will now be assessed in light of the move to adopt the Technology Code of Practice across government.

You can use your own public IP addresses, but you may qualify for an allocation of IP addresses from the PSN team. Complete an IP address allocation form, making sure that you understand and agree to the terms and conditions.

The PSN team will allocate IP addresses if your request is approved.

In some cases, we have delegated blocks of our IP addresses to third parties. If you need addresses for the following purposes, you should contact the relevant organisation directly.

| Purpose of the IP addresses | Contact |
|---|---|
| PSN connections for HMRC | HMRC |
| PSN connections for Home Office | Home Office Technology |
| PSN connections for Police | PSN in Policing |
| UK Cloud PSN cloud services | UK Cloud |
| CSC PSN cloud services | CSC |

Nominet is the government's DNS provider, offering a secure DNS service. You should buy this DNS service through CCS and then complete the following form to request access to use the DNS service.

Note: As of 31 March 2021 this service replaces the DNS procurement process and DNS service via the legacy GSi Convergence Framework (GCF). The GCF Service is no longer available.

Consider encrypted WAN Connectivity

You may want encryption on your network service. To do this:

  • choose a supplier that offers an IPED-connected encryption service
  • make sure the supplier knows which services you need access to
  • make sure you understand what the timescales are for you to be able to access these services

Read the Inter-Provider Encryption Domain (IPED) service document to learn more about using encryption on PSN.

Request changes from service providers

You must make sure you have access to the PSN services you need from your new connection. The PSN team will provide new IP addresses for new customers connecting to the network. Make sure that you know all the services that you're currently accessing and contact the service owners so they can make any technical changes required to give you access.

Install the new connection and configure your environment

Your connectivity supplier will do the physical installation and configuration of the PSN connectivity service. There can be a lead time of approximately 9 weeks between ordering the circuit and installation. You also need to confirm with your supplier that they have Government Conveyance Network (GCN) connectivity. If they don't, you're unlikely to be able to access other government services on PSN.

If you have services bought through the GCF framework you need to complete and return a request for change (RFC) to our current core services provider, Vodafone. You need to complete this no later than 6 weeks before the date you want to transition. You will need your PSN IP address to complete the RFC form.

Your supplier will provide specific technical details about connecting to their network following an order. We have also set out below technical steps to follow to successfully connect to PSN.

Configure your firewall

You will need to configure your firewall to access the services you need. A typical rule set is:

| From | To | Protocol | Action | Comment |
|---|---|---|---|---|
| Your proxy/NAT | PSN | HTTP (TCP:80), HTTP (TCP:8080), HTTPS (TCP:443) | Allow | Enable outbound access to applications within the PSN using HTTP & HTTPS |
| PSN | Your web services | HTTP (TCP:80), HTTPS (TCP:443) | Allow | Enable outbound access to applications within the PSN using HTTP & HTTPS |
| PSN | Your email servers | SMTP (TCP:25) | Allow | Enable inbound email from PSN |
| Your DNS servers | PSN DNS servers | DNS (UDP:53), DNS (TCP:53) | Allow | Allow queries to the PSN DNS servers |
| Any | Any | Any | Block | Default rule for all other traffic |
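
The rule set above written as an nftables forward chain, as an added example that is not part of the original guidance. The internal host addresses and the PSN range are placeholders taken from documentation ranges, the two resolver addresses are the PSN DNS resolvers this guide lists in its DNS section, and the established/related rule is an assumption added so that replies to permitted flows can return.

```nftables
# Added example: placeholder addresses, replace with your own allocations.
define psn_net   = 198.51.100.0/24                 # placeholder for PSN-reachable ranges
define psn_dns   = { 51.33.255.42, 51.33.255.58 }  # PSN DNS resolvers named in this guide
define proxy_nat = 192.0.2.10                      # placeholder: your proxy/NAT
define web_srv   = 192.0.2.20                      # placeholder: your web services
define mail_srv  = 192.0.2.25                      # placeholder: your email servers
define dns_srv   = { 192.0.2.53, 192.0.2.54 }      # placeholder: your DNS servers

table inet psn_gateway {
    chain forward {
        # Last row of the table: anything not matched below is blocked.
        type filter hook forward priority filter; policy drop;

        # Assumption: stateful filtering, so only the initiating direction
        # of each flow needs an explicit rule.
        ct state established,related accept
        ct state invalid drop

        # Row 1: your proxy/NAT -> PSN, HTTP (80, 8080) and HTTPS (443)
        ip saddr $proxy_nat ip daddr $psn_net tcp dport { 80, 8080, 443 } accept

        # Row 2: PSN -> your web services, HTTP (80) and HTTPS (443)
        ip saddr $psn_net ip daddr $web_srv tcp dport { 80, 443 } accept

        # Row 3: PSN -> your email servers, SMTP (25)
        ip saddr $psn_net ip daddr $mail_srv tcp dport 25 accept

        # Row 4: your DNS servers -> PSN DNS servers, DNS over UDP and TCP 53
        ip saddr $dns_srv ip daddr $psn_dns meta l4proto { tcp, udp } th dport 53 accept

        # Count and log what the default rule blocks, so that missing
        # service rules show up during migration testing.
        counter log prefix "psn-default-block " drop
    }
}
```

Validate the file with `nft -c -f <file>` before loading it; the `-c` flag checks the syntax without changing the running rule set.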

Configure your DNS servers to use Nominet

Nominet provides the primary DNS servers and resolvers for the following domains:

  • *.gsi.gov.uk
  • *.gse.gov.uk
  • *.gsx.gov.uk
  • *.gcsx.gov.uk

The IP addresses of the PSN DNS resolvers that you should configure on your DNS servers are 51.33.255.42 and 51.33.255.58, both accessible using DNS on UDP Port 53.

All gsi-family domain names (gsi.gov.uk, gse.gov.uk, gcsx.gov.uk or gsx.gov.uk) must now be replaced with a government domain like gov.uk, gov.scot, llyw.cymru or gov.wales.

Note: Network Time Protocol (NTP) service is no longer provided.

IP addresses reachable on PSN

The summary blocks of IP addresses in the table below are set aside for use on PSN, and reachable from PSN.

If you are a PS
