Version 4.0
Important Note, Please Read Carefully
Latest Version
We are constantly reviewing our products. New material is added and old material is
revised. Free updates are available for 90 days after the purchase. You should check your
member zone at TestKing and update 3-4 days before the scheduled exam date.
1. Go to www.testking.com
2. Click on Member zone/Log in
3. The latest versions of all purchased products are downloadable from here. Just click the links.
For most updates, it is enough just to print the new questions at the end of the new version,
not the whole document.
Feedback
If you spot a possible improvement, please let us know. We are always interested in
improving product quality.
Feedback should be sent to feedback@testking.com. You should include the following:
exam number, version, page number, question number, and your login ID.
Copyright
Each iPAD file contains a unique serial number associated with your particular name and
contact information for security purposes. So if we find out that a particular iPAD file is
being distributed by you, TestKing reserves the right to take legal action against you
according to the International Copyright Laws.
Explanations
This product does not include explanations at the moment. If you are interested in
providing explanations for this exam, please contact feedback@testking.com.
External client computers that connect to resources published by ISA Server must
be load balanced across the Network Load Balancing cluster when they connect by
using DNS.
You need to plan the external DNS implementation before you deploy ISA Server
2004.
Answer: C
Explanation:
Network Load Balancing (NLB) is a Windows service that enables network traffic to be
shared between multiple servers while appearing to the client to be received and
processed by a single server IP address. It provides load sharing between NLB
cluster members, and also provides redundancy if one of the NLB members becomes
unavailable. Only the Enterprise Edition of ISA Server 2004 natively supports NLB.
In this scenario we are publishing resources for external clients, therefore we need
publishing rules that listen on the external interface of the ISA Server computer.
You are upgrading the Routing and Remote Access server to ISA Server 2004. You
need to configure the Internal network.
You need to create a access rules that are specific for each subnet.
Which three IP address ranges should you use? (Each correct answer presents part
of the solution. (Choose three)
A. 10.0.25.1 - 10.0.25.255
B. 172.16.1.0 - 172.16.1.255
Answer: B, C, D
Explanation:
The terms "network" and "subnet" are distinct in the ISA world. An ISA network is defined as the grouping of
physical subnets that form a network topology attached to a single ISA Server
network adapter. So a single ISA "network" can be composed of multiple physical
subnets. Even though there are four physical subnets, all connected to each other with
switches, ISA sees these individual subnets as only two networks, an Internal network and
a perimeter network (also called a DMZ), because it has a network adapter attached to only a
single subnet on each of those networks. To further illustrate, a uni-homed (single NIC)
server would see the range of all IP addresses on the Internet as a single ISA network. In
our scenario the internal network consists of 172.16.1.0 - 172.16.1.255, 172.16.2.0 -
172.16.2.255 and 172.16.10.0 - 172.16.10.255. A perimeter network, also known as a
demilitarized zone (DMZ), or screened subnet, is a network that you set up separately
from an internal network and the
Internet. Perimeter networks allow external users to gain access to specific servers that
are located on the perimeter network while preventing direct access to the internal
network. In this way, even if an attacker penetrates the perimeter network security, only
the perimeter network servers are compromised.
In our scenario the DMZ consists of 10.0.25.1 - 10.0.25.255.
QUESTION NO: 3
You are a network administrator for TestKing.com. Client computers on the
internal network are divided among several subnets by using routers.
You install an ISA Server 2004 computer named ISA1. ISA1 will be used to allow
users to access Web sites on the Internet. You configure TCP/IP on ISA1 as shown
in the exhibit.
You need to ensure that users can access Web sites on the Internet.
Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two)
A. Configure the internal default gateway to match the external default gateway.
B. Configure a static route to each subnet.
C. Add the IP address of the internal default gateway to the Remote Management
Computers computer set.
D. Configure the internal network adapter with a blank default gateway.
E. Create a network set for each subnet.
Answer: B, D
You must ensure that client computers can access the Internet as SecureNAT clients
after ISA Server is deployed. You examine several client computers and discover
that the default gateway is not configured.
You need to configure the correct default gateway for client computers.
QUESTION NO: 5
You are a network administrator for TestKing.com. TestKing has a main office and
three branch offices.
You install Windows Server 2003 on the computers that will run ISA Server 2004.
You need to configure additional security for the ISA Server computers.
What are three possible ways to achieve this goal? (Each correct answer presents a
complete solution. Choose three)
A. Grant the Allow log on locally right to only the Administrators group.
B. Disable the external network adapter.
C. Enable the Secure Server (Require Security) IPSec policy.
D. Disable the Server service.
E. Remove all users from the Access this computer from the network right.
Answer: A, D, E
Explanations:
Secure Server (Require Security) policy - This policy is only appropriate for servers that
require all communications to be secure. Once this policy has been applied, the server
will neither send nor accept insecure communications. Any client wanting to communicate
with the server must use at least the minimum level of security described by the policy. In
this scenario it will not work because the clients are not configured for IPSec.
Allow log on locally - This logon right determines which users can interactively log on to
this computer. Logons initiated by pressing the CTRL+ALT+DEL sequence on the attached
keyboard require the user to have this logon right.
Access this computer from the network - This user right determines which users and
groups are allowed to connect to the computer over the network. It would still be
needed if the Firewall Client installation share resided on the ISA Server computer. In this scenario the
ISA Server 2004 Client Installation Share resides on another server, so we can remove the
users from the list.
Disable the Server service - You need the Server service if you install the ISA
Server 2004 Client Installation Share on the ISA Server computer, or if you use Routing and Remote Access Management,
rather than ISA Server Management, to configure a VPN. In this scenario we are doing
neither.
Disable the external network adapter - In this scenario the external adapter is
connected to the Internet. If we disabled that adapter, nobody would be able to
connect to the Internet and no VPN could be set up.
You deploy a new application named App1. The server component of App1 is
installed on an internal server named Testking1. The client component of App1 is
installed on employee and partner computers. Employees and partners will establish
VPN connections when they use App1 from outside the corporate network.
1. Employees must be allowed access to only Testking1, three file servers, and an
internal Web server named Web1.
2. Employees must have installed all current software updates and antivirus
software before connecting to any internal resources.
3. Partners must be allowed access to only Testking1.
4. You must not install any software other than the App1 client on any partner
computers.
A. Configure ISA1 to accept incoming VPN connections from partners and employees.
Enable Quarantine Control on ISA1.
Configure Quarantine Control to disconnect users after a short period of time.
Use access rules to allow access to only the permitted resources.
B. Configure ISA1 to accept incoming VPN connections from partners and employees.
Enable Quarantine Control on ISA1.
Exempt partners from Quarantine Control.
Use access rules to allow access to only the permitted resources.
C. Configure ISA1 to accept incoming VPN connections from partners and employees.
Enable Quarantine Control on ISA1.
Enable RADIUS authentication and user namespace mapping.
Configure a Windows Server 2003 Routing and Remote Access server as a RADIUS
server.
Answer: B
Explanation:
VPN quarantine control allows you to screen VPN client machines before allowing them
access to the organization's network. To enable VPN quarantine, you create a Connection
Manager Administration Kit (CMAK) package that includes a VPN client profile and a
VPN-quarantine client-side script. This
script runs on the client and checks the security configuration of the remote access client
and reports the results to the VPN server. If the client passes the security configuration
check, the client is granted access to the organization's network.
If you are using ISA Server as the VPN server, and the script reports that the client meets
the software requirements for connecting to the network, the VPN client is moved from
the VPN Quarantine network to the VPN Clients network. You can set different access
policies for hosts on the VPN Quarantine network
compared to the VPN Clients network. The partners do not need to be quarantined so we
exclude them from the Quarantine Control. ISA Server uses these networks just like it
uses any other directly connected networks. That means that you can use network rules
and access rules to define the conditions under which network packets will be passed
from one network to another.
QUESTION NO: 7
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain named testking.com. The network contains an ISA
Server 2004 computer named ISA1.
ISA1 is configured as a VPN server and allows only VPN connections that use
PPTP. ISA1 is configured to use a RADIUS server named Testking1 to provide
authentication and authorization for VPN client connections.
1. In the Routing and Remote Access console, you enable the Allow custom IPSec
policy for L2TP connection option and enter a value for a preshared key.
2. In the ISA Server Management console, you enable L2TP over IPSec settings in
the VPN Clients Properties dialog box.
You need to configure ISA1 to support L2TP connections that use preshared keys.
A. In the ISA Server Management console, enable the use of a custom IPSec policy and
configure a preshared key in the Virtual Private Networks (VPN) Properties dialog
box.
B. In the ISA Server Management console, enable EAP in the Virtual Private Networks
(VPN) Properties dialog box.
C. In the RADIUS remote access policy profile for the VPN connection, add
MD5-Challenge as an authentication method.
D. In the RADIUS remote access policy profile for the VPN connection, add Protected
Extensible Authentication Protocol (PEAP) as an authentication method.
Answer: A
Explanation:
Error 792 can be caused by:
* A preshared key is configured on the client, but the key is not configured
on the Routing and Remote Access server.
* The VPN server does not have a valid machine certificate, or the certificate is missing.
* The IPSec Policy Agent service is stopped and started without stopping and starting the
Routing and Remote Access service on the remote computer.
QUESTION NO: 8
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 functions as a remote access VPN server
for the network. Remote access VPN clients can use either PPTP or L2TP over
IPSec to connect to ISA1.
Users report that after connecting to the corporate network, they cannot access file
shares on the network file server without first being presented with an
authentication prompt.
You need to ensure that users are not asked for credentials when they access file
shares.
Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two)
A. Instruct the users to log on by using their domain credentials via dial-up networking.
B. Configure ISA1 as a RADIUS client.
C. Create an access rule to enable the LDAP and LDAPS protocols from the Local Host
network to the Internal network.
D. Join ISA1 to the domain.
Answer: A, D
Explanation:
The placement of the ISA VPN server ultimately governs how user accounts are accessed
during authentication. The following authentication methods are available:
* Authenticating directly against Active Directory - If the ISA VPN server is installed as
a domain member server, users can be authenticated directly against the internal Active
Directory domain without any additional configuration.
QUESTION NO: 9
You are the network administrator for TestKing.com. TestKing has a main office
and one branch office. The network contains two ISA Server 2004 computers named
ISA1 and ISA2. ISA1 is located at the main office. ISA2 is located at the branch
office.
An IPSec tunnel mode site-to-site VPN connects the main office and branch office
networks. ISA1 has three addresses bound to its external network adapter, and
ISA2 uses a non-primary IP address to establish the IPSec tunnel mode connection
to ISA1.
Users at the branch office report that they can connect to file shares at the main
office, but they cannot connect to the Microsoft Outlook Web Access Web site.
You need to ensure that users at the branch office can access the Outlook Web
Access Web site.
A. Use a network address translation (NAT) relationship between the branch office
network and the main office network.
B. Add IP addresses to the external network adapter of ISA2.
C. Change the Phase II IPsec configuration on both ISA1 and ISA2 to use Message Digest
5 (MD5) as its integrity algorithm.
D. Create a new protocol definition for TCP port 80 outbound and use the definition in
the access rule.
Answer: D
Explanation:
As the scenario stated : Users at the branch office report that they can connect to file
shares at the main office.
Therefore we can assume that the VPN tunnel has been correctly setup and is fully
functional. All we need to do is create a rule that allow the branch office users to connect
to the OWA website. We can achieve this by creating a new protocol definition for TCP
port 80 outbound and use the definition in the access rule.
QUESTION NO: 10
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1, which is configured as a remote access VPN
server. You configure ISA1 to accept both PPTP and L2TP over IPSec VPN
connections from remote access clients.
Several users report that they cannot connect to the network. You review the log
files on ISA1 and discover that the users with failed connection attempts are all
using L2TP over IPSec.
You need to ensure that the users can connect to the network.
Answer: A
Explanation:
QUESTION NO: 11
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.
You enable VPN Quarantine Control on ISA1. You create a Connection Manager
(CM) profile and install it on VPN client computers.
The CM profile contains a script named quarantine.vbs that performs several tests
on VPN client computers to ensure conformance with TestKing policy. If a
computer passes the tests, the script executes the following command:
RQC %1 %2 %3 %4 SV1.
The variables in the command represent the parameters inherited from the CM
profile. The parameters are shown in the following table.
Variable Parameter
%1 %DialRasEntry%
%2 %TunnelRasEntry%
%3 %Domain%
%4 %UserName%
Users report that after they establish a VPN connection with ISA1, they receive a
message stating that their computer has been placed in quarantine mode. The VPN
connection is terminated, and they are prompted to reconnect. You verify that the
client computer configurations conform to TestKing policies and pass the tests in the
quarantine.vbs script.
You need to ensure that VPN client computers can be moved out of the Quarantined
VPN Clients network when the quarantine.vbs script executes successfully.
Answer: C
Explanation:
The VPN quarantine control feature allows you to screen VPN client machines before
allowing them access to the organizations network. VPN quarantine control can delay
normal remote access to a private network until the remote access client configuration has
been validated by a client-side script. Configuring quarantine control on ISA Server
requires a number of configuration steps. Before you enable quarantine mode, you must
complete the following steps:
* The /install command line switch installs the listener service. To uninstall the listener
service, use /remove.
* The SharedKey value is the key that the notification component will send to the listener
component. The notification message sent by Rqc.exe contains a text string that indicates
the version of the quarantine script being run. This string is configured for Rqc.exe as part
of its command-line parameters, as run from the quarantine script. Rqs.exe compares this
text string to a set of text strings stored in the registry of the computer running ISA
Server. If there is a match, the quarantine conditions are removed from the connection. If
the client provides a shared key that is not in the allowed set, it will be disconnected.
There can be more than one shared key, separated by "\0".
* <The path to RQS.exe> defines where the listener executable is located.
However, in this scenario we can see that the script version string is SV1. The script
runs on the client side. On the ISA Server computer there must be a registry value named
AllowedSet (under the Rqs service key) that contains the string SV1; otherwise the client is not
released from quarantine and is disconnected, which is the behaviour described in the scenario.
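The check described above, as an added example that is not Microsoft's Rqs/Rqc code: a simplified model of how the listener compares the version string sent by RQC against the AllowedSet REG_MULTI_SZ value. The registry blob, the connection names and the user name in the sample command lines are constructed for the example, and the exact-match comparison is an assumption of the model.

```python
"""Model of the AllowedSet check made by the quarantine listener (Rqs.exe).

Added example, not Microsoft's Rqs/Rqc code. RQC sends the quarantine
script's version string; the listener on the ISA Server computer lifts
quarantine only if that string appears in the AllowedSet REG_MULTI_SZ value
under the Rqs service key. The registry blobs and RQC command lines below
are constructed for the example.
"""


def parse_multi_sz(blob: bytes) -> list[str]:
    """Decode a REG_MULTI_SZ value: UTF-16LE strings separated by a single
    NUL and terminated by a double NUL. Empty entries are dropped."""
    return [s for s in blob.decode("utf-16-le").split("\0") if s]


def encode_multi_sz(values: list[str]) -> bytes:
    """Build a REG_MULTI_SZ blob (used here only to construct the sample)."""
    return ("\0".join(values) + "\0\0").encode("utf-16-le")


def rqc_version_string(cmdline: str) -> str:
    """The version string is the last argument of the RQC command line
    (the page's form is 'RQC %1 %2 %3 %4 SV1')."""
    parts = cmdline.split()
    if len(parts) < 2 or parts[0].upper() != "RQC":
        raise ValueError(f"not an RQC command: {cmdline!r}")
    return parts[-1]


def quarantine_decision(allowed_set_blob: bytes, cmdline: str) -> str:
    """Return 'release' if the client's version string is in AllowedSet,
    otherwise 'disconnect'. Assumption of this model: exact string match."""
    allowed = parse_multi_sz(allowed_set_blob)
    return "release" if rqc_version_string(cmdline) in allowed else "disconnect"


if __name__ == "__main__":
    # Constructed sample: the CM profile script runs RQC with version string
    # SV1, but the server's AllowedSet lists only SV2 (the scenario's fault).
    misconfigured = encode_multi_sz(["SV2"])
    fixed = encode_multi_sz(["SV1", "SV2"])
    client_cmd = "RQC CorpVPN CorpVPN TESTKING bob SV1"  # constructed
    print("AllowedSet=SV2     ->", quarantine_decision(misconfigured, client_cmd))
    print("AllowedSet=SV1,SV2 ->", quarantine_decision(fixed, client_cmd))
```

The first call returns "disconnect", which is exactly the behaviour the users in the scenario report; adding SV1 to AllowedSet turns the same client command into "release".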
QUESTION NO: 12
You are the network administrator for TestKing.com. TestKing has a main office
and one branch office.
The main office has one ISA Server 2004 computer named ISA1, which runs
Windows Server 2003. The branch office has one ISA Server 2004 computer named
ISA2, which runs Windows 2000 Server.
You create a site-to-site VPN connection between ISA1 and ISA2. You configure
IPSec tunnel mode for the site-to-site connection.
When you test the site-to-site VPN connection, the connection attempt fails.
You need to enable the IPSec tunnel mode site-to-site VPN connection between the
main office and the branch office.
Answer: B
Explanation:
IPSec tunnel mode - Tunneling is the entire process of encapsulation, routing, and
decapsulation. Tunneling wraps, or encapsulates, the original packet inside a new packet.
This new packet might have new addressing and routing information, which enables it to
travel through a network. When tunneling is combined with data confidentiality, the
original packet data (as well as the original source and destination) is not revealed to
those listening to traffic on the network. After the encapsulated packets reach their
destination, the encapsulation is removed, and the original packet header is used to route
the packet to its final destination.
The tunnel itself is the logical data path through which the encapsulated packets travel.
To the original source and destination peer, the tunnel is usually transparent and appears
as just another point-to-point connection in the network path. The peers are unaware of
any routers, switches, proxy servers, or other security gateways between the tunnels
beginning point and the tunnels endpoint. When tunneling is combined with data
confidentiality, it can be used to provide a VPN.
The encapsulated packets travel through the network inside the tunnel. In this example,
the network is the Internet. The gateway might be an edge gateway that stands between
the outside Internet and the private network. The edge gateway can be a router, firewall,
proxy server, or other security gateway. Also, two gateways can be used inside the private
network to protect traffic across untrusted parts of the network.
When Internet Protocol security (IPSec) is used in tunnel mode, IPSec itself provides
encapsulation for IP traffic only. The primary reason for using IPSec tunnel mode is
interoperability with other routers, gateways, or end systems that do not support L2TP
over IPSec or PPTP VPN tunneling.
To create a remote site network that uses the IPSec protocol tunneling mode on a
computer running Windows 2000 (ISA2 in our scenario), you must install the IPSecPol
tool, available on the Microsoft website.
QUESTION NO: 13
You are connecting the main office and branch office networks. You install ISA
Server 2004 on a computer at each office, and you create a site-to-site VPN
connection between the ISA Server computers.
You create remote site networks on the ISA Server computers at both offices. You
choose the L2TP over IPSec VPN protocol. You want to use a preshared key for the
IPSec authentication. You open the Routing and Remote Access console and enter
the preshared key in the Properties dialog box for the Routing and Remote Access
server.
The site-to-site L2TP over IPsec connection is successful. You then restart the ISA
Server computers and discover that the site-to-site connection fails.
You need to ensure that the L2TP over IPSec site-to-site VPN connections continue
to function properly after the ISA Server computers are restarted.
A. Re-enter the preshared keys on the ISA Server computers at both offices. Change the
preshared keys so that they include mixed-case letters, numbers, and symbols.
B. Remove all certificates for the ISA Server computers at both offices.
C. On the ISA Server computers at both offices, remove the preshared key from the
Routing and Remote Access console, and enter the key on the Authentication tab of
the Virtual Private Networks (VPN) Properties dialog box.
D. Install user certificates on the ISA Server computers in both offices and enable EAP
user authentication for the demand-dial accounts.
Answer: C
Explanation:
Error 792 or pre-shared key issues can be caused by:
* A preshared key is configured on the client, but the key is not configured
on the Routing and Remote Access server.
* The VPN server does not have a valid machine certificate, or the certificate is missing.
* The IPSec Policy Agent service is stopped and started without stopping and starting the
Routing and Remote Access service on the remote computer.
* The IPSec Policy Agent service is not running when you start the Routing and Remote
Access service.
QUESTION NO: 14
You are the network administrator for TestKing.com. TestKing has a main office
and is adding a branch office.
The main office and the new branch each have an ISA Server 2004 computer. You
want to connect the main office and the branch office networks by using a
site-to-site VPN.
You create a site-to-site VPN connection that connects the office networks by using
the L2TP over IPSec VPN protocol. Computer certificates are installed on the ISA
Server computer at each office. When you create the remote site network on each
ISA Server computer, you configure it to use certificates and a preshared key. At
each office, the preshared key is configured as the office name on the ISA Server
computer at that office.
From the ISA Server computer at the main office, you repeatedly run the ping
command to a host on the branch office network. The site-to-site VPN fails. You
open the Routing and Remote Access console and manually dial the demand-dial
interface. You receive the following error message: "The last connection attempt
failed because: The L2TP connection attempt failed because the security layer
encountered a processing error during initial negotiations with the remote
computer."
You need to enable the site-to-site VPN connection by using the most secure IPSec
authentication method possible.
Answer: C
Explanation:
Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPSec) - Layer
Two Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol that
provides encapsulation for sending Point-to-Point Protocol (PPP) frames across IP networks. The
Microsoft implementation of the L2TP protocol uses Internet Protocol security (IPSec)
encryption to protect the data stream from the VPN client to the VPN server. L2TP/IPSec
connections require user-level authentication and, in addition, computer-level
authentication using computer certificates OR a pre-shared key. In this scenario we are
using both, thus we need to remove the pre-shared keys to achieve the highest possible
security.
QUESTION NO: 15
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 functions as a VPN remote access server.
Remote access VPN clients use either PPTP or L2TP over IPSec to connect to ISA1.
All remote access VPN client computers are configured as both Web Proxy and
Firewall clients of ISA1.
You create an access rule to allow domain users on the VPN Clients network access
to all protocols and Web sites on the Internet.
A user named Bob logs on to his portable computer by using a local user account
and establishes a VPN connection to ISA1 by using his domain credentials. You
discover that Bob cannot connect to the Internal network when the VPN connection
to ISA1 is active.
You need to ensure that Bob can access the Internal network while maintaining a
VPN connection to ISA1.
Answer: C
Explanation:
As the scenario states: a user named Bob logs on to his portable computer by using a
local user account and establishes a VPN connection to ISA1 by using his domain
credentials.
Therefore we can assume that the VPN tunnel has been correctly set up and is fully
functional. All we need to do is create a rule that allows Bob to connect to the Internal
network. We can achieve this by creating an access rule to allow connections from the
VPN Clients network to the Internal network.
QUESTION NO: 16
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 provides Internet access for all users on
TestKing's network.
All computers on the network are configured as SecureNAT clients. You create an
access rule on ISA1 that allows all users access to all protocols on the External
network.
You view the Firewall log and the Web Proxy filter log on ISA1 and notice that the
URLs of Web sites visited by TestKing users are not displayed.
You need to ensure that the URLs of Web sites visited by TestKing users are
displayed in the ISA1 log files.
Explanation:
The user name is only included in Firewall and Web Proxy logs when a client sends that
information to the ISA firewall. A client piece is always required to send user information
to the firewall since there are no provisions in the layer 1 through 6 headers to provide
this information. Only the Firewall client and Web Proxy client configurations can send
user information to the ISA firewall and have this information included in the log files.
SecureNAT client connections allow for logging of the source IP address, but user
information is never recorded for machines configured as only SecureNAT clients. Note
that there is no option to log the URL in the Firewall Logging Properties. The reason for
this is that the Firewall client doesn't send the URL for Web sites accessed via the
Firewall client. However you can fix this by correctly setting up the Web proxy client
configuration.
QUESTION NO: 17
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is configured to provide forward Web
caching for users on the Internal network.
During periods of peak usage, users report that it takes longer than usual for Web
pages to appear. You suspect that insufficient memory is the source of the slow
performance of ISA1.
You need to verify whether insufficient memory is the source of the slow
performance.
Which two System Monitor performance counters should you add? (Each correct
answer presents part of the solution. Choose two)
A. Memory\Pages/sec
B. Process(W3Prefch)\Pool Nonpaged Bytes
C. ISA Server Cache\Memory Usage Ratio Percent (%)
D. Physical Disk\Avg. Disk Queue Length
E. ISA Server Cache\Disk Write Rate (writes/sec)
F. Memory\Pool Nonpaged Bytes
Answer: A, C
You use Network Monitor to capture and analyze inbound traffic from the Internet
to ISA1. You notice a high volume of TCP traffic that is sent in quick succession to
random TCP ports on ISA1. The flag settings of the traffic are shown in the
following example.
You want to be able to create a custom alert that is triggered whenever ISA1
experiences traffic that uses invalid flag settings to discover open ports. You do not
want the alert to be triggered by traffic that uses valid flag settings in an attempt to
discover open ports. You want to accomplish this goal by selecting only the
minimum number of options in the Intrusion Detection dialog box.
To answer, configure the appropriate option or options in the dialog box in the
answer area.
Answer:
Explanation:
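The distinction the question draws, between probes that use invalid TCP flag settings and probes that use valid ones, as an added example that is not ISA Server code and does not reproduce ISA's intrusion-detection rules: a small classifier run over constructed traffic. The definition of "valid" used here (a bare SYN, or any segment carrying ACK), the ten-port threshold and the sample addresses are assumptions made for the example.

```python
"""Sort TCP probes by flag validity: an added example, not ISA Server code.

A well-behaved peer opens a connection with a bare SYN and every later segment
carries ACK. Probes with no flags set (NULL scan), SYN+FIN, or FIN/PSH/URG
without ACK never occur in a normal handshake; they are sent to tell open
ports from closed ones by how the stack reacts. The rules and the sample
traffic below are assumptions for this example, not ISA's detection logic.
"""
from collections import defaultdict
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Probe:
    src: str      # source IP address
    dport: int    # destination TCP port on ISA1
    flags: int    # TCP flag bits


def flags_are_valid(flags: int) -> bool:
    """True for settings a legitimate peer can send: a bare SYN or anything
    carrying ACK. SYN together with FIN is always invalid."""
    if flags & SYN and flags & FIN:
        return False
    return flags == SYN or bool(flags & ACK)


def classify_sources(probes, min_ports: int = 10) -> dict:
    """Group probes by source. A source touching at least min_ports distinct
    ports is a scan; report whether any of its probes used invalid flags.
    Sources below the threshold map to None (not considered a scan)."""
    by_src = defaultdict(list)
    for p in probes:
        by_src[p.src].append(p)
    result = {}
    for src, plist in by_src.items():
        if len({p.dport for p in plist}) < min_ports:
            result[src] = None
        elif any(not flags_are_valid(p.flags) for p in plist):
            result[src] = "invalid-flag scan"
        else:
            result[src] = "valid-flag scan"
    return result


def sample_probes():
    """Constructed traffic: a NULL scan, a SYN scan and a few legitimate SYNs."""
    null_scan = [Probe("198.51.100.7", port, 0)
                 for port in (22, 25, 80, 135, 139, 443, 445, 1433, 3389, 8080, 8443, 50123)]
    syn_scan = [Probe("203.0.113.9", port, SYN) for port in range(1, 21)]
    legit = [Probe("192.0.2.5", 443, SYN), Probe("192.0.2.5", 443, ACK),
             Probe("192.0.2.5", 80, SYN)]
    return null_scan + syn_scan + legit


if __name__ == "__main__":
    for src, verdict in classify_sources(sample_probes()).items():
        print(f"{src:>14}: {verdict}")
```

Only the NULL-scan source is reported as an invalid-flag scan; the SYN scanner is reported separately as a valid-flag scan, which is the traffic the question says must not trigger the alert.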
QUESTION NO: 19
You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 is
configured to publish two Web sites named www.fabrikam.com and
www.testking.com. Both Web sites are located on a Windows Server 2003 computer
named Testking1. The IP address of Testking1 is 10.0.0.2.
The Web publishing rules are configured as shown in the following display.
The default log view does not allow you to easily distinguish between requests for
www.fabrikam.com/info and requests for www.testking.com/info. A sample of the
log with the relevant entries is shown in the following table.
A. On ISA1, configure two Hosts file entries that resolve both FQDNs to 10.0.0.2.
Configure each Web publishing rule to use the FQDN of its respective Web site on the To
tab.
In the log viewer, add to the default log filter expression a condition where the URL
contains the text string "info".
B. On ISA1 configure two Hosts file entries that resolve both FQDNs to the external IP
address of ISA1.
Configure each Web publishing rule so that requests appear to come from the original
client computer.
In the log viewer, add a column to display the destination host name.
In the log viewer, add to the default log filter expression a condition where the URL
contains the text string "info".
C. In the log viewer, add two conditions to the default log filter expression.
Configure the first condition so that the Rule equals Web Publish 1.
Configure the second condition so that the Rule equals Web publish 2.
In the log viewer, add a column to display the destination host name.
D. In the log viewer, add two conditions to the default log filter expression.
Configure the first condition so that Server contains Fabrikam.
Configure the second condition so that Server contains Testking.
In the log viewer, add a column to display the destination host name.
Answer: A
Explanation:
QUESTION NO: 20
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1 and a Windows Server 2003 computer named
Testking1. Both ISA1 and Testking1 are members of an Active Directory domain
named testking.com
You configure ISA1 to generate daily reports and automatically publish them to a
shared folder named DailyReports on Testking1. You create an account named
Testking\IsaReports. You configure ISA to create reports in the security context of
the Testking\IsaReports account.
The current permissions on the DailyReports folder are shown in the following
table.
You need to configure the minimum NTFS permissions on the DailyReports folder.
A. Change the allowed permissions for the system object from Full Control to Modify.
B. Change the allowed permissions for the Testking\IsaReports object from Full Control
to Read.
C. Change the allowed permissions for the Testking\IsaReports object from Full Control
to Write.
D. Change the allowed permissions for the system object from Full Control to Read and
Write.
Answer: C
Explanation:
Reports are collections of information generated from data collected from the ISA Server
log files. You can use the reporting feature to summarize and analyze common usage
patterns such as:
* Internet users and the Web sites that are accessed.
* The protocols and applications most often used.
* General traffic patterns.
* The cache hit ratio.
You can also use reports to monitor the security of your network, such as attempts to
access internal resources or the number of connections to a published server. You can
generate a report immediately or you can schedule reports to generate on a recurring
basis. The report can include daily, weekly, monthly, or yearly data.
The Microsoft ISA Server Job Scheduler service must be running to create a report and if
you publish the report to a shared folder, be sure to supply credentials that will be used by
the reporting engine for publishing. These credentials should have write permissions in
the specified folder. To allow others to view the published report, give them read
permissions to that folder. In this scenario we are using the Testking\IsaReports account,
therefore we should remove the Full Control permission and change it to Write, the
minimum the reporting engine needs to publish the report.
QUESTION NO: 21
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain. All client computers run either Windows 2000
Professional or Windows XP Professional. All client computers are members of the
domain.
To increase network security, you install ISA Server 2004 on a computer named
ISA1. ISA1 connects to the Internet. You configure automatic discovery on the
network. You configure client computers as SecureNAT clients. You verify that
client computers can use the application on Testking1.
You then distribute the Firewall Client software to all client computers by using
Group Policy.
Users now report that they cannot use the application on Testking1.
You need to configure client computers on the network to allow the application on
Testking1 to function properly. Your solution must not affect other applications.
Answer: B
Explanation:
For most Winsock applications, the default Firewall Client configuration that is
downloaded from the ISA Server computer works with no further modification needed.
However, in some cases, you will need to add specific client configuration information.
For example, if one Firewall client computer requires an application setting that is
different from all other clients, you will need to configure the application settings on that
particular computer. The configuration is done by making changes to Firewall Client .ini
files. The Firewall Client configuration information is stored in a set of files, which are
installed on the Firewall client computer. The following files are used to configure the
local Firewall client settings:
Wspcfg.ini - This was previously used with ISA 2000 and Proxy server 2.0 and this file is
located in a specific client program folder. The ISA Server computer does not overwrite
this file. As a result, if you make configuration changes in this file, these changes apply
only to the specific client.
QUESTION NO: 22
You are the network administrator for TestKing.com. TestKing has a main office
and one branch office. The network contains two ISA Server 2004 computers named
ISA1 and ISA2. The relevant portion of the network is configured as shown in the
exhibit.
While monitoring ISA2, you discover that Web requests from client computers in
the branch office for servers located in the branch office are being resolved by ISA2.
What are two possible ways to achieve this goal? (Each correct answer presents a
complete solution. Choose two)
A. Configure the client computers as Web Proxy clients of ISA2. Configure the list of
domain names available on the Internal network on ISA1 to include the *.testking.com
domain.
B. Configure the client computers as Web Proxy clients of ISA2. Configure the Web
browser to include the *.branch.testking.com domain.
C. Configure the client computers as Firewall clients. Configure the list of domain names
available on the Internal network on ISA2 to include the *.branch.testking.com domain.
D. Configure the client computers as Firewall clients. Configure the list of domain names
available on the Internal network on ISA1 to include the *.branch.testking.com domain.
Answer: B, C
Explanation:
The Internal Network Domain Tab - Here you enter a list of internal network domains.
When the firewall client connects to a host located in one of these domains, the
connection request bypasses the Firewall client application. The primary rationale for this
is that if all the machines located in the same domain are located behind the same NIC,
then the Firewall client machine can communicate directly without looping back through
the ISA firewall. This reduces the overall load on the ISA firewall and improves client
performance because the connection doesn't incur any Firewall processing overhead.
Further, the Domains tab can be used to control the behavior of Web Proxy clients when
accessing external sites.
Directly access computers specified on the Domains tab - This allows the Web Proxy
client configured with the autoconfiguration script to use the domains listed on the
Domains tab for Direct Access. Direct Access for Web Proxy clients allows the Web
Proxy client computer to bypass the Web Proxy on the ISA firewall and connect directly
to the destination, either via the machine's SecureNAT client configuration or via the
machine's Firewall client configuration. This is useful if you want to leverage the domains
already entered on the domains tab and use them for Direct Access. In our scenario we
must also enter the *.branch.testking.com domain in the web browser exception list.
TestKing's written security policy states that the ISA Server logs must record the
user name for all outbound Internet access. All client computers are configured with
the Firewall client and the Web Proxy client and are not configured with a default
gateway.
Users in the marketing department require access to an external POP3 and SMTP
mail server so that they can use an alternate e-mail address when they sign up for
subscriptions on competitors' Web sites. You create and apply an ISA Server access
rule as shown in the following display.
You need to ensure that the marketing department users can connect to the external
mail server.
A. Configure the marketing computers with the IP address of a DNS server that can
resolve external names to IP addresses.
B. Configure the marketing computers with a default gateway address that corresponds to
the IP address of ISA1 on the Internal network.
C. On ISA1, enable Outlook in the Firewall client settings.
D. On ISA1, create a computer set that contains the marketing computers.
Answer: C
QUESTION NO: 24
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain named testking.com. The network contains an ISA
Server 2000 computer named ISA1.
All client computers have the ISA Server 2000 Firewall Client software installed.
Client computers are configured to use an internal DNS server. Two Windows
Server 2003 computers named App1 and App2 run a Web-based application that is
used to process TestKing data.
You configure ISA1 with protocol rules to allow HTTP, HTTPS, RDP, POP3, and
SMTP access.
The list of domain names available on the Internal network on ISA1 contains the
following entries:
1. *.south.testking.com
2. *.north.testking.com
3. *.east.testking.com
4. *.west.testking.com
You perform an in-place upgrade of ISA1 by using the ISA Server 2004 Migration
Tool. When you use Network Monitor on ISA1, you discover that client requests for
App1 and App2 are being passed through ISA1.
A. Create and configure HTTP, HTTPS, RDP, POP3, and SMTP access rules on ISA1.
B. Configure an Application.ini file on the client computers.
C. Redeploy the ISA Server 2004 Firewall Client software by distributing it to the client
computers by using Group Policy.
D. Add app1.testking.com and app2.testking.com to the list of domain names available on
the Internal network on ISA1.
Answer: D
Explanation:
The Internal Network Domain Tab - Here you enter a list of internal network domains.
When the firewall client connects to a host located in one of these domains, the
connection request bypasses the Firewall client application. The primary rationale for this
is that if all the machines located in the same domain are located behind the same NIC,
then the Firewall client machine can communicate directly without looping back through
the ISA firewall. This reduces the overall load on the ISA firewall and improves client
performance because the connection doesn't incur any Firewall processing overhead.
Further, the Domains tab can be used to control the behavior of Web Proxy clients when
accessing external sites.
Directly access computers specified on the Domains tab - This allows the Web Proxy
client configured with the autoconfiguration script to use the domains listed on the
Domains tab for Direct Access. Direct Access for Web Proxy clients allows the Web
Proxy client computer to bypass the Web Proxy on the ISA firewall and connect directly
to the destination, either via the machine's SecureNAT client configuration or via the
machine's Firewall client configuration. This is useful if you want to leverage the domains
already entered on the domains tab and use them for Direct Access.
QUESTION NO: 25
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. The relevant portion of the network is shown in
the exhibit.
Users on the network report that they cannot access the Internet.
You need to configure the client computers on the network to allow Internet access.
Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two)
Answer: B, E
Explanation:
In the simple network scenario, the default gateway of the SecureNAT client is
configured as the IP address of the Internal interface of the ISA 2004 firewall. You can
manually configure the default gateway address, or you can use DHCP to automatically
assign addresses to the SecureNAT clients. The DHCP server can be on the ISA 2004
firewall itself, or it can be located on a separate machine on the Internal network. In the
'complex network scenario,' the Internal network consists of multiple network IDs that are
managed by a router, a series of routers, or layer 3 switches. In the case of the complex
network, the default gateway address assigned to each SecureNAT client depends on the
location of the SecureNAT client computer. The gateway address for the SecureNAT
client will be a router that allows the SecureNAT client access to other networks within
the organization, as well as the Internet. The routing infrastructure must be configured to
support the SecureNAT client so that Internet-bound requests are forwarded to the
Internal interface of the ISA 2004 firewall.
QUESTION NO: 26
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer named ISA1. All Internet access for the local network
occurs through ISA1.
You configure ISA1 with two access rules for outbound HTTP access. The rules are
named HTTP Access 1 and HTTP Access 2.
HTTP Access 1 is configured to use the All Authenticated Users user set as a
condition. HTTP Access 2 is configured to use the All Users user set as a condition,
and it restricts outbound HTTP traffic to the IP address of Testking1.
You need to allow the Web application to use anonymous credentials when it
communicates with www.testking.com. You also need to require authentication on
ISA1 for all users when they access all external Web sites.
A. On Testking1, configure Web Proxy clients to bypass the proxy server for the IP
address of the server that hosts www.testking.com.
B. On ISA1, add the fully qualified domain name (FQDN) www.testking.com to the list
of domain names available on the Internal network.
C. On ISA1, disable the Web Proxy filter for the HTTP protocol.
D. Modify the order of the access rules so that HTTP Access 2 is processed before HTTP
Access 1.
Answer: D
Explanation:
The ordering of Access Rules is important to ensure that your Access Policy works the
way you expect it to work. We recommend the following ordering of Access Rules:
* Put Web Publishing Rules and Server Publishing Rules on the top of the list.
* Place anonymous Deny Access Rules under the Web Publishing Rules and Server
Publishing Rules. These rules do not require user authentication and do not require the
client to be from a specific location (such as part of a Computer Set).
* Place anonymous Allow Access Rules under the Anonymous Deny Access Rules.
These rules do not require user authentication and do not require the client to be from a
specific location (such as part of a Computer Set).
* Place Deny Access Rules requiring authentication below the anonymous Allow Access
Rules.
* Place Allow Access Rules requiring authentication below the Deny Access Rules
requiring authentication.
It is important that anonymous rules that apply to the same protocol as an authenticated
access rule be applied first if it is your intent to allow anonymous access for that protocol.
If you do not put the anonymous access rule before the authenticated Access Rule, then
the connection request will be denied to the anonymous user (typically a SecureNAT
client) for that protocol.
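The ordering argument above, as an added example that is not ISA Server code and not part of the original study guide: a small first-match simulator for the two rules in QUESTION NO: 26, plus a check that flags an anonymous rule ordered below an authenticated rule for the same protocol. The Testking1 and workstation addresses are constructed placeholders, and the evaluation semantics are a simplification of the real firewall policy engine.

```python
"""First-match simulation of ISA Server 2004 access rule ordering (added example).

Models the two rules from QUESTION NO: 26: HTTP Access 1 (All Authenticated
Users, any source) and HTTP Access 2 (All Users, source restricted to
Testking1). Addresses are constructed placeholders; the semantics are a
simplification of the real firewall policy engine.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_USERS = "All Users"                          # includes anonymous clients
ALL_AUTHENTICATED_USERS = "All Authenticated Users"

TESTKING1_IP = "10.0.0.50"      # constructed: the Web application server
WORKSTATION_IP = "10.0.0.101"   # constructed: an ordinary client computer


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str
    user_set: str
    source: Optional[str] = None     # None means any source address


@dataclass(frozen=True)
class Request:
    client_ip: str
    protocol: str
    # Web Proxy and Firewall clients can answer a credential challenge;
    # SecureNAT clients and the anonymous Web application cannot.
    can_authenticate: bool


HTTP_ACCESS_1 = Rule("HTTP Access 1", "HTTP", ALL_AUTHENTICATED_USERS)
HTTP_ACCESS_2 = Rule("HTTP Access 2", "HTTP", ALL_USERS, source=TESTKING1_IP)


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Return (decision, rule name) from the first rule matching protocol and source.

    ISA stops at the first rule whose protocol and source match. If that rule
    requires authentication and the client cannot supply credentials, the
    request is denied right there; anonymous rules further down are never reached.
    """
    for rule in rules:
        if rule.protocol != req.protocol:
            continue
        if rule.source is not None and rule.source != req.client_ip:
            continue
        if rule.user_set == ALL_AUTHENTICATED_USERS and not req.can_authenticate:
            return "deny", rule.name
        return "allow", rule.name
    return "deny", "Default rule"       # ISA's implicit final deny


def ordering_warnings(rules: List[Rule]) -> List[str]:
    """Flag each anonymous rule that sits below an authenticated rule for the
    same protocol, the mistake the ordering guidance above warns against."""
    warnings = []
    for i, rule in enumerate(rules):
        if rule.user_set != ALL_USERS:
            continue
        for earlier in rules[:i]:
            if (earlier.protocol == rule.protocol
                    and earlier.user_set == ALL_AUTHENTICATED_USERS):
                warnings.append(
                    f"'{rule.name}' (anonymous) is ordered after "
                    f"'{earlier.name}' (authenticated) for {rule.protocol}")
    return warnings


def policy_before() -> List[Rule]:
    """The order described in the question: authenticated rule first."""
    return [HTTP_ACCESS_1, HTTP_ACCESS_2]


def policy_after() -> List[Rule]:
    """Answer D: HTTP Access 2 processed before HTTP Access 1."""
    return [HTTP_ACCESS_2, HTTP_ACCESS_1]


# Constructed sample requests.
WEB_APP_REQUEST = Request(TESTKING1_IP, "HTTP", can_authenticate=False)
USER_REQUEST = Request(WORKSTATION_IP, "HTTP", can_authenticate=True)
SECURENAT_REQUEST = Request(WORKSTATION_IP, "HTTP", can_authenticate=False)

if __name__ == "__main__":
    for label, policy in (("before", policy_before()), ("after", policy_after())):
        print(label, "web app:", evaluate(policy, WEB_APP_REQUEST),
              "user:", evaluate(policy, USER_REQUEST),
              "securenat:", evaluate(policy, SECURENAT_REQUEST))
        for warning in ordering_warnings(policy):
            print("  warning:", warning)
```

With the authenticated rule first, the Web application on Testking1 is denied by HTTP Access 1; once HTTP Access 2 is moved above it, the application is allowed anonymously while every other client still has to authenticate against HTTP Access 1.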
All client computers run Windows XP Professional. All client computers are
configured as SecureNAT clients and require access to the Internet.
You create a security group named Marketing for the marketing department. You
add the users in the marketing department to the Marketing group. You create an
access rule to allow TCP port 3333 for only the users in the marketing department.
Members of the Marketing group report that they cannot connect to Webapp.
You need to ensure that only users in the marketing department can connect to
Webapp.
A. Enable the Firewall Client installation configuration group on ISA1. Add the
marketing client computers to the list of trusted computers.
B. Use Group Policy to assign the MS_FWC.msi file to the client computers in the
Marketing group.
C. Enable Web Proxy client support on the Local Host network. Enable SSL listening on
port 8443.
D. Configure the Internal network on ISA1 to require authentication for all users. Enable
SSL certificate authentication on the Internal network.
Answer: B
Explanation:
The Firewall client software is an optional client piece that can be installed on any
supported Windows operating system to provide enhanced security and accessibility. The
Firewall client software provides the following enhancements to Windows clients:
QUESTION NO: 28
You are a network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.
Remote users establish VPN connections to ISA1 to access resources on the Internal
network. Remote users are required to use a smart card when they establish VPN
connections.
Another administrator reports that remote users can still establish VPN connections
to ISA1 after their smart card certificate has been revoked and a new certification
revocation list (CRL) has been published.
You need to ensure that users whose smart card certificates are revoked cannot
establish VPN connections to ISA1.
Explanation:
Verify that incoming client certificates are not revoked - Select this check box to specify
that when ISA Server receives a certificate from a client, it will automatically check if the
certificate is revoked. If the certificate is revoked, the client request will be denied.
Verify that incoming server certificates are not revoked in a forward scenario - Select this
check box to specify that ISA Server will automatically check if incoming server
certificates, in an SSL bridging scenario, are revoked. If the certificate is revoked, the
request will be denied.
Verify that incoming server certificates are not revoked in a reverse scenario - Select this
check box to specify that ISA Server will automatically check if server certificates, in a
Web publishing scenario, are revoked. If the certificate is revoked, the request will be
denied.
In this scenario we must ensure that users cannot establish VPN connections to ISA1
after their smart card certificate has been revoked and a new certification revocation list
(CRL) has been published. Therefore we must enable the Verify that incoming client
certificates are not revoked check box in the general settings of the ISA Server.
QUESTION NO: 29
You are the network administrator for TestKing.com. You install ISA Server 2004
on a computer that has three network adapters. One of the network adapters is
connected to the Internet, one is connected to the Internal network, and one is
connected to a perimeter network.
The perimeter network adapter and the internal network adapter are connected to
private address networks.
You configure ISA Server by applying the 3-Leg Perimeter network template. You
run the 3-Leg Perimeter Network Template wizard. You then make the following
changes to the firewall policy:
1. Create an access rule to allow all traffic between the Internal network and the
Internet.
2. Create an access rule to allow all traffic between the Internal network and the
perimeter network.
3. Create an access rule to allow SMTP traffic from an SMTP server on the
perimeter network to a Microsoft Exchange Server computer on the Internal
network.
4.
Users report that they cannot receive e-mail messages from users outside of the
Internal network.
You need to allow users to receive e-mail messages from other users on the Internet.
You do not want to create a server publishing rule.
A. Change the network rule that controls the route relationship between the perimeter
network and the Internal network to Route.
B. Change all network rules that control the route relationship between the Internal
network, perimeter network, and External network to Route.
C. Change the network rule that controls the route relationship between the perimeter
network and the External network to Nat.
D. Change all network rules that control the route relationship between the Internal
network, perimeter network, and External network to Nat.
Answer: A
Explanation:
The trihomed DMZ Template allows you to configure the ISA firewall with three or more
network adapters, using the additional network adapters as Perimeter network or DMZ
segments. The trihomed DMZ Network Template is interesting because it sets some
Network Rules which might be counterintuitive to the majority of ISA
firewall administrators. After running the trihomed DMZ Network Template, you'll find
that:
QUESTION NO: 30
You are the network administrator for TestKing.com. The relevant portion of the
network is configured as shown in the Network exhibit.
TestKing has a main office and one branch office. An ISA Server 2004 computer
named ISA2 connects to a Routing and Remote Access server named RRAS1.
You view the firewall policy on ISA2 as shown in the Firewall Policy exhibit.
You configure the dial-on-demand failure alert on ISA2 to send an e-mail alert to
the securityadmin@testking.com SMTP alias. EXCH2 is listed as the mail server on
the dial-on-demand failure alert. You confirm that the alert is issued, but the e-mail
for the alert is not received.
You need to configure ISA2 to ensure that the e-mail alert is received.
A. Enable the RPC from ISA Server to trusted servers system policy rule.
B. Enable the Allow SMTP from ISA Server to trusted servers system policy rule.
C. On ISA2, configure an access rule to allow POP3 from the Local Host network to
EXCH2.
D. On ISA2, configure a server publishing rule to EXCH2 for Exchange RPC.
Explanation:
To maintain the functionality and security of ISA Server and the networks protected by
ISA Server, you must know when specific events occur on the ISA Server computer. For
example, you need to know if an ISA Server service stops responding, or if a specific type
of intrusion is detected. You can use the ISA Server alert service to notify you when
specific events occur, as well as to configure alert definitions to trigger a series of actions
when an event occurs.
An alert is a notification of an event or action that has occurred on ISA Server. When the
event occurs, an alert is triggered according to the conditions and trigger thresholds
specified for the event.
In our scenario we want to send an email to securityadmin@testking.com if an alert
occurs. Therefore SMTP traffic must be allowed from ISA2 to the EXCH2 server. We
can achieve this by enabling the Allow SMTP from ISA Server to trusted servers system
policy rule, since it is disabled according to the exhibit.
QUESTION NO: 31
You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 has
two network adapters. Access rules allow users on the Internal network to have
HTTP access to the Internet.
You add a third network adapter to ISA1 and connect the third network adapter to
a perimeter network. You place a Web server named WebServerTK2 on this
perimeter network segment.
Users report that they cannot access information on WebServerTK2. When they
attempt to access the Web site, they receive the following error message: "Error
Code 10060: Connection timeout. Background: There was a time out before the
page could be retrieved. This might indicate that the network is congested or that
the website is experiencing technical difficulties."
You need to ensure that users on the Internal network can access information on
WebServerTK2. First, you verify that WebServerTK2 is operational.
A. Create a network rule that sets a route relationship between the Internal network and
the perimeter network.
B. Create a server publishing rule that publishes WebServerTK2 to the Internal network.
C. Create a Web publishing rule that publishes WebServerTK2 to the Internal network.
D. Create an access rule that allows WebServerTK2 access to the Internal network.
Answer: A
Explanation:
You will need to create new Networks whenever a new Network is introduced into your
environment. A common reason to add a new Network is when you install additional
NICs into the ISA firewall. Since all addresses located behind any particular NIC are
considered a Network by the ISA firewall, you need to create a new Network when
additional NICs are added to the firewall. Also we must create a network relationship
between networks. This can be a route or NAT relationship. If there is no relationship
between networks, then all traffic will be dropped by the ISA Server. Therefore we need
to create a route relationship between the internal network and perimeter network to make
it work.
QUESTION NO: 32
You are the network administrator for TestKing.com. TestKing has a main office
and three branch offices. The network contains an ISA Server 2004 computer
named ISA1, which is located at the main office.
You plan to deploy new ISA Server 2004 computers for the branch offices. You
name one of the new computers ISA2. You perform the following tasks:
You install ISA Server 2004 on ISA2 by using an unattended installation. When the
installation is finished, you discover that the ISA Server 2004 configuration settings
from ISA1 are not copied to ISA2.
A. Export the system policy rules on ISA1 to another file named ISA1SystemPolicy.xml.
Add the following lines to the C:\Msisaund.ini file on ISA2:
IMPORTISACONFIG=1
IMPORT_CONFIG=ISASETUPCONFIG.XML
IMPORT_CONFIG=ISA1SystemPolicy.xml
Run an unattended setup by using this Msisaund.ini file on each new ISA Server 2004
computer.
B. Back up the array configuration on ISA1. Save the file as C:\Msisaunattended.xml.
Run the following command from the ISA Server 2004 installation media:
setup.exe /unattended:ISASETUPCONFIG.XML C:\Msisaund.ini
C. Create an individual ISASETUPCONFIG.XML file for each branch office ISA Server
2004 computer.
Edit each ISASETUPCONFIG.XML file to include the internal network addresses for the
respective branch office.
Edit the Msisaund.ini file from ISA2 by adding the following line.
IMPORT_CONFIG_FILE=ISASETUPCONFIG.XML
Run an unattended setup by using the Msisaund.ini file from ISA2 on each new ISA
Server 2004 computer.
D. Create a file named Msisaunattend.txt. Include the following lines:
UNATTENDED=1
EXPORT_ISACONFIG=0
FILEPATH=ISASETUPCONFIG.XML
Run an unattended setup by using this Msisaunattend.txt file on each new ISA Server
2004 computer.
Answer: C
Explanation:
You can perform an unattended installation of the ISA firewall to simplify provisioning
multiple ISA firewalls using a common installation and configuration scheme. The
unattended installation depends on the proper configuration of the msisaund.ini file,
which contains the configuration information used by ISA firewall setup in unattended
mode.
One of the values you can configure in msisaund.ini is IMPORT_CONFIG_FILE=<configfilename>,
which specifies a configuration file to import.
QUESTION NO: 33
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.
You deploy an internal certification authority (CA). You deploy client certificates to
users. You configure client certificate mapping for internal network users.
All client computers are configured as Web Proxy clients. You configure the
Internal network to allow only certificate-based authentication for Web Proxy
clients.
You revoke a user's certificate. After one week, you discover that ISA1 is still
authenticating Web requests for that user.
A. Add the All Networks (and Local Host) network set as a destination for the Allow
access to directory services for authentication purposes system policy rule.
B. Create a new content type set. Select the application/pkix-crl and
application/x-x509-ca-cert MIME types as the content type to allow.
C. Enable the Verify that incoming server certificates are not revoked in reverse scenario
certificate validation setting on ISA1, and enable the related system policy rule.
D. Enable the Verify that incoming client certificates are not revoked certificate
validation setting on ISA1, and enable the related system policy rule.
Answer: D
QUESTION NO: 34
You are a network administrator for TestKing.com. The network contains an ISA
Server 2004 array that is configured to use Network Load Balancing. The array
contains two members. The array is used to publish internal Web servers. Users
access internal Web servers by using the URL http://www.testking.com. The URL
resolves to a single virtual IP address.
You implement a new Web site named Testking1. To access Testking1, users must
authenticate by using credentials that are stored on a third-party RADIUS server.
You publish Testking1 on the array.
You need to ensure that users can access Testking1 by using the third-party
RADIUS server. You must ensure that requests are load balanced by all array
members.
A. On each array member, add a second IP address. Create a new listener that uses the
new address. Configure the listener to use RADIUS authentication.
B. Configure one array member to listen for requests to www.testking.com on one
listener. Configure the other array member to listen for requests to Testking1 on a new
listener. Configure each listener to use the appropriate authentication method.
C. Use the Network Load Balancing console to configure each array member to use an
affinity setting for None. Configure the listener to use RADIUS authentication.
D. Add a second unique network address to the external interface of each array member.
Configure www.testking.com to resolve to the new addresses by using DNS round
robin. Configure the listener to use RADIUS authentication.
Explanation:
Network Load Balancing provides high availability and scalability of servers using a
cluster of two or more host computers working together. Clients access the cluster using
either an IP address or a set of addresses. The clients are unable to distinguish the cluster
from a single server. Server applications do not identify that they are running in a cluster.
However, an NLB cluster differs significantly from a single host running a single server
application because it can provide uninterrupted service even if a cluster host fails. The
cluster can also respond more quickly to client requests than a single host can. You can
configure NLB on the External network of an ISA Server Enterprise Edition array, so that
client requests from the Internet are distributed among the array computers. NLB will be
automatically configured in unicast mode and single affinity. Single affinity ensures that
all network traffic from a particular client be directed to the same host.
You may want to publish your Web sites using Network Load Balancing (NLB) in your
ISA Server array. For the most effective use of NLB, your Web listener should listen on
the NLB virtual IP address. If you configure your Web listener to listen on all of the IP
addresses for the network adapters, it will listen on the virtual IP address, which will
distribute requests using NLB. Therefore we need to add a second IP address on the
external adapter of each array member and configure a listener with RADIUS authentication.
QUESTION NO: 35
You are the network administrator for TestKing.com. The network contains an ISA
Server 2000 computer named ISA1.
ISA1 connects to the Internet. ISA1 is configured with access rules to allow Internet
access for all users. All client computers are configured as Web Proxy clients of
ISA1.
You are deploying a new ISA Server 2004 computer named ISA2 for use by the
research department. You run the ISA Server 2004 Migration Tool on ISA1. You
save the resulting configuration to a file named Backupconfig.xml. You install ISA
Server 2004 on ISA2, and you import Backupconfig.xml on ISA2.
On ISA2, you configure the Internal network with a valid IP address range for the
research department client computers. You configure a Web chaining rule on ISA2
to redirect Web requests to ISA1. You configure client computers in the research
department as Web Proxy clients of ISA2.
You need to ensure that users of client computers in the research department can
connect to the Internet.
A. Change the external IP address on ISA2 to a valid IP address for the external network.
B. On ISA2, save its configuration as ISAbackup.xml. Restart the Microsoft Firewall
service on ISA2. Then import the configuration.
C. Configure the research department client computers as Firewall clients of ISA2.
Enable automatic discovery on ISA2.
D. Perform an ISA Server 2004 in-place upgrade on ISA1. On ISA2, configure access
rules to allow Internet access for the research department users.
Answer: A
Explanation:
Microsoft ISA Server 2004 includes an export and import feature that you can use to save
ISA Server configuration parameters to an .xml file. You can use the configuration in the
file as a backup to your configuration, or to copy the configuration to another ISA Server
computer. You can export on many levels in ISA Server. For example, you can export an
entire firewall policy, a single rule, or a single network object. Also, you can back up your
entire configuration so that you can restore it at a later date.
If you want to set up another ISA Server computer with the same policy as the one that
you have configured, but the server is located in a different part of the network, possibly
in another domain, and has different network relationships, you cannot use the complete
configuration. The solution is to export the firewall policy, import it on the other ISA
Server computer, and then modify the network details in the firewall policy rules as
necessary. After that you can import it on the new ISA Server.
In this scenario we need to change the ISA2 external network adapter ip address, because
it needs an ip address that differs from ISA1.
QUESTION NO: 36
You are a network administrator for TestKing.com. TestKing has a main office and
one branch office. The main office has a high-speed Internet connection. The branch
office has a dial-up Internet connection.
You need to configure the branch office ISA Server computer to meet the following
requirements:
1. Ensure that users in the branch office can access the Internet.
2. Ensure that users in the branch office are restricted by the main office access rules
when accessing the Internet.
3. Ensure that all information sent over the Internet is encrypted between the
offices.
A. Create a dial-up connection to the main office. Configure ISA Server to use the dial-up
connection as the default gateway. Configure a dial-up user account.
B. Create a dial-up connection to an ISP. Configure ISA Server to use the dial-up
connection as the default gateway. Configure Web Proxy chaining.
C. Create a demand-dial VPN connection to the main office. Configure ISA Server to use
the VPN connection as the default gateway. Configure firewall chaining. Configure a
firewall chaining user account.
D. Create a demand-dial VPN connection to an ISP. Configure firewall chaining.
Configure a firewall chaining user account.
Answer: C
Explanation:
Web Proxy Chaining is a method you can use to forward Web Proxy connections from
one ISA firewall to another ISA firewall. Web Proxy chains consist of upstream and
downstream ISA firewalls. The upstream ISA firewalls are those closer to the Internet
connection, and the downstream ISA firewalls are those further away from the Internet
connection. Downstream ISA firewalls forward Web Proxy requests to upstream ISA
firewalls. The first ISA firewall in the Web Proxy chain is the one closest to the Internet
and the one responsible for obtaining the Internet content.
QUESTION NO: 37
You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 computers named ISA1 and ISA2. TestKing has a main office and
one branch office.
ISA1 is located in the main office and connects to the Internet. ISA2 is located in the
branch office and connects to the main office over a dedicated WAN link. All client
computers run Windows XP Professional.
All client computers can update virus definitions from the virus update Web site.
ISA2 can connect to the virus update Web site and the Windows Update Web site.
You discover that ISA1 cannot connect to the virus update Web site or the Windows
Update Web site. The firewall policy on ISA1 is configured as shown in the exhibit.
Answer: B
Explanation:
ISA Server introduces a system policy, a set of firewall policy rules that control how the
ISA Server computer enables the infrastructure necessary to manage network security and
connectivity. ISA Server is installed with a default system policy, designed to address the
balance between security and connectivity. Some system policy rules are enabled upon
installation. These are considered the most basic and necessary rules for effectively
managing the ISA Server environment. You can subsequently identify those services and
tasks that you require to manage your network, and enable the appropriate system policy
rules. In our scenario, however, we need to enable HTTP traffic from ISA1 to the virus
update site. We can see in the exhibit that the corresponding rule 17 is disabled.
Therefore we need to enable that rule and add the URL of the virus update Web site to
the System Policy Allowed Sites.
QUESTION NO: 38
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 array. The array contains six members.
Soon after you enable CARP on the array, Web users on the corporate network
report that Internet access is slower than normal.
You use Network Monitor to check network traffic patterns on each of the ISA
Server 2004 array members. You discover that there is very high network utilization
on the intra-array network.
Answer: C
Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP.
CARP distributes the cache used by Web proxies across an array of ISA Server
computers. Although CARP assigns each ISA Server computer a unique set of cached
data (thus you need to configure the cache on each array member), the array of computers
functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to
increase performance in operations accessing a Web proxy cache that is distributed across
multiple ISA Server computers. CARP uses hash-based routing to determine which ISA
Server computer will respond to a client request and cache specific Web content. CARP
provides the following benefits:
* CARP eliminates the duplication of cache contents across multiple ISA Server
computers. The result is a faster response to queries and a more efficient use of server
resources.
* Because CARP determines which ISA Server computer will cache any specific content,
no traffic is required among ISA Server computers to determine which server is caching
the content.
* CARP automatically adjusts when array members are added or removed. The
hash-based routing means that, when a server is either taken offline or added, only
minimal reassignment of URL caches is required.
QUESTION NO: 39
You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 computers named ISA1 and ISA2. The network also contains a
Routing and Remote Access server named RRAS1. TestKing has a main office and
one branch office.
ISA2 uses a dial-up connection to connect to RRAS1. On ISA2, you create a Web
chaining rule that redirects requests to ISA1. Users in the branch office frequently
access a published Web site named http://sales.testking.com. This sales Web site
resides on a Web server in the perimeter network.
Users in the branch office report that occasionally during business hours they
cannot connect to http://sales.testking.com. You configure and enable a content
download job to ensure that Web site content is loaded into the Web cache on ISA2.
A. Create a new Web chaining rule. On the rule, enable a backup route to ISA1. Add a
URL set for http://sales.testking.com to the Web chaining rule. On the default cache
rule, increase the Time to Live (TTL) for HTTP objects.
B. Create a new Web caching rule. On the rule, redirect SSL requests as SSL requests.
Add a URL set for http://sales.testking.com to the Web chaining rule. On the default
cache rule, decrease the Time to Live (TTL) for HTTP objects.
C. Create a cache rule. Enable If any version of the object exists in cache. If none exists,
route the request. Enable Content for offline browsing. On the cache rule, decrease
the Time to Live (TTL) for HTTP objects.
D. Create a cache rule. Enable Only
Answer: D
Explanation:
ISA Server 2004 uses cache rules to allow you to customize what types of content will be
stored in the cache and exactly how that content will be handled when a request is made
for objects stored in cache. You can create rules to control the length of time that a cache
object is considered to be valid (ensuring that objects in the cache don't get hopelessly out
of date), and you can specify how cached objects are to be handled after they expire. ISA
Server 2004 gives you the flexibility to apply cache rules to all sites or just to specific
sites. A rule can further be configured to apply to all types of content or just to specified
types. In addition to controlling content type and object size, a cache rule can control how
ISA Server will handle the retrieval and service of objects from the cache. This refers to
the validity of the object. An object's validity is determined by whether its Time to Live
(TTL) has expired. Thus increasing the TTL will increase the object's validity in the
cache. Expiration times are determined by the HTTP or FTP caching properties or the
object's properties. Your options include:
* Setting ISA Server 2004 to retrieve only valid objects from cache (those that have not
expired). If the object has expired, the ISA server will send the request on to the Web
server where the object is stored and retrieve it from there.
* Setting ISA Server 2004 to retrieve requested objects from the cache even if they aren't
valid. In other words, if the object exists in the cache, ISA Server will retrieve and serve
it from there even if it has expired. If there is no version of the object in the cache, the
ISA Server will send the request to the Web server and retrieve it from there.
* Setting ISA Server to never route the request. In this case, the ISA Server relies only
upon the cache to retrieve the object. Objects will be returned from cache whether or not
they are valid. If there is no version of the object in the cache, the ISA Server will return
an error. It will not send the request to the Web server.
* Setting ISA Server to never save the object to cache. If you configure the rule this way,
the requested object will never be saved to the cache.
The scenario stated that we need to ensure that content from http://sales.testking.com will
always be available to users in the branch office, even if the connection is unavailable.
Thus we need to increase the TTL for the cached objects. If we decreased the TTL,
the objects in the cache would be flushed sooner, and users would get "page not found" if
the connection between the main office and the branch office was down.
Members of the graphical team make frequent changes to the Web site named
http://internal.testking.com. When the team members update the Web site, they
cannot see changes from other members of the team.
You need to configure ISA1 to allow members of the graphics team to immediately
view updates to http://internal.testking.com.
A. Add the testking.com domain name to the list of domains on the Internet network.
Disable the Bypass proxy for Web servers in this network option.
B. Add the client computers used by the members of the graphics team to a computer set.
Create a cache rule to include the computer set. Enable the Never. No content will
ever be cached setting.
C. Create a URL set for http://internal.testking.com. Create a cache rule to include the URL
set. Enable the Never. No content will ever be cached setting.
D. Create a new computer set for Testking2. Create a cache rule to include the computer
set. Disable HTTP caching on the cache rule.
Answer: C
Explanation:
QUESTION NO: 41
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. TestKing uses Microsoft Exchange Server 2003
as its e-mail server.
TestKing's written security policy states that all user names and passwords must be
encrypted when they are sent over the Internet.
You need to configure ISA1 to give users access from their cellular phones to e-mail.
You need to ensure that you adhere to TestKing's security policy.
A. Create an HTTPS server publishing rule. Configure the rule to point to the Microsoft
Outlook Web Access site.
B. Create an HTTPS server publishing rule. Configure the rule to point to the Microsoft
Outlook Mobile Access site.
C. Create a POP3 server publishing rule. Configure the rule to point to an Exchange
Server 2003 computer.
D. Create an IMAP server publishing rule. Configure the rule to point to an Exchange
Server 2003 computer.
Answer: B
Explanation:
Exchange Server 2003 allows users of wireless and small devices, such as mobile phones,
personal digital assistants (PDAs), or smart phones (hybrid devices that combine the
functionality of mobile phones and PDAs), access to Exchange data. Exchange ActiveSync
and Outlook Mobile Access (OMA) are two of the mobile service components that are
Internet Explorer and desktop personal computers using Internet Explorer 6.0 or later also
support OMA.
Outlook Web Access provides access to a computer running Exchange Server through a
Web browser. OWA does not require any client software or client configuration other
than a Web browser. Although OWA does not provide all of the functionality provided by
a full Outlook client, the fact that it is easy to deploy and does not require any special
client makes OWA an attractive option for providing remote access.
By default, OMA and OWA are configured to use HTTP. This means that all user logon
information is passed in clear text to the computer running Exchange Server. In addition,
authentication to the SMTP server is passed in clear text. This issue can be easily
addressed by using SSL to encrypt all user sessions.
QUESTION NO: 42
You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 computers named ISA1 and ISA2. The relevant portion of the
network is shown in the exhibit.
TestKing's written security policy states that employees must connect to the VPN
server installed on ISA2 by using the most secure method possible.
You need to configure ISA1 to allow employees to connect to the VPN server on
ISA2.
Answer: B
Explanation:
When you configure a VPN, you create a secured, point-to-point connection across a
public network such as the Internet. A VPN client uses special Transmission Control
Protocol/Internet Protocol (TCP/IP)-based protocols called tunneling protocols to connect
to a virtual connection port on a VPN server. The tunneling protocols use encryption
protocols to provide data security as the data is sent across the public network. The two
VPN protocols supported by ISA Server are the Microsoft Point-to-Point Tunneling Protocol
(PPTP) and the Layer 2 Tunneling Protocol (L2TP).
PPTP and L2TP use encryption protocols to ensure that the connection is private and secure
by encrypting all traffic sent across a public network. The PPTP VPN protocol uses the
Microsoft Point-to-Point Encryption protocol (MPPE) to protect data moving through the
PPTP virtual networking connection. The L2TP/IPSec VPN protocol uses Internet
Protocol Security (IPSec) to encrypt data moving through the L2TP virtual network.
Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure
authentication protocol. It is typically used if the remote access client and remote access
server cannot negotiate a more secure form of authentication.
Extensible Authentication Protocol (EAP) is the most secure remote authentication
protocol. It uses certificates on both the client and the server to provide mutual
authentication, data integrity, and data confidentiality. It negotiates encryption algorithms
and secures the exchange of session keys. Use EAP if you are implementing multifactor
authentication technologies such as smart cards or universal serial bus (USB) token
devices.
QUESTION NO: 43
You are the network administrator for TestKing.com. ISA Server 2004 is installed
as TestKing's firewall. All of TestKing's portable computers run Microsoft Outlook
2003.
You need to ensure that all employees use Outlook 2003, whether they use e-mail in
the office or use e-mail remotely over the Internet.
Answer: D
Explanation:
Outlook 2003 with Exchange 2003 running on Microsoft Windows Server 2003 supports
RPC over HTTP, which simplifies the network and firewall configuration needed to
support a MAPI client. Using RPC over HTTP provides all the benefits of using an
Outlook client without needing multiple ports open on the firewall. Users running
Outlook 2003 can connect directly to a computer running Exchange Server 2003 over the
Internet by using HTTP or HTTPS, even if both the computer running Exchange Server
and Outlook are behind firewalls and located on different networks. Only the HTTP and
HTTPS ports need to be opened on the firewall.
RPC over HTTP can be deployed using front-end and back-end servers. The front-end
server is an RPC proxy server that converts the RPC over HTTP packets into normal RPC
packets, which are forwarded to the back-end computer running Exchange Server. The
back-end server replies to the front-end server, which converts the response back into
HTTP packets and replies to the client. In this case, the RPC proxy server does not need
to be running Exchange. RPC over HTTP can also be deployed in a single server
configuration where the Exchange Server is also configured as the RPC proxy server. In
either case, RPC over HTTP requires the use of SSL to encrypt the traffic between the
Outlook client and the RPC proxy server.
We cannot use OWA in this scenario because the question stated that only Outlook 2003
clients are used.
QUESTION NO: 44
You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 is
connected to the Internet. All client computers are configured as SecureNAT clients.
You need to configure ISA1 to block all instant messaging traffic and all other
non-Web traffic.
Answer: A
Explanation:
Access rules determine how clients on a source network can access resources on a
destination network. To enable access to Internet resources for users on your internal
network, you need to configure an access rule that enables this access. Access rules are
used to configure all traffic flowing through ISA Server, including all traffic from the
internal network to the Internet, and from the Internet to the internal network.
One of the most important Web filters included with ISA Server 2004 is the HTTP filter.
Many Internet applications now use HTTP to tunnel the application traffic. For example,
Microsoft MSN® Messenger uses HTTP as the application-layer protocol. The only way
to block these types of applications without blocking all HTTP traffic is to use HTTP
filtering.
An HTTP signature can be any string of characters in the HTTP header or body. To block
an application based on signatures, you need to identify the specific patterns the
application uses in request headers, response headers, and body, and then modify the
HTTP policy to block packets based on that string. For example, to block MSN
Messenger, configure the rule to block User-Agent: MSN Messenger in the request
header.
TestKing's written security policy states that all HTTP traffic must go through ISA1.
The human resources (HR) department creates a new HR Web site, which
employees use to access and manage their benefits. The HR Web site has its own
Windows Server 2003 Web server and its own server publishing rule on ISA1.
Security requirements dictate that employees must not be able to access the HR Web
site from an untrusted client computer.
You need to configure the server publishing rule to meet the security requirements.
A. External
B. Local Host
C. Quarantined VPN Clients
D. All Protected Networks
Answer: D
Explanation:
The All Protected Networks Network Object includes all Networks defined on the ISA
firewall except for the default External Network. You might use the All Protected
Networks Network Object when you want to apply an Access Rule that controls outbound
access for all networks behind the ISA firewall.
The Quarantined VPN Clients Network is a "virtual" or "just in time" Network where
addresses are dynamically assigned to this Network when quarantined VPN clients
connect to the ISA firewall. The Quarantined VPN Client Network is only used when
VPN Quarantine is enabled on the ISA firewall.
Internal Network includes all computers (IP addresses) that were specified as internal
during the installation process.
QUESTION NO: 46
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer. Users on the Internet network require access to a partner
VPN server. The partner VPN server does not support machine certificate
authentication for VPN connections. You enable a route relationship between the
Internal network and the External network.
You need to ensure that TestKing users can access the partner VPN server.
A. Create an access rule to enable outbound access to the PPTP Client protocol.
B. Create an access rule to enable outbound access to the IPSec with Encapsulation
Security Payload (ESP) Server protocol.
C. Create an access rule to enable outbound access to the IKE Client protocol.
D. Create an access rule to enable outbound access to the L2TP Client protocol.
Answer: A
Explanation:
A remote access VPN server accepts VPN calls from VPN client machines. A remote
access VPN server allows single client machines and users access to corporate network
resources after the VPN connection is established.
You can use any VPN client software that supports PPTP or L2TP/IPSec to connect to a
VPN server.
PPTP uses Point-to-Point Protocol (PPP) user authentication methods and Microsoft
Point-to-Point Encryption (MPPE) to encrypt IP traffic. PPTP supports the use of
Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) for
password-based authentication. For stronger authentication for PPTP connections, you
can implement a public key infrastructure (PKI) using smart cards or certificates and
Extensible Authentication Protocol Transport Level Security (EAP-TLS).
QUESTION NO: 47
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer.
Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two)
A. Configure a new protocol definition for TCP port 12345 inbound named RDP-x.
B. Configure a new protocol definition for TCP port 12345 outbound named RDP-x.
C. Create an access rule that uses RDP-x.
D. Create a server publishing rule that uses RDP-x.
Answer: A, D
Explanation:
Creating Server Publishing Rules is simple compared to Web Publishing Rules. The only
things you need to know when creating a Server Publishing Rule are:
* The protocol or protocols you want to publish
* The IP address where the ISA firewall accepts the incoming connections
QUESTION NO: 48
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer.
TestKing is creating a new Web site for access by a business partner. The Web site
will be hosted on an internal Web server. The Web site will be accessed by
customers. Requests from client computers should first be validated by using SSL
authentication. However, if client certificate requests fail, customers should still be
prompted to log in by using a user name and password.
You need to configure a publishing rule to allow access to the new Web site and to
fulfil the authentication requirements.
A. Create an HTTP server publishing rule. Configure the rule to accept connections from
client computers at the partner location.
B. Create an HTTPS server publishing rule. Configure the rule to accept connections
from client computers at the partner location.
C. Create a Web publishing rule. Configure a new Web listener for the HTTP protocol.
Configure the Web listener to allow both Integrated Windows authentication and Digest
authentication.
D. Create a Web publishing rule. Configure a new Web listener for the HTTPS protocol.
Configure the Web listener to allow both SSL certificate authentication and Basic
authentication.
Answer: D
Explanation:
QUESTION NO: 49
You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 Enterprise Edition computers named ISA1 and ISA2. ISA1 and
ISA2 are configured as members of an ISA Server 2004 array.
You configure the array to cache outgoing Web requests. You configure the array so
that the cached Web content is distributed between ISA1 and ISA2.
A. Enable Cache Array Routing Protocol (CARP) on the Local Host network.
B. Enable the client computers to download the automatic configuration script.
C. Configure a content download job on the array.
D. Configure Network Load Balancing on the Internal network.
Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP.
CARP distributes the cache used by Web proxies across an array of ISA Server
computers. Although CARP assigns each ISA Server computer a unique set of cached
data (thus you need to configure the cache on each array member), the array of computers
functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to
increase performance in operations accessing a Web proxy cache that is distributed across
multiple ISA Server computers. CARP uses hash-based routing to determine which ISA
Server computer will respond to a client request and cache specific Web content. CARP
provides the following benefits:
* CARP eliminates the duplication of cache contents across multiple ISA Server
computers. The result is a faster response to queries and a more efficient use of server
resources.
* Because CARP determines which ISA Server computer will cache any specific content,
no traffic is required among ISA Server computers to determine which server is caching
the content.
* CARP automatically adjusts when array members are added or removed. The
hash-based routing means that, when a server is either taken offline or added, only
minimal reassignment of URL caches is required.
* CARP ensures that the cache objects are either distributed evenly between all servers in
the array or by the load factor that is configured for each server.
When client-side CARP is enabled, the Web browser downloads the
Array.dll?Get.Routing.Script from an ISA Server computer in the array. When a user
types a URL into a Web browser, the URL is handed off to the script, which calculates
which ISA Server computer in the array will be used to cache the content. The script
always returns the same server list for a given URL, ensuring that each URL is cached on
one array server only.
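The hash-based routing described in this explanation (and in the CARP explanation for the six-member array question above), as an added example that is not ISA Server's own code or part of the original material: a simplified Python model of CARP member selection. It uses a SHA-256-based hash in place of the CARP draft's own hash function, and the array member names and sample URLs are constructed; a naive modulo scheme is included only as the contrast that shows why hash-based routing keeps reassignment minimal.

```python
"""Simplified Cache Array Routing Protocol (CARP) member selection.

Added example, not ISA Server code. Each URL is hashed together with every
array member's name; the member with the highest combined score owns the URL
(primary cache), and the remaining members form the ordered fallback list.
Because a member's score for a URL depends only on the URL and that member,
adding or removing a member can only move URLs onto the new member or off
the removed one, which is the "minimal reassignment" property.
"""
import hashlib
from collections import Counter

# Constructed six-member array and a constructed set of requested URLs.
MEMBERS = ["ISA1", "ISA2", "ISA3", "ISA4", "ISA5", "ISA6"]
SAMPLE_URLS = [f"http://www.example.com/docs/page{i}.html" for i in range(300)]


def _hash32(text: str) -> int:
    """Stable 32-bit hash of a string. The CARP draft specifies its own
    rotating hash; SHA-256 truncated to 32 bits stands in for it here."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:4], "big")


def carp_ranked(url: str, members: list[str]) -> list[str]:
    """Return all members ordered from best to worst for this URL.

    The result depends only on the URL and the member names, not on the
    order in which members are listed, so every array member (and every
    client running the routing script) computes the same list.
    """
    url_hash = _hash32(url)
    scored = []
    for name in members:
        # XOR mixes the URL hash with the member hash; the odd multiplier
        # spreads the result across the 32-bit range (as in the draft's
        # combining step, simplified).
        combined = ((url_hash ^ _hash32(name)) * 0x62531965) & 0xFFFFFFFF
        scored.append((combined, name))
    return [name for _, name in sorted(scored, reverse=True)]


def carp_owner(url: str, members: list[str]) -> str:
    """The single array member that caches this URL."""
    return carp_ranked(url, members)[0]


def modulo_owner(url: str, members: list[str]) -> str:
    """Naive alternative: hash modulo member count. Shown only as a
    contrast; changing the member count reshuffles most URLs."""
    return members[_hash32(url) % len(members)]


def assign(urls: list[str], members: list[str], owner=carp_owner) -> dict:
    """Map every URL to its owning member under the given scheme."""
    return {url: owner(url, members) for url in urls}


def distribution(urls: list[str], members: list[str]) -> Counter:
    """How many URLs each member is responsible for caching."""
    return Counter(assign(urls, members).values())


def minimal_reassignment_holds(urls, before, after, owner=carp_owner) -> bool:
    """True if every URL that changed owner either left a removed member
    or landed on an added member. CARP guarantees this; modulo does not."""
    old, new = assign(urls, before, owner), assign(urls, after, owner)
    removed, added = set(before) - set(after), set(after) - set(before)
    for url in urls:
        if old[url] != new[url] and old[url] not in removed and new[url] not in added:
            return False
    return True


def moved_count(urls, before, after, owner=carp_owner) -> int:
    """Number of URLs whose owning member changed between two memberships."""
    old, new = assign(urls, before, owner), assign(urls, after, owner)
    return sum(1 for url in urls if old[url] != new[url])


if __name__ == "__main__":
    print("Cache distribution:", dict(distribution(SAMPLE_URLS, MEMBERS)))
    five = [m for m in MEMBERS if m != "ISA3"]
    print("URLs moved after taking ISA3 offline (CARP):",
          moved_count(SAMPLE_URLS, MEMBERS, five))
    print("URLs moved after taking ISA3 offline (modulo):",
          moved_count(SAMPLE_URLS, MEMBERS, five, modulo_owner))
```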
QUESTION NO: 50
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer named ISA1.
TestKing'swritten security policy states that ISA1 must authenticate users before
users on the Internet are allowed to access corporate Web servers.
You install a new Web server on the Internal network. Partners and customers will
access the Web pages hosted by this Web server only from the Internet.
A. Create a Web publishing rule. Configure the rule to require user authentication.
B. Create a Web publishing rule. Configure the rule to perform link translation.
C. Create an HTTP server publishing rule. Configure the rule to specify that requests
appear to come from ISA1.
D. Create an HTTP access rule. Configure the rule to allow connections from the External
network to the Internal network
Answer: A
Explanation:
ISA Server uses Web publishing rules to make Web sites on protected networks available
to users on other networks, such as the Internet. A Web publishing rule is a firewall rule
that specifies how ISA Server will route incoming requests to internal Web servers.
User authentication - You can configure ISA Server to require that all external users
authenticate before their requests are forwarded to the Web server hosting the published
content. This protects the internal Web server from authentication attacks. Web
publishing rules support several methods of authentication, including Remote
Authentication Dial-In User Service (RADIUS), integrated, basic, digest, digital
certificates, and RSA SecurID.
Link translation - With link translation, you can provide access to complex Web pages
that include references to other internal Web servers that are not directly accessible from
the Internet. Without link translation, any link to a server that is not accessible from the
Internet would appear as a broken link. Link translation can be used to publish complex
Web sites providing content from many servers while hiding the complexity from the
Internet users.
QUESTION NO: 51
You are the network administrator for TestKing.com. TestKing.com has a main office
and two branch offices. Users in the main office use client computers that run
Windows XP. Users in the branch offices use Macintosh computers.
A. On each branch office ISA Server computer, configure Firewall Client Settings. Allow
non-encrypted Firewall Clients to connect to ISA Server computers.
B. On each branch office ISA Server computer, configure Firewall chaining. Configure
Firewall chaining to use a user account.
C. On the main office ISA Server computer, configure a server publishing rule. Publish the
POP3 server the users are attempting to connect to.
D. On the main office ISA Server computer, configure IP preferences. Disable IP routing.
Answer: B
Explanation:
Since there are Macintosh computers in the branch offices, we must configure them as
SecureNAT or Web Proxy clients. The Firewall Client can only be installed on Windows
operating systems. In this scenario we cannot use a Web Proxy configuration because the
Web Proxy configuration only supports HTTP, HTTPS and FTP, not POP3. Therefore we
configure the Macintosh computers as SecureNAT clients. SecureNAT does not support user
authentication (which was a requirement in the scenario); therefore we must configure
firewall chaining with user authentication.
ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA
Server together to provide flexible Web proxy services. These servers can be chained in a
hierarchical manner so that one ISA Server computer routes Internet requests to another
ISA Server computer, rather than routing the request directly to the Internet.
ISA Server 2004 also supports Firewall chaining to allow requests from SecureNAT and
Firewall clients to be forwarded to another ISA Server computer. The advantage of the
Firewall chaining configuration over the Web Proxy configuration is that Firewall
chaining supports all TCP and UDP Winsock protocols, not just Web protocols
(HTTP/HTTPS/FTP).
You are the network administrator for TestKing.com. The network contains two
ISA Server 2004 computers named ISA1 and ISA2.
The company has a main office and one branch office. The main office connects to
the branch office over a dedicated 56-Kbps frame relay WAN link. A client
computer named Client2 in the branch office connects to the main office through
ISA2.
Two computers in each office are configured as shown in the following table.
Users of Client1 and Client2 report that they cannot connect to the Internet. Client2
can connect to the main office network.
You want to maintain a high level of security on the external network adapter on
ISA1 and on ISA2.
A. Configure Client1 with the default gateway IP address of the internal network adapter
of ISA1. Issue the ping command to 192.168.100.1 from Client1.
B. Configure Client2 with the default gateway IP address of the internal network adapter
of ISA2. Issue the tracert command to 172.16.1.1 from Client2.
C. Edit the Diagnostic Services ICMP configuration group on ISA1 by adding the main
office network as a destination network.
Issue the pathping command to 192.168.100.1 from Client1.
D. Edit the Remote Management ICMP (PING) configuration group on ISA1 by adding
Client1 to the Remote Management Computers computer set.
Issue the ping command to 192.168.100.1 from Client1.
Explanation:
The system policy is used primarily to enable sufficient access between the ISA Server
computer and the connected networks so that you can manage ISA Server. All of the
system policies define access between the Local Network, which is the ISA Server
computer itself, and the connected networks rather than defining access between
networks. Configuration groups are used in several of these system policies.
Remote Management ICMP (PING) configuration group - Enabling this configuration
group enables system policy rules that allow ICMP ping requests from selected computers
to the ISA Server computer.
Diagnostic Services ICMP configuration group - Enabling this configuration group
enables system policy rules that allow ICMP ping requests from the ISA Server computer
to selected computers.
In this scenario we want to diagnose connectivity from the source Client1 to the destination ISA1.
Therefore we need to add Client1 to the Remote Management Computers computer set
that is used in the Remote Management ICMP (PING) configuration group.
QUESTION NO: 52
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.
ISA1 connects to the Internet. ISA1 is configured with access rules for Internet
access. A Windows Server 2003 computer named CERT1 is configured as an
internal certification authority (CA). ISA1 can download the certificate revocation
list (CRL) from CERT1.
You are deploying 10 new ISA Server 2004 computers on the network. On ISA1 you
export the firewall policy settings into a file named ISA1export.xml. You configure
the network configuration settings on each new ISA Server computer. You import
the firewall policy settings from the ISA1export.xml file on each new ISA Server
computer.
You test the imported configuration on each of the new ISA Server computers. You
discover that each new ISA Server computer cannot download the CRL from
CERT1.
You need to ensure that the new ISA Server computers can download the CRL.
Answer: B
Explanation:
You can export the entire ISA Server configuration, or just parts of it, depending on your
specific needs. When you export an entire configuration, all general configuration
information is exported. This includes access rules, publishing rules, rule elements, alert
configuration, cache configuration, and ISA Server properties. In addition, you can select
to export user permission settings and confidential information such as user passwords.
Confidential information included in the exported file is encrypted. You can also choose
to export the firewall policies or the system policies separately. In this scenario only the
firewall policy was exported and then imported. But we must also export and import the
system policies, since they contain the Allow all HTTP traffic from ISA Server to all
networks (for CRL downloads) rule.
QUESTION NO: 53
Exhibit
When you installed ISA Server 2004 on TESTKINGA, you defined the Internal
network address range as 10.0.1.0 through 10.0.1.255.
You create an access rule to allow all traffic from the Internal network to the
External network. Users are not required to be authenticated to use this rule.
Users on network IDs 10.0.2.0/24 and 10.0.3.0/24 report that they cannot connect to
the Internet. You examine the routing tables on the router and on TESTKINGA and
confirm that they are correctly configured.
You need to ensure that users on network IDs 10.0.2.0/24 and 10.0.3.0/24 can
connect to the Internet.
A. Create a subnet network object for network ID 10.0.2.0/24 and for network ID
10.0.3.0/24.
B. Add the address ranges 10.0.2.0 through 10.0.2.255 and 10.0.3.0 through 10.0.3.255
to the definition of the Internal network.
C. Create two new networks, one for network ID 10.0.2.0/24 and one for 10.0.3.0/24.
Create access rules to allow these networks access to the Internet.
D.
Answer: B
Explanation:
2003 or Windows® 2000 Server routing table. You can also select the private IP address
ranges, as defined by IANA in RFC 1918. These three blocks of addresses are reserved
for private intranets only and are never used on the public Internet.
The routing table reflects the topology of the Internal network; in this scenario it
comprises the subnets 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24. When you configure
the Internal network for ISA Server, it should include all of those ranges (subnets). If you
create distinct networks for each of those subnets, rather than a single network, ISA
Server will consider the 10.0.2.x and 10.0.3.x networks temporarily disconnected,
because there is no network adapter associated with them. In this scenario we need to add
the 10.0.2.x and 10.0.3.x ranges on the Addresses tab of the Internal network properties
to make it work. Just adding a subnet network object is not sufficient, since there are no
access rules configured for it.
QUESTION NO: 54
Exhibit
The network contains an ISA Server array. The array contains two ISA Server 2003
computers named TestKing1 and TestKing2. TestKing1 and TestKing2 connect to
the Internet. All client computers on the network are configured as Web Proxy
clients.
Users report that when they access www.testking.com Web pages, the network is
very slow. You discover that the content download jobs to www.testking.com have
failed.
You need to configure the array to allow users on the network to access
www.contoso.com Web pages more quickly.
A. Enable the Allow HTTP/HTTPS requests from ISA Server to selected servers for
connectivity verifiers system policy rule.
B. Enable the Allow HTTP from ISA Server to selected computers for Content Download
Jobs system policy rule.
C. Enable a new HTTP access rule that includes the Internal network. Configure the rule
to use port 8080.
D. Enable Cache Array Routing Protocol (CARP) on the Local Host network.
Answer: B
Explanation:
ISA Server introduces a system policy, a set of firewall policy rules that control how the
ISA Server computer enables the infrastructure necessary to manage network security and
connectivity. ISA Server is installed with a default system policy, designed to address the
balance between security and connectivity. Some system policy rules are enabled upon
installation. These are considered the most basic and necessary rules for effectively
managing the ISA Server environment. You can subsequently identify those services and
tasks that you require to manage your network, and enable the appropriate system policy
rules. By default, the scheduled download jobs feature is disabled. When you create a
content download job, you will be prompted to enable this system policy rule. ISA Server
will then be able to access the sites specified in the content download job. In this scenario
we can see that the content download jobs system policy rule is disabled, and we can read
that the content download jobs for www.testking.com are failing. Therefore we need to
enable this rule so that the content of the Web site can be retrieved successfully.
QUESTION NO: 55
You are the network administrator for TestKing. The network consists of a single
Active Directory domain named TestKing.com.
You configure an ISA Server 2004 computer named ISA1-VPN to meet the
following requirements:
1. Allow external VPN connections.
2. Allow Internet VPN server access for internal VPN clients.
3. Allow only RADIUS authentication for VPN connections.
The system policy on ISA1-VPN is configured as shown in the System Policy exhibit.
You need to ensure that external VPN client computers can create VPN connections
to ISA1-VPN.
Answer: D
Explanation:
QUESTION NO: 56
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.
You are replacing ISA1 with a new ISA Server computer named ISA1. You export
the network-level node configuration settings on ISA1 to a file named
ISAconfig.xml. You import the ISAconfig.xml file on ISA2. You replace ISA1 with
ISA2 on the network.
Remote VPN users report that they cannot authenticate to gain access to the
network. Internal network users report that they cannot connect to the Internet.
You need to configure ISA1 to allow incoming and outgoing access for company
users.
Answer: B
Explanation:
ISA Server 2004 includes export and import features that enable you to save and restore
most ISA Server configuration information. The configuration parameters can be
exported and stored in an .xml file.
When you export an entire configuration, all general configuration information is
exported. This includes access rules, publishing rules, rule elements, alert configuration,
cache configuration, VPN configuration and ISA Server properties. Confidential
information included in the exported file is encrypted.
In this scenario we need to export the entire array configuration. If we exported, changed
and imported only the VPN configuration, the internal users would still be unable to
connect to the Internet.
QUESTION NO: 57
You are a network administrator for TestKing.com. The company has a main office
and two branch offices.
Users in the main office use client computers that run Windows XP Professional.
Users in the branch offices use Macintosh-based client computers.
You deploy one ISA Server 2004 computer in the main office and one ISA Server
2004 computer in each branch office. You configure an access rule on the main
office ISA Server computer. The rule allows authenticated users to download e-mail
by using the POP3 protocol. You install the Firewall Client on the Windows XP
Professional computers.
Users in the branch offices report that they cannot download e-mail by using the
POP3 protocol.
A. On each branch office ISA Server computer, configure Firewall client settings. Allow
non-encrypted Firewall clients to connect to the ISA Server computer.
B. On each branch office ISA Server computer, configure firewall chaining. Configure
firewall chaining to use a user account.
C. On the main office ISA Server computer, configure a server publishing rule. Publish
the POP3 server the users are attempting to connect to.
D. On the main office ISA Server computer, configure IP preferences. Disable IP routing.
Answer: B
Explanation:
Because the branch offices have Macintosh computers, we must configure them as
SecureNAT or Web Proxy clients; the Firewall Client can only be installed on Windows
operating systems. In this scenario we cannot use a Web Proxy configuration, because the
Web Proxy configuration supports only HTTP, HTTPS and FTP, not POP3. Therefore we
configure the Macintosh computers as SecureNAT clients. SecureNAT does not support user
authentication (which the scenario requires), so we must configure firewall chaining with
user authentication.
ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA
Server together to provide flexible Web proxy services. These servers can be chained in a
hierarchical manner so that one ISA Server computer routes Internet requests to another
ISA Server computer, rather than routing the request directly to the Internet.
ISA Server 2004 also supports Firewall chaining to allow requests from SecureNAT and
Firewall clients to be forwarded to another ISA Server computer. The advantage of the
Firewall chaining configuration over the Web Proxy configuration is that Firewall
chaining supports all TCP and UDP Winsock protocols, not just Web protocols
(HTTP/HTTPS/FTP).
QUESTION NO: 58
You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 has
two network adapters. Access rules allow users on the Internal network to have
HTTP access to the Internet.
Users report that they cannot access information on WebServer2. When they
attempt to access the Web site, they receive the following error message: "Error
Code 10060: Connection timeout. Background: There was a time out before the
page should be retrieved. This might indicate that the network is congested or that
the website is experiencing technical difficulties."
You need to ensure that users on the Internal network can access information on
WebServer2. First, you verify that WebServer2 is operational.
A. Create a network rule that sets a route relationship between the Internal network and
the perimeter network.
B. Create a server publishing rule that publishes WebServer2 to the Internal network.
C. Create a Web publishing rule that publishes WebServer2 to the Internal network.
D. Create an access rule that allows WebServer2 access to the Internal network.
Answer: A
Explanation:
You will need to create new Networks whenever a new Network is introduced into your
environment. A common reason to add a new Network is when you install additional
NICs into the ISA firewall. Since all addresses located behind any particular NIC are
considered a Network by the ISA firewall, you need to create a new Network when
additional NICs are added to the firewall. We must also create a network rule that defines
the relationship between networks. This can be a route or a NAT relationship. If there is no
relationship between two networks, ISA Server drops all traffic between them. Therefore we
need to create a route relationship between the Internal network and the perimeter network
to make it work.
QUESTION NO: 59
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. The IP address bound to the external network
adapter of ISA1 is 192.168.100.141.
You run the netstat -na command on ISA1. The relevant portion of the output is
shown in the following table.
You need to ensure that ISA1 accepts connection requests for only HTTP traffic.
You need to be able to quickly verify whether ISA1 is listening on TCP port 139.
Answer: B
Explanation:
Portqry.exe is a Microsoft command-line utility that you can use to help troubleshoot
TCP/IP connectivity issues. Portqry.exe runs on Windows 2000-based computers, on
Windows XP-based computers, and on Windows Server 2003-based computers. The
utility reports the port status of TCP and UDP ports on a computer that you select.
PortQry version 2.0 supports the following session layer and application layer protocols:
* Lightweight Directory Access Protocol (LDAP)
* Remote Procedure Calls (RPC)
* Domain Name System (DNS)
* NetBIOS Name Service
* Simple Network Management Protocol (SNMP)
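As an added example (not part of the original document), the following PowerShell script parses netstat -na output for TCP listeners bound to the external address of ISA1 and flags any port other than HTTP. The netstat sample text is constructed; the external IP address and the allowed-port list come from the question, and the portqry command in the comment is the PortQry check the explanation refers to.

```powershell
# Added example: report TCP listeners on the external adapter of ISA1 from
# "netstat -na" output. Only HTTP (TCP 80) should be accepted externally.
# $SampleText below is constructed for offline use; replace it with the live
# output of (netstat -na) when running on the ISA Server computer.

$ExternalIP   = '192.168.100.141'   # external adapter address from the question
$AllowedPorts = @(80)               # only HTTP should be accepted on that address

# Constructed sample in the layout "netstat -na" prints on Windows Server 2003
$SampleText = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.100.141:80     0.0.0.0:0              LISTENING
  TCP    192.168.100.141:139    0.0.0.0:0              LISTENING
  TCP    192.168.100.141:80     203.0.113.7:51022      ESTABLISHED
  UDP    192.168.100.141:137    *:*
'@
$SampleNetstat = $SampleText -split "`r?`n"

function Get-ExternalListeners {
    param([string[]]$NetstatLines, [string]$Address)
    # Match TCP entries in LISTENING state and extract the local IP and port.
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+(?<ip>[\d.]+):(?<port>\d+)\s+\S+\s+LISTENING') {
            # A 0.0.0.0 binding listens on every address, so it exposes the
            # external adapter as well.
            if ($Matches.ip -eq $Address -or $Matches.ip -eq '0.0.0.0') {
                [pscustomobject]@{
                    LocalAddress = $Matches.ip
                    Port         = [int]$Matches.port
                }
            }
        }
    }
}

function Test-ExternalListener {
    param([string[]]$NetstatLines, [string]$Address, [int]$Port)
    # $true when a listener for $Port is bound to $Address or to all addresses.
    $hits = @(Get-ExternalListeners -NetstatLines $NetstatLines -Address $Address |
              Where-Object { $_.Port -eq $Port })
    return ($hits.Count -gt 0)
}

# The quick check the question asks for: is TCP 139 listening on the external IP?
# The equivalent PortQry check from the command line (answer B) is:
#   portqry -n 192.168.100.141 -e 139 -p tcp
if (Test-ExternalListener -NetstatLines $SampleNetstat -Address $ExternalIP -Port 139) {
    Write-Output "TCP 139 (NetBIOS session service) is listening on $ExternalIP"
}

# Full report: every listener reachable on the external address that is not allowed.
Get-ExternalListeners -NetstatLines $SampleNetstat -Address $ExternalIP |
    Where-Object { $AllowedPorts -notcontains $_.Port } |
    ForEach-Object { Write-Output ("Unexpected listener: {0}:{1}" -f $_.LocalAddress, $_.Port) }
```

With the constructed sample the script reports TCP 139 on the external address and the wildcard-bound TCP 135 as unexpected listeners, both of which the system policy and publishing rules should leave closed on the external adapter.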
QUESTION NO: 60
You are the administrator of an ISA Sever 2004 computer named ISA1. ISA1 is
configured to generate daily and monthly reports. ISA1 publishes the reports to a
folder named IsaReports.
You generate custom reports to indicate user activity during the weekends of the
last three months.
The reports for the last five weekends display correct data. However, reports for
previous weekends cannot be displayed. Only monthly activity summary reports are
available for previous months.
You need to provide custom reports that show the actual activity for all the
weekends during the last three months.
A. Configure the Microsoft Data Engine (MSDE) database log files to be saved for 130
days. Restore the MSDE database log files from backup for the last three months.
B. Configure daily reports to be saved for 130 days. Restore the log summary files from
backup for the last three months.
C. Delete the log summary files. Configure daily reports to be saved for 130 days. Disable
and then re-enable log summary reports.
D. In the IsaReports folder, create a new folder for each of the weekends. Copy the
respective daily report files for each day of a weekend into their corresponding folders.
Answer: B
Explanation:
QUESTION NO: 61
You enable the default Network configuration changed alert. You add a custom
alert named Network Connectivity. The properties of the Network Connectivity
alert are configured as shown in the Alert Events exhibit and the Alert Actions
exhibit.
You need to ensure that the administrative computers receive the text message when
the Network Connectivity alert is triggered. You also need to be able to test the alert
by disabling any of the network adapters on ISA1.
Answer: D
Explanation:
With the release of Windows Server 2003, the situation changed again when two new
built-in account types similar to Local System were added: the Network Service account
and the Local Service account.
The new Network Service account also uses the computer's credentials when it
authenticates remotely, but has a greatly reduced privilege level on the server itself and,
therefore, does not have local administrator privileges. The new Local Service account
has the same reduced privileges as the Network Service account, but as the name
suggests, it does not have the ability to authenticate to network resources.
Log on as a batch job - Allows a user to be logged on by means of a batch-queue facility.
For example, when a user submits a job by means of the task scheduler, the task
scheduler logs that user on as a batch user rather than as an interactive user. By default,
only the Local Service account and the support group have the privilege to be logged on as
a batch job on the ISA Server computer. In this scenario NetworkAlert.cmd will not run
because the Local System account does not have the Log on as a batch job right. Therefore
we need to configure the Network Connectivity alert actions to run NetworkAlert.cmd by
using an account that has the Log on as a batch job right.
QUESTION NO: 62
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is configured to provide forward Web
caching for users on the Internal network.
Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) database logging is
enabled on ISA1. ISA1 is configured with 512 MB of RAM and a single 60-GB hard
disk.
During periods of peak usage, users report that it takes longer than usual for Web
pages to appear.
A. Memory\Pages/sec
B. Memory\Pool Nonpaged Bytes
C. MSSQL$MSFW:Databases(*)\Transactions/sec
D. MSSQL$MSFW:MemoryManager\Target Server Memory (KB)
E. Physical Disk\Avg. Disk Queue Length
F. Physical Disk\SplitIO/sec
Answer: A, E
Explanation:
The ISA Server installation configures several new performance objects that you can use
to monitor system performance on the computer running ISA Server. You view the
performance objects and their associated performance counters in real time in System
Monitor. System Monitor is a monitoring tool that is included with Windows 2000 and
Windows Server 2003.
Memory\Pages/sec - Pages/sec is the rate at which pages are read from or written to disk
to resolve hard page faults. This counter is a primary indicator of the kinds of faults that
cause system-wide delays.
Memory\Pool Nonpaged Bytes - Pool Nonpaged Bytes is the size, in bytes, of the
nonpaged pool, an area of system memory (physical memory used by the operating
system) for objects that cannot be written to disk, but must remain in physical memory as
long as they are allocated.
Physical Disk\Avg. Disk Queue Length - Avg. Disk Queue Length is the average number of
both read and write requests that were queued for the selected disk during the sample interval.
MSSQL$MSFW:Databases(*)\Transactions/sec - Number of transactions started for the
database.
MSSQL$MSFW:MemoryManager\Target Server Memory - Total amount of dynamic
memory the server is willing to consume.
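As an added example (not part of the original document), the following PowerShell script samples the two counters the answer relies on with Get-Counter during peak usage and classifies the result as memory pressure, a disk bottleneck, or both. The threshold values and the default computer name are assumptions for illustration, not figures from ISA Server documentation.

```powershell
# Added example: sample Memory\Pages/sec and PhysicalDisk\Avg. Disk Queue Length
# on the ISA Server computer and diagnose the peak-usage slowdown.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # use 'ISA1' when run remotely (assumption)
    [int]$Samples = 12,                         # 12 samples x 5 s = one minute of peak load
    [int]$IntervalSeconds = 5
)

$Counters = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Memory\Pool Nonpaged Bytes'   # collected for context only; not a bottleneck indicator
)

# Assumed thresholds (illustrative): sustained Pages/sec above 20 suggests the 512 MB
# of RAM is short; an average queue length above 2 suggests the single disk is
# saturated by the Web cache, MSDE logging and paging competing for it.
$PagesPerSecLimit = 20
$DiskQueueLimit   = 2

function Get-AverageCounterValues {
    param([string[]]$CounterPaths, [string]$Computer, [int]$Count, [int]$Interval)
    $data = Get-Counter -Counter $CounterPaths -ComputerName $Computer `
                        -SampleInterval $Interval -MaxSamples $Count
    # Flatten every sample set and average each counter path over the window.
    $data.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.Name
                Average = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            }
        }
}

function Get-Diagnosis {
    param([double]$PagesPerSec, [double]$DiskQueue)
    # Both high: hard page faults are driving the disk, so more RAM is the first fix.
    if ($PagesPerSec -gt $PagesPerSecLimit -and $DiskQueue -gt $DiskQueueLimit) {
        return 'Memory pressure is causing paging that saturates the single disk'
    }
    if ($PagesPerSec -gt $PagesPerSecLimit) { return 'Memory pressure (hard page faults)' }
    if ($DiskQueue   -gt $DiskQueueLimit)   { return 'Disk bottleneck (cache and MSDE logging I/O)' }
    return 'No memory or disk bottleneck detected in this sample window'
}

$averages = Get-AverageCounterValues -CounterPaths $Counters -Computer $ComputerName `
                                     -Count $Samples -Interval $IntervalSeconds
$averages | Format-Table -AutoSize

# Counter paths returned by Get-Counter carry a \\machine prefix, so match on the suffix.
$pages = ($averages | Where-Object { $_.Path -like '*Pages/sec' }).Average
$queue = ($averages | Where-Object { $_.Path -like '*Avg. Disk Queue Length' }).Average
Write-Output (Get-Diagnosis -PagesPerSec $pages -DiskQueue $queue)
```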
QUESTION NO: 63
You are the network administrator for TestKing.com. The company has a main
office, two branch offices and one research office. An ISA Server array is configured
for each of these three offices. All arrays are members of the same ISA Server 2004
enterprise.
You need to install a new ISA Server array in the research office. You need to
ensure that only research office administrators can manage access rules that affect
client computers in the research office.
Answer: D
Explanation:
A Configuration Storage server stores the configuration for all the arrays in the enterprise.
There can be multiple configuration storage servers in the enterprise, with each
replicating to the rest any updates to enterprise configuration. Configuration Storage
servers store the configuration in ADAM. Hence, there is no centralized master copy of
directory information. Instead, any change committed on any Configuration Storage
server is replicated to every other Configuration Storage server within the enterprise.
ADAM is a special mode of the Active Directory directory service that is designed for
directory-enabled applications. ADAM is a Lightweight Directory Access Protocol
(LDAP) compatible directory service that runs on servers running Microsoft Windows
QUESTION NO: 64
The Internal network contains two Web sites named HR and Sales, which are used
by employees. The HR Web site is stored on a Web server named
Web1.TestKing.com. The Sales Web site is stored on a Web server named
http://www.TestKing.com.
You must allow employees to access both the HR Web site and the Sales Web site
from the Internet. You must ensure that employees can access the HR Web site by
using the URL http://www.TestKing.com/hr. You must also ensure that employees
can access the Sales Web site by using the URL http://www.TestKing.com/sales.
A. Configure one of the Web servers to listen for HTTP requests on port 8080.
Create two server publishing rules. Create one of the rules to respond to requests on port
8080, and configure this rule to forward requests to one internal Web server. Create the
other rule to use the DefaultHTTP listener, and configure this rule to forward to the other
internal Web server.
B. Configure one of the Web servers to listen for HTTP requests on port 8080.
Create a new listener that uses HTTP on port 8080.
Create two Web publishing rules. Configure each rule to forward to a different internal
Web server. Configure each rule to use a different listener.
C. Create two server publishing rules. Configure each rule to forward to a different
internal Web server. Configure each internal Web server to listen for HTTP requests on
an unused port.
D. Create two Web publishing rules. Configure each rule to forward to a different internal
Web server. Configure each rule to use the DefaultHTTP listener.
Answer: D
Explanation:
QUESTION NO: 65
You are a network administrator for TestKing.com. You are installing ISA Server
2004 on two computers named TESTKING1 and TESTKING2. The network is
configured as shown in the exhibit.
You need to ensure that the implementation plan meets the following requirements:
1. All devices that pass outbound traffic must perform network address translation
(NAT).
2. All Internet-accessible internal resources must be published.
A. Adapter A
B. Adapter B
C. Adapter C
D. Adapter D
Answer: B, D
Explanation:
Many organizations implement a back-to-back firewall configuration. In this scenario,
one firewall, Testking1, is directly connected to the Internet, while the second network
adapter on that firewall is connected to the screened subnet (an internal network for
Testking1). The second firewall, Testking2, is connected to the screened subnet and the
internal network. All network traffic must flow through both firewalls and through the
screened network to pass between the Internet and the internal network. In this
configuration, there is no single point of access from the Internet to the internal network.
To reach the internal network, an attacker would need to get past both firewalls. It is
common to use two different firewall vendors in this configuration for maximum
security. This dual-vendor configuration prevents a single exploit that works against one
firewall from compromising both firewalls.
QUESTION NO: 66
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain. The network contains an ISA Server 2004 computer
named ISA1. ISA1 is a member of the Active Directory domain.
You configure ISA1 as a remote access VPN server that allows both PPTP and
L2TP over IPSec remote access client connections. You want to control VPN access
by using a remote access policy.
You configure ISA1 to allow VPN access to members of the Domain Users global
group. However, VPN connections fail. You examine the properties of several
domain user accounts and you discover that the Control access through Remote
Access Policy option is not available.
Answer: C
Explanation:
The Control access through Remote Access Policy option is unavailable while the Active
Directory domain is in Mixed mode. Therefore we must change the domain to Native mode
and then enable this option on the user accounts. Note that changing the domain from
Mixed mode to Native mode cannot be reversed.
QUESTION NO: 67
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.
ISA1 is configured with two network adapters. The external network adapter is
connected to the Internet. The internal network adapter is connected to the Internal
network. The Internal network address range is 10.0.0.0 through 10.0.0.255.
You define the VPN assignment as a static pool that extends from 10.0.1.0 through
10.0.1.255. You enable VPN client access. You test the VPN configuration and
successfully establish a VPN connection to ISA1 from an external Windows XP
Professional client computer named XP1.
You discover that you cannot browse external Web sites from XP1 while it has a
VPN session with ISA1. You confirm that internal client computers can browse
external Web sites.
You need to ensure that VPN clients can browse external Web sites while connected
to ISA1. You also need to ensure that all requests for external Web sites from VPN
clients are processed through ISA1.
A. On the VPN clients, in the VPN connection object in the Network Connections folder,
clear the check box to use the default gateway on the remote network.
B. On the VPN clients, in the Internet Explorer, configure the dial-up and virtual network
settings for the VPN connection object to use the proxy server settings for ISA1.
C. On ISA1, reconfigure the VPN address assignments to use DHCP. Ensure that the
address assignments are within the range defined for the Internal network.
D. On ISA1, create an access rule that allows outbound HTTP and HTTPS access from
the VPN client network for the All Authenticated Users user set.
Answer: D
Explanation:
ISA Server assigns computers to networks and then uses network rules, network access
rules, and publishing rules to restrict the movement of network traffic between networks.
These concepts are also used by ISA Server to manage VPN connections. ISA Server uses
the following networks for VPN connections:
* VPN Clients network. This network contains the IP addresses of all of the VPN clients
that have connected using VPN client access.
* Quarantined VPN Clients network. This network contains the IP addresses of all of the
VPN clients that have connected using VPN client access but have not yet cleared
quarantine.
* Remote-site network. This network contains the IP addresses of all of the computers in
a remote site when a site-to-site VPN connection is configured. Additional remote-site
networks are created for each remote-site connection.
ISA Server uses these networks just like it uses any other directly connected networks.
That means that you can use network rules and access rules to define the conditions under
which network packets will be passed from one network to another. In this scenario the
VPN Clients network does not have access to the Internet because there is no access rule
that allows that traffic. Therefore we need to create an access rule that allows outbound
HTTP and HTTPS access from the VPN Clients network to the External network for the
All Authenticated Users user set.
QUESTION NO: 68
You are the network administrator for TestKing.com. The company has a main
office and one branch office. You want to connect the main office to the branch
office by using a site-to-site VPN connection.
The main office network includes two network IDs: 192.168.1.0/24 and 192.168.2.0/24. The
192.168.1.0/24 network is directly connected to ISA1 and is configured as the default
Internal network. The 192.168.2.0/24 network is connected to the 192.168.1.0/24
network by a router on the main office Internal network. You create two subnet
network objects in the ISA Server Management console: one network for the
192.168.1.0/24 network and one for the 192.168.2.0/24 network.
You create an access rule on ISA1 and on ISA2 to allow all traffic to and from the
main office and branch office networks. You create an access rule on ISA1 to allow
all traffic between the default Internal network and the branch office network.
You need to ensure that all users at the main office can connect to resources located
on the branch office network.
A. Add the addresses in network ID 192.168.2.0/24 to the default Internal network at the
main office.
B. Add the addresses in network ID 10.0.0.0/24 to the default Internal network at the
main office.
C. Remove the router connecting the two networks at the main office and place both
network IDs on a single Ethernet broadcast segment.
D.
Answer: A
Explanation:
Site-to-site VPNs allow you to connect entire networks to one another. This can lead to
significant cost savings for organizations that are using dedicated frame relay links to
connect branch offices to the main office, or branch offices to one another. The ISA
firewall supports site-to-site VPN networking using the following VPN protocols:
* PPTP (Point-to-Point Tunneling Protocol)
* L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
* IPSec Tunnel Mode
In this scenario we can read that the site-to-site configuration is fully working between
the two sites. Thus the internal network users (192.168.1.0/24) from the main office can
connect to the internal network (10.0.0.0/24) in the branch office. However, the network
users behind the router (192.168.2.0/24) cannot. We did create a new subnet object, but
we forgot to add the 192.168.2.0/24 subnet to the Internal network addresses.
QUESTION NO: 69
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1, which allows outgoing connections to the
Internet. A network rule defines a network address translation (NAT) relationship
between the Internal network and the Internet.
Users on ISA Server protected networks require access to PPTP and L2TP over
IPSec VPN servers on the Internet.
You configure all network computers, except ISA1, as both Web Proxy and Firewall
clients. You create access rules on ISA1 to allow outbound connections to the
Internet by using PPTP Client, IPSec NAT Traversal (NAT-T) Client, and IKE
Client protocols. You discover that users cannot connect to Internet PPTP and
L2TP over IPSec VPN servers.
You need to ensure that users can connect to PPTP and L2TP over IPSec VPN
servers on the Internet.
Answer: C
Explanation:
You can configure the ISA firewall to allow outbound access to VPN servers on the
Internet. The ISA firewall supports all true VPN protocols, including PPTP, L2TP/IPSec,
and IPSec NAT Traversal (NAT-T).
Although ISA Server supports PPTP passthrough out of the box, there is no built-in
support for IPSec passthrough. The reason for this is that the IPSec protocols are not
NAPT (Network Address & Port Translation) compatible. The IPSec protocols are
designed to authenticate and/or encrypt information in the packet. When a NAPT device
(such as an ISA Server computer) tries to change the information in the packet, it will either
cause the packet to be considered invalid by an IPSec protocol, or it will be unable to perform
the translation because the information the NAPT device needs to access is encrypted. The
IPSec Working Group has worked out a solution called NAT Traversal, or NAT-T for short.
To make NAT-T work on ISA Server we need to create an access rule that uses the IPSec
IKE Client protocol and the IPSec NAT-T Client protocol.
Because the PPTP VPN protocol requires GRE (an IP level protocol that does not use
TCP or UDP as a transport), machines configured as only Firewall and/or Web Proxy
clients will not be able to connect to Internet VPN servers using PPTP. The machine must
also be configured as a SecureNAT client to successfully complete the PPTP connection.
QUESTION NO: 70
You are the network administrator for TestKing.com. The network consists of a
single Active Directory domain named testking.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is a member of the domain.
You want to configure ISA1 as a VPN server. You want VPN clients to connect by
using L2TP over IPSec. You want the VPN clients to use certificate-based
authentication.
You examine the system log and the application log on ISA1. You discover several
events related to the failure of the automatic enrollment of the certificate. The events
indicate an inability of ISA1 to use RPC and Distributed Component Object Model
(DCOM) to acquire the certificate through automatic enrollment.
You need to install a computer certificate on ISA1 from the enterprise CA. You also
need to ensure that the computer certificate can be used for only client
authentication and server authentication.
A. On ISA1, add the Certificates snap-in for the local computer to an MMC console. In
the Personal certificate store of the Certificates snap-in, use the Certificate Request
wizard to manually request a computer certificate.
B. On ISA1, using Internet Explorer, connect to the certificate server Web enrollment
pages on TestKing3. Use the Advanced Certificate Web enrollment pages to request a
certificate based on the Administrator certificate template and to store the certificate in
the local computer certificate store.
C. From a Web server on the Internal network, request a Web certificate from TestKing3
that uses ISA1.fabrikam.com as the common name and that contains an exportable
private key. Import the certificate to the Personal certificate store for the local computer
on ISA1.
D. On ISA1, temporarily disable the RPC application filter and create an access rule to
allow all protocols from ISA1 to the Internal network. Temporarily, disable the setting to
enforce strict RPC compliance. Manually refresh the GPO.
Answer: D
Explanation:
Enrollment from an enterprise CA, whether automatic or requested manually through the
Certificates snap-in (option A), is carried over RPC and DCOM. On ISA Server 2004 the RPC
application filter, when it enforces strict RPC compliance, blocks the DCOM calls from ISA1
(the Local Host network) to the CA on the Internal network, which is exactly what the logged
events describe. Temporarily disabling the filter and strict RPC compliance, allowing all
protocols from ISA1 to the Internal network, and refreshing Group Policy lets autoenrollment
complete. The Computer certificate template carries only the Client Authentication and
Server Authentication purposes, which is what the requirement asks for. Re-enable the RPC
filter and strict RPC compliance and remove the temporary access rule once the certificate is
in place. Option B issues a certificate from the Administrator template, which has additional
purposes, and option C requests a Web server certificate under a name that is not ISA1's, so
neither meets the requirement.
QUESTION NO: 71
You are the network administrator for TestKing.com. The company has a main
office and is adding a branch office.
You need to connect the two offices to each other so that employees in the branch
office can access file, Web and database servers at the main office.
You create a site-to-site VPN by creating remote site networks on ISA Server 2004
computers in both offices. You configure L2TP over IPSec as the VPN protocol for
the site-to-site connection. You configure the ISA Server computers in both offices
to use computer certificates and to use a preshared key.
The L2TP over IPSec connection is successfully established, but when you view the
connection parameters in the IPSec console, you discover that the preshared key is
used to establish the IPSec connection.
You need to allow the computer certificates to be used instead of the preshared key
for the IPSec negotiations.
A. Remove the preshared key from only the main office ISA Server computer's remote
site network configuration.
B. Remove the preshared key from only the branch office ISA Server computer's remote
site network configuration.
C. Remove the preshared key from the ISA Server computer's remote site network
configuration at both offices.
D. Remove the computer certificates on the ISA Server computers at both offices and
replace them with user certificates.
Answer: C
Explanation:
Site-to-site VPNs allow you to connect entire networks to one another. This can lead to
significant cost savings for organizations that are using dedicated frame relay links to
connect branch offices to the main office, or branch offices to one another. The ISA
firewall supports site-to-site VPN networking using the following VPN protocols:
* PPTP (Point-to-Point Tunneling Protocol)
* L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
* IPSec Tunnel Mode
L2TP/IPSec is more secure than PPTP and IPSec tunnel mode. However, to ensure that
you have a secure site-to-site VPN connection using L2TP/IPSec, you must use machine
certificates (and therefore a PKI) on all ISA firewall VPN gateways. If you do not have a
PKI in place yet, or do not plan to implement a certificate infrastructure, you can use a
pre-shared key for the computer authentication component of L2TP/IPSec connection
establishment instead. IKE uses a single authentication method per negotiation, and when a
pre-shared key is configured on a remote site network ISA Server offers that key rather than
the certificate; this is why the IPSec console shows the key in use even though certificates
are installed. In this scenario a certificate infrastructure exists, so the pre-shared keys are
not needed. Remove the pre-shared key from the remote site network configuration on the
ISA Server computers at both offices (answer C). Both ends must present the same
authentication method, so removing the key at only one office leaves one side offering a
key and the other a certificate, and the IKE negotiation fails. Option D is wrong because
IKE computer authentication requires computer (machine) certificates, not user certificates.
QUESTION NO: 72
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is configured as a remote access VPN
server and as a DHCP server.
On the DHCP server, you create a DHCP scope that includes the three DHCP
options.
VPN users report that they cannot connect to file shares after logging on to the
network. You discover that no WINS or DNS server address is assigned to the VPN
clients, and no primary domain name is listed.
You need to ensure that the DHCP options are assigned to the VPN client
computers.
A. Remove the DHCP server from ISA1 and place it on a computer that is behind ISA1.
B. Configure the Routing and Remote Access internal network adapter as a DHCP client.
C. In the ISA Server Management console, configure VPN address assignment to use the
Internal network for the DHCP, DNS and WINS services.
D. Install a DHCP Relay Agent on ISA1
Answer: A, D
Explanation:
The Dynamic Host Configuration Protocol (DHCP) allows you to automatically assign IP
addressing information to VPN clients. IP addressing information the DHCP server can
assign to VPN clients includes:
* IP address
* WINS server address
* DNS server address
* Primary domain name
The ISA Server firewall/VPN server can be configured to use a static address pool or
DHCP to assign IP addresses to VPN clients and gateways. When you use a static address
pool, the IP address pool is configured on the ISA Server firewall/VPN server, and WINS
and DNS server addresses are assigned based on the WINS and DNS server address
settings on the internal interface of the ISA Server firewall/VPN server. You can use
DHCP to assign VPN clients an IP address, a WINS server address, a DNS server
address, and a primary domain name, as well as other DHCP options. The VPN server itself
obtains only IP addresses from DHCP: Routing and Remote Access leases them in blocks and
hands them out to VPN clients. The other options reach the client only if the DHCPINFORM
request it sends over the PPP link is answered by the DHCP server. To fully utilize the
information a DHCP server can provide, the ISA Server firewall/VPN server must therefore be
configured with a DHCP Relay Agent. The DHCP Relay Agent acts as a "DHCP proxy" between
the VPN client and the DHCP server, forwarding the DHCP messages in both directions. The
DHCP Relay Agent cannot run on a computer that is itself running the DHCP Server service,
which is why the DHCP server must first be moved to a computer behind ISA1 (answer A)
before the relay agent is installed on ISA1 (answer D).
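The exchange the relay agent carries, as an added example that is not part of the original page: the VPN client's DHCPINFORM, the giaddr/hop-count handling a relay agent performs before forwarding it, and a parser for the DHCPACK that extracts the DNS, WINS and domain-name options the scenario says were missing. Addresses, the MAC and the transaction ID are constructed samples.

```python
"""Added example, not from the original page: the DHCP exchange a relay agent on
the ISA Server/VPN server carries for a VPN client. RRAS gives the client an
address it leased itself; the client then sends DHCPINFORM over the PPP link for
the other options, which only reach a DHCP server if a relay agent forwards them.
Addresses, MAC and transaction ID are constructed samples."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_LEN = 236                                   # fixed BOOTP header
OPT_DNS, OPT_DOMAIN, OPT_WINS = 6, 15, 44          # RFC 2132 option codes
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQUEST, OPT_END = 53, 54, 55, 255
DHCPACK, DHCPINFORM = 5, 8
BOOTREQUEST, BOOTREPLY = 1, 2

def _header(op, xid, ciaddr, chaddr, giaddr="0.0.0.0", hops=0):
    """op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
    giaddr, chaddr(16), sname(64), file(128): 236 bytes in total."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, hops, xid, 0, 0,
                       socket.inet_aton(ciaddr), b"\0" * 4, b"\0" * 4,
                       socket.inet_aton(giaddr), chaddr.ljust(16, b"\0"),
                       b"\0" * 64, b"\0" * 128)

def _option(code, value):
    return bytes([code, len(value)]) + value

def build_dhcpinform(client_ip, client_mac, xid):
    """The client already has an address (ciaddr) and asks only for the
    options it needs to reach file shares: DNS servers, domain name, WINS."""
    options = (_option(OPT_MSG_TYPE, bytes([DHCPINFORM]))
               + _option(OPT_PARAM_REQUEST, bytes([OPT_DNS, OPT_DOMAIN, OPT_WINS]))
               + bytes([OPT_END]))
    return _header(BOOTREQUEST, xid, client_ip, client_mac) + MAGIC_COOKIE + options

def relay_agent_forward(packet, relay_ip):
    """What the relay agent does before unicasting the request to the DHCP
    server (RFC 1542): set giaddr to its own address if still empty and bump
    the hop count. The server sends its reply back to giaddr."""
    giaddr = packet[24:28]
    if giaddr == b"\0" * 4:
        giaddr = socket.inet_aton(relay_ip)
    return packet[:3] + bytes([packet[3] + 1]) + packet[4:24] + giaddr + packet[28:]

def parse_options(packet):
    """TLV options after the magic cookie -> {code: raw bytes}. Skips PAD (0),
    stops at END (255), rejects a truncated option instead of mis-parsing it."""
    if packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    idx, opts = HEADER_LEN + 4, {}
    while idx < len(packet) and packet[idx] != OPT_END:
        if packet[idx] == 0:
            idx += 1
            continue
        if idx + 1 >= len(packet):
            raise ValueError("truncated DHCP option")
        code, length = packet[idx], packet[idx + 1]
        value = packet[idx + 2:idx + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DHCP option %d" % code)
        opts[code] = value
        idx += 2 + length
    return opts

def _ip_list(raw):
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]

def vpn_client_settings(dhcpack):
    """What the VPN client learns from the relayed DHCPACK."""
    opts = parse_options(dhcpack)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        raise ValueError("not a DHCPACK")
    return {"dns": _ip_list(opts.get(OPT_DNS, b"")),
            "wins": _ip_list(opts.get(OPT_WINS, b"")),
            "domain": opts.get(OPT_DOMAIN, b"").rstrip(b"\0").decode("ascii")}

# Constructed reply from an internal DHCP server (10.0.0.5, assumed) to the
# DHCPINFORM that ISA1's relay agent (10.0.0.1, assumed) forwarded for client 10.0.0.50.
SAMPLE_MAC = bytes.fromhex("0011223344aa")
SAMPLE_ACK = (_header(BOOTREPLY, 0x1234, "10.0.0.50", SAMPLE_MAC, giaddr="10.0.0.1", hops=1)
              + MAGIC_COOKIE
              + _option(OPT_MSG_TYPE, bytes([DHCPACK]))
              + _option(OPT_SERVER_ID, socket.inet_aton("10.0.0.5"))
              + _option(OPT_DNS, socket.inet_aton("10.0.0.10") + socket.inet_aton("10.0.0.11"))
              + _option(OPT_WINS, socket.inet_aton("10.0.0.12"))
              + _option(OPT_DOMAIN, b"testking.com")
              + bytes([OPT_END]))

if __name__ == "__main__":
    request = relay_agent_forward(build_dhcpinform("10.0.0.50", SAMPLE_MAC, 0x1234), "10.0.0.1")
    print("relay giaddr:", socket.inet_ntoa(request[24:28]), "hops:", request[3])
    print(vpn_client_settings(SAMPLE_ACK))
```

The relay step is the part a static address pool never gives you: without a relay agent on the VPN server the DHCPINFORM has no giaddr to be answered to, so the client gets an address but no DNS, WINS or domain name, which is the symptom in the scenario.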
QUESTION NO: 73
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1, which functions as a remote access VPN server
for the network. ISA1 is a member of a workgroup.
Users report that they cannot connect to the network. They state that they receive
the following error message: "Error 691: Access was denied because the username
and/or password was invalid for the domain."
You need to ensure that VPN users can connect to the network.
Answer: A
Explanation:
You can significantly enhance the security of your ISA firewall's VPN remote access
client connections by using EAP user certificate authentication. User certificate
authentication requires that the user possess a user certificate issued by a trusted
certificate authority.
Both the ISA firewall and the remote access VPN client must have the appropriate
certificates assigned to them. You must assign the ISA firewall a machine certificate
that the firewall can use to identify itself. Users must be assigned user certificates from a
certificate authority that the ISA firewall trusts. When both the remote access client
machine presenting the user certificate and the ISA firewall contain a common CA
certificate in their Trusted Root Certification Authorities certificate stores, the client and
server trust the same certificate hierarchy. Before EAP authentication of domain users can
be used, the ISA Server computer must be joined to the domain: a workgroup member cannot
validate domain credentials, and VPN users receive error 691 as in this scenario.
QUESTION NO: 74
You are the network administrator for TestKing.com. The company has a main
office and is adding a branch office. ISA Server 2004 Standard Edition is deployed
at the main office and at the branch office.
Users at the main office report that they cannot connect to servers at the branch
office. Users at the branch office report that they cannot connect to servers at the
main office.
You view the Event Viewer services log on the ISA Server computer in each office.
You see the following error message: "Unable to contact a DHCP server. The
Automatic Private IP Address 169.254.99.87 will be assigned to dial-in clients.
Clients may be unable to access resources on the network."
You need to enable users at the main and the branch office to connect to resources
on the other side of the site-to-site VPN connection.
Answer: C
Explanation:
The logged error shows that Routing and Remote Access on each ISA Server computer could
not obtain addresses from a DHCP server and fell back to an Automatic Private IP Address
(169.254.x.x) for its VPN interfaces. With APIPA addresses on the tunnel endpoints, the
demand-dial interfaces of the remote site networks have no usable addresses and traffic
cannot be routed across the site-to-site link, which is why users on both sides fail. The
fix is to give each VPN server a valid address source, either a static address pool
configured in ISA Server Management or a DHCP server that ISA Server can reach, and then
re-establish the connection.
Site-to-site VPNs allow you to connect entire networks to one another. This can lead to
significant cost savings for organizations that are using dedicated frame relay links to
connect branch offices to the main office, or branch offices to one another. The ISA
firewall supports site-to-site VPN networking using the following VPN protocols:
* PPTP (Point-to-Point Tunneling Protocol)
* L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
* IPSec Tunnel Mode
QUESTION NO: 75
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer.
Users can connect to the Remote Desktop Web Connection site by using Internet
Explorer. However, they cannot establish a Terminal Services connection.
Answer: A
Explanation:
QUESTION NO: 76
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer.
The company's written security policy states that all incoming connections from the
Internet into the corporate network must be encrypted, and only SSL Web
connections are allowed.
The company upgrades to the latest version of Microsoft Exchange Server. You
configure a server publishing rule to allow inbound secure Exchange RPC
connections to the Exchange Server computer.
You need to allow users to connect to Outlook Web Access and you need to adhere
to the company's security policy.
Answer: C
Explanation:
Outlook Web Access (OWA) provides access to a computer running Exchange Server
through a Web browser. OWA does not require any client software or client configuration
other than a Web browser. Although OWA does not provide all of the functionality
provided by a full Outlook client, the fact that it is easy to deploy and does not require
any special client makes OWA an attractive option for providing remote access.
The use of OWA raises several issues with e-mail security, including:
* Securing the user logon. By default, OWA is configured to use Hypertext Transfer
Protocol (HTTP). This means that all user logon information is passed in clear text to the
computer running Exchange Server. This issue can be easily addressed using Secure
Sockets Layer (SSL) to encrypt all user sessions. However, some clients may cache the
user logon credentials so that if the user does not close all Web browser sessions, another
user may be able to access the user's e-mail without logging on.
* Securing e-mail contents. Because all messages are sent in clear text using HTTP, the
e-mail contents may not be secure while crossing the Internet. You can use Hypertext
Transfer Protocol Secure (HTTPS) to secure the e-mail. However, some Web browsers
may cache the e-mail contents on the local computer. For example, when you open an
attachment using OWA, it is stored in the temporary Internet files on the computer.
Another user may be able to gain access to the files.
Another option for providing remote
access to e-mail on a computer running Exchange Server is to use an Outlook client
configured to use Messaging Application Programming Interface (MAPI) to communicate
with Exchange. The Outlook client provides the most functionality, but also introduces
some security risks when used to provide access from the Internet.
Outlook 2003 with Exchange 2003 running on Microsoft Windows Server 2003 supports
RPC over HTTP, which simplifies the network and firewall configuration needed to
support a MAPI client. Using RPC over HTTP provides all the benefits of using an
Outlook client without needing multiple ports open on the firewall. Users running
Outlook 2003 can connect directly to a computer running Exchange Server 2003 over the
Internet by using HTTP or HTTPS even if both the computer running Exchange Server
and Outlook are behind firewalls and located on different networks. Only the HTTP and
HTTPS ports need to be opened on the firewall.
In this scenario the users connect with OWA, so RPC over HTTP is not required. The
existing server publishing rule for secure Exchange RPC admits inbound connections that are
not SSL Web connections, which the written security policy forbids. Delete that RPC server
publishing rule and create an HTTPS Web publishing rule, with an SSL Web listener, for the
OWA clients.
QUESTION NO: 77
Users access a Secure Shell protocol (SSH)-based application on a partner Web site.
Access to this application is mission-critical to TestKing.com.
You need to configure ISA Server 2004 to ensure that Internet access is still
available if the ISA Server computer fails.
Answer: A
Explanation:
Network Load Balancing (NLB) is a Windows network component that is used to create a
cluster of computers that can be addressed by a single cluster IP address. NLB provides
load balancing and high availability for IP-based services. ISA Server Enterprise Edition
integrates with NLB so that you can configure and manage NLB using the ISA Server
Management tools. One NLB feature is health monitoring: NLB is stopped on a particular
array member if the server is unavailable or its Firewall service has stopped, so the
remaining members take over its share of the traffic. In this scenario Internet access must
remain available if one ISA Server computer fails, which is achieved by enabling NLB on
the array.
QUESTION NO: 78
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1 and a Web server named Web1.
The company has two Web sites named SiteA and SiteB. Both Web sites are hosted
on Web1. SiteA requires users to be authenticated. SiteB needs to have only
anonymous access configured.
Answer: B
Explanation:
ISA Server uses Web publishing rules to make Web sites available to users on the
Internet. A Web publishing rule is a firewall rule that specifies how ISA Server will route
incoming requests to internal Web servers. Use Web publishing rules to provide:
* Access to Web servers running HTTP protocol. When you configure a Web publishing
rule, you configure ISA Server to listen for HTTP requests from the Internet and to
forward that request to a Web server on a protected network. To publish servers using any
other protocols, you need to use a server publishing rule.
* Application-layer filtering. Application-layer filtering enables ISA Server to inspect the
application data in each packet passing through ISA Server. This includes filtering of
Secure Sockets Layer (SSL) packets if you enable SSL bridging. This provides an
additional layer of security not provided by server publishing rules.
* Path mapping. Path mapping enables you to hide the details of your internal Web site
configuration by redirecting external requests for parts of the Web site to alternate
locations within the internal Web site. This means that you can limit access to only
specific areas within a Web site.
* User authentication. You can configure ISA Server to require that all external users
authenticate before their requests are forwarded to the Web server hosting the published
content. This protects the internal Web server from authentication attacks. Web
publishing rules support several methods of authentication including Remote
Authentication Dial-In User Service (RADIUS), integrated, basic, digest, digital
certificates, and RSA SecurID.
* Content caching. The content from the internal Web server can be cached on ISA
Server, which improves the response time to the Internet client while decreasing the load
on the internal Web server.
QUESTION NO: 79
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.
The company's written security policy states that users must be allowed access to the
Internet only between the hours of 08:00 and 17:00.
You need to configure ISA1 to allow all Internet traffic between 08:00 and 17:00
and to not allow outbound Internet traffic at other times.
Explanation:
Access Rules always apply to outbound connections. Only protocols with a primary
connection in either the outbound or send direction can be used in Access Rules. In
contrast, Web Publishing Rules and Server Publishing Rules always use protocols with a
primary connection with the inbound or receive direction. Access Rules control access
from source to destination using outbound protocols. You can apply a Schedule to an
Access Rule to control when the rule should be applied. There are three built-in
schedules:
* Work Hours: the rule applies between 09:00 (9:00 A.M.) and 17:00 (5:00 P.M.), Monday
through Friday
* Weekends: the rule applies at all times on Saturday and Sunday
* Always: the rule applies at all times
Note that rules can be allow or deny rules. The Schedules apply to all Access Rules, not
just allow rules. Schedules control only new connections that apply to an Access Rule.
Connections that are already established are not affected by Schedules. For example, if
you schedule access to a partner site during Work Hours, users will not be disconnected
after 5PM. You will have to manually disconnect the users or script a restart of the
firewall service.
In this scenario all types of traffic are to be allowed only from 08:00 to 17:00, so create
an access rule that allows all outbound protocols and configure the rule's schedule so that
the rule applies only between 08:00 and 17:00. Because the built-in Work Hours schedule
starts at 09:00, a new schedule is required. Remember that a connection opened at 16:59 is
not terminated when the schedule closes at 17:00.
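The schedule behaviour described above, as an added example that is not part of the original page: ordered access rules are evaluated first match wins, a rule is skipped while its schedule is closed whether it allows or denies, and the connection table shows that established connections outlive the window and must be found and dropped separately. The built-in schedules follow the text; the 08:00-17:00 schedule, the rule names and the sample clients are assumptions for the example.

```python
"""Added example, not from the original page: a model of how ISA Server 2004
applies schedules to ordered access rules. A rule only matches a new connection
while its schedule is open, schedules attach to deny rules as well as allow
rules, and established connections are not torn down when the window closes.
The built-in schedules follow the text; POLICY_HOURS, the rule names and the
connection table are assumptions made for the example."""
from datetime import datetime, time

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)        # datetime.weekday() numbering
DEFAULT_RULE = {"name": "Default rule", "action": "deny"}

def make_schedule(days, start=time(0, 0), end=None):
    """Days of week plus a daily window [start, end); end=None means midnight."""
    return {"days": frozenset(days), "start": start, "end": end}

WORK_HOURS = make_schedule(range(MON, FRI + 1), time(9, 0), time(17, 0))
WEEKENDS = make_schedule([SAT, SUN])
ALWAYS = make_schedule(range(7))
POLICY_HOURS = make_schedule(range(7), time(8, 0), time(17, 0))   # the scenario's 08:00-17:00

def moment(iso):
    """Helper so callers can write moment("2005-03-07T16:59")."""
    return datetime.fromisoformat(iso)

def in_schedule(sched, when):
    t = when.time()
    return (when.weekday() in sched["days"] and sched["start"] <= t
            and (sched["end"] is None or t < sched["end"]))

def make_rule(name, action, protocols, schedule=ALWAYS):
    return {"name": name, "action": action, "protocols": frozenset(protocols), "schedule": schedule}

def evaluate(rules, when, protocol):
    """First matching rule decides; a rule whose schedule is closed is skipped
    entirely, whether it allows or denies. Nothing matched -> default deny."""
    for rule in rules:
        if protocol not in rule["protocols"] and "All" not in rule["protocols"]:
            continue
        if not in_schedule(rule["schedule"], when):
            continue
        return rule["action"], rule["name"]
    return DEFAULT_RULE["action"], DEFAULT_RULE["name"]

class ConnectionTable:
    """Established connections survive schedule changes; only new ones are
    checked. stale() lists what an administrator would have to drop by hand."""

    def __init__(self):
        self.active = []                    # (client, protocol, opened_at, rule)

    def open(self, rules, when, client, protocol):
        action, rule = evaluate(rules, when, protocol)
        if action == "allow":
            self.active.append((client, protocol, when, rule))
        return action, rule

    def stale(self, rules, when):
        """Connections the policy would no longer admit if they were new now."""
        return [c for c in self.active if evaluate(rules, when, c[1])[0] != "allow"]

# Constructed policy: block streaming during work hours, otherwise allow
# everything within the written policy's 08:00-17:00 window.
RULES = [
    make_rule("Block streaming in work hours", "deny", {"RTSP"}, WORK_HOURS),
    make_rule("Internet 08:00-17:00", "allow", {"All"}, POLICY_HOURS),
]

if __name__ == "__main__":
    table = ConnectionTable()
    print(table.open(RULES, moment("2005-03-07T16:59"), "10.0.0.21", "HTTP"))
    print(table.open(RULES, moment("2005-03-07T17:05"), "10.0.0.22", "HTTP"))
    print(table.stale(RULES, moment("2005-03-07T17:05")))
```

Note the 08:30 RTSP case in the test: the deny rule's Work Hours schedule has not opened yet, so the rule is skipped and the later allow rule admits the traffic. A deny rule that must hold at all times needs the Always schedule, not Work Hours.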
QUESTION NO: 80
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. The company uses Microsoft Exchange Server
2003 as its e-mail server.
Remote users need to access the Exchange server by using either Microsoft Outlook
Web Access or Microsoft Outlook 2003. You need to use HTTPS to provide access
for both Outlook Web Access and Outlook 2003. You want to use forms-based
authentication for Outlook Web Access.
ISA1 is configured with three Web listeners named WebListen1, WebListen2 and
WebListen3. You configure WebListen1 to use SSL certificate authentication. You
configure WebListen2 to use forms-based authentication. You configure
WebListen3 to use Windows Integrated authentication.
A. Create two Web publishing rules for the Exchange server. Configure one of the rules
to use WebListen1.
Configure the other rule to use WebListen3.
B. Create one Web publishing rule for the Exchange server. Configure the rule to use
WebListen2.
C. Create two Web publishing rules for the Exchange server. Configure one of the rules
to use WebListen1.
Configure the other rule to use WebListen2.
D. Create one Web publishing rule for the Exchange server. Configure the rule to use
WebListen1.
Answer: C
Explanation:
Many organizations have chosen to use Web-based clients to give remote users access to
their Exchange mailboxes. One of the most popular ways to provide access to e-mail for
users outside the internal network is to deploy an Outlook Web Access (OWA) server so
that users can access their mailboxes from any computer with an Internet connection and
a Web browser. When you publish Outlook Web Access servers through computers
running ISA Server, you are protecting the Outlook Web Access server from direct
external access because the name and IP address of the Outlook Web Access server are
not accessible to the user. The user accesses the computer running ISA Server, which then
forwards the request to the Outlook Web Access server according to the conditions of
your mail server publishing rule. You must configure a Web listener for Outlook Web
Access publishing, and that listener should use forms-based authentication. If you have
configured secure connections to the clients, be sure that the listener listens for requests
on an HTTPS port. Outlook 2003 reaches Exchange through RPC over HTTP, and the RPC over
HTTP client cannot complete a forms-based logon, so it needs a listener with a different
authentication method; because each Web publishing rule uses one listener, two rules are
required. Create two Web publishing rules for the Exchange server: one that uses WebListen2
(forms-based authentication) for Outlook Web Access and one that uses WebListen1 (SSL
certificate authentication) for the Outlook 2003 clients (answer C). A single rule on
WebListen2 (option B) would leave the Outlook 2003 clients unable to authenticate, and the
rules in option A do not provide forms-based authentication for Outlook Web Access.
QUESTION NO: 81
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer.
You need to ensure that company users can access the partner VPN server.
Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)
A. Create an access rule to enable outbound access to the PPTP Client protocol.
B. Create an access rule to enable outbound access to the IPSec with Encapsulating
Security Payload (ESP) Server protocol.
C. Create an access rule to enable outbound access to the IKE Client protocol.
D. Create an access rule to enable outbound access to the IPSec NAT-T Client protocol.
Answer: C, D
Explanation:
You can configure the ISA firewall to allow outbound access to VPN servers on the
Internet. The ISA firewall supports all true VPN protocols, including PPTP, L2TP/IPSec,
and IPSec NAT Traversal (NAT-T).
Although ISA Server supports PPTP passthrough out of the box, there is no built-in
support for IPSec passthrough. The reason is that the IPSec protocols are not NAPT
(Network Address and Port Translation) compatible. IPSec authenticates and/or encrypts
the contents of the packet, so when a NAPT device (for example, an ISA Server computer)
tries to change addresses or ports in the packet, either the IPSec peer rejects the modified
packet as invalid, or the translation cannot be performed at all because the port
information the NAPT device needs is inside the encrypted payload (ESP carries no TCP or
UDP header). The IPSec Working Group solved this with NAT Traversal (NAT-T), which
detects the NAT during IKE and then encapsulates IKE and ESP in UDP port 4500. To let
clients reach the partner VPN server through ISA Server, create access rules that allow the
IKE Client (UDP 500) and IPSec NAT-T Client (UDP 4500) protocols outbound (answers C and
D). Option B is a server-side protocol definition, and option A only covers PPTP.
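The NAPT incompatibility and the two access-rule protocols from this explanation (and the identical one under question 69), as an added example that is not part of the original page: a classifier that names each packet of an outbound IPSec/NAT-T flow by its RFC 3948 framing on UDP 4500, reports which of the two ISA protocol definitions admits it, and shows that raw ESP (IP protocol 50) has no port to translate and falls to the default deny. The sample flow is constructed.

```python
"""Added example, not from the original page: a packet classifier showing why
exactly the IKE Client (UDP 500) and IPSec NAT-T Client (UDP 4500) protocols
are what the access rule must allow, and why plain ESP cannot be passed through
a NAPT device. UDP 4500 framing follows RFC 3948: four zero bytes (the non-ESP
marker) prefix IKE, a single 0xFF byte is a NAT keepalive, anything else is ESP
with its SPI in the first four bytes. The sample packets are constructed."""
from dataclasses import dataclass

IP_PROTO_UDP, IP_PROTO_ESP = 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass
class Packet:
    """Just the fields a NAPT device needs: L4 protocol, destination port
    (meaningless for ESP, which has no transport header) and payload."""
    proto: int
    dst_port: int = 0
    payload: bytes = b""


# The two ISA protocol definitions from the answer: outbound UDP, one port each.
ACCESS_RULE_PROTOCOLS = {
    "IKE Client": (IP_PROTO_UDP, IKE_PORT),
    "IPSec NAT-T Client": (IP_PROTO_UDP, NAT_T_PORT),
}


def classify(pkt):
    """Name the IPSec traffic type the packet carries."""
    if pkt.proto == IP_PROTO_ESP:
        return "ESP"                           # raw ESP: no ports, header is integrity-protected
    if pkt.proto != IP_PROTO_UDP:
        return "other"
    if pkt.dst_port == IKE_PORT:
        return "IKE"
    if pkt.dst_port == NAT_T_PORT:
        if pkt.payload == b"\xff":
            return "NAT-T keepalive"
        if pkt.payload[:4] == NON_ESP_MARKER:
            return "IKE over NAT-T"
        if len(pkt.payload) >= 4:
            return "UDP-encapsulated ESP"       # an SPI is never zero, so no marker = ESP
        return "malformed NAT-T"
    return "other"


def can_napt(pkt):
    """A NAPT device needs a UDP/TCP port to rewrite; ESP offers none and its
    payload is encrypted, which is the incompatibility the text describes."""
    return pkt.proto == IP_PROTO_UDP


def decide(pkt):
    """Outcome of the two access rules for one outbound packet:
    (action, matching ISA protocol or None, traffic type)."""
    kind = classify(pkt)
    for name, (proto, port) in ACCESS_RULE_PROTOCOLS.items():
        if pkt.proto == proto and pkt.dst_port == port:
            return ("allow", name, kind)
    return ("deny", None, kind)


def summarize(packets):
    """Run a constructed flow through the rules; handy for checking a rule set."""
    return [decide(p) for p in packets]


# Constructed outbound flow from a client behind ISA Server to a partner VPN server:
# IKE main mode on 500, NAT detected, so IKE moves to 4500 and ESP is UDP-encapsulated.
# The last packet is what a peer without NAT-T would send and what ISA cannot translate.
SAMPLE_FLOW = [
    Packet(IP_PROTO_UDP, IKE_PORT, b"\x11" * 28),
    Packet(IP_PROTO_UDP, NAT_T_PORT, NON_ESP_MARKER + b"\x11" * 28),
    Packet(IP_PROTO_UDP, NAT_T_PORT, b"\x00\x00\x10\x01" + b"\x22" * 40),
    Packet(IP_PROTO_UDP, NAT_T_PORT, b"\xff"),
    Packet(IP_PROTO_ESP, 0, b"\x00\x00\x10\x01" + b"\x22" * 40),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_FLOW, summarize(SAMPLE_FLOW)):
        print(verdict, "translatable" if can_napt(pkt) else "not translatable")
```

Only the two UDP protocols are ever matched, which is the whole point of the answer: no access rule can make raw ESP traverse the NAPT, so the partner VPN server must support NAT-T for clients behind ISA Server to connect.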
QUESTION NO: 82
You are the network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1.
You need to configure ISA1 to publish the new Web site. First, you create an SSL
Web publishing rule. Now, you need to configure the rule to meet the requirements.
A. Configure the rule's link translation to replace absolute links in all Web pages.
B. Configure the rule to forward the original host header to the published Web server.
C. Configure the rule to forward the requests so that they appear to come from ISA1.
D. Configure the rule to forward the requests so that they appear to come from the
original client.
Answer: D
Explanation:
Link Translation solves a number of issues that may arise for external users connecting
through the ISA firewall to an internal Web site. The ISA firewall Link Translator is
implemented as an ISA firewall Web filter. Because of the Link Translator's built-in
functionality, and because it comes with a built-in default dictionary, you can use it right
out of the box to solve many common problems encountered with proxy-based Web
publishing scenarios. The default dictionary includes the following entries:
* Any occurrence on the Web site of the computer name specified on the To tab of the
Web Publishing Rule Properties is replaced with the public Web site name (or IP address).
For example, if a rule redirects all requests for http://www.testking.com to an internal
computer called ISA1, all occurrences of http://ISA1 in the response page returned to the
client are replaced with http://www.testking.com, so the internal naming structure is not
exposed to the client.
* If a nondefault port is specified on the Web listener, that port is used when replacing
links on the response page. If a default port is specified, the port is removed when
replacing links on the response page. For example, if the Web listener is listening on TCP
port 88, the responses returned to the Web client will include links to TCP port 88.
* If the client specifies HTTPS in the request to the ISA firewall, the firewall will replace
all occurrences of HTTP with HTTPS.
QUESTION NO: 83
You are the network administrator for TestKing.com. The network contains a single
ISA Server 2004 computer named ISA1.
The company's new written security policy states that internal computer names
must not be published or accessible via the Internet.
You need to publish a new Web site that has many internal computer names within
the Web site. You must publish this Web site while adhering to the company's
security policy.
A. Configure an HTTP server publishing rule. Configure the rule so that requests sent to
the published server forward the URLs so that they appear to come from the original
client computer.
B. Configure an HTTP server publishing rule. Configure the rule so that requests sent to
the published server forward the URLs so that they appear to come from ISA1.
C. Create a Web publishing rule. On the rule, enable and configure HTTP bridging.
D. Create a Web publishing rule. On the rule, enable and configure the link translator.
Answer: D
Explanation:
Server publishing rules (options A and B) pass HTTP to the Web server without inspecting
or rewriting the content, so internal computer names in the pages still reach the Internet
client. A Web publishing rule with the link translator enabled (answer D) rewrites links
that refer to the internal computer names with the published site name before the response
is returned, which is what the policy requires. Bridging (option C) terminates and re-opens
the connection but by itself does not rewrite page content.
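The default link-translation dictionary from the explanation of question 82, and the reason it satisfies the policy in question 83, as an added example that is not part of the original page: links to the internal server named on the rule's To tab are replaced with the public site name, a non-default listener port is kept and a default one dropped, and the rewritten links use https when the client connected over HTTPS. The host names, listener port and HTML body are constructed; the rewriting is scoped to links that point at the published server, and the content-type check is an assumption of this example.

```python
"""Added example, not from the original page: the default link-translation
dictionary described under question 82, applied to an HTTP response before ISA
Server returns it to the Internet client. Host names, listener port and body
are constructed; only links to the published internal server are rewritten."""
import re

TRANSLATED_TYPES = ("text/html",)      # assumed: only HTML bodies are rewritten here


def public_base(public_host, listener_port, client_used_https):
    """Scheme, host and optional port that replace the internal link prefix.
    A default port (80 for http, 443 for https) is dropped; any other is kept."""
    scheme = "https" if client_used_https else "http"
    default_port = 443 if client_used_https else 80
    port = "" if listener_port == default_port else ":%d" % listener_port
    return "%s://%s%s" % (scheme, public_host, port)


def internal_link_pattern(internal_host):
    """Matches http(s)://INTERNALHOST[:port] as a complete host token, so WEB1
    does not also match WEB10 or WEB1.internal.example."""
    return re.compile(
        r"https?://" + re.escape(internal_host) + r"(?::\d+)?(?![\w.-])",
        re.IGNORECASE,
    )


def translate_links(body, internal_host, public_host, listener_port=80, client_used_https=False):
    """Rewrite every link to the internal server; returns (new body, count)."""
    replacement = public_base(public_host, listener_port, client_used_https)
    return internal_link_pattern(internal_host).subn(replacement, body)


def translate_response(content_type, body, internal_host, public_host,
                       listener_port=80, client_used_https=False):
    """Apply translation only to content types the dictionary is meant for;
    binary downloads and images pass through unchanged."""
    if content_type.split(";")[0].strip().lower() not in TRANSLATED_TYPES:
        return body, 0
    return translate_links(body, internal_host, public_host, listener_port, client_used_https)


# Constructed response body from an internal server called WEB1, published as
# www.testking.com; the third link points at a different internal host and must
# not be touched by this rule (it would need its own publishing rule).
SAMPLE_BODY = (
    '<a href="http://WEB1/sales/">Sales</a>\n'
    '<img src="http://web1:80/img/logo.gif">\n'
    '<a href="http://WEB10/">Another host</a>\n'
)

if __name__ == "__main__":
    body, n = translate_response("text/html; charset=utf-8", SAMPLE_BODY,
                                 "WEB1", "www.testking.com", 443, True)
    print(n, "links rewritten")
    print(body)
```

Check the third link in the output: it still names WEB10, which is exactly the kind of leak the policy in question 83 forbids, so every internal host referenced by the site needs to be covered by a publishing rule (or a custom dictionary entry) before the site goes live.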
QUESTION NO: 84
You are the administrator of an ISA Server 2000 computer named ISA1. You use
the ISA Server 2004 Migration Tool to perform an in-place upgrade on ISA1. You
install the Firewall Client installation component on ISA1.
Client computers in the sales department run Windows NT Workstation 4.0 with
Internet Explorer 5.0 and the Microsoft Proxy 2.0 Winsock Proxy client installed.
All other client computers run Windows XP Professional. The ISA Server 2000
Firewall Client was installed on the Windows XP Professional computers by using
Group Policy.
You discover that all client computer requests to ISA1 are being sent unencrypted.
Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)
A. Uninstall the Winsock Proxy client from the client computers in the sales department.
Run Setup.exe to install the ISA Server 2004 Firewall Client.
Answer: A, D
Explanation:
The Firewall client software is an optional client piece that can be installed on any
supported Windows operating system to provide enhanced security and accessibility. The
Firewall client software provides the following enhancements to Windows clients:
* Allows strong user/group-based authentication for all Winsock applications using the
TCP and UDP protocols.
* Allows user and application information to be recorded in the ISA 2004 firewall's log
files.
* Provides enhanced support for network applications, including complex protocols that
require secondary connections.
* Provides 'proxy' DNS support for Firewall client machines.
* Allows you to publish servers requiring complex protocols without the aid of an
application filter.
* The network routing infrastructure is transparent to the Firewall client.
* Provides encrypted traffic between the Firewall client and the ISA Server computer.
In this scenario all communications between the clients and ISA1 must be encrypted. Only
the ISA Server 2004 Firewall Client encrypts its control channel; the Winsock Proxy 2.0
client and the ISA Server 2000 Firewall Client send their requests in clear text, which is
what was observed. Therefore uninstall the Winsock Proxy client from the Windows NT
Workstation 4.0 computers in the sales department and install the ISA Server 2004 Firewall
Client there, and upgrade the ISA Server 2000 Firewall Client on the Windows XP
Professional computers to the ISA Server 2004 Firewall Client.
QUESTION NO: 85
You are the network administrator for TestKing. The network consists of a single
Active Directory domain testking.com. The network contains an ISA Server 2004
computer named ISA1. Client computers on the network consist of Windows 98
computers, Windows XP Professional computers, UNIX workstations and
Macintosh portable computers.
You need to provide Internet access for all client computers on the network while
preventing unauthorized non-company users from accessing the Internet through
ISA1. You also want to reduce the amount of administrative effort needed when you
configure the client computers.
A. Configure all client computers as Web Proxy clients. Configure Basic authentication
on the Internal network.
B. Configure all client computers as Web Proxy clients. Configure Basic authentication
on the Local Host network.
C. Configure all client computers as SecureNAT clients. Configure Basic authentication
on the Internal network.
D. Configure the Windows-based computers as Firewall clients. Configure the
non-Windows-based computers as Web Proxy clients. Configure Basic authentication on
the Local Host network.
Answer: A
Explanation:
Web proxy clients - Web proxy clients do not automatically send authentication
information to ISA Server. By default, ISA Server requests credentials from a Web proxy
client to identify a user only when processing a rule that restricts access based on a user
element. You can configure which method the client and ISA Server use for
authentication. You can also configure ISA Server to require authentication for all Web
requests.
Basic authentication - Prompts users for a user name and password before allowing Web
access. Basic authentication sends and receives user information as plaintext and does not
use encryption. Basic authentication is not a secure authentication method unless the
network traffic is encrypted by using SSL. Because basic authentication is part of the
HTTP specification, most browsers support it.
Basic authentication is configured on the Web listener of the Internal network because that
is the network from which the Web Proxy clients send their requests; the Local Host network
is ISA1 itself. Every browser, including those on Windows 98, UNIX and Macintosh, can be a
Web Proxy client and supports Basic authentication, so one configuration covers all
platforms and unauthenticated users are refused. SecureNAT clients cannot be authenticated
at all (option C), and the Firewall client runs only on Windows, so option D would need two
client configurations and still rely on Basic authentication for the rest.
QUESTION NO: 86
A network address translation (NAT) relationship exists from the Internal network
to the perimeter network. A Windows Server 2003 computer named DNS1 functions
as a DNS server.
Web Proxy clients can access Web sites on the Internet. However, when SecureNAT
clients try to access hosts on the Internet, they receive the following error message:
"Cannot find server or DNS error."
You need to ensure that SecureNAT clients can perform DNS name resolution
correctly for hosts on the Internet. You also need to ensure that DNS name
resolution is optimized for Active Directory.
A. On TESTKING1, replace the DNS server publishing rule with an equivalent access
rule.
B. On TESTKING1, change the NAT relationship between the perimeter network and the
Internal network to a route relationship.
C. On TESTKINGC, delete the .(root) zone and then disable recursion.
D. On DNS1, remove forwarding configuration and add a .(root) zone.
Answer: C
Explanation:
Disable recursion - By default, a Windows Server 2003 or Windows 2000 DNS server accepts
recursive queries. This enables the server to perform DNS lookups on behalf of clients and
is the preferred configuration. Select the Disable recursion option if you want the server
to accept only iterative queries.
A root zone (shown as a folder named "." at the top of the namespace) tells a DNS server
that it sits at the top of the entire DNS namespace and that whatever domains it hosts are
top-level domains; the server is a root server in its own right. As long as that root zone
exists the server does not use root hints and cannot be configured to use forwarders.
Windows 2000 often created this root zone during setup, forcing administrators to delete it
before they could configure their DNS infrastructure correctly. In Windows Server 2003, the
root zone is not installed by default.
In this scenario the SecureNAT clients use a primary DNS server, TestKingA, that hosts a
root zone, which prevents it from resolving Internet names through forwarders or root
hints. Web Proxy clients are unaffected because ISA Server resolves Internet names on their
behalf. Therefore delete the root zone, configure TestKingA to forward to DNS1, and disable
recursion on TestKingA. Note that in the DNS console this setting is labelled "Disable
recursion (also disables forwarders)"; after the change, verify with nslookup from a
SecureNAT client that an Internet name still resolves through TestKingA.
QUESTION NO: 87
You are a network administrator for TestKing.com. The network contains an ISA
Server 2004 computer named ISA1. ISA1 is configured to allow users in the sales
department access to resources on the Internet.
Users in the marketing department report that they cannot access resources on the
Internet. You verify that users in the sales department and the internal servers can
still access resources on the Internet.
You need to ensure that users in the marketing department can access resources on
the Internet.
Answer: B
Explanation:
Unfortunately this scenario lacks its exhibit, so the infrastructure can only be inferred.
Because the sales users and the internal servers still reach the Internet, the access rules
are in place and the most likely cause is routing: ISA Server does not know the route to the
subnet the marketing users are on, typically because a new network segment was added. Add
a static route on ISA1 for that subnet via the internal router, and confirm that the subnet
is included in the Internal network's address ranges, since ISA Server treats traffic from
addresses that belong to no defined network as spoofed and drops it.
QUESTION NO: 88
You are the network administrator for Testking. The network consists of a single
Active Directory domain named testking.com. The relevant portion of the network
is configured as shown in the exhibit.
Users on the network report that access to TestKingA is very slow. You monitor
TESTKING1 and discover that client computer requests for TestKingA are being
passed through TESTKING1.
Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)
Answer: C, D
Explanation:
QUESTION NO: 89
You are the network administrator for TestKing.com. The company has a main
office and one branch office. The network contains an ISA Server 2004 computer
named ISA1, which functions as a firewall for the branch office. The number of
employees at the branch office has doubled in the last week.
Users at the branch office report that they frequently receive outdated versions of
Web pages when they access Web servers operated by some of TestKing.com's
business partners.
You need to ensure that users always receive the most up-to-date content for Web
pages they access from the partner Web sites. You must also optimize bandwidth
use at the branch office.
Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)
A. Increase the value for the Maximum size of URL cached in memory (bytes) setting.
B. Create cache rules that disable the caching of content from the partner Web sites.
C. Increase the percentage of free memory to use for caching.
Answer: B, C
Caching also uses system memory. Objects are cached to RAM as well as to disk. Objects
can be retrieved from RAM more quickly than from disk. ISA Server 2004 allows you
to determine what percentage of random access memory can be used for caching (by
default, ISA Server 2004 uses 10 percent of the RAM, and then caches the rest of the
objects to disk only). You can set the percentage to anything from 1 percent to 100
percent. The RAM allocation is set when the Firewall service starts. If you want to change
the amount of RAM to be used, you have to stop and restart the Firewall service.
The ability to control the amount of RAM allocated for caching ensures that caching will
not take over all of the ISA Server computer's resources. In keeping with the emphasis on
security and firewall functionality, caching is not enabled by default when you install ISA
Server 2004. You must enable it before you can use the caching capabilities.
Maximum size of URL cached in memory (bytes) - Configures the size of the objects
(identified by their Uniform Resource Locators, URLs) that ISA Server will store in memory.
When you increase the amount of memory that a single object may occupy, ISA Server will
store fewer Web objects in memory. ISA Server will cache objects larger than this limit on
disk only.
So increasing the value will decrease caching performance.
QUESTION NO: 90
You are the network administrator for TestKing.com. The network contains two
TESTKING Server 2004 computers named TESTKING1 and TESTKING2.
TESTKING1 is configured as the Enterprise Configuration Storage server.
TESTKING1 and TESTKING2 are members of a single enterprise array.
A Web server named Web1 resides in the perimeter network. You publish an
external Web site on Web1. You publish an internal Web site on the array.
Users report that access to Web1 is very slow. You discover that physical disk usage
is extremely high on TESTKING1 and Web1.
You need to configure TESTKING Server 2004 to allow faster access to Web1.
A. On TESTKING1, increase the HTTP caching Time to Live (TTL) setting to 50.
B. On TESTKING1, increase the size of the cache drive.
C. On TESTKING2, enable a content download job for the Web sites on Web1.
D. On TESTKING2, configure a cache drive.
Answer: D
Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP.
CARP distributes the cache used by Web proxies across an array of ISA Server
computers. Although CARP assigns each ISA Server computer a unique set of cached
data (thus you need to configure the cache on each array member), the array of computers
functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to
increase performance in operations accessing a Web proxy cache that is distributed across
multiple ISA Server computers. CARP uses hash-based routing to determine which ISA
Server computer will respond to a client request and cache specific Web content. CARP
provides the following benefits:
* CARP eliminates the duplication of cache contents across multiple ISA Server
computers. The result is a faster response to queries and a more efficient use of server
resources.
* Because CARP determines which ISA Server computer will cache any specific content,
no traffic is required among ISA Server computers to determine which server is caching
the content.
* CARP automatically adjusts when array members are added or removed. The
hash-based routing means that, when a server is either taken offline or added, only
minimal reassignment of URL caches is required.
* CARP ensures that the cache objects are either distributed evenly between all servers in
the array or by the load factor that is configured for each server.
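As an added illustration (not ISA Server's own code or hash function), a small Python model of CARP-style hash-based routing: weighted rendezvous hashing with a load factor per array member. It shows the properties listed above, namely that the choice of member is deterministic without any inter-server traffic, that load factors skew the share each member receives, and that adding or removing a member reassigns only the URLs that member gains or loses. Member names and URLs are constructed.

```python
import hashlib
import math
from collections import Counter


def _hash32(s: str) -> int:
    """Stable 32-bit hash of a string (constructed helper; ISA Server's own
    hash function is not reproduced here)."""
    return int.from_bytes(hashlib.sha256(s.encode("utf-8")).digest()[:4], "big")


def carp_select(url: str, members: dict) -> str:
    """Pick the array member that caches `url`.

    `members` maps member name -> load factor. Each member's score is derived
    from a combined hash of the URL and the member name, scaled by the load
    factor (weighted rendezvous hashing); the highest score wins. Because every
    member computes the same answer locally, no server has to ask another
    which one holds the object.
    """
    best, best_score = None, -1.0
    for name, load in members.items():
        combined = _hash32(url) ^ _hash32(name)
        u = (combined + 1) / (2 ** 32 + 1)   # map to the open interval (0, 1)
        score = -load / math.log(u)          # expected share is proportional to load
        if score > best_score:
            best, best_score = name, score
    return best


def distribute(urls, members):
    """Count how many URLs each member is responsible for caching."""
    return Counter(carp_select(u, members) for u in urls)


def moved(urls, before, after):
    """URLs whose responsible member changes when the array goes from
    `before` to `after`, as {url: (old_member, new_member)}."""
    return {u: (carp_select(u, before), carp_select(u, after))
            for u in urls if carp_select(u, before) != carp_select(u, after)}


# Constructed sample URLs, not real partner sites.
SAMPLE_URLS = [f"http://partner{i % 7}.example/page{i}.html" for i in range(2000)]

if __name__ == "__main__":
    two = {"ISA1": 1.0, "ISA2": 1.0}
    three = {"ISA1": 1.0, "ISA2": 1.0, "ISA3": 1.0}
    print("two members  :", distribute(SAMPLE_URLS, two))
    print("three members:", distribute(SAMPLE_URLS, three))
    m = moved(SAMPLE_URLS, two, three)
    print(f"{len(m)} of {len(SAMPLE_URLS)} URLs reassigned, all to:", {n for _, n in m.values()})
    print("load factor 2:1:", distribute(SAMPLE_URLS, {"ISA1": 2.0, "ISA2": 1.0}))
```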
QUESTION NO: 91
You are the network administrator for TestKing.com. The network contains an
TestKing Server 2004 Enterprise Edition computer named TestKing1. You enable
and configure Cache Array Routing Protocol (CARP) on TestKing1.
You configure a 1-GB cache drive on TestKing1. You monitor TestKing1 and
discover that a large number of cached Web requests are coming from the sales
department. You install TestKing Server 2004 Enterprise Edition on two additional
computers named SA2 and TestKing3. All of the TestKing Server computers are
joined to a single array.
You discover that many of the Internet Web requests are still being retrieved from
the Internet.
You need to reduce the number of Web requests that are being retrieved from the
Internet.
Answer: B
However, in this scenario it is possible that the cache fills up quite quickly. ISA
Server 2004 will then purge some objects from the cache to make room for new ones.
URLs in the cache are removed according to a built-in logic so that the most recently used
objects are removed last. The ISA Server therefore has to retrieve the requested URL
again, because it is no longer in its cache. We can overcome this problem by increasing the
cache drive size.