
Microsoft 70-350

Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004
Q&A

Version 4.0
Important Note, Please Read Carefully

Other TestKing products


A) Offline Testing engine
Use the offline Testing engine product to practice the questions in an exam environment.
B) Study Guide (not available for all exams)
Build a foundation of knowledge which will be useful also after passing the exam.

Latest Version
We are constantly reviewing our products. New material is added and old material is
revised. Free updates are available for 90 days after the purchase. You should check your
member zone at TestKing and update 3-4 days before the scheduled exam date.

Here is the procedure to get the latest version:

1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the
links.
For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.

Feedback
If you spot a possible improvement then please let us know. We are always interested in
improving product quality.
Feedback should be sent to feedback@testking.com. You should include the following:
Exam number, version, page number, question number, and your login ID.

Our experts will answer your mail promptly.

Copyright
Each iPAD file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular iPAD file is
being distributed by you, TestKing reserves the right to take legal action against you
according to the International Copyright Laws.

Explanations
This product does not include explanations at the moment. If you are interested in
providing explanations for this exam, please contact feedback@testking.com.

Leading the way in IT testing and certification tools, www.testking.com


QUESTION NO: 1
You are a network administrator for TestKing.com. You plan to implement ISA
Server 2004 as a SecureNAT firewall for client computers on the network. The
implementation will consist of a Windows Server 2003 Network Load Balancing
cluster.

External client computers that connect to resources published by ISA Server must
be load balanced across the Network Load Balancing cluster when they connect by
using DNS.

You need to plan the external DNS implementation before you deploy ISA Server
2004.

What should you do?

A. Create three service locator (SRV) resource records.
Configure each record to use the _HTTP service and to reference the IP address of one of
the internal interfaces of the Network Load Balancing cluster nodes.
B. Create three host (A) resource records.
Configure each record with the IP address of one of the external interfaces of the Network
Load Balancing cluster nodes.
C. Create one host (A) resource record.
Configure the record with the virtual IP address that is assigned to the external interface
of the Network Load Balancing cluster.
D. Create one host (A) resource record.
Configure the record with the virtual IP address that is assigned to the internal interface of
the Network Load Balancing cluster.

Answer: C

Explanation:
Network Load Balancing (NLB) is a Windows service that enables network traffic to be
shared between multiple servers, while appearing to the client to be captured and
processed by a single server's IP address. It provides for load sharing between NLB
cluster members, and also provides for redundancy if one of the NLB members becomes
unavailable. Only the Enterprise version of ISA Server 2004 natively supports NLB.
In this scenario we are publishing resources for external clients; therefore we need to
configure publishing rules that use the external interface of the ISA Server.

QUESTION NO: 2
You are a network administrator for TestKing.com. The network is configured as
shown in the exhibit.

You are upgrading the Routing and Remote Access server to ISA Server 2004. You
need to configure the Internal network.

You need to create access rules that are specific to each subnet.

Which three IP address ranges should you use? (Each correct answer presents part
of the solution. Choose three)

A. 10.0.25.1 - 10.0.25.255
B. 172.16.1.0 - 172.16.1.255

C. 172.16.2.0 - 172.16.2.255
D. 172.16.10.0 - 172.16.10.255
E. 192.168.1.0 - 192.168.255.255

Answer: B, C, D

Explanation:

Two terms are distinct in the ISA world. An ISA network is defined as the grouping of
physical subnets that form a network topology that is attached to a single ISA Server
network adapter. So, a single ISA "network" could be composed of multiple physical
networks. Even though there are four physical subnets, all connected to each other with
switches, ISA sees these individual subnets as only two networks, an internal network and
a perimeter network (also called a DMZ), because it has network adapters attached to only a
single subnet on each of the networks. To further illustrate, a uni-homed (single NIC)
server would see the range of all IP addresses on the Internet as a single ISA network. In
our scenario the internal network consists of 172.16.1.0 - 172.16.1.255, 172.16.2.0 -
172.16.2.255 and 172.16.10.0 - 172.16.10.255. A perimeter network, also known as a
demilitarized zone (DMZ) or screened subnet, is a network that you set up separately
from an internal network and the Internet. Perimeter networks allow external users to gain
access to specific servers that are located on the perimeter network while preventing direct
access to the internal network. In this way, even if an attacker penetrates the perimeter
network security, only the perimeter network servers are compromised.
In our scenario the DMZ consists of 10.0.25.1 - 10.0.25.255.

QUESTION NO: 3
You are a network administrator for TestKing.com. Client computers on the
internal network are divided among several subnets by using routers.

You install an ISA Server 2004 computer named ISA1. ISA1 will be used to allow
users to access Web sites on the Internet. You configure TCP/IP on ISA1 as shown
in the exhibit.

After ISA1 is installed, users report that they cannot access Web sites on the
Internet.

You need to ensure that users can access Web sites on the Internet.

Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two)

A. Configure the internal default gateway to match the external default gateway.
B. Configure a static route to each subnet.
C. Add the IP address of the internal default gateway to the Remote Management
Computers computer set.
D. Configure the internal network adapter with a blank default gateway.
E. Create a network set for each subnet.

Answer: B, D

Explanation:
The routing table on the ISA firewall machine should be configured before you install the
ISA firewall software. The routing table should include routes to all networks that are not
local to the ISA firewall's network interfaces. These routing table entries are required
because the ISA firewall can have only a single default gateway. Normally, the default
gateway is configured on the network interface that is used for the External network.
Therefore, if you have an internal or other network that contains multiple subnets, you
should configure routing table entries that ensure the ISA firewall can communicate with
the computers and other IP devices on the appropriate subnets. The network interface
with the default gateway is the one used to connect to the Internet, either directly or via
upstream routers. Knowing this, we should remove the default gateway IP address
from the internal network card and configure static routes to each subnet.
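To make the routing-table rule concrete, here is an added Python example (not part of the TestKing material) that parses a constructed listing in the layout of the Windows 'route print' command and checks the two conditions above: exactly one default gateway, bound to the external interface, and a static route to each routed internal subnet. The addresses (203.0.113.x external, 10.1.x.x internal), the interface values and the functions parse_route_print and check_isa_routes are this example's own assumptions.

```python
"""Routing-table sanity check for a dual-homed ISA Server 2004 firewall.

Added example (not from the TestKing material). It parses text in the
layout of Windows 'route print' and verifies the two points made above:
exactly one default gateway, bound to the external interface, and a
static route for every internal subnet that is not directly attached.
All addresses below are constructed sample values."""

import ipaddress

# Constructed 'route print' excerpt BEFORE the fix: both adapters carry a
# default gateway, and the two routed internal subnets have no routes.
ROUTE_PRINT_BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.2      20
          0.0.0.0          0.0.0.0         10.1.1.1       10.1.1.2      20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      203.0.113.0    255.255.255.0      203.0.113.2    203.0.113.2      20
         10.1.1.0    255.255.255.0         10.1.1.2       10.1.1.2      20
"""

# Constructed excerpt AFTER the fix: the internal adapter has a blank default
# gateway and persistent static routes point at the internal router 10.1.1.1.
ROUTE_PRINT_AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.2      20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      203.0.113.0    255.255.255.0      203.0.113.2    203.0.113.2      20
         10.1.1.0    255.255.255.0         10.1.1.2       10.1.1.2      20
         10.1.2.0    255.255.255.0         10.1.1.1       10.1.1.2       1
        10.1.10.0    255.255.255.0         10.1.1.1       10.1.1.2       1
"""


def parse_route_print(text):
    """Return the IPv4 routes as dicts; header and section lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            dest, mask, gateway, iface = (ipaddress.IPv4Address(p) for p in parts[:4])
            metric = int(parts[4])
        except ValueError:
            continue  # not a route row (e.g. the column header)
        routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                       "interface": iface, "metric": metric})
    return routes


def check_isa_routes(routes, external_if, internal_if, internal_subnets):
    """Return a list of findings; an empty list means the table is consistent."""
    findings = []
    any_addr = ipaddress.IPv4Address("0.0.0.0")
    external_if = ipaddress.IPv4Address(external_if)
    internal_if = ipaddress.IPv4Address(internal_if)

    # 1. ISA can have only one default gateway, and it belongs on the external NIC.
    defaults = [r for r in routes if r["dest"] == any_addr and r["mask"] == any_addr]
    if len(defaults) != 1:
        findings.append(f"expected exactly one default route, found {len(defaults)}")
    for r in defaults:
        if r["interface"] != external_if:
            findings.append(f"default route via {r['gateway']} leaves the internal "
                            f"interface {r['interface']} instead of {external_if}")

    # 2. Every routed internal subnet needs an explicit route out of the internal NIC.
    for subnet in internal_subnets:
        net = ipaddress.IPv4Network(subnet)
        reachable = any(
            ipaddress.IPv4Network((r["dest"], str(r["mask"])), strict=False) == net
            and r["interface"] == internal_if
            for r in routes)
        if not reachable:
            findings.append(f"no route to internal subnet {net} via {internal_if}")
    return findings


if __name__ == "__main__":
    for label, table in (("before", ROUTE_PRINT_BEFORE), ("after", ROUTE_PRINT_AFTER)):
        result = check_isa_routes(parse_route_print(table), "203.0.113.2", "10.1.1.2",
                                  ["10.1.2.0/24", "10.1.10.0/24"])
        print(label, result or "OK")
```

Run against the "before" table the check reports the second default gateway on the internal adapter and the two unreachable subnets; the "after" table passes. The persistent routes in the corrected table are what `route -p add 10.1.2.0 mask 255.255.255.0 10.1.1.1` (and the same for 10.1.10.0) would create on the ISA computer.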

QUESTION NO: 4 DRAG DROP

You are a network administrator for TestKing.com. You plan to deploy one ISA
Server 2004 computer, three routers, and one switch to provide Internet access to
client computers on the network. This planned network is shown in the answer area.

You must ensure that client computers can access the Internet as SecureNAT clients
after ISA Server is deployed. You examine several client computers and discover
that the default gateway is not configured.

You need to configure the correct default gateway for client computers.

What should you do?

To answer, drag the appropriate default gateway IP address or addresses to the
correct groups of client computers in the answer area.

Answer:
Explanation:

In the simple network scenario, the default gateway of the SecureNAT client is
configured as the IP address of the Internal interface of the ISA 2004 firewall. You can
manually configure the default gateway address, or you can use DHCP to automatically
assign addresses to the SecureNAT clients. The DHCP server can be on the ISA 2004
firewall itself, or it can be located on a separate machine on the Internal network. In the
'complex network scenario,' the Internal network consists of multiple network IDs that are
managed by a router, a series of routers or a layer 3 switch. In the case of the complex
network, the default gateway address assigned to each SecureNAT client depends on the
location of the SecureNAT client computer. The gateway address for the SecureNAT
client will be a router that allows the SecureNAT client access to other networks within
the organization, as well as the Internet. The routing infrastructure must be configured to
support the SecureNAT client so that Internet-bound requests are forwarded to the
Internal interface of the ISA 2004 firewall.

QUESTION NO: 5
You are a network administrator for TestKing.com. TestKing has a main office and
three branch offices.

You are planning to deploy ISA Server 2004 in the branch offices to provide users
with access to the Internet. The ISA Server computers will be configured as
stand-alone servers. The Firewall Client installation share will be placed on an
existing file server in each branch office.

You install Windows Server 2003 on the computers that will run ISA Server 2004.

You need to configure additional security for the ISA Server computers.

What are three possible ways to achieve this goal? (Each correct answer presents a
complete solution. Choose three)

A. Grant the Allow log on locally right to only the Administrators group.
B. Disable the external network adapter.
C. Enable the Secure Server (Require Security) IPSec policy.
D. Disable the Server service.
E. Remove all users from the Access this computer from the network right.

Answer: A, D, E

Explanation:
Secure Server (Require Security) policy - This policy is only appropriate for servers that
require all communications to be secure. Once this policy has been applied, the server
will neither send nor accept insecure communications. Any client wanting to communicate
with the server must use at least the minimum level of security described by the policy. In
this scenario it will not work because the clients do not have IPSec installed.
Allow log on locally - This logon right determines which users can interactively log on to
this computer. Logons initiated by pressing the CTRL+ALT+DEL sequence on the attached
keyboard require the user to have this logon right.
Access this computer from the network - This user right determines which users and
groups are allowed to connect to the computer over the network. This would still be
needed if the Firewall Client installation share resided on the ISA Server. In this scenario the
ISA Server 2004 Client Installation Share resides on another server, so we can remove the
users from the list.
Disable the Server service - You need the Server service if you install the ISA
Server 2004 Client Installation Share or use the Routing and Remote Access Management
console, rather than ISA Server Management, to configure a VPN. In this scenario we are
doing neither.
Disable the external network adapter - In this scenario the external adapter has been
connected to the Internet. If we disable that adapter then nobody would be able to
connect to the Internet and no VPN could be set up.

QUESTION NO: 6
You are a network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer named ISA1. ISA1 is not yet configured to allow inbound
VPN access.

You deploy a new application named App1. The server component of App1 is
installed on an internal server named Testking1. The client component of App1 is
installed on employee and partner computers. Employees and partners will establish
VPN connections when they use App1 from outside the corporate network.

You identify the following requirements regarding VPN connections to the
corporate network.

1. Employees must be allowed access to only Testking1, three file servers, and an
internal Web server named Web1.
2. Employees must have installed all current software updates and antivirus
software before connecting to any internal resources.
3. Partners must be allowed access to only Testking1.
4. You must not install any software other than the App1 client on any partner
computers.

You need to plan the VPN configuration for TestKing.

What should you do?

A. Configure ISA1 to accept incoming VPN connections from partners and employees.
Enable Quarantine Control on ISA1.
Configure Quarantine Control to disconnect users after a short period of time.
Use access rules to allow access to only the permitted resources.
B. Configure ISA1 to accept incoming VPN connections from partners and employees.
Enable Quarantine Control on ISA1.
Exempt partners from Quarantine Control.
Use access rules to allow access to only the permitted resources.
C. Configure ISA1 to accept incoming VPN connections from partners and employees.
Enable Quarantine Control on ISA1.
Enable RADIUS authentication and user namespace mapping.
Configure a Windows Server 2003 Routing and Remote Access server as a RADIUS
server.
Create a single remote access policy.
D. Add a second ISA Server 2004 computer named ISA2.
Configure ISA1 to accept VPN connections from employees. Do not enable Quarantine
Control for ISA1.
Configure ISA2 to accept VPN connections from partners. Enable Quarantine Control on
ISA2.
On each server, use access rules to allow access to only the permitted resources.

Answer: B

Explanation:
VPN quarantine control allows you to screen VPN client machines before allowing them
access to the organization's network. To enable VPN quarantine, you create a Connection
Manager Administration Kit (CMAK) package that includes a VPN client profile and a
VPN-quarantine client-side script. This script runs on the client, checks the security
configuration of the remote access client and reports the results to the VPN server. If the
client passes the security configuration check, the client is granted access to the
organization's network.
If you are using ISA Server as the VPN server, and the script reports that the client meets
the software requirements for connecting to the network, the VPN client is moved from
the VPN Quarantine network to the VPN Clients network. You can set different access
policies for hosts on the VPN Quarantine network compared to the VPN Clients network.
The partners do not need to be quarantined, so we exclude them from Quarantine Control.
ISA Server uses these networks just like it uses any other directly connected networks.
That means that you can use network rules and access rules to define the conditions under
which network packets will be passed from one network to another.

QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain named testking.com. The network contains an ISA
Server 2004 computer named ISA1.

ISA1 is configured as a VPN server and allows only VPN connections that use
PPTP. ISA1 is configured to use a RADIUS server named Testking1 to provide
authentication and authorization for VPN client connections.

You want to configure ISA1 to also allow VPN connections that use L2TP. For
testing purposes, you want VPN clients to be able to use preshared keys for
authentication.

You perform the following actions on ISA1:

1. In the Routing and Remote Access console, you enable the Allow custom IPSec
policy for L2TP connection option and enter a value for a preshared key.
2. In the ISA Server Management console, you enable L2TP over IPSec settings in
the VPN Clients Properties dialog box.

You test L2TP functionality by configuring a VPN connection object on a computer
named Workstation1, which runs Windows XP Professional with Service Pack 2.
The VPN connection object is configured to use the same preshared key that you
configured on ISA1. However, when you try to connect to ISA1 by using L2TP, you
receive the following error message: "Error 792: The L2TP connection failed
because security negotiation timed out."

You need to configure ISA1 to support L2TP connections that use preshared keys.

What should you do?

A. In the ISA Server Management console, enable the use of a custom IPSec policy and
configure a preshared key in the Virtual Private Networks (VPN) Properties dialog
box.
B. In the ISA Server Management console, enable EAP in the Virtual Private Networks
(VPN) Properties dialog box.
C. In the RADIUS remote access policy profile for the VPN connection, add
MD5-Challenge as an authentication method.
D. In the RADIUS remote access policy profile for the VPN connection, add Protected
Extensible Authentication Protocol (PEAP) as an authentication method.

Answer: A

Explanation:
Error 792 can be caused by:
* A preshared key is configured on the client, but the key is not configured
on the Routing and Remote Access Service server.
* The VPN server's machine certificate is not valid or is missing.
* The IPSec Policy Agent service is stopped and started without stopping and starting the
Routing and Remote Access service on the remote computer.
* The IPSec Policy Agent service is not running when you start the Routing and Remote
Access service.
* The ISA Server computer is configured to block IP fragments.
In this scenario we need to enable the use of a custom IPSec policy and configure a
preshared key in the Virtual Private Networks (VPN) Properties dialog box of the ISA
Server Management console, and NOT in the RRAS console. VPN properties should be
configured in the ISA console and not in the RRAS console because the ISA console
overrides RRAS settings.

QUESTION NO: 8
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 functions as a remote access VPN server
for the network. Remote access VPN clients can use either PPTP or L2TP over
IPSec to connect to ISA1.

Users report that after connecting to the corporate network, they cannot access file
shares on the network file server without first being presented with an
authentication prompt.

You need to ensure that users are not asked for credentials when they access file
shares.

Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two)

A. Instruct the users to log on by using their domain credentials via dial-up networking.
B. Configure ISA1 as a RADIUS client.
C. Create an access rule to enable the LDAP and LDAPS protocols from the Local Host
network to the Internal network.
D. Join ISA1 to the domain.

Answer: A, D

Explanation:
The placement of the ISA VPN server ultimately governs how user accounts are accessed
during authentication. The following authentication methods are available:
* Authenticating directly against Active Directory - If the ISA VPN server is installed as
a domain member server, users can be authenticated directly against the internal Active
Directory domain without any additional configuration.

Leading the way in IT testing and certification tools, www.testking.com


- 14 -
* Implement RADIUS Authentication - A RADIUS server, such as Microsoft's IAS,
included with both the Windows 2000 Server and Windows Server 2003, can allow the
stand-alone ISA VPN server to authenticate users against the internal domain. This
service is very useful when the ISA VPN server has been implemented in a DMZ
configuring.
* Authenticate against local users - It is possible to configure local users on the ISA VPN
server. This type of configuration is usually not recommended in a production
environment, but may be acceptable in specific lab scenarios.
In this scenario we need to join the ISA server to the domain. After that we can simply
instruct the users to logon by using their domain credentials via dial-up networking. Now
they won't be prompted anymore to access the files.

QUESTION NO: 9
You are the network administrator for TestKing.com. TestKing has a main office
and one branch office. The network contains two ISA Server 2004 computers named
ISA1 and ISA2. ISA1 is located at the main office. ISA2 is located at the branch
office.

An IPSec tunnel mode site-to-site VPN connects the main office and branch office
networks. ISA1 has three addresses bound to its external network adapter, and
ISA2 uses a non-primary IP address to establish the IPSec tunnel mode connection
to ISA1.

Users at the branch office report that they can connect to file shares at the main
office, but they cannot connect to the Microsoft Outlook Web Access Web site.

You need to ensure that users at the branch office can access the Outlook Web
Access Web site.

What should you do?

A. Use a network address translation (NAT) relationship between the branch office
network and the main office network.
B. Add IP addresses to the external network adapter of ISA2.
C. Change the Phase II IPsec configuration on both ISA1 and ISA2 to use Message Digest
5 (MD5) as its integrity algorithm.
D. Create a new protocol definition for TCP port 80 outbound and use the definition in
the access rule.

Answer: D

Explanation:
As the scenario stated : Users at the branch office report that they can connect to file
shares at the main office.
Therefore we can assume that the VPN tunnel has been correctly setup and is fully
functional. All we need to do is create a rule that allow the branch office users to connect
to the OWA website. We can achieve this by creating a new protocol definition for TCP
port 80 outbound and use the definition in the access rule.

QUESTION NO: 10
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1, which is configured as a remote access VPN
server. You configure ISA1 to accept both PPTP and L2TP over IPSec VPN
connections from remote access clients.

Several users report that they cannot connect to the network. You review the log
files on ISA1 and discover that the users with failed connection attempts are all
using L2TP over IPSec.

You need to ensure that the users can connect to the network.

What should you do?

A. Disable IP fragment blocking.
B. Disable IP routing.
C. Disable IP options filtering.
D. Disable verification of incoming client certificates.

Answer: A

Explanation:

You can also configure ISA Server to drop all IP fragments. A single IP datagram can be
divided into multiple datagrams of smaller sizes known as IP fragments. If you enable
this option, then all fragmented packets are dropped when ISA Server filters packet
fragments. A common attack that uses IP fragments is the teardrop. In this attack,
multiple IP fragments are sent to a server. However, the IP fragments are modified so that
the offset fields within the packet overlap. When the destination computer tries to
reassemble these packets, it is unable to do so. It may fail, stop responding, or restart.
Enabling IP fragment filtering can interfere with streaming audio and video. In addition,
Layer Two Tunneling Protocol (L2TP) over IPSec connections may not be successfully
established because packet fragmentation may take place during certificate exchange.
This scenario has IP fragment blocking enabled; therefore we must disable it to allow
L2TP over IPSec communication.
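As an added example (Python, not ISA Server code), the following contrasts the two behaviours discussed here and in the Error 792 list of Question 7: a policy that drops every fragment, which also discards the legitimate fragments of a large datagram such as a certificate exchange, versus a reassembly check that passes contiguous fragments and rejects only those whose offsets overlap earlier data, the pattern the teardrop description above refers to. All packets are built in memory with constructed addresses (198.51.100.10, 203.0.113.2) and IP IDs and are never sent; the function names are the example's own.

```python
"""IP fragment handling as described above: an all-fragments drop policy
versus a reassembly check that rejects only overlapping fragments.
Added example, not ISA Server code; the packets below are constructed in
memory with sample addresses and are never sent."""

import struct
from collections import defaultdict

MF_FLAG = 0x2000      # "more fragments" bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units
IPV4_HDR = "!BBHHHBBH4s4s"


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_fragment(ident, offset, more_fragments, payload,
                   src="198.51.100.10", dst="203.0.113.2", proto=17):
    """Build a minimal IPv4 packet (20-byte header, no options, checksum left 0).
    offset is in bytes and must be a multiple of 8, as on the wire."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (MF_FLAG if more_fragments else 0) | ((offset // 8) & OFFSET_MASK)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def parse_ipv4(packet):
    """Decode the header fields a fragment filter needs."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & OFFSET_MASK) * 8
    return {"id": ident, "proto": proto, "mf": bool(flags_frag & MF_FLAG),
            "offset": offset, "end": offset + (total_len - ihl)}


def is_fragment(hdr):
    return hdr["mf"] or hdr["offset"] != 0


def reassembly_verdict(frags):
    """Check one datagram's fragments: 'ok', 'overlap' (a fragment starts inside
    data already covered, the teardrop pattern) or 'incomplete' (hole or last
    piece missing)."""
    frags = sorted(frags, key=lambda f: f["offset"])
    expected = 0
    for f in frags:
        if f["offset"] < expected:
            return "overlap"
        if f["offset"] > expected:
            return "incomplete"
        expected = f["end"]
    return "incomplete" if frags[-1]["mf"] else "ok"


def filter_packets(packets, block_all_fragments):
    """Return {ip_id: verdict}; verdict is 'ok', 'blocked', 'overlap' or 'incomplete'."""
    by_id = defaultdict(list)
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        by_id[hdr["id"]].append(hdr)
    verdicts = {}
    for ident, frags in by_id.items():
        if block_all_fragments and any(is_fragment(f) for f in frags):
            verdicts[ident] = "blocked"   # the "block IP fragments" behaviour
        else:
            verdicts[ident] = reassembly_verdict(frags)
    return verdicts


# Constructed sample traffic (IP IDs 100, 200, 300):
# 100: a 3440-byte UDP datagram (think of a certificate exchange) split into
#      three legitimate fragments; 200: two fragments whose second offset falls
#      inside the first, the overlap described above; 300: an ordinary
#      unfragmented packet.
SAMPLE_PACKETS = [
    build_fragment(100, 0, True, b"\xaa" * 1480),
    build_fragment(100, 1480, True, b"\xaa" * 1480),
    build_fragment(100, 2960, False, b"\xaa" * 480),
    build_fragment(200, 0, True, b"\xbb" * 64),
    build_fragment(200, 24, False, b"\xbb" * 40),
    build_fragment(300, 0, False, b"\xcc" * 100),
]

if __name__ == "__main__":
    print("block all fragments:", filter_packets(SAMPLE_PACKETS, True))
    print("overlap check only: ", filter_packets(SAMPLE_PACKETS, False))
```

With fragment blocking on, datagram 100 is discarded along with the overlapping one, which is why the L2TP over IPSec clients in the scenario fail; with the overlap check alone, 100 reassembles cleanly and only 200 is rejected.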

QUESTION NO: 11
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.

You enable VPN Quarantine Control on ISA1. You create a Connection Manager
(CM) profile and install it on VPN client computers.

The CM profile contains a script named quarantine.vbs that performs several tests
on VPN client computers to ensure conformance with TestKing policy. If a
computer passes the tests, the script executes the following command:
RQC %1 %2 %3 %4 SV1.

The variables in the command represent the parameters inherited from the CM
profile. The parameters are shown in the following table.

Variable   Parameter
%1         %DialRasEntry%
%2         %TunnelRasEntry%
%3         %Domain%
%4         %UserName%

Users report that after they establish a VPN connection with ISA1, they receive a
message stating that their computer has been placed in quarantine mode. The VPN
connection is terminated, and they are prompted to reconnect. You verify that the
client computer configurations conform to TestKing policies and pass the tests in the
quarantine.vbs script.

The System log displays a large number of instances of the following warning
message: "A remote access client at IP address w.x.y.z connected by
Testking\username has been rejected because it presented the following
unrecognized quarantine string: SV1"

You need to ensure that VPN client computers can be moved out of the Quarantined
VPN Clients network when the quarantine.vbs script executes successfully.

What should you do?

A. Create a new CM profile by using the Connection Manager Administration Kit
(CMAK). Append the text string "SV1" to the list of parameters for the custom action.

B. Edit the quarantine.vbs script so that it uses the following command:
RQC %DialRasEntry% %TunnelRasEntry% 7250 %Domain% %UserName%
C. On ISA1, configure the AllowedSets values for the RQS service by including the text
string "SV1".
D. Use the Connection Manager Administration Kit (CMAK) to change the post-connect
action to Rqc.exe.

Answer: C

Explanation:
The VPN quarantine control feature allows you to screen VPN client machines before
allowing them access to the organization's network. VPN quarantine control can delay
normal remote access to a private network until the remote access client configuration has
been validated by a client-side script. Configuring quarantine control on ISA Server
requires a number of configuration steps. Before you enable quarantine mode, you must
complete the following steps:

* Create a client-side script that validates client configuration information.
* Use CMAK to create a CM profile that includes a notification component and the
client-side script.
* Create and install a listener component on the ISA Server.
* Enable quarantine control on ISA Server.
* Configure network rules and access rules for the Quarantined VPN Clients network.

The Network Quarantine Service (Rqs.exe) provides the listener service for computers
running ISA Server to support VPN Quarantine. This component must be installed on all
computers running ISA Server that will provide quarantine services.
The easiest way to install the Network Quarantine Service and configure ISA Server to
support listener network traffic is to use the ConfigureRQSForISA.vbs script provided
with ISA Server 2004. The syntax to use this script is:

Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 <path to RQS.exe>

* The /install command line switch installs the listener service. To uninstall the listener
service, use /remove.
* The SharedKey value is the key that the notification component will send to the listener
component. The notification message sent by Rqc.exe contains a text string that indicates
the version of the quarantine script being run. This string is configured for Rqc.exe as part
of its command-line parameters, as run from the quarantine script. Rqs.exe compares this
text string to a set of text strings stored in the registry of the computer running ISA
Server. If there is a match, the quarantine conditions are removed from the connection. If
the client provides a shared key that is not in the allowed set, it will be disconnected.
There can be more than one shared key, separated by "\0".
* <path to RQS.exe> defines where the listener executable is located.

In this scenario we can see that the script version name is SV1. This script is
executed on the client side. On the ISA Server there must be a registry entry called
AllowedSets with the value SV1; otherwise we get the error mentioned in the scenario.
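The following added Python example (not Rqs.exe, Rqc.exe or ISA Server code) models the exchange just described: the CM profile expands the RQC command, the listener compares the version string with the allowed set parsed from the SharedKey1\0SharedKey2 argument form, and a client whose string is not in the set is logged with the warning from the scenario and dropped, while one that matches is moved to the VPN Clients network. The class and function names, the profile parameter values and the client address are constructed for the example.

```python
"""Model of the Rqc.exe -> Rqs.exe notification described above.

Added example, not ISA Server, Rqc.exe or Rqs.exe code. QuarantineListener,
build_rqc_command and parse_rqc_notification are this example's own names;
the profile values and client address used at the bottom are constructed."""

QUARANTINE_NET = "Quarantined VPN Clients"
VPN_CLIENTS_NET = "VPN Clients"
PROFILE_PARAMS = ("%DialRasEntry%", "%TunnelRasEntry%", "%Domain%", "%UserName%")


def parse_shared_keys(argument):
    """Split the SharedKey1\\0SharedKey2 form of the ConfigureRQSForISA.vbs
    argument (keys separated by a literal backslash-zero) into the allowed set."""
    return {key for key in argument.split("\\0") if key}


def build_rqc_command(profile_values, version_string):
    """Expand 'RQC %1 %2 %3 %4 <version>' with the parameters the CM profile
    passes to the quarantine script (%1..%4 map to PROFILE_PARAMS in order)."""
    args = [profile_values[name] for name in PROFILE_PARAMS]
    return "RQC " + " ".join(args + [version_string])


def parse_rqc_notification(command):
    """Recover domain, user and version string from the expanded RQC command."""
    tokens = command.split()
    if len(tokens) != 6 or tokens[0].upper() != "RQC":
        raise ValueError("malformed RQC command: " + command)
    return {"domain": tokens[3], "user": tokens[4], "version": tokens[5]}


class QuarantineListener:
    """Stands in for Rqs.exe: holds the allowed set and moves clients between networks."""

    def __init__(self, allowed_set):
        self.allowed_set = set(allowed_set)
        self.network_of = {}     # client IP -> ISA network the client currently sits in
        self.system_log = []     # warnings in the format quoted in the scenario

    def connect(self, client_ip):
        # Every new VPN client starts in the quarantine network.
        self.network_of[client_ip] = QUARANTINE_NET

    def notify(self, client_ip, command):
        """Handle the notification; return the client's network, or None if dropped."""
        info = parse_rqc_notification(command)
        if info["version"] in self.allowed_set:
            self.network_of[client_ip] = VPN_CLIENTS_NET
            return VPN_CLIENTS_NET
        self.system_log.append(
            f"A remote access client at IP address {client_ip} connected by "
            f"{info['domain']}\\{info['user']} has been rejected because it presented "
            f"the following unrecognized quarantine string: {info['version']}")
        del self.network_of[client_ip]   # connection terminated; user must reconnect
        return None


# Constructed CM profile values for the scenario's command "RQC %1 %2 %3 %4 SV1".
SAMPLE_PROFILE = {"%DialRasEntry%": "TestKingVPN", "%TunnelRasEntry%": "TestKingTunnel",
                  "%Domain%": "Testking", "%UserName%": "user1"}


def run_scenario(allowed_argument, client_ip="192.0.2.50"):
    """Connect one client, deliver its notification, return (network, log entries)."""
    listener = QuarantineListener(parse_shared_keys(allowed_argument))
    listener.connect(client_ip)
    command = build_rqc_command(SAMPLE_PROFILE, "SV1")
    network = listener.notify(client_ip, command)
    return network, listener.system_log


if __name__ == "__main__":
    # Listener installed with keys that do not include SV1: the error from the scenario.
    print(run_scenario("SharedKey1\\0SharedKey2"))
    # Listener whose allowed set includes SV1: the client is released.
    print(run_scenario("SharedKey1\\0SV1"))
```

The first run reproduces the scenario (the string SV1 is not in the allowed set, so the client is logged and disconnected); the second shows the effect of answer C, where SV1 is part of the allowed set and the client leaves quarantine.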

QUESTION NO: 12
You are the network administrator for TestKing.com. TestKing has a main office
and one branch office.

The main office has one ISA Server 2004 computer named ISA1, which runs
Windows Server 2003. The branch office has one ISA Server 2004 computer named
ISA2, which runs Windows 2000 Server.

You create a site-to-site VPN connection between ISA1 and ISA2. You configure
IPSec tunnel mode for the site-to-site connection.

When you test the site-to-site VPN connection, the connection attempt fails.

You need to enable the IPSec tunnel mode site-to-site VPN connection between the
main office and the branch office.

What should you do?

A. Install the IPSecPol tool on ISA1.
B. Install the IPSecPol tool on ISA2.
C. Configure a custom IPSec policy on ISA1.
D. Configure a custom IPSec policy on ISA2.

Answer: B

Explanation:
IPSec tunnel mode - Tunneling is the entire process of encapsulation, routing, and
decapsulation. Tunneling wraps, or encapsulates, the original packet inside a new packet.
This new packet might have new addressing and routing information, which enables it to
travel through a network. When tunneling is combined with data confidentiality, the
original packet data (as well as the original source and destination) is not revealed to
those listening to traffic on the network. After the encapsulated packets reach their
destination, the encapsulation is removed, and the original packet header is used to route
the packet to its final destination.
The tunnel itself is the logical data path through which the encapsulated packets travel.
To the original source and destination peer, the tunnel is usually transparent and appears
as just another point-to-point connection in the network path. The peers are unaware of
any routers, switches, proxy servers, or other security gateways between the tunnel's
beginning point and the tunnel's endpoint. When tunneling is combined with data
confidentiality, it can be used to provide a VPN.
The encapsulated packets travel through the network inside the tunnel. In this example,
the network is the Internet. The gateway might be an edge gateway that stands between
the outside Internet and the private network. The edge gateway can be a router, firewall,
proxy server, or other security gateway. Also, two gateways can be used inside the private
network to protect traffic across untrusted parts of the network.
When Internet Protocol security (IPSec) is used in tunnel mode, IPSec itself provides
encapsulation for IP traffic only. The primary reason for using IPSec tunnel mode is
interoperability with other routers, gateways, or end systems that do not support L2TP
over IPSec or PPTP VPN tunneling.
To create a remote site network that uses the IPSec protocol tunneling mode on a
computer running Windows 2000 (ISA2 in our scenario), you must install the IPSecPol
tool, available on the Microsoft website.

QUESTION NO: 13

You are the network administrator for TestKing.com. TestKing has a main office
and is adding a branch office.

You are connecting the main office and branch office networks. You install ISA
Server 2004 on a computer at each office, and you create a site-to-site VPN
connection between the ISA Server computers.

You create remote site networks on the ISA Server computers at both offices. You
choose the L2TP over IPSec VPN protocol. You want to use a preshared key for the
IPSec authentication. You open the Routing and Remote Access console and enter
the preshared key in the Properties dialog box for the Routing and Remote Access
server.

The site-to-site L2TP over IPsec connection is successful. You then restart the ISA
Server computers and discover that the site-to-site connection fails.

You need to ensure that the L2TP over IPSec site-to-site VPN connections continue
to function properly after the ISA Server computers are restarted.

What should you do?

A. Re-enter the preshared keys on the ISA Server computers at both offices. Change the
preshared keys so that they include mixed-case letters, numbers, and symbols.
B. Remove all certificates for the ISA Server computers at both offices.
C. On the ISA Server computers at both offices, remove the preshared key from the
Routing and Remote Access console, and enter the key on the Authentication tab of
the Virtual Private Networks (VPN) Properties dialog box.
D. Install user certificates on the ISA Server computers in both offices and enable EAP
user authentication for the demand-dial accounts.

Answer: C

Explanation:
Error 792 or preshared key issues can be caused by:
* A preshared key is configured on the client, but the key is not configured on the
Routing and Remote Access Service server.
* The VPN server's machine certificate is not valid or is missing.
* The IPSec Policy Agent service is stopped and started without stopping and starting the
Routing and Remote Access service on the remote computer.
* The IPSec Policy Agent service is not running when you start the Routing and Remote
Access service.
* The ISA Server computer is configured to block IP fragments.
In this scenario, in the ISA Server Management console, enable the use of a custom IPSec
policy and configure the preshared key in the Virtual Private Networks (VPN) Properties
dialog box, not in the RRAS console. VPN properties should be configured in the ISA
Server console rather than in the RRAS console because the ISA Server configuration
overrides the RRAS settings.

QUESTION NO: 14
You are the network administrator for TestKing.com. TestKing has a main office
and is adding a branch office.

The main office and the new branch each have an ISA Server 2004 computer. You
want to connect the main office and the branch office networks by using a
site-to-site VPN.

You create a site-to-site VPN connection that connects the office networks by using
the L2TP over IPSec VPN protocol. Computer certificates are installed on the ISA
Server computer at each office. When you create the remote site network on each
ISA Server computer, you configure it to use certificates and a preshared key. At
each office, the preshared key is configured as the office name on the ISA Server
computer at that office.

From the ISA Server computer at the main office, you repeatedly run the ping
command to a host on the branch office network. The site-to-site VPN fails. You
open the Routing and Remote Access console and manually dial the demand-dial
interface. You receive the following error message: "The last connection attempt
failed because: The L2TP connection attempt failed because the security layer
encountered a processing error during initial negotiations with the remote
computer."

You need to enable the site-to-site VPN connection by using the most secure IPSec
authentication method possible.

What should you do?

A. Restart the ISA Server computer at both offices.
B. Re-enter the preshared keys on the ISA Server computer at both offices. Change the
preshared keys so that they include mixed-case letters, numbers, and symbols.
C. Remove the preshared key from the remote site network configuration on the ISA
Server computer at both offices.
D. Delete the remote site network on the ISA Server computer at both offices, and
re-create the remote site networks with the original parameters.

Answer: C

Explanation:
Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPSec) - Layer
Two Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol that
provides encapsulation for sending Point-to-Point Protocol (PPP) across IP networks. The
Microsoft implementation of the L2TP protocol uses Internet Protocol security (IPSec)
encryption to protect the data stream from the VPN client to the VPN server. L2TP/IPSec
connections require user-level authentication and, in addition, computer-level
authentication using computer certificates OR a preshared key. In this scenario we are
using both, so we need to remove the preshared keys to achieve the highest possible
security.

QUESTION NO: 15
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 functions as a VPN remote access server.
Remote access VPN clients use either PPTP or L2TP over IPSec to connect to ISA1.

All remote access VPN client computers are configured as both Web Proxy and
Firewall clients of ISA1.

You create an access rule to allow domain users on the VPN Clients network access
to all protocols and Web sites on the Internet.

A user named Bob logs on to his portable computer by using a local user account
and establishes a VPN connection to ISA1 by using his domain credentials. You
discover that Bob cannot connect to the Internal network when the VPN connection
to ISA1 is active.

You need to ensure that Bob can access the Internal network while maintaining a
VPN connection to ISA1.

What should you do?

A. Disable the Firewall client before establishing the VPN connection.
B. Disable the Web Proxy configuration before establishing the VPN connection.
C. Create an access rule to allow connections from the VPN Clients network to the
Internal network.
D. Remove the authentication requirement on the access rule that allows VPN Clients
access to the Internet.

Answer: C

Explanation:
As the scenario states, Bob logs on to his portable computer by using a local user
account and establishes a VPN connection to ISA1 by using his domain credentials.
Therefore we can assume that the VPN tunnel has been set up correctly and is fully
functional. All we need to do is create a rule that allows Bob to connect to the Internal
network. We can achieve this by creating an access rule to allow connections from the
VPN Clients network to the Internal network.

QUESTION NO: 16
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 provides Internet access for all users on
TestKing's network.

All computers on the network are configured as SecureNAT clients. You create an
access rule on ISA1 that allows all users access to all protocols on the External
network.

You view the Firewall log and the Web Proxy filter log on ISA1 and notice that the
URLs of Web sites visited by TestKing users are not displayed.

You need to ensure that the URLs of Web sites visited by TestKing users are
displayed in the ISA1 log files.

What should you do?

A. Configure all network computers as Web Proxy clients.
B. Configure all network computers as Firewall clients.
C. Configure ISA1 to require authentication for Web requests.
D. Configure ISA1 to require authentication for all protocols.

Answer: A

Explanation:
The user name is only included in Firewall and Web Proxy logs when a client sends that
information to the ISA firewall. A client piece is always required to send user information
to the firewall since there are no provisions in the layer 1 through 6 headers to provide
this information. Only the Firewall client and Web Proxy client configurations can send
user information to the ISA firewall and have this information included in the log files.
SecureNAT client connections allow for logging of the source IP address, but user
information is never recorded for machines configured as only SecureNAT clients. Note
that there is no option to log the URL in the Firewall Logging Properties. The reason for
this is that the Firewall client doesn't send the URL for Web sites accessed via the
Firewall client. However, you can address this by configuring the computers as Web Proxy
clients, whose requests do carry the URL to ISA Server.

QUESTION NO: 17
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is configured to provide forward Web
caching for users on the Internal network.

During periods of peak usage, users report that it takes longer than usual for Web
pages to appear. You suspect that insufficient memory is the source of the slow
performance of ISA1.

You need to verify whether insufficient memory is the source of the slow
performance.

Which two System Monitor performance counters should you add? (Each correct
answer presents part of the solution. Choose two)

A. Memory\Pages/sec
B. Process(W3Prefch)\Pool Nonpaged Bytes
C. ISA Server Cache\Memory Usage Ratio Percent (%)
D. Physical Disk\Avg. Disk Queue Length
E. ISA Server Cache\Disk Write Rate (writes/sec)
F. Memory\Pool Nonpaged Bytes

Answer: A, C

Explanation:
The ISA Server installation configures several new performance objects that you can use
to monitor system performance on the computer running ISA Server. You view the
performance objects and their associated performance counters in real time in System
Monitor. System Monitor is a monitoring tool that is included with Windows 2000 and
Windows Server 2003.
Memory\Pages/sec - Pages/sec is the rate at which pages are read from or written to disk
to resolve hard page faults. This counter is a primary indicator of the kinds of faults that
cause system-wide delays. Process(W3Prefch)\Pool Nonpaged Bytes - Pool Nonpaged
Bytes is the size, in bytes, of the nonpaged pool, an area of system memory (physical
memory used by the operating system) for objects that cannot be written to disk, but must
remain in physical memory as long as they are allocated.
ISA Server Cache\Memory Usage Ratio Percent (%) - Shows the percentage of the total
amount of cache fetches that are from the memory cache. A high percentage may indicate
that it is worthwhile allocating more available memory resources to the cache. A low
percentage may indicate that memory resources may be better used elsewhere.
Physical Disk\Avg. Disk Queue Length - Is the average number of both read and write
requests that were queued for the selected disk during the sample interval.
ISA Server Cache\Disk Write Rate (writes/sec) - Measures the number of writes per
second to the disk cache for the purpose of writing URL content to the cache disk.
Memory\Pool Nonpaged Bytes - Pool Nonpaged Bytes is the size, in bytes, of the
nonpaged pool, an area of system memory (physical memory used by the operating
system) for objects that cannot be written to disk, but must remain in physical memory as
long as they are allocated.

QUESTION NO: 18 HOTSPOT
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.

You use Network Monitor to capture and analyze inbound traffic from the Internet
to ISA1. You notice a high volume of TCP traffic that is sent in quick succession to
random TCP ports on ISA1. The flag settings of the traffic are shown in the
following example.

TCP: Flags = 0x00 : ......
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgment field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin

This traffic slows the performance of ISA1.

You want to be able to create a custom alert that is triggered whenever ISA1
experiences traffic that uses invalid flag settings to discover open ports. You do not
want the alert to be triggered by traffic that uses valid flag settings in an attempt to
discover open ports. You want to accomplish this goal by selecting only the
minimum number of options in the Intrusion Detection dialog box.

What should you do?

To answer, configure the appropriate option or options in the dialog box in the
answer area.

Answer:
Explanation:

Windows out-of-band attack - This alert notifies you that there was an out-of-band
denial-of-service attack attempted against a computer protected by ISA Server. An
out-of-band attack occurs when a Windows system receives a packet with the URGENT
flag set. The system expects data to follow that flag. The exploit consists of setting the
URGENT flag but not following it with data. The port most susceptible is TCP port 139,
the NetBIOS Session Service port. If mounted successfully, this attack causes the
computer to fail or causes a loss of network connectivity on vulnerable computers.
Land attack - This alert notifies you that a TCP SYN packet was sent with a spoofed
source IP address and port number that match those of the destination IP address and port.
If the attack is successfully mounted, it can cause some TCP implementations to go into a
loop that causes the computer to fail.
Ping-of-death attack - This alert notifies you that an IP fragment was received with more
data than the maximum IP packet size. If the attack is successfully mounted, a kernel
buffer overflows, which causes the computer to fail.
Port scan - This alert notifies you that an attempt was made to access more than the
preconfigured number of ports. You can specify a threshold, indicating the number of
ports that can be accessed.

IP half scan - This alert notifies you that repeated attempts to send TCP packets with
invalid flags were made. During an IP half scan attack, the attacking computer does not
send the final ACK packet during the TCP three-way handshake. Instead, it sends other
types of packets that can elicit useful responses from the target host without causing a
connection to be logged. This is also known as a stealth scan, because it does not generate
a log entry on the scanned host. If this alert occurs, log the address from which the scan
occurs. If appropriate, configure the ISA Server rules to block traffic from the source of
the scans.
UDP bomb - This alert notifies you that there is an attempt to send an illegal User
Datagram Protocol (UDP) packet. These UDP packets will cause some older operating
systems to fail when the packet is received. If the target machine does fail, it is often
difficult to determine the cause.
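As an added example (not part of the original question and not ISA Server code), the following Python models the distinction the question draws: it renders a TCP flag byte the way the Network Monitor capture above does, and it reports a source that probes many ports with invalid flag combinations separately from one that probes with plain, valid SYNs. The sample packets are constructed, and the rule set for "invalid" combinations and the port threshold are assumptions of the example.

```python
from collections import defaultdict

# TCP flag bits, in the order Network Monitor prints them (URG ACK PSH RST SYN FIN).
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
NETMON_ORDER = ((URG, "U"), (ACK, "A"), (PSH, "P"), (RST, "R"), (SYN, "S"), (FIN, "F"))


def flags_to_netmon(flags):
    """Render the flag byte like the capture above: 0x00 -> '......', SYN+ACK -> '.A..S.'."""
    return "".join(letter if flags & bit else "." for bit, letter in NETMON_ORDER)


def has_invalid_flags(flags):
    """True for combinations a conforming TCP stack never sends (assumed rule set).

    Covers the null flags shown in the capture, SYN together with FIN or RST, and
    FIN/PSH/URG without ACK.  A bare SYN is a valid connection attempt even when it
    is used to probe ports, so it is not flagged here.
    """
    flags &= 0x3F
    if flags == 0:
        return True                         # null scan: no flags at all
    if flags & SYN and flags & (FIN | RST):
        return True                         # SYN never travels with FIN or RST
    if not flags & (ACK | SYN | RST):
        return True                         # FIN / PSH / URG without ACK
    return False


def detect_scans(packets, port_threshold=10):
    """Map each source that touched more than port_threshold ports to an alert kind.

    'invalid-flag scan' corresponds to what the explanation calls the IP half scan
    alert; 'port scan' is probing with valid flags.  Keeping them apart lets a policy
    alert on the first without being triggered by the second, as the question requires.
    """
    ports_by_src = defaultdict(set)
    invalid_by_src = defaultdict(int)
    for src, dport, flags in packets:
        ports_by_src[src].add(dport)
        if has_invalid_flags(flags):
            invalid_by_src[src] += 1
    alerts = {}
    for src, ports in ports_by_src.items():
        if len(ports) > port_threshold:
            alerts[src] = "invalid-flag scan" if invalid_by_src[src] else "port scan"
    return alerts


# Constructed sample traffic (not a real capture): one external host sends null-flag
# probes to twelve ports, another sends plain SYNs to twelve ports, and a normal
# client talks to port 80 only.
SAMPLE_PACKETS = (
    [("203.0.113.10", p, 0x00) for p in (21, 22, 25, 53, 80, 110, 135, 139, 443, 445, 1433, 3389)]
    + [("203.0.113.20", p, SYN) for p in range(8000, 8012)]
    + [("198.51.100.5", 80, SYN), ("198.51.100.5", 80, ACK), ("198.51.100.5", 80, ACK | PSH)]
)

if __name__ == "__main__":
    print("Flags = 0x00 :", flags_to_netmon(0x00))
    for src, kind in sorted(detect_scans(SAMPLE_PACKETS).items()):
        print(src, "->", kind)
```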

QUESTION NO: 19
You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 is
configured to publish two Web sites named www.fabrikam.com and
www.testking.com. Both Web sites are located on a Windows Server 2003 computer
named Testking1. The IP address of Testking1 is 10.0.0.2.

The Web publishing rules are configured as shown in the following display.

Both the www.fabrikam.com/info and www.testking.com/info virtual directories point to a
common file share.

The default log view does not allow you to easily distinguish between requests for
www.fabrikam.com/info and requests for www.testking.com/info. A sample of the
log with the relevant entries is shown in the following table.

Destination IP   Rule            URL
10.0.0.2         Web Publish 1   10.0.0.2/info
10.0.0.2         Web Publish 2   10.0.0.2/info

You need to ensure that the log viewer displays the fully qualified domain names
(FQDNs) for the Web site requests. In addition, you need to filter the log viewer to
display only the requests for both the www.testking.com/info and the
www.fabrikam.com/info virtual subdirectories.

What should you do?

A. On ISA1, configure two Hosts file entries that resolve both FQDNs to 10.0.0.2.
Configure each Web publishing rule to use the FQDN of its respective Web site on the To
tab.
In the log viewer, add to the default log filter expression a condition where the URL
contains the text string "info".
B. On ISA1 configure two Hosts file entries that resolve both FQDNs to the external IP
address of ISA1.
Configure each Web publishing rule so that requests appear to come from the original
client computer.
In the log viewer, add a column to display the destination host name.
In the log viewer, add to the default log filter expression a condition where the URL
contains the text string "info".
C. In the log viewer, add two conditions to the default log filter expression.
Configure the first condition so that the Rule equals Web Publish 1.
Configure the second condition so that the Rule equals Web publish 2.
In the log viewer, add a column to display the destination host name.
D. In the log viewer, add two conditions to the default log filter expression.
Configure the first condition so that Server contains Fabrikam.
Configure the second condition so that Server contains Testking.
In the log viewer, add a column to display the destination host name.

Answer: A

Explanation:

The ISA firewall's Web Proxy filter handles all incoming Web connections made through
Web Publishing Rules. Even when you unbind the Web Proxy filter from the HTTP
protocol definition, the Web Proxy filter is always enabled for Web Publishing Rules. We
can see in the exhibit that the Web publishing rules were created by using IP addresses in
the To column, but we should use FQDNs instead. One of the primary advantages of
using a FQDN in the Computer name or IP address field is that the Web site name shows
up in the URL field in the ISA firewall's Web Proxy log. If you use an IP address, only the
IP address of the published server appears in this field, which makes log analysis harder
to perform efficiently. ISA Server must know that www.testking.com and
www.fabrikam.com are Web servers residing on the Internal network; otherwise ISA
Server will try to resolve the DNS names externally and the request will loop back
through the firewall. We can resolve this by creating entries in the Hosts file on ISA1;
the Hosts file is checked before ISA Server sends the DNS query to a DNS server.

QUESTION NO: 20
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1 and a Windows Server 2003 computer named
Testking1. Both ISA1 and Testking1 are members of an Active Directory domain
named testking.com

You configure ISA1 to generate daily reports and automatically publish them to a
shared folder named DailyReports on Testking1. You create an account named
Testking\IsaReports. You configure ISA to create reports in the security context of
the Testking\IsaReports account.

The current permissions on the DailyReports folder are shown in the following
table.

Group or user name          Allow permissions
Testking1\Administrators    Full Control
System                      Full Control
Testking\Managers           Read
                            List Folder Contents
                            Read & Execute
Testking\IsaReports         Full Control

You need to configure the minimum NTFS permissions on the DailyReports folder.

What should you do?

A. Change the allowed permissions for the system object from Full Control to Modify.
B. Change the allowed permissions for the Testking\IsaReports object from Full Control
to Read.
C. Change the allowed permissions for the Testking\IsaReports object from Full Control
to Write.
D. Change the allowed permissions for the system object from Full Control to Read and
Write.

Answer: C

Explanation:
Reports are collections of information generated from data collected from the ISA Server
log files. You can use the reporting feature to summarize and analyze common usage
patterns such as:
* Internet users and the Web sites that are accessed.
* The protocols and applications most often used.
* General traffic patterns.
* The cache hit ratio.
You can also use reports to monitor the security of your network, such as attempts to
access internal resources or the number of connections to a published server. You can
generate a report immediately or you can schedule reports to generate on a recurring
basis. The report can include daily, weekly, monthly, or yearly data.
The Microsoft ISA Server Job Scheduler service must be running to create a report and if
you publish the report to a shared folder, be sure to supply credentials that will be used by
the reporting engine for publishing. These credentials should have write permissions in
the specified folder. To allow others to view the published report, give them read
permissions to that folder. In this scenario we are using the Testking\IsaReports account,
so we should remove its Full Control permission and grant it Write permission
instead.

QUESTION NO: 21
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain. All client computers run either Windows 2000
Professional or Windows XP Professional. All client computers are members of the
domain.

Users in the network use an IP-based client/server application on a server named
Testking1 to record company data.

To increase network security, you install ISA Server 2004 on a computer named
ISA1. ISA1 connects to the Internet. You configure automatic discovery on the
network. You configure client computers as SecureNAT clients. You verify that
client computers can use the application on Testking1.

You then distribute the Firewall Client software to all client computers by using
Group Policy.

Users now report that they cannot use the application on Testking1.

You need to configure client computers on the network to allow the application on
Testking1 to function properly. Your solution must not affect other applications.

What should you do?

A. Configure a Wspcfg.ini file.
B. Configure an Application.ini file.
C. Configure the Management.ini file.
D. Configure the Common.ini file.

Answer: B

Explanation:
For most Winsock applications, the default Firewall Client configuration that is
downloaded from the ISA Server computer works with no further modification needed.
However, in some cases, you will need to add specific client configuration information.
For example, if one Firewall client computer requires an application setting that is
different from all other clients, you will need to configure the application settings on that
particular computer. The configuration is done by making changes to Firewall Client .ini
files. The Firewall Client configuration information is stored in a set of files, which are
installed on the Firewall client computer. The following files are used to configure the
local Firewall client settings:

* Common.ini - Specifies the common configuration for all applications
* Management.ini - Specifies Firewall Client Management configuration settings
* Application.ini - Specifies application-specific configuration settings

The Common.ini file and the Management.ini file are created for all users logged on to
the computer and can also be created manually for each specific user on the computer. By
default, the Application.ini file is not created, so you must create it manually. The
per-user settings override the general configuration settings. These files are created in
different locations, depending on the operating system.

The settings in these files are applied as follows:
* The .ini files in the user's folder take precedence. Any configuration settings specified
in the user's profile are used by Firewall Client to determine how the application will
function.
* The .ini files in the All Users folder are applied next. If a specified configuration setting
contradicts the user-specific settings, it is ignored.
* Finally, Firewall Client examines the server-level settings. Any configuration settings
specified on ISA Server are applied. If a specified configuration setting contradicts the
user-specific or computer-specific settings, it is ignored.

Wspcfg.ini - This was previously used with ISA 2000 and Proxy server 2.0 and this file is
located in a specific client program folder. The ISA Server computer does not overwrite
this file. As a result, if you make configuration changes in this file, these changes apply
only to the specific client.

QUESTION NO: 22
You are the network administrator for TestKing.com. TestKing has a main office
and one branch office. The network contains two ISA Server 2004 computers named
ISA1 and ISA2. The relevant portion of the network is configured as shown in the
exhibit.

ISA1 is located at the main office. ISA2 is located at the branch office and connects
to the main office by using a dedicated WAN connection. You configure ISA2 to
forward Web requests to ISA1. All client computers are configured to use an
internal DNS server in each office. All client computers are configured as
SecureNAT clients.

While monitoring ISA2, you discover that Web requests from client computers in
the branch office for servers located in the branch office are being resolved by ISA2.

You need to configure the client computers in the branch office to directly access
servers in the branch office.

What are two possible ways to achieve this goal? (Each correct answer presents a
complete solution. Choose two)

A. Configure the client computers as Web Proxy clients of ISA2. Configure the list of
domain names available on the Internal network on ISA1 to include the *.testking.com
domain.
B. Configure the client computers as Web Proxy clients of ISA2. Configure the Web
browser to include the *.branch.testking.com domain.
C. Configure the client computers as Firewall clients. Configure the list of domain names
available on the Internal network on ISA2 to include the *.branch.testking.com domain.
D. Configure the client computers as Firewall clients. Configure the list of domain names
available on the Internal network on ISA1 to include the *.branch.testking.com domain.

Answer: B, C

Explanation:
The Internal Network Domain Tab - Here you enter a list of internal network domains.
When the firewall client connects to a host located in one of these domains, the
connection request bypasses the Firewall client application. The primary rationale for this
is that if all the machines located in the same domain are located behind the same NIC,
then the Firewall client machine can communicate directly without looping back through
the ISA firewall. This reduces the overall load on the ISA firewall and improves client
performance because the connection doesn't incur any Firewall processing overhead.
Further, the Domains tab can be used to control the behavior of Web Proxy clients when
accessing external sites.
Directly access computers specified on the Domains tab - This allows a Web Proxy
client configured with the autoconfiguration script to use the domains listed on the
Domains tab for Direct Access. Direct Access for Web Proxy clients allows the Web
Proxy client computer to bypass the Web Proxy on the ISA firewall and connect directly
to the destination, either via the machine's SecureNAT client configuration or via the
machine's Firewall client configuration. This is useful if you want to leverage the domains
already entered on the Domains tab and use them for Direct Access. In our scenario we
must also enter the *.branch.testking.com domain in the Web browser exception list.
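As an added example (not ISA Server code and not part of the original explanation), the following Python models the Direct Access decision described above: a Web Proxy client checks the Domains tab list and the browser exception list, goes direct on a match, and otherwise sends the request to the proxy. The wildcard semantics ('*.suffix' matches names below suffix, not suffix itself), the proxy address ISA2:8080 and the host names are assumptions of the example; it also shows that a wildcard for one subdomain does not cover a host one level up in the parent domain.

```python
def matches_domain_entry(host, entry):
    """True when host matches one Domains-tab entry: '*.suffix' or an exact host name.

    Assumed semantics: '*.branch.testking.com' matches any name below that suffix
    but not 'branch.testking.com' itself or a host elsewhere in testking.com.
    """
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]                   # '.branch.testking.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def find_proxy_for_host(host, domains_tab, browser_exceptions=(), direct_access=True,
                        proxy="PROXY ISA2:8080"):
    """Mimic what the autoconfiguration script answers for a Web Proxy client.

    'DIRECT' means the client bypasses the Web Proxy and reaches the host through its
    SecureNAT or Firewall client path.  Anything else goes to the proxy, so a branch
    server answered this way is resolved and fetched by ISA2 (the symptom in the
    question).  Domains-tab entries only count when 'Directly access computers
    specified on the Domains tab' is enabled; browser exceptions always count.
    The proxy string 'ISA2:8080' is an assumed address for the branch ISA Server.
    """
    candidates = list(browser_exceptions)
    if direct_access:
        candidates += list(domains_tab)
    if any(matches_domain_entry(host, entry) for entry in candidates):
        return "DIRECT"
    return proxy


# Constructed branch-office scenario: the Domains tab on ISA2 after adding the branch
# domain, and a browser exception list holding the same entry.
ISA2_DOMAINS_TAB = ["*.branch.testking.com"]
BROWSER_EXCEPTIONS = ["*.branch.testking.com"]


def scenario():
    """Routing outcome for the cases discussed in the explanation."""
    branch_host = "files.branch.testking.com"     # constructed branch server name
    return {
        "branch host, Domains tab used": find_proxy_for_host(branch_host, ISA2_DOMAINS_TAB),
        "branch host, Domains tab not used": find_proxy_for_host(
            branch_host, ISA2_DOMAINS_TAB, direct_access=False),
        "branch host, browser exception": find_proxy_for_host(
            branch_host, [], BROWSER_EXCEPTIONS, direct_access=False),
        "Internet site": find_proxy_for_host("www.example.com", ISA2_DOMAINS_TAB),
        "host one level up": find_proxy_for_host("app1.testking.com", ISA2_DOMAINS_TAB),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```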

QUESTION NO: 23
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer, which is named ISA1. ISA1 provides access to the Internet
for computers on the Internal network, which consists of a single subnet.

TestKing's written security policy states that the ISA Server logs must record the
user name for all outbound Internet access. All client computers are configured with
the Firewall client and the Web Proxy client and are not configured with a default
gateway.

Users in the marketing department require access to an external POP3 and SMTP
mail server so that they can use an alternate e-mail address when they sign up for
subscriptions on competitors' Web sites. You create and apply an ISA Server access
rule as shown in the following display.

The marketing department users configure Microsoft Outlook to connect to the
external mail server. They report that they receive error messages when they
attempt to read or send e-mail from the external mail server. You examine the ISA1
logs and discover that ISA1 denies POP3 and SMTP connections from the client
computers.

You need to ensure that the marketing department users can connect to the external
mail server.

What should you do?

A. Configure the marketing computers with the IP address of a DNS server that can
resolve external names to IP addresses.
B. Configure the marketing computers with a default gateway address that corresponds to
the IP address of ISA1 on the Internal network.
C. On ISA1, enable Outlook in the Firewall client settings.
D. On ISA1, create a computer set that contains the marketing computers.

Answer: C

Explanation:
Outlook 2003 (and 2000 and 2002) can access external POP3 and SMTP servers on the
Internet. The Firewall client is not required, and if you have the Firewall client installed,
you do not need to remove it. The issues people have with the Firewall client and
Microsoft Outlook 2003 relate to the default Firewall client configuration, in which the
Firewall client ignores connections from the Outlook.exe application. If the Firewall client
ignores connection attempts from Outlook, user credentials are not sent to the ISA
firewall. If the ISA firewall requires authentication to access the POP3 and SMTP
protocols, the connection attempt then fails. You can solve the problem either by
removing the authentication requirement from the access rule (not recommended) or by
configuring the Firewall client settings so that the Firewall client handles connections
coming from the Outlook 2003 application. In this scenario the connection fails because
the Firewall client application settings for the Outlook application have Disable set to 1.
When the Outlook.exe executable is run, the Firewall client ignores its connections.
Therefore we need to change the value from 1 to 0.

QUESTION NO: 24
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain named testking.com. The network contains an ISA
Server 2000 computer named ISA1.

All client computers have the ISA Server 2000 Firewall Client software installed.
Client computers are configured to use an internal DNS server. Two Windows
Server 2003 computers named App1 and App2 run a Web-based application that is
used to process TestKing data.

You configure ISA1 with protocol rules to allow HTTP, HTTPS, RDP, POP3, and
SMTP access.

The list of domain names available on the Internal network on ISA1 contains the
following entries:

1. *.south.testking.com
2. *.north.testking.com
3. *.east.testking.com
4. *.west.testking.com

You perform an in-place upgrade of ISA1 by using the ISA Server 2004 Migration
Tool. When you use Network Monitor on ISA1, you discover that client requests for
App1 and App2 are being passed through ISA1.

You need to provide a solution that will allow clients to directly access TestKing
data on App1 and App2.

What should you do?

A. Create and configure HTTP, HTTPS, RDP, POP3, and SMTP access rules on ISA1.
B. Configure an Application.ini file on the client computers.
C. Redeploy the ISA Server 2004 Firewall Client software by distributing it to the client
computers by using Group Policy.
D. Add app1.testking.com and app2.testking.com to the list of domain names available on
the Internal network on ISA1.

Answer: D

Explanation:
The Internal Network Domain Tab - Here you enter a list of internal network domains.
When the firewall client connects to a host located in one of these domains, the
connection request bypasses the Firewall client application. The primary rationale for this
is that if all the machines located in the same domain are located behind the same NIC,
then the Firewall client machine can communicate directly without looping back through
the ISA firewall. This reduces the overall load on the ISA firewall and improves client
performance because the connection doesn't incur any Firewall processing overhead.
Further, the Domains tab can be used to control the behavior of Web Proxy clients when
accessing external sites.
Directly access computers specified on the Domains tab - This allows the Web Proxy
client configured with the autoconfiguration script to use the domains listed on the
Domains tab for Direct Access. Direct Access for Web Proxy clients allows the Web
Proxy client computer to bypass the Web Proxy on the ISA firewall and connect directly
to the destination, either via the machine's SecureNAT client configuration or via the
machine's Firewall client configuration. This is useful if you want to leverage the domains
already entered on the Domains tab and use them for Direct Access.

QUESTION NO: 25
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. The relevant portion of the network is shown in
the exhibit.

You configure ISA1 by using the Edge Firewall network template. You create access
rules to allow Internet access for users on the network.

Users on the network report that they cannot access the Internet.

You need to configure the client computers on the network to allow Internet access.

Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two)

A. Configure client computers in BuildingA with a default gateway IP address of
172.16.100.1.
B. Configure client computers in BuildingB with a default gateway IP address of
172.16.50.1.
C. Configure client computers in BuildingA with a default gateway IP address of
10.10.10.1.
D. Configure client computers in BuildingB with a default gateway IP address of
172.16.100.1.
E. Configure client computers in BuildingA with a default gateway IP address of
172.16.30.1.
F. Configure client computers in BuildingB with a default gateway IP address of
10.10.10.1

Answer: B, E

Explanation:
In the simple network scenario, the default gateway of the SecureNAT client is
configured as the IP address of the Internal interface of the ISA 2004 firewall. You can
manually configure the default gateway address, or you can use DHCP to automatically
assign addresses to the SecureNAT clients. The DHCP server can be on the ISA 2004
firewall itself, or it can be located on a separate machine on the Internal network. In the
'complex network scenario,' the Internal network consists of multiple network IDs that are
managed by a router, a series of routers, or one or more layer 3 switches. In the case of the complex
network, the default gateway address assigned to each SecureNAT client depends on the
location of the SecureNAT client computer. The gateway address for the SecureNAT
client will be a router that allows the SecureNAT client access to other networks within
the organization, as well as the Internet. The routing infrastructure must be configured to
support the SecureNAT client so that Internet-bound requests are forwarded to the
Internal interface of the ISA 2004 firewall.

QUESTION NO: 26
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer named ISA1. All Internet access for the local network
occurs through ISA1.

The network contains a Web server named Testking1. Testking1 is configured as a
SecureNAT client. A Web application runs on Testking1 that communicates with an
external Web site named www.testking.com.

You configure ISA1 with two access rules for outbound HTTP access. The rules are
named HTTP Access 1 and HTTP Access 2.

HTTP Access 1 is configured to use the All Authenticated Users user set as a
condition. HTTP Access 2 is configured to use the All Users user set as a condition,
and it restricts outbound HTTP traffic to the IP address of Testking1.

You verify that users can access external Web sites. However, you discover that the
Web application cannot access www.testking.com.

You need to allow the Web application to use anonymous credentials when it
communicates with www.testking.com. You also need to require authentication on
ISA1 for all users when they access all external Web sites.

What should you do?

A. On Testking1, configure Web Proxy clients to bypass the proxy server for the IP
address of the server that hosts www.testking.com.
B. On ISA1, add the fully qualified domain name (FQDN) www.testking.com to the list
of domain names available on the Internal network.
C. On ISA1, disable the Web Proxy filter for the HTTP protocol.
D. Modify the order of the access rules so that HTTP Access 2 is processed before HTTP
Access 1.

Answer: D

Explanation:
The ordering of Access Rules is important to ensure that your Access Policy works the
way you expect it to work. We recommend the following ordering of Access Rules:
* Put Web Publishing Rules and Server Publishing Rules on the top of the list.
* Place anonymous Deny Access Rules under the Web Publishing Rules and Server
Publishing Rules. These rules do not require user authentication and do not require the
client to be from a specific location (such as part of a Computer Set)
* Place anonymous Allow Access Rules under the Anonymous Deny Access Rules.
These rules do not require user authentication and do not require the client to be from a
specific location (such as part of a Computer Set)
* Place Deny Access Rules requiring authentication below the anonymous Allow Access
Rules.
* Place Allow Access Rules requiring authentication below the Deny Access Rules
requiring authentication.
It is important that anonymous rules that apply to the same protocol as an authenticated
access rule be applied first if it is your intent to allow anonymous access for that protocol.
If you do not put the anonymous access rule before the authenticated Access Rule, then
the connection request will be denied to the anonymous user (typically a SecureNAT
client) for that protocol.
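The first-match behaviour this explanation describes, as an added example (it is not ISA Server code and not part of the original page): a small Python simulation of the two HTTP rules from the question, evaluated in both orders against a SecureNAT client that cannot present credentials. The Testking1 address and the request samples are constructed placeholders.

```python
"""Simulated ISA Server 2004 access-rule evaluation (first match wins).

Added example, not ISA Server code. It models the ordering problem from
question 26: an authenticated-user rule listed above an anonymous rule
stops a SecureNAT client (which cannot present credentials) before the
anonymous rule is ever reached. All IP addresses are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL_USERS = "All Users"                        # anonymous rule: no credentials needed
ALL_AUTHENTICATED = "All Authenticated Users"  # rule requires a user identity


@dataclass(frozen=True)
class Request:
    src_ip: str
    protocol: str
    user: Optional[str] = None  # None: no credentials (SecureNAT or anonymous client)


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                                # "allow" or "deny"
    protocols: FrozenSet[str]
    user_set: str = ALL_USERS
    from_ips: Optional[FrozenSet[str]] = None  # None means any source

    def matches_traffic(self, req: Request) -> bool:
        """Protocol and source match; the user identity is checked separately."""
        if req.protocol not in self.protocols:
            return False
        return self.from_ips is None or req.src_ip in self.from_ips

    def requires_authentication(self) -> bool:
        return self.user_set != ALL_USERS


def evaluate(policy: List[AccessRule], req: Request) -> Tuple[str, str]:
    """Return (rule name, decision) from the first rule that applies to the traffic.

    When the first rule matching the traffic requires authentication and the
    request carries no credentials, ISA demands credentials instead of moving
    on to later rules, so an unauthenticated client is denied right there.
    """
    for rule in policy:
        if not rule.matches_traffic(req):
            continue
        if rule.requires_authentication() and req.user is None:
            return rule.name, "deny"
        return rule.name, rule.action
    return "Default rule", "deny"  # ISA's built-in last rule denies everything


# Rules from the question: names and user sets as stated; the Testking1
# address is a constructed placeholder.
TESTKING1_IP = "10.0.0.25"
HTTP_ACCESS_1 = AccessRule("HTTP Access 1", "allow", frozenset({"HTTP"}), ALL_AUTHENTICATED)
HTTP_ACCESS_2 = AccessRule("HTTP Access 2", "allow", frozenset({"HTTP"}), ALL_USERS,
                           frozenset({TESTKING1_IP}))

ORIGINAL_ORDER = [HTTP_ACCESS_1, HTTP_ACCESS_2]   # the order the question describes
CORRECTED_ORDER = [HTTP_ACCESS_2, HTTP_ACCESS_1]  # answer D: anonymous rule first

# Constructed requests.
WEBAPP_REQUEST = Request(TESTKING1_IP, "HTTP")                 # SecureNAT, no credentials
ANON_WORKSTATION = Request("10.0.0.50", "HTTP")                # another anonymous client
DOMAIN_USER = Request("10.0.0.50", "HTTP", user="TESTKING\\alice")


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_ORDER), ("corrected", CORRECTED_ORDER)):
        for req in (WEBAPP_REQUEST, ANON_WORKSTATION, DOMAIN_USER):
            rule, decision = evaluate(policy, req)
            print(f"{label:9} {req.src_ip:10} user={req.user!s:16} -> {decision} ({rule})")
```

With the corrected order the workstation without credentials is still denied by HTTP Access 1, so the authentication requirement for everyone else is preserved.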

QUESTION NO: 27
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is connected to the Internet.

All client computers run Windows XP Professional. All client computers are
configured as SecureNAT clients and require access to the Internet.

Client computers in the marketing department are located in an organizational unit
(OU) named Marketing_Computers.

An external partner company hosts a custom marketing application named
Webapp. Webapp uses SSL and TCP port 3333.

You create a security group named Marketing for the marketing department. You
add the users in the marketing department to the Marketing group. You create an
access rule to allow TCP port 3333 for only the users in the marketing department.

Members of the Marketing group report that they cannot connect to Webapp.

You need to ensure that only users in the marketing department can connect to
Webapp.

What should you do?

A. Enable the Firewall Client installation configuration group on ISA1. Add the
marketing client computers to the list of trusted computers.
B. Use Group Policy to assign the MS_FWC.msi file to the client computers in the
Marketing group.
C. Enable Web Proxy client support on the Local Host network. Enable SSL listening on
port 8443.
D. Configure the Internal network on ISA1 to require authentication for all users. Enable
SSL certificate authentication on the Internal network.

Answer: B

Explanation:
The Firewall client software is an optional client piece that can be installed on any
supported Windows operating system to provide enhanced security and accessibility. The
Firewall client software provides the following enhancements to Windows clients:

* Allows strong user/group-based authentication for all Winsock applications using the
TCP and UDP protocols.
* Allows user and application information to be recorded in the ISA 2004 firewall's log
files.
* Provides enhanced support for network applications, including complex protocols that
require secondary connections.
* Provides 'proxy' DNS support for Firewall client machines.
* Allows you to publish servers requiring complex protocols without the aid of an
application filter.
* The network routing infrastructure is transparent to the Firewall client.
* Provides encrypted traffic between the Firewall client and the ISA Server.
In this scenario we must use the Firewall client to support the custom port 3333. The
easiest way to deploy the Firewall client is to assign the MS_FWC.msi file to the client
computers in the Marketing group via Active Directory Group Policy.

QUESTION NO: 28
You are a network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.

Remote users establish VPN connections to ISA1 to access resources on the Internal
network. Remote users are required to use a smart card when they establish VPN
connections.

Another administrator reports that remote users can still establish VPN connections
to ISA1 after their smart card certificate has been revoked and a new certification
revocation list (CRL) has been published.

You need to ensure that users whose smart card certificates are revoked cannot
establish VPN connections to ISA1.

What should you do?

A. Select the Use RADIUS for authentication check box.
B. Select the Extensible authentication protocol (EAP) with smart card or another
certificate check box.
C. Select the Verify that incoming client certificates are not revoked check box.
D. Select the Verify that incoming server certificates are not revoked in a reverse scenario
check box.

Answer: C

Explanation:
Verify that incoming client certificates are not revoked - Select this check box to specify
that when ISA Server receives a certificate from a client, it will automatically check if the
certificate is revoked. If the certificate is revoked, the client request will be denied.
Verify that incoming server certificates are not revoked in a forward scenario - Select this
check box to specify that ISA Server will automatically check if incoming server
certificates, in an SSL bridging scenario, are revoked. If the certificate is revoked, the
request will be denied.
Verify that incoming server certificates are not revoked in a reverse scenario - Select this
check box to specify that ISA Server will automatically check if server certificates, in a
Web publishing scenario, are revoked. If the certificate is revoked, the request will be
denied.
In this scenario we must ensure that users cannot establish VPN connections to ISA1
after their smart card certificate has been revoked and a new certificate revocation list
(CRL) has been published. Therefore we must enable the Verify that incoming client
certificates are not revoked check box in the general settings of the ISA Server.

QUESTION NO: 29
You are the network administrator for TestKing.com. You install ISA Server 2004
on a computer that has three network adapters. One of the network adapters is
connected to the Internet, one is connected to the Internal network, and one is
connected to a perimeter network.

The perimeter network adapter and the internal network adapter are connected to
private address networks.

You configure ISA Server by applying the 3-Leg Perimeter network template. You
run the 3-Leg Perimeter Network Template wizard. You then make the following
changes to the firewall policy:

1. Create an access rule to allow all traffic between the Internal network and the
Internet.
2. Create an access rule to allow all traffic between the Internal network and the
perimeter network.
3. Create an access rule to allow SMTP traffic from an SMTP server on the
perimeter network to a Microsoft Exchange Server computer on the Internal
network.
4. Create a server publishing rule to allow SMTP traffic from the External network to
the SMTP server on the perimeter network.

Users report that they cannot receive e-mail messages from users outside of the
Internal network.

You need to allow users to receive e-mail messages from other users on the Internet.
You do not want to create a server publishing rule.

What should you do?

A. Change the network rule that controls the route relationship between the perimeter
network and the Internal network to Route.
B. Change all network rules that control the route relationship between the Internal
network, perimeter network, and External network to Route.
C. Change the network rule that controls the route relationship between the perimeter
network and the External network to Nat.
D. Change all network rules that control the route relationship between the Internal
network, perimeter network, and External network to Nat.

Answer: A

Explanation:
The trihomed DMZ Template allows you to configure the ISA firewall with three or more
network adapters and to use the additional network adapters as Perimeter network or DMZ
segments. The trihomed DMZ Network Template is interesting because it sets some
Network Rules which might be counterintuitive to the majority of ISA firewall
administrators. After running the trihomed DMZ Network Template, you'll find that:

* A new Network Object, the Perimeter Network Object, is created.
* A Network Rule named Perimeter Access sets a Route relationship from the Perimeter
Network to the Internet.
* A Network Rule named Perimeter Configuration sets a NAT relationship between the
Internal and VPN Clients networks and the Perimeter Network.

The Network Rules are a bit problematic. The Perimeter Access Network Rule sets a
route relationship between the Perimeter Network and the Internet. This means that you'll
need to use public addresses in the DMZ segment. You're going to find that things don't
work the way you planned if you use private addresses in the DMZ segment. If you use
this trihomed DMZ Network Template you'll need to change the Perimeter Access
Network Rule to NAT if you use private addresses in the DMZ segment. Even more
problematic is that the Template sets the route relationship between the DMZ segment
and the Internal network to NAT. While this is a reasonable configuration if you use
public addresses on the DMZ segment, it isn't our preferred configuration when private
addresses are used on the DMZ segment.
The Perimeter Configuration Network Rule sets the route relationship between the
Internal and VPN clients Networks to NAT. While NAT will work, it doesn't work with
all protocols, and you can run into issues that you wouldn't have problems with if you
chose a Route relationship between the Internal and VPN Clients Networks and the DMZ
segment. If you use public addresses on the DMZ segment, then you need to leave the
route relationship as NAT. But if you are using private addresses on the trihomed DMZ
segment, then change the route relationship to Route.

QUESTION NO: 30
You are the network administrator for TestKing.com. The relevant portion of the
network is configured as shown in the Network exhibit.

TestKing has a main office and one branch office. An ISA Server 2004 computer
named ISA2 connects to a Routing and Remote Access server named RRAS1.

You create a mailbox for the securityadmin user account on a Microsoft Exchange
Server computer named EXCH2.

You view the firewall policy on ISA2 as shown in the Firewall Policy exhibit.

You configure the dial-on-demand failure alert on ISA2 to send an e-mail alert to
the securityadmin@testking.com SMTP alias. EXCH2 is listed as the mail server on
the dial-on-demand failure alert. You confirm that the alert is issued, but the e-mail
for the alert is not received.

You need to configure ISA2 to ensure that the e-mail alert is received.

What should you do?

A. Enable the RPC from ISA Server to trusted servers system policy rule.
B. Enable the Allow SMTP from ISA Server to trusted servers system policy rule.
C. On ISA2, configure an access rule to allow POP3 from the Local Host network to
EXCH2.
D. On ISA2, configure a server publishing rule to EXCH2 for Exchange RPC.

Answer: B

Explanation:
To maintain the functionality and security of ISA Server and the networks protected by
ISA Server, you must know when specific events occur on the ISA Server computer. For
example, you need to know if an ISA Server service stops responding, or if a specific type
of intrusion is detected. You can use the ISA Server alert service to notify you when
specific events occur, as well as to configure alert definitions to trigger a series of actions
when an event occurs.
An alert is a notification of an event or action that has occurred on ISA Server. When the
event occurs, an alert is triggered according to the conditions and trigger thresholds
specified for the event.
In our scenario we want to send an email to securityadmin@testking.com if an alert
occurs. Therefore SMTP traffic must be allowed from ISA2 to the EXCH2 server. We
can achieve this by enabling the Allow SMTP from ISA Server to trusted servers system
policy rule, since it is disabled according to the exhibit.

QUESTION NO: 31
You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 has
two network adapters. Access rules allow users on the Internal network to have
HTTP access to the Internet.

You add a third network adapter to ISA1 and connect the third network adapter to
a perimeter network. You place a Web server named WebServerTK2 on this
perimeter network segment.

WebServerTK2 must be accessible to computers on the Internal network. You
create a computer object for WebServerTK2 and then create an access rule that
allows Internal network clients HTTP access to WebServerTK2. Users are not
required to authenticate with ISA1 to access WebServerTK2.

Users report that they cannot access information on WebServerTK2. When they
attempt to access the Web site, they receive the following error message: "Error
Code 10060: Connection timeout. Background: There was a time out before the
page could be retrieved. This might indicate that the network is congested or that
the website is experiencing technical difficulties."

You need to ensure that users on the Internal network can access information on
WebServerTK2. First, you verify that WebServerTK2 is operational.

What should you do next?

A. Create a network rule that sets a route relationship between the Internal network and
the perimeter network.
B. Create a server publishing rule that publishes WebServerTK2 to the Internal network.
C. Create a Web publishing rule that publishes WebServerTK2 to the Internal network.
D. Create an access rule that allows WebServerTK2 access to the Internal network.

Answer: A

Explanation:
You will need to create new Networks whenever a new Network is introduced into your
environment. A common reason to add a new Network is when you install additional
NICs into the ISA firewall. Since all addresses located behind any particular NIC are
considered a Network by the ISA firewall, you need to create a new Network when
additional NICs are added to the firewall. Also we must create a network relationship
between networks. This can be a route or NAT relationship. If there is no relationship
between networks, then all traffic will be dropped by the ISA Server. Therefore we need
to create a route relationship between the internal network and perimeter network to make
it work.

QUESTION NO: 32
You are the network administrator for TestKing.com. TestKing has a main office
and three branch offices. The network contains an ISA Server 2004 computer
named ISA1, which is located at the main office.

You plan to deploy new ISA Server 2004 computers for the branch offices. You
name one of the new computers ISA2. You perform the following tasks:

1. Export the ISA Server 2004 configuration on ISA1 to a file named
ISASETUPCONFIG.XML.
2. Edit the ISASETUPCONFIG.XML file to include a valid external IP address.
3. Create a file named C:\Msisaund.ini on ISA2.

You install ISA Server 2004 on ISA2 by using an unattended installation. When the
installation is finished, you discover that the ISA Server 2004 configuration settings
from ISA1 are not copied to ISA2.

You need to deploy the ISA Server 2004 computers in the branch offices with the
configuration settings from ISA1. You want to accomplish this goal by using the
minimum amount of administrative effort.

What should you do?

A. Export the system policy rules on ISA1 to another file named ISA1SystemPolicy.xml.
Add the following lines to the C:\Msisaund.ini file on ISA2:
IMPORTISACONFIG=1
IMPORT_CONFIG=ISASETUPCONFIG.XML
IMPORT_CONFIG=ISA1SystemPolicy.xml
Run an unattended setup by using this Msisaund.ini file on each new ISA Server 2004
computer.
B. Back up the array configuration on ISA1. Save the file as C:\Msisaunattended.xml.
Run the following command from the ISA Server 2004 installation media:
setup.exe /unattended:ISASETUPCONFIG.XML C:\Msisaund.ini
C. Create an individual ISASETUPCONFIG.XML file for each branch office ISA Server
2004 computer.
Edit each ISASETUPCONFIG.XML file to include the internal network addresses for the
respective branch office.
Edit the Msisaund.ini file from ISA2 by adding the following line.
IMPORT_CONFIG_FILE=ISASETUPCONFIG.XML
Run an unattended setup by using the Msisaund.ini file from ISA2 on each new ISA
Server 2004 computer.
D. Create a file named Msisaunattend.txt. Include the following lines:
UNATTENDED=1
EXPORT_ISACONFIG=0
FILEPATH=ISASETUPCONFIG.XML
Run an unattended setup by using this Msisaunattend.txt file on each new ISA Server
2004 computer.

Answer: C

Explanation:
You can perform an unattended installation of the ISA firewall to simplify provisioning
multiple ISA firewalls using a common installation and configuration scheme. The
unattended installation depends on the proper configuration of the msisaund.ini file,
which contains the configuration information used by ISA firewall setup in unattended
mode.
One of the values you can configure in msisaund.ini is IMPORT_CONFIG_FILE=<configfilename>.
It specifies a configuration file to import.

ISA Server 2004 includes export and import features that enable you to save and restore
most ISA Server configuration information. The configuration parameters can be
exported and stored in an .xml file.
When you export an entire configuration, all general configuration information is
exported. This includes access rules, publishing rules, rule elements, alert configuration,
cache configuration, and ISA Server properties. Therefore we need to change the internal
and external network addresses, otherwise they will conflict with ISA1. In addition, you
can select to export user permission settings and confidential information such as user
passwords. Confidential information included in the exported file is encrypted.

QUESTION NO: 33
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.

You deploy an internal certification authority (CA). You deploy client certificates to
users. You configure client certificate mapping for internal network users.

All client computers are configured as Web Proxy clients. You configure the
Internal network to allow only certificate-based authentication for Web Proxy
clients.

You revoke a user's certificate. After one week, you discover that ISA1 is still
authenticating Web requests for that user.

You need to configure ISA1 to deny Internet access to the user.

What should you do on ISA1?

A. Add the All Networks (and Local Host) network set as a destination for the Allow
access to directory services for authentication purposes system policy rule.
B. Create a new content type set. Select the application/pkix-crl and
application/x-x509-ca-cert MIME types as the content type to allow.
C. Enable the Verify that incoming server certificates are not revoked in reverse scenario
certificate validation setting on ISA1, and enable the related system policy rule.
D. Enable the Verify that incoming client certificates are not revoked certificate
validation setting on ISA1, and enable the related system policy rule.

Answer: D

Explanation:
Verify that incoming client certificates are not revoked - Select this check box to specify
that when ISA Server receives a certificate from a client, it will automatically check if the
certificate is revoked. If the certificate is revoked, the client request will be denied.
Verify that incoming server certificates are not revoked in a forward scenario - Select this
check box to specify that ISA Server will automatically check if incoming server
certificates, in an SSL bridging scenario, are revoked. If the certificate is revoked, the
request will be denied.
Verify that incoming server certificates are not revoked in a reverse scenario - Select this
check box to specify that ISA Server will automatically check if server certificates, in a
Web publishing scenario, are revoked. If the certificate is revoked, the request will be
denied.

QUESTION NO: 34
You are a network administrator for TestKing.com. The network contains an ISA
Server 2004 array that is configured to use Network Load Balancing. The array
contains two members. The array is used to publish internal Web servers. Users
access internal Web servers by using the URL http://www.testking.com. The URL
resolves to a single virtual IP address.

You implement a new Web site named Testking1. To access Testking1, users must
authenticate by using credentials that are stored on a third-party RADIUS server.
You publish Testking1 on the array.

You need to ensure that users can access Testking1 by using the third-party
RADIUS server. You must ensure that requests are load balanced by all array
members.

What should you do?

A. On each array member, add a second IP address. Create a new listener that uses the
new address. Configure the listener to use RADIUS authentication.
B. Configure one array member to listen for requests to www.testking.com on one
listener. Configure the other array member to listen for requests to Testking1 on a new
listener. Configure each listener to use the appropriate authentication method.
C. Use the Network Load Balancing console to configure each array member to use an
affinity setting for None. Configure the listener to use RADIUS authentication.
D. Add a second unique network address to the external interface of each array member.
Configure www.testking.com to resolve to the new addresses by using DNS round
robin. Configure the listener to use RADIUS authentication.

Answer: A

Explanation:
Network Load Balancing provides high availability and scalability of servers using a
cluster of two or more host computers working together. Clients access the cluster using
either an IP address or a set of addresses. The clients are unable to distinguish the cluster
from a single server. Server applications do not identify that they are running in a cluster.
However, an NLB cluster differs significantly from a single host running a single server
application because it can provide uninterrupted service even if a cluster host fails. The
cluster can also respond more quickly to client requests than to a single host. You can
configure NLB on the External network of an ISA Server Enterprise Edition array, so that
client requests from the Internet are distributed among the array computers. NLB will be
automatically configured in unicast mode and single affinity. Single affinity ensures that
all network traffic from a particular client be directed to the same host.
You may want to publish your Web sites using Network Load Balancing (NLB) in your
ISA Server array. For the most effective use of NLB, your Web listener should listen on
the NLB virtual IP address. If you configure your Web listener to listen on all of the IP
addresses for the network adapters, it will listen on the virtual IP address, which will
distribute requests using NLB. Therefore we need to add a second IP address on the
external adapter of each array member and configure a listener with RADIUS authentication.

QUESTION NO: 35
You are the network administrator for TestKing.com. The network contains an ISA
Server 2000 computer named ISA1.

ISA1 connects to the Internet. ISA1 is configured with access rules to allow Internet
access for all users. All client computers are configured as Web Proxy clients of
ISA1.

You are deploying a new ISA Server 2004 computer named ISA2 for use by the
research department. You run the ISA Server 2004 Migration Tool on ISA1. You
save the resulting configuration to a file named Backupconfig.xml. You install ISA
Server 2004 on ISA2, and you import Backupconfig.xml on ISA2.

On ISA2, you configure the Internal network with a valid IP address range for the
research department client computers. You configure a Web chaining rule on ISA2
to redirect Web requests to ISA1. You configure client computers in the research
department as Web Proxy clients of ISA2.

Users of the research department client computers report that they cannot connect
to the Internet.

You need to ensure that users of client computers in the research department can
connect to the Internet.

What should you do?

A. Change the external IP address on ISA2 to a valid IP address for the external network.
B. On ISA2, save its configuration as ISAbackup.xml. Restart the Microsoft Firewall
service on ISA2. Then import the configuration.
C. Configure the research department client computers as Firewall clients of ISA2.
Enable automatic discovery on ISA2.
D. Perform an ISA Server 2004 in-place upgrade on ISA1. On ISA2, configure access
rules to allow Internet access for the research department users.

Answer: A

Explanation:
Microsoft ISA Server 2004 includes an export and import feature that you can use to save
ISA Server configuration parameters to an .xml file. You can use the configuration in the
file as a backup of your configuration, or to copy the configuration to another ISA Server
computer. You can export on many levels in ISA Server. For example, you can export an
entire firewall policy, a single rule, or a single network object. You can also back up your
entire configuration so that you can restore it at a later date.
Suppose you want to set up another ISA Server computer with the same policy as the one
you have configured, but the server is located in a different part of the network, possibly
in another domain, and has different network relationships. In that case you cannot use
the complete configuration as exported. The solution is to export only the firewall policy,
import it on the other ISA Server computer, and then modify the network details in the
firewall policy rules as necessary.
In this scenario we need to change the IP address of the external network adapter on
ISA2, because ISA2 needs a valid external IP address that differs from the one used by
ISA1.

QUESTION NO: 36
You are a network administrator for TestKing.com. TestKing has a main office and
one branch office. The main office has a high-speed Internet connection. The branch
office has a dial-up Internet connection.

An administrator in the main office configures one ISA Server 2004 computer to
provide Internet access to users in the main office. The administrator configures
access rules and enables VPN access to the ISA Server computer. The access rules
allow only authorized users access to the Internet.

You install an ISA Server 2004 computer in the branch office.

You need to configure the branch office ISA Server computer to meet the following
requirements:

1. Ensure that users in the branch office can access the Internet.
2. Ensure that users in the branch office are restricted by the main office access rules
when accessing the Internet.
3. Ensure that all information sent over the Internet is encrypted between the
offices.

What should you do?

A. Create a dial-up connection to the main office. Configure ISA Server to use the dial-up
connection as the default gateway. Configure a dial-up user account.
B. Create a dial-up connection to an ISP. Configure ISA Server to use the dial-up
connection as the default gateway. Configure Web Proxy chaining.
C. Create a demand-dial VPN connection to the main office. Configure ISA Server to use
the VPN connection as the default gateway. Configure firewall chaining. Configure a
firewall chaining user account.
D. Create a demand-dial VPN connection to an ISP. Configure firewall chaining.
Configure a firewall chaining user account.

Answer: C

Explanation:
Web Proxy Chaining is a method you can use to forward Web Proxy connections from
one ISA firewall to another ISA firewall. Web Proxy chains consist of upstream and
downstream ISA firewalls. The upstream ISA firewalls are those closer to the Internet
connection, and the downstream ISA firewalls are those further away from the Internet
connection. Downstream ISA firewalls forward Web Proxy requests to upstream ISA
firewalls. The first ISA firewall in the Web Proxy chain is the one closest to the Internet
and the one responsible for obtaining the Internet content.

Firewall chaining is similar to Web Proxy chaining. In a Firewall chaining arrangement,
the downstream ISA firewall is configured to be a Firewall client of the upstream ISA
firewall. The advantage of Firewall chaining over Web Proxy chaining is that Firewall
chaining supports all TCP and UDP Winsock protocols, not just the Web protocols
(HTTP/HTTPS/FTP); it also supports complex protocols that require secondary
connections. Microsoft highly recommends that you require authentication on the
upstream firewall. When authentication is required upstream, the downstream ISA
firewall must be able to send credentials to the upstream firewall to access the Internet,
so we must configure a firewall chaining user account. The demand-dial VPN connection
to the main office encrypts all traffic between the offices, and using it as the default
gateway ensures that Internet-bound traffic passes through the main office firewall, where
the main office access rules are applied.

QUESTION NO: 37
You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 computers named ISA1 and ISA2. TestKing has a main office and
one branch office.

ISA1 is located in the main office and connects to the Internet. ISA2 is located in the
branch office and connects to the main office over a dedicated WAN link. All client
computers run Windows XP Professional.

All client computers can update virus definitions from the virus update Web site.
ISA2 can connect to the virus update Web site and the Windows Update Web site.

You discover that ISA1 cannot connect to the virus update Web site or the Windows
Update Web site. The firewall policy on ISA1 is configured as shown in the exhibit.

You need to ensure that ISA1 can connect to the virus update Web site and the
Windows Update Web site.

What should you do?

A. Enable the HTTP connectivity verifiers configuration group.
On ISA1, create a network set that has the IP addresses of both the virus update Web site
and the Windows Update Web site.
B. Enable the Allowed sites configuration group.
On ISA1, add the URL of the virus update Web site to the System Policy Allowed Sites
domain name set.
C. Create a new URL set named VirusUpdates that includes the URLs for the virus
update Web site and the Windows Update Web site.
On ISA2, create a new HTTP access rule that includes the VirusUpdates URL set.
D. Create a new domain name set named VirusUpdates that includes the URLs for the
virus update Web site and the Windows Update Web site.
On ISA1, create a new HTTP access rule from the Internal network to the VirusUpdates
domain name set.

Answer: B

Explanation:
ISA Server introduces a system policy, a set of firewall policy rules that control how the
ISA Server computer enables the infrastructure necessary to manage network security and
connectivity. ISA Server is installed with a default system policy, designed to address the
balance between security and connectivity. Some system policy rules are enabled upon
installation. These are considered the most basic and necessary rules for effectively
managing the ISA Server environment. You can subsequently identify those services and
tasks that you require to manage your network, and enable the appropriate system policy
rules. In our scenario, however, we need to enable HTTP traffic from ISA1 to the virus
update site, but we can see in the exhibit that the corresponding rule 17 is disabled.
Therefore we need to enable that rule and add the URL of the virus update Web site to
the System Policy Allowed Sites domain name set.

QUESTION NO: 38
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 array. The array contains six members.

You enable Cache Array Routing Protocol (CARP) so that outbound Web requests
are resolved within the array.

Soon after you enable CARP on the array, Web users on the corporate network
report that Internet access is slower than normal.

You use Network Monitor to check network traffic patterns on each of the ISA
Server 2004 array members. You discover that there is very high network utilization
on the intra-array network.

You need to reduce the amount of intra-array traffic.

What should you do?

A. Enable Network Load Balancing on the intra-array network.
B. Configure the client computers as SecureNAT clients.
C. Use automatic discovery to configure the client computers as Web Proxy clients.
D. Enable CARP on the intra-array network.

Answer: C

Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP.
CARP distributes the cache used by Web proxies across an array of ISA Server
computers. Although CARP assigns each ISA Server computer a unique set of cached
data (thus you need to configure the cache on each array member), the array of computers
functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to
increase performance in operations accessing a Web proxy cache that is distributed across
multiple ISA Server computers. CARP uses hash-based routing to determine which ISA
Server computer will respond to a client request and cache specific Web content. CARP
provides the following benefits:
* CARP eliminates the duplication of cache contents across multiple ISA Server
computers. The result is a faster response to queries and a more efficient use of server
resources.
* Because CARP determines which ISA Server computer will cache any specific content,
no traffic is required among ISA Server computers to determine which server is caching
the content.
* CARP automatically adjusts when array members are added or removed. The
hash-based routing means that, when a server is either taken offline or added, only
minimal reassignment of URL caches is required.

* CARP ensures that the cache objects are either distributed evenly between all servers in
the array or by the load factor that is configured for each server.
When client-side CARP is enabled, the Web browser downloads the
Array.dll?Get.Routing.Script from an ISA Server computer in the array. When a user
types a URL into a Web browser, the URL is handed off to the script, which calculates
which ISA Server computer in the array will be used to cache the content. The script
always returns the same server list for a given URL, ensuring that each URL is cached on
one array server only.
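The hash-based routing described above, as an added example that is not ISA Server code or the real Array.dll script: a small Python model of CARP member selection. The hash functions are modeled on the CARP Internet-Draft and the load factor is a plain multiplier (a simplification); the six-member array and the 200 URLs are constructed for illustration. It shows the two properties the explanation relies on: each URL always resolves to the same member, and taking a member offline only moves the URLs that member owned, because removing a losing candidate never changes which candidate had the highest score.

```python
# CARP-style hash routing for a Web proxy array. Added example, not ISA Server
# code; hashing modeled on the CARP Internet-Draft, load factor simplified.
from __future__ import annotations

MASK32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def mix(h: int) -> int:
    """Final avalanche step applied after every hash."""
    h = (h + h * 0x62531965) & MASK32
    return rotl32(h, 21)


def url_hash(url: str) -> int:
    """32-bit rotating hash of the request URL."""
    h = 0
    for b in url.encode("utf-8"):
        h = (h + rotl32(h, 19) + b) & MASK32
    return mix(h)


def member_hash(name: str) -> int:
    """Hash of an array member's name (case-insensitive), mixed a second time
    so that member hashes and URL hashes are not interchangeable."""
    return mix(url_hash(name.lower()))


def combined_hash(uh: int, mh: int) -> int:
    """Score of one (URL, member) pair; the highest score owns the URL."""
    return mix(uh ^ mh)


def choose_member(url: str, members: dict[str, float]) -> str:
    """Pick the array member that caches `url`.
    `members` maps member name -> load factor (1.0 for an even share)."""
    uh = url_hash(url)
    best_name, best_score = "", -1.0
    for name, load in members.items():
        score = combined_hash(uh, member_hash(name)) * load
        if score > best_score:
            best_name, best_score = name, score
    return best_name


def assign_all(urls, members):
    """Map every URL to its owning member."""
    return {u: choose_member(u, members) for u in urls}


def reassigned_after_removal(urls, members, removed):
    """Minimal-reassignment property: taking `removed` offline only moves the
    URLs it owned. Returns (assignment before, assignment after, moved URLs)."""
    before = assign_all(urls, members)
    remaining = {n: l for n, l in members.items() if n != removed}
    after = assign_all(urls, remaining)
    moved = [u for u in urls if before[u] != after[u]]
    return before, after, moved


if __name__ == "__main__":
    # Constructed sample: a six-member array and 200 URLs from one site.
    array = {f"isa{i}": 1.0 for i in range(1, 7)}
    sample_urls = [f"http://www.example.com/page{i}.html" for i in range(200)]
    before, after, moved = reassigned_after_removal(sample_urls, array, "isa3")
    owned = sum(1 for owner in before.values() if owner == "isa3")
    print(f"isa3 owned {owned} URLs; {len(moved)} URLs moved when it left")
```

With client-side CARP the browser runs the equivalent of choose_member itself, so the request goes straight to the owning member and no intra-array forwarding is needed; that is why the answer is to make the clients Web Proxy clients with automatic discovery rather than to change anything on the intra-array network.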

QUESTION NO: 39
You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 computers named ISA1 and ISA2. The network also contains a
Routing and Remote Access server named RRAS1. TestKing has a main office and
one branch office.

ISA2 uses a dial-up connection to connect to RRAS1. On ISA2, you create a Web
chaining rule that redirects requests to ISA1. Users in the branch office frequently
access a published Web site named http://sales.testking.com. This sales Web site
resides on a Web server in the perimeter network.

Users in the branch office report that occasionally during business hours they
cannot connect to http://sales.testking.com. You configure and enable a content
download job to ensure that Web site content is loaded into the Web cache on ISA2.

You need to ensure that content from http://sales.testking.com will always be
available to users in the branch office, even if the connection is unavailable.

What should you do on ISA2?

A. Create a new Web chaining rule. On the rule, enable a backup route to ISA1. Add a
URL set for http://sales.testking.com to the Web chaining rule. On the default cache
rule, increase the Time to Live (TTL) for HTTP objects.
B. Create a new Web caching rule. On the rule, redirect SSL requests as SSL requests.
Add a URL set for http://sales.testking.com to the Web chaining rule. On the default
cache rule, decrease the Time to Live (TTL) for HTTP objects.
C. Create a cache rule. Enable If any version of the object exists in cache. If none exists,
route the request. Enable Content for offline browsing. On the cache rule, decrease
the Time to Live (TTL) for HTTP objects.
D. Create a cache rule. Enable Only if a valid version of the object exists in cache. If no
valid version exists, route the request. Enable Content for offline browsing. On the
cache rule, increase the Time to Live (TTL) for HTTP objects.

Answer: D

Explanation:
ISA Server 2004 uses cache rules to allow you to customize what types of content will be
stored in the cache and exactly how that content will be handled when a request is made
for objects stored in cache. You can create rules to control the length of time that a cache
object is considered to be valid (ensuring that objects in the cache don't get hopelessly out
of date), and you can specify how cached objects are to be handled after they expire. ISA
Server 2004 gives you the flexibility to apply cache rules to all sites or just to specific
sites. A rule can further be configured to apply to all types of content or just to specified
types. In addition to controlling content type and object size, a cache rule can control how
ISA Server will handle the retrieval and service of objects from the cache. This refers to
the validity of the object. An object's validity is determined by whether its Time to Live
(TTL) has expired. Thus increasing the TTL will increase the object's validity in the
cache. Expiration times are determined by the HTTP or FTP caching properties or the
object's properties. Your options include:
* Setting ISA Server 2004 to retrieve only valid objects from cache (those that have not
expired). If the object has expired, the ISA server will send the request on to the Web
server where the object is stored and retrieve it from there.
* Setting ISA Server 2004 to retrieve requested objects from the cache even if they aren't
valid. In other words, if the object exists in the cache, ISA Server will retrieve and serve
it from there even if it has expired. If there is no version of the object in the cache, the
ISA Server will send the request to the Web server and retrieve it from there.
* Setting ISA Server to never route the request. In this case, the ISA Server relies only
upon the cache to retrieve the object. Objects will be returned from cache whether or not
they are valid. If there is no version of the object in the cache, the ISA Server will return
an error. It will not send the request to the Web server.
* Setting ISA Server to never save the object to cache. If you configure the rule this way,
the requested object will never be saved to the cache.
The scenario states that content from http://sales.testking.com must always be available
to users in the branch office, even if the connection is unavailable. Thus we need to
increase the TTL of the cached objects. If we decreased the TTL, the objects in the cache
would expire sooner, and users would get a page-not-found error whenever the connection
between the main office and the branch office was down.

QUESTION NO: 40
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. You enable a cache drive on ISA1. ISA1 is a
multi-homed server.

A Web server named Testking2 resides in a perimeter network. Testking2 contains
two company Web sites named http://internal.testking.com and
http://external.testking.com.

Members of the graphics team make frequent changes to the Web site named
http://internal.testking.com. When the team members update the Web site, they
cannot see changes made by other members of the team.

You need to configure ISA1 to allow members of the graphics team to immediately
view updates to http://internal.testking.com.

What should you do?

A. Add the testking.com domain name to the list of domains on the Internet network.
Disable the Bypass proxy for Web servers in this network option.
B. Add the client computers used by the members of the graphics team to a computer set.
Create a cache rule to include the computer set. Enable the Never. No content will
ever be cached setting.
C. Create a URL set for http://internal.testking.com. Create a cache rule to include the
URL set. Enable the Never. No content will ever be cached setting.
D. Create a new computer set for Testking2. Create a cache rule to include the computer
set. Disable HTTP caching on the cache rule.

Answer: C

Explanation:

ISA Server 2004 uses cache rules to allow you to customize what types of content will be
stored in the cache and exactly how that content will be handled when a request is made
for objects stored in cache. You can create rules to control the length of time that a cache
object is considered to be valid (ensuring that objects in the cache don't get hopelessly out
of date), and you can specify how cached objects are to be handled after they expire. ISA
Server 2004 gives you the flexibility to apply cache rules to all sites or just to specific
sites. A rule can further be configured to apply to all types of content or just to specified
types. In addition to controlling content type and object size, a cache rule can control how
ISA Server will handle the retrieval and service of objects from the cache. This refers to
the validity of the object. An object's validity is determined by whether its Time to Live
(TTL) has expired. Expiration times are determined by the HTTP or FTP caching
properties or the object's properties. Your options include:
* Setting ISA Server 2004 to retrieve only valid objects from cache (those that have not
expired). If the object has expired, the ISA server will send the request on to the Web
server where the object is stored and retrieve it from there.
* Setting ISA Server 2004 to retrieve requested objects from the cache even if they aren't
valid. In other words, if the object exists in the cache, ISA Server will retrieve and serve
it from there even if it has expired. If there is no version of the object in the cache, the
ISA Server will send the request to the Web server and retrieve it from there.
* Setting ISA Server to never route the request. In this case, the ISA Server relies only
upon the cache to retrieve the object. Objects will be returned from cache whether or not
they are valid. If there is no version of the object in the cache, the ISA Server will return
an error. It will not send the request to the Web server.
* Setting ISA Server to never save the object to cache. If you configure the rule this way,
the requested object will never be saved to the cache.
In this scenario the content of http://internal.testking.com is being cached by ISA1, so
team members are served the stale cached copy rather than the latest content. Therefore
we must create a cache rule for a URL set containing that site and disable caching for it.
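The retrieval options listed in the explanations of Question 39 and Question 40, as one added example that is not ISA Server code: a toy caching proxy in Python that models the three retrieval settings (valid only, any version, never route), the "Never. No content will ever be cached" setting, and the object TTL. It then replays both scenarios: the branch office whose WAN link goes down (Question 39), where a short TTL expires the sales site before the outage and a long TTL keeps it available, and the graphics team (Question 40), where only disabling caching makes the second request see the updated page. The URLs, timings and page bodies are constructed for illustration.

```python
# Cache-rule retrieval semantics. Added example, not ISA Server code.
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


class OriginUnavailable(Exception):
    """Raised by the origin when the link to the upstream Web server is down."""


VALID_ONLY = "valid_only"    # serve from cache only if not expired, else route
ANY_VERSION = "any_version"  # serve any cached copy, expired or not, else route
NEVER_ROUTE = "never_route"  # serve from cache only; never contact the Web server


@dataclass
class CachedObject:
    body: bytes
    stored_at: float  # seconds
    ttl: float        # seconds the object counts as valid

    def is_valid(self, now: float) -> bool:
        return now - self.stored_at < self.ttl


@dataclass
class CacheRule:
    retrieval: str = VALID_ONLY
    ttl: float = 600.0
    store: bool = True  # False models "Never. No content will ever be cached"


class CachingProxy:
    def __init__(self, rule: CacheRule, origin: Callable[[str], bytes]):
        self.rule = rule
        self.origin = origin  # origin(url) -> body; may raise OriginUnavailable
        self.cache: dict[str, CachedObject] = {}

    def fetch(self, url: str, now: float) -> tuple[bytes, str]:
        """Return (body, source); source is 'cache' or 'origin'."""
        obj = self.cache.get(url)
        if obj is not None:
            if self.rule.retrieval in (ANY_VERSION, NEVER_ROUTE) or obj.is_valid(now):
                return obj.body, "cache"
        if self.rule.retrieval == NEVER_ROUTE:
            raise LookupError(f"{url} is not cached and the rule never routes")
        body = self.origin(url)          # may raise OriginUnavailable
        if self.rule.store:
            self.cache[url] = CachedObject(body, now, self.rule.ttl)
        return body, "origin"


def branch_office_scenario(ttl: float, outage_at: float = 3600.0) -> bool:
    """Question 39: a branch user reads the sales site at t=0 and the WAN link
    is down at t=outage_at. True if the cached copy still serves the user."""
    link = {"up": True}

    def origin(url: str) -> bytes:
        if not link["up"]:
            raise OriginUnavailable(url)
        return b"<html>sales</html>"

    proxy = CachingProxy(CacheRule(VALID_ONLY, ttl=ttl), origin)
    proxy.fetch("http://sales.testking.com/", now=0.0)
    link["up"] = False
    try:
        proxy.fetch("http://sales.testking.com/", now=outage_at)
        return True
    except OriginUnavailable:
        return False


def graphics_team_scenario(store: bool) -> bytes:
    """Question 40: the site changes between two requests. Returns what the
    second request sees; only with store=False is the update immediate."""
    versions = iter([b"v1", b"v2"])   # constructed: page before and after the edit
    proxy = CachingProxy(CacheRule(VALID_ONLY, ttl=3600.0, store=store),
                         lambda url: next(versions))
    proxy.fetch("http://internal.testking.com/", now=0.0)
    body, _ = proxy.fetch("http://internal.testking.com/", now=10.0)
    return body


if __name__ == "__main__":
    print("branch, TTL 10 min, outage after 1 h:", branch_office_scenario(600.0))
    print("branch, TTL 1 day,  outage after 1 h:", branch_office_scenario(86400.0))
    print("graphics team, caching on :", graphics_team_scenario(True))
    print("graphics team, caching off:", graphics_team_scenario(False))
```

Note that the Question 39 answer also enables content for offline browsing; in this model that corresponds to serving an expired copy when the origin is unreachable, which the VALID_ONLY setting alone does not do, so the longer TTL is what keeps the object valid across the outage.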

QUESTION NO: 41
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. TestKing uses Microsoft Exchange Server 2003
as its e-mail server.

TestKing's written security policy states that all user names and passwords must be
encrypted when they are sent over the Internet.

TestKing is adopting Web-enabled cellular phones and wants to allow users to use
these phones to access their e-mail over the Internet. The phones have a Wireless
Application Protocol (WAP) browser and an e-mail client that is capable of only POP3
and IMAP4.

You need to configure ISA1 to give users access from their cellular phones to e-mail.
You need to ensure that you adhere to TestKing's security policy.

What should you do?

A. Create an HTTPS server publishing rule. Configure the rule to point to the Microsoft
Outlook Web Access site.
B. Create an HTTPS server publishing rule. Configure the rule to point to the Microsoft
Outlook Mobile Access site.
C. Create a POP3 server publishing rule. Configure the rule to point to en Exchange
Server 2003 computer.
D. Create an IMAP server publishing rule. Configure the rule to point to an Exchange
Server 2003 computer.

Answer: B

Explanation:
Exchange Server 2003 allows users of wireless and small devices, such as mobile phones,
personal digital assistants (PDAs), or smart phones (hybrid devices that combine the
functionality of mobile phones and PDAs), access to Exchange data. Exchange ActiveSync
and Outlook Mobile Access (OMA) are two of the mobile service components that are

Internet Explorer and desktop personal computers using Internet Explorer 6.0 or later also
support OMA.
Outlook Web Access provides access to a computer running Exchange Server through a
Web browser. OWA does not require any client software or client configuration other
than a Web browser. Although OWA does not provide all of the functionality provided by
a full Outlook client, the fact that it is easy to deploy and does not require any special
client makes OWA an attractive option for providing remote access.
By default, OMA and OWA are configured to use HTTP. This means that all user logon
information is passed in clear text to the computer running Exchange Server. In addition,
authentication to the SMTP server is passed in clear text. This issue is easily addressed by
using SSL to encrypt all user sessions.

The POP3, IMAP4, and SMTP options allow you to publish both secure and non-secure
versions (default settings) of these protocols. Secure versions of these protocols use SSL
to encrypt both user credentials and data. The ISA firewall will publish these protocols
using Server Publishing Rules, but you must configure the Exchange Server with the
appropriate Web site certificates to complete the configuration if you want to use the
secure version of these protocols.

QUESTION NO: 42
You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 computers named ISA1 and ISA2. The relevant portion of the
network is shown in the exhibit.

TestKing's written security policy states that employees must connect to the VPN
server installed on ISA2 by using the most secure method possible.

You need to configure ISA1 to allow employees to connect to the VPN server on
ISA2.

What should you do?

A. On ISA1, create a PPTP server publishing rule.
On ISA2, configure VPN connections to use EAP authentication.
B. On ISA1, create an L2TP server publishing rule.
On ISA2, configure VPN connections to use EAP authentication.
C. On ISA1, create a PPTP server publishing rule.
On ISA2, configure VPN connections to use PAP authentication.
D. On ISA1, create an L2TP server publishing rule.
On ISA2, configure VPN connections to use PAP authentication.

Answer: B

Explanation:
When you configure a VPN, you create a secured, point-to-point connection across a
public network such as the Internet. A VPN client uses special Transmission Control
Protocol/Internet Protocol (TCP/IP)-based protocols called tunneling protocols to connect
to a virtual connection port on a VPN server. The tunneling protocols use encryption
protocols to provide data security as the data is sent across the public network. The two
VPN protocols supported by ISA Server are the Point-to-Point Tunneling Protocol (PPTP)
and the Layer 2 Tunneling Protocol (L2TP).
PPTP and L2TP use encryption protocols to ensure that the connection is private and
secure by encrypting all traffic sent across the public network. The PPTP VPN protocol
uses Microsoft Point-to-Point Encryption (MPPE) to protect data moving through the
PPTP virtual networking connection. The L2TP/IPSec VPN protocol uses Internet
Protocol Security (IPSec) to encrypt data moving through the L2TP virtual network.
Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure
authentication protocol. It is typically used if the remote access client and remote access
server cannot negotiate a more secure form of authentication.
Extensible Authentication Protocol (EAP) is the most secure remote authentication
protocol. It uses certificates on both the client and the server to provide mutual
authentication, data integrity, and data confidentiality. It negotiates encryption algorithms
and secures the exchange of session keys. Use EAP if you are implementing multifactor
authentication technologies such as smart cards or universal serial bus (USB) token
devices.

QUESTION NO: 43
You are the network administrator for TestKing.com. ISA Server 2004 is installed
as TestKing's firewall. All of TestKing's portable computers run Microsoft Outlook
2003.

TestKing's written security policy states that all e-mail communications to the
Microsoft Exchange Server 2003 computer over the Internet must be encrypted.

You need to ensure that all employees use Outlook 2003, whether they use e-mail in
the office or use e-mail remotely over the Internet.

What should you do?

A. Configure Microsoft Outlook Web Access on internal server. Configure an HTTP
Web publishing rule to direct traffic to the Exchange Server computer.
B. Configure Microsoft Outlook Web Access on an internal server. Configure an HTTP
Web publishing rule to direct traffic to the Exchange Server computer.
C. Configure an RPC Proxy server. Create a server publishing rule to direct all Exchange
RPC traffic to the RPC Proxy server.
D. Configure an RPC Proxy server. Create an HTTPS Web publishing rule to direct
traffic to the RPC Proxy server.

Answer: D

Explanation:
Outlook 2003 with Exchange 2003 running on Microsoft Windows Server 2003 supports
RPC over HTTP, which simplifies the network and firewall configuration needed to
support a MAPI client. Using RPC over HTTP provides all the benefits of using an
Outlook client without needing multiple ports open on the firewall. Users running
Outlook 2003 can connect directly to a computer running Exchange Server 2003 over the
Internet by using HTTP or HTTPS-even if both the computer running Exchange Server
and Outlook are behind firewalls and located on different networks. Only the HTTP and
HTTPS ports need to be opened on the firewall.
RPC over HTTP can be deployed using front-end and back-end servers. The front-end
server is an RPC proxy server that converts the RPC over HTTP packets into normal RPC
packets, which are forwarded to the back-end computer running Exchange Server. The
back-end server replies to the front-end server, which converts the response back into
HTTP packets and replies to the client. In this case, the RPC proxy server does not need
to be running Exchange. RPC over HTTP can also be deployed in a single server
configuration where the Exchange Server is also configured as the RPC proxy server. In
either case, RPC over HTTP requires the use of SSL to encrypt the traffic between the
Outlook client and the RPC proxy server, so the RPC proxy server is published with an
HTTPS Web publishing rule.
We cannot use OWA in this scenario because the question requires that all employees use
Outlook 2003, both in the office and remotely over the Internet.

QUESTION NO: 44
You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 is
connected to the Internet. All client computers are configured as SecureNAT clients.

TestKing's new written security policy states that only Web-based traffic will be
allowed on the network. In the past, all instant messaging applications were allowed.

You need to configure ISA1 to block all instant messaging traffic and all other
non-Web traffic.

What should you do?

A. Delete all current access rules.
Create a new access rule that has only HTTP and HTTPS as the allowed protocols.
Configure HTTP filtering and add signatures for instant messaging applications.
B. Create a new access rule that denies all instant messaging protocols.
Create a new access rule that has only HTTP and HTTPS as the allowed protocols.
C. Create a new access rule that has only HTTP and HTTPS as the allowed protocols.
Configure HTTP filtering and add signatures for instant messaging applications.
Unbind the HTTP filter from the HTTP protocol definition.
D. Create a computer set definition for instant messaging servers on the Internet.
Create a new access rule that denies all instant messaging protocols to the computer set
you defined.
Create a new access rule that has only HTTP and HTTPS as the allowed protocols.

Answer: A

Explanation:
Access rules determine how clients on a source network can access resources on a
destination network. To enable access to Internet resources for users on your internal
network, you need to configure an access rule that enables this access. Access rules are
used to configure all traffic flowing through ISA Server, including all traffic from the
internal network to the Internet, and from the Internet to the internal network.
One of the most important Web filters included with ISA Server 2004 is the HTTP filter.
Many Internet applications now use HTTP to tunnel the application traffic. For example,
Microsoft MSN® Messenger uses HTTP as the application-layer protocol. The only way
to block these types of applications without blocking all HTTP traffic is to use HTTP
filtering.
An HTTP signature can be any string of characters in the HTTP header or body. To block
an application based on signatures, you need to identify the specific patterns the
application uses in request headers, response headers, and body, and then modify the
HTTP policy to block requests based on that string. For example, to block MSN
Messenger, configure the rule to block User-Agent: MSN Messenger in the request
header.
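The signature matching described above, as an added example that is not the ISA Server HTTP filter: a minimal HTTP request parser in Python plus signature matching that is scoped to a named request header or to the request body, run over constructed sample requests. The User-Agent signature is the one given in the text; the "VER 1 MSNP" body signature, the sample host names and the request bodies are hypothetical and constructed for illustration, not captured traffic.

```python
# HTTP signature filtering. Added example, not the ISA Server HTTP filter.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    where: str          # "request_header" or "request_body"
    pattern: bytes
    header: str = ""    # header name; only used for request_header signatures


SIGNATURES = [
    # Same rule as in the text: block User-Agent: MSN Messenger in the request header.
    Signature("MSN Messenger", "request_header", b"MSN Messenger", header="User-Agent"),
    # Hypothetical body signature for a messenger client tunnelling over HTTP.
    Signature("MSNP body", "request_body", b"VER 1 MSNP"),
]


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, headers, body).
    Header names are lower-cased; repeated headers keep every value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: dict[str, list[bytes]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip())
    return lines[0], headers, body


def matches(sig: Signature, headers: dict[str, list[bytes]], body: bytes) -> bool:
    """Case-insensitive substring match, limited to the location the signature names,
    so a pattern in some other header does not trigger a header-scoped signature."""
    needle = sig.pattern.lower()
    if sig.where == "request_header":
        return any(needle in v.lower() for v in headers.get(sig.header.lower(), []))
    if sig.where == "request_body":
        return needle in body.lower()
    raise ValueError(f"unknown signature location {sig.where!r}")


def inspect(raw: bytes, signatures=SIGNATURES) -> tuple[str, str | None]:
    """Return ('block', signature name) for the first hit, else ('allow', None)."""
    _, headers, body = parse_request(raw)
    for sig in signatures:
        if matches(sig, headers, body):
            return "block", sig.name
    return "allow", None


# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n")
MESSENGER_REQUEST = (b"POST /gateway/gateway.dll?Action=open HTTP/1.1\r\n"
                     b"Host: messenger.example.net\r\n"
                     b"User-Agent: MSN Messenger 6.2\r\n"
                     b"Content-Length: 0\r\n\r\n")
SCOPED_REQUEST = (b"GET /news HTTP/1.1\r\n"            # pattern present, wrong header
                  b"Host: www.example.com\r\n"
                  b"User-Agent: Mozilla/4.0\r\n"
                  b"X-Note: MSN Messenger\r\n\r\n")
BODY_REQUEST = (b"POST /gateway HTTP/1.1\r\n"
                b"Host: messenger.example.net\r\n"
                b"User-Agent: Mozilla/4.0\r\n"
                b"Content-Length: 14\r\n\r\n"
                b"VER 1 MSNP12\r\n")

if __name__ == "__main__":
    for label, req in [("browser", BROWSER_REQUEST), ("messenger", MESSENGER_REQUEST),
                       ("scoped", SCOPED_REQUEST), ("body", BODY_REQUEST)]:
        print(label, inspect(req))
```

Because the filter only sees what it can parse, the signature approach blocks clients that identify themselves honestly; a client that changes its User-Agent string slips past a header signature, which is why the answer also deletes the existing access rules and allows only HTTP and HTTPS, so that nothing other than Web traffic gets through in the first place.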

QUESTION NO: 45
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1, which was recently installed.

TestKing's written security policy states that all HTTP traffic must go through ISA1.

The human resources (HR) department creates a new HR Web site, which
employees use to access and manage their benefits. The HR Web site has its own
Windows Server 2003 Web server and its own server publishing rule on ISA1.

Security requirements dictate that employees must not be able to access the HR Web
site from an untrusted client computer.

You need to configure the server publishing rule to meet the security requirements.

Which network object should you enable?

A. External
B. Local Host
C. Quarantined VPN Clients
D. All Protected Networks

Answer: D

Explanation:
The All Protected Networks Network Object includes all Networks defined on the ISA
firewall except for the default External Network. You might use the All Protected
Networks Network Object when you want to apply an Access Rule that controls outbound
access for all networks behind the ISA firewall.
The Quarantined VPN Clients Network is a "virtual" or "just in time" Network where
addresses are dynamically assigned to this Network when quarantined VPN clients
connect to the ISA firewall. The Quarantined VPN Client Network is only used when
VPN Quarantine is enabled on the ISA firewall.
Internal Network includes all computers (IP addresses) that were specified as internal
during the installation process.

The default External network created during ISA firewall setup includes all addresses that
are not already defined by another Network on the ISA firewall. The default External
Network doesn't contain any dialog boxes for you to perform custom configuration.
Any address that isn't defined by some other Network on the ISA firewall is automatically
included in the default External Network.

QUESTION NO: 46
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer. Users on the Internet network require access to a partner
VPN server. The partner VPN server does not support machine certificate
authentication for VPN connections. You enable a route relationship between the
Internal network and the External network.

You need to ensure that TestKing users can access the partner VPN server.

What should you do?

A. Create an access rule to enable outbound access to the PPTP Client protocol.
B. Create an access rule to enable outbound access to the IPSec with Encapsulation
Security Payload (ESP) Server protocol.
C. Create an access rule to enable outbound access to the IKE Client protocol.
D. Create an access rule to enable outbound access to the L2TP Client protocol.

Answer: A

Explanation:
A remote access VPN server accepts VPN calls from VPN client machines. A remote
access VPN server allows single client machines and users access to corporate network
resources after the VPN connection is established.
You can use any VPN client software that supports PPTP or L2TP/IPSec to connect to a
VPN server.
PPTP uses Point-to-Point Protocol (PPP) user authentication methods and Microsoft
Point-to-Point Encryption (MPPE) to encrypt IP traffic. PPTP supports the use of
Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) for
password-based authentication. For stronger authentication for PPTP connections, you
can implement a public key infrastructure (PKI) using smart cards or certificates and
Extensible Authentication Protocol Transport Level Security (EAP-TLS).

L2TP/IPSec is the more secure of the two VPN protocols: it uses PPP user authentication
methods and IPSec encryption to encrypt IP traffic. This combination uses
certificate-based computer authentication to create IPSec security associations in addition
to PPP-based user authentication. L2TP/IPSec provides data integrity, data origin
authentication, data confidentiality, and replay protection for each packet.
The ISA firewall can pass PPTP VPN connections from any Protected Network to the
Internet with the help of its PPTP filter. The ISA firewall's PPTP filter intercepts the
outbound PPTP connection from the Protected Network client and mediates the GRE
(Generic Routing Encapsulation/IP Protocol 47) Protocol and the PPTP control channel
(TCP 1723) communications. The only thing you need to do is create an Access Rule
allowing outbound access to PPTP.

QUESTION NO: 47
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer.

A network rule defines a network address translation (NAT) relationship between
the Internal network and the External network. The Internal network contains a
Windows Server 2003 computer named Testking1.

You need to perform remote administration of Testking1 by using Remote Desktop.

You also need to allow users to establish a Remote Desktop connection to Testking1
by using the non-standard TCP port 12345.

Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two)

A. Configure a new protocol definition for TCP port 12345 inbound named RDP-x.
B. Configure a new protocol definition for TCP port 12345 outbound named RDP-x.
C. Create an access rule that uses RDP-x.
D. Create a server publishing rule that uses RDP-x.

Answer: A, D

Explanation:
Creating Server Publishing Rules is simple compared to Web Publishing Rules. The only
things you need to know when creating a Server Publishing Rule are:
* The protocol or protocols you want to publish
* The IP address where the ISA firewall accepts the incoming connections

* The IP address of the Protected Network server you want to publish
A Server Publishing Rule uses protocols with the primary connection set as Inbound,
Receive or Receive/Send.
Since there is no protocol called RDP-x using port 12345, we must create it. After the
creation we can create a server publishing rule that uses this custom protocol. We
configure this rule for inbound traffic.

QUESTION NO: 48
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer.

TestKing is creating a new Web site for access by a business partner. The Web site
will be hosted on an internal Web server. The Web site will be accessed by
customers. Requests from client computers should first be validated by using SSL
authentication. However, if client certificate requests fail, customers should still be
prompted to log in by using a user name and password.

You need to configure a publishing rule to allow access to the new Web site and to
fulfil the authentication requirements.

What should you do?

A. Create an HTTP server publishing rule. Configure the rule to accept connections from
client computers at the partner location.
B. Create an HTTPS server publishing rule. Configure the rule to accept connections
from client computers at the partner location.
C. Create a Web publishing rule. Configure a new Web listener for the HTTP protocol.
Configure the Web listener to allow both Integrated Windows authentication and Digest
authentication.
D. Create a Web publishing rule. Configure a new Web listener for the HTTPS protocol.
Configure the Web listener to allow both SSL certificate authentication and Basic
authentication.

Answer: D

Explanation:

ISA Server uses server publishing rules to make servers on protected networks available
to users on the Internet. Server publishing rules are firewall rules that specify how ISA
Server will route incoming requests to internal servers. Secure Web publishing provides
an additional layer of security when publishing an internal Web site by enabling the
option to use Secure Sockets Layer (SSL) to encrypt all network traffic to and from the
Web site.
For Web publishing and secure Web publishing rules, you must configure a Web listener
as part of the rule definition. The Web listener defines which authentication methods are
enabled. You can configure a Web listener to use more than one authentication
mechanism. These authentication mechanisms can be used simultaneously on a Web
listener: Basic, Digest, Integrated, and Client Certificate Authentication. When selected,
RADIUS, SecurID, or forms-based authentication methods must be the only
authentication mechanism configured. The authentication option you select applies only if
you limit access to the Web Publishing Rule to a user or group. If you allow All Users
access to the Web Publishing Rule, then the authentication option is ignored. These
authentication options apply only to authentication performed by the ISA firewall itself,
not to authentication that may be required by the published Web site.
When you enable basic authentication delegation, ISA Server authenticates the users, and
then forwards the user credentials to the Web server, allowing the Web server to
authenticate users without requesting credentials a second time. To enable basic
authentication delegation, select the check box for Forward Basic authentication
credentials (Basic delegation) on the Users tab of the Web publishing or secure Web
publishing rule.

QUESTION NO: 49
You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 Enterprise Edition computers named ISA1 and ISA2. ISA1 and
ISA2 are configured as members of an ISA Server 2004 array.

You configure the array to cache outgoing Web requests. You configure the array so
that the cached Web content is distributed between ISA1 and ISA2.

You want to minimize the traffic on the intra-array network.

What should you do?

A. Enable Cache Array Routing Protocol (CARP) on the Local Host network.
B. Enable the client computers to download the automatic configuration script.
C. Configure a content download job on the array.
D. Configure Network Load Balancing on the Internal network.

Answer: B

Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP.
CARP distributes the cache used by Web proxies across an array of ISA Server
computers. Although CARP assigns each ISA Server computer a unique set of cached
data (thus you need to configure the cache on each array member), the array of computers
functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to
increase performance in operations accessing a Web proxy cache that is distributed across
multiple ISA Server computers. CARP uses hash-based routing to determine which ISA
Server computer will respond to a client request and cache specific Web content. CARP
provides the following benefits:
* CARP eliminates the duplication of cache contents across multiple ISA Server
computers. The result is a faster response to queries and a more efficient use of server
resources.
* Because CARP determines which ISA Server computer will cache any specific content,
no traffic is required among ISA Server computers to determine which server is caching
the content.
* CARP automatically adjusts when array members are added or removed. The
hash-based routing means that, when a server is either taken offline or added, only
minimal reassignment of URL caches is required.
* CARP ensures that the cache objects are either distributed evenly between all servers in
the array or by the load factor that is configured for each server.
When client-side CARP is enabled, the Web browser downloads the
Array.dll?Get.Routing.Script from an ISA Server computer in the array. When a user
types a URL into a Web browser, the URL is handed off to the script, which calculates
which ISA Server computer in the array will be used to cache the content. The script
always returns the same server list for a given URL, ensuring that each URL is cached on
one array server only.
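To make the hash-based routing concrete, the following added example (not ISA Server code and not the routing script that Array.dll?Get.Routing.Script returns) implements a weighted rendezvous hash with the properties the list above describes: every client computes the same owner for a URL, each member's load factor sets its share, and when a member joins, only the URLs that the new member wins change owner. The member names and sample URLs are constructed.

```python
"""Weighted rendezvous (highest-score) hashing in the spirit of CARP.
Added illustration, not the ISA Server algorithm.  Each (URL, member) pair
gets a pseudo-random score; the member with the highest score owns the URL.
Because each member's score is independent of the others, adding or removing
a member only moves the URLs that member wins or owned."""
import hashlib
import math
from collections import Counter
from typing import Dict, Iterable, List


def _unit_hash(url: str, member: str) -> float:
    """Map (URL, member) to a pseudo-random float strictly inside (0, 1)."""
    digest = hashlib.sha256(f"{url}|{member}".encode("utf-8")).digest()
    return (int.from_bytes(digest[:8], "big") + 0.5) / 2.0 ** 64


def score(url: str, member: str, load_factor: float = 1.0) -> float:
    """Weighted score: a member with load factor 2 wins about twice as many
    URLs as a member with load factor 1 (scores are w / Exp(1) draws)."""
    if load_factor <= 0:
        raise ValueError("load factor must be positive")
    return -load_factor / math.log(_unit_hash(url, member))


def owner(url: str, members: Dict[str, float]) -> str:
    """Array member that caches this URL; identical on every client."""
    if not members:
        raise ValueError("array has no members")
    return max(members, key=lambda m: score(url, m, members[m]))


def distribution(urls: Iterable[str], members: Dict[str, float]) -> Counter:
    """How many of the URLs each member ends up caching."""
    return Counter(owner(u, members) for u in urls)


def moved_urls(urls: Iterable[str], before: Dict[str, float],
               after: Dict[str, float]) -> List[str]:
    """URLs whose owner changes when array membership changes."""
    return [u for u in urls if owner(u, before) != owner(u, after)]


# Constructed sample: a two-member array, then a third member joins.
SAMPLE_URLS = [f"http://www.example.com/page{i}.html" for i in range(1000)]
TWO_MEMBERS = {"ISA1": 1.0, "ISA2": 1.0}
THREE_MEMBERS = {"ISA1": 1.0, "ISA2": 1.0, "ISA3": 1.0}
WEIGHTED = {"ISA1": 1.0, "ISA2": 2.0}

if __name__ == "__main__":
    print("two members:", distribution(SAMPLE_URLS, TWO_MEMBERS))
    print("weighted   :", distribution(SAMPLE_URLS, WEIGHTED))
    moved = moved_urls(SAMPLE_URLS, TWO_MEMBERS, THREE_MEMBERS)
    print(len(moved), "URLs moved when ISA3 joined; all moved to ISA3:",
          all(owner(u, THREE_MEMBERS) == "ISA3" for u in moved))
```

Adding a member moves roughly one third of the URLs and nothing else, which is the "minimal reassignment" benefit; a modulo-based scheme (owner = hash mod N) would instead reshuffle most of the cache when N changes.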

QUESTION NO: 50
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer named ISA1.

TestKing'swritten security policy states that ISA1 must authenticate users before
users on the Internet are allowed to access corporate Web servers.

You install a new Web server on the Internal network. Partners and customers will
access the Web pages hosted by this Web server only from the Internet.

You need to configure ISA1 to publish the Web site hosted by this Web server, and
you need to adhere to TestKing's security policy.

What should you do?

A. Create a Web publishing rule. Configure the rule to require user authentication.
B. Create a Web publishing rule. Configure the rule to perform link translation.
C. Create an HTTP server publishing rule. Configure the rule to specify that requests
appear to come from ISA1.
D. Create an HTTP access rule. Configure the rule to allow connections from the External
network to the Internal network

Answer: A

Explanation:
ISA Server uses Web publishing rules to make Web sites on protected networks available
to users on other networks, such as the Internet. A Web publishing rule is a firewall rule
that specifies how ISA Server will route incoming requests to internal Web servers.
User authentication - You can configure ISA Server to require that all external users
authenticate before their requests are forwarded to the Web server hosting the published
content. This protects the internal Web server from authentication attacks. Web
publishing rules support several methods of authentication, including Remote
Authentication Dial-In User Service (RADIUS), integrated, basic, digest, digital
certificates, and RSA SecurID.
Link translation - With link translation, you can provide access to complex Web pages
that include references to other internal Web servers that are not directly accessible from
the Internet. Without link translation, any link to a server that is not accessible from the
Internet would appear as a broken link. Link translation can be used to publish complex
Web sites providing content from many servers while hiding the complexity from the
Internet users.

QUESTION NO: 51
You are the network administrator for TestKing.com. TestKing.com has a main office
and two branch offices. Users in the main office use client computers that run
Windows XP. Users in the branch offices use Macintosh computers.

You deploy one ISA Server 2004 computer in the main office and one ISA Server 2004
computer in each branch office. You configure an access rule on the main office ISA
Server computer. The rule allows authenticated users to download e-mail by using the
POP3 protocol. You install the Firewall Client on the Windows XP computers.
Users in the branch offices report that they cannot download e-mail by using the
POP3 protocol.
You need to ensure that users in the branch offices can download e-mail by using
the POP3 protocol.
You also need to ensure that authentication is required for all outbound traffic from
the main office.

A. On each branch office ISA Server computer, configure Firewall Client settings. Allow
non-encrypted Firewall Clients to connect to the ISA Server computer.
B. On each branch office ISA Server computer, configure firewall chaining. Configure
firewall chaining to use a user account.
C. On the main office ISA Server computer, configure a server publishing rule. Publish the
POP3 server the users are attempting to connect to.
D. On the main office ISA Server computer, configure IP preferences. Disable IP routing.

Answer: B

Explanation:
Since there are Macintosh computers in the branch offices, we must configure them as
SecureNAT or Web Proxy clients; the Firewall Client can only be installed on Windows
operating systems. In this scenario we cannot use a Web Proxy configuration, because the
Web Proxy configuration only supports HTTP, HTTPS and FTP, not POP3. Therefore we
configure the Macintosh computers as SecureNAT clients. SecureNAT does not support user
authentication (which the scenario requires), so we must configure firewall
chaining with user authentication.
ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA
Server together to provide flexible Web proxy services. These servers can be chained in a
hierarchical manner so that one ISA Server computer routes Internet requests to another
ISA Server computer, rather than routing the request directly to the Internet.
ISA Server 2004 also supports Firewall chaining to allow requests from SecureNAT and
Firewall clients to be forwarded to another ISA Server computer. The advantage of the
Firewall chaining configuration over the Web Proxy configuration is that Firewall
chaining supports all TCP and UDP Winsock protocols, not just Web protocols
(HTTP/HTTPS/FTP).

QUESTION NO: 51
Exhibit

You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 computers named ISA1 and ISA2.

The company has a main office and one branch office. The main office connects to
the branch office over a dedicated 56-Kbps frame relay WAN link. A client
computer named Client2 in the branch office connects to the main office through
ISA2.

Two computers in each office are configured as shown in the following table.

Users of Client1 and Client2 report that they cannot connect to the Internet. Client2
can connect to the main office network.

You want to maintain a high level of security on the external network adapter on
ISA1 and on ISA2.

You need to verify connectivity to ISA1 from either Client1 or Client2.

What should you do?

A. Configure Client1 with the default gateway IP address of the internal network adapter
of ISA1. Issue the ping command to 192.168.100.1 from Client1.
B. Configure Client2 with the default gateway IP address of the internal network adapter
of ISA2. Issue the tracert command to 172.16.1.1 from Client2.
C. Edit the Diagnostic Services ICMP configuration group on ISA1 by adding the main
office network as a destination network.
Issue the pathping command to 192.168.100.1 from Client1.
D. Edit the Remote Management ICMP (PING) configuration group on ISA1 by adding
Client1 to the Remote Management Computers computer set.
Issue the ping command to 192.168.100.1 from Client1.

Answer: D

Explanation:
The system policy is used primarily to enable sufficient access between the ISA Server
computer and the connected networks so that you can manage ISA Server. All of the
system policies define access between the Local Network, which is the ISA Server
computer itself, and the connected networks rather than defining access between
networks. Configuration groups are used in several of these system policies.
Remote Management ICMP (PING) configuration group - Enabling this configuration
group enables system policy rules that allow ICMP ping requests from selected computers
to the ISA Server computer.
Diagnostic Services ICMP configuration group - Enabling this configuration group
enables system policy rules that allow ICMP ping from the ISA Server computer to
selected computers.
In this scenario we want to diagnose connectivity from the source, Client1, to the
destination, ISA1. Therefore we need to add Client1 to the Remote Management Computers
computer set that is used in the Remote Management ICMP (PING) configuration group.

QUESTION NO: 52
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.

ISA1 connects to the Internet. ISA1 is configured with access rules for Internet
access. A Windows Server 2003 computer named CERT1 is configured as an
internal certification authority (CA). ISA1 can download the certificate revocation
list (CRL) from CERT1.

You are deploying 10 new ISA Server 2004 computers on the network. On ISA1 you
export the firewall policy settings into a file named ISA1export.xml. You configure
the network configuration settings on each new ISA Server computer. You import
the firewall policy settings from the ISA1export.xml file on each new ISA Server
computer.

You test the imported configuration on each of the new ISA Server computers. You
discover that each new ISA Server computer cannot download the CRL from
CERT1.

You need to ensure that the new ISA Server computers can download the CRL.

What should you do?

A. Edit the ISA1export.xml file by adding the following lines:
StorageType=Allow HTTP from ISA Server to all networks (for CRL downloads)
String=0
Enabled=1
Import the ISA1export.xml file on each new ISA Server computer.
B. Export the system policy rules on ISA1 by using the Export System Policy task. Import
the system policy rules on each new ISA Server computer.
C. Export the array configuration settings on ISA1 to an .xml file. Import the .xml file on
the new ISA Server computers.
D. Create a destination set for the new ISA Server 2004 computers. Add this destination
set to the destination list on the Allow all HTTP traffic from ISA Server to all
networks (for CRL downloads) system policy rule.

Answer: B

Explanation:
You can export the entire ISA Server configuration, or just parts of it, depending on your
specific needs. When you export an entire configuration, all general configuration
information is exported. This includes access rules, publishing rules, rule elements, alert
configuration, cache configuration, and ISA Server properties. In addition, you can select
to export user permission settings and confidential information such as user passwords.
Confidential information included in the exported file is encrypted. You can also choose
to export the firewall policy or the system policy separately. In this scenario only the
firewall policy was exported and then imported. We must also export and import the
system policy, since it contains the Allow all HTTP traffic from ISA Server to all
networks (for CRL downloads) rule.

QUESTION NO: 53
Exhibit

You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named TESTKINGA. The relevant portion of the network is
configured as shown in the exhibit.

When you install ISA Server 2004 on TESTKINGA, you defined the Internal
network address range as 10.0.1.0 through 10.0.1.255.

You create an access rule to allow all traffic from the Internal network to the
External network. Users are not required to be authenticated to use this rule.

Users on network IDs 10.0.2.0/24 and 10.0.3.0/24 report that they cannot connect to
the Internet. You examine the routing tables on the router and on TESTKINGA and
confirm that they are correctly configured.

You need to ensure that users on network IDs 10.0.2.0/24 and 10.0.3.0/24 can
connect to the Internet.

What should you do?

A. Create a subnet network object for network ID 10.0.2.0/24 and for network ID
10.0.3.0/24.
B. Add the address ranges 10.0.2.0 through 10.0.2.255 and 10.0.3.0 through 10.0.3.255
to the definition of the Internal network.
C. Create two new networks, one for network ID 10.0.2.0/24 and one for 10.0.3.0/24.
Create access rules to allow these networks access to the Internet.
D. Create two new networks, one for network ID 10.0.3.0/24 and one for 10.0.3.0/24. Create
a new network set containing these networks. Create an access rule to allow this network
set access to the Internet.

Answer: B

Explanation:

2003 or Windows® 2000 Server routing table. You can also select the private IP address
ranges, as defined by IANA in RFC 1918. These three blocks of addresses are reserved
for private intranets only and are never used on the public Internet.
The routing table reflects the topology of the Internal network; in this scenario it
comprises the subnets 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24. When you configure
the Internal network for ISA Server, it should include all of those ranges (subnets). If you
create distinct networks for each of those subnets, rather than a single network, then ISA
Server will consider the 10.0.2.x and 10.0.3.x networks temporarily disconnected,
because there is no network adapter associated with them. In this scenario we need to add
the 10.0.2.x and 10.0.3.x ranges on the Addresses tab of the Internal network properties
to make it work. Just adding a subnet network object is not sufficient, since no
access rule references it.
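The explanation above says the Internal network must include every range in the routing table; the following added check (not an ISA Server tool) compares ISA-style address ranges against the subnets routed behind the internal adapter and reports the ranges to add on the Addresses tab. The range and subnet values are taken from the question; the function names are my own.

```python
"""Check that every subnet behind the ISA Server internal adapter is covered by
the Internal network definition.  Added example, not an ISA Server tool.  ISA
treats a network with no adapter on it as disconnected, so the remedy for an
uncovered subnet is to extend the Internal network, not to define more networks."""
import ipaddress
from typing import Iterable, List, Tuple


def ranges_to_networks(ranges: Iterable[Tuple[str, str]]):
    """Turn ISA-style (first address, last address) ranges into merged CIDR blocks."""
    blocks = []
    for first, last in ranges:
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(blocks))


def uncovered_subnets(internal_ranges: Iterable[Tuple[str, str]],
                      routed_subnets: Iterable[str]) -> List[str]:
    """Routed subnets that the Internal network definition does not contain.
    Assumes each routed subnet is CIDR-aligned, as a routing-table entry is."""
    internal = ranges_to_networks(internal_ranges)
    missing = []
    for cidr in routed_subnets:
        subnet = ipaddress.ip_network(cidr, strict=False)
        if not any(subnet.subnet_of(block) for block in internal):
            missing.append(cidr)
    return missing


def ranges_to_add(missing_subnets: Iterable[str]) -> List[Tuple[str, str]]:
    """Express missing subnets as the (first, last) pairs the Addresses tab takes."""
    out = []
    for cidr in missing_subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        out.append((str(net.network_address), str(net.broadcast_address)))
    return out


# Values from the question: Internal was defined as 10.0.1.0 through 10.0.1.255
# while the router also carries 10.0.2.0/24 and 10.0.3.0/24.
INTERNAL_AS_INSTALLED = [("10.0.1.0", "10.0.1.255")]
ROUTED_BEHIND_ISA = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

if __name__ == "__main__":
    missing = uncovered_subnets(INTERNAL_AS_INSTALLED, ROUTED_BEHIND_ISA)
    print("not covered by the Internal network:", missing)
    print("ranges to add on the Addresses tab:", ranges_to_add(missing))
```

Because the merged blocks are checked with `subnet_of`, a single wider range such as 10.0.0.0 through 10.0.3.255 also counts as covering all three subnets, which matches how ISA evaluates membership by address range rather than by exact subnet.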

QUESTION NO: 54
Exhibit

The network contains an ISA Server array. The array contains two ISA Server 2003
computers named TestKing1 and TestKing2. TestKing1 and TestKing2 connect to
the Internet. All client computers on the network are configured as Web Proxy
clients.

The firewall policy on the ISA Server array is configured as shown in the exhibit.

Users report that when they access www.testking.com Web pages, the network is
very slow. You discover that the content download jobs to www.testking.com have
failed.

You need to configure the array to allow users on the network to access
www.contoso.com Web pages more quickly.

What should you do?

A. Enable the Allow HTTP/HTTPS requests from ISA Server to selected servers for
connectivity verifiers system policy rule.
B. Enable the Allow HTTP from ISA Server to selected computers for Content Download
Jobs system policy rule.
C. Enable a new HTTP access rule that includes the Internal network. Configure the rule
to use port 8080.
D. Enable Cache Array Routing Protocol (CARP) on the Local Host network.

Answer: B

Explanation:
ISA Server introduces a system policy, a set of firewall policy rules that control how the
ISA Server computer enables the infrastructure necessary to manage network security and
connectivity. ISA Server is installed with a default system policy, designed to address the
balance between security and connectivity. Some system policy rules are enabled upon
installation. These are considered the most basic and necessary rules for effectively
managing the ISA Server environment. You can subsequently identify those services and
tasks that you require to manage your network, and enable the appropriate system policy
rules. By default, the scheduled download jobs feature is disabled. When you create a
content download job, you will be prompted to enable this system policy rule. ISA Server
will be able to access the sites specified in the content download job. In this scenario we
can see that the scheduled download job system policy is disabled and we can read that
the content download of the testking.com is failing. Therefore we need to enable this rule
to successfully retrieve the content of the website.

QUESTION NO: 55
You are the network administrator for TestKing. The network consists of a single
Active Directory domain named TestKing.com.

The network contains a Windows Server 2003 domain controller named TestKingA
and a Windows Server 2003 RADIUS server named TestKing1. Both TestKingA
and TestKing1 are members of the TestKing.com domain. The relevant portion of
the network is configured as shown in the Network exhibit.

You configure an ISA Server 2004 computer named ISA1-VPN to meet the
following requirements:
1. Allow external VPN connections.
2. Allow Internet VPN server access for internal VPN clients.
3. Allow only RADIUS authentication for VPN connections.

The system policy on ISA1-VPN is configured as shown in the System Policy exhibit.

A client computer named Client1 can connect to VPN servers on the Internet.
However, external VPN client computers cannot be authenticated when they try to
connect to ISA1-VPN.

You need to ensure that external VPN client computers can create VPN connections
to ISA1-VPN.

What should you do?

A. Create a new server publishing rule by using testking1.testking.com.
Configure the new publishing rule to use L2TP Server as the protocol.
Configure the publishing rule to use the External network as the listener.
B. Create a new server publishing rule by using testking1.testking.com.
Configure the new publishing rule to use PPTP Server as the protocol.
Configure the publishing rule to use the Internal network as the listener.
C. Edit the Allow access to directory services for authentication purposes system policy
rule by replacing the computer element testkingA.testking.com with
TestKing1.testking.com.
D. Edit the Allow RADIUS authentication from ISA Server to trusted RADIUS servers
system policy rule by replacing the computer element TestKingA.testking.com with
testking1.testking.com.

Answer: D

Explanation:

A remote access VPN server accepts VPN calls from VPN client machines. A remote
access VPN server allows single client machines and users access to corporate network
resources after the VPN connection is established. You can use any VPN client software
that supports PPTP or L2TP/IPSec to connect to a VPN server. Like the ISA Server 2000
firewall, the ISA firewall (ISA Server 2004) supports RADIUS authentication for VPN
clients. The RADIUS server forwards the user credentials to an authentication server. In
an Active Directory environment, the authentication server is an Active Directory domain
controller. The authentication server sends its response to the RADIUS Server and the
RADIUS server sends the response to the ISA firewall. If the credentials are valid and the
user has dial-in permissions, the VPN connection is allowed. If the credentials are not
valid or if the user does not have dial-in permissions, then the connection is dropped. The
ISA firewall is a RADIUS client when it is configured to use RADIUS authentication.
The ISA firewall must be configured to use one or more RADIUS servers and the
RADIUS servers must be configured to communicate with the ISA firewall as a RADIUS
client. So, both the ISA firewall and the RADIUS server must be configured to "know"
each other in order for RADIUS authentication to work correctly. For this to work we
need to enable and correctly configure the Allow RADIUS authentication from ISA Server
to trusted RADIUS servers system policy rule.

QUESTION NO: 56
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.

ISA1 is connected to the Internet. VPN access is configured to ISA1. RADIUS is
configured as the only type of authentication for VPN connections. All remote users
can connect to ISA1 by using a VPN connection. All internal users can connect to
the Internet.

You are replacing ISA1 with a new ISA Server computer named ISA2. You export
the network-level node configuration settings on ISA1 to a file named
ISAconfig.xml. You import the ISAconfig.xml file on ISA2. You replace ISA1 with
ISA2 on the network.

Remote VPN users report that they cannot authenticate to gain access to the
network. Internal network users report that they cannot connect to the Internet.

You need to configure ISA1 to allow incoming and outgoing access for company
users.

What should you do?

A. Export the system policy configuration settings on ISA1 to an .xml file. Import the
.xml file on ISA2.
B. Export the array configuration settings on ISA1. Include confidential information in
the exported configuration file. Import the file on ISA2.
C. Export the array configuration settings on ISA1. Include user permission settings in the
exported configuration file. Import the file on ISA2.
D. Export the VPN Clients configuration on ISA1. Include confidential information in the
exported configuration file. Import the file on ISA2.

Answer: B

Explanation:
ISA Server 2004 includes export and import features that enable you to save and restore
most ISA Server configuration information. The configuration parameters can be
exported and stored in an .xml file.
When you export an entire configuration, all general configuration information is
exported. This includes access rules, publishing rules, rule elements, alert configuration,
cache configuration, VPN configuration and ISA Server properties. Confidential
information included in the exported file is encrypted.
In this scenario we need to export the entire array configuration. If we exported,
changed and imported only the VPN configuration, the internal users would still be
unable to connect to the Internet.

QUESTION NO: 57
You are a network administrator for TestKing.com. The company has a main office
and two branch offices.

Users in the main office use client computers that run Windows XP Professional.
Users in the branch offices use Macintosh-based client computers.

You deploy one ISA Server 2004 computer in the main office and one ISA Server
2004 computer in each branch office. You configure an access rule on the main
office ISA Server computer. The rule allows authenticated users to download e-mail
by using the POP3 protocol. You install the Firewall Client on the Windows XP
Professional computers.

Users in the branch offices report that they cannot download e-mail by using the
POP3 protocol.

You need to ensure that users in the branch offices can download e-mail by using
the POP3 protocol. You also need to ensure that authentication is required for all
outbound traffic from the main office.

What should you do?

A. On each branch office ISA Server computer, configure Firewall client settings. Allow
non-encrypted Firewall clients to connect to the ISA Server computer.
B. On each branch office ISA Server computer, configure firewall chaining. Configure
firewall chaining to use a user account.
C. On the main office ISA Server computer, configure a server publishing rule. Publish
the POP3 server the users are attempting to connect to.
D. On the main office ISA Server computer, configure IP preferences. Disable IP routing.

Answer: B

Explanation:
Since there are Macintosh computers in the branch offices, we must configure them as
SecureNAT or Web Proxy clients; the Firewall Client can only be installed on Windows
operating systems. In this scenario we cannot use a Web Proxy configuration, because the
Web Proxy client only supports HTTP, HTTPS and FTP, not POP3. Therefore we
configure the Macintosh computers as SecureNAT clients. SecureNAT does not support
user authentication (which the scenario requires), so we must configure firewall
chaining with user authentication.
ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA
Server together to provide flexible Web proxy services. These servers can be chained in a
hierarchical manner so that one ISA Server computer routes Internet requests to another
ISA Server computer, rather than routing the request directly to the Internet.
ISA Server 2004 also supports firewall chaining to allow requests from SecureNAT and
Firewall clients to be forwarded to another ISA Server computer. The advantage of the
firewall chaining configuration over the Web Proxy configuration is that firewall
chaining supports all TCP and UDP Winsock protocols, not just Web protocols
(HTTP/HTTPS/FTP).

QUESTION NO: 58
You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 has
two network adapters. Access rules allow users on the Internal network to have
HTTP access to the Internet.

You add a third network adapter to ISA1 and connect the third network adapter to
a perimeter network. You place a Web server named WebServer2 on this perimeter
network segment.

WebServer2 must be accessible to computers on the Internal network. You create a
computer object for WebServer2 and then create an access rule that allows Internal
network clients HTTP access to WebServer2. Users are not required to authenticate
with ISA1 to access WebServer2.

Users report that they cannot access information on WebServer2. When they
attempt to access the Web site, they receive the following error message: "Error
Code 10060: Connection timeout. Background: There was a time out before the
page should be retrieved. This might indicate that the network is congested or that
the website is experiencing technical difficulties."

You need to ensure that users on the Internal network can access information on
WebServer2. First, you verify that WebServer2 is operational.

What should you do next?

A. Create a network rule that sets a route relationship between the Internal network and
the perimeter network.
B. Create a server publishing rule that publishes WebServer2 to the Internal network.
C. Create a Web publishing rule that publishes WebServer2 to the Internal network.
D. Create an access rule that allows WebServer2 access to the Internal network.

Answer: A

Explanation:
You will need to create new Networks whenever a new Network is introduced into your
environment. A common reason to add a new Network is when you install additional
NICs into the ISA firewall. Since all addresses located behind any particular NIC are
considered a Network by the ISA firewall, you need to create a new Network when
additional NICs are added to the firewall. Also we must create a network relationship
between networks. This can be a route or NAT relationship. If there is no relationship
between networks, then all traffic will be dropped by the ISA Server. Therefore we need
to create a route relationship between the internal network and perimeter network to make
it work.

QUESTION NO: 59
Exhibit

You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. The IP address bound to the external network
adapter of ISA1 is 192.168.100.141.

You run the netstat -na command on ISA1. The relevant portion of the output is
shown in the following table.

You need to ensure that ISA1 accepts connection requests for only HTTP traffic.
You need to be able to quickly verify whether ISA1 is listening on TCP port 139.

What should you do?

A. From a remote computer, run the pathping command to query ISA1.
B. From a remote computer, use a port scanner to query ISA1.
C. On ISA1, use the Portqry.exe tool to query ISA1.
D. On ISA1, use the Netdiag.exe tool to query ISA1.

Answer: B

Explanation:
Portqry.exe is a Microsoft command-line utility that you can use to help troubleshoot
TCP/IP connectivity issues. Portqry.exe runs on Windows 2000-based computers, on
Windows XP-based computers, and on Windows Server 2003-based computers. The
utility reports the status of TCP and UDP ports on a computer that you select.
PortQry version 2.0 supports the following session layer and application layer protocols:
* Lightweight Directory Access Protocol (LDAP)
* Remote Procedure Calls (RPC)
* Domain Name System (DNS)
* NetBIOS Name Service
* Simple Network Management Protocol (SNMP)

* Internet Security and Acceleration Server (ISA)
* SQL Server 2000 Named Instances
* Trivial File Transfer Protocol (TFTP)
* Layer Two Tunneling Protocol (L2TP)
This question looks like a trick question, because we could also use a port scanner on the
local device. But the results of a local scan can be confusing and influenced by the local
host itself. Therefore we use a port scanner (Portqry would also work) from a remote
device and scan the external interface of the ISA Server computer.

QUESTION NO: 60
You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 is
configured to generate daily and monthly reports. ISA1 publishes the reports to a
folder named IsaReports.

You generate custom reports to indicate user activity during the weekends of the
last three months.

The reports for the last five weekends display correct data. However, reports for
previous weekends cannot be displayed. Only monthly activity summary reports are
available for previous months.

You need to provide custom reports that show the actual activity for all the
weekends during the last three months.

What should you do?

A. Configure the Microsoft Data Engine (MSDE) database log files to be saved for 130
days. Restore the MSDE database log files from backup for the last three months.
B. Configure daily reports to be saved for 130 days. Restore the log summary files from
backup for the last three months.
C. Delete the log summary files. Configure daily reports to be saved for 130 days. Disable
and then re-enable log summary reports.
D. In the IsaReports folder, create a new folder for each of the weekends. Copy the
respective daily report files for each day of a weekend into their corresponding folders.

Answer: B

Explanation:
ISA Server can be configured to produce reports that provide summary information about
activity that occurs on the server. These reports can be created on an on-demand basis, or
can be scheduled to be created on a recurring scheduled basis. Reports are collections of
information generated from data collected from the ISA Server log files. The ISA Server
reporting mechanism collates data from ISA Server logs into a database on each ISA
Server computer. By default, 35 daily summaries and at least 13 monthly summaries are
saved. Thus daily information from the last month is available, but in this scenario we
need daily information (log summaries) from previous months. Therefore we need to
restore these log summaries from backup and generate reports from them.

QUESTION NO: 61
You enable the default Network configuration changed alert. You add a custom
alert named Network Connectivity. The properties of the Network Connectivity
alert are configured as shown in the Alert Events exhibit and the Alert Actions
exhibit.

You test the Network Connectivity alert by disabling the ISA1 network adapter that
is connected to the perimeter network. You see the corresponding alert in both the
Alerts view and the application log of Event Viewer. However, the message is not
received on any of the administrative computers.

You need to ensure that the administrative computers receive the text message when
the Network Connectivity alert is triggered. You also need to be able to test the alert
by disabling any of the network adapters on ISA1.

What should you do?

A. Disable the default Network configuration changed alert.

B. Enable and start the messenger service and the alert service on ISA1 and on your
administrative computer.
C. On ISA1, configure the DisableDHCPMediaSense entry with a value of 1.
D. Configure the Network Connectivity alert actions to run NetworkAlert.cmd by using
an account that has the Log on as a batch job right.

Answer: D

Explanation:
With the release of Windows Server 2003, the situation changed again when two new
built-in account types similar to Local System were added: the Network Service account
and the Local Service account.
The new Network Service account also uses the computer's credentials when it
authenticates remotely, but has a greatly reduced privilege level on the server itself and,
therefore, does not have local administrator privileges. The new Local Service account
has the same reduced privileges as the Network Service account, but as the name
suggests, it does not have the ability to authenticate to network resources.
Log on as a batch job - Allows a user to be logged on by means of a batch-queue facility.
For example, when a user submits a job by means of the Task Scheduler, the Task
Scheduler logs that user on as a batch user rather than as an interactive user. By default,
only the Local Service account and the support group have the privilege to be logged on as
a batch job on the ISA Server computer. In this scenario NetworkAlert.cmd will not run, because
the Local System account does not have the Log on as a batch job right. Therefore we need
to configure the Network Connectivity alert actions to run NetworkAlert.cmd by using an
account that has the Log on as a batch job right.

QUESTION NO: 62
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is configured to provide forward Web
caching for users on the Internal network.

Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) database logging is
enabled on ISA1. ISA1 is configured with 512 MB of RAM and a single 60-GB hard
disk.

During periods of peak usage, users report that it takes longer than usual for Web
pages to appear.

You need to identify the source of the slow performance.

Which two System Monitor performance counters should you add? (Each correct
answer presents part of the solution. Choose two.)

A. Memory\Pages/sec
B. Memory\Pool Nonpaged Bytes
C. MSSQL$MSFW:Databases(*)\Transactions/sec
D. MSSQL$MSFW:MemoryManager\Target Server Memory (KB)
E. Physical Disk\Avg. Disk Queue Length
F. Physical Disk\SplitIO/sec

Answer: A, E

Explanation:
The ISA Server installation configures several new performance objects that you can use
to monitor system performance on the computer running ISA Server. You view the
performance objects and their associated performance counters in real time in System
Monitor. System Monitor is a monitoring tool that is included with Windows 2000 and
Windows Server 2003.
Memory\Pages/sec - Pages/sec is the rate at which pages are read from or written to disk
to resolve hard page faults. This counter is a primary indicator of the kinds of faults that
cause system-wide delays.
Memory\Pool Nonpaged Bytes - Pool Nonpaged Bytes is the size, in bytes, of the
nonpaged pool, an area of system memory (physical memory used by the operating
system) for objects that cannot be written to disk, but must remain in physical memory as
long as they are allocated.
Physical Disk\Avg. Disk Queue Length - Is the average number of both read and write
requests that were queued for the selected disk during the sample interval.
MSSQL$MSFW:Databases(*)\Transactions/sec - Number of transactions started for the
database.
MSSQL$MSFW:MemoryManager\Target Server Memory - Total amount of dynamic
memory the server is willing to consume.

QUESTION NO: 63
You are the network administrator for TestKing.com. The company has a main
office, two branch offices and one research office. An ISA Server array is configured
for each of these three offices. All arrays are members of the same ISA Server 2004
enterprise.

A Configuration Storage server is located in the main office. Replica Configuration
Storage servers are located in each branch office. Administrators at the main office
administer the enterprise settings and the main office array. The administrators at
each branch office administer the arrays at their respective branch offices.

You need to install a new ISA Server array in the research office. You need to
ensure that only research office administrators can manage access rules that affect
client computers in the research office.

What should you do?

A. Configure a replica Configuration Storage server. Assign the research office
administrators the ISA Server Array Administrator role.
B. Configure a new array in the existing enterprise. Assign the research office
administrators the ISA Server Array Administrator role.
C. Configure a new array in the existing enterprise. Assign the research office
administrators the ISA Server Enterprise Administrator role.
D. Configure a new Configuration Storage server in the research office. Configure it as a
new enterprise. Assign the research office administrators the ISA Server Enterprise
Administrator role.

Answer: D

Explanation:
A Configuration Storage server stores the configuration for all the arrays in the enterprise.
There can be multiple Configuration Storage servers in the enterprise, each replicating
any updates to the enterprise configuration to the rest. Configuration Storage
servers store the configuration in ADAM. Hence, there is no centralized master copy of
directory information. Instead, any change committed on any Configuration Storage
server is replicated to every other Configuration Storage server within the enterprise.
ADAM is a special mode of the Active Directory directory service that is designed for
directory-enabled applications. ADAM is a Lightweight Directory Access Protocol
(LDAP) compatible directory service that runs on servers running Microsoft Windows

the deployment of Domain Name System (DNS), domains, or domain controllers.


You can define any access rules or publishing rules at the array level. These rules will be
applied to all array members. Therefore we need to create a new Configuration Storage
server for a new enterprise, because we need to make sure that only research office
administrators can manage access rules that affect client computers in the research office.

QUESTION NO: 64
You are a network administrator for TestKing, Inc. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is configured to allow outbound Internet
access only. A listener named DefaultHTTP is configured to listen for requests on
port 80 on the external interface.

The Internal network contains two Web sites named HR and Sales, which are used
by employees. The HR Web site is stored on a Web server named
Web1.TestKing.com. The Sales Web site is stored on a Web server named
http://www.TestKing.com.

You must allow employees to access both the HR Web site and the Sales Web site
from the Internet. You must ensure that employees can access the HR Web site by
using the URL http://www.TestKing.com/hr. You must also ensure that employees
can access the Sales Web site by using the URL http://www.TestKing.com/sales.

What should you do?

A. Configure one of the Web servers to listen for HTTP requests on port 8080.
Create two server publishing rules. Create one of the rules to respond to requests on port
8080, and configure this rule to forward requests to one internal Web server. Create the
other rule to use the DefaultHTTP listener, and configure this rule to forward to the other
internal Web server.
B. Configure one of the Web servers to listen for HTTP request on port 8080.
Create a new listener that uses HTTP on port 8080.
Create two Web publishing rules. Configure each rule to forward to a different internal
Web server. Configure each rule to use a different listener.
C. Create two server publishing rules. Configure each rule to forward to a different
internal Web server. Configure each internal Web server to listen for HTTP requests on
an unused port.
D. Create two Web publishing rules. Configure each rule to forward to a different internal
Web server. Configure each rule to use the DefaultHTTP listener.

Answer: D

Explanation:
Web publishing rules map incoming requests to the appropriate Web servers located on
the internal or perimeter network. Web publishing rules determine how ISA Server will
intercept incoming requests for HTTP objects on a Web server, and how ISA Server will
respond on behalf of the Web server. Requests are forwarded to the Web server located
on the internal or perimeter network. If caching is enabled on ISA Server, the request
may be serviced from the ISA Server cache.
Path mapping is an ISA Server feature that enables ISA Server to redirect user requests to
multiple internal Web servers or to multiple locations on the same Web server. Path
mapping is used for Web and secure Web publishing rules. Path mapping is used on ISA
Server to hide the complexity of the internal Web server configuration from the Internet.
When a user connects to a Web site protected by ISA Server, the user types a specific
URL. Before forwarding a request to the published Web server, ISA Server checks the
URL specified in the request. If path mapping is configured, ISA Server will replace the
path specified in the request with the corresponding path name.
In this scenario a client request for http://www.testking.com/hr is intercepted by the
DefaultHTTP listener and redirected by path mapping to the Web server
web1.testking.com. A client request for http://www.testking.com/sales is intercepted
by the DefaultHTTP listener and redirected by path mapping to the Web server
www.testking.com.

QUESTION NO: 65
You are a network administrator for TestKing.com. You are installing ISA Server
2004 on two computers named TESTKING1 and TESTKING2. The network is
configured as shown in the exhibit.

You need to ensure that the implementation plan meets the following requirements:
1. All devices that pass outbound traffic must perform network address translation
(NAT).
2. All Internet-accessible internal resources must be published.

3. All traffic between two network interfaces on an ISA Server computer must be
subject to inspection.

Which interface or interfaces should be configured as an internal interface? (Choose
all that apply.)

A. Adapter A
B. Adapter B
C. Adapter C
D. Adapter D

Answer: B, D

Explanation:
Many organizations implement a back-to-back firewall configuration. In this scenario,
one firewall, Testking1, is directly connected to the Internet, while the second network
adapter on that firewall is connected to the screened subnet (an internal network from
Testking1's point of view). The second firewall, Testking2, is connected to the screened subnet and the
internal network. All network traffic must flow through both firewalls and through the
screened network to pass between the Internet and the internal network. In this
configuration, there is no single point of access from the Internet to the internal network.
To reach the internal network, an attacker would need to get past both firewalls. It is
common to use two different firewall vendors in this configuration for maximum
security. This dual-vendor configuration prevents an exploit against one firewall from being
easily reused against both firewalls.

QUESTION NO: 66
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain. The network contains an ISA Server 2004 computer
named ISA1. ISA1 is a member of the Active Directory domain.

You configure ISA1 as a remote access VPN server that allows both PPTP and
L2TP over IPSec remote access client connections. You want to control VPN access
by using a remote access policy.

You configure ISA1 to allow VPN access to members of the Domain Users global
group. However, VPN connections fail. You examine the properties of several
domain user accounts and you discover that the Control access through Remote
Access Policy option is not available.

You need to enable remote access permission by using a remote access policy.

What should you do?

A. Configure a RADIUS-based remote access policy.
B. Configure the ISA Server remote access policy.
C. Elevate the domain functional level.
D. Enable user mapping for VPN client connections.

Answer: C

Explanation:
The Control access through Remote Access Policy option is unavailable while the Active
Directory domain is in mixed mode. Therefore, to enable this option, we must raise the
domain functional level to native mode. Note that the change from
mixed mode to native mode cannot be reversed.

QUESTION NO: 67
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.

ISA1 is configured with two network adapters. The external network adapter is
connected to the Internet. The internal network adapter is connected to the Internal
network. The Internal network address range is 10.0.0.0 through 10.0.0.255.

You define the VPN assignment as a static pool that extends from 10.0.1.0 through
10.0.1.255. You enable VPN client access. You test the VPN configuration and
successfully establish a VPN connection to ISA1 from an external Windows XP
Professional client computer named XP1.

You discover that you cannot browse external Web sites from XP1 while it has a
VPN session with ISA1. You confirm that internal client computers can browse
external Web sites.

You need to ensure that VPN clients can browse external Web sites while connected
to ISA1. You also need to ensure that all requests for external Web sites from VPN
clients are processed through ISA1.

What should you do?

A. On the VPN clients, in the VPN connection object in the Network Connections folder,
clear the check box to use the default gateway on the remote network.
B. On the VPN clients, in the Internet Explorer, configure the dial-up and virtual network
settings for the VPN connection object to use the proxy server settings for ISA1.
C. On ISA1, reconfigure the VPN address assignments to use DHCP. Ensure that the
address assignments are within the range defined for the Internal network.
D. On ISA1, create an access rule that allows outbound HTTP and HTTPS access from
the VPN client network for the All Authenticated Users user set.

Answer: D

Explanation:
ISA Server assigns computers to networks and then uses network rules, network access
rules, and publishing rules to restrict the movement of network traffic between networks.
These concepts are also used by ISA Server to manage VPN connections. ISA Server uses
the following networks for VPN connections:
* VPN Clients network. This network contains the IP addresses of all of the VPN clients
that have connected using VPN client access.
* Quarantined VPN Clients network. This network contains the IP addresses of all of the
VPN clients that have connected using VPN client access but have not yet cleared
quarantine.
* Remote-site network. This network contains the IP addresses of all of the computers in
a remote site when a site-to-site VPN connection is configured. Additional remote-site
networks are created for each remote-site connection.
ISA Server uses these networks just like it uses any other directly connected networks.
That means that you can use network rules and access rules to define the conditions under
which network packets will be passed from one network to another. In this scenario the
VPN Clients network does not have access to the Internet because there is no access rule
that allows that traffic. Therefore we need to create an access rule that allows outbound
HTTP and HTTPS access from the VPN Clients network to the External network for the
All Authenticated Users user set.

QUESTION NO: 68
You are the network administrator for TestKing.com. The company has a main
office and one branch office. You want to connect the main office to the branch
office by using a site-to-site VPN connection.

The main office has an ISA Server 2004 computer named ISA1. The branch office
has an ISA Server 2004 computer named ISA2. The relevant portion of the network
is configured as shown in the exhibit.

The main office network includes two network IDs: 192.168.1.0/24 and 192.168.2.0/24. The
192.168.1.0/24 network is directly connected to ISA1 and is configured as the default
Internal network. The 192.168.2.0/24 network is connected to the 192.168.1.0/24
network by a router on the main office Internal network. You create two subnet
network objects in the ISA Server Management console: one network for the
192.168.1.0/24 network and one for the 192.168.2.0/24 network.

The internal network adapter on ISA2 is on network ID 10.0.0.0/24.

You create an access rule on ISA1 and on ISA2 to allow all traffic to and from the
main office and branch office networks. You create an access rule on ISA1 to allow
all traffic between the default Internal network and the branch office network.

Users on network ID 192.168.2.0/24 report they cannot connect to computers at the
branch office.

You need to ensure that all users at the main office can connect to resources located
on the branch office network.

What should you do?

A. Add the addresses in network ID 192.168.2.0/24 to the default Internal network at the
main office.
B. Add the addresses in network ID 10.0.0.0/24 to the default Internal network at the
main office.
C. Remove the router connecting the two networks at the main office and place both
network IDs on a single Ethernet broadcast segment.
D. On ISA2, create a subnet network object representing the 192.168.2.0/24 network. Add
this network object to the list of destination computers that the branch office computers
can connect to.

Answer: A

Explanation:
Site-to-site VPNs allow you to connect entire networks to one another. This can lead to
significant cost savings for organizations that are using dedicated frame relay links to
connect branch offices to the main office, or branch offices to one another. The ISA
firewall supports site-to-site VPN networking using the following VPN protocols:
* PPTP (Point-to-Point Tunneling Protocol)
* L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
* IPSec Tunnel Mode
In this scenario we can read that the site-to-site configuration is working between
the two sites: the Internal network users (192.168.1.0/24) at the main office can
connect to the internal network (10.0.0.0/24) in the branch office. However, the
users behind the router (192.168.2.0/24) cannot. We created a new subnet object, but
we forgot to add the 192.168.2.0/24 subnet to the Internal network address range.

QUESTION NO: 69
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1, which allows outgoing connections to the
Internet. A network rule defines a network address translation (NAT) relationship
between the Internal network and the Internet.

Users on ISA Server protected networks require access to PPTP and L2TP over
IPSec VPN servers on the Internet.

You configure all network computers, except ISA1, as both Web Proxy and Firewall
clients. You create access rules on ISA1 to allow outbound connections to the
Internet by using PPTP Client, IPSec NAT Traversal (NAT-T) Client, and IKE
Client protocols. You discover that users cannot connect to Internet PPTP and
L2TP over IPSec VPN servers.

You need to ensure that users can connect to PPTP and L2TP over IPSec VPN
servers on the Internet.

What should you do?

A. Disable the Web Proxy client configuration on the network computers.
B. Disable the Firewall client configuration on the network computers.
C. Configure the network computers as SecureNAT clients.
D. Configure the network computers to use IPSec tunnel mode.

Answer: C

Explanation:
You can configure the ISA firewall to allow outbound access to VPN servers on the
Internet. The ISA firewall supports all true VPN protocols, including PPTP, L2TP/IPSec
and IPSec NAT Traversal (NAT-T).
Although ISA Server supports PPTP passthrough out of the box (the PPTP filter tracks the
TCP 1723 control channel and the GRE tunnel it sets up), there is no built-in IPSec
passthrough. The IPSec protocols are not NAPT (network address and port translation)
compatible: they authenticate and/or encrypt the packet, so when a NAPT device such as
ISA Server rewrites addresses and ports, the packet either fails the integrity check at
the peer or cannot be translated at all, because the fields the NAPT device needs are
encrypted and ESP (IP protocol 50) carries no port numbers on which to multiplex. The
IPSec Working Group solved this with NAT Traversal (NAT-T), which carries IKE and ESP
inside UDP port 4500. To let NAT-T work through ISA Server, you create an access rule
that allows the IKE Client (UDP 500) and IPSec NAT-T Client (UDP 4500) protocols
outbound.
Those rules already exist in this scenario, so the problem is the client type. The
Firewall client intercepts only Winsock (TCP and UDP) calls made by applications. The
PPTP control channel is Winsock traffic, but the GRE tunnel it establishes is an IP-level
protocol with no TCP or UDP transport, and IKE, ESP and UDP-encapsulated ESP are
generated by the IPSec driver in the kernel, not through Winsock. The Web Proxy client
handles only HTTP, HTTPS and FTP requests from the browser. A computer configured
only as a Firewall and/or Web Proxy client therefore cannot complete either kind of VPN
connection. The computers must also be SecureNAT clients (their default gateway,
directly or through the internal routing infrastructure, must point at ISA1) so that this
traffic is routed through the firewall and matched against the access rules.

QUESTION NO: 70
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain named testking.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is a member of the domain.

The fabrikam.com domain contains an enterprise certification authority (CA) that is
installed on a Windows Server 2003 computer named TestKing3.

You want to configure ISA1 as a VPN server. You want VPN clients to connect by
using L2TP over IPSec. You want the VPN clients to use certificate-based
authentication.

You configure a Group Policy object (GPO) so that ISA1 and other member
computers acquire computer certificates through automatic enrollment. ISA1 does
not receive a computer certificate through automatic enrollment. However,
automatic enrollment of the computer certificate is successful for other member
computers.

You examine the system log and the application log on ISA1. You discover several
events related to the failure of the automatic enrollment of the certificate. The events
indicate an inability of ISA1 to use RPC and Distributed Component Object Model
(DCOM) to acquire the certificate through automatic enrollment.

You need to install a computer certificate on ISA1 from the enterprise CA. You also
need to ensure that the computer certificate can be used for only client
authentication and server authentication.

What should you do?

A. On ISA1, add the Certificates snap-in for the local computer to an MMC console. In
the Personal certificate store of the Certificates snap-in, use the Certificate Request
wizard to manually request a computer certificate.
B. On ISA1, using Internet Explorer, connect to the certificate server Web enrollment
pages on TestKing3. Use the Advanced Certificate Web enrollment pages to request a
certificate based on the Administrator certificate template and to store the certificate in
the local computer certificate store.
C. From a Web server on the Internal network, request a Web certificate from TestKing3
that uses ISA1.fabrikam.com as the common name and that contains an exportable
private key. Import the certificate to the Personal certificate store for the local computer
on ISA1.
D. On ISA1, temporarily disable the RPC application filter and create an access rule to
allow all protocols from ISA1 to the Internal network. Temporarily, disable the setting to
enforce strict RPC compliance. Manually refresh the GPO.

Answer: D

Explanation:

In the default configuration, a Windows Server 2003 certification authority communicates
with its clients over RPC and DCOM, and the RPC filter in ISA Server, together with strict
RPC compliance enforcement, blocks the DCOM traffic that certificate autoenrollment
relies on. To obtain a certificate from a CA on another network through ISA Server,
modify the rule (or rules) that allow traffic between the networks so that DCOM can pass:
in the Firewall Policy node of ISA Server Management, click the rule, and on the Tasks
tab click Edit Selected Rule. On the access rule's Protocols tab, click Filtering, then
Configure RPC Protocol, and on the Protocol tab clear the Enforce strict RPC compliance
check box. Then, in the Configuration node, click Add-ins, right-click RPC Filter in the
details pane and click Disable. Repeat the strict-compliance change for every other
access rule between the networks. Here the client is ISA1 itself, so an access rule from
the Local Host network to the Internal network is needed as well; once the GPO is
refreshed, autoenrollment issues a certificate from the Computer template, which is
limited to client authentication and server authentication. The Administrator template
(B) carries additional purposes, and a Web server certificate (C) is limited to server
authentication, so neither meets the requirement. Re-enable the RPC filter and strict
RPC compliance once the certificate has been installed.

QUESTION NO: 71
You are the network administrator for TestKing.com. The company has a main
office and is adding a branch office.

You need to connect the two offices to each other so that employees in the branch
office can access file, Web and database servers at the main office.

You create a site-to-site VPN by creating remote site networks on ISA Server 2004
computers in both offices. You configure L2TP over IPSec as the VPN protocol for
the site-to-site connection. You configure the ISA Server computers in both offices
to use computer certificates and to use a preshared key.

The L2TP over IPSec connection is successfully established, but when you view the
connection parameters in the IPSec console, you discover that the preshared key is
used to establish the IPSec connection.

You need to allow the computer certificates to be used instead of the preshared key
for the IPSec negotiations.

What should you do?

A. Remove the preshared key from only the main office ISA Server computer's remote
site network configuration.
B. Remove the preshared key from only the branch office ISA Server computer's remote
site network configuration.
C. Remove the preshared key from the ISA Server computer's remote site network
configuration at both offices.
D. Remove the computer certificates on the ISA Server computers at both offices and
replace them with user certificates.

Answer: C

Explanation:
Site-to-site VPNs connect entire networks to one another, which can save organizations
that use dedicated frame relay links between the main office and branch offices, or
between branch offices, a significant amount of money. The ISA firewall supports
site-to-site VPNs using the following protocols:
* PPTP (Point-to-Point Tunneling Protocol)
* L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
* IPSec tunnel mode
L2TP/IPSec is more secure than PPTP and IPSec tunnel mode. To obtain a secure
site-to-site L2TP/IPSec connection, however, you should use machine certificates (and
therefore a PKI) on all ISA firewall VPN gateways. If you do not have a PKI in place, or
do not plan to implement one, a preshared key can be used instead for the computer
authentication part of L2TP/IPSec connection establishment. When both a certificate and
a preshared key are configured on a remote site network, the preshared key is what the
IPSec negotiation uses, which is exactly what the IPSec console shows in this scenario.
Because a certificate infrastructure is available here, the preshared keys are not
needed: remove the preshared key from the remote site network configuration on both
ISA Server computers so that both gateways authenticate with their computer
certificates. Removing it from only one side leaves the two peers proposing different
authentication methods, and the tunnel will no longer establish at all.

QUESTION NO: 72
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is configured as a remote access VPN
server and as a DHCP server.

VPN client computers need to be assigned the following DHCP options:

1. DNS
2. WINS
3. Domain name

On the DHCP server, you create a DHCP scope that includes the three DHCP
options.

VPN users report that they cannot connect to file shares after logging on to the
network. You discover that no WINS or DNS server address is assigned to the VPN
clients, and no primary domain name is listed.

You need to ensure that the DHCP options are assigned to the VPN client
computers.

Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)

A. Remove the DHCP server from ISA1 and place it on a computer that is behind ISA1.
B. Configure the Routing and Remote Access internal network adapter as a DHCP client.
C. In the ISA Server Management console, configure VPN address assignment to use the
Internal network for the DHCP, DNS and WINS services.
D. Install a DHCP Relay Agent on ISA1

Answer: A, D

Explanation:
The Dynamic Host Configuration Protocol (DHCP) lets the ISA Server firewall/VPN server
hand VPN clients their IP addressing information automatically. A DHCP server can supply
VPN clients with:
* an IP address
* a WINS server address
* a DNS server address
* a primary domain name
The ISA Server firewall/VPN server can be configured to use either a static address pool
or DHCP to assign IP addresses to VPN clients and gateways. With a static address pool,
the pool is configured on the ISA Server computer, and the WINS and DNS server addresses
given to clients are simply those configured on the firewall's internal interface. With
DHCP, the VPN server itself obtains only the IP addresses; to pass on the WINS server
address, DNS server address, primary domain name and other DHCP options, the ISA Server
firewall/VPN server must run the DHCP Relay Agent. The relay agent acts as a DHCP proxy,
forwarding the DHCPINFORM requests from the VPN client to the DHCP server and the
replies back to the client. The DHCP Relay Agent cannot run on a computer that is itself
the DHCP server, which is why the DHCP service must first be moved from ISA1 to a
computer behind it (A) and the DHCP Relay Agent then installed on ISA1 (D).

QUESTION NO: 73
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1, which functions as a remote access VPN server
for the network. ISA1 is a member of a workgroup.

ISA1 is configured to accept only EAP authentication for VPN clients. All VPN
clients have been assigned user certificates from the corporate enterprise
certification authority (CA).

Users report that they cannot connect to the network. They state that they receive
the following error message: "Error 691: Access was denied because the username
and/or password was invalid for the domain."

You need to ensure that VPN users can connect to the network.

What should you do?

A. Join ISA1 to the corporate network domain.
B. Place the CA certificate into the VPN clients' Trusted Root Certification Authorities
computer certificate store.
C. Enable remote access permissions for the VPN user accounts in Active Directory.
D. Configure ISA1 to use RADIUS authentication.

Answer: A

Explanation:
You can significantly enhance the security of the ISA firewall's remote access VPN
connections by using EAP user certificate authentication (EAP-TLS). User certificate
authentication requires that the user possess a user certificate issued by a certification
authority that the firewall trusts.
Both the ISA firewall and the remote access VPN client must have the appropriate
certificates assigned to them. The ISA firewall needs a machine certificate with which it
identifies itself to the client, and users must be assigned user certificates from a CA
that the ISA firewall trusts. When the client presenting the user certificate and the ISA
firewall both hold a common CA certificate in their Trusted Root Certification Authorities
stores, client and server trust the same certificate hierarchy. Validating the certificate
chain is only half of the logon, however: the VPN server must also map the certificate to
a user account and check that account's remote access permission, and a workgroup ISA
Server has no domain in which to do that, so the logon fails with error 691 even though
the certificates are valid. Joining ISA1 to the domain (A) gives it access to the domain
accounts and lets EAP authentication complete. Option B would matter only if the clients
did not trust the issuing CA, which is not the reported symptom, and option C cannot be
the cause because the account lookup never gets as far as the dial-in permission.

QUESTION NO: 74
You are the network administrator for TestKing.com. The company has a main
office and is adding a branch office. ISA Server 2004 Standard Edition is deployed
at the main office and at the branch office.

You are connecting the main office with the new branch office by using a site-to-site
VPN. You configure the remote site networks and access rules to allow
communications between the main and branch office networks.

Users at the main office report that they cannot connect to servers at the branch
office. Users at the branch office report that they cannot connect to servers at the
main office.

You view the Event Viewer services log on the ISA Server computer in each office.
You see the following error message: "Unable to contact a DHCP server. The
Automatic Private IP Address 169.254.99.87 will be assigned to dial-in clients.
Clients may be unable to access resources on the network."

You need to enable users at the main and the branch office to connect to resources
on the other side of the site-to-site VPN connection.

What should you do?

A. Install and configure a DHCP server at the main office.
B. Install and configure a DHCP server at the branch office.
C. Install and configure a DHCP server at each office.
D. Configure both ISA Server computers to use their ISP's DHCP server.

Answer: C

Explanation:
Site-to-site VPNs allow you to connect entire networks to one another. This can lead to
significant cost savings for organizations that are using dedicated frame relay links to
connect branch offices to the main office, or branch offices to one another. The ISA
firewall supports site-to-site VPN networking using the following VPN protocols:
* PPTP (Point-to-Point Tunneling Protocol)
* L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
* IPSec Tunnel Mode

One consideration for any VPN configuration is how IP addresses are assigned to VPN
clients and gateways: you can use either DHCP or a static address pool. If you choose a
static address pool and assign on-subnet IP addresses to VPN clients and gateways, you
must remove those addresses from the definition of the Internal network (or of any other
network whose address range they would overlap). In this scenario the ISA Server
computers rely on DHCP for VPN address assignment, and the logged error shows that
neither can reach a DHCP server, so each falls back to an APIPA address (169.254.x.x)
for its VPN interface. With both site-to-site gateways on link-local addresses, the routes
to the remote office never work, which is why users at both offices are affected. Because
the error appears on the ISA Server computer at each office, a DHCP server must be
installed and configured at each office (C); fixing only the main office (A) or only the
branch office (B) leaves the other gateway without a usable address, and an ISP's DHCP
server (D) does not serve the internal address space.

QUESTION NO: 75
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer.

Employees use an application named App1, which is hosted on a server named Server1.
Server1 has Terminal Services installed. On a Windows Server 2003
computer, you enable Remote Desktop connections. You create a Web publishing
rule to publish the Remote Desktop connections virtual directory.

Users can connect to the Remote Desktop Web Connection site by using Internet
Explorer. However, they cannot establish a Terminal Services connection.

You need to ensure that users can access App1.

What should you do?

A. Configure an RDP server publishing rule.
B. Configure an RPC Services server publishing rule.
C. Configure a new RDP protocol definition.
D. Configure a new RPC protocol definition.

Answer: A

Explanation:

The Windows XP and Windows Server 2003 Remote Desktop Web Connection feature lets
users connect to RDP servers through an easy-to-use Web browser interface. The Remote
Desktop Web Connection client on the Internet establishes an HTTP connection (which can
be secured with SSL) to the Web listener on the external interface of the ISA firewall.
The ISA firewall performs stateful application layer inspection on that connection and
reverse proxies it to the Remote Desktop Web Connection server on the corporate network.
The Web server then offers the remote client the option to install the RDP ActiveX
control. After the control is installed, the user enters the RDP server name and,
optionally, a user name and domain name that are forwarded to the RDP server's logon
screen. At that point a second connection is established from the remote desktop Web
client to the ISA firewall. This is not an HTTP connection; it is an RDP connection.
Unlike the first connection, which reached the Remote Desktop Web Connection server on
TCP port 80 (or TCP 443 when SSL is used for the HTTP connection), the second
connection goes to the default RDP port, TCP 3389. The Web publishing rule knows
nothing about that port, which is why users reach the Web page but cannot start the
Terminal Services session. An RDP server publishing rule on the ISA firewall listens for
the second connection and forwards it to the RDP server the user asked for. ISA Server
2004 already ships an RDP (Terminal Services) protocol definition for TCP 3389, so no
new protocol definition (C) is required.

QUESTION NO: 76
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer.

The company's written security policy states that all incoming connections from the
Internet into the corporate network must be encrypted, and only SSL Web
connections are allowed.

The company upgrades to the latest version of Microsoft Exchange Server. You
configure a server publishing rule to allow inbound secure Exchange RPC
connections to the Exchange Server computer.

You need to allow users to connect to Outlook Web Access and you need to adhere
to the company's security policy.

What should you do?

A. Create an NNTPS server publishing rule.
B. Create an HTTP Web publishing rule.
C. Delete the current Exchange RPC server publishing rule.
Create an HTTPS Web publishing rule.
D. Delete the current Exchange RPC server publishing rule.
Create an IMAPS server publishing rule.

Answer: C

Explanation:
Outlook Web Access (OWA) provides access to a computer running Exchange Server
through a Web browser. OWA requires no client software or client configuration other
than a Web browser. Although OWA does not offer all of the functionality of a full
Outlook client, the fact that it is easy to deploy and needs no special client makes it an
attractive option for remote access.
The use of OWA raises several e-mail security issues, including:
* Securing the user logon. By default, OWA uses Hypertext Transfer Protocol (HTTP), so
all user logon information is passed in clear text to the computer running Exchange
Server. This is easily addressed by using Secure Sockets Layer (SSL) to encrypt all user
sessions. However, some clients cache the user logon credentials, so if the user does not
close all Web browser sessions, another user may be able to access the mailbox without
logging on.
* Securing e-mail contents. Because all messages are sent in clear text over HTTP, the
e-mail contents may not be secure while crossing the Internet. You can use Hypertext
Transfer Protocol Secure (HTTPS) to secure them. However, some Web browsers cache the
e-mail contents on the local computer; for example, an attachment opened with OWA is
stored in the temporary Internet files on the computer, where another user may be able
to access it.
Another option for remote access to e-mail on a computer running Exchange Server is an
Outlook client configured to use the Messaging Application Programming Interface (MAPI)
to communicate with Exchange. The Outlook client provides the most functionality, but
also introduces some security risks when used to provide access from the Internet.
Outlook 2003 with Exchange Server 2003 running on Microsoft Windows Server 2003
supports RPC over HTTP, which simplifies the network and firewall configuration needed
for a MAPI client. Using RPC over HTTP gives all the benefits of an Outlook client without
opening multiple ports on the firewall: Outlook 2003 users can connect directly to a
computer running Exchange Server 2003 over the Internet by using HTTP or HTTPS, even
if both the Exchange server and Outlook are behind firewalls on different networks, and
only the HTTP and HTTPS ports need to be open.
In this scenario the remote users are OWA clients, so RPC over HTTP is not required, and
the written security policy permits only SSL Web connections from the Internet. The
existing secure Exchange RPC server publishing rule therefore violates the policy and
must be deleted, and an HTTPS Web publishing rule must be created for the OWA clients,
using a Web listener with an SSL certificate so that logon credentials and mail contents
are encrypted on the Internet side.

QUESTION NO: 77
You are the network administrator for TestKing.com. You plan to install an ISA
Server 2004 array on the network.

Users access a Secure Shell protocol (SSH)-based application on a partner Web site.
Access to this application is mission-critical to TestKing.com.

You need to configure ISA Server 2004 to ensure that Internet access is still
available if the ISA Server computer fails.

What should you do?

A. Configure Network Load Balancing on the array.
B. Configure Cache Array Routing Protocol (CARP) on the array.
C. Create a new enterprise policy on the array and apply the policy to the array.
D. Create two publishing rules for the partner Web site.

Answer: A

Explanation:
Network Load Balancing (NLB) is a Windows network component that creates a cluster of
computers that can be addressed by a single cluster IP address. NLB provides load
balancing and high availability for IP-based services. ISA Server 2004 Enterprise
Edition integrates with NLB so that you can configure and manage it with the ISA Server
Management tools. One NLB feature is health monitoring: NLB stops directing traffic to
an array member whose server is unavailable or whose Firewall service has stopped,
while the remaining members keep answering on the cluster address. In this scenario
Internet access must survive the failure of an ISA Server computer. The SSH session to
the partner is plain TCP, not a Web request, so neither CARP (which distributes Web cache
content between array members) nor publishing rules help; configuring NLB on the array
is what provides the required availability.

QUESTION NO: 78
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1 and a Web server named Web1.

The company has two Web sites named SiteA and SiteB. Both Web sites are hosted
on Web1. SiteA requires users to be authenticated. SiteB needs to have only
anonymous access configured.

You need to configure ISA1 to publish both Web sites and to meet the
security requirements of each Web site.

What should you do?

A. On ISA1, configure a Web publishing rule for each Web site.
Configure the rule for SiteA to allow anonymous connections.
B. On ISA1, configure a Web publishing rule for each Web site.
Configure the rule for SiteA to use Basic authentication.
C. Configure one Web publishing rule for the two Web sites.
Configure the rule to use EAP authentication.
D. Configure one Web publishing rule for the two Web sites.
Configure the rule to use forms-based authentication.

Answer: B

Explanation:
ISA Server uses Web publishing rules to make Web sites available to users on the
Internet. A Web publishing rule is a firewall rule that specifies how ISA Server will route
incoming requests to internal Web servers. Use Web publishing rules to provide:
* Access to Web servers running HTTP protocol. When you configure a Web publishing
rule, you configure ISA Server to listen for HTTP requests from the Internet and to
forward that request to a Web server on a protected network. To publish servers using any
other protocols, you need to use a server publishing rule.
* Application-layer filtering. Application-layer filtering enables ISA Server to inspect the
application data in each packet passing through ISA Server. This includes filtering of
Secure Sockets Layer (SSL) packets if you enable SSL bridging. This provides an
additional layer of security not provided by server publishing rules.
* Path mapping. Path mapping enables you to hide the details of your internal Web site
configuration by redirecting external requests for parts of the Web site to alternate
locations within the internal Web site. This means that you can limit access to only
specific areas within a Web site.
* User authentication. You can configure ISA Server to require that all external users
authenticate before their requests are forwarded to the Web server hosting the published
content. This protects the internal Web server from authentication attacks. Web
publishing rules support several methods of authentication including Remote
Authentication Dial-In User Service (RADIUS), integrated, basic, digest, digital
certificates, and RSA SecurID.
* Content caching. The content from the internal Web server can be cached on ISA
Server, which improves the response time to the Internet client while decreasing the load
on the internal Web server.
* Support for publishing multiple Web sites using a single Internet Protocol (IP) address.
You can configure multiple Web publishing rules that can make multiple internal Web
sites available to Internet clients.
* Link translation. With link translation, you can provide access to complex Web pages
that include references to other internal Web servers that are not directly accessible from
the Internet. Without link translation, any link to a server that is not accessible from the
Internet would appear as a broken link. Link translation can be used to publish complex
Web sites providing content from many servers while hiding the complexity from the
Internet users.
* Support for logging of the Internet client's IP address. By default, when you publish a
server using Web publishing, the source IP address that is received by the internal Web
server is the IP address of the ISA Server internal interface. If you need to be able to log
access to the Web server based on the IP address of the client computer on the Internet,
you can modify the default setting.
In this scenario one Web server hosts two Web sites with different security requirements,
and authentication is a property of the Web publishing rule, so two rules are needed: the
SiteB rule allows anonymous access (All Users), while the SiteA rule requires users to
authenticate, for which Basic authentication is the offered choice (B). Because Basic
authentication sends credentials merely Base64-encoded, the listener used by the SiteA
rule should require SSL so that the credentials are encrypted on the Internet side.
Options C and D use a single rule for both sites and so cannot apply different
requirements to each; EAP is not a Web publishing authentication method, and forms-based
authentication in ISA Server 2004 is intended for Outlook Web Access publishing.

QUESTION NO: 79
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.

The company's written security policy states that users must be allowed access to the
Internet only between the hours of 08:00 and 17:00.

You need to configure ISA1 to allow all Internet traffic between 08:00 and 17:00
and to not allow outbound Internet traffic at other times.

What should you do?

A. Create an access rule to allow all protocols.
Configure the rule's schedule to be enabled between 08:00 and 17:00.
B. Create an access rule to deny all protocols.
Configure the rule's schedule to be enabled between 08:00 and 17:00.
C. Create an access rule to allow all protocols at all times.
Create another access rule that denies all protocols between 17:00 and 08:00.
Ensure that this rule is placed immediately below the allow rules.
D. Create an access rule to deny all protocols at all times.
Create another access rule that allows all protocols between 08:00 and 17:00.
Ensure that this rule is placed immediately below the deny rule.

Answer: A

Explanation:
Access rules always apply to outbound connections. Only protocols whose primary
connection is in the outbound (send) direction can be used in access rules; Web publishing
rules and server publishing rules, by contrast, use protocols whose primary connection is
in the inbound (receive) direction. Access rules control access from a source to a
destination using outbound protocols. You can apply a schedule to an access rule to
control when the rule applies. There are three built-in schedules:
* Work hours: Monday to Friday, 09:00 (9:00 A.M.) to 17:00 (5:00 P.M.)
* Weekends: all day Saturday and Sunday
* Always: at all times
A rule can be an allow rule or a deny rule, and schedules apply to both kinds. Schedules
affect only new connections matched by the access rule; connections that are already
established are not affected. For example, if you schedule access to a partner site during
Work hours, users are not disconnected at 17:00; you would have to disconnect them
manually or script a restart of the Firewall service.
ISA Server processes the access rules in order and applies the first rule whose elements
(including its schedule) match, ending with the built-in default rule that denies all
traffic. In this scenario all traffic is to be allowed only between 08:00 and 17:00, so a
single allow-all access rule with a custom schedule covering 08:00 to 17:00 is sufficient
(A): outside that window the rule does not match and the default rule denies the traffic.
Option C fails because the unconditional allow rule sits above the scheduled deny rule
and always matches first, so the deny rule is never reached; option D fails for the
mirror-image reason, because the unconditional deny rule above the scheduled allow rule
blocks everything at all times.
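The first-match behaviour that this reasoning depends on, shown as an added example; it is not text or code from the original TestKing material and it does not use ISA Server's administration objects. The rule names, the custom 08:00 to 17:00 schedule and the sample timestamps are constructed for the illustration:

```python
"""First-match access rule evaluation with schedules (illustration only).

Models two things the scenario turns on: rules are evaluated top to bottom and the
first matching rule wins, with an implicit final deny; and a schedule decides
whether a rule matches at the moment a NEW connection is opened.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

WEEKDAYS = frozenset(range(5))      # Monday=0 ... Friday=4
ALL_DAYS = frozenset(range(7))


@dataclass(frozen=True)
class Schedule:
    name: str
    start: time
    end: time                        # exclusive
    days: frozenset = ALL_DAYS

    def active(self, when: datetime) -> bool:
        """True if 'when' falls inside this schedule's window."""
        if when.weekday() not in self.days:
            return False
        now = when.time()
        if self.start <= self.end:
            return self.start <= now < self.end
        # A window such as 17:00-08:00 wraps past midnight.
        return now >= self.start or now < self.end


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    schedule: Optional[Schedule] = None  # None models the built-in "Always" schedule


class Policy:
    """An ordered list of access rules followed by ISA's implicit default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, when: datetime) -> Tuple[str, str]:
        """Return (action, rule name) of the first rule in effect at 'when'.
        Only new connections are evaluated here; an established session is never
        re-checked, which is why users are not cut off when a window closes."""
        for rule in self.rules:
            if rule.schedule is None or rule.schedule.active(when):
                return rule.action, rule.name
        return "deny", "Default rule"


def decide_at(policy: Policy, stamp: str) -> Tuple[str, str]:
    """Convenience wrapper taking a 'YYYY-MM-DD HH:MM' timestamp."""
    return policy.decide(datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


def active_at(schedule: Schedule, stamp: str) -> bool:
    return schedule.active(datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


# Built-in "Work hours": Monday to Friday, 09:00 to 17:00.
WORK_HOURS = Schedule("Work hours", time(9, 0), time(17, 0), WEEKDAYS)
# Constructed schedules for the scenario.
BUSINESS = Schedule("08:00-17:00", time(8, 0), time(17, 0))
AFTER_HOURS = Schedule("17:00-08:00", time(17, 0), time(8, 0))

# Option A: one allow-all rule bound to the custom schedule. Outside the window
# nothing matches and the default rule denies.
OPTION_A = Policy([Rule("Allow all, 08:00-17:00", "allow", BUSINESS)])

# Option C: an unconditional allow with the scheduled deny placed below it.
# The allow rule matches first at any hour, so the deny rule is dead code.
OPTION_C = Policy([
    Rule("Allow all, always", "allow"),
    Rule("Deny all, 17:00-08:00", "deny", AFTER_HOURS),
])

# Option D: the unconditional deny sits above the scheduled allow and always wins.
OPTION_D = Policy([
    Rule("Deny all, always", "deny"),
    Rule("Allow all, 08:00-17:00", "allow", BUSINESS),
])

if __name__ == "__main__":
    for stamp in ("2004-09-14 10:30", "2004-09-14 20:15"):   # a Tuesday
        for label, policy in (("A", OPTION_A), ("C", OPTION_C), ("D", OPTION_D)):
            print(stamp, label, decide_at(policy, stamp))
```

Running the block prints each option's decision at 10:30 and at 20:15 on a weekday; only option A switches from allow to deny. The evaluator deliberately ignores established connections, mirroring the point above that a closing schedule window does not terminate sessions that are already open.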

QUESTION NO: 80
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. The company uses Microsoft Exchange Server
2003 as its e-mail server.

Remote users need to access the Exchange server by using either Microsoft Outlook
Web Access or Microsoft Outlook 2003. You need to use HTTPS to provide access
for both Outlook Web Access and Outlook 2003. You want to use forms-based
authentication for Outlook Web Access.

ISA1 is configured with three Web listeners named WebListen1, WebListen2 and
Weblisten3.You configure WebListen1 to use SSL certificate authentication. You
configure WebListen2 to use forms-based authentication. You configure
WebListen3 to use Windows Integrated authentication.

You need to ensure that remote users can access the Exchange server.

What should you do?

A. Create two Web publishing rules for the Exchange server. Configure one of the rules
to use WebListen1.
Configure the other rule to use WebListen3.
B. Create one Web publishing rule for the Exchange server. Configure the rule to use
WebListen2.
C. Create two Web publishing rules for the Exchange server. Configure one of the rules
to use WebListen1.
Configure the other rule to use WebListen2.
D. Create one Web publishing rule for the Exchange server. Configure the rule to use
WebListen1.

Answer: C

Explanation:
Many organizations use Web-based clients to give remote users access to their Exchange
mailboxes, and one of the most popular ways is to deploy an Outlook Web Access (OWA)
server so that users can reach their mailboxes from any computer with an Internet
connection and a Web browser. When you publish OWA through ISA Server, the OWA server is
protected from direct external access because its name and IP address are never exposed
to the user: the user connects to the ISA Server computer, which forwards the request to
the OWA server according to the conditions of the mail server publishing rule. You must
configure a Web listener for OWA publishing, and that listener should use forms-based
authentication; if connections from the clients are to be secured, the listener must listen
on an HTTPS port. Outlook 2003 connecting with RPC over HTTP never sees a logon form, so
it cannot use a forms-based listener and needs a listener of its own. Two Web publishing
rules for the Exchange server are therefore required (C): one that uses WebListen2
(forms-based authentication) for OWA and one that uses WebListen1 (SSL certificate
authentication) for the Outlook 2003 RPC over HTTP clients. WebListen3 is not needed.

QUESTION NO: 81
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer.

Users on the Internal network require access to a partner VPN server. The partner
VPN server uses machine certificate authentication for VPN connections. You
enable a network address translation (NAT) relationship between the Internal
network and the External network.

You need to ensure that company users can access the partner VPN server.

Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)

A. Create an access rule to enable outbound access to the PPTP Client protocol.
B. Create an access rule to enable outbound access to the IPSec with Encapsulating
Security Payload (ESP) Server protocol.
C. Create an access rule to enable outbound access to the IKE Client protocol.
D. Create an access rule to enable outbound access to the IPSec NAT-T Client protocol.

Answer: C, D

Explanation:
You can configure the ISA firewall to allow outbound access to VPN servers on the
Internet. The ISA firewall supports all true VPN protocols, including PPTP, L2TP/IPSec,
and IPSec NAT Traversal (NAT-T).
Although ISA Server supports PPTP passthrough out of the box, there is no built-in
support for IPSec passthrough. The reason is that the IPSec protocols are not NAPT
(Network Address and Port Translation) compatible: they are designed to authenticate
and/or encrypt information in the packet, so when a NAPT device (such as an ISA server)
tries to change that information, either the packet is rejected as invalid by the IPSec
protocol, or the translation cannot be performed because the information the NAPT
device needs is encrypted. The IPSec Working Group worked out a solution called NAT
Traversal, or NAT-T for short. To make NAT-T work through the ISA Server, we need to
create access rules that allow the IKE Client protocol and the IPSec NAT-T Client
protocol.

QUESTION NO: 82
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.

The company deploys a new secure Web site. The Web site hosts an application
named App1. App1 requires client certificate authentication, and must record the
client IP source address for every request.

You need to configure ISA1 to publish the new Web site. First, you create an SSL
Web publishing rule. Now, you need to configure the rule to meet the requirements.

What should you do?

A. Configure the rule's link translation to replace absolute links in all Web pages.
B. Configure the rule to forward the original host header to the published Web server.
C. Configure the rule to forward the requests so that they appear to come from ISA1.
D. Configure the rule to forward the requests so that they appear to come from the
original client.

Answer: D

Explanation:
Link Translation solves a number of issues that may arise for external users connecting
through the ISA firewall to an internal Web site. The ISA firewall Link Translator is
implemented as an ISA firewall Web filter. Because of the Link Translator's built-in
functionality, and because it comes with a built-in default dictionary, you can use it right
out of the box to solve many common problems encountered with proxy-based Web
publishing scenarios. The default dictionary includes the following entries:
* Any occurrence on the Web site of the computer name specified on the To tab of the
Web Publishing Rule Properties is replaced with the Web site name (or IP address). For
example, if a rule redirects all requests for http://www.testking.com to an internal
computer called ISA1, all occurrences of http://ISA1 in the response page returned to the
client are replaced with http://www.testking.com, so the internal naming structure is not
exposed.
* If a nondefault port is specified on the Web listener, that port is used when replacing
links on the response page. If a default port is specified, the port is removed when
replacing links on the response page. For example, if the Web listener is listening on TCP
port 88, the responses returned to the Web client will include links to TCP port 88.
* If the client specifies HTTPS in the request to the ISA firewall, the firewall will replace
all occurrences of HTTP with HTTPS.

Forward the original host header instead of the actual one - By default, when ISA Server
receives an incoming Web request, it does not pass the host header included in the client
request on to the published Web server. This means that all requests routed to a
particular computer must be routed to the same (default) Web site on that computer. When
ISA Server passes the host header information, client requests can be routed to a
particular site on the published computer.
Requests appear to come from the ISA Server computer - Select this option if you want ISA
Server to replace the original source IP address of the packet with its own IP address.
Requests appear to come from the original client - ISA Server forwards requests with the
source IP address of the original requesting client. When you select this option, ISA
Server must be configured as the default gateway for the published Web server, or
alternatively as the gateway for the route to the IP address of the requesting client.
Otherwise, IP packets returned by the Web server will not reach the ISA Server
computer.

QUESTION NO: 83
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer named ISA1.

The company's new written security policy states that internal computer names
must not be published or accessible via the Internet.

You need to publish a new Web site that has many internal computer names within
the Web site. You must publish this Web site while adhering to the company's
security policy.

What should you do?

A. Configure an HTTP server publishing rule. Configure the rule so that requests sent to
the published server forward the URLs so that they appear to come from the original
client computer.
B. Configure an HTTP server publishing rule. Configure the rule so that requests sent to
the published server forward the URLs so that they appear to come from ISA1.
C. Create a Web publishing rule. On the rule, enable and configure HTTP bridging.
D. Create a Web publishing rule. On the rule, enable and configure the link translator.

Answer: D

Explanation:

Link Translation solves a number of issues that may arise for external users connecting
through the ISA firewall to an internal Web site. The ISA firewall Link Translator is
implemented as an ISA firewall Web filter. Because of the Link Translator's built-in
functionality, and because it comes with a built-in default dictionary, you can use it right
out of the box to solve many common problems encountered with proxy-based Web
publishing scenarios. The default dictionary includes the following entries:
* Any occurrence on the Web site of the computer name specified on the To tab of the
Web Publishing Rule Properties is replaced with the Web site name (or IP address). For
example, if a rule redirects all requests for http://www.testking.com to an internal
computer called ISA1, all occurrences of http://ISA1 in the response page returned to the
client are replaced with http://www.testking.com, so the internal naming structure is not
exposed.
* If a nondefault port is specified on the Web listener, that port is used when replacing
links on the response page. If a default port is specified, the port is removed when
replacing links on the response page. For example, if the Web listener is listening on TCP
port 88, the responses returned to the Web client will include links to TCP port 88.
* If the client specifies HTTPS in the request to the ISA firewall, the firewall will replace
all occurrences of HTTP with HTTPS.
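The following Python is added here as an illustration of the three default-dictionary rules described in the explanations for Questions 82 and 83, plus a check for the naming policy in Question 83; it is not ISA Server's own Web filter code. The internal name ISA1, the public name www.testking.com and port 88 are taken from the explanation; the sample response page is constructed.

```python
import re

# Constructed sample response page, as the published server (internal name ISA1)
# would return it: the links still carry the internal computer name.
SAMPLE_PAGE = (
    '<a href="http://ISA1/app/login.aspx">Login</a>\n'
    '<img src="http://isa1:8080/images/logo.png">\n'
    '<a href="http://ISA10/other">a different server</a>\n'
    'Contact the ISA1 helpdesk.\n'
)


def translate_links(body, internal_name, public_name, listener_port, client_used_https):
    """Rewrite links that point at the internal computer name, following the
    three default-dictionary behaviours described above:
      1. internal name (from the To tab) -> public Web site name
      2. a non-default listener port is kept in the link, a default port is removed
      3. HTTP becomes HTTPS when the client reached the firewall over HTTPS
    """
    scheme = "https" if client_used_https else "http"
    default_port = 443 if client_used_https else 80
    if listener_port == default_port:
        host = public_name
    else:
        host = f"{public_name}:{listener_port}"
    # Match http(s)://<internal name>[:port] only when a URL delimiter follows,
    # so that ISA1 does not also rewrite links to ISA10.
    pattern = re.compile(
        r"https?://" + re.escape(internal_name) + r"(?::\d+)?(?=[/\"'\s>?#]|$)",
        re.IGNORECASE,
    )
    return pattern.sub(f"{scheme}://{host}", body)


def residual_internal_names(body, internal_name):
    """Policy check for Question 83: return each line that still contains the
    internal computer name as a whole word (for example in plain text rather
    than inside a link), so the administrator can add a custom link-translation
    entry for it before the site is published."""
    word = re.compile(r"\b" + re.escape(internal_name) + r"\b", re.IGNORECASE)
    return [line for line in body.splitlines() if word.search(line)]


if __name__ == "__main__":
    # Listener on non-default TCP port 88, client connected over plain HTTP.
    rewritten = translate_links(SAMPLE_PAGE, "ISA1", "www.testking.com", 88, False)
    print(rewritten)
    print("still leaking:", residual_internal_names(rewritten, "ISA1"))
```

The residual check is the step a reviewer would run before sign-off: the default dictionary only rewrites the URL forms, so a bare hostname in page text needs its own entry.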

QUESTION NO: 84
You are the administrator of an ISA Server 2000 computer named ISA1. You use
the ISA Server 2004 Migration Tool to perform an in-place upgrade on ISA1. You
install the Firewall Client installation component on ISA1.

Client computers in the sales department run Windows NT Workstation 4.0 with
Internet Explorer 5.0 and the Microsoft Proxy 2.0 Winsock Proxy client installed.
All other client computers run Windows XP Professional. The ISA Server 2000
Firewall Client was installed on the Windows XP Professional computers by using
Group Policy.

You discover that all client computer requests to ISA1 are being sent unencrypted.

You need to configure all client computers to communicate to ISA1 by using
encryption.

Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)

A. Uninstall the Winsock Proxy client from the client computers in the sales department.
Run Setup.exe to install the ISA Server 2004 Firewall Client.

B. Uninstall the Winsock Proxy client from the client computers in the sales department.
Enable the Allow non-encrypted Firewall client connections setting on the Internal
network.
C. Uninstall the Winsock Proxy client from the client computers in the sales department.
Enable the Require all users to authenticate setting. Configure SSL certificate
authentication for all Firewall clients on the Internal network.
D. Upgrade the Firewall Client for ISA Server 2000 software on the Windows XP
Professional client computers.

Answer: A, D

Explanation:
The Firewall client software is an optional client piece that can be installed on any
supported Windows operating system to provide enhanced security and accessibility. The
Firewall client software provides the following enhancements to Windows clients:
* Allows strong user/group-based authentication for all Winsock applications using the
TCP and UDP protocols.
* Allows user and application information to be recorded in the ISA 2004 firewall's log
files.
* Provides enhanced support for network applications, including complex protocols that
require secondary connections.
* Provides 'proxy' DNS support for Firewall client machines.
* Allows you to publish servers requiring complex protocols without the aid of an
application filter.
* The network routing infrastructure is transparent to the Firewall client.
* Provides encrypted traffic between the Firewall client and the ISA Server.
In this scenario we need to encrypt all communications between the clients and the ISA
Server. Therefore we need to uninstall the Winsock Proxy client from the NT 4.0 clients
and install the ISA 2004 Firewall Client, and we also need to upgrade the ISA 2000
Firewall clients to the ISA 2004 Firewall Client.

QUESTION NO: 85
You are the network administrator for TestKing. The network consists of a single
Active Directory domain testking.com. The network contains an ISA Server 2004
computer named ISA1. Client computers on the network consist of Windows 98
computers, Windows XP Professional computers, UNIX workstations and
Macintosh portable computers.

You configure ISA1 by using the Edge Firewall network template. You manually
configure ISA1 with access rules to allow HTTP and HTTPS access to the Internet.
You configure ISA1 to require all users to authenticate.

You need to provide Internet access for all client computers on the network while
preventing unauthorized non-company users from accessing the Internet through
ISA1. You also want to reduce the amount of administrative effort needed when you
configure the client computers.

What should you do?

A. Configure all client computers as Web Proxy clients. Configure Basic authentication
on the Internal network.
B. Configure all client computers as Web Proxy clients. Configure Basic authentication
on the Local Host network.
C. Configure all client computers as SecureNAT clients. Configure Basic authentication
on the Internal network.
D. Configure the Windows-based computers as Firewall clients. Configure the
non-Windows-based computers as Web Proxy clients. Configure Basic authentication on
the Local Host network.

Answer: A

Explanation:
Web proxy clients - Web proxy clients do not automatically send authentication
information to ISA Server. By default, ISA Server requests credentials from a Web proxy
client to identify a user only when processing a rule that restricts access based on a user
element. You can configure which method the client and ISA Server use for
authentication. You can also configure ISA Server to require authentication for all Web
requests.
Basic authentication - Prompts users for a user name and password before allowing Web
access. Basic authentication sends and receives user information as plaintext and does not
use encryption. Basic authentication is not a secure authentication method unless the
network traffic is encrypted by using SSL. Because basic authentication is part of the
HTTP specification, most browsers support it.
We configure Basic authentication on the Internal network, because the Web Proxy clients
are on the Internal network.

QUESTION NO: 86

You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named TESTKING1, which controls access between three
segments on the network. The network is configured as shown in the exhibit.

A network address translation (NAT) relationship exists from the Internal network
to the perimeter network. A Windows Server 2003 computer named DNS1 functions
as a DNS server.

Web Proxy clients can access Web sites on the Internet. However, when SecureNAT
clients try to access hosts on the Internet, they receive the following error message:
"Cannot find server or DNS error."

You need to ensure that SecureNAT clients can perform DNS name resolution
correctly for hosts on the Internet. You also need to ensure that DNS name
resolution is optimized for Active Directory.

First, from a SecureNAT client, you run the nslookup command and set the default
server to 172.16.0.11. From the Nslookup console, you are able to query name server
(NS) resource records on the Internet.

What should you do next?

A. On TESTKING1, replace the DNS server publishing rule with an equivalent access
rule.
B. On TESTKING1, change the NAT relationship between the perimeter network and the
Internal network to a route relationship.
C. On TESTKINGC, delete the .(root) zone and then disable recursion.
D. On DNS1, remove forwarding configuration and add a .(root) zone.

Answer: C

Explanation:
Disable Recursion - By default, a Windows Server 2003 DNS server and a Windows 2000
DNS server accept recursive queries. This enables the server to perform DNS lookups on
behalf of clients and is the preferred configuration. Select the Disable Recursion option
if you want the server to accept only iterative queries.
A root zone (indicated by a folder named with a dot (.) at the top of the namespace) tells
a DNS server that it sits at the top of the entire DNS namespace and that whatever domains
it hosts are top-level domains; in other words, the DNS server is a root server for its own
domain. As long as that root zone exists, the DNS server will not use root hints and cannot
be configured to use forwarders. Windows 2000 forced administrators to delete the root
zone so that they could correctly configure their DNS infrastructure. In Windows Server
2003, the root zone is not installed by default.
In this scenario the SecureNAT clients use a primary DNS server called TestKingA. This
DNS server has a root zone, which prevents forward lookups to the Internet or to another
DNS server. Therefore we need to delete the root zone, configure forwarding to DNS1 and
disable recursion on TestKingA.

QUESTION NO: 87
You are a network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is configured to allow users in the sales
department access to resources on the Internet.

Users in the marketing department also want access to resources on the Internet.
You add a new network and computers for the marketing department. You install
the Firewall Client and configure the Web Proxy client on all computers in the new
network.

TestKing.com's network is configured as shown in the exhibit.

Users in the marketing department report that they cannot access resources on the
Internet. You verify that users in the sales department and the internal servers can
still access resources on the Internet.

You need to ensure that users in the marketing department can access resources on
the Internet.

What should you do?

A. Configure the marketing computers to use 192.168.0.1 as the default gateway.
B. On ISA1, add a static route for the 192.168.2.1 network.
C. On ISA1, add a network object for the marketing department.
D. Configure the DNS settings of the marketing computers to use a DNS server that can
resolve Internet names.

Answer: B

Explanation:
Unfortunately this scenario lacks an exhibit, so we can only speculate about how the
infrastructure looks. One of the most common problems after adding a new network is that
the ISA Server does not know the route to the new subnet. That is why we must add a
static route pointing to the new subnet.

QUESTION NO: 88
You are the network administrator for Testking. The network consists of a single
Active Directory domain named testking.com. The relevant portion of the network
is configured as shown in the exhibit.

An ISA Server 2004 computer named TESTKING1 is configured with the 3-Leg
Perimeter network template. All client computers are configured as Firewall clients
and Web Proxy clients. Client computers are configured to use a DNS server named
DNS1. DNS1 is configured to forward requests to an ISP's DNS server. An
application server named TestKingA runs a Web-based application.

Users on the network report that access to TestKingA is very slow. You monitor
TESTKING1 and discover that client computer requests for TestKingA are being
passed through TESTKING1.

You need to configure TESTKING1 to allow faster access to TestKingA.

Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)

A. Create an access rule for DNS client protocol.
B. Enable IP routing between the perimeter network and the Internal network.
C. In the properties of the Internal network on TESTKING1, enable the Directly access
computers specified in the Domains tab option.
D. Add testking.com to the list of domain names available on the Internal network on
TESTKING1.
E. Add TestKingA.testking.com to the system policy DNS configuration group.

Answer: C, D

Explanation:

The Internal Network Domain Tab - Here you enter a list of internal network domains.
When the firewall client connects to a host located in one of these domains, the
connection request bypasses the Firewall client application. The primary rationale for this
is that if all the machines located in the same domain are located behind the same NIC,
then the Firewall client machine can communicate directly without looping back through
the ISA firewall. This reduces the overall load on the ISA firewall and improves client
performance because the connection doesn't incur any Firewall processing overhead.
Further, the Domains tab can be used to control the behavior of Web Proxy clients when
accessing external sites.
Directly access computers specified on the Domains tab - This allows a Web Proxy
client configured with the autoconfiguration script to use the domains listed on the
Domains tab for Direct Access. Direct Access for Web Proxy clients allows the Web
Proxy client computer to bypass the Web Proxy on the ISA firewall and connect directly
to the destination, either via the machine's SecureNAT client configuration or via the
machine's Firewall client configuration. This is useful if you want to reuse the domains
already entered on the Domains tab for Direct Access.

QUESTION NO: 89
You are the network administrator for TestKing.com. The company has a main
office and one branch office. The network contains an ISA Server 2004 computer
named ISA1, which functions as a firewall for the branch office. The number of
employees at the branch office has doubled in the last week.

Users at the branch office report that they frequently receive outdated versions of
Web pages when they access Web servers operated by some of TestKing.com's
business partners.

You need to ensure that users always receive the most up-to-date content for Web
pages they access from the partner Web sites. You must also optimize bandwidth
use at the branch office.

Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)

A. Increase the value for the Maximum size of URL cached in memory (bytes) setting.
B. Create cache rules that disable the caching of content from the partner Web sites.
C. Increase the percentage of free memory to use for caching.

Answer: B, C

Explanation:
ISA Server 2004 uses cache rules to allow you to customize what types of content will be
stored in the cache and exactly how that content will be handled when a request is made
for objects stored in cache.
You can create rules to control the length of time that a cache object is considered to be
valid (ensuring that objects in the cache don't get hopelessly out of date), and you can
specify how cached objects are to be handled after they expire. So if we want to ensure
that users always receive the most up-to-date content for Web pages they access from the
partner Web sites, then we must create a caching rule that disables caching for those
partner websites.

Caching also uses system memory. Objects are cached to RAM as well as to disk, and objects
can be retrieved from RAM more quickly than from disk. ISA Server 2004 allows you
to determine what percentage of random access memory can be used for caching (by
default, ISA Server 2004 uses 10 percent of the RAM, and caches the remaining
objects to disk only). You can set the percentage to anything from 1 percent to 100
percent. The RAM allocation is set when the Firewall service starts. If you want to change
the amount of RAM to be used, you have to stop and restart the Firewall service.
The ability to control the amount of RAM allocated for caching ensures that caching will
not take over all of the ISA Server computer's resources. In keeping with the emphasis on
security and firewall functionality, caching is not enabled by default when you install ISA
Server 2004. You must enable it before you can use the caching capabilities.

Maximum size of URL cached in memory (bytes) - Configures the largest object that ISA
Server will store in memory for a Uniform Resource Locator (URL). When you increase the
amount of memory that a single object may occupy, ISA Server can hold fewer Web objects
in memory. Objects larger than this limit are cached on disk only.
Increasing this value will therefore decrease caching performance.

QUESTION NO: 90
You are the network administrator for TestKing.com. The network contains two
TESTKING Server 2004 computers named TESTKING1 and TESTKING2.
TESTKING1 is configured as the Enterprise Configuration Storage server.
TESTKING1 and TESTKING2 are members of a single enterprise array.

A Web server named Web1 resides in the perimeter network. You publish an
external Web site on Web1. You publish an internal Web site on the array.

TESTKING1 and TESTKING2 are each configured with a RAID-5 volume. You
enable a cache drive on TESTKING1. You enable Cache Array Routing Protocol
(CARP) on the Internal network on TESTKING1 and TESTKING2.

Users report that access to Web1 is very slow. You discover that physical disk usage
is extremely high on TESTKING1 and Web1.

You need to configure TESTKING Server 2004 to allow faster access to Web1.

What should you do?

A. On TESTKING1, increase the HTTP caching Time to Live (TTL) setting to 50.
B. On TESTKING1, increase the size of the cache drive.
C. On TESTKING2, enable a content download job for the Web sites on Web1.
D. On TESTKING2, configure a cache drive.

Answer: D

Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP.
CARP distributes the cache used by Web proxies across an array of ISA Server
computers. Although CARP assigns each ISA Server computer a unique set of cached
data (thus you need to configure the cache on each array member), the array of computers
functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to
increase performance in operations accessing a Web proxy cache that is distributed across
multiple ISA Server computers. CARP uses hash-based routing to determine which ISA
Server computer will respond to a client request and cache specific Web content. CARP
provides the following benefits:
* CARP eliminates the duplication of cache contents across multiple ISA Server
computers. The result is a faster response to queries and a more efficient use of server
resources.
* Because CARP determines which ISA Server computer will cache any specific content,
no traffic is required among ISA Server computers to determine which server is caching
the content.
* CARP automatically adjusts when array members are added or removed. The
hash-based routing means that, when a server is either taken offline or added, only
minimal reassignment of URL caches is required.
* CARP ensures that the cache objects are either distributed evenly between all servers in
the array or by the load factor that is configured for each server.

In this scenario we have not configured a cache drive on TESTKING2; as a result, the
cache drive of TESTKING1 is used for everything. Therefore we need to configure a cache
drive on TESTKING2 to make use of CARP.

QUESTION NO: 91
You are the network administrator for TestKing.com. The network contains an
TestKing Server 2004 Enterprise Edition computer named TestKing1. You enable
and configure Cache Array Routing Protocol (CARP) on TestKing1.

You configure a 1-GB cache drive on TestKing1. You monitor TestKing1 and
discover that a large number of cached Web requests are coming from the sales
department. You install TestKing Server 2004 Enterprise Edition on two additional
computers named SA2 and TestKing3. All of the TestKing Server computers are
joined to a single array.

Array members are configured as shown in the following table.

You discover that many of the Internet Web requests are still being retrieved from
the Internet.

You need to reduce the number of Web requests that are being retrieved from the
Internet.

What should you do?

A. On TestKing1, change the load factor to 100.
B. On TestKing1, increase the size of the cache drive to 2 GB.
C. On TestKing2 and TestKing3, configure a cache drive.
D. On TestKing2 and TestKing3, change the load factor to 100.

Answer: B

Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP.
CARP distributes the cache used by Web proxies across an array of ISA Server
computers. Although CARP assigns each ISA Server computer a unique set of cached
data, the array of computers functions as a single, logical cache. CARP is used by Web
browsers and by ISA Server to increase performance in operations accessing a Web proxy
cache that is distributed across multiple ISA Server computers. CARP uses hash-based
routing to determine which ISA Server computer will respond to a client request and
cache specific Web content. CARP provides the following benefits:
* CARP eliminates the duplication of cache contents across multiple ISA Server
computers. The result is a faster response to queries and a more efficient use of server
resources.
* Because CARP determines which ISA Server computer will cache any specific content,
no traffic is required among ISA Server computers to determine which server is caching
the content.
* CARP automatically adjusts when array members are added or removed. The
hash-based routing means that, when a server is either taken offline or added, only
minimal reassignment of URL caches is required.
* CARP ensures that the cache objects are either distributed evenly between all servers in
the array or by the load factor that is configured for each server.

However, in this scenario it is possible that the cache fills up quite quickly. ISA
Server 2004 will then purge some objects from the cache to make room for new ones.
URLs in the cache are removed according to a built-in logic so that the most recently used
objects are removed last. The ISA Server therefore has to retrieve a requested URL from
the Internet again, because it is no longer in the cache. We can overcome this problem by
increasing the cache drive size.
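As an added example (not ISA Server's own code), the following Python models the CARP behaviour described in the explanations for Questions 90 and 91: hash-based routing of each URL to exactly one array member, load-factor weighting, and minimal reassignment when a member is added or removed. It uses weighted rendezvous (highest-random-weight) hashing over SHA-256 as an assumed stand-in for CARP's own hash function; the member names follow Question 91 and the URL workload is constructed.

```python
import hashlib
import math

# Constructed sample workload: 2000 distinct URLs requested by Web Proxy clients.
SAMPLE_URLS = [f"http://www.example.test/catalog/item{i}.html" for i in range(2000)]


def _unit_hash(text):
    """Map text to a number strictly inside (0, 1). SHA-256 is an assumed
    stand-in here; CARP specifies its own hash function."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return (int.from_bytes(digest[:8], "big") + 0.5) / 2.0 ** 64


def pick_member(url, members):
    """Return the array member that owns the cache entry for `url`.

    `members` maps member name -> load factor (a positive number). Each member's
    score depends only on hash(member, url) and its own load factor, and the
    highest score wins. Consequences, as the explanation above states:
      - no traffic between members is needed to decide who caches the URL;
      - each URL is cached on exactly one member (no duplication);
      - the expected share of URLs per member is proportional to its load factor.
    """
    best_name, best_score = None, -1.0
    for name, load_factor in members.items():
        score = -load_factor / math.log(_unit_hash(f"{name}|{url}"))
        if score > best_score:
            best_name, best_score = name, score
    return best_name


def assign_all(urls, members):
    """Map every URL to its owning member for one array configuration."""
    return {url: pick_member(url, members) for url in urls}


def share(assignment, name):
    """Fraction of URLs owned by `name`."""
    return sum(1 for m in assignment.values() if m == name) / len(assignment)


def reassigned(before, after):
    """URLs whose owning member changed between two array configurations."""
    return {url for url in before if before[url] != after[url]}


if __name__ == "__main__":
    two = assign_all(SAMPLE_URLS, {"TestKing1": 1, "TestKing2": 1})
    three = assign_all(SAMPLE_URLS, {"TestKing1": 1, "TestKing2": 1, "TestKing3": 1})
    moved = reassigned(two, three)
    print(f"added TestKing3: {len(moved)} URLs moved, all onto the new member:",
          all(three[u] == "TestKing3" for u in moved))
    weighted = assign_all(SAMPLE_URLS, {"TestKing1": 1, "TestKing2": 3})
    print(f"load factor 3 vs 1: TestKing2 owns {share(weighted, 'TestKing2'):.2%}")
```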
