70-350

Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004


QUESTION NO: 1
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed three ISA Server 2004 computers to the domain which will be used by the client computers for Internet access. You have received instruction from the CIO to plan the implementation to ensure that the client computers view all three servers as one.
You are additionally required to ensure that the load on ISA Server 2004 is distributed among the three ISA Server 2004 computers.
What should you do?
A. The Windows Server 2003 computer should be configured as a Network Load Balancing (NLB) cluster
B. The Windows Server 2003 computer should be configured as a three-node Active/Passive cluster
C. All the Windows Server 2003 computers should be configured as stand-alone servers
D. All the Windows Server 2003 computers should be configured with the same IP address
Answer: A
Explanation:
In this scenario the host record should be configured with the virtual IP address assigned to the external interface of the NLB cluster. Since NLB is a clustering technique that lets two or more servers share the processing load, it should be used in this scenario.

Incorrect Answers:
B: A three-node Active/Passive cluster should not be considered in this scenario because it will not help in any way.
C: The stand-alone server configuration should not be considered in this scenario because a server that is not a member of the domain will provide access to all resources that are available in it.
D: This configuration should not be used at all in this scenario because you would be creating IP address conflicts on the network.


QUESTION NO: 2
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003. Some client computers run Microsoft Windows NT 4.0 with the Microsoft Proxy 2.0 Winsock Proxy client installed, and the remaining client computers run Windows XP Professional with the ISA Server 2000 Firewall Client installed.

The CertKiller.com network contains an ISA Server 2004 server named CERTKILLER-SR01 which is used for Internet access. You have received instruction from the CIO to configure all client computers to use encryption while communicating with CERTKILLER-SR01.
What should you do? (Choose THREE.)
A. ISA Server 2004 must be configured to enable Require all users to authenticate setting.
B. The Firewall client settings should be configured on ISA Server 2004 to enable the Allow non-encrypted Firewall client connections setting.
C. The ISA Server 2000 Firewall Client software should be upgraded on the Windows XP Professional computers to ISA Server 2004 Firewall Client.
D. The Winsock Proxy client should be uninstalled from the client computers running Microsoft Windows NT 4.0 and the ISA Server 2004 Firewall Client installed in its place.
E. An in-place upgrade should be performed on CERTKILLER-SR01 by using the ISA Server 2004 Migration Tool.
Answer: C,D,E
Explanation:
In this scenario you should perform an in-place upgrade, uninstall the Winsock Proxy client from the Windows NT 4.0 computers, and install the ISA Server 2004 Firewall Client software on both the NT 4.0 and the XP Professional workstations, because the ISA Server 2000 Firewall Client does not support encryption.

Incorrect Answers:
A: This setting should not be configured in this scenario because it applies to Web proxy clients and causes the ISA server to prompt for user credentials.
B: This setting should not be considered in this scenario because you are required to provide encryption, and the Firewall Client must not be configured to allow non-encrypted connections.


QUESTION NO: 3
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
The CIO of CertKiller.com has asked you to deploy ISA Server 2004. The implementation should act as a SecureNAT firewall for client computers on the CertKiller.com network. You want the ISA Server 2004 implementation to consist of a Windows Server 2003 Network Load Balancing cluster.

CertKiller.com wants their customers to be load balanced across the Network Load Balancing cluster when they connect by using DNS.
Before you install ISA Server 2004 you need to plan the external DNS implementation.
What should you do?
A. You need to create three service locator (SRV) resource records and configure each record to use the _HTTP service and to reference the IP address of one of the internal interfaces of the Network Load Balancing cluster nodes.
B. You need to create three host (A) resource records and configure each record with the IP address of one of the external interfaces of the Network Load Balancing cluster nodes.
C. You need to create one host (A) resource record and to configure the record with the virtual IP address that is assigned to the external interface of the Network Load Balancing cluster.
D. You need to create one host (A) resource record and to configure the record with the virtual IP address that is assigned to the internal interface of the Network Load Balancing cluster.
Answer: C
Explanation:
Network load balancing is a cluster of servers that provide the same services. By using network load balancing, users contact the IP address of the cluster in order to use the services that are shared by the cluster. It provides for load sharing between NLB cluster members, and also provides for redundancy if one of the NLB members becomes unavailable. Only the Enterprise version of ISA Server 2004 natively supports NLB.
Part 2: Assess and configure the operating system, hardware, and network services (7 Questions)


QUESTION NO: 4
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed four ISA Server 2004 computers that are to be used for connecting to the Internet. You decide to configure the ISA server computers as a Network Load Balancing cluster.
You have received instruction from the CIO to allow the client computers to connect to the NLB cluster by using DNS and to load balance the network traffic to the ISA server computers across the NLB cluster. You first create a host (A) resource record for the NLB cluster and need to decide what to do next.

What should you do?
A. DNS round-robin should be used to map the cluster's FQDN to the IP addresses of each network adapter of the NLB cluster nodes.
B. The host record must be configured with the IP address assigned to one of the external interfaces of the NLB cluster nodes.
C. The host record must be configured with the IP address assigned to one of the internal interfaces of the NLB cluster nodes.
D. The host record must be configured with the virtual IP address of the NLB cluster.
Answer: D
Explanation:
In this scenario the host record should be configured with the virtual IP address assigned to the external interface of the NLB cluster. Since NLB is a clustering technique that lets two or more servers share the processing load, it should be used in this scenario.

Incorrect Answers:
A: DNS round-robin should not be used in this scenario because the NLB cluster's FQDN should be mapped to the cluster's virtual IP address.
B: The host record should not be configured with the IP address assigned to one of the internal or external NLB cluster interfaces, because the internal IP address is used for internal communication and the second interface is not configured with a unique IP address.
C: The host record should not be configured with the IP address assigned to one of the internal or external NLB cluster interfaces, because the internal IP address is used for internal communication and the second interface is not configured with a unique IP address.


QUESTION NO: 5
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer to the domain named CERTKILLER-SR01 which will be used by the client computers for Internet access.
You have received instruction from the CIO to secure CERTKILLER-SR01 before it starts providing Internet access to client computers on the network, and you need to know how to configure security for the ISA Server 2004 computer.

What should you do? (Choose TWO.)
A. All users should be granted Deny access to this computer from the network right.
B. The Allow log on locally right should be granted only to the Administrators group.
C. The Allow log on locally right should be granted only to the Authenticated Users group.
D. The Remote Access Connection Manager service should be disabled on CERTKILLER-SR01.
Answer: A,B
Explanation:
In this scenario you should grant only the Administrators group the Allow log on locally right, and the Deny access to this computer from the network right must be assigned to all users. This ensures that only users in the Administrators group have the rights to manage, monitor and configure the ISA server.

Incorrect Answers:
C: The Allow log on locally right should not be assigned this way in the scenario, because the Authenticated Users group contains every authenticated user in the domain and would allow each of them to log on locally to the ISA server.
D: The Allow log on locally right should not be assigned this way in the scenario, because the Authenticated Users group contains every authenticated user in the domain and would allow each of them to log on locally to the ISA server.


QUESTION NO: 6
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer to the domain which will be used by the client computers for Internet access. The Firewall Client installation share will be placed on the ISA Server 2004 computer, and the clients will connect to the ISA Server 2004 computer and install the Firewall Client software from that share. You need to know which service to enable so that client computers can connect to the ISA Server 2004 computer and install the Firewall Client software from the share.
What should you do?
A. Enable the Windows Installer service.
B. Enable the Workstation service.
C. Enable the Net Logon service.
D. Enable the Server service.

Answer: D
Explanation:
The Server service should be enabled in this scenario because it is the service that allows clients to connect to the ISA Server 2004 computer and install the Firewall Client software from the Firewall Client installation share on the network.

Incorrect Answers:
A: The Windows Installer service should not be enabled in this scenario because the service adds, modifies and removes applications provided as .msi packages.
B: The Workstation service should not be enabled in this scenario because the service creates and maintains client network connections to remote servers.
C: Net Logon should not be enabled in this scenario because the service maintains a secure channel between the client computer and the domain controller to authenticate users and services.


QUESTION NO: 7
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR01 configured with external and internal network adapter IP addresses of 100.100.10.2 and 192.168.100.2 respectively.
During the course of the day you discover that CERTKILLER-SR01 is unable to receive SMTP traffic from the Internet. You are required to query a single TCP port to verify if CERTKILLER-SR01 is listening on TCP port 25 or not.
What should you do?
A. The portqry -n 100.100.10.2 -p tcp -e 25 command should be run on CERTKILLER-SR01.
B. The portqry -n 100.100.10.2 -p tcp -r 25 command should be run on CERTKILLER-SR01.
C. The netstat -a -p tcp command should be run on CERTKILLER-SR01.
D. The netstat -a -n -p tcp command should be run on CERTKILLER-SR01.
Answer: A
Explanation:
In this scenario the best option is to run the portqry -n 100.100.10.2 -p tcp -e 25 command on CERTKILLER-SR01, because this command queries a single port and reports whether the server is listening on that particular port.


Incorrect Answers:
B: This command should not be used in this scenario because you want to query a single port and the -r switch queries a range of ports.
C: This command should not be used in this scenario because it displays all connections and listening ports for TCP rather than querying one port.
D: This command should not be considered for this scenario because it displays all addresses and port numbers in numerical form for TCP rather than querying one port.


QUESTION NO: 8
CertKiller.com has employed you as a network administrator. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
The CertKiller.com network also contains a server named CERTKILLER-SR24 which is set up as a Routing and Remote Access server. The CertKiller.com network is configured as seen in the exhibit:

You are planning to upgrade CERTKILLER-SR24 to ISA Server 2004. To upgrade to ISA Server 2004 you need to configure the Internal network and take into consideration the creation of access rules that are specific for each subnet.
Which of the following IP address ranges should you use? (Each correct answer presents part of the solution. Choose THREE.)
A. 10.0.25.1 - 10.0.25.255.
B. 172.16.1.0 - 172.16.1.255.
C. 172.16.2.0 - 172.16.2.255.
D. 172.16.10.0 - 172.16.10.255.
E. 192.168.1.0 - 192.168.1.255.
Answer: B,C,D
Explanation:
An ISA network is defined as the grouping of physical subnets that form a network topology attached to a single ISA Server network adapter. In the exhibit there are four physical subnets. The subnets are connected to each other with switches. ISA sees these individual subnets as only two networks, an Internal network and a perimeter network (also called a DMZ), because it has network adapters attached to only a single subnet on each of those networks. To further illustrate, a uni-homed (single NIC) server would see the range of all IP addresses on the Internet as a single ISA network. In our scenario the Internal network consists of 172.16.1.0 - 172.16.1.255, 172.16.2.0 - 172.16.2.255 and 172.16.10.0 - 172.16.10.255. A perimeter network, also known as a demilitarized zone (DMZ) or screened subnet, is a network that you set up separately from the Internal network and the Internet. Perimeter networks allow external users to gain access to specific servers located on the perimeter network while preventing direct access to the Internal network. In this way, even if an attacker penetrates the perimeter network security, only the perimeter network servers are compromised. In our scenario the DMZ consists of 10.0.25.1 - 10.0.25.255.


QUESTION NO: 9
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. CertKiller.com contains a Research department.
CertKiller.com contains an ISA Server 2004 computer named CERTKILLER-SR10 and a Web server named CERTKILLER-SR11. CERTKILLER-SR10 has two network adapters. The Internal network is configured with an access rule that allows the employees in the Research department HTTP access to the Internet. On CERTKILLER-SR10 you then add a third network adapter, connect it to a perimeter network, and place CERTKILLER-SR11 on this perimeter network.
The CertKiller.com manager wants the Web server to be accessible to the computers on the Internal network. You then create a computer object for CERTKILLER-SR11 and create an access rule that allows the Research department employees access to CERTKILLER-SR11. Users are not required to authenticate with CERTKILLER-SR10 to access CERTKILLER-SR11.
Now you receive complaints from the employees in the Research department that they cannot access information on CERTKILLER-SR11. When they try to access the Web site, they receive an error message: "Error Code 10060: Connection timeout. Background: There was a time out before the page could be retrieved. This might indicate that the network is congested or that the website is experiencing technical difficulties." You then make sure that CERTKILLER-SR11 is operational. Now you need to ensure that the Research department employees on the Internal network can access information on CERTKILLER-SR11.

What should you do?
A. You need to create a network rule that sets a route relationship between the Internal network and the perimeter network.
B. You need to create a server publishing rule that publishes CERTKILLER-SR11 to the Internal network.
C. You need to create a Web publishing rule that publishes CERTKILLER-SR11 to the Internal network.
D. You need to create an access rule that allows CERTKILLER-SR11 access to the Internal network.
Answer: A
Explanation:
You need to create a new Network whenever a new network is introduced into your environment. All addresses located behind any particular NIC are considered a Network by the ISA firewall, so you need to create a new Network when additional NICs are added to the firewall. You also need to create a network relationship between Networks; this can be a route or a NAT relationship. If there is no relationship between two Networks, all traffic between them is dropped by ISA Server.


QUESTION NO: 10
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties at CertKiller.com include administering an ISA Server 2004 computer named CERTKILLER-SR14. CertKiller.com is divided into several departments, of which the Marketing department is one. A portion of the network is configured as seen in the exhibit.

When you installed ISA Server 2004 on CERTKILLER-SR14, you defined the Internal network address range as 10.0.1.0 through 10.0.1.255. You also created an access rule to allow all traffic from the Internal network to the External network. The employees in the Marketing department are not required to be authenticated to use this rule.

One morning you received a report from the employees on network IDs 10.0.2.0/24 and 10.0.3.0/24 complaining that they cannot connect to the Internet. You then checked the routing tables on the router and on CERTKILLER-SR14 and saw that they were correctly configured. You need to ensure that users on network IDs 10.0.2.0/24 and 10.0.3.0/24 can connect to the Internet.
What should you do?
A. You must create a subnet network object for network ID 10.0.2.0/24 and for network ID 10.0.3.0/24.
B. You must add the address ranges 10.0.2.0 through 10.0.2.255 and 10.0.3.0 through 10.0.3.255 to the definition of the Internal network.
C. You must create two new networks, one for network ID 10.0.2.0/24 and one for 10.0.3.0/24. Create access rules to allow these networks access to the Internet.
D. You must create two new networks, one for network ID 10.0.3.0/24 and one for 10.0.3.0/24. Create a new network set containing these networks. Create an access rule to allow this network set access to the Internet.
Answer: B
Explanation:
ISA Server can construct the Internal network based on your Microsoft Windows Server 2003 or Windows 2000 Server routing table. You can also select the private IP address ranges defined by IANA in RFC 1918; these three blocks of addresses are reserved for private intranets only and are never used on the public Internet. The routing table reflects the topology of the Internal network, which in this scenario comprises the subnets 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24. When you configured the Internal network for ISA Server, it should have included all of those ranges (subnets). If you create distinct networks for each of those subnets rather than a single network, ISA Server will consider the 10.0.2.x and 10.0.3.x networks temporarily disconnected, because there is no network adapter associated with them.
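Questions 8 and 10 both turn on the same rule: every subnet reachable through one adapter belongs to that adapter's ISA network, so the Internal network definition must cover every subnet the routing table reaches through the internal adapter, not just the one the adapter sits on. The following Python is an added example written for this page, not ISA Server code or a Microsoft tool; it takes a constructed Internal network definition and a constructed routing table for the internal adapter (modelled on question 10's 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24), reports the subnets the definition misses, and produces the extended range list that answer B describes.

```python
"""Check an ISA-style Internal network definition against the routing table.

Added example. ISA groups every subnet behind one adapter into that adapter's
network, so a subnet that the internal adapter routes to but that is missing
from the Internal network definition is left outside any network. The checks
below find such subnets and build the corrected definition.
"""
import ipaddress

# Constructed sample: the Internal network as defined during setup, given as
# ISA-style (first address, last address) ranges.
INTERNAL_NETWORK_RANGES = [("10.0.1.0", "10.0.1.255")]

# Constructed sample routing-table entries for the internal adapter:
# (destination subnet, gateway). 10.0.1.1 is a hypothetical internal router.
ROUTING_TABLE_INTERNAL = [
    ("10.0.1.0/24", "0.0.0.0"),
    ("10.0.2.0/24", "10.0.1.1"),
    ("10.0.3.0/24", "10.0.1.1"),
]


def ranges_to_networks(ranges):
    """Convert (first, last) address ranges into a list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def uncovered_subnets(internal_ranges, routing_table):
    """Return the routing-table subnets not fully inside the Internal network.

    Each of these is a subnet whose hosts ISA will not treat as Internal, so
    an access rule from Internal to External does not apply to them.
    """
    internal = ranges_to_networks(internal_ranges)
    missing = []
    for destination, _gateway in routing_table:
        subnet = ipaddress.ip_network(destination)
        if not any(subnet.subnet_of(net) for net in internal):
            missing.append(destination)
    return missing


def classify_source(address, internal_ranges):
    """Name the network a source address falls in: 'Internal' or None.

    None models an address that matches no defined network.
    """
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in ranges_to_networks(internal_ranges)):
        return "Internal"
    return None


def extended_internal_ranges(internal_ranges, routing_table):
    """Build the corrected definition: the original ranges plus one
    (first, last) range for each uncovered routing-table subnet."""
    fixed = list(internal_ranges)
    for destination in uncovered_subnets(internal_ranges, routing_table):
        net = ipaddress.ip_network(destination)
        fixed.append((str(net[0]), str(net[-1])))
    return fixed


if __name__ == "__main__":
    print("missing:", uncovered_subnets(INTERNAL_NETWORK_RANGES,
                                        ROUTING_TABLE_INTERNAL))
    print("10.0.2.15 ->", classify_source("10.0.2.15",
                                          INTERNAL_NETWORK_RANGES))
    fixed = extended_internal_ranges(INTERNAL_NETWORK_RANGES,
                                     ROUTING_TABLE_INTERNAL)
    print("corrected:", fixed)
    print("10.0.2.15 ->", classify_source("10.0.2.15", fixed))
```

Run against the constructed data, the check lists 10.0.2.0/24 and 10.0.3.0/24 as uncovered and classifies a 10.0.2.x host as belonging to no network, which is the symptom in question 10; after the two ranges are appended, the same host classifies as Internal. The same routine applied to question 8 would report the three 172.16.x.0/24 subnets behind the internal adapter as one Internal network and leave 10.0.25.x, which is reached through the perimeter adapter, outside it.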
Part 3: Deploy ISA Server 2004 (8 Questions)


QUESTION NO: 11
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and a branch office in Miami.
The CertKiller.com main office has an ISA Server 2004 computer named CERTKILLER-SR01. You are about to deploy a second ISA Server 2004 computer in the branch office, named CERTKILLER-SR02, which will be used to provide Internet access for branch users. You perform the following:
You export the ISA Server configuration settings of CERTKILLER-SR01 to a file named CERTKILLER-SR01Config.xml by using the ISA Server 2004 Migration Tool.
On CERTKILLER-SR02 you install ISA Server 2004 and import the CERTKILLER-SR01Config.xml file.
CERTKILLER-SR02 is configured with a valid IP address for the external network adapter.
CERTKILLER-SR02 is configured with a valid IP address range for the internal network of the branch office.
The client computers in the branch office are configured as Web Proxy clients of CERTKILLER-SR02.
You have received instruction from the CIO to redirect the Web requests from the branch office to CERTKILLER-SR01.
What should you do?
A. A Firewall chaining rule must be configured on CERTKILLER-SR02 to redirect Web requests to CERTKILLER-SR01.
B. The branch office users should be configured as Firewall clients of CERTKILLER-SR02.
C. Automatic discovery should be enabled on CERTKILLER-SR02.
D. A Web chaining rule should be configured on CERTKILLER-SR02 to redirect Web requests to CERTKILLER-SR01.
Answer: D
Explanation:
In this scenario you should configure a Web chaining rule on CERTKILLER-SR02 to redirect requests to CERTKILLER-SR01. Web chaining allows client computers to route their Web requests to a single upstream location.

Incorrect Answers:
A: Firewall chaining should not be considered in this scenario because firewall chaining forwards requests from SecureNAT and Firewall clients to an upstream ISA server.
B: The use of Firewall clients should not be considered in this scenario as Firewall clients would require additional software to access the ISA Server 2004 computers.
C: This should not be configured in this scenario because the setting only enables the clients to automatically receive their proxy configuration at startup.


QUESTION NO: 12
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and branch office in Dallas.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR01 which is configured with access rules to allow Internet access to the main office users who are all configured as Firewall Clients of CERTKILLER-SR01. During the business week you decide to deploy a new ISA Server 2004 computer named CERTKILLER-SR02 to the branch office.
You later run the ISA Server 2004 Migration Tool on CERTKILLER-SR01 and export the configuration settings to a file named CERTKILLER-SR01Config.xml. You finish installing ISA Server 2004 on CERTKILLER-SR02 and import the configuration settings. You configure CERTKILLER-SR02 with a valid IP address for the external network adapter. You configure branch office users as Firewall Clients of CERTKILLER-SR02 and configure a Firewall chaining rule on CERTKILLER-SR02 to forward requests from clients in the branch office to CERTKILLER-SR01.
Recently the branch office users started reporting they are unable to connect to the Internet. You must ensure that the branch office client computers can connect to the Internet.
What should you do?
A. CERTKILLER-SR02 must be configured to include a valid IP address range for the internal network of the branch office.
B. A Web chaining rule must be configured on CERTKILLER-SR02 to forward requests from branch office computers to CERTKILLER-SR01.
C. On CERTKILLER-SR02 you must configure automatic discovery.
D. The branch client computers must be configured as Web Proxy clients of CERTKILLER-SR02.
Answer: A

Explanation:
This configuration is required in the scenario because the exported .xml file contains the internal address range of the source server, and that range is what determines for which clients the ISA server accepts requests. CERTKILLER-SR02 must therefore be given a valid internal address range for the branch office.

Incorrect Answers:
B: Web chaining should not be considered for this scenario as it is used to allow client computers to route their Web requests to a single location.
C: This should not be configured in this scenario because the setting only enables the clients to automatically receive their proxy configuration at startup.
D: This should not be configured in this scenario because configuring the clients as Web Proxy clients will not be of much use here.



QUESTION NO: 13
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer to the domain named CERTKILLER-SR01 which will be used by the client computers for Internet access. Later during the day you install two new ISA Servers named CERTKILLER-SR02 and CERTKILLER-SR03 and perform the actions below:
You export the ISA Server 2004 configuration settings from CERTKILLER-SR01 to two separate CERTKILLER-SR01Config.xml files, one for each new server.
You edit each of the CERTKILLER-SR01Config.xml files to include a valid IP address for the external network adapter and the internal network address range served by the new ISA Server.
You have received instruction from the CIO to perform the unattended installation on the new ISA Server 2004 computers.
What should you do?
A. A file named C:\CertKiller\Msisaund.ini must be created on the new ISA servers and edited to include the following lines:
IMPORT_ISA_CONFIG = 1
FILEPATH = CERTKILLER-SR01Config.xml
Then run an unattended setup on the new ISA servers using the Msisaund.ini file.
B. A file named C:\CertKiller\Msisaunattended.ini must be created on both new ISA servers and edited to include the IMPORT_CONFIG = CERTKILLER-SR01Config.xml property, then run the unattended setup on the new ISA servers.
C. A file named C:\CertKiller\Unattended.txt must be created on the new ISA servers and edited to include the IMPORT_CONFIG_FILE = CERTKILLER-SR01Config.xml property, then run an unattended setup on the new ISA servers using the file.
D. On both new ISA servers a file named C:\CertKiller\Msisaund.ini must be created and edited to include the IMPORT_CONFIG_FILE = CERTKILLER-SR01Config.xml property, then run the unattended setup on the new ISA servers using the file.
Answer: D
Explanation:
This is correct because you create a separate .xml file for each new server from the same exported configuration, edit each file to include both the internal network range and a valid IP address for the external network adapter, and then point Msisaund.ini at that file with the IMPORT_CONFIG_FILE property so the unattended setup imports it.


Incorrect Answers:
A: This configuration should not be made in this scenario because these are not the properties that Msisaund.ini accepts for importing a configuration during unattended installation of ISA Server 2004.
B: This configuration should not be made in this scenario because you cannot use an Msisaunattended.ini file to perform an unattended installation of ISA Server 2004.
C: This configuration should not be made in this scenario because you cannot use an Unattended.txt file to perform an unattended installation of ISA Server 2004.


QUESTION NO: 14
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and branch office in Miami.
The CertKiller.com headquarters contains an ISA Server 2004 server named CERTKILLER-SR01 configured with rules to allow Internet access for Chicago users, who are all configured as Firewall Clients of CERTKILLER-SR01. The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR02 to the branch office. You run the ISA Server 2004 Migration Tool to export the configuration settings of CERTKILLER-SR01 to a file named CERTKILLER-SR01Config.xml.
You install ISA Server 2004 and import the CERTKILLER-SR01Config.xml file on CERTKILLER-SR02, configure CERTKILLER-SR02 with a valid IP address for the external network adapter, and configure the client computers as Firewall Clients of CERTKILLER-SR02. You then configure a Firewall chaining rule on CERTKILLER-SR02 to forward all requests from the branch office to CERTKILLER-SR01. After this, the branch office users complain that they cannot connect to the Internet. You must ensure the branch office users can connect to the Internet.
What should you do?
A. CERTKILLER-SR02 should be configured to include a valid IP address range for the internal network of the branch office.
B. A Web chaining rule must be configured on CERTKILLER-SR02 to forward requests from branch office clients to CERTKILLER-SR01.
C. The branch office clients should be configured as Web Proxy clients of CERTKILLER-SR02.
D. On CERTKILLER-SR02 you must enable automatic discovery.

Answer: A
Explanation:
You must configure CERTKILLER-SR02 to include a valid address range for the internal network of the branch office; the exported .xml file carries the headquarters ranges, so it must be edited accordingly for this scenario.

Incorrect Answers:
B: Web chaining should not be considered for this scenario as it is used to allow client computers to route their Web requests to a single location.
C: This should not be configured in this scenario because configuring the clients as Web Proxy clients will not be of much use here.
D: This should not be configured in this scenario because the setting only enables the clients to automatically receive their proxy configuration at startup.


QUESTION NO: 15
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional. CertKiller.com has its headquarters in Chicago where the CertKiller.com Finance department is located and branch offices in Dallas and Miami, where the CertKiller.com Research department is located.
The employees in the Research department need to access the Internet, so you were instructed to install ISA Server 2004 on a server in each branch office. The servers which are going to run ISA Server 2004 will be configured as stand-alone servers. You also plan to install the Firewall Client share on an existing file server in the Dallas and Miami offices. You then install Windows Server 2003 on the servers that will run ISA Server 2004.
You need to configure additional security for the ISA Server computers.
What should you do? (Each correct answer presents a complete solution. Choose TWO.)
A. You need to grant the Allow log on locally right to only the Administrators group.
B. You need to disable the external network adapter.
C. You need to enable the Secure Server (Require Security) IPSec policy.
D. You need to remove all users from the Access this computer from the network right.
Answer: A,D
Explanation:
Secure Server (Require Security) policy: this is for servers that require all communications to be secure. If this policy is set, the server will neither send nor accept insecure communications.
Allow log on locally: this logon right determines which users can interactively log on to this computer. Logons initiated by pressing the CTRL+ALT+DEL sequence on the attached keyboard require the user to have this logon right.
Access this computer from the network: this user right determines which users and groups are allowed to connect to the computer over the network. It would still be needed if the Firewall Client installation share resided on the ISA Server computer. In this case the ISA Server 2004 Client Installation Share resides on another server, so we can remove the users from the list.
Disable the external network adapter: in this scenario the external adapter is connected to the Internet. If we disabled that adapter, nobody would be able to connect to the Internet and no VPN could be set up.



QUESTION NO: 16
You work as the network administrator for CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. CertKiller.com has its headquarters in London and branch offices in Paris, Minsk, and Athens. CertKiller.com also has a development office that operates on its own. You have been assigned to the London office.
All the branch offices in CertKiller.com are configured with an ISA Server array. The headquarters in London contains a Configuration Storage server. The branch offices in Paris, Minsk, and Athens each contain a replica Configuration Storage server and each has its own administrator. All arrays are members of the same ISA Server 2004 enterprise.
You administer the enterprise settings in the London office, and the other administrators administer the array settings at their respective offices. You have received instructions to install a new ISA Server array in the development office.
What should you do?
A. You must configure a replica Configuration Storage server and assign the development research office administrators the ISA Server Array Administrator role.
B. You must configure a new array in the existing enterprise and assign the development office administrators the ISA Server Array Administrator role.
C. You must configure a new array in the existing enterprise and assign the development office administrators the ISA Server Enterprise Administrator role.
D. You must configure a new Configuration Storage server in the development office. Configure it as a new enterprise and assign the research office administrators the ISA Server Enterprise Administrator role.
Answer: D
Explanation:
A Configuration Storage server stores the configuration for all the arrays in the enterprise. Configuration Storage servers store the configuration in ADAM, so there is no centralized master copy of directory information. Instead, any change committed on any Configuration Storage server is replicated to every other Configuration Storage server within the enterprise. You can define access rules or publishing rules at the array level, and these rules are applied to all array members. Therefore, a new Configuration Storage server for a new enterprise is needed, because only the research office administrators should be able to manage the access rules that affect client computers in the research office.



QUESTION NO: 17
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com.
You have received instructions to install two ISA Server 2004 computers named CERTKILLER-SR20 and CERTKILLER-SR21. The CertKiller.com network is configured as shown in the exhibit.

You want all devices that pass outbound traffic to perform network address translation (NAT). You also want all Internet-accessible internal resources to be published, and all traffic between two network interfaces on an ISA Server computer to be subject to inspection. To this end you need to configure the appropriate interface or interfaces as an internal interface.
Which of the following interfaces should be configured as an internal interface? (Choose TWO.)
A. Adapter A
B. Adapter B
C. Adapter C
D. Adapter D
Answer: B,D
Explanation:
In this case, one firewall, CERTKILLER-SR20, is directly connected to the Internet, while its second network adapter is connected to the screened subnet. The second firewall, CERTKILLER-SR21, is connected to the screened subnet and the internal network. All network traffic must flow through both firewalls and through the screened network to pass between the Internet and the internal network. There is no single point of access from the Internet to the internal network: to reach the internal network, an attacker would need to get past both firewalls. It is common to use two different firewall vendors in this configuration for maximum security, because this dual-vendor configuration prevents a single exploit from working against both firewalls.



QUESTION NO: 18
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com.
After a few years in operation the CEO has decided to open three branch offices in Chicago, Dallas and Miami respectively. An ISA Server 2004 computer named CERTKILLER-SR11 is located in the headquarters in New York. Due to the opening of the new branch offices, you have received instructions to set up a new ISA Server 2004 computer for each office.
On one of the new computers, named CERTKILLER-SR12, you perform the following tasks. You export the ISA Server 2004 configuration on CERTKILLER-SR11 to a file named ISASETUPCONFIG.XML and edit the file to include a valid external IP address. You also create a file named C:\Msisaund.ini on CERTKILLER-SR12.
You then perform an unattended installation of ISA Server 2004 on CERTKILLER-SR12. After the installation completes, you find that the ISA Server 2004 configuration settings from CERTKILLER-SR11 were not copied to CERTKILLER-SR12. You need to deploy the ISA Server 2004 computers in the branch offices with the configuration settings from CERTKILLER-SR11 using the minimum amount of administrative effort.
What should you do?
A. You need to export the system policy rules on CERTKILLER-SR11 to another file named CERTKILLER-SR11SystemPolicy.xml and add the following lines to the C:\Msisaund.ini file on CERTKILLER-SR12:
IMPORTISACONFIG=1
IMPORT_CONFIG=ISASETUPCONFIG.XML
IMPORT_CONFIG= CERTKILLER-SR11SystemPolicy.xml
Run an unattended setup by using this Msisaund.ini file on each new ISA Server 2004 computer.
B. You need to back up the array configuration on CERTKILLER-SR11 and save the file as C:\Msisaunattended.xml. Run the following command from the ISA Server 2004 installation media:
setup.exe /unattended:ISASETUPCONFIG.XML C:\Msisaund.ini
C. You need to create an individual ISASETUPCONFIG.XML file for each branch office ISA Server 2004 computer and edit each ISASETUPCONFIG.XML file to include the internal network addresses for the respective branch office. Edit the Msisaund.ini file from CERTKILLER-SR12 by adding the following line:
IMPORT_CONFIG_FILE=ISASETUPCONFIG.XML
Run an unattended setup by using the Msisaund.ini file from CERTKILLER-SR12 on each new ISA Server 2004 computer.
D. You need to create a file named Msisaunattend.txt. Include the following lines:
UNATTENDED=1
EXPORT_ISACONFIG=0
FILEPATH=ISASETUPCONFIG.XML
Run an unattended setup by using this Msisaunattend.txt file on each new ISA Server 2004 computer.
Answer: C
Explanation:
You can perform an unattended installation of the ISA firewall to simplify provisioning multiple ISA firewalls using a common installation and configuration scheme. The unattended installation depends on the proper configuration of the msisaund.ini file, which contains the configuration information used by ISA firewall setup in unattended mode. One of the values you can configure in msisaund.ini is IMPORT_CONFIG_FILE=<configfilename>, which specifies a configuration file to import. ISA Server 2004 includes export and import features that enable you to save and restore most ISA Server configuration information. The configuration parameters can be exported and stored in an .xml file. When you export an entire configuration, all general configuration information is exported. This includes access rules, publishing rules, rule elements, alert configuration, cache configuration, and ISA Server properties. Because of this, you need to change the internal and external network addresses; otherwise they will conflict with CERTKILLER-SR11. In addition, you can choose to export user permission settings and confidential information such as user passwords. Confidential information included in the exported file is encrypted.


QUESTION NO: 19
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to the domain, which hosts the Firewall Client installation files on a share. All of the network clients are configured as Firewall clients of CERTKILLER-SR01. During the course of the day you distribute the CKMS_FWC.msi file to all clients using Group Policy.
A network user named Rory Allen from a partner of CertKiller.com has been hired to work on a project and will need to connect to CERTKILLER-SR01 from the external network. You decide to grant the necessary rights to connect to the internal network through a Virtual Private Network (VPN) connection. Rory Allen attempts to connect to the Firewall Client installation share but is unable to do so. You are required to ensure that Rory Allen is able to connect to the Firewall Client share and install the software.

What should you do?
A. The default gateway on Rory Allen's computer should be configured with the IP address of the external network adapter of CERTKILLER-SR01.
B. Rory Allen must be granted the Access this computer from the network user right.
C. A computer set must be created on CERTKILLER-SR01 and include Rory Allen's client computer in the set.
D. The client computer of Rory Allen should be added to the list of trusted computers on CERTKILLER-SR01.
Answer: D
Explanation:
By default only the clients on the internal network can access the share; users on the external network must first be added to the list of trusted computers on the ISA Server 2004 computer CERTKILLER-SR01.

Incorrect Answers:
A: This should not be configured in the scenario, because the default gateway only defines the next-hop IP address to which data is sent.
B: This should not be considered in the scenario, because it would allow the computer access to computers on the internal network.
C: There is no need to create a set in the scenario, because a set holds the IP addresses of computers for which rules are defined and is used to specify to whom the rules apply.


QUESTION NO: 20
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to the domain, which hosts the Firewall Client software in a share on the server. The network client computers were all configured as SecureNAT clients of CERTKILLER-SR01, and the users of the Finance department require access to the Internet whilst maintaining the highest level of security.
The Finance client computers are located in an OU named FinanceOU, and the Finance users have no administrative rights on their client computers. You decide to install the Firewall Client software on the client computers of the Finance department and are required to ensure that the Firewall Client is installed on the Finance computers using the least amount of administrative effort.

What should you do?
A. The users of the Finance department should be added to the Authenticated Users group on their computers and use Group Policy to assign the MS_FWC.msi file to the FinanceOU.
B. The users of the Finance department should be added to the local Administrators group on their computers, and the permissions on the \\CERTKILLER-SR01\MspcInt share configured to allow the Authenticated Users group to connect to the share and install the Firewall Client.
C. The Finance department users should be asked to perform an unattended installation of the Firewall Client.
D. Group Policy must be used to assign the MS_FWC.msi file to the FinanceOU.
Answer: D
Explanation:
In the scenario you should make use of Group Policy, because Group Policy can install and run the software on behalf of the logged-on user, as the scenario requires.

Incorrect Answers:
A: The users should not be added to the local administrators group, as there would be too much administrative effort involved in the scenario.
B: You should not make this configuration in the scenario, because then users of all departments would be able to install the software, as every user who successfully logs on is added to the Authenticated Users group.
C: You should not consider this option, as the users would need to be members of the local administrators group on the client computer.


QUESTION NO: 21
You are the CEO of CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Kara Lang works as the network administrator at CertKiller.com. Her duties include administering an ISA Server 2000 computer named CERTKILLER-SR14.
CertKiller.com has a Finance department. Kara Lang has used the ISA Server 2004 Migration Tool to perform an in-place upgrade on CERTKILLER-SR14 and to install the Firewall Client installation component on CERTKILLER-SR14. The client computers in CertKiller.com run Windows NT Workstation 4.0 and Microsoft Windows XP Professional. The Windows NT Workstation 4.0 client computers have Internet Explorer 5.0 and the Microsoft Proxy 2.0 Winsock Proxy client installed, and on the Windows XP Professional client computers the ISA Server 2000 Firewall Client was installed by using Group Policy.

A new CertKiller.com security policy requires that all communication to CERTKILLER-SR14 be encrypted. During routine monitoring Kara Lang finds that the Windows NT Workstation 4.0 and Windows XP Professional client computers send their requests unencrypted.
What should Kara Lang do to configure all client computers to communicate to CERTKILLER-SR14 by using encryption? (Each correct answer presents part of the solution. Choose TWO.)
A. Kara Lang should uninstall the Winsock Proxy client from the client computers and run the Setup.exe to install the ISA Server 2004 Firewall Client.
B. Kara Lang needs to uninstall the Winsock Proxy client from the client computers and enable the Allow non-encrypted Firewall client connections setting on the Internal network.
C. Kara Lang needs to uninstall the Winsock Proxy client from the client computers and enable the Require all users to authenticate setting. Configure SSL certificate authentication for all Firewall clients on the Internal network.
D. Kara Lang needs to upgrade the Firewall Client for ISA Server 2000 software on the Windows XP Professional client computers.
Answer: A,D
Explanation:
The Firewall Client software is an optional client component that can be installed on any supported Windows operating system to provide enhanced security and accessibility. The Firewall Client software provides the following enhancements to Windows clients:
- Allows strong user/group-based authentication for all Winsock applications using the TCP and UDP protocols.
- Allows user and application information to be recorded in the ISA 2004 firewall's log files.
- Provides enhanced support for network applications, including complex protocols that require secondary connections.
- Provides "proxy" DNS support for Firewall Client machines.
- Allows you to publish servers requiring complex protocols without the aid of an application filter.
- Makes the network routing infrastructure transparent to the Firewall Client.
- Provides encrypted traffic between the Firewall Client and the ISA Server.
To comply with the security policy, Kara Lang needs to encrypt all communications between the clients and the ISA Server. So she needs to uninstall the Winsock Proxy client from the NT 4.0 clients and install the ISA 2004 Firewall Client, and upgrade the ISA 2000 Firewall Clients to the ISA 2004 Firewall Client.
Part 2: Configure client computers for ISA Server 2004. Types of client computers include Web Proxy, Firewall Client, and SecureNAT (10 Questions)
QUESTION NO: 22

You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently added an ISA Server 2004 computer named CERTKILLER-SR01 to the domain to increase network security, and all client computers are configured as Firewall Clients of CERTKILLER-SR01. The network users use an IP-based client/server application to store product data, and they need to access the Internet through this application to update information about the latest products.
What should you do?
A. An Application.ini file must be configured on the client computer used for the Internet updates.
B. A Management.ini file should be configured on the client computer used for the Internet updates.
C. A Wspcfg.ini file must be configured on the client computer used for the Internet updates.
D. A Common.ini file must be configured on the client computer used for the Internet updates.
Answer: A

Explanation:
In the scenario your best option would be to configure the client computer used for the Internet updates with an Application.ini file because the file will specify configuration settings for specific applications.

Incorrect Answers:
B: This file should not be considered for use in the scenario, because it is used to specify Firewall Client Management configuration settings.
C: There is no need to configure a Wspcfg.ini file in the scenario, because that file is used to add specific client configuration information.
D: This file should not be considered for use in the scenario, because it specifies common settings for all applications.


QUESTION NO: 23
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer and two routers to the domain, which will be used to provide Internet access for the Finance and Research departments, whose client computers will access the Internet as SecureNAT clients after the server is deployed. The network is in the 172.20.50.0/24 subnet range. During the course of the day you examine the client computers and discover that they have an incorrect TCP/IP configuration.

What should you do? (Choose TWO.)
A. The client computers of the Finance department should be configured with a default gateway IP address of 172.50.20.6.
B. The client computers of the Research department should be configured with a default gateway IP address of 172.10.50.1.
C. The client computers of the Finance department should be configured with a default gateway IP address of 192.168.10.5.
D. The client computers of the Finance department should be configured with a default gateway IP address of 192.168.10.6.
Answer: A,B
Explanation:
In the scenario you should keep in mind that SecureNAT clients are the easiest clients to configure, because the only settings you have to configure are the network settings (including the default gateway).

Incorrect Answers:
C: This default gateway address should not be used in the scenario, because it will not give the two departments Internet access.
D: This default gateway address should not be used in the scenario, because it will not give the two departments Internet access.


QUESTION NO: 24
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR01. CertKiller.com has recently partnered with a company named Partner.com. You install a second ISA Server 2004 computer named CERTKILLER-SR02 on the Partner.com network, which is connected to the headquarters through a WAN connection. All the network clients have the Firewall Client installed, and a few are also Web Proxy clients.
You are required to ensure that the load on CERTKILLER-SR02 is minimal by preventing Web Proxy clients from looping back through the firewall to access the internal network resources while connecting to servers using a single label name or computer name.

What should you do?
A. The list of domain names available on the internal network must be configured on CERTKILLER-SR02 to include the branch domain.
B. The list of computer addresses or domain names should be configured on CERTKILLER-SR02 for Direct Access.
C. The Directly access computers specified in the Domain tab option must be selected on CERTKILLER-SR02.
D. The Bypass proxy server in this network option should be selected on CERTKILLER-SR02.
Answer: D
Explanation:
In the scenario the best configuration choice is to use the Bypass proxy for Web servers in this network option, as this stops Web Proxy clients from looping back through the proxy server.

Incorrect Answers:
A: This will have no effect on the network and should not be used unless you also select the Directly access computers specified in the Domain tab option.
B: This should not be done in the scenario, because this configuration affects both the Web Proxy and Firewall clients.
C: This should not be selected in the scenario, because it would allow Firewall Client computers to bypass the Web Proxy configuration while connecting to hosts.


QUESTION NO: 25
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and a branch office in Miami.
The CertKiller.com network recently deployed three ISA Server 2004 computers to the domain, named CERTKILLER-SR01, CERTKILLER-SR02 and CERTKILLER-SR03. CERTKILLER-SR01 is located at the Chicago office, and CERTKILLER-SR02 and CERTKILLER-SR03 are located at the branch office, which uses Linux computers.
You later configure an access rule on CERTKILLER-SR01 that allows authenticated users to download files from an external FTP server using the FTP protocol. You want to install the Firewall Client on the Chicago office computers. Network users in both offices report that they are unable to download files from the external FTP servers using the FTP protocol. The branch office users now also require the ability to upload files to the external FTP servers. You must ensure that both offices are able to download files and that branch office users can upload files.

What should you do?
A. The Firewall Client settings on CERTKILLER-SR02 and CERTKILLER-SR03 must be configured to enable the Allow non-encrypted Firewall client connections setting.
B. Half the clients of CERTKILLER-SR02 must be configured as Firewall clients and the other half of the CERTKILLER-SR03 clients must be configured as Web Proxy clients.
C. The client computers of CERTKILLER-SR02 and CERTKILLER-SR03 must be configured as Web Proxy clients.
D. Half the client computers of CERTKILLER-SR02 must be configured as Firewall clients and the other half of the CERTKILLER-SR03 clients must be configured as SecureNAT clients.
Answer: D
Explanation:
The configuration suggested in this option is correct for the scenario, because SecureNAT clients support application filters and can download files from and upload files to the external FTP server.

Incorrect Answers:
A: This option should not be used in the scenario, as the users would still be unable to download or upload files to the external FTP server.
B: There should be no Web Proxy clients in the scenario, as they can only download and the users are required to be able to upload as well.
C: This should not be done, as the Firewall Client software is not compatible with non-Windows computers such as Macintosh or Linux.


QUESTION NO: 26
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network has its headquarters in Chicago and a branch office in Dallas.
The CertKiller.com main office has an ISA Server 2004 computer named CERTKILLER-SR01. You are in the process of deploying an ISA Server computer named CERTKILLER-SR02 to the branch office. CERTKILLER-SR02 is configured to forward Web requests to CERTKILLER-SR01, and the branch clients are configured as Firewall clients of CERTKILLER-SR02. The CertKiller.com network requires that you configure the client computers in the branch to directly access the Web servers in the main office. You select the Directly access computers specified in the Domain tab option on CERTKILLER-SR02.
What else should you do?

A. The list of domain names available on the internal network on CERTKILLER-SR02 must be configured to include the CertKiller.com domain.
B. The client computers in the branch office must be configured as SecureNAT clients of CERTKILLER-SR02.
C. A CNAME resource record should be created for the internal Web servers on the branch DNS server.
D. The Use default URL option must be enabled on CERTKILLER-SR02.
Answer: A
Explanation:
In the scenario the proper step, in addition to enabling the Directly access computers specified in the Domains tab option, is to add the domain to the list of domain names available on the internal network, because Firewall Clients do not use the ISA Server computer when connecting to domains listed on the Domains tab.

Incorrect Answers:
B: This should not be done, as the scenario objective would not be reached, because SecureNAT clients route all requests through the ISA Server computer.
C: This should not be considered in the scenario, because it cannot be used to help clients connect directly to the Web servers.
D: The setting in this option cannot be used to achieve the desired scenario objective.


QUESTION NO: 27
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server computer named CERTKILLER-SR01 with all the client computers configured as Firewall clients. CERTKILLER-SR01 hosts a Web application named CK_Webapp, which is configured to use port 80 on CERTKILLER-SR01. The CertKiller.com network users will use the application to exchange confidential information, but they require the application to use port 443. You are required to configure the Web application to use port 443.
What should you do?
A. An Application.ini file must be configured on the client computers and include the LocalBindTcpPorts=443 entry in the Application.ini file.
B. An Application.ini file must be configured on the client computers and include the RemoteBindTcpPorts=443 entry in the Application.ini file.

C. On the Application Settings tab in the Define Firewall Client Settings dialog box on CERTKILLER-SR01 the value of the LocalBindTcpPorts entry must be set to 443.
D. On the Application Settings tab in the Define Firewall Client Settings dialog box on CERTKILLER-SR01 the value of the RemoteBindTcpPorts entry must be set to 443.
Answer: A
Explanation:
In the scenario you should use the Application.ini file, because it specifies configuration settings for specific applications, and the settings defined in the Application.ini file always take precedence over the settings configured at the server level.

Incorrect Answers:
B: This configuration should not be used in the scenario, because the application must be configured on the local machine, not on the remote server.
C: This setting should not be used in the scenario, because configuring it here makes it a server-level setting that is applied to all Firewall clients.
D: This entry should not be configured in the scenario, because it specifies the port used by the application on the remote server, not on the local machine.


QUESTION NO: 28
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com.
CertKiller.com contains an ISA Server 2004 computer named CERTKILLER-SR17, and the client computers include Windows 98, Windows XP Professional, Microsoft Windows 2000 and Macintosh portable computers.
CERTKILLER-SR17 is configured to use the Edge Firewall network template. CERTKILLER-SR17 is configured with an access rule to allow HTTP and HTTPS access to the Internet. CERTKILLER-SR17 is also configured to require all users to authenticate.
You must provide Internet access for all client computers while preventing unauthorized non-company users from accessing the Internet through CERTKILLER-SR17, and reduce the amount of administrative effort needed to configure the client computers.
What should you do?
A. You need to configure all client computers as Web Proxy clients and configure Basic authentication on the Internal network.
B. You need to configure all client computers as Web Proxy clients and configure Basic authentication on the Local Host network.

C. You need to configure all client computers as SecureNAT clients and configure Basic authentication on the Internal network.
D. You need to configure the Windows-based computers as Firewall clients and configure the non-Windows-based computers as Web Proxy clients and Basic authentication on the Local Host network.
Answer: A
Explanation:
Web proxy clients - Web proxy clients do not automatically send authentication information to ISA Server. By default, ISA Server requests credentials from a Web proxy client to identify a user only when processing a rule that restricts access based on a user element. You can configure which method the client and ISA Server use for authentication. You can also configure ISA Server to require authentication for all Web requests.
Basic authentication - Prompts users for a user name and password before allowing Web access. Basic authentication sends and receives user information as plaintext and does not use encryption. Basic authentication is not a secure authentication method unless the network traffic is encrypted by using SSL. Because basic authentication is part of the HTTP specification, most browsers support it. We configure basic authentication on the Internal network, because the Web proxy clients are on the Internal network.


QUESTION NO: 29
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. CertKiller.com has its headquarters in Dallas and a branch office in Miami. All client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com contains two ISA Server 2004 computers named CERTKILLER-SR20, which is located in Dallas, and CERTKILLER-SR30, which is located in Miami. CERTKILLER-SR30 is connected to CERTKILLER-SR20 by using a dedicated WAN connection. CERTKILLER-SR30 is configured to forward Web requests to CERTKILLER-SR20. The relevant section of the network is configured as seen in the exhibit.


The Windows XP Professional computers are configured as follows:
- To use an internal DNS server in each office
- Set up as SecureNAT clients
During your routine monitoring, you find out that Web requests from the Windows XP Professional computers in Miami for servers located in that office are being resolved by CERTKILLER-SR30.
You need to configure the Windows XP Professional computers in Miami to directly access servers in Miami.
What should you do? (Each correct answer presents a complete solution. Choose TWO.)
A. You should configure the Windows XP Professional computers as Web Proxy clients of CERTKILLER-SR30. Configure the list of domain names available on the Internal network on CERTKILLER-SR20 to include the *.CertKiller.com domain.

B. You should configure the Windows XP Professional computers as Web Proxy clients of CERTKILLER-SR30. Configure the Web browser to include the *.branch.CertKiller.com domain.
C. You should configure the Windows XP Professional computers as Firewall clients. Configure the list of domain names available on the Internal network on CERTKILLER-SR30 to include the *.branch.CertKiller.com domain.
D. You should configure the Windows XP Professional computers as Firewall clients. Configure the list of domain names available on the Internal network on CERTKILLER-SR20 to include the *.branch.CertKiller.com domain.
Answer: B,C
Explanation:
The Internal Network Domain Tab - Here you enter a list of internal network domains. When the Firewall client connects to a host located in one of these domains, the connection request bypasses the Firewall client application. The primary rationale for this is that if all the machines located in the same domain are located behind the same NIC, then the Firewall client machine can communicate directly without looping back through the ISA firewall. This reduces the overall load on the ISA firewall and improves client performance because the connection doesn't incur any Firewall processing overhead. Directly access computers specified on the Domains tab - This allows the Web Proxy client configured with the autoconfiguration script to use the domains listed on the Domains tab for Direct Access. Direct Access for Web Proxy clients allows the Web Proxy client computer to bypass the Web Proxy on the ISA firewall and connect directly to the destination, either via the machine's SecureNAT client configuration or via the machine's Firewall client configuration. This is useful if you want to leverage the domains already entered on the Domains tab and use them for Direct Access. In our scenario we must also enter the *.branch.CertKiller.com domain in the Web browser exception list.


QUESTION NO: 30
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR23.
CERTKILLER-SR23 contains an external network adapter that has an IP address of 192.168.100.141. You run the netstat -na command on CERTKILLER-SR23 and receive the output shown in the table.
You need to ensure that CERTKILLER-SR23 accepts connection requests for HTTP traffic only, and to be able to verify whether CERTKILLER-SR23 is listening on TCP port 139.

What should you do?
A. Andy Reid needs to run the pathping command to query CERTKILLER-SR23 from a remote computer.
B. Andy Reid needs to use a port scanner to query CERTKILLER-SR23 from a remote computer.
C. Andy Reid needs to use the Portqry.exe tool to query CERTKILLER-SR23 on CERTKILLER-SR23.
D. Andy Reid needs to use the Netdiag.exe tool to query CERTKILLER-SR23 on CERTKILLER-SR23.
Answer: B
Explanation:
Portqry.exe is a Microsoft command-line utility that you can use to help troubleshoot TCP/IP connectivity issues. Portqry.exe runs on Windows 2000-based computers, on Windows XP-based computers, and on Windows Server 2003-based computers. The utility reports the port status of TCP and UDP ports on a computer that you select. PortQry version 2.0 supports the following session layer and application layer protocols:
Lightweight Directory Access Protocol (LDAP)
Remote Procedure Calls (RPC)
Domain Name System (DNS)
NetBIOS Name Service
Simple Network Management Protocol (SNMP)
Internet Security and Acceleration Server (ISA)
SQL Server 2000 Named Instances
Trivial File Transfer Protocol (TFTP)
Layer Two Tunneling Protocol (L2TP)
This question looks like a trick question because we could also use a port scanner on the local device. But the results from a local scan could be confusing and influenced by the local host itself. Therefore we use a port scanner (you could use portqry) from a remote device and scan the external interface of the ISA server.
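The exhibit with the netstat output is not reproduced on this page, so the following is an added example (not part of the original question or of any Microsoft tool) that parses constructed `netstat -na` output in the Windows format and reports what the external interface is bound to. The sample output, the interface address 192.168.100.141 and the "allowed" port list are assumptions for illustration. It also counts wildcard (0.0.0.0) binds, which accept connections on every interface, a detail that is easy to miss when reading netstat by hand.

```python
"""Parse Windows `netstat -na` output and report the TCP ports an external
interface is actually listening on.  Added example; the sample output below
is constructed and is not the exhibit from the question."""
import re
from typing import Dict, List

# Constructed sample of `netstat -na` output from a Windows Server 2003 host.
# 192.168.100.141 plays the role of the external adapter in the question.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.100.141:80     0.0.0.0:0              LISTENING
  TCP    192.168.100.141:139    0.0.0.0:0              LISTENING
  TCP    192.168.100.141:443    0.0.0.0:0              LISTENING
  TCP    192.168.100.141:80     203.0.113.25:51234     ESTABLISHED
  UDP    192.168.100.141:137    *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str) -> Dict[str, List[int]]:
    """Return {local_address: [TCP ports in LISTENING state]}.

    Header lines and established/UDP entries are ignored; only TCP sockets
    that are waiting for inbound connections are collected.
    """
    listeners: Dict[str, List[int]] = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listeners.setdefault(addr, []).append(int(port))
    return listeners


def ports_on_interface(netstat_output: str, ip: str) -> List[int]:
    """TCP ports reachable on `ip`: sockets bound to that address plus
    sockets bound to the wildcard 0.0.0.0, which also answer on `ip`."""
    listeners = parse_listeners(netstat_output)
    ports = set(listeners.get(ip, [])) | set(listeners.get("0.0.0.0", []))
    return sorted(ports)


def is_listening(netstat_output: str, ip: str, port: int) -> bool:
    """True if a TCP listener would accept a connection to ip:port."""
    return port in ports_on_interface(netstat_output, ip)


def unexpected_listeners(netstat_output: str, ip: str,
                         allowed=(80,)) -> List[int]:
    """Listening ports on `ip` outside the expected set (HTTP only here)."""
    return [p for p in ports_on_interface(netstat_output, ip) if p not in allowed]


if __name__ == "__main__":
    ext = "192.168.100.141"
    print("listening on external interface:", ports_on_interface(SAMPLE_NETSTAT, ext))
    print("TCP 139 listening:", is_listening(SAMPLE_NETSTAT, ext, 139))
    print("listeners beyond HTTP:", unexpected_listeners(SAMPLE_NETSTAT, ext))
```

netstat only shows which sockets the operating system has bound; it does not show whether the ISA firewall policy will actually let a packet reach them. That is why the explanation above still recommends a remote query (portqry or another port scanner) against the external interface to confirm what is reachable from outside.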


QUESTION NO: 31
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com contains two ISA Server 2004 computers named CERTKILLER-SR16 and CERTKILLER-SR18. CertKiller.com also contains a Windows Server 2003 computer named CERTKILLER-SR17. CERTKILLER-SR17 functions as a DNS server. CERTKILLER-SR16 controls access between three segments on the CertKiller.com network as seen in the exhibit.


CertKiller.com uses an IP translation process that allows the network with private addresses to access information on the Internet. This applies from the Internal network to the perimeter network. The Web Proxy clients can access Web sites on the Internet, but when SecureNAT clients try to access hosts on the Internet, they receive an error message: "Cannot find server or DNS error."
You were given instructions to ensure that SecureNAT clients can perform DNS name resolution correctly for hosts on the Internet and to ensure that DNS name resolution is optimized for Active Directory.
To this end you run the nslookup command from a SecureNAT client and set the default server to 172.16.0.11. You also find that you are able to query name server (NS) resource records on the Internet from the Nslookup console.
What should your next step be?
A. You need to replace the DNS server publishing rule with an equivalent access rule on CERTKILLER-SR16.
B. You need to change the NAT relationship between the perimeter network and the Internal network to a route relationship on CERTKILLER-SR16.
C. You need to delete the .(root) zone and then disable recursion on CERTKILLER-SR18.
D. You need to remove forwarding configuration and add a .(root) zone on CERTKILLER-SR17.
Answer: C
Explanation:
Disable Recursion - By default, a Windows Server 2003 DNS server and a Windows 2000 DNS server accept recursive queries. This enables the server to do DNS searches on behalf of clients and is the preferred configuration. Select the Disable Recursion option if you want the server to accept only iterative queries. A root domain (indicated by a folder with a dot (.) at the top of the namespace) tells a DNS server that it sits at the top of the entire DNS namespace and that whatever domains it hosts are top-level domains. This means that the DNS server is a root server for its own domain. As long as that root zone exists, this DNS server will not accept root hints and cannot be configured to use forwarders. Windows 2000 forced administrators to delete the root zone so that they could correctly configure their DNS infrastructure. In Windows Server 2003, the root zone is not installed by default. In this case you can see that the SecureNAT clients have a primary DNS server called CERTKILLER-SR18. This DNS server does have a root zone, thus preventing forward lookups to the Internet or another DNS server. You need to delete the root zone, configure forwarding to CERTKILLER-SR17 and disable recursion on CERTKILLER-SR18.

Part 3: Configure a local domain table (LDT) (2 Questions)


QUESTION NO: 32
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
The client computers of CertKiller.com are configured with the Firewall client and the Web Proxy client and are not configured with a default gateway. The relevant portion of the network is configured as seen in the exhibit.

The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR11 that is configured with the 3-Leg Perimeter network template. CertKiller.com also contains a DNS server named CERTKILLER-SR12 and an Application server named CERTKILLER-SR13 which runs a Web-based application.
The Windows XP Professional computers are configured to use CERTKILLER-SR12, which is configured to forward requests to an ISP's DNS server. One morning you receive a complaint from the employees on the network that their access to CERTKILLER-SR13 is slow. During your investigation you find that the Windows XP Professional computers' requests for CERTKILLER-SR13 are being passed through CERTKILLER-SR11.

You need to address this issue and should thus configure CERTKILLER-SR11 to allow faster access to CERTKILLER-SR13.
What should you do? (Each correct answer presents part of the solution. Choose TWO.)
A. You need to create an access rule for DNS client protocol.
B. You need to enable IP routing between the perimeter network and the Internal network.
C. You need to enable the Directly access computers specified in the Domains tab option in the properties of the Internal network on CERTKILLER-SR11.
D. You need to add CertKiller.com to the list of domain names available on the Internal network on CERTKILLER-SR11.
E. You need to add CERTKILLER-SR13 to the system policy DNS configuration group.
Answer: C,D
Explanation:
The Internal Network Domain Tab - Here you enter a list of internal network domains. When the Firewall client connects to a host located in one of these domains, the connection request bypasses the Firewall client application. The primary rationale for this is that if all the machines located in the same domain are located behind the same NIC, then the Firewall client machine can communicate directly without looping back through the ISA firewall. This reduces the overall load on the ISA firewall and improves client performance because the connection doesn't incur any Firewall processing overhead. Directly access computers specified on the Domains tab - This allows the Web Proxy client configured with the autoconfiguration script to use the domains listed on the Domains tab for Direct Access. Direct Access for Web Proxy clients allows the Web Proxy client computer to bypass the Web Proxy on the ISA firewall and connect directly to the destination, either via the machine's SecureNAT client configuration or via the machine's Firewall client configuration. This is useful if you want to leverage the domains already entered on the Domains tab and use them for Direct Access.


QUESTION NO: 33
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.

CertKiller.com contains an ISA Server 2000 computer named CERTKILLER-SR13 and two Windows Server 2003 computers named CERTKILLER-SR14 and CERTKILLER-SR15. CertKiller.com consists of a Development department. CERTKILLER-SR14 and CERTKILLER-SR15 run a Web-based application that is used to process the data of the Development department.
At present CERTKILLER-SR13 is configured with protocol rules that allow access to HTTP, HTTPS, RDP, POP3, and SMTP. The list of domain names available on the Internal network on CERTKILLER-SR13 contains the following entries:
*.south.CertKiller.com
*.north.CertKiller.com
*.east.CertKiller.com
*.west.CertKiller.com
You then use the ISA Server 2004 Migration Tool and perform an in-place upgrade of CERTKILLER-SR13. On CERTKILLER-SR13 you then use the Network Monitor and notice that client requests for CERTKILLER-SR14 and CERTKILLER-SR15 are being passed through CERTKILLER-SR13.
You need to provide a solution that will allow clients to directly access the data of the Development department on CERTKILLER-SR14 and CERTKILLER-SR15.
What should you do?
A. On CERTKILLER-SR13 you need to create and configure HTTP, HTTPS, RDP, POP3, and SMTP access rules.
B. You need to configure an Application.ini file on the client computers.
C. You need to use the Group Policy and redeploy the ISA Server 2004 Firewall Client software by distributing it to the client computers.
D. You need to add CertKiller-sr14.CertKiller.com and CertKiller-sr15.CertKiller.com to the list of domain names available on the Internal network on CERTKILLER-SR13.
Answer: D
Explanation:
The Internal Network Domain Tab - In this tab you can enter a list of internal network domains. When the Firewall client connects to a host located in one of these domains, the connection request bypasses the Firewall client application. The primary rationale for this is that if all the machines located in the same domain are located behind the same NIC, then the Firewall client machine can communicate directly without looping back through the ISA firewall. This reduces the overall load on the ISA firewall and improves client performance because the connection doesn't incur any Firewall processing overhead. The Domains tab is also used to control the behavior of Web Proxy clients when accessing external sites. Directly access computers specified on the Domains tab - This allows the Web Proxy client configured with the autoconfiguration script to use the domains listed on the Domains tab for Direct Access. Direct Access for Web Proxy clients allows the Web Proxy client computer to bypass the Web Proxy on the ISA firewall and connect directly to the destination, either via the machine's SecureNAT client configuration or via the machine's Firewall client configuration. This is useful if you want to leverage the domains already entered on the Domains tab and use them for Direct Access.

Part 4: Configure ISA Server 2004 for automatic client configuration by using Web Proxy Automatic Discovery (WPAD) (1 Question)


QUESTION NO: 34
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com has a Development department. The CertKiller.com network contains an ISA Server 2004 array that consists of eight members. You have received instruction to enable Cache Array Routing Protocol (CARP) in the array to resolve outbound Web requests. After enabling CARP, you receive complaints from the Development department that Internet access is slower than normal. During your investigation you find that there is high network utilization on the intra-array network.
You need to reduce the amount of intra-array traffic.
What should you do?
A. You need to enable Network Load Balancing on the intra-array network.
B. You need to configure the Windows XP Professional computers as SecureNAT clients.
C. You need to use automatic discovery to configure the Windows XP Professional computers as Web Proxy clients.
D. You need to enable CARP on the intra-array network.
Answer: C
Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP. CARP distributes the cache used by Web proxies across an array of ISA Server computers. Although CARP assigns each ISA Server computer a unique set of cached data, the array of computers functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to increase performance in operations accessing a Web proxy cache that is distributed across multiple ISA Server computers. CARP uses hash-based routing to determine which ISA Server computer will respond to a client request and cache specific Web content.

Part 5: Diagnose and resolve client computer connectivity issues (14 Questions)


QUESTION NO: 35
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to the domain. CERTKILLER-SR01 has three network adapters, connected to the Internet, the perimeter network and the internal network. The CertKiller.com network also has two DNS servers named CERTKILLER-SR02 and CERTKILLER-SR03 located on the internal network.
The CertKiller.com network client computers are configured as Firewall clients of CERTKILLER-SR01. The perimeter network users recently started complaining that they are unable to connect to the Internet, whilst internal network users report no such problems and can connect to the Internet. You must decide what to do in order to enable all client computers to access the Internet.
What should you do?
A. The interface address of CERTKILLER-SR01 that is connected to the perimeter network must be included in the Perimeter Network list of addresses.
B. The client computers in the perimeter network must be configured as Web Proxy clients of CERTKILLER-SR01.
C. The .root zone must be deleted and disabled on CERTKILLER-SR03.
D. The .root zone must be deleted and disabled on CERTKILLER-SR02.
Answer: A
Explanation:
In the scenario you should know that a perimeter network is a network that is used to permit external users to use specific servers that are located on the perimeter network to prevent access to an internal corporate network.

Incorrect Answers:
B: This will not be of much help in the scenario and should not be used unless you include the interface address of CERTKILLER-SR01 that is connected to the perimeter network in the list of addresses for the perimeter network.
C: This should not be done in the scenario because additionally disabling recursion on either of the DNS servers is not recommended. Recursion is used to enable a DNS server to perform recursive queries on behalf of the DNS clients and servers that made the queries.
D: This should not be done in the scenario because additionally disabling recursion on either of the DNS servers is not recommended. Recursion is used to enable a DNS server to perform recursive queries on behalf of the DNS clients and servers that made the queries.


QUESTION NO: 36
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network consists of an ISA Server 2004 computer that is configured as an Edge Firewall.
The CertKiller.com network Graphics department has Macintosh computers configured as SecureNAT clients of the ISA 2004 server and the Finance department has Firewall clients. Both the Finance and Graphics departments require NNTP access to the external network. You decide to create a rule allowing NNTP for the All Authenticated Users. Now the Graphics department users report they are unable to access newsgroups through NNTP. The Finance department users do not report any problems connecting to newsgroups. You need to ensure that both departments are able to access newsgroups using NNTP.
What should you do?
A. An Access rule should be created to allow NNTP for the All Users user set and remove the access rule for the All Authenticated Users user set.
B. The Authenticated access rule must be modified to include the users of the graphics department.
C. A route relationship between the internal and the external network must be created.
D. All the users must be configured as SecureNAT clients.
Answer: A
Explanation:
The best option in the scenario is to create the access rule and configure it properly. Remember that the All Authenticated Users user set includes all users who are authenticated using any type of authentication, and SecureNAT clients are not authenticated until they connect through VPN.

Incorrect Answers:
B: This will not allow you to achieve the scenario objective and should not be used; instead you should create an access rule.
C: This should not be done in the scenario because when you are using an Edge Firewall, a network rule that specifies a route relationship between the internal network and VPN clients is already applied.
D: This should not be considered in the scenario because it will not allow you to achieve the scenario objective, and the All Authenticated Users user set does not include non-VPN SecureNAT clients.


QUESTION NO: 37
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR01.
The network users of the Finance and Research departments of CertKiller.com sometimes work remotely and require access to internal network resources from outside the network. You have just completed configuring CERTKILLER-SR01 as a remote access VPN server, and both PPTP and L2TP/IPSec are selected in the VPN Clients Properties dialog box.
The CertKiller.com remote clients can use either PPTP or L2TP/IPSec to connect to CERTKILLER-SR01, and all network clients are configured as both Web Proxy and Firewall clients of CERTKILLER-SR01. You are additionally required to create an access rule enabling remote users to access the internal resources over a VPN connection. You are in the process of configuring an Access Policy and require help.
What should you do?
A. The Access rule should be modified to allow the connections from VPN Clients to the internal network to select PPTP as the outbound protocol.
B. The VPN Clients properties should be checked and uncheck the Enable PPTP option.
C. The VPN Clients properties should be checked and uncheck the Enable L2TP/IPSec option.
D. The access rule should be modified to allow access to the users of the Research department.
Answer: D
Explanation:
In the scenario you should consider modifying the access rule for the Research department as access rules are used to configure the traffic passing through the ISA Server and includes all the traffic from the internal network to the Internet and back to internal network.

Incorrect Answers:
A: In the scenario you should not consider this option instead the users of the Research department should be added to the User Sets page enabling them access to the internal resources.
B: You should not check this checkbox in the scenario because this option will not allow the Research users to connect to the Internet.
C: You should not check this checkbox in the scenario because this option will not allow the users to access the internal resources remotely.


QUESTION NO: 38
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server and two routers to provide Internet access to the client computers, which will access the Internet as SecureNAT clients after the deployment. The network users are supposed to use IP addresses in the range 172.10.50.0/24. During maintenance you discover that none of the client computers are configured with the proper IP addresses. You are required to allow the client computers in the two departments access to the Internet.
What should you do? (Choose TWO.)
A. The client computers in the Finance department must be configured with a default gateway of 192.168.10.0.
B. The client computers in the Research department must be configured with a default gateway of 192.168.20.20.
C. The client computers in the Research department must be configured with a default gateway of 172.20.50.6.
D. The client computers in the Finance department must be configured with a default gateway of 172.10.50.1.
Answer: C,D
Explanation:
In the scenario you should keep in mind that SecureNAT clients are the easiest clients to configure, because the only settings you have to configure in the scenario are network settings.

Incorrect Answers:
A: The other default gateway addresses should not be used in the scenario because they will not allow the two departments Internet access.
B: The other default gateway addresses should not be used in the scenario because they will not allow the two departments Internet access.


QUESTION NO: 39
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to ensure security.
The CertKiller.com network client computers are configured as Web Proxy clients. You enabled IP routing so that you can use the Ping diagnostics utility to check connectivity. You ping external resources from the Web Proxy clients to validate connectivity. The CertKiller.com network also has corporate users who work in the office and have separate user accounts created in the Vendors group. The Group Policy states that vendors have limited access to corporate resources and that access to all the servers is encrypted by using IPSec. In order for the Vendors group to access and download their mail from their corporate mail servers you create an access rule for POP3 and SMTP on CERTKILLER-SR01.
For network security you configure the external vendors working from the office to have no additional protocols other than POP3 and SMTP. You configure the vendors as Firewall clients of CERTKILLER-SR01 and enable the Outlook option in the Firewall Client Settings dialog box to enable the vendors to access and download mail. After you perform this operation the vendors immediately start complaining that they are unable to download mail using POP3 and SMTP. You must decide what to do next.
What should you do?
A. Deselect the Allow non-encrypted Firewall client connections checkbox on CERTKILLER-SR01 in the Firewall Client Settings dialog box
B. The services setting must be configured and enabled in the Firewall Client Settings dialog box on CERTKILLER-SR01
C. The Vendor group on CERTKILLER-SR01 must be allowed to access the HTTP and HTTPS protocols
D. In the IP Preferences dialog box IP routing should be disabled
Answer: D
Explanation:
In the scenario you should consider having the IP routing disabled because when you disable IP routing the ISA server will send only the data and not the original network packet to the destination.

Incorrect Answers:
A: This should not be configured in the scenario because there are no down-level Windows clients in the scenario.
B: You should not consider this configuration in the scenario because it is not used to configure Outlook and won't help.
C: The scenario clearly stipulates that the Vendors group should not have any other protocols except SMTP and POP3.


QUESTION NO: 40
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network recently deployed an ISA Server 2004 computer to increase security.
The CertKiller.com network clients are all configured as Secure NAT clients and are able to browse Web sites but report they are unable to connect to FTP sites. You are required to ensure that the client computers are able to access the Internet for HTTP, HTTPS and FTP access by using the ISA server.
What should you do?
A. The FTP Access application filter should be enabled
B. The internal network adapter should be configured with a blank default gateway
C. The Link Translation Web filter should be enabled
D. A static route should be created
Answer: A
Explanation:
In the scenario you should consider enabling the filter because FTP uses port 20 for the connection and port 12 for data transfer, which SecureNAT clients do not understand; enabling this option will enable the SecureNAT clients to access FTP, HTTP and HTTPS sites.

Incorrect Answers:
B: This should not be done in the scenario because it will not enable the users to access FTP, HTTP and HTTPS sites.
C: This should not be considered in the scenario as it cannot be used to enable FTP access to the Internet.
D: There is no need for this configuration as it will not ensure that the users are able to access FTP, HTTPS and HTTP sites.


QUESTION NO: 41
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network consists of an ISA Server 2004 computer named CERTKILLER-SR01 configured as a remote access VPN and is configured to accept PPTP remote connections.

You plan to configure CERTKILLER-SR01 to accept only L2TP/IPSec connections from remote clients to increase network security. You create a new Connection Manager profile by using the Connection Manager Administration Kit (CMAK) and distribute the profile to the remote users. The remote users are now disconnected from CERTKILLER-SR01 while trying to connect to the internal network. You are required to ensure that remote users can connect to the internal network.
What should you do?
A. A computer certificate should be issued to the VPN client computers.
B. The ISA firewall must be configured to support pre-shared keys.
C. IP routing should be disabled.
D. The Block IP fragments option should be disabled.
Answer: D
Explanation:
When the Block IP fragments option is enabled, CERTKILLER-SR01 drops every IP packet that arrives as a fragment. The IKE negotiation that establishes the IPSec security association for an L2TP/IPSec connection carries large payloads (certificates, for example) that are commonly fragmented on the way to the VPN server, so the dropped fragments prevent the L2TP/IPSec connection from being established. Disabling the option lets the fragmented IKE packets through.

Incorrect Answers:
A: Issuing computer certificates does not address the problem; the fragmented IKE packets are still dropped by the firewall.
B: Configuring the ISA firewall for pre-shared keys only changes the IKE authentication method; the fragments are still dropped, so remote users still cannot connect.
C: Disabling IP routing changes how ISA Server forwards packets between networks and does nothing to let the dropped fragments through.


QUESTION NO: 42
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network contains an ISA Server 2004 computer configured as an Edge Firewall.
The CertKiller.com network client computers are configured as Firewall clients. You implement a firewall policy that allows the clients access using the HTTP, HTTPS and FTP protocols while all other network access is blocked, as required by company policy. Shortly after you finish deploying the ISA server, the Firewall client computers report that they can download files from FTP servers but cannot upload files to them. You diagnose the problem and determine that it is not specific to any one site. You need to enable the clients to both download and upload FTP data.

What should you do?
A. The route relationship between the internal and external networks must be modified.
B. The Firewall policy must be modified to allow access to all protocols.
C. All the client computers should be configured as Web Proxy clients.
D. The FTP policy must be configured to disable the Read Only option.
Answer: D
Explanation:
By default an access rule that allows FTP is configured as Read Only, which permits FTP downloads but blocks uploads. Clearing the Read Only option in the rule's FTP policy allows the network clients to both download files from and upload files to FTP sites.

Incorrect Answers:
A: With the Edge Firewall template the network rules between the internal and external networks are already in place, and a route relationship between the internal network and VPN clients is already applied; the clients can already reach the FTP servers, so the relationship is not the problem.
B: No additional protocols are needed; HTTP, HTTPS and FTP are sufficient for the users to download and upload FTP files.
C: Web Proxy clients can only download files from FTP sites (FTP over HTTP) and cannot upload, so this configuration would not solve the problem.


QUESTION NO: 43
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows 2000 Professional or Windows XP Professional. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR01.
Certain members of CertKiller.com will work remotely and require access to internal network resources. You configure CERTKILLER-SR01 as a VPN server to provide authentication and authorization to VPN clients, and you configure it to use a RADIUS server named CERTKILLER-SR02. You configure CERTKILLER-SR01 to use L2TP connections with pre-shared keys, enable the use of a custom IPSec security policy on CERTKILLER-SR01 and configure a pre-shared key in the VPN properties. You use CMAK to create a Connection Manager profile that contains the pre-shared key and distribute the profile to the VPN clients.
During the business day you test VPN connectivity from the clients by using the Connection Manager profile and find that you can connect to the internal network from the VPN clients. During routine maintenance you later notice a large number of UDP requests on the internal adapter of CERTKILLER-SR01 and, to secure it, you block UDP traffic to the ISA server's internal network adapter. After this change the external remote users report that they are unable to access the VPN server.

What should you do?
A. A new Connection Manager profile should be configured using the CMAK kit to use certificates in stead of pre-shared keys and instruct the VPN users to use the new Connection Manager profile
B. A new Connection Manager profile should be configured to use pre-shared keys with certificates and instruct the VPN users to use the new Connection Manager profile
C. On the internal network adapter of CERTKILLER-SR01 you must enable UDP ports 1512, 1513, 1445 and 1446
D. On the internal network adapter of CERTKILLER-SR01 you must enable UDP ports 1812, 1813, 1645 and 1646
Answer: D
Explanation:
Blocking all UDP traffic on the internal adapter also blocked RADIUS, which runs over UDP. You should allow UDP ports 1812 and 1813 (the standard RADIUS authentication and accounting ports) and 1645 and 1646 (the legacy ports that some RADIUS servers still use) on the internal adapter so that CERTKILLER-SR01 can communicate with CERTKILLER-SR02 and VPN users can be authenticated again.

Incorrect Answers:
A: Switching the profile from pre-shared keys to certificates only changes the IPSec authentication method; user authentication still goes to the RADIUS server over the UDP ports you blocked, so the users still cannot connect.
B: Combining pre-shared keys with certificates likewise does nothing to restore the blocked RADIUS traffic to the VPN server.
C: These are the wrong ports; RADIUS does not use UDP 1512, 1513, 1445 or 1446, so enabling them would not improve the situation.
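What actually crosses the internal adapter on UDP 1812 when a VPN user authenticates, as an added example that is not part of the exam material or of any Microsoft code: the ISA server acts as the RADIUS client and sends an Access-Request to CERTKILLER-SR02 with the user's PAP password hidden per RFC 2865, and it must check the Response Authenticator of the reply against its own request and the shared secret. The shared secret, user name, password and NAS address are constructed sample values; nothing here sends packets to a real server.

```python
# Added example (not part of the exam material): RFC 2865 RADIUS Access-Request
# construction and reply verification, i.e. the exchange the ISA server (RADIUS
# client) has with the RADIUS server on UDP 1812. All secrets and identities are
# constructed sample values.
import hashlib
import hmac
import os
import struct
from typing import Optional

RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813   # RFC 2865 / RFC 2866 ports
LEGACY_AUTH_PORT, LEGACY_ACCT_PORT = 1645, 1646   # pre-RFC ports still used by some servers
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server side of hide_password; the chain value is the previous *hidden* block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        kind, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[kind] = blob[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, user: str, password: str, nas_ip: str,
                         secret: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) RequestAuthenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """What the RADIUS server returns (Access-Accept or Access-Reject) for a request."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Accept a reply only if its Response Authenticator binds it to our request and secret."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

The point for the firewall question: the whole exchange is UDP datagrams from the ISA server's internal address to CERTKILLER-SR02 on 1812 (and 1813 for accounting), so a blanket UDP block on the internal adapter removes the only path by which VPN users can be authenticated. The Response Authenticator check is also why a RADIUS reply spoofed by someone who does not know the shared secret is rejected.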


QUESTION NO: 44
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 whose external adapter is configured with a single IP address. You recently enabled the caching feature of CERTKILLER-SR01. Users in the Finance department will be working out of the office and require access to an Exchange 2003 mail server named CERTKILLER-SR02 on the internal network.

Users on the internal network use Microsoft Outlook 2003, and the VPN clients also use Outlook 2003. The Domain Administrators group is the only group enabled for VPN client access. The CertKiller.com network policy stipulates that mail access for external users must be browser based only. You create a protocol definition for outbound TCP port 80 to allow mail access through Outlook Web Access for the Senior Management group, and then create an access rule that uses this protocol definition and applies to the Finance and Senior Management groups. You verify that the connections are working. The remote users then complain that they are unexpectedly logged off while accessing the internal mail server through Outlook Web Access from a public computer.
What should you do?
A. OWA forms-based authentication must be configured in the Authentication dialog box of the Web listener.
B. The bridging mode must be configured and select the Secure connection to clients and mail server option.
C. The Web listener must be configured to select the Log off OWA when the user leaves OWA option.
D. A cache rule should be created to prevent the caching of Outlook Web Access objects.
Answer: D
Explanation:
The best option is to create a cache rule that prevents caching of the Outlook Web Access objects. With the caching feature enabled, ISA Server caches the Outlook Web Access content like any other Web content when the server is not configured to use forms-based authentication, and serving the session's pages from the cache leads to the unexpected logoffs.

Incorrect Answers:
A: OWA forms-based authentication cannot be configured on this Web listener: the listener uses the single external IP address, and forms-based authentication is mutually exclusive with the other authentication methods on the same listener.
B: Bridging with the Secure connection to clients and mail server option creates a Web publishing rule with an SSL connection from the client to the OWA Web site; it does not address the logoffs.
C: The Log off OWA when the user leaves OWA site option belongs to the forms-based authentication settings and can only be used when forms-based authentication is configured on the Web listener, which is not the case here.


QUESTION NO: 45
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.

The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 to enhance network security and a DNS server named CERTKILLER-SR02. You decide to enhance security further by selecting the Enable IP options filtering, Block IP fragments and Enable IP routing options in the IP Preferences dialog box on CERTKILLER-SR01. CertKiller.com management decides to deploy a streaming server named CERTKILLER-SR03 on the internal network to host multimedia files that will be accessed by users of the Finance department both inside and outside the CertKiller.com network.
You are later instructed to publish the streaming server through CERTKILLER-SR01. You ensure that there is enough bandwidth for optimal streaming of the multimedia files. You check the performance of the connection by allowing a limited set of external users access to the files. They can connect to the streamed files but report that the connection to the streaming server is erratic and terminates while the multimedia files are playing. You are required to ensure that the multimedia streams are optimized and persistent.
What should you do?
A. A DNS server should be installed on CERTKILLER-SR01 and instruct the external clients to use the new DNS server for name resolution.
B. The .root zone should be deleted and then disable recursion on CERTKILLER-SR02.
C. IP routing should be disabled on CERTKILLER-SR01.
D. IP fragment blocking should be disabled on CERTKILLER-SR01.
Answer: D
Explanation:
You should disable the Block IP fragments option. Fragmentation is performed by the sending host or an intermediate router when an IP datagram is larger than the path MTU: the datagram is split into several smaller IP fragments. With the option enabled, ISA Server drops every fragment it receives, so the large streaming media datagrams never arrive intact and the stream becomes erratic and terminates.

Incorrect Answers:
A: A new DNS server is not needed; the external users already resolve and reach the streaming server using CERTKILLER-SR02.
B: Deleting the root zone and disabling recursion changes how CERTKILLER-SR02 resolves names; name resolution already works in the scenario, so this does not affect the dropped stream.
C: IP routing should stay enabled; it allows the original packets to be forwarded to their destinations and is not the cause of the problem.
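What the Block IP fragments option looks at in both Question 41 (fragmented IKE packets for L2TP/IPSec) and Question 45 (fragmented streaming media), as an added example that is not part of the exam material or of ISA Server's code: a sender or router splits any datagram larger than the path MTU into fragments marked in the IPv4 header by the More Fragments flag or a non-zero Fragment Offset, and a "block fragments" policy simply drops every packet carrying either mark. The addresses, MTU and payloads are constructed; the fragmentation routine follows RFC 791.

```python
# Added example (not part of the exam material): IPv4 fragmentation as a sender
# or router performs it, and the filter decision that "Block IP fragments" makes.
# Addresses and payloads are constructed samples.
import struct

MF_FLAG = 0x1   # More Fragments
DF_FLAG = 0x2   # Don't Fragment
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """Ones' complement sum of the header's 16-bit words (RFC 791); 0 means valid when rechecked."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int,
              offset_bytes: int = 0, more: bool = False) -> bytes:
    """Build a minimal 20-byte-header IPv4 packet with a correct header checksum."""
    flags_frag = ((MF_FLAG if more else 0) << 13) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(src: str, dst: str, proto: int, payload: bytes, mtu: int, ident: int = 0x1234) -> list:
    """Split one datagram the way a sending host or router does for a given path MTU."""
    if len(payload) + 20 <= mtu:
        return [make_ipv4(src, dst, proto, payload, ident)]
    chunk = (mtu - 20) // 8 * 8           # fragment data must be a multiple of 8 bytes
    out = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        out.append(make_ipv4(src, dst, proto, piece, ident, off, more=(off + chunk < len(payload))))
    return out


def parse_ipv4_header(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4 or (vihl & 0x0F) * 4 < 20:
        raise ValueError("not an IPv4 packet")
    flags = flags_frag >> 13
    return {"total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
            "df": bool(flags & DF_FLAG), "mf": bool(flags & MF_FLAG),
            "frag_offset": (flags_frag & 0x1FFF) * 8,      # offset in bytes
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def is_fragment(hdr: dict) -> bool:
    """A packet is a fragment if more fragments follow it or it is not the first piece."""
    return hdr["mf"] or hdr["frag_offset"] != 0


def filter_fragments(packets, block_fragments: bool):
    """Apply the Block IP fragments policy; returns (passed_headers, dropped_headers)."""
    passed, dropped = [], []
    for pkt in packets:
        hdr = parse_ipv4_header(pkt)
        (dropped if block_fragments and is_fragment(hdr) else passed).append(hdr)
    return passed, dropped


if __name__ == "__main__":
    # Constructed sample: a 2000-byte UDP datagram (an IKE certificate payload or a
    # media burst) that has to cross a 1500-byte Ethernet link.
    frags = fragment("203.0.113.10", "198.51.100.1", IPPROTO_UDP, b"\x00" * 2000, 1500)
    for hdr in parse_ipv4_header(frags[0]), parse_ipv4_header(frags[1]):
        print(hdr["total_len"], hdr["mf"], hdr["frag_offset"], is_fragment(hdr))
    print(filter_fragments(frags, block_fragments=True)[1].__len__(), "dropped")
```

Because neither fragment is reassembled by the firewall before the decision, every piece of a large datagram is dropped, not just the tail; the receiver then never sees the IKE message or the media frame at all, which is why the symptom is a connection that fails to set up (Question 41) or a stream that stalls and terminates (Question 45) rather than mere packet loss.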


QUESTION NO: 46
You are the CEO of CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Rory Allen works as the network administrator at CertKiller.com. His duties include administering an ISA Server 2004 computer named CERTKILLER-SR15.

CertKiller.com contains a Sales department with two locations, Location1 and Location2, situated in different parts of the city. A portion of the network is shown in the exhibit.

CERTKILLER-SR15 is configured to use the Edge Firewall network template. Rory Allen also created access rules to allow Internet access for CertKiller.com employees on the network. However, the employees in the Sales department complain that they cannot access the Internet.
What should Rory Allen do to configure the client computers on the network to allow Internet access? (Each correct answer presents part of the solution. Choose TWO.)
A. Rory Allen needs to configure client computers in Location1 with a default gateway IP address of 172.16.100.1.
B. Rory Allen needs to configure client computers in Location2 with a default gateway IP address of 172.16.50.1.
C. Rory Allen needs to configure client computers in Location1 with a default gateway IP address of 10.10.10.1.
D. Rory Allen needs to configure client computers in Location2 with a default gateway IP address of 172.16.100.1.
E. Rory Allen needs to configure client computers in Location1 with a default gateway IP address of 172.16.30.1.
F. Rory Allen needs to configure client computers in Location2 with a default gateway IP address of 10.10.10.1
Answer: B,E
Explanation:
The default gateway of a SecureNAT client is the IP address of the internal interface of the ISA Server 2004 firewall. You can configure the default gateway address manually, or use DHCP to assign addresses to the SecureNAT clients automatically; the DHCP server can be on the ISA Server 2004 firewall itself or on a separate machine on the internal network. In the "complex network scenario," the internal network consists of multiple network IDs that are connected by a router, a series of routers or layer 3 switches. In that case the default gateway address assigned to each SecureNAT client depends on where the client computer is located: it is the router that gives the SecureNAT client access to other networks within the organization as well as the Internet. The routing infrastructure must be configured so that Internet-bound requests from SecureNAT clients are forwarded to the internal interface of the ISA Server 2004 firewall.



QUESTION NO: 47
You work as the network administrator for CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2000 computer named CERTKILLER-SR23.
CertKiller.com contains a Finance department and a Sales department. CERTKILLER-SR23 is configured with access rules that allow Internet access for all CertKiller.com employees. The client computers at CertKiller.com are configured as Web Proxy clients of CERTKILLER-SR23. You receive instructions to install a new ISA Server 2004 computer named CERTKILLER-SR24, which will be placed in the Sales department.
On CERTKILLER-SR23 you then ran the ISA Server 2004 Migration Tool and saved the configuration to a file named Backupconfig.xml. You then installed ISA Server 2004 on CERTKILLER-SR24, and imported Backupconfig.xml on the new ISA Server 2004 computer.
You then also configure the Internal network with a valid IP address range on CERTKILLER-SR24, for the client computers in the Sales department. You also configured a Web chaining rule on CERTKILLER-SR24 to redirect Web requests to CERTKILLER-SR23 and configured client computers in the Sales department as Web Proxy clients of CERTKILLER-SR24.
After the completion of the task, you received complaints from the Sales department employees that they cannot connect to the Internet.
You need to ensure that users of client computers can connect to the Internet.
What should you do?
A. You must change the external IP address on CERTKILLER-SR24 to a valid IP address for the external network.
B. You must save its configuration as ISAbackup.xml on CERTKILLER-SR24 and restart the Microsoft Firewall service on CERTKILLER-SR24. Then import the configuration.

C. You must configure the client computers as Firewall clients of CERTKILLER-SR24 and enable automatic discovery on CERTKILLER-SR24.
D. You must perform an ISA Server 2004 in-place upgrade on CERTKILLER-SR23 and configure access rules to allow Internet access for the Sales department users on CERTKILLER-SR24.
Answer: A
Explanation:
Microsoft ISA Server 2004 includes an export and import feature that saves ISA Server configuration parameters to an .xml file. The file can serve as a backup of your configuration or be used to copy the configuration to another ISA Server computer, and you can export at many levels. If you want to set up another ISA Server computer with the same policy as the one you have configured, but that server is located in a different part of the network, possibly in another domain, and has different network relationships, you cannot use the complete configuration: the imported network settings, including the external IP address, belong to the original server. The solution is to export the firewall policy, import it on the other ISA Server computer, and then modify the network details in the firewall policy rules as necessary. In this scenario the imported Backupconfig.xml also brought across the external address of CERTKILLER-SR23, so CERTKILLER-SR24 must be given a valid IP address for its own external network.


QUESTION NO: 48
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com contains a large Sales department whose client computers are split across several subnets connected by routers. The CertKiller.com network contains a server named CERTKILLER-SR10. You have installed ISA Server 2004 on CERTKILLER-SR10 to allow the users in the Sales department to access Web sites.
You then configure the TCP/IP on CERTKILLER-SR10 as seen in the exhibit.


After the installation of ISA Server 2004, the users in the Sales department complain that they cannot access Web sites on the Internet. You need to ensure that users can access Web sites on the Internet.
What should you do? (Each correct answer presents part of the solution. Choose TWO.)
A. You need to configure the internal default gateway to match the external default gateway.
B. For each subnet in the CertKiller.com network, you need to configure a static route.
C. You need to add the IP address of the internal default gateway to the Remote Management Computers computer set.
D. You need to configure the internal network adapter with a blank default gateway.
E. You need to create a network set for each subnet.
Answer: B,D
Explanation:
Before you install the ISA firewall software you must configure the routing table on the ISA firewall machine. The routing table should include routes to all networks that are not local to the ISA firewall's network interfaces. Because the ISA firewall can have only a single default gateway, these routing table entries are required. If the internal network or another network contains multiple subnets, configure routing table entries that allow the ISA firewall to communicate with the computers and other IP devices on those subnets. The network interface with the default gateway is the one used to connect to the Internet, either directly or via upstream routers. You should therefore remove the default gateway from the internal network adapter and configure a static route to each internal subnet.


QUESTION NO: 49
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network contains an ISA Server 2004 computer configured as an Edge Firewall and a DNS server on the internal network.
The ISA server controls Web access for the client computers in the domain. CertKiller.com recently took on a new project that requires that no data transfer, including OS-related error reporting, be transmitted to external sites, because the data may contain information about the project's work environment. You configure the network clients as Firewall clients of the ISA server and are required to ensure that OS-related error reporting data is not transmitted.
What should you do?

A. The communication to the Microsoft configuration group should be disabled.
B. The HTTP Connectivity verifiers configuration group should be disabled.
C. The Remote Logging (NetBIOS) configuration group should be disabled.
D. The ICMP configuration group should be disabled.
Answer: A
Explanation:
You should disable the configuration group that allows communication to Microsoft (the Microsoft Error Reporting group under Diagnostic Services in the system policy). This group allows the error reporting traffic to the Microsoft error reporting sites over HTTP and HTTPS; disabling it removes that allowance, so OS-related error reports are no longer sent to Microsoft.

Incorrect Answers:
B: The HTTP Connectivity verifiers group allows the Local Host network to use HTTP or HTTPS to verify connectivity to computers on any network; it is unrelated to error reporting.
C: The Remote Logging (NetBIOS) group controls logging to a remote server and does not prevent OS-related error reporting to Microsoft.
D: ICMP should not be disabled; the Diagnostic Services ICMP configuration group allows the ISA server to send ICMP to all networks for diagnostics and has nothing to do with error reporting.


QUESTION NO: 50
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network has headquarters in Chicago and a branch office in Miami connected to the main office through a WAN connection.
The CertKiller.com network recently installed an ISA server named CERTKILLER-SR01 in the main office and an ISA server named CERTKILLER-SR02 in the branch office. CertKiller.com management plans to perform all ISA administrative tasks for CERTKILLER-SR02 remotely from the main office. You also require access to non-ISA services such as DNS when configuring the firewall. You first export the current system policy. You need to ensure that you can perform all administrative tasks for CERTKILLER-SR02 from CERTKILLER-SR01.
What should you do?
A. The Microsoft Management Console configuration group on CERTKILLER-SR02 should be enabled.
B. The Windows Networking configuration group on CERTKILLER-SR02 should be enabled.
C. The Allowed Sites configuration group on CERTKILLER-SR02 should be enabled.

D. The Terminal Server configuration group on CERTKILLER-SR02 should be enabled.
Answer: D
Explanation:
Enabling the Terminal Server configuration group allows RDP connections from the Remote Management Computers set to CERTKILLER-SR02. A terminal session gives you a full desktop on the branch office server, so you can administer not only ISA Server but also non-ISA services such as DNS, which is what the scenario requires.

Incorrect Answers:
A: The Microsoft Management Console configuration group only allows remote administration of ISA Server 2004 through the ISA Server MMC snap-in; it does not give access to other services such as DNS.
B: The Windows Networking configuration group allows NetBIOS communication with the network and does not provide remote administration.
C: The Allowed Sites configuration group is enabled by default in ISA Server 2004 and controls which external sites the ISA server itself may access; it is unrelated to remote administration.


QUESTION NO: 51
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR20 and a Windows Server 2003 computer named CERTKILLER-SR22. CERTKILLER-SR20 is configured with access rules for Internet access and CERTKILLER-SR22 is configured as an internal certification authority (CA).
Due to company growth you were given the instruction to deploy 15 new ISA Server 2004 computers. You then export the firewall policy settings into a file named CERTKILLER-SR20export.xml on CERTKILLER-SR20 and configure the network configuration settings on each of the 15 new ISA Server computers. You also import the firewall policy settings from the CERTKILLER-SR20export.xml file on each of the 15 ISA Server computers.
While you were testing the imported configuration you find out that the new ISA Server computers cannot download the CRL from CERTKILLER-SR22. You need to ensure that the new ISA Server computers can download the CRL.
What should you do?
A. You need to edit the CERTKILLER-SR20export.xml file by adding the following lines: StorageType=Allow HTTP from ISA Server to all networks (for CRL downloads) String=0 Enabled=1

Import the CERTKILLER-SR20export.xml file on each of the 15 ISA Server computers.
B. You need to export the system policy rules on CERTKILLER-SR20 by using the Export System Policy task. Import the system policy rules on each of the 15 ISA Server computers.
C. You need to export the array configuration settings on CERTKILLER-SR20 to an .xml file. Import the .xml file on the new ISA Server computers.
D. You need to create a destination set for the new ISA Server 2004 computers. Add this destination set to the destination list on the Allow all HTTP traffic from ISA Server to all networks (for CRL downloads) system policy rule.
Answer: B
Explanation:
You can export the entire ISA Server configuration, or just parts of it, depending on your specific needs. When you export an entire configuration, all general configuration information is exported. This includes access rules, publishing rules, rule elements, alert configuration, cache configuration, and ISA Server properties. In addition, you can select to export user permission settings and confidential information such as user passwords. Confidential information included in the exported file is encrypted. You can also choose to export the firewall policies or system policies separately.


QUESTION NO: 52
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com has its headquarters in Chicago and a branch office in Dallas. The Chicago office and the Dallas office are connected over a dedicated 56-Kbps frame relay WAN link. The headquarters in Chicago contains an ISA Server 2004 computer named CERTKILLER-SR12 and the branch office in Dallas contains an ISA Server 2004 computer named CERTKILLER-SR13. CertKiller.com also contains two client computers named CERTKILLER-WS350 and CERTKILLER-WS354. CERTKILLER-WS354 in the Dallas office connects to the headquarters in Chicago through CERTKILLER-SR13. Two computers in each office are configured as seen in the table.
The employees that work on CERTKILLER-WS354 can connect to the headquarters in Chicago, however CERTKILLER-WS350 and CERTKILLER-WS354 cannot connect to the Internet. You need to verify connectivity to CERTKILLER-SR12 from either CERTKILLER-WS350 or CERTKILLER-WS354 and to maintain a high level of security on the external network adapter on CERTKILLER-SR12 and on CERTKILLER-SR13.

What should you do?
A. You need to configure CERTKILLER-WS350 with the default gateway IP address of the internal network adapter of CERTKILLER-SR12 and issue the ping command to 192.168.100.1 from CERTKILLER-WS350.
B. You need to configure CERTKILLER-WS354 with the default gateway IP address of the internal network adapter of CERTKILLER-SR13 and issue the tracert command to 172.16.1.1 from CERTKILLER-WS354.
C. You need to edit the Diagnostic Services ICMP configuration group on CERTKILLER-SR12 by adding the main office network as a destination network and issue the pathping command to 192.168.100.1 from CERTKILLER-WS350.
D. You need to edit the Remote Management ICMP (PING) configuration group on CERTKILLER-SR12 by adding CERTKILLER-WS350 to the Remote Management Computers computer set and issue the ping command to 192.168.100.1 from CERTKILLER-WS350.
Answer: D
Explanation:
The system policy is used primarily to enable sufficient access between the ISA Server computer and the connected networks so that you can manage ISA Server. All of the system policy rules define access between the Local Host network, which is the ISA Server computer itself, and the connected networks, rather than access between networks. Configuration groups are used in several of these system policy rules. Remote Management ICMP (PING) configuration group: enabling this group enables system policy rules that allow ICMP ping requests from selected computers to the ISA server. Diagnostic Services ICMP configuration group: enabling this group enables system policy rules that allow ICMP ping from the ISA server to selected computers. You need to diagnose connectivity from the source, CERTKILLER-WS350, to the destination, CERTKILLER-SR12, so you add CERTKILLER-WS350 to the Remote Management Computers computer set that is used by the Remote Management ICMP (PING) configuration group.

Part 2: Back up and restore ISA Server 2004 (3 Questions)


QUESTION NO: 53
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to enhance network security.

A new CertKiller.com security policy states that access to certain Web sites must be restricted. On CERTKILLER-SR01 you create URL sets for the restricted Web sites and rules that deny access to those sites. CertKiller.com recently expanded and acquired a new branch office; the number of subnets in the branch office will vary with regional requirements and expansion plans.
You decide to deploy two new ISA Server 2004 computers in the branch office to secure the network and configure the network configuration on the new ISA servers. You need to configure access rules on the new ISA servers that block the restricted sites.
What should you do?
A. The System Policy rules on CERTKILLER-SR01 should be exported to CERTKILLER-SR01.xml using the Export System Policy task and import the CERTKILLER-SR01.xml file to the new ISA servers.
B. All the network objects in the Toolbox tab in CERTKILLER-SR01 should be exported to CERTKILLER-SR01.xml and imported on the new ISA servers.
C. The complete configuration settings on CERTKILLER-SR01 should be exported to CERTKILLER-SR01.xml and imported to the new ISA servers.
D. The URL sets network objects on CERTKILLER-SR01 should be exported to CERTKILLER-SR01.xml and imported to the new ISA servers.
Answer: D
Explanation:
Exporting the URL sets to an .xml file and importing them on the new ISA servers copies the restricted-site definitions across so that you can build deny rules on the new servers that reference them. Only the URL sets are carried over; the network configuration, which differs in the branch office, stays as you configured it on the new servers.

Incorrect Answers:
A: The system policy governs traffic to and from the ISA server itself; it does not contain the access rules and URL sets that restrict client access to Web sites.
B: Exporting all network objects would include network sets and subnets from CERTKILLER-SR01 that do not match the branch office, where the number of subnets varies.
C: Exporting the complete configuration would overwrite the network configuration you already set up on the new servers with the settings from CERTKILLER-SR01, which do not fit the branch office.


QUESTION NO: 54
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.

The CertKiller.com network recently deployed two ISA Server 2004 computers named CERTKILLER-SR01 to enhance network security. You recently configured a number of scheduled content download jobs on CERTKILLER-SR01, and requests to CERTKILLER-SR01 have increased. You plan to implement two new ISA Server 2004 computers named CERTKILLER-SR02 and CERTKILLER-SR03.
The Firewall policies of CERTKILLER-SR02 and CERTKILLER-SR03 will be configured the same as CERTKILLER-SR01. You later export the Firewall policy settings to a file named SR01firepolicy.xml and import the file to the new servers respectively. After the configuration, network clients of CERTKILLER-SR02 and CERTKILLER-SR03 report that they are experiencing slow access and downloads from the Internet. You are required to optimize Internet access for the new ISA servers.
What should you do?
A. The Export confidential information (encryption will be used) option should be selected during the export of the Firewall policy settings to SR01firepolicy.xml and import the file to the new ISA servers.
B. All the network objects in the Toolbox tab should be exported on CERTKILLER-SR01 to SR01firepolicy and import the file to the new ISA servers.
C. The Web Listeners network object should be exported from CERTKILLER-SR01 to SR01firepolicy.xml and import the file to the new ISA servers.
D. The System Policy rules on CERTKILLER-SR01 should be exported using the Export System Policy task and import the System Policy rules on the new ISA servers.
Answer: D
Explanation:
In the scenario the best option to have the new ISA servers configured is to export the System Policy rules, because if you simply export the Firewall policy the System Policy rules are not included, and those rules are important.

Incorrect Answers:
A: This option should not be used in the scenario as it is meant for exporting user passwords, pre-shared keys for IPSec, and similar confidential data.
B: This should not be done in the scenario because the ISA 2004 Server does not allow selecting all network objects in a single step.
C: This option should not be used in the scenario because it will not optimize network performance.


QUESTION NO: 55
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR10. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Marketing department. CERTKILLER-SR10 is configured with an internal certificate authority (CA). You also install client certificates for the employees in the Marketing department and configure client certificate mapping for internal network users. The client computers are configured as Web Proxy clients and you configure the Internal network to allow only certificate-based authentication for Web Proxy clients.
For security reasons you have revoked the certificate of an employee named Mia Hamm. During routine monitoring you notice that CERTKILLER-SR10 is still authenticating Web requests for her. To this end you need to configure CERTKILLER-SR10 to deny Internet access to Mia Hamm.
What should you do?
A. You need to add the All Networks (and Local Host) network set as a destination for the Allow access to directory services for authentication purposes system policy rule.
B. You need to create a new content type set and select the application/pkix-crl and application/x-x509-ca-cert MIME types as the content type to allow.
C. You need to enable the Verify that incoming server certificates are not revoked in reverse scenario certificate validation setting on CERTKILLER-SR10, and enable the related system policy rule.
D. You need to enable the Verify that incoming client certificates are not revoked certificate validation setting on CERTKILLER-SR10, and enable the related system policy rule.
Answer: D

Explanation:
Verify that incoming client certificates are not revoked - Select this check box to specify that when CERTKILLER-SR10 receives a certificate from a client, it will automatically check if the certificate is revoked. If the certificate is revoked, the client request will be denied.
Verify that incoming server certificates are not revoked in a forward scenario - Select this check box to specify that CERTKILLER-SR10 will automatically check if incoming server certificates, in an SSL bridging scenario, are revoked. If the certificate is revoked, the request will be denied.
Verify that incoming server certificates are not revoked in a reverse scenario - Select this check box to specify that CERTKILLER-SR10 will automatically check if server certificates, in a Web publishing scenario, are revoked. If the certificate is revoked, the request will be denied.

Part 3: Define administrative roles (2 Questions)



QUESTION NO: 56
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to enhance network security.
The CertKiller.com network recently expanded and acquired a new branch office whose network computers run Linux and some UNIX variants. You decide to install an additional ISA server named CERTKILLER-SR02 in the branch office to secure access to the Internet, and the CertKiller.com security policy states that all requests to the Internet must pass through CERTKILLER-SR01.
What should you do?
A. Firewall chaining should be configured on CERTKILLER-SR02 and configure CERTKILLER-SR02 to forward client requests to CERTKILLER-SR01.
B. A demand-dial VPN connection to the main office should be created and configure CERTKILLER-SR02 to use the VPN connection as a default gateway and configure a firewall chaining user account.
C. On CERTKILLER-SR01 you must configure firewall chaining and configure CERTKILLER-SR01 to get client requests from CERTKILLER-SR02.
D. On CERTKILLER-SR01 you must configure Web chaining and configure CERTKILLER-SR02 as the downstream proxy server.
Answer: A
Explanation:
In the scenario the best configuration choice is to configure firewall chaining, because firewall chaining is used to route requests from client computers in the branch office to the ISA server in the main office.

Incorrect Answers:
B: This should not be configured in the scenario because it will send all requests made to connect to the server or resource in a remote location to the demand-dial VPN connection.
C: This configuration should not be made because CERTKILLER-SR02 should forward the requests to CERTKILLER-SR01 in the scenario.
D: This configuration should not be made in the scenario because this will allow the network clients to route Web requests through a single location.



QUESTION NO: 57
You are the CIO of CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Rory Allen and Clive Wilson work as network administrators at CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com contains a Sales department and a Finance department. CertKiller.com has its headquarters in Chicago and a branch office in Dallas. The Chicago office has a high-speed Internet connection and the Dallas office has a dial-up Internet connection. Rory Allen is responsible for administering the computers in the Chicago office and Clive Wilson is responsible for administering the computers in the Dallas office.
Rory Allen has configured an ISA Server 2004 computer named CERTKILLER-SR30 to provide Internet access to employees in the Chicago office, and has configured access rules and enabled VPN access to CERTKILLER-SR30. The access rules allow only authorized users access to the Internet. Clive Wilson has also configured an ISA Server 2004 computer named CERTKILLER-SR32 in the Dallas office. You then instruct Clive Wilson to configure CERTKILLER-SR32 as follows:
Allow the Dallas employees access to the Internet.
Make sure that the employees in Dallas are restricted by the Chicago office access rules when accessing the Internet.
Make sure that all information sent over the Internet between the two offices is encrypted.
You thus need to give Clive Wilson the proper instructions to configure CERTKILLER-SR32.
What should you do?
A. Instruct Clive Wilson to create a dial-up connection to Chicago and configure the ISA Server to use the dial-up connection as the default gateway. Configure a dial-up user account.
B. Instruct Clive Wilson to create a dial-up connection to an ISP and configure ISA Server to use the dial-up connection as the default gateway. Configure Web Proxy chaining.
C. Instruct Clive Wilson to create a demand-dial VPN connection to Chicago and configure ISA Server to use the VPN connection as the default gateway. Configure firewall chaining and a firewall chaining user account.
D. Instruct Clive Wilson to create a demand-dial VPN connection to an ISP. Configure firewall chaining and a firewall chaining user account.
Answer: C
Explanation:
Web Proxy Chaining is a method you can use to forward Web Proxy connections from one ISA firewall to another ISA firewall. Web Proxy chains consist of upstream and downstream ISA firewalls. The upstream ISA firewalls are those closer to the Internet connection, and the downstream ISA firewalls are those further away from the Internet connection. Downstream ISA firewalls forward Web Proxy requests to upstream ISA firewalls. The first ISA firewall in the Web Proxy chain is the one closest to the Internet and the one responsible for obtaining the Internet content. Web Proxy chaining supports complex protocols that require secondary connections. Microsoft highly recommends that you require authentication on the upstream Web Proxy. When authentication is forced on the upstream Web Proxy, the downstream Web Proxy must be able to send credentials to the upstream to access the Internet. Therefore we must configure a firewall chaining user account. To securely encrypt the traffic we will use a VPN connection.

Part 4: Configure firewall settings (6 Questions)


QUESTION NO: 58
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows 2000 Professional or Windows XP Professional. The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to enhance network security, and all client computers are Firewall clients.
The CertKiller.com network recently expanded and acquired a new branch office whose network computers run Linux and some UNIX variants. You decide to install an additional ISA server named CERTKILLER-SR02 in the branch office to secure access to the Internet, and the CertKiller.com security policy states that all requests for the Internet must pass through CERTKILLER-SR01.
What should you do?
A. Firewall chaining should be configured on CERTKILLER-SR02 and configure CERTKILLER-SR02 to forward client requests to CERTKILLER-SR01.
B. A demand-dial VPN connection to the main office should be created and configure CERTKILLER-SR02 to use the VPN connection as a default gateway and configure a firewall chaining user account.
C. On CERTKILLER-SR01 you must configure firewall chaining and configure CERTKILLER-SR01 to get client requests from CERTKILLER-SR02.
D. On CERTKILLER-SR01 you must configure Web chaining and configure CERTKILLER-SR02 as the downstream proxy server.
Answer: A
Explanation:
In the scenario the best configuration option is to configure firewall chaining, because firewall chaining is used to route requests from client computers in the branch office to the ISA server in the main office.

Incorrect Answers:
B: This should not be configured in the scenario because it will send all requests made to connect to the server or resource in a remote location to the demand-dial VPN connection.
C: This configuration should not be made because CERTKILLER-SR02 should forward the requests to CERTKILLER-SR01 in the scenario.
D: This configuration should not be made in the scenario because this will allow the network clients to route Web requests through a single location.


QUESTION NO: 59
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. A server on the CertKiller.com network runs Windows Server 2003. Half the client computers run Windows 2000 Professional, and the rest run Windows XP Professional.
The Windows Server 2003 computer named CERTKILLER-SR13 has ISA Server 2004 installed and is connected to the Internet. The CertKiller.com network is configured for automatic discovery. The employees in CertKiller.com use an IP-based client/server application on CERTKILLER-SR13 to record company data. The Windows 2000 Professional and Windows XP Professional client computers are configured as SecureNAT clients, and they access the accounting application on CERTKILLER-SR13 with no problems.
To make the network more secure, you distribute the Firewall Client software to all client computers by using Group Policy. Later during the day you receive complaints from the employees that they cannot gain access to the accounting application.
You need to configure the client computers on the network to allow the accounting application to function properly without affecting other applications.
What should you do?
A. You need to configure a Wspcfg.ini file.
B. You need to configure an Application.ini file.
C. You need to configure the Management.ini file.
D. You need to configure the Common.ini file.
Answer: B
Explanation:
For most Winsock applications, the default Firewall Client configuration that is downloaded from the ISA Server computer works with no further modification needed. However, in some cases, you will need to add specific client configuration information. The following files are used to configure the local Firewall Client settings:
Common.ini - Specifies the common configuration for all applications
Management.ini - Specifies Firewall Client Management configuration settings
Application.ini - Specifies application-specific configuration settings


QUESTION NO: 60
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers at CertKiller.com are running Windows XP Professional.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR20 which is connected to the Internet. CERTKILLER-SR20 has VPN access configured on it. The only type of authentication for VPN connections is RADIUS. The remote users of CertKiller.com use a VPN connection to connect to CERTKILLER-SR20 and the internal users are connected to the Internet.
CERTKILLER-SR20 is due for replacement and you replace it with a new ISA Server computer named CERTKILLER-SR21. You then export the network-level node configuration settings on CERTKILLER-SR20 to a file named ISAconfig.xml and import the ISAconfig.xml file on CERTKILLER-SR21. You replace CERTKILLER-SR20 with CERTKILLER-SR21 on the network.
One morning you receive a complaint that the VPN users cannot authenticate to gain access to the network and the Internal network users cannot connect to the Internet. You need to configure CERTKILLER-SR21 to allow incoming and outgoing access for company users.
What should you do?
A. You need to export the system policy configuration settings on CERTKILLER-SR20 to an .xml file and import the .xml file on CERTKILLER-SR21.
B. You need to export the array configuration settings on CERTKILLER-SR20 and include confidential information in the exported configuration file. Import the file on CERTKILLER-SR21.
C. You need to export the array configuration settings on CERTKILLER-SR20 and include user permission settings in the exported configuration file. Import the file on CERTKILLER-SR21.
D. You need to export the VPN Clients configuration on CERTKILLER-SR20 and include confidential information in the exported configuration file. Import the file on CERTKILLER-SR21.
Answer: B
Explanation:
ISA Server 2004 includes export and import features that enable you to save and restore most ISA Server configuration information. The configuration parameters can be exported and stored in an .xml file. When you export an entire configuration, all general configuration information is exported. This includes access rules, publishing rules, rule elements, alert configuration, cache configuration, VPN configuration and ISA Server properties. Confidential information included in the exported file is encrypted. In this case you need to export the entire array configuration. If you exported and imported only the VPN configuration, you would still have a problem with the internal users who cannot connect to the Internet.


QUESTION NO: 61
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Half the client computers run Windows XP Professional, and the rest run Macintosh.
CertKiller.com has its headquarters in London and branch offices in Paris and Milan. The client computers in London run Windows XP Professional, and the Macintosh client computers reside in the Paris and Milan offices. Each branch office in CertKiller.com contains one ISA Server 2004 computer. The London office contains an ISA Server 2004 computer named CERTKILLER-SR20.
CERTKILLER-SR20 has an access rule configured that allows authenticated users to download e-mail by using the POP3 protocol. You install Firewall Client on client computers that are running Windows XP Professional.
One morning you receive complaints from the Paris and Milan offices that the employees cannot download e-mail by using the POP3 protocol. You need to ensure that the employees in Paris and Milan can download e-mail by using the POP3 protocol and to ensure that authentication is required for all outbound traffic from the London office.
What should you do?
A. You need to configure Firewall client settings on the ISA Server computer in the branch offices and allow non-encrypted Firewall clients to connect to the ISA Server computer.
B. You need to configure firewall chaining on the ISA Server computer in the branch offices and configure firewall chaining to use a user account.
C. You need to configure a server publishing rule on CERTKILLER-SR20 and publish the POP3 server the users are attempting to connect to.
D. You need to configure IP preferences on CERTKILLER-SR20 and disable IP routing.
Answer: B
Explanation:
The Macintosh PCs must be configured as SecureNAT or Web Proxy clients, because the Firewall Client can only be installed on Windows operating systems. You cannot use a Web Proxy configuration, because the Web Proxy configuration only supports HTTP, HTTPS and FTP, not POP3. SecureNAT does not support user authentication, so we must configure firewall chaining with user authentication. ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA Server together to provide flexible Web proxy services. These servers can be chained in a hierarchical manner so that one ISA Server computer routes Internet requests to another ISA Server computer, rather than routing the request directly to the Internet. ISA Server 2004 also supports Firewall chaining to allow requests from SecureNAT and Firewall clients to be forwarded to another ISA Server computer. The advantage of the Firewall chaining configuration over the Web Proxy configuration is that Firewall chaining supports all TCP and UDP Winsock protocols, not just Web protocols (HTTP/HTTPS/FTP).


QUESTION NO: 62
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Half the client computers run Windows XP Professional, and the rest run Macintosh.
CertKiller.com has its headquarters in Chicago and branch offices in Dallas and Miami. The client computers in Chicago run Windows XP Professional, and the Macintosh client computers reside in the Dallas and Miami offices. Each branch office in CertKiller.com contains one ISA Server 2004 computer. The Chicago office contains an ISA Server 2004 computer named CERTKILLER-SR12.
CERTKILLER-SR12 has an access rule configured that allows authenticated users to download e-mail by using the POP3 protocol. You install Firewall Client on client computers that are running Windows XP Professional.
One morning you receive complaints from the Dallas and Miami offices that the employees cannot download e-mail by using the POP3 protocol. You need to ensure that the employees in Dallas and Miami can download e-mail by using the POP3 protocol and to ensure that authentication is required for all outbound traffic from the main office.
What should you do?
A. You need to configure Firewall Client Settings on each ISA Server computer in the branch offices and allow non-encrypted Firewall Clients to connect to the ISA Server computers.
B. You need to configure Firewall Client Settings on each ISA Server computer in the branch offices and configure Firewall chaining to use a user account.
C. You need to configure a server publishing rule on CERTKILLER-SR12 and publish the POP3 server the users are attempting to connect to.
D. You need to configure IP preferences on CERTKILLER-SR12 and disable IP routing.
Answer: B
Explanation:
Since there are Macintosh PCs in the branch offices, you must configure them as SecureNAT or Web Proxy clients, because the Firewall Client can only be installed on Windows operating systems. In this case you cannot use a Web Proxy configuration, because the Web Proxy configuration only supports HTTP, HTTPS and FTP, not POP3. You need to configure the Macintosh PCs as SecureNAT clients. ISA Server 2004 Standard Edition supports the chaining of multiple servers running ISA Server together to provide flexible Web proxy services. These servers can be chained in a hierarchical manner so that one ISA Server computer routes Internet requests to another ISA Server computer, rather than routing the request directly to the Internet. ISA Server 2004 also supports Firewall chaining to allow requests from SecureNAT and Firewall clients to be forwarded to another ISA Server computer. The advantage of the Firewall chaining configuration over the Web Proxy configuration is that Firewall chaining supports all TCP and UDP Winsock protocols, not just Web protocols (HTTP/HTTPS/FTP).


QUESTION NO: 63
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR20. The CIO has appointed you to monitor the network of the company. One morning you are busy using the Network Monitor to capture and analyze inbound traffic from the Internet to CERTKILLER-SR20. During the monitoring you notice a high volume of TCP traffic that is sent in quick succession to random TCP ports on CERTKILLER-SR20. The flag settings of the traffic are seen in the following example.
TCP: Flags = 0x00 : ......
TCP: ..0..... = No urgent data
TCP: ...0.... = Acknowledgment field not significant
TCP: ....0... = No Push function
TCP: .....0.. = No Reset
TCP: ......0. = No Synchronize
TCP: .......0 = No Fin

According to the capture, the traffic slows the performance of CERTKILLER-SR20. You need to create a custom alert that is triggered whenever CERTKILLER-SR20 experiences traffic that uses invalid flag settings to discover open ports. You also do not want the alert to be triggered by traffic that uses valid flag settings in an attempt to discover open ports. To this end you select the Enable intrusion detection check box, which makes available a few options that must be selected to create custom alerts. You accomplish this task by selecting only the minimum number of options in the Intrusion Detection dialog box.
What should you do?
A. Select the Windows out of band (Winnuke) option.
B. Select the Land option.
C. Select the Ping of death option.
D. Select the IP half scan option.
E. Select the UDP bomb option.
F. Select the Port scan option.
Answer: D
Explanation:
IP half scan - This alert notifies you that repeated attempts to send TCP packets with invalid flags were made. During an IP half scan attack, the attacking computer does not send the final ACK packet during the TCP three-way handshake. Instead, it sends other types of packets that can elicit useful responses from the target host without causing a connection to be logged. This is also known as a stealth scan, because it does not generate a log entry on the scanned host. If this alert occurs, log the address from which the scan occurs. If appropriate, configure the ISA Server rules to block traffic from the source of the scans.

Incorrect answers:
Windows out-of-band attack - This alert notifies you that there was an out-of-band denial-of-service attack attempted against a computer protected by ISA Server.
Land attack - This alert notifies you that a TCP SYN packet was sent with a spoofed source IP address and port number that match those of the destination IP address and port. If the attack is successfully mounted, it can cause some TCP implementations to go into a loop that causes the computer to fail.
Ping-of-death attack - This alert notifies you that an IP fragment was received with more data than the maximum IP packet size. If the attack is successfully mounted, a kernel buffer overflows, which causes the computer to fail.
Port scan - This alert notifies you that an attempt was made to access more than the preconfigured number of ports. You can specify a threshold, indicating the number of ports that can be accessed.
UDP bomb - This alert notifies you that there is an attempt to send an illegal User Datagram Protocol (UDP) packet. These UDP packets will cause some older operating systems to fail when the packet is received. If the target machine does fail, it is often difficult to determine the cause.
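The distinction the question turns on, "invalid flag settings" versus a valid-flag port sweep, is easy to check mechanically. The following is an added example (not part of the question bank and not ISA Server's own detection code) that decodes a TCP flags byte in the Network Monitor style shown in the capture and raises an "invalid flags" alert only for segments no legitimate connection would carry; the rule set and the sample traffic are constructed assumptions.

```python
"""Detect TCP probes that use invalid flag settings (added example)."""
from collections import defaultdict

# Bit positions of the six classic TCP flags in the flags byte (RFC 793).
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01

# Network Monitor letter summary order (U A P R S F) and bit descriptions.
FLAG_LETTERS = "UAPRSF"
NETMON_NAMES = [  # (mask, text when the bit is clear, text when it is set)
    (URG, "No urgent data", "Urgent pointer field significant"),
    (ACK, "Acknowledgment field not significant", "Acknowledgment field significant"),
    (PSH, "No Push function", "Push function"),
    (RST, "No Reset", "Reset the connection"),
    (SYN, "No Synchronize", "Synchronize sequence numbers"),
    (FIN, "No Fin", "No more data from sender"),
]


def netmon_lines(flags: int) -> list[str]:
    """Render a flags byte as the bit diagram Network Monitor prints."""
    summary = "".join(
        letter if flags & mask else "."
        for letter, (mask, _, _) in zip(FLAG_LETTERS, NETMON_NAMES)
    )
    lines = [f"TCP: Flags = 0x{flags:02X} : {summary}"]
    for pos, (mask, clear, set_) in enumerate(NETMON_NAMES):
        bit = "1" if flags & mask else "0"
        # two leading dots, then the bit at its position, padded to 8 columns
        diagram = "." * (2 + pos) + bit + "." * (5 - pos)
        lines.append(f"TCP: {diagram} = {set_ if flags & mask else clear}")
    return lines


def flags_are_invalid(flags: int) -> bool:
    """True for flag combinations no legitimate TCP segment carries.

    Assumed rule set (not ISA Server's internal definition): a segment must
    carry at least one of SYN/ACK/RST/FIN, and SYN must not be combined with
    FIN or RST. The captured 0x00 "null" packets fail the first test.
    """
    if not flags & (SYN | ACK | RST | FIN):
        return True
    if flags & SYN and flags & (FIN | RST):
        return True
    return False


def classify_probes(packets, port_threshold=10):
    """packets: iterable of (source_ip, dst_port, flags).

    Returns {source_ip: set(alert_name)} where alert_name is
    'invalid flags' (fires on the first offending segment, like the
    IP half scan alert) or 'port scan' (valid flags, but more than
    port_threshold distinct destination ports, like the Port scan alert).
    """
    ports_by_src = defaultdict(set)
    alerts = defaultdict(set)
    for src, dport, flags in packets:
        if flags_are_invalid(flags):
            alerts[src].add("invalid flags")
            continue
        ports_by_src[src].add(dport)
        if len(ports_by_src[src]) > port_threshold:
            alerts[src].add("port scan")
    return dict(alerts)


# Constructed sample traffic: one host sending null (0x00) probes to random
# ports, one host sweeping 12 ports with ordinary SYNs, and a normal client.
SAMPLE_PACKETS = (
    [("203.0.113.7", p, 0x00) for p in (21, 80, 443, 3389)]
    + [("198.51.100.9", p, SYN) for p in range(1000, 1012)]
    + [("192.0.2.5", 80, SYN), ("192.0.2.5", 80, ACK), ("192.0.2.5", 80, ACK | PSH)]
)

if __name__ == "__main__":
    for line in netmon_lines(0x00):
        print(line)
    for src, names in sorted(classify_probes(SAMPLE_PACKETS).items()):
        print(f"{src}: {', '.join(sorted(names))}")
```

Only the null-probe source is reported under "invalid flags"; the SYN sweep trips the separate port-scan threshold, which mirrors why the question wants the IP half scan option alone.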

Part 5: Configure ISA Server 2004 for Network Load Balancing (3 Questions)


QUESTION NO: 64
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows 2000 Professional or Windows XP Professional. The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to enhance network security, and the network contains a DNS server named CERTKILLER-DC01.
The majority of CertKiller.com network employees require persistent connectivity to the Internet. You configure three more ISA servers named CERTKILLER-SR02, CERTKILLER-SR03 and CERTKILLER-SR04 to create an ISA server array whose configuration is shown below:
CERTKILLER-SR01 - internal IP: 192.168.1.1 - external IP: 15.15.1.1
CERTKILLER-SR02 - internal IP: 192.168.1.2 - external IP: 15.15.1.2
CERTKILLER-SR03 - internal IP: 192.168.1.3 - external IP: 15.15.1.3
CERTKILLER-SR04 - internal IP: 192.168.1.4 - external IP: 15.15.1.4
You later decide to configure Network Load Balancing (NLB) and test connectivity. You discover that network clients cannot connect to the Internet.
What should you do?
A. The network to be load balanced should be reconfigured as Internal and specify a virtual IP address as 192.168.1.5.
B. The network must be reconfigured to select both Internal and External.
C. The virtual IP address must be reconfigured to 15.15.1.1.
D. The virtual IP address must be reconfigured to 192.168.1.5.
Answer: A
Explanation:
In the scenario at hand the best configuration option is to reconfigure the network to be load balanced as Internal and specify the virtual IP address 192.168.1.5, because the external IP addresses are already configured on the cluster adapters.

Incorrect Answers:
B: This should not be considered in the scenario as you are only required to provide network load balancing to internal clients.
C: You should not configure this way as the IP address is already in use you would only be causing more network problems with conflicting IP addresses.
D: This option should not be used in the scenario as you will be unable to provide Internet access to most of the users.


QUESTION NO: 65
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Development department. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR20. The CEO has arranged with a partner company to use a very important Secure Shell protocol (SSH)-based application that is hosted on their Web site. The employees in the Development department need to use the application daily.
What should you do to configure ISA Server 2004 to ensure that Internet access is still available if CERTKILLER-SR20 fails?
A. You need to configure Network Load Balancing on the array.
B. You need to configure Cache Array Routing Protocol (CARP) on the array.
C. You need to create a new enterprise policy on the array and apply the policy to the array.
D. You need to create two publishing rules for the partner Web site.
Answer: A
Explanation:
Network Load Balancing (NLB) is a Windows network component that is used to create a cluster of computers that can be addressed by a single cluster IP address. NLB provides load balancing and high availability for IP-based services. ISA Server Enterprise Edition integrates with NLB so that you can configure and manage the NLB functionality using the ISA Server Management tools. One of the NLB features is NLB health monitoring; this feature discontinues NLB on a particular computer if the server is not available or if the Firewall Service on the server has stopped. In this scenario we need to ensure that Internet access is still available if one of the ISA servers does not function. You can achieve this by configuring NLB on the array.


QUESTION NO: 66
You are the CIO of CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Dean Austin works as the network administrator at CertKiller.com. His duties include administering an ISA Server 2004 array that is configured to use Network Load Balancing.
CertKiller.com contains a Research department. The array contains two members and is used to publish internal Web servers. Users access internal Web servers by using the URL http://www.CertKiller.com, which resolves to a single virtual IP address.
Dean Austin also created a new Web site which the employees must access via a third-party RADIUS server. Dean Austin then published the new Web site on the array. You want Dean Austin to ensure that users can access the new Web site by using the third-party RADIUS server and to ensure that requests are load balanced by all array members.
What should you do?
A. Instruct Dean Austin to add a second IP address on each array member and create a new listener that uses the new address. Configure the listener to use RADIUS authentication.
B. Instruct Dean Austin to configure one array member to listen for requests to www.CertKiller.com on one listener and configure the other array member to listen for requests to the new Web site on a new listener. Configure each listener to use the appropriate authentication method.
C. Instruct Dean Austin to use the Network Load Balancing console to configure each array member to use an affinity setting for None. Configure the listener to use RADIUS authentication.
D. Instruct Dean Austin to add a second unique network address to the external interface of each array member and configure www.CertKiller.com to resolve to the new addresses by using DNS round robin. Configure the listener to use RADIUS authentication.
Answer: A

Explanation:
Network Load Balancing (NLB) is a type of clustering designed for stateless applications, such as Web servers, in which each node has a duplicate copy of the server data and incoming client requests are distributed among the cluster nodes. It also provides high availability and scalability of servers using a cluster of two or more host computers working together. Clients access the cluster using either an IP address or a set of addresses. The clients are unable to distinguish the cluster from a single server, and server applications do not detect that they are running in a cluster. However, an NLB cluster differs significantly from a single host running a single server application because it can provide uninterrupted service even if a cluster host fails. The cluster can also respond more quickly to client requests than a single host. Dean Austin can configure NLB on the External network of an ISA Server Enterprise Edition array, so that client requests from the Internet are distributed among the array computers. NLB will be automatically configured in unicast mode and single affinity. Single affinity ensures that all network traffic from a particular client is directed to the same host.

Dean Austin may want to publish the Web sites using Network Load Balancing (NLB) in the ISA Server array. For the most effective use of NLB, the Web listener should listen on the NLB virtual IP address. If Dean Austin configures the Web listener to listen on all of the IP addresses of the network adapters, it will also listen on the virtual IP address, which distributes requests using NLB. Therefore Dean Austin needs to add a second IP address on the external adapter of each array member and configure a listener that uses RADIUS authentication.
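The two explanations above describe NLB health monitoring (a member whose Firewall Service has stopped is dropped from the cluster) and single affinity (all traffic from one client IP goes to the same member). The following model, added here as an illustration and not code from ISA Server or the exam guide, makes both behaviours concrete. The host names, dedicated and virtual IP addresses, and the SHA-256 bucketing that stands in for NLB's real filtering algorithm are all constructed assumptions.

```python
"""Model of how an NLB cluster spreads client traffic across array members.

Added illustration, not ISA Server code: the SHA-256 bucketing below is a
stand-in for NLB's actual filtering algorithm, and every name and address
is constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class NlbHost:
    name: str
    dedicated_ip: str
    firewall_service_running: bool = True


@dataclass
class NlbCluster:
    virtual_ip: str                  # the address a Web listener should bind to
    hosts: list = field(default_factory=list)
    affinity: str = "single"         # "single" (ISA default) or "none"

    def converged_hosts(self):
        """Health monitoring: a member whose Firewall Service has stopped
        is removed from the cluster and receives no further traffic."""
        return [h for h in self.hosts if h.firewall_service_running]

    def select_host(self, client_ip, client_port):
        """Pick the member that handles one client connection to the VIP."""
        live = self.converged_hosts()
        if not live:
            raise RuntimeError("no converged hosts: service unavailable")
        if self.affinity == "single":
            key = client_ip                     # whole client sticks to one host
        elif self.affinity == "none":
            key = f"{client_ip}:{client_port}"  # every connection hashed on its own
        else:
            raise ValueError(f"unknown affinity {self.affinity!r}")
        digest = hashlib.sha256(key.encode()).digest()
        bucket = int.from_bytes(digest[:4], "big")
        return live[bucket % len(live)]


def requests_by_host(cluster, client_ip, ports):
    """Count how many connections from one client land on each member."""
    counts = {}
    for port in ports:
        name = cluster.select_host(client_ip, port).name
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_demo_cluster():
    # Constructed two-member array; addresses are placeholders.
    return NlbCluster(
        virtual_ip="131.107.1.10",
        hosts=[NlbHost("CERTKILLER-SR01", "131.107.1.11"),
               NlbHost("CERTKILLER-SR02", "131.107.1.12")],
    )


if __name__ == "__main__":
    cluster = build_demo_cluster()
    ports = range(1024, 1224)
    print("single affinity:", requests_by_host(cluster, "203.0.113.5", ports))
    cluster.affinity = "none"
    print("no affinity:    ", requests_by_host(cluster, "203.0.113.5", ports))
    cluster.hosts[0].firewall_service_running = False
    print("SR01 down:      ", requests_by_host(cluster, "203.0.113.5", ports))
```

With single affinity every connection from one client address hits the same member, which is why option C in Question 66 (affinity None) would break listeners that rely on per-client state; stopping the Firewall Service on a member redirects all of its traffic to the surviving member without any client change.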
Part 6: Configure ISA Server 2004 to support a network topology (8 Questions)


QUESTION NO: 67
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 or Windows 2000 Server and all client computers run Windows XP Professional. The CertKiller.com network also contains two domain controllers named CERTKILLER-DC01 and CERTKILLER-DC02, both configured as DNS servers.
The CertKiller.com network security policy requires forwarding of DNS requests from clients to external DNS servers. You configure CERTKILLER-DC02 to forward requests to CERTKILLER-DC01. The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to ensure network security and control access to the Internet.
Some of the CertKiller.com network clients are configured as SecureNAT clients and the rest are Web Proxy clients. You configure an access rule for the clients to access the Internet, and the default gateway for the SecureNAT clients is configured as 10.10.10.3, but the SecureNAT clients cannot browse the Internet. You must ensure that they can browse the Internet.
What should you do?
A. The preferred DNS server must be configured for the SecureNAT clients as 10.10.10.2 and a secondary DNS server as 10.10.10.1.
B. A static route should be added between the internal network and the Internet on CERTKILLER-SR01.
C. The default gateway should be configured for the SecureNAT clients as 15.14.21.54.
D. The root zone on CERTKILLER-DC01 should be deleted.
Answer: D
Explanation:
In this scenario the best solution is to delete the root zone on CERTKILLER-DC01. A DNS server that hosts a root zone considers itself authoritative for the root, and its forwarding option is disabled; deleting the root zone enables the option so that the server can act as a forwarder.


Incorrect Answers:
A: This configuration should not be made in the scenario as you are required to forward requests from CERTKILLER-DC02 to CERTKILLER-DC01.
B: The static route should not be added in the scenario because the route is used only when multiple subnets exist and will not help in the scenario.
C: There should be no default gateway changes in the scenario because the question states that it is already configured properly.


QUESTION NO: 68
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows 2000 Professional or Windows XP Professional. The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to enhance network security.
The ISA server CERTKILLER-SR01 contains three network adapters used for the internal network, the perimeter network and the private network. After you configured CERTKILLER-SR01 using the 3-Leg Perimeter network template you decide to create an access rule between the internal network and the Internet and between the internal network and the perimeter network.
The CertKiller.com network additionally has a Web server that needs to be accessed by internal network users and the Internet users. You decide to create an access rule allowing HTTP traffic from the internal network to the Web server in the perimeter network. You make use of the Web Publishing Wizard to allow HTTP traffic from the External network to the Web server in the perimeter network. The users immediately start reporting they are unable to access the Internet or browse the Web server from the internal network.
What should you do?
A. The route relationship between the internal network and Perimeter network must be configured as Route and between the Perimeter network and the Internet as NAT.
B. The route relationship between the Internal and Perimeter network must be configured as Route.
C. The route relationship between Perimeter network and Internet must be configured as NAT.
D. The route relationship between internal network and Internet must be configured as Route.
Answer: A
Explanation:
The correct response to the scenario is to configure the route relationship between the networks as stated in the answer: network rules must be defined to allow communication between network objects.


Incorrect Answers:
B: You should not make these configurations in the scenario because when using a 3-Leg Perimeter network template a default configuration would be applied.
C: You should not make these configurations in the scenario because when using a 3-Leg Perimeter network template a default configuration would be applied.
D: This should not be done in the scenario, as it will not provide users from the Internet with access to the Web server on the Perimeter network.


QUESTION NO: 69
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network recently deployed two ISA Server 2004 computers named CERTKILLER-SR01 and CERTKILLER-SR02 to enhance network security. The CertKiller.com network uses two subnets, 172.10.50.0/24 and 10.120.2.0/24.
A new CertKiller.com network security policy states that all outbound traffic from the internal network and intranet resources be accessible using NAT. You are required to ensure that the ISA Server implementation adheres to the security policy. You must decide which interface or interfaces should be configured as the internal interface.
What should you do? (Choose TWO.)
A. Configure the interface that has an IP address of 10.120.2.104
B. Configure the interface that has an IP address of 172.10.50.1
C. Configure the interface that has an IP address of 192.168.20.54
D. Configure the interface that has an IP address of 192.168.10.53
Answer: A,B
Explanation:
The best choice in the scenario is to use the IP addresses given in the answers, as they are private IP addresses that cannot be routed across the Internet.

Incorrect Answers:
C: The IP address here can be routed across the Internet and should not be considered for use in the scenario, as it fails to meet the scenario objectives.
D: The IP address here can be routed across the Internet and should not be considered for use in the scenario, as it fails to meet the scenario objectives.



QUESTION NO: 70
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network recently deployed two ISA Server 2004 computers named CERTKILLER-SR01 and CERTKILLER-SR02 to enhance network security. The CertKiller.com network uses two subnets, 172.10.50.0/24 and 10.120.2.0/24.
A new CertKiller.com network security policy states that all outbound traffic from the internal network and intranet resources be accessible using NAT. You are required to ensure that the ISA Server implementation adheres to the security policy. You must decide which interface or interfaces should be configured as the internal interface.
What should you do? (Choose TWO.)
A. Configure the interface that has an IP address of 10.120.2.104
B. Configure the interface that has an IP address of 172.10.50.1
C. Configure the interface that has an IP address of 192.168.1.50
D. Configure the interface that has an IP address of 192.168.1.49
Answer: A,B
Explanation:
The best choice in the scenario is to use the IP addresses given in the answers, as they are private IP addresses that cannot be routed across the Internet.

Incorrect Answers:
C: The IP address here can be routed across the Internet and should not be considered for use in the scenario, as it fails to meet the scenario objectives.
D: The IP address here can be routed across the Internet and should not be considered for use in the scenario, as it fails to meet the scenario objectives.


QUESTION NO: 71
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network uses the 192.169.1.0/24 subnet configuration.
The CertKiller.com network contains two routers named TestRouter01 and KingRouter02. TestRouter01 is used to connect various segments together and KingRouter02 is used centrally for Internet access. During the course of the week you decide to replace KingRouter02 with an ISA Server 2004 computer named CERTKILLER-SR01 to enable policy-based security. After you have installed and deployed CERTKILLER-SR01 with the IP address 100.200.20.20, the users of the 192.168.1.0/24 subnet segment report that they are unable to connect to the Internet. You troubleshoot and discover that TestRouter01 is configured with no default gateway.

What should you do?
A. The default gateway of TestRouter01 must be configured with the IP address of the internal network adapter of CERTKILLER-SR01
B. The default gateway of TestRouter01 must be configured with the IP address of 172.124.22.1
C. The default gateway of TestRouter01 must be configured with the IP address of 100.200.20.20
D. The default gateway of TestRouter01 must be configured with the IP address of 192.168.10.1
Answer: D
Explanation:
In the scenario the TestRouter01 router was not configured with a default gateway, and the IP address used in this option fits into the subnet on which the network runs. The default gateway provides the IP address of the next hop to which data should be sent.

Incorrect Answers:
A: The addresses used here should not be used in the scenario because the IP address 100.200.20.20 is the IP address of CERTKILLER-SR01 and the other address does not fit in the network subnet.
B: The addresses used here should not be used in the scenario because the IP address 100.200.20.20 is the IP address of CERTKILLER-SR01 and the other address does not fit in the network subnet.
C: This configuration should not be used in the scenario because the users will still be unable to access the Internet via CERTKILLER-SR01.


QUESTION NO: 72
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows 2000 Professional or Windows XP Professional.
The CertKiller.com network recently deployed two ISA Server 2004 computers named CERTKILLER-SR01 with the IP address 100.200.20.20 on the external interface to enhance network security. The CertKiller.com network also contains a router named KingRouter01 with the IP address 172.20.50.10 on the external interface and 172.60.50.20 on the internal interface.

The CertKiller.com Internal network contains a Web server hosting the CertKiller.com Web site and all clients are configured to use an internal DNS server. You are required to ensure that all client computers are able to access the internal Web server.
What should you do?
A. The default gateway of the client computers must be configured with the IP address of the ISA server's external IP address 100.200.20.20.
B. The default gateway of the client computers must be configured with the IP address of the Kingrouter02 external IP address 172.20.50.10.
C. The default gateway of the client computers must be configured with a blank IP address.
D. The default gateway of the client computers must be configured with the IP address 172.60.50.20.
Answer: D
Explanation:
In the scenario the best option is to configure the client computers with the internal IP address of the KingRouter01 router. Because the Web server is also located on the internal network, this is the logical option.

Incorrect Answers:
A: The external IP address of CERTKILLER-SR01 should not be used in the scenario because the users will then be unable to reach CERTKILLER-SR01 and will not be able to access the Web server either.
B: The external IP address of the router should not be used in the scenario because the users will then be unable to reach CERTKILLER-SR01 and will not be able to access the Web server either.
C: The IP address for the default gateway should not be left blank, as the users will still not be able to access the Web server.


QUESTION NO: 73
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network is configured to use the 192.168.0.0/24 subnet.
The CertKiller.com network recently deployed two ISA Server 2004 computers named CERTKILLER-SR01 to enhance network security and all client computers are configured as Firewall clients. After the deployment has been made users started complaining that they are unable to access the Internet. You later try and connect from the same subnet and are unsuccessful. You are required to ensure that the client computers can access Internet resources.

What should you do?
A. The client computers are to be reconfigured as SecureNAT clients with the default IP address of 172.60.10.2.
B. A static route should be added on CERTKILLER-SR01 which contains the 28.24.32.2 subnet.
C. A persistent static route should be added on CERTKILLER-SR01 for the 172.32.0.0/24 subnet.
D. A persistent static route should be added on CERTKILLER-SR01 for the 192.168.0.0/24 subnet.
Answer: D
Explanation:
In the scenario you should add a persistent static route on CERTKILLER-SR01 for the 192.168.0.0/24 subnet, as this is the subnet stated in the scenario. In addition, the routing table must be configured properly.

Incorrect Answers:
A: This configuration should not be made in the scenario as there is no need to reconfigure the client computers as SecureNAT clients.
B: There is no need for this static route to be added in the scenario because the scenario states that the CertKiller.com network uses the 192.168.0.0/24 subnet.
C: There is no need for this static route to be added in the scenario because the scenario states that the CertKiller.com network uses the 192.168.0.0/24 subnet.


QUESTION NO: 74
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. CertKiller.com is divided into several departments of which the Sales department is one. CertKiller.com also works in joint ventures with other partner companies.
CertKiller.com network contains an internal server named CERTKILLER-SR10 and a Web server named CERTKILLER-SR15. CERTKILLER-SR10 hosts the server components of a new accounting application named Test_Acc1. The partners and the CertKiller.com sales representatives have the client components of Test_Acc1 installed on their systems. They will use it to connect to the CertKiller.com network when they are not on the CertKiller.com premises. CertKiller.com also contains one ISA Server 2004 computer named CERTKILLER-SR11 which needs to be configured to allow inbound VPN access.
The CIO of CertKiller.com wants the VPN connections to comply with the following requirements.
The computers of the sales representatives must be configured as follows: allow access to CERTKILLER-SR10, CERTKILLER-SR15 and the file servers; install the latest software updates and antivirus software before connecting to any internal resources.
The computers of the partners must be configured as follows: allow access to CERTKILLER-SR10; no software other than Test_Acc1 should be installed on their computers.
What should you do to plan the VPN configuration for CertKiller.com?
A. You need to configure CERTKILLER-SR11 to accept incoming VPN connections from the partners and sales representatives and to enable Quarantine Control on CERTKILLER-SR11. Configure Quarantine Control to disconnect users after a short period of time. You also need to use access rules to allow access to only the permitted resources.
B. You need to configure CERTKILLER-SR11 to accept incoming VPN connections from partners and sales representatives and to enable Quarantine Control on CERTKILLER-SR11. Exempt the partners from Quarantine Control. You also need to use access rules to allow access to only the permitted resources.
C. You need to configure CERTKILLER-SR11 to accept incoming VPN connections from the partners and sales representatives and to enable Quarantine Control on CERTKILLER-SR11. Enable RADIUS authentication and user namespace mapping.
D. You need to configure a Windows Server 2003 Routing and Remote Access server as a RADIUS server and create a single remote access policy.
E. You need to add a second ISA Server 2004 computer named CERTKILLER-SR12 and configure CERTKILLER-SR11 to accept VPN connections from employees, but do not enable Quarantine Control for CERTKILLER-SR11. You need to configure CERTKILLER-SR12 to accept VPN connections from partners and enable Quarantine Control on CERTKILLER-SR12. Use access rules on each file server to allow access to only the permitted resources.
Answer: B
Explanation:
VPN quarantine control allows you to screen VPN client machines before allowing them access to the network. If you create a Connection Manager Administration Kit (CMAK) package that includes a VPN client profile and a VPN-quarantine client-side script, it will allow you to enable VPN quarantine. This script runs on the client, checks the security configuration of the remote access client and reports the results to the VPN server. If the client passes the security configuration check, the client is granted access to the organization's network. If you are using ISA Server as the VPN server, and the script reports that the client meets the software requirements for connecting to the network, the VPN client is moved from the VPN Quarantine network to the VPN Clients network. You can set different access policies for hosts on the VPN Quarantine network. That means that you can use network rules and access rules to define the conditions under which network packets will be passed from one network to another.



QUESTION NO: 75
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed two ISA Server 2004 computers named CERTKILLER-SR01 to enhance network security. CertKiller.com users have been hired as editors who write reviews about books before they are released. They collect information for their reviews by visiting various book Web sites, including Web sites with static content and dynamically changing entertainment Web sites.
The CertKiller.com users often view drafts of the books which go through peer reviews and are downloaded again and again by the users. To have the speed optimized you created a caching rule. You select the If any version of the object exists in the cache. If none exist, route the request to the server option in the content retrieval page of the New Cache Rule Wizard. You later also select the Content for Offline Browsing (302, 307 responses) option in the Cache Content page.
You then decrease the Time-To-Live (TTL) for HTTP objects. You validate the configuration by asking an editor for feedback on access times to various entertainment sites, and the editor reports no noticeable difference in access times. You are required to ensure that the content from the various sites is always available to the editors.
What should you do?
A. The Content requiring user authentication for retrieval option should be selected in the Cache Content page.
B. The Also apply these TTL boundaries to sources that specify expiration option should be selected.
C. The Only if a valid version of the object exists in the cache. If none exist, route the request to the server option in the content retrieval page should be selected.
D. The Dynamic Content option should be selected in the Cache Content page.
Answer: D
Explanation:
In this scenario the Dynamic Content option must be selected, because the entertainment sites serve dynamically changing content, which ISA Server 2004 does not store in its cache unless that option is enabled. Caching is used to store Web content in the memory of an ISA Server 2004 computer or on its hard disk.

Incorrect Answers:
A: This option should not be used in the scenario because the option is used to cache information that may require user authentication.

B: This setting should not be considered in the scenario because the option is used to override the expiration data included with the content.
C: This option should not be used in the scenario because you would then retrieve from the cache only information that has not expired.


QUESTION NO: 76
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed one ISA Server 2004 computer named CERTKILLER-SR01 to enhance network security. The CertKiller.com Finance and Sales departments frequently access the Internet to research Finance and Sales related information. The users visit various Web sites and access files that are common between them. You decide to configure caching of Internet objects on CERTKILLER-SR01 to speed up data access for the Finance and Sales users.
You are required to ensure caching is configured for HTTP and FTP objects that contain static and dynamic content whilst ensuring that the object is retrieved from the cache if it has not expired.
What should you do?
A. A caching rule should be created which enables the Only if a valid version of the object exists in the cache. If none exist, route the request to the server option and select Dynamic content and enable HTTP and FTP caching.
B. A caching rule should be created which enables the If any version of the object exists in the cache. If none exist, route the request to the server option and select Content for offline browsing (302, 307 responses) option and on the cache rule decrease the TTL for HTTP objects.
C. A cache rule must be created that enables the Cache objects that have an unspecified last modification time and select Dynamic content.
D. A cache rule must be created that enables the Cache objects that have an unspecified last modification time and select Dynamic content and enable HTTP and FTP caching.
Answer: A
Explanation:
In the scenario you should create a rule that enables the Only if a valid version of the object exists in the cache. If none exist, route the request to the server option, select Dynamic content and enable HTTP and FTP caching. This serves unexpired objects from the cache, and caching also reduces bandwidth usage when a user requests Web content that is already cached.


Incorrect Answers:
B: The configuration options in this answer should not be used in the scenario because the responses indicate that the content has been temporarily relocated or the client has been temporarily redirected.
C: This option should not be used in the scenario because the option will take the cached items and clear them from the cache based upon the parameters defined in the cache rule.
D: This option should not be used in the scenario because the option will take the cached items and clear them from the cache based upon the parameters defined in the cache rule.

Part 2: Optimize performance of the ISA Server 2004 cache (7 Questions)


QUESTION NO: 77
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com network contains three ISA 2004 Servers named CERTKILLER-SR01, CERTKILLER-SR02 and CERTKILLER-SR03 with all client computers configured as Web Proxy clients.
You later decide to configure the client computers to automatically download the configuration script, and you configure an array that contains the three ISA servers. The ISA server array is configured to cache Web requests from clients on the network, and a cache drive is defined on each ISA server to store the cached information. The CertKiller.com ISA servers are also configured to store confidential files. You are required to configure the array so that the cached information is distributed between the three ISA servers whilst ensuring that very few cached objects are stored on CERTKILLER-SR01.
What should you do?
A. On the Internal network array you must enable Cache Array Routing Protocol (CARP) and configure the load factor on CERTKILLER-SR01.
B. A content download job must be configured on the ISA servers and on CERTKILLER-SR01 disable caching dynamic content.
C. On the Internal network array you must configure network load balancing (NLB) and configure the load factor on CERTKILLER-SR01.
D. On CERTKILLER-SR02 and CERTKILLER-SR03 the Cache Array Routing Protocol (CARP) should be enabled and configure the load factor on CERTKILLER-SR01.
Answer: A
Explanation:
The Cache Array Routing Protocol (CARP) should be used in the scenario because it enables the ISA servers in an array to provide a single distributed cache. Web Proxy clients use CARP to determine which array member holds a given object, and the load factor configured on CERTKILLER-SR01 controls how large its share of the cached objects is.

Incorrect Answers:
B: This option should not be used in the scenario because a content download job downloads the content to the ISA server before network clients request that content.
C: This option should not be considered for configuration because distributed caching does not occur with NLB.
D: This option should not be considered in the scenario because CARP is enabled for the array on a network, not for individual array members.


QUESTION NO: 78
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed one ISA Server 2004 computer named CERTKILLER-SR01 to enhance network security. The users of the CertKiller.com Finance department regularly access scientific Web sites to download information, and the Sales department also accesses Web sites frequently to download product manuals. The other network departments recently started reporting slow Internet access when the Finance and Sales users access the Internet.
You decide to investigate and discover that outgoing Web requests by the Sales and Finance users use a lot of bandwidth. You are required to provide faster Internet access to the affected departments by decreasing the use of bandwidth by the Sales and Finance users whilst minimizing the traffic from the internal network to the Internet.
What should you do?
A. A content download job should be configured on CERTKILLER-SR01.
B. The client computers must be enabled to download the automatic configuration script.
C. Active Caching should be enabled.
D. On CERTKILLER-SR01 reverse caching should be enabled.
Answer: A
Explanation:
In the scenario you should schedule a content download job, because a content download job can be used to improve caching performance, which is what is required of you.


Incorrect Answers:
B: The client computers should not be configured this way in the scenario because the automatic configuration script is used to automatically configure Web Proxy clients.
C: This option should not be considered in the scenario because this type of caching pre-empts user requests by automatically downloading content from the Internet into the cache.
D: This type of caching should not be configured in the scenario because reverse caching occurs when Internet users request Web content located on a server on the CertKiller.com network.


QUESTION NO: 79
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Development department. The CertKiller.com network contains two ISA Server 2004 computers named CERTKILLER-SR11 and CERTKILLER-SR12 and a Web server named CERTKILLER-SR13. CERTKILLER-SR11 and CERTKILLER-SR12 are members of a single enterprise array. The two ISA Server computers are configured as follows:
CERTKILLER-SR11 is set up as the Enterprise Configuration Storage server.
CERTKILLER-SR11 and CERTKILLER-SR12 are set up with a RAID-5 volume.
A cache drive is enabled on CERTKILLER-SR11.
Cache Array Routing Protocol (CARP) is enabled on the Internal network of both ISA Server 2004 computers.
CERTKILLER-SR13 is in a network separated from the CertKiller.com primary production network by a firewall, to prevent outside traffic from infiltrating the private network. You then publish an external Web site on CERTKILLER-SR13 and an internal Web site on the array. One morning you have received complaints from the Development department that access to CERTKILLER-SR13 is very slow. During the investigation you find out that the physical disk usage is extremely high on CERTKILLER-SR11 and CERTKILLER-SR13.
You need to configure the ISA Server 2004 to allow faster access to CERTKILLER-SR13.
What should you do?
A. You need to increase the HTTP caching Time to Live (TTL) setting to 50 on CERTKILLER-SR11.
B. You need to increase the size of the cache drive on CERTKILLER-SR11.
C. On CERTKILLER-SR12 you need to enable a content download job for the Web sites on CERTKILLER-SR13.
D. You need to configure a cache drive on CERTKILLER-SR12.
Answer: D
Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP. CARP distributes the cache used by Web proxies across an array of ISA Server computers. Although CARP assigns each ISA Server computer a unique set of cached data (thus you need to configure the cache on each array member), the array of computers functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to increase performance in operations accessing a Web proxy cache that is distributed across multiple ISA Server computers. CARP uses hash-based routing to determine which ISA Server computer will respond to a client request and cache specific Web content.


QUESTION NO: 80
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. CertKiller.com has its headquarters in London and branch offices in Paris and Berlin.
CertKiller.com contains a Development department. The CEO has a business agreement with a partner from which the employees obtain their research. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR15. CERTKILLER-SR15 functions as a firewall for the branch office.
Due to company growth, the number of employees in the branch offices has tripled. Lately you have received complaints from the offices that they receive outdated versions of Web pages when they access Web servers operated by the CertKiller.com business partner.
You need to ensure that users always receive the most up-to-date content for Web pages they access from the Web sites of the business partners and to optimize bandwidth use at Paris and Berlin.
What should you do? (Each correct answer presents part of the solution. Choose TWO.)
A. You need to increase the value for the Maximum size of URL cached in memory (bytes) setting.
B. You need to create cache rules that disable the caching of content from the partner Web sites.
C. You need to increase the percentage free memory used for caching.
D. You need to decrease the percentage free memory used for caching.
Answer: B,C
Explanation:
ISA Server 2004 uses cache rules to allow you to customize what types of content will be stored in the cache and exactly how that content will be handled. You can create rules to control the length of time that a cache object is considered to be valid and you can specify how cached objects are to be handled after they expire. So if we want to ensure that users always receive the most up-to-date content for Web pages they access from the partner Web sites, then you must create a caching rule that disables caching for those partner websites.
Caching also uses system memory. ISA Server 2004 allows you to determine what percentage of random access memory can be used for caching. The ability to control the amount of RAM allocated for caching ensures that caching will not take over all of the ISA Server computer's resources. Keeping with the emphasis on security and firewall functionality, caching is not enabled by default when you install ISA Server 2004. You must enable it before you can use the caching capabilities.
Maximum size of URL cached in memory (bytes) - Configures the maximum size of the objects (Uniform Resource Locators, URLs) that ISA Server will store in memory. When you increase the amount of memory that a single object may occupy, ISA Server will store fewer Web objects in memory. ISA Server will cache objects larger than this limit on disk. So increasing the value will decrease caching performance.


QUESTION NO: 81
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering two ISA Server 2004 computers named CERTKILLER-SR15 and CERTKILLER-SR16. CertKiller.com also contains a Routing and Remote Access server named CERTKILLER-SR20.
CertKiller.com consists of a Research department and a Finance department. CertKiller.com has its headquarters in Chicago and a branch office in Miami. CERTKILLER-SR16 uses a dial-up connection to connect to CERTKILLER-SR20. You also create a Web chaining rule on CERTKILLER-SR16 that redirects requests to CERTKILLER-SR20.
The employees of the Miami branch office access a published Web site named http://research.CertKiller.com which resides on a Web server in a network separated from the CertKiller.com primary production network by a firewall, to prevent outside traffic from infiltrating the private network.
One morning you receive a complaint from the Miami employees that they sometimes cannot connect to http://research.CertKiller.com. You configure and enable a content download job to ensure that Web site content is loaded into the Web cache on CERTKILLER-SR16. You need to ensure that content from http://research.CertKiller.com will always be available to the Miami employees even if the connection is unavailable on CERTKILLER-SR16.
What should you do?
A. You need to create a new Web chaining rule that enables a backup route to CERTKILLER-SR15. Add a URL set for http://research.CertKiller.com to the Web chaining rule. On the default cache rule, increase the Time to Live (TTL) for HTTP objects.
B. You need to create a new Web caching rule that redirects SSL requests as SSL requests. Add a URL set for http://research.CertKiller.com to the Web chaining rule. On the default cache rule, decrease the Time to Live (TTL) for HTTP objects.
C. You need to create a cache rule that decreases the Time to Live (TTL) for HTTP objects. Enable If any version of the object exists in cache. If none exists, route the request. Enable Content for offline browsing.
D. You need to create a cache rule that increases the Time to Live (TTL) for HTTP objects. Enable Only if a valid version of the object exists in cache. If no valid version exists, route the request. Enable Content for offline browsing.
Answer: D
Explanation:
ISA Server 2004 uses cache rules to allow you to customize what types of content will be stored in the cache and exactly how that content will be handled when a request is made for objects stored in cache. You can create rules to control the length of time that a cache object is considered to be valid, and you can specify how cached objects are to be handled after they expire. ISA Server 2004 gives you the flexibility to apply cache rules to all sites or just to specific sites. A rule can further be configured to apply to all types of content or just to specified types. In addition to controlling content type and object size, a cache rule can control how ISA Server will handle the retrieval and service of objects from the cache. This refers to the validity of the object. An object's validity is determined by whether its Time to Live (TTL) has expired. Thus increasing the TTL will increase the object's validity in the cache. Expiration times are determined by the HTTP or FTP caching properties or the object's properties.


QUESTION NO: 82
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com contains two ISA Server 2004 Enterprise Edition computers named CERTKILLER-SR21 and CERTKILLER-SR22. CERTKILLER-SR21 and CERTKILLER-SR22 are configured as members of an ISA Server 2004 array.
You have received instructions to configure the array to cache outgoing Web requests and to configure the array so that the cached Web content is distributed between CERTKILLER-SR21 and CERTKILLER-SR22. After the completion of the instructions you need to minimize the traffic on the intra-array network.
What actions should you take?
A. You need to enable Cache Array Routing Protocol (CARP) on the Local Host network.
B. You need to enable the client computers to download the automatic configuration script.
C. You need to configure a content download job on the array.
D. You need to configure Network Load Balancing on the Internal network.
Answer: B
Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP. CARP distributes the cache used by Web proxies across an array of ISA Server computers. Although CARP assigns each ISA Server computer a unique set of cached data, the array of computers functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to increase performance in operations accessing a Web proxy cache that is distributed across multiple ISA Server computers. CARP uses hash-based routing to determine which ISA Server computer will respond to a client request and cache specific Web content.
CARP provides the following benefits:
CARP eliminates the duplication of cache contents across multiple ISA Server computers. The result is a faster response to queries and a more efficient use of server resources.
Because CARP determines which ISA Server computer will cache any specific content, no traffic is required among ISA Server computers to determine which server is caching the content.
CARP automatically adjusts when array members are added or removed. The hash-based routing means that, when a server is either taken offline or added, only minimal reassignment of URL caches is required.
CARP ensures that the cache objects are either distributed evenly between all servers in the array or by the load factor that is configured for each server.
When client-side CARP is enabled, the Web browser downloads the Array.dll?Get.Routing.Script from an ISA Server computer in the array. When a user types a URL into a Web browser, the URL is handed off to the script, which calculates which ISA Server computer in the array will be used to cache the content. The script always returns the same server list for a given URL, ensuring that each URL is cached on one array server only.


QUESTION NO: 83
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Development department. The CertKiller.com network contains an ISA Server 2004 Enterprise Edition computer named CERTKILLER-SR20. Cache Array Routing Protocol (CARP) is enabled and configured on CERTKILLER-SR20. You then configure a 1-GB cache drive on CERTKILLER-SR20. During routine monitoring of CERTKILLER-SR20 you find that a large number of cached Web requests are coming from the Development department.
You then deploy ISA Server 2004 Enterprise Edition on two other computers named CERTKILLER-SR21 and CERTKILLER-SR22. All of the CertKiller.com server computers are joined to a single array. The array members are configured as seen in the table.
Later you find that most of the Internet Web requests are still being retrieved from the Internet. You thus need to reduce the number of Web requests that are being retrieved from the Internet.
What should you do?
A. You need to change the load factor to 100, on CERTKILLER-SR20.
B. You need to increase the size of the cache drive to 2 GB, on CERTKILLER-SR20.
C. You need to configure a cache drive on CERTKILLER-SR21 and CERTKILLER-SR22.
D. You need to change the load factor to 100 on CERTKILLER-SR21 and CERTKILLER-SR22.
Answer: B
Explanation:
ISA Server Enterprise Edition provides distributed caching through the use of CARP. CARP distributes the cache used by Web proxies across an array of ISA Server computers. Although CARP assigns each ISA Server computer a unique set of cached data, the array of computers functions as a single, logical cache. CARP is used by Web browsers and by ISA Server to increase performance in operations accessing a Web proxy cache that is distributed across multiple ISA Server computers. CARP uses hash-based routing to determine which ISA Server computer will respond to a client request and cache specific Web content.
CARP provides the following benefits:
CARP eliminates the duplication of cache contents across multiple ISA Server computers. The result is a faster response to queries and a more efficient use of server resources.
Because CARP determines which ISA Server computer will cache any specific content, no traffic is required among ISA Server computers to determine which server is caching the content.
CARP automatically adjusts when array members are added or removed. The hash-based routing means that, when a server is either taken offline or added, only minimal reassignment of URL caches is required.
CARP ensures that the cache objects are either distributed evenly between all servers in the array or by the load factor that is configured for each server.

In this case it could be possible that the cache fills up quite quickly. Therefore ISA Server 2004 will purge some objects from the cache to make room for new ones. URLs in the cache are removed according to a built-in logic so that the most recently used objects will be removed last. Therefore the ISA Server will retrieve the requested URL again, because it is not in its cache. To overcome the problem, you can increase the cache drive size.


Part 3: Diagnose and resolve caching issues (10 Questions)


QUESTION NO: 84
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and a branch office in Miami.
The CertKiller.com network main office contains an ISA 2004 Server computer named CERTKILLER-SR01 and the branch office has all the client computers. CERTKILLER-SR01 will be responsible for providing the two offices with Internet access. The CertKiller.com company website www.CertKiller.com is published on an external Web server and the branch users need access to www.CertKiller.com regularly to get updated product information.
You later decide to increase performance and decrease bandwidth usage by installing a new ISA server named CERTKILLER-SR02 in the branch office. You configure the two ISA servers as a single array. You later configure a content download job to get content from www.CertKiller.com and schedule it to run daily after office hours. After the configurations are made, the branch users start reporting that the connection to www.CertKiller.com is very slow. You are required to ensure that the branch users are able to access www.CertKiller.com quickly.
What should you do?
A. Cache Array Routing Protocol (CARP) should be enabled on CERTKILLER-SR02 on the local host network.
B. The array in the network must be disabled and the ISA servers configured as standalone servers.
C. In the array bidirectional affinity should be enabled.
D. The system policy rule that allows content download should be disabled.
Answer: A
Explanation:
CARP should be used in the scenario because it enables the ISA servers in the array to provide a distributed cache, with Web Proxy clients using CARP to determine which array member holds the content.

Incorrect Answers:
B: This is impossible because if the servers are not members of the domain they cannot be part of an array.
C: This should not be configured in the scenario because the configuration ensures that traffic in both directions is handled by the same array server.
D: This configuration should not be made in the scenario because you scheduled a content download job to occur and this disables that action.


QUESTION NO: 85
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed one ISA Server 2004 computer named CERTKILLER-SR01 to the network. The CertKiller.com network additionally includes a perimeter network consisting of an Internet Information Server (IIS) acting as a Web server hosting the Intranet site of the organization as well as other sites, such as library Web sites, which are used by network clients to read and download online books. You decided to create a URL set for the Intranet Web site and enable caching for this URL set using a cache rule on CERTKILLER-SR01.
You create a second cache rule to prevent the Web designers responsible for updating the Intranet site from viewing the cached HTTP and FTP objects. The new cache rule is configured to include the URL for the Intranet site and enable the Never, no content will ever be cached setting. After you apply the rules, the Web designers report lag times in viewing changes made to the Intranet site. You are required to ensure that the Web designers are able to see changes immediately.
What should you do?
A. The more specific cache rule should be reordered for the Web Designers to be processed first
B. The computer set of the Web designers should be added in a cache rule and configure the rule to prevent caching the URL set for the Intranet
C. The first rule should be deleted that enables the caching of the URL set
D. Another rule should be created to disable caching for the All Users group
Answer: A
Explanation:
You should reorder the cache rules because there is more than one rule in the scenario, so the order in which the rules are processed is very important.

Incorrect Answers:
B: This rule should not even be considered in the scenario as you would effectively affect all the network users requesting the Intranet Web site.
C: The first rule should not be deleted in the scenario because this would affect all the users in the network.
D: There is no need to create another rule; instead, the order of the rules should be changed to specify which rule is processed first.


QUESTION NO: 86
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed two ISA Server 2004 computers named CERTKILLER-SR01 and CERTKILLER-SR02 configured as a single array to enhance network security. The CertKiller.com network Web site is published on an internal Web server named CERTKILLER-SR03, and the ISA server array is responsible for providing internal and external clients with access to the company Web site.
The content of the CertKiller.com Web site is updated every night. For optimized bandwidth usage and faster access to the internal Web site, you create a content download job that runs every morning and downloads the updated Web content to the array before it is requested by internal and external clients. The CertKiller.com network clients recently started reporting that access to the internal Web site is very slow. You need to ensure that internal and external clients have quick access to the internal Web site.
What should you do?
A. Distributed caching should be enabled using Cache Array Routing Protocol (CARP)
B. The system Policy rule must be enabled to allow content download
C. Network Load Balancing (NLB) should be enabled
D. The Web site should be published on an external Web server
Answer: A
Explanation:
In the scenario you should consider using the CARP protocol as it enables an ISA server to provide caching by distributing the cache used by Web Proxy clients across the array of ISA servers in the scenario.


Incorrect Answers:
B: This option should not be used in the scenario because a content download job downloads the content to the ISA server before network clients request that content.
C: This option should not be considered for configuration because distributed caching does not occur with NLB.
D: This option should not be considered in the scenario because the option will not help you achieve the scenario objective.


QUESTION NO: 87
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to enhance network security. The CertKiller.com network users frequently access sites from customers and sales related sites which consume a lot of bandwidth. You want to optimize the bandwidth to handle client requests for other network resources. To optimize the bandwidth you create rules for the non-customer related sales Web sites and apply them to the client computers in the sales department. You increase the percent of free memory to be used for caching to speed up retrieval of cached objects.
In order to prevent sales users from getting cached information for customer Web sites you create a URL set for the customer Web sites and configure a cache rule to include the URL set for the customer Web site. The Sales department users started reporting that they are unable to get updated content for customer sites and they receive totally outdated data for the other sales related sites. You are required to ensure that the objects related to the sales sites are cached but not outdated.
What should you do?
A. The value of the TTL for the caching rule must be decreased for the cache rule pointing.
B. The cache rule for the sales site should be deleted and in the cache rule for the customer sites include the URL set for the sales site in the Exceptions section.
C. A cache rule should be created that disables caching of HTTP content on the sales sites.
D. A cache rule should be created that disables caching of FTP content on the sales sites.
Answer: A
Explanation:
In the scenario you should consider decreasing the TTL value as the value will determine when the cached contents are expired and will attempt to download updated information.
Incorrect Answers:
B: In the scenario you should not consider this option because the sites in question are not part of the original set and therefore cannot be accepted.
C: Making these configurations should not be considered in the scenario because you are required to cache objects related to the sales sites and this will not help you achieve the scenario objective.
D: Making these configurations should not be considered in the scenario because you are required to cache objects related to the sales sites and this will not help you achieve the scenario objective.


QUESTION NO: 88
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed four ISA Server 2004 computers configured as an array to enhance network security, and all the client computers are configured as SecureNAT clients and Web Proxy clients. The CertKiller.com network clients require access to the Internet and you enable the Cache Array Routing Protocol (CARP) on the array for the outgoing Web requests from the internal clients. You also create and apply a cache rule to make sure that only updated objects are returned to the client computers.
The CertKiller.com network users recently started reporting that the Internet connection is very slow. You decide to use the Performance Monitor to check caching statistics. You discover the cached content is not returned to the clients. You are required to ensure that client computers in the internal network are able to access the cached content.
What should you do?
A. Caching should be disabled and then enabled to clear the cache.
B. Automatic discovery must be enabled and configure all client computers as Web Proxy clients.
C. The array must be configured to disable CARP.
D. The order of the caching rules should be modified.
Answer: A
Explanation:
This is the best option to use in the scenario because caching can be used to reduce bandwidth usage and in the scenario you should clear the cache.


Incorrect Answers:
B: The order of the caching rules should not be modified in the scenario because cache rules are configured to define what type of content is cached on the ISA server.
C: This option should not be considered as the protocol is used to provide distributed caching.
D: This option should not be considered in the scenario because the option is used to discover the correct location from which to automatically download the configuration.


QUESTION NO: 89
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows 2000 Server and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer to serve as a Web caching server and enhance network security, as all the network clients require Internet access. You later enable and configure caching on the ISA server, but the users report that access to the Internet is very slow. You check the configuration and discover the following event in the event log:
"14193, Cache was initialized with less memory cache than configured."
You are required to provide faster Internet access to the network users whilst ensuring that the event does not occur again.
What should you do?
A. The percentage of free memory to be used for caching setting should be configured.
B. The maximum size of objects in the cache should be decreased.
C. The size of the cache drive should be increased.
D. A cache drive must be configured on the ISA server.
Answer: A
Explanation:
In the scenario this option seems the best choice because the ISA server caused the event to be recorded by not having enough memory allocated for caching.

Incorrect Answers:
B: This option should not be considered in the scenario as you would consume even more memory.
C: There is no need to increase the size of the cache drive because this option only defines the maximum size of the cache drive.
D: There is no need to configure a cache drive in the scenario because the option is used to define the cache drive that stores cached content.


QUESTION NO: 90
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to provide Internet access and enhance network security. The CertKiller.com Finance users recently need to access foreign language programs from an e-learning Web site on the Internet. The modules for the programs are non-streaming audio files of around 1 MB in size, and the Web site also contains some less frequently used video files that are more than 15 MB in size.
In order to provide faster access to the audio files for the Finance team, you create a cache rule on CERTKILLER-SR01 and observe that the larger video files are cached. You are required to prevent the large video files from being cached and ensure that the cache drive is used optimally and caches the smaller files.
What should you do?
A. The cache rule should be modified and specify the size of the objects that can be cached.
B. The memory parameters should be modified and specify the size of objects that can be cached.
C. The Max cache size (MB) option should be configured.
D. The TTL value of the bigger objects should be decreased.
Answer: A
Explanation:
In the scenario your best option is to modify the cache rule in order to prevent the larger video files from being cached.

Incorrect Answers:
B: The memory parameters should not be configured in the scenario because when configuring a cache drive the objects are cached on the hard disk configured as the cache drive.
C: This option should not be configured in the scenario because this option is used to define the size of the cache drive that is used to store the content.
D: This value should not be decreased in the scenario as this will cause the objects to expire quicker and be cached more regularly.


QUESTION NO: 91
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA Server 2004 computer named CERTKILLER-SR01 to enhance network security, and the network also has a perimeter network where an Internet Information Server (IIS) acting as a Web server named CERTKILLER-SR02 resides. CERTKILLER-SR01 hosts the Intranet site of the company and also hosts other sites, such as library Web sites, from which the users can download and read online books.
In order to reduce the load on CERTKILLER-SR01 you create a URL set for all the Web sites hosted on CERTKILLER-SR02 and enable caching for the sites on CERTKILLER-SR01 using a cache rule. You are required to ensure that Web designers responsible for updating the Intranet site can see changes to the Intranet site immediately after updating the site.
What should you do?
A. A domain name set for the Intranet site must be created, and a cache rule created to include the domain name set for the Intranet site and enable the Never, no content will ever be cached option.
B. A computer set for the Intranet site must be created, and a cache rule created to include the computer set for the Intranet site and enable the Never, no content will ever be cached option.
C. A network set for the Intranet site must be created, and a cache rule created to include the network set for the Intranet site and enable the Never, no content will ever be cached option.
D. A URL set for the Intranet site should be created, and a cache rule created to include the URL set for the Intranet site and enable the Never, no content will ever be cached option.
Answer: D
Explanation:
This option should be used in the scenario because caching is used to store Web content in memory of the ISA server or on the server's hard disk. Cache rules can additionally also be used to specify how Web information is stored.

Incorrect Answers:
A: This option should not be considered in the scenario because the option defines one or more domain names as a single set, enabling you to apply access rules to the specified domains.
B: This option should not be used in the scenario because the option defines one or more computers as a single set, enabling you to apply access rules to the specified computers.
C: There is no need to create a network set because the set is used to represent a grouping of one or more networks.


QUESTION NO: 92
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed three ISA Server 2004 computers to enhance network security. The client computers are all configured as Firewall clients and the internal computers are configured as Web Proxy clients. The internal network users recently started reporting that Internet access is very slow. You use Network Monitor and discover that HTTP objects have been duplicated; the same HTTP objects have been cached on all three ISA servers. You are required to ensure that the users have faster Internet access.
What should you do?
A. Automatic discovery should be enabled and configure all client computers as Web Proxy clients.
B. Automatic discovery should be enabled and configure all client computers as Firewall clients.
C. Network Load Balancing (NLB) should be enabled on the ISA server array.
D. On the ISA server array you should enable CARP.
Answer: D

Explanation:
CARP should be used in the scenario because the protocol enables the ISA servers in the array to provide a single distributed cache, and Web Proxy clients use CARP to locate the array member that holds a given object.

Incorrect Answers:
A: This should not be configured in the scenario because the setting only enables the clients to receive their proxy configuration automatically at startup.
B: This should not be configured in the scenario because the setting only enables the clients to receive their proxy configuration automatically at startup.
C: This option should not be considered for configuration because distributed caching does not occur with NLB.


QUESTION NO: 93
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR20.
CertKiller.com consists of a Research department and a Finance department. On CERTKILLER-SR20 a cache drive is enabled, and the server is multi-homed. CertKiller.com also contains a Web server named CERTKILLER-SR33, which resides in a network separated from the CertKiller.com primary production network by a firewall to prevent outside traffic from infiltrating the private network. CERTKILLER-SR33 hosts two Web sites named http://research.CertKiller.com and http://finance.CertKiller.com.

Due to the research that the employees do in their respective departments, frequent changes are made to the http://research.CertKiller.com Web site. However, some of their colleagues complain that they cannot see the changes made by the previous employees when they want to update http://research.CertKiller.com.
You need to configure CERTKILLER-SR20 to allow the Research department employees to immediately view updates to http://research.CertKiller.com.
What should you do?
A. You need to add the CertKiller.com domain name to the list of domains on the Internal network and disable the Bypass proxy for Web servers in this network option.
B. You need to add the client computers used by the employees in the Research department to a computer set and create a cache rule to include the computer set. Enable the Never, no content will ever be cached setting.
C. You need to create a URL set for http://research.CertKiller.com. Create a cache rule to include the URL set. Enable the Never, no content will ever be cached setting.
D. You need to create a new computer set for CERTKILLER-SR33. Create a cache rule to include the computer set and disable HTTP caching on the cache rule.
Answer: C
Explanation:
ISA Server 2004 uses cache rules to allow you to customize what types of content will be stored in the cache and exactly how that content will be handled when a request is made for objects stored in the cache. ISA Server 2004 gives you the flexibility to apply cache rules to all sites or just to specific sites. A rule can further be configured to apply to all types of content or just to specified types. An object's validity is determined by whether its Time to Live (TTL) has expired. Expiration times are determined by the HTTP or FTP caching properties or by the object's own properties. Your options include:
Setting ISA Server 2004 to retrieve only valid objects (those that have not expired) from the cache. If the object has expired, the ISA server sends the request on to the Web server where the object is stored and retrieves it from there.
Setting ISA Server 2004 to retrieve requested objects from the cache even if they are not valid. In other words, if the object exists in the cache, ISA Server retrieves and serves it from there even if it has expired. If there is no version of the object in the cache, ISA Server sends the request to the Web server and retrieves it from there.
Setting ISA Server to never route the request. In this case ISA Server relies only upon the cache to retrieve the object. Objects are returned from the cache whether or not they are valid. If there is no version of the object in the cache, ISA Server returns an error; it does not send the request to the Web server.
Setting ISA Server to never save the object to the cache. If you configure the rule this way, the requested object is never saved to the cache.
In this scenario the content of the research.CertKiller.com Web site is being cached by the ISA server, and it appears that the latest content is not what resides in the cache. Therefore you must create a cache rule that disables caching for research.CertKiller.com.



QUESTION NO: 94
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server configured as an Internet-Edge Firewall that is responsible for controlling Internet access for users on the internal network. You created and applied an access rule to allow unrestricted Internet access for all users. The CertKiller.com Finance department informed you that they need to attend a live Web cast between 1100 hours and 1300 hours and that they require minimal Internet activity from other users during this period.
You later sent e-mail messages to the other departments stating that Internet access will not be available between 1100 hours and 1300 hours. You are required to ensure that Internet access is not available to the other departments between 1100 hours and 1300 hours.
What should you do?
A. Create an access rule named King1 to allow all protocols for the All Users group. Create another access rule named King2 to deny all protocols for the users of the Finance department. Configure the King2 schedule to be enabled between 1100 hours and 1300 hours. Ensure that King2 is placed above King1.
B. Create an access rule named King1 to deny all protocols for the All Users group. Create another access rule named King2 to allow all protocols for the users of the Finance department. Configure the King2 schedule to be enabled between 1100 hours and 1300 hours. Ensure that King2 is placed above King1.
C. Create an access rule named King1 to deny all protocols for the All Users group. Create another access rule named King2 to allow all protocols for the users of the Finance department. Configure both rules' schedules to be enabled between 1100 hours and 1300 hours. Ensure that King2 is placed above King1.
D. Create an access rule named King1 to deny all protocols for the All Users group. Create another access rule named King2 to allow all protocols for the users of the Finance department. Configure the King2 and King1 schedules to be enabled between 1100 hours and 1300 hours. Ensure that King2 is placed above King1.
Answer: D
Explanation:
In the scenario you should use the two rules you created because access rules are used to control traffic passing through the ISA server, including traffic passing between the internal network and the Internet.

Incorrect Answers:
A: This option should not be considered in the scenario because the configuration would allow all protocols between 1100 hours and 1300 hours, enabling the other users to access the Internet.
B: This option should not be considered in the scenario because the configuration used here will disallow Internet access for everyone between 1100 hours and 1300 hours.
C: This option should not be considered in the scenario because the configuration used here will disallow Internet access for everyone between 1100 hours and 1300 hours.


QUESTION NO: 95
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The users of CertKiller.com are located in a newly opened CertKiller.com centre.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 that will be used to provide the network users with Internet access. The CertKiller.com centre is isolated from the network. You perform the following tasks: you install a second ISA Server 2004 computer named CERTKILLER-SR02 at the edge of the CertKiller.com centre, and you configure all client computers in the CertKiller.com centre as Web Proxy clients.
You are required to ensure that the CertKiller.com centre environment remains isolated but that the client computers are able to access the Internet through CERTKILLER-SR01 after authentication.
What should you do?
A. Firewall chaining should be configured on CERTKILLER-SR02 and configured to use a user account.
B. Both CERTKILLER-SR01 and CERTKILLER-SR02 should be configured as a single array with NLB enabled.
C. An automatic dial-up connection must be configured on CERTKILLER-SR02.
D. Web chaining should be configured on CERTKILLER-SR02 and configured to use authentication.
Answer: D
Explanation:
In the scenario Web chaining should be configured because Web chaining allows client computers to route Web requests through a single location and enables you to route requests from client computers located in multiple branch offices.

Incorrect Answers:
A: This configuration should not be made because it will not affect the users: they are Web Proxy clients, and Firewall chaining affects only SecureNAT clients and Firewall clients.
B: This option should not be considered in the scenario because it will not ensure that the CertKiller.com centre is isolated.
C: This should not be configured in the scenario because the client computers would be allowed to automatically dial an Internet connection through CERTKILLER-SR01.


QUESTION NO: 96
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Research department. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR16, which is a member of the domain. You have received instructions from the CEO to configure CERTKILLER-SR16 as a VPN server. You want the VPN clients to connect by using L2TP over IPSec and to use certificate-based authentication. Certificates are obtained from a company named citycentral.com, which has an enterprise certification authority (CA) installed on a Windows Server 2003 computer named CC-SR11.
You then configure a Group Policy object (GPO) so that CERTKILLER-SR16 and the other member computers acquire computer certificates through automatic enrollment. However, CERTKILLER-SR16 does not receive a computer certificate through automatic enrollment. You verify that automatic enrollment of the computer certificate is successful for the other member computers.
On CERTKILLER-SR16, you examine the system log and the application log and find several events related to the failure of the automatic certificate enrollment. The events indicate that CERTKILLER-SR16 is unable to use RPC and Distributed Component Object Model (DCOM) to acquire the certificate through automatic enrollment. You need to install a computer certificate on CERTKILLER-SR16 from the enterprise CA and to ensure that the computer certificate can be used only for client authentication and server authentication.

What should you do?
A. You need to add the Certificates snap-in for the local computer to an MMC console on CERTKILLER-SR16 and use the Certificate Request wizard to manually request a computer certificate that is in the Personal certificate store of the Certificates snap-in.
B. You need to connect to the certificate server Web enrollment pages on CC-SR11 with CERTKILLER-SR16 and use the Advanced Certificate Web enrollment pages to request a certificate based on the Administrator certificate template and to store the certificate in the local computer certificate store.
C. You need to request a Web certificate from CC-SR11 that uses CERTKILLER-SR16.CertKiller.com as the common name and that contains an exportable private key from a Web server on the Internal network and import the certificate to the Personal certificate store for the local computer on CERTKILLER-SR16.
D. On CERTKILLER-SR16, temporarily disable the RPC application filter and create an access rule to allow all protocols from CERTKILLER-SR16 to the Internal network. Temporarily, disable the setting to enforce strict RPC compliance. Manually refresh the GPO.
Answer: D
Explanation:
In the default configuration, a Windows Server 2003 Certificate Authority communicates with its clients via RPC and DCOM. To obtain a certificate on a Web server behind ISA Server from a CA in a different network, modify the settings on the rule (or rules) to allow DCOM traffic between the networks, as follows:
In the Firewall Policy node of ISA Server Management, click the required rule, and on the Tasks tab, click Edit Selected Rule.
On the access rule's Protocols tab, click Filtering, and then click Configure RPC Protocol.
On the Protocol tab, clear the Enforce strict RPC compliance check box.
Then, in the Configuration node of ISA Server Management, click Add-Ins. Right-click RPC Filter in the details pane, and then click Disable.
You will have to repeat this for any other access rules that are configured between the networks.
Part 2: Create policy elements, access rules, and connection limits. Policy elements include schedule, protocols, user groups, and network objects (9 Questions)


QUESTION NO: 97
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall responsible for providing Internet access; all the client computers are either Firewall or Web Proxy clients. CertKiller.com was recently approached by the government to start a project of a sensitive nature that requires special security. You decided to deploy CERTKILLER-SR01 in Demilitarized Zone (DMZ) mode by creating a Perimeter network. The Perimeter network will be configured to use a public IP address range.
All of the file resources and FTP servers related to the project have been placed on the Perimeter network. You also created a new Perimeter network object for the Perimeter network. The internal network users are working on the project and require access to the FTP servers.
What should you do?
A. A NAT relationship should be created between the internal network and the Perimeter network and create an access rule to grant the internal client computers access to the FTP servers in the Perimeter network.
B. A NAT relationship should be created between the internal network and the Perimeter network and create an access rule to allow limited Web access to the internal clients.
C. A NAT relationship should be created between the internal network and the Perimeter network.
D. An access rule should be created that allows the internal clients access to the FTP server in the Perimeter network.
Answer: A
Explanation:
In the scenario a NAT relationship should be created between the two networks because a NAT relationship is used for communication between trusted and untrusted networks; furthermore, a NAT relationship is unidirectional, so an access rule is still required to grant the internal clients access to the FTP servers.

Incorrect Answers:
B: This configuration should not be used in the scenario because it only allows limited Web access, which will not allow the clients to access the FTP servers.
C: This should not be done in the scenario because simply creating the relationship between the networks will not achieve the scenario objective.
D: You should not simply create an access rule in the scenario because the rule on its own cannot be used to achieve the scenario objective.


QUESTION NO: 98
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 to enhance network security, and the client computers are configured as a mix of SecureNAT, Firewall and Web Proxy clients. The CertKiller.com network security policy states that SecureNAT clients should have anonymous access to FTP, and that Web Proxy and Firewall clients should have authenticated access to FTP.
To adhere to this, you create an access rule that allows access to the FTP protocol for the All Users group. You create another rule allowing access to the FTP protocol for only the All Authenticated Users group. After the rules are created you discover that Web Proxy clients and Firewall clients access the FTP site anonymously. You are required to ensure that Web Proxy and Firewall clients are only allowed authenticated access to FTP sites. You have to achieve this using the least amount of administrative effort.
What should you do?
A. The access rules should be reordered to ensure the access rule for the All Authenticated Users group to be processed before the access rule for the All Users group.
B. The access rule that allows access to the All Users group to the FTP protocol should be deleted.
C. All the client computers should be configured as Firewall and Web Proxy clients.
D. An access rule should be created for the SecureNAT clients to enable access to the FTP site.
Answer: A
Explanation:
In the scenario the best option is to reorder the access rules, because SecureNAT clients cannot authenticate and are therefore not members of the All Authenticated Users group, so the first rule will not be applied to them.

Incorrect Answers:
B: You should not create a new access rule because the SecureNAT clients only need the order of the access rules changed.
C: This should not be considered in the scenario because the SecureNAT clients do not support authentication and would not be able to access the FTP site.
D: This configuration should not be considered in the scenario because you are not required to configure all the client computers as Firewall and Web Proxy clients.


QUESTION NO: 99
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows 2000 Professional or Windows XP Professional.

The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 to enhance network security and deployed a domain controller named CERTKILLER-DC01, which is configured as the internal DNS server and forwards DNS requests to the ISP's DNS server. The company Web site http://home.CertKiller.com is hosted at an ISP location, and for security reasons CertKiller.com management decided to host the Web site inside the CertKiller.com network.
You decided to configure a Web server named CERTKILLER-SR02 in the internal network and host the Web site on it. After the configuration, the network users complain that the Web site on CERTKILLER-SR02 is very slow. To diagnose the situation you check the log files and discover that requests for http://home.CertKiller.com are being routed through CERTKILLER-SR01. You are required to ensure that requests for internal servers are not routed through CERTKILLER-SR01.
What should you do? (Choose TWO.)
A. The Allow limited Web access and access to ISP network services policy should be configured.
B. The Block Internet access/allow access to Internet service provider (ISP) network services policy should be configured.
C. The Directly access computers specified in the Domain tab option on CERTKILLER-SR01 should be enabled.
D. CertKiller.com should be added to the list of domain names available on the internal network on CERTKILLER-SR01.
Answer: C,D
Explanation:
The best choice in the scenario is to enable the required options, because these options allow Web Proxy and Firewall clients to bypass the proxy configuration when connecting to hosts in the domain.

Incorrect Answers:
A: This should not be configured in the scenario because this policy does not ensure that requests for internal resources are not routed through CERTKILLER-SR01.
B: This should not be configured in the scenario because this policy does not ensure that requests for internal resources are not routed through CERTKILLER-SR01.


QUESTION NO: 100
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows 2000 Professional or Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 to enhance network security. The CertKiller.com network also contains an FTP server. You are about to enable users to access the FTP server from the Internet by creating an access rule that allows FTP access for all users on the default FTP ports. You will travel frequently. You therefore decide to configure CERTKILLER-SR01 and the FTP server for remote management so that you are able to manage them when outside the office. You are required to remotely manage CERTKILLER-SR01 and the FTP server.

What should you do?
A. One RDP server publishing rule must be configured on CERTKILLER-SR01 to remotely manage CERTKILLER-SR01, and a second RDP server publishing rule must be configured on port 12 to remotely manage the FTP server.
B. One RDP server publishing rule must be configured on CERTKILLER-SR01 to remotely manage the FTP server, and from the FTP server you remotely connect to the ISA server using the MMC.
C. One RDP server publishing rule must be configured on CERTKILLER-SR01 to remotely manage CERTKILLER-SR01, and from CERTKILLER-SR01 you remotely connect to the FTP server using the MMC.
D. Two external IP addresses should be configured on CERTKILLER-SR01 and create two server publishing rules to enable RDP access.
Answer: D
Explanation:
In the scenario the best option is to configure two external IP addresses because when a server publishing rule is created you configure the ISA server to listen for client requests on a particular IP address and port number.
Incorrect Answers:
A: This option should not be considered in the scenario because using the MMC for the connections is not secure, as the communication is not protected.
B: This should not be considered in the scenario because using two rules and two listeners is not entirely secure and should not be used in the scenario.
C: This configuration should not be considered in the scenario; instead, two external IP addresses should be configured.


QUESTION NO: 101
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR10. All the client computers in CertKiller.com are running Windows XP Professional.

CertKiller.com consists of a Sales department which operates between 9AM and 5PM. A new CertKiller.com security policy requires that the employees of the Sales department be allowed access to the Internet only between the hours of 09:00 and 16:00.
You need to configure CERTKILLER-SR10 to allow all Internet traffic between 09:00 and 16:00 and to disallow outbound Internet traffic at all other times.
What should you do?
A. You need to create an access rule to allow all protocols and configure the rule's schedule to be enabled between 09:00 and 16:00.
B. You need to create an access rule to deny all protocols and configure the rule's schedule to be enabled between 09:00 and 16:00.
C. You need to create an access rule to allow all protocols at all times and create another access rule that denies all protocols between 16:00 and 9:00. Ensure that this rule is placed immediately below the allow rule.
D. You need to create an access rule to deny all protocols at all times and create another access rule that allows all protocols between 09:00 and 16:00. Ensure that this rule is placed immediately below the deny rule.
Answer: A
Explanation:
Access Rules always apply to outbound connections. Only protocols with a primary connection in either the outbound or send direction can be used in Access Rules. In contrast, Web Publishing Rules and Server Publishing Rules always use protocols with a primary connection in the inbound or receive direction. Access Rules control access from source to destination using outbound protocols. You can apply a Schedule to an Access Rule to control when the rule should be applied. There are three built-in schedules:
Work Hours: permits access (to this rule) between 09:00 (9:00 A.M.) and 17:00 (5:00 P.M.) on Monday through Friday.
Weekends: permits access (to this rule) at all times on Saturday and Sunday.
Always: permits access (to this rule) at all times.
Note that rules can be allow or deny rules; the Schedules apply to all Access Rules, not just allow rules. Schedules control only new connections that apply to an Access Rule. Connections that are already established are not affected by Schedules. In this case you need to allow all types of traffic only from 09:00 to 16:00, therefore you need to create an access rule to allow all protocols and configure the rule's schedule to be enabled between 09:00 and 16:00.
QUESTION NO: 102
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR20. CERTKILLER-SR20 is configured to allow Internet access for the local network.
CertKiller.com also contains a Web server named CERTKILLER-SR30, which is configured as a SecureNAT client. CERTKILLER-SR30 hosts a Web application that communicates with an external Web site named www.CertKiller.com. CERTKILLER-SR20 is also configured with two access rules named HTTP CK1 and HTTP CK2 for outbound HTTP access. The two access rules are configured as follows: HTTP CK1 is configured to use the All Authenticated Users user set as a condition. HTTP CK2 is configured to use the All Users user set as a condition and restricts outbound HTTP traffic to the IP address of CERTKILLER-SR30.
You verify that the employees can access the external Web site. You also notice that the Web application cannot access www.CertKiller.com. You need to allow the Web application to use anonymous credentials when it communicates with www.CertKiller.com and to require authentication on CERTKILLER-SR20 for all users when they access all external Web sites.
What should you do?
A. You need to configure Web Proxy clients on CERTKILLER-SR30 to bypass the proxy server for the IP address of the server that hosts www.CertKiller.com.
B. You need to add the fully qualified domain name (FQDN) www.CertKiller.com on CERTKILLER-SR20 to the list of domain names available on the Internal network.
C. You need to disable the Web Proxy filter for the HTTP protocol on CERTKILLER-SR20.
D. You need to modify the order of the access rules so that HTTP CK2 is processed before HTTP CK1.
Answer: D

Explanation:
The ordering of Access Rules is important to ensure that your Access Policy works the way you expect it to. The following ordering of Access Rules is recommended:
Put Web Publishing Rules and Server Publishing Rules at the top of the list.
Place anonymous Deny Access Rules under the Web Publishing Rules and Server Publishing Rules. These rules do not require user authentication and do not require the client to be from a specific location (such as part of a Computer Set).
Place anonymous Allow Access Rules under the anonymous Deny Access Rules. These rules likewise do not require user authentication and do not require the client to be from a specific location (such as part of a Computer Set).
Place Deny Access Rules requiring authentication below the anonymous Allow Access Rules.
Place Allow Access Rules requiring authentication below the Deny Access Rules requiring authentication.
It is important that anonymous rules that apply to the same protocol as an authenticated Access Rule be placed first if it is your intent to allow anonymous access for that protocol. If you do not put the anonymous Access Rule before the authenticated Access Rule, the connection request will be denied for the anonymous user (typically a SecureNAT client) for that protocol.



QUESTION NO: 103
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional and are configured as SecureNAT clients.
CertKiller.com contains a Finance department. The client computers in the Finance department are located in an OU named FinanceOU. One of the Windows Server 2003 computers, named CERTKILLER-SR21, has ISA Server 2004 installed. The employees in the Finance department use a finance application named CK_Fin which is located at an external sister company. CK_Fin uses SSL and TCP port 3333.
For the security of the data, you create a security group named CK_Finance and add the Finance employees to that group. You also create an access rule that allows TCP port 3333 for only the users in the Finance department. However, members of the CK_Finance group report that they cannot connect to CK_Fin. You need to ensure that only users in the Finance department can connect to CK_Fin.
What should you do?
A. You need to enable the Firewall Client installation configuration group on CERTKILLER-SR21 and add the Windows XP Professional computers to the list of trusted computers.
B. You need to use Group Policy to assign the MS_FWC.msi file to the client computers in CK_Finance.
C. You need to enable Web Proxy client support on the Local Host network and enable SSL listening on port 8443.
D. You need to configure the Internal network on CERTKILLER-SR21 to require authentication for all users and enable SSL certificate authentication on the Internal network.
Answer: B
Explanation:
The Firewall client software is an optional client piece that can be installed on any supported Windows operating system to provide enhanced security and accessibility. The Firewall client software provides the following enhancements to Windows clients:
- Allows strong user/group-based authentication for all Winsock applications using the TCP and UDP protocols.
- Allows user and application information to be recorded in the ISA 2004 firewall's log files.
- Provides enhanced support for network applications, including complex protocols that require secondary connections.
- Provides 'proxy' DNS support for Firewall client machines.
- Allows you to publish servers requiring complex protocols without the aid of an application filter.
- The network routing infrastructure is transparent to the Firewall client.
- Provides encrypted traffic between the Firewall client and the ISA Server.

You must use the Firewall client to support the custom port 3333 with user-based authentication. The easiest way to deploy the Firewall client is to assign the MS_FWC.msi file to the client computers in the Marketing group via Active Directory Group Policy.


QUESTION NO: 104
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR15.
CERTKILLER-SR15 has three network adapters which are connected as follows:
- To the Internet
- To have HTTP access to the Internet
- To a perimeter network
CertKiller.com also contains a Web server named CERTKILLER-SR20 which is on the perimeter network.
The CertKiller.com CIO wants CERTKILLER-SR20 to be accessible to computers on the Internal network. For this, you create a computer object for CERTKILLER-SR20 and then create an access rule that allows Internal network clients HTTP access to CERTKILLER-SR20. The employees do not need to authenticate with CERTKILLER-SR15 to access CERTKILLER-SR20.
However you have received a few complaints that the employees cannot access information on CERTKILLER-SR20. When trying to access, they received the following error message: "Error Code 10060: Connection timeout. Background: There was a time out before the page could be retrieved. This might indicate that the network is congested or that the website is experiencing technical difficulties." You then confirm that CERTKILLER-SR20 is working.
What should you do to ensure that users on the Internal network can access information on CERTKILLER-SR20?
A. You need to create a network rule that sets a route relationship between the Internal network and the perimeter network.
B. You need to create a server publishing rule that publishes CERTKILLER-SR20 to the Internal network.
C. You need to create a Web publishing rule that publishes CERTKILLER-SR20 to the Internal network.
D. You need to create an access rule that allows CERTKILLER-SR20 access to the Internal network.
Answer: A
Explanation:
You will need to create a new Network whenever a new network is introduced into your environment. All addresses located behind any particular NIC are considered a Network by the ISA firewall, so you need to create a new Network when additional NICs are added to the firewall. You must also create a network rule that defines the relationship between networks. Here you need to create a route relationship between the Internal network and the perimeter network so that CERTKILLER-SR15 routes traffic between the two networks and the access rule can take effect.


QUESTION NO: 105
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional and are configured as SecureNAT clients.
CertKiller.com contains an ISA Server 2004 computer named CERTKILLER-SR31. CERTKILLER-SR31 is configured to allow all instant messaging applications from the Internet. A new CertKiller.com security policy requires that only Web-based traffic will be allowed on the network. You need to configure CERTKILLER-SR31 to block all instant messaging traffic and all other non-Web traffic.
What should you do?
A. You need to delete all current access rules and create a new access rule that has only HTTP and HTTPS as the allowed protocols. Configure HTTP filtering and add signatures for instant messaging applications.
B. You need to create a new access rule that denies all instant messaging protocols and create a new access rule that has only HTTP and HTTPS as the allowed protocols.
C. You need to create a new access rule that has only HTTP and HTTPS as the allowed protocols and configure HTTP filtering and add signatures for instant messaging applications. Unbind the HTTP filter from the HTTP protocol definition.
D. You need to create a computer set definition for instant messaging servers on the Internet and create a new access rule that denies all instant messaging protocols to the computer set you defined. Create a new access rule that has only HTTP and HTTPS as the allowed protocols.
Answer: A
Explanation:
Access rules determine how clients on a source network can access resources on a destination network. To enable access to Internet resources for users on your internal network, you need to configure an access rule that enables this access. Access rules are used to configure all traffic flowing through ISA Server, including all traffic from the internal network to the Internet, and from the Internet to the internal network. One of the most important Web filters included with ISA Server 2004 is the HTTP filter. Many Internet applications now use HTTP to tunnel the application traffic. An HTTP signature can be any string of characters in the HTTP header or body. To block an application based on signatures, you need to identify the specific patterns the application uses in request headers, response headers, and body, and then modify the HTTP policy to block packets based on that string.
Part 3: Create policy rules for Web publishing (9 Questions)


QUESTION NO: 106
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 to enhance network security and control access to the Internet. The CertKiller.com network hosts two Web sites named Finance and Distribution on two Web servers named CERTKILLER-SR02 and CERTKILLER-SR03, both located on the internal network.
You are in the process of publishing the Finance and Distribution Web sites on CERTKILLER-SR01 and need to provide access to both sites. You want to configure anonymous access for the Finance Web site and Basic authentication for the Distribution Web site. You must know how to configure the access for the sites.
What should you do?
A. Create two Web publishing rules, configure each rule to forward to a different Web server, and configure the rules to use different Web listeners.
B. Create two Web publishing rules, configure each rule to forward to a different Web server, and configure the rules to use the same Web listener.
C. Create one Web publishing rule, configure the rule to forward to both Web servers, and configure the rule to use a Web listener.
D. Create one Web publishing rule, configure the rule to forward to two different Web servers, and configure the rule to use the default Web listener.
Answer: A
Explanation:
In the scenario you should remember that a Web listener defines how the ISA server listens for HTTP and SSL requests and defines the network, IP address and port number on which the listener listens for client requests.

Incorrect Answers:
B: This option should not be considered in the scenario because the same Web listener cannot be used for two Web sites that require different authentication methods.
C: This should not be considered in the scenario because it is impossible to publish two Web sites using different authentication methods with one rule.
D: This should not be considered in the scenario because it is impossible to publish two Web sites using different authentication methods with one rule.


QUESTION NO: 107
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 to enhance network security and control Internet access. The network contains an Exchange 2003 server configured as an e-mail server named CERTKILLER-SR02. The CertKiller.com network security policy states that all inbound requests from the Internet are authenticated. The users in the CertKiller.com Finance department travel frequently and require access to their e-mail when out of the office.
To achieve the requirement you create and apply a Web publishing rule on CERTKILLER-SR01 and configure the rule to use a Web listener named CK_Listener, configured to use forms-based authentication, to enable access for Outlook Web Access (OWA). The remote users of the Finance department are able to use OWA to access their e-mail. The CertKiller.com network users recently requested access to their e-mail through wireless mobile clients. You plan to enable access to CERTKILLER-SR02 through Outlook Mobile Access (OMA).
What should you do?
A. Create a Web listener that uses SSL, create another Web publishing rule to publish CERTKILLER-SR02 on CERTKILLER-SR01 for OMA, and configure the rule to use the new Web listener.
B. Create a new Web listener, modify the existing Web publishing rule for OWA so that it also covers OMA, and configure the rule to use the new listener.
C. Create another Web publishing rule to publish CERTKILLER-SR02 on CERTKILLER-SR01 for OMA and configure the rule to use CK_Listener.
D. Modify the existing Web publishing rule for OWA so that it also covers OMA and configure the rule to use CK_Listener.
Answer: A
Explanation:
In the scenario you should remember that you are required to use a different Web listener for OMA: CK_Listener is configured to use forms-based authentication, which OMA does not support.

Incorrect Answers:
B: This option should not be used in the scenario because, in order to publish more than one Web client mail service that requires different authentication methods, you require a separate Web publishing rule.
C: This option should not be used in the scenario because, in order to publish more than one Web client mail service that requires different authentication methods, you require a separate Web publishing rule.
D: This option should not be used in the scenario because, in order to publish more than one Web client mail service that requires different authentication methods, you require a separate Web publishing rule.


QUESTION NO: 108
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR15.
CertKiller.com has a Research department. The Research department researches upgrades to the company's computer software. A new CertKiller.com security policy requires that computer names inside the company must not be published or accessible via the Internet.
You need to publish a new Web site that has many internal computer names within the Web site and still comply with the new security policy.
What should you do?
A. You need to configure an HTTP server publishing rule and configure the rule so that requests sent to the published server forward the URLs so that they appear to come from the original client computer.
B. You need to configure an HTTP server publishing rule and configure the rule so that requests sent to the published server forward the URLs so that they appear to come from CERTKILLER-SR15.
C. You need to create a Web publishing rule and enable and configure HTTP bridging.
D. You need to create a Web publishing rule and enable and configure the link translator.
Answer: D
Explanation:
Link Translation solves a number of issues that may arise for external users connecting through the ISA firewall to an internal Web site. The ISA firewall Link Translator is implemented as an ISA firewall Web filter. Because of the Link Translator's built-in functionality, and because it comes with a built-in default dictionary, you can use it right out of the box to solve many common problems encountered with proxy-based Web publishing scenarios.


QUESTION NO: 109
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR30. You have deployed a new secure Web site that hosts an accounting application named CK_Accounting which requires client certificate authentication. The CEO also wants CK_Accounting to record the client IP source address for every request. You then create an SSL Web publishing rule.
You need to configure CERTKILLER-SR30 to publish the new Web site and to configure the rule to meet the requirements.
What should you do?
A. You need to replace absolute links in all Web pages by configuring the rule's link translation.
B. You need to configure the rule to forward the original host header to the published Web server.
C. You need to configure the rule to forward the requests so that they appear to come from CERTKILLER-SR30.
D. You need to configure the rule to forward the requests so that they appear to come from the original client.
Answer: D
Explanation:
Link Translation solves a number of issues that may arise for external users connecting through the ISA firewall to an internal Web site. The ISA firewall Link Translator is implemented as an ISA firewall Web filter. The default dictionary includes the following entries:
- Any occurrence on the Web site of the computer name specified on the To tab of the Web Publishing Rule Properties is replaced with the Web site name (or IP address). For example, if a rule redirects all requests for http://www.CertKiller.com to an internal computer called CERTKILLER-SR30, all occurrences of http://CERTKILLER-SR30 in the response page returned to the client are replaced with http://www.CertKiller.com, so the internal naming structure is not exposed.
- If a nondefault port is specified on the Web listener, that port is used when replacing links on the response page. If a default port is specified, the port is removed when replacing links on the response page. For example, if the Web listener is listening on TCP port 88, the responses returned to the Web client will include links to TCP port 88.
- If the client specifies HTTPS in the request to the ISA firewall, the firewall will replace all occurrences of HTTP with HTTPS.
The request-forwarding options of the rule behave as follows:
- Forward the original host header instead of the actual one: by default, when ISA Server receives an incoming Web request, it does not pass the host header included in the client request on to the published Web server. This means that all requests that are routed to a particular computer must be routed to the same (default) Web site on the computer. When ISA Server passes host header information, client requests are routed to a particular site on the published computer.
- Requests appear to come from the ISA Server computer: select this option if you want ISA Server to substitute its own IP address for the original source IP address of the packet.
- Requests appear to come from the original client: ISA Server forwards requests with the source IP address of the original requesting client. When you select this option, ISA Server should be configured as the gateway for the published Web server. Alternatively, ISA Server can be configured as the default gateway for the IP address of the requesting client. Otherwise, IP packets returned by the Web server will not reach the ISA Server computer.
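The three default-dictionary rules above (internal name to published name, listener port kept only when non-default, scheme following the client's request) can be shown working on a sample response body. The Python below is an added illustration for this page, not ISA Server's Link Translator; the function names are assumptions for the example, and the sample body is constructed. It reuses the names from the explanation (internal computer CERTKILLER-SR30, published name www.CertKiller.com, a listener on TCP port 88) and also checks the edge case of a longer hostname that merely starts with the internal name, which must not be rewritten.

```python
"""Toy model of the link-translation rules described above.

Written for this page as an illustration; it is not ISA Server's Link
Translator, and the function names are assumptions for the example.
Behaviour modelled: links to the internal computer name are rewritten to the
published name, the listener port is kept only when it is not the default for
the scheme, and the scheme follows the one the client used.
"""
import re

DEFAULT_PORTS = {"http": 80, "https": 443}


def published_prefix(public_name: str, listener_port: int, client_used_https: bool) -> str:
    """Build the scheme://host[:port] prefix that translated links should carry."""
    scheme = "https" if client_used_https else "http"
    port = "" if listener_port == DEFAULT_PORTS[scheme] else f":{listener_port}"
    return f"{scheme}://{public_name}{port}"


def translate_links(body: str, internal_name: str, public_name: str,
                    listener_port: int = 80, client_used_https: bool = False) -> str:
    """Rewrite every http(s)://INTERNAL_NAME[:port] link in body to the published name.

    The negative lookahead stops the match at a host boundary, so a longer
    hostname that merely starts with internal_name is left untouched.
    """
    pattern = re.compile(
        r"https?://" + re.escape(internal_name) + r"(?::\d+)?(?![\w.-])",
        re.IGNORECASE,
    )
    return pattern.sub(published_prefix(public_name, listener_port, client_used_https), body)


# Constructed sample response body, as the internal Web server might return it.
# The third link points at a different (hypothetical) host whose name happens
# to start with the internal name and must survive translation unchanged.
SAMPLE_BODY = (
    '<a href="http://CERTKILLER-SR30/reports">Reports</a> '
    '<img src="http://certkiller-sr30:80/img/logo.gif"> '
    '<a href="http://CERTKILLER-SR300/other">Other server</a>'
)

if __name__ == "__main__":
    print(translate_links(SAMPLE_BODY, "CERTKILLER-SR30", "www.CertKiller.com"))
    print(translate_links(SAMPLE_BODY, "CERTKILLER-SR30", "www.CertKiller.com",
                          listener_port=88))
    print(translate_links(SAMPLE_BODY, "CERTKILLER-SR30", "www.CertKiller.com",
                          listener_port=443, client_used_https=True))
```

With the listener on port 80 the first link becomes http://www.CertKiller.com/reports and the explicit ":80" on the image link is dropped; with the listener on port 88 both links carry ":88"; with an HTTPS request on port 443 they become https://www.CertKiller.com/... with no port. The link to CERTKILLER-SR300 is untouched in all three cases.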


QUESTION NO: 110
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR15. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com has a Sales department. CertKiller.com uses a Microsoft Exchange Server 2003 computer named CERTKILLER-SR17 as its e-mail server. The Sales department has quite a few sales representatives who use their laptops when out of the office. The sales representatives need to access CERTKILLER-SR17 by using either Microsoft Outlook Web Access or Microsoft Outlook 2003. Your goal is to use HTTPS to provide access for both Outlook Web Access and Outlook 2003 and to use forms-based authentication for Outlook Web Access.
CERTKILLER-SR15 is set up with three Web listeners named WebListenA, WebListenB and WebListenC, which are configured as follows:
- WebListenA uses SSL certificate authentication
- WebListenB uses forms-based authentication
- WebListenC uses Windows Integrated authentication
You must ensure that remote users can access CERTKILLER-SR17.
What should you do?
A. You need to create two Web publishing rules for CERTKILLER-SR17 and configure one of the rules to use WebListenA and the other rule to use WebListenC.
B. You need to create one Web publishing rule for CERTKILLER-SR17 and configure the rule to use WebListenB.
C. You need to create two Web publishing rules for CERTKILLER-SR17 and configure one of the rules to use WebListenA and the other rule to use WebListenB.
D. You need to create one Web publishing rule for CERTKILLER-SR17 and configure the rule to use WebListenA.
Answer: C
Explanation:
One of the most popular ways to provide access to e-mail for users outside the internal network is to deploy an Outlook Web Access (OWA) server so that users can access their mailboxes from any computer with an Internet connection and a Web browser. When you publish Outlook Web Access servers through computers running ISA Server, you are protecting the Outlook Web Access server from direct external access because the name and IP address of the Outlook Web Access server are not accessible to the user. The user accesses the computer running ISA Server, which then forwards the request to the Outlook Web Access server according to the conditions of your mail server publishing rule. You must configure a Web listener for Outlook Web Access publishing. The Web listener for Outlook Web Access publishing should be configured to use forms-based authentication. If you have configured secure connections to the clients, be sure that the listener listens for requests on an HTTPS port. Therefore you need to create two publishing rules for the Exchange server. Configure one of the rules to use WebListenA and configure the other rule to use WebListenB. The same rules serve the Outlook 2003 clients.


QUESTION NO: 111
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Sales department. The CertKiller.com network contains a Microsoft Exchange Server 2003 computer named CERTKILLER-SR11. ISA Server 2004 is installed as the CertKiller.com firewall. The Sales representatives in CertKiller.com use Microsoft Outlook 2003 to connect to CERTKILLER-SR11 from their laptops.
A new CertKiller.com security policy requires that all e-mail communications to CERTKILLER-SR11 over the Internet must be encrypted. You need to ensure that all employees use Outlook 2003, whether they use e-mail in the office or use e-mail remotely over the Internet.
What should you do?
A. You need to configure Microsoft Outlook Web Access on an internal server and configure an HTTP Web publishing rule to direct traffic to CERTKILLER-SR11.
B. You need to configure Microsoft Outlook Web Access on an internal server and configure an HTTP Web publishing rule to direct traffic to CERTKILLER-SR11.
C. You need to configure an RPC Proxy server and create a server publishing rule to direct all Exchange RPC traffic to the RPC Proxy server.
D. You need to configure an RPC Proxy server and create an HTTPS Web publishing rule to direct traffic to the RPC Proxy server.
Answer: D
Explanation:
Outlook 2003 with Exchange 2003 running on Microsoft Windows Server 2003 supports RPC over HTTP, which simplifies the network and firewall configuration needed to support a MAPI client. Using RPC over HTTP provides all the benefits of using an Outlook client without needing multiple ports open on the firewall. Users running Outlook 2003 can connect directly to a computer running Exchange Server 2003 over the Internet by using HTTP or HTTPS-even if both the computer running Exchange Server and Outlook are behind firewalls and located on different networks. Only the HTTP and HTTPS ports need to be opened on the firewall.


QUESTION NO: 112
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com has a Sales department. CertKiller.com contains an ISA Server 2004 computer named CERTKILLER-SR14 and an internal Web server named CERTKILLER-SR16. To promote sales, you have created a Web site for a business partner of CertKiller.com, and the partner's customers want to access the Web site.
The CEO wants the client computers to first be authenticated by using SSL authentication. If the authentication fails, the customers should still be prompted to log in by using a user name and password. You need to configure a publishing rule to allow access to the new Web site and to fulfill the authentication requirements.
What should you do?
A. You need to create an HTTP server publishing rule and configure the rule to accept connections from client computers at the partner location.
B. You need to create an HTTPS server publishing rule and configure the rule to accept connections from client computers at the partner location.
C. You need to create a Web publishing rule and configure a new Web listener for the HTTP protocol. Configure the Web listener to allow both Integrated Windows authentication and Digest authentication.
D. You need to create a Web publishing rule and configure a new Web listener for the HTTPS protocol. Configure the Web listener to allow both SSL certificate authentication and Basic authentication.
Answer: D
Explanation:
ISA Server uses server publishing rules to make servers on protected networks available to users on the Internet. Server publishing rules are firewall rules that specify how ISA Server will route incoming requests to internal servers. Secure Web publishing provides an additional layer of security when publishing an internal Web site by enabling the option to use Secure Sockets Layer (SSL) to encrypt all network traffic to and from the Web site.
For Web publishing and secure Web publishing rules, you must configure a Web listener as part of the rule definition. The Web listener defines which authentication methods are enabled. You can configure a Web listener to use more than one authentication mechanism. These authentication mechanisms can be used simultaneously on a Web listener: Basic, Digest, Integrated, and Client Certificate Authentication. When selected, RADIUS, SecurID, or forms-based authentication must be the only authentication mechanism configured.
The authentication option you select applies only if you limit access to the Web Publishing Rule to a user or group. If you allow All Users access to the Web Publishing Rule, the authentication option is ignored. These authentication options apply only to authentication performed by the ISA firewall itself, not to authentication that may be required by the published Web site.
When you enable Basic authentication delegation, ISA Server authenticates the users and then forwards the user credentials to the Web server, allowing the Web server to authenticate users without requesting credentials a second time. To enable Basic authentication delegation, select the check box for Forward Basic authentication credentials (Basic delegation) on the Users tab of the Web publishing or secure Web publishing rule.


QUESTION NO: 113
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers in CertKiller.com are running Windows XP Professional. CertKiller.com is divided into several departments.
CertKiller.com contains an ISA Server 2004 computer named CERTKILLER-SR14 and a Web server named CERTKILLER-SR10. The Finance department has a Web site named http://finance.CertKiller.com and the Marketing department has a Web site named http://marketing.CertKiller.com.
http://finance.CertKiller.com and http://marketing.CertKiller.com are hosted on CERTKILLER-SR10. The CEO wants http://finance.CertKiller.com to request authentication from the employees and http://marketing.CertKiller.com needs to have only anonymous access configured.
What should you do to configure CERTKILLER-SR14 to publish http://finance.CertKiller.com and http://marketing.CertKiller.com to meet the security requirements of each Web site?
A. You need to configure a Web publishing rule for each Web site on CERTKILLER-SR14 and configure the rule for http://finance.CertKiller.com to allow anonymous connections.
B. You need to configure a Web publishing rule for http://finance.CertKiller.com and http://marketing.CertKiller.com on CERTKILLER-SR14. Configure the rule for http://finance.CertKiller.com to use Basic authentication.
C. You need to configure one Web publishing rule for http://finance.CertKiller.com and http://marketing.CertKiller.com and configure the rule to use EAP authentication.
D. You need to configure one Web publishing rule for http://finance.CertKiller.com and http://marketing.CertKiller.com and configure the rule to use forms-based authentication.
Answer: B
Explanation:
ISA Server uses Web publishing rules to make Web sites available to users on the Internet. A Web publishing rule is a firewall rule that specifies how ISA Server will route incoming requests to internal Web servers. Use Web publishing rules to provide:
- Access to Web servers running the HTTP protocol. When you configure a Web publishing rule, you configure ISA Server to listen for HTTP requests from the Internet and to forward those requests to a Web server on a protected network. To publish servers using any other protocols, you need to use a server publishing rule.
- Application-layer filtering. Application-layer filtering enables ISA Server to inspect the application data in each packet passing through ISA Server. This includes filtering of Secure Sockets Layer (SSL) packets if you enable SSL bridging. This provides an additional layer of security not provided by server publishing rules.
- Path mapping. Path mapping enables you to hide the details of your internal Web site configuration by redirecting external requests for parts of the Web site to alternate locations within the internal Web site. This means that you can limit access to only specific areas within a Web site.
- User authentication. You can configure ISA Server to require that all external users authenticate before their requests are forwarded to the Web server hosting the published content. This protects the internal Web server from authentication attacks. Web publishing rules support several methods of authentication, including Remote Authentication Dial-In User Service (RADIUS), integrated, basic, digest, digital certificates, and RSA SecurID.
- Content caching. The content from the internal Web server can be cached on ISA Server, which improves the response time to the Internet client while decreasing the load on the internal Web server.
- Support for publishing multiple Web sites using a single Internet Protocol (IP) address. You can configure multiple Web publishing rules that make multiple internal Web sites available to Internet clients.
- Link translation. With link translation, you can provide access to complex Web pages that include references to other internal Web servers that are not directly accessible from the Internet. Without link translation, any link to a server that is not accessible from the Internet would appear as a broken link. Link translation can be used to publish complex Web sites providing content from many servers while hiding the complexity from the Internet users.
- Support for logging of the Internet client's IP address. By default, when you publish a server using Web publishing, the source IP address that is received by the internal Web server is the IP address of the ISA Server internal interface. If you need to be able to log access to the Web server based on the IP address of the client computer on the Internet, you can modify the default setting.
In this case you have one Web server hosting two Web sites, so you need to configure two different publishing rules. http://finance.CertKiller.com needs to be configured with authentication, so we apply Basic authentication to its publishing rule.


QUESTION NO: 114
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com contains an ISA Server 2004 computer named CERTKILLER-SR31. A CertKiller.com security policy states that CERTKILLER-SR31 must authenticate users before users on the Internet are allowed to access corporate Web servers. To this end you installed a Web server named CERTKILLER-SR32 on the CertKiller.com network. The CEO wants customers to access the Web pages on CERTKILLER-SR32 only from the Internet. You thus need to configure CERTKILLER-SR31 to publish the Web site hosted by CERTKILLER-SR32 and to comply with the security policy.
What should you do?
A. You need to create a Web publishing rule and configure the rule to require user authentication.
B. You need to create a Web publishing rule and configure the rule to perform link translation.
C. You need to create an HTTP server publishing rule and configure the rule to specify that requests appear to come from CERTKILLER-SR31.
D. You need to create an HTTP access rule and configure the rule to allow connections from the External network to the Internal network
Answer: A
Explanation:
ISA Server uses Web publishing rules to make Web sites on protected networks available to users on other networks, such as the Internet. A Web publishing rule is a firewall rule that specifies how ISA Server will route incoming requests to internal Web servers.
- User authentication: you can configure ISA Server to require that all external users authenticate before their requests are forwarded to the Web server hosting the published content. This protects the internal Web server from authentication attacks. Web publishing rules support several methods of authentication, including Remote Authentication Dial-In User Service (RADIUS), integrated, basic, digest, digital certificates, and RSA SecurID.
- Link translation: with link translation, you can provide access to complex Web pages that include references to other internal Web servers that are not directly accessible from the Internet. Without link translation, any link to a server that is not accessible from the Internet would appear as a broken link. Link translation can be used to publish complex Web sites providing content from many servers while hiding the complexity from the Internet users.
Part 4: Create policy rules for mail server publishing (3 Questions)


QUESTION NO: 115
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 to enhance network security. A domain controller named CERTKILLER-DC01 hosts the DNS server, and the network has an Exchange 2003 server named CERTKILLER-SR02. The CertKiller.com senior managers have requested permission to use their Personal Digital Assistants (PDAs) and mobile phones to access their company e-mails. You want to allow the Senior Managers group access to the company e-mails using PDAs. You are required to ensure that the Senior Managers group can access their e-mails using their PDAs through ActiveSync even when outside the office.
What should you do?
A. An IMAP server publishing rule should be created and configured to point to the Exchange 2003 server.
B. A POP3 server publishing rule should be created and the Exchange ActiveSync option selected on the Select Services page.
C. An HTTP server publishing rule should be created and configured to point to the Exchange 2003 server.
D. A mail server publishing rule should be created and the Exchange ActiveSync option selected on the Select Services page.
Answer: D
Explanation:
In the scenario you should remember that the Exchange ActiveSync service allows users to synchronize their Exchange information with their ActiveSync enabled mobile devices.

Incorrect Answers:
A: This rule should not be configured in the scenario because the rule cannot be used to configure users to access their e-mails using PDAs through ActiveSync.
B: This rule should not be configured in the scenario because the rule cannot be used to configure users to access their e-mails using PDAs through ActiveSync.
C: This configuration should not be used in the scenario because the ISA server must be enabled to allow the users access to company e-mails using their PDAs.


QUESTION NO: 116
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall to enhance network security and control access to the Internet. The network also contains an Exchange 2003 server named CERTKILLER-SR02. You recently decided to enable secure and encrypted access to the Exchange server for Microsoft Outlook 2003 clients using the following steps:
You configure an RPC Proxy server.
You create a Web listener configured for SSL.
You create an HTTPS Web publishing rule on CERTKILLER-SR01 to direct traffic to the RPC Proxy server.
The CertKiller.com network internal and remote employees use Outlook 2003 to access company e-mails. The network also contains contractors who access their mailboxes using Outlook Express. You want to enable secure and encrypted access for the contractors.
What should you do?
A. A new server publishing rule should be created and the POP3, IMAP4, and SMTP protocols enabled.
B. You should upgrade to Outlook 2003 and create a new server publishing rule to enable the POP3, SMTP and IMAP4 protocols.
C. The clients should be upgraded to Outlook 2003 and make use of the existing publishing rule.
D. A new server publishing rule should be created and the POP3, IMAP4, and SMTP protocols enabled.
Answer: A
Explanation:
In the scenario you should try and remember that the RPC over HTTP feature can be enabled by configuring an RPC Proxy server and a secure Web publishing rule to publish the server to secure RPC traffic.

Incorrect Answers:
B: The new rule should not be created to enable POP3, IMAP4 and SMTP as the Outlook Express clients use only POP3 or IMAP4 to read messages.
C: This configuration should not be made in the scenario even though it may involve less administration effort.
D: The new rule should not be created to enable POP3, IMAP4 and SMTP as the Outlook Express clients use only POP3 or IMAP4 to read messages.


QUESTION NO: 117
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR10.
CERTKILLER-SR10 has three network adapters which are connected as follows:
To the Internet
To the Internal network
To a perimeter network
The perimeter network adapter and the internal network adapter are connected to private address networks.
You were given instructions to configure CERTKILLER-SR10 by applying the 3-Leg Perimeter network template. You then run the 3-Leg Perimeter Network Template wizard and make the following changes to the firewall policy:
You create an access rule to allow all traffic between the Internal network and the Internet, and between the Internal network and the perimeter network.
You also create an access rule to allow SMTP traffic from an SMTP server on the perimeter network to a Microsoft Exchange Server computer on the Internal network.
You create a server publishing rule to allow SMTP traffic from the External network to the SMTP server on the perimeter network.
After the changes the employees of CertKiller.com complain that they cannot receive e-mail messages from users outside of the Internal network.
You need to allow the employees to receive e-mail messages from other users on the Internet without creating a server publishing rule.
What should you do?
A. You need to change the network rule that controls the route relationship between the perimeter network and the Internal network to Route.
B. You need to change all network rules that control the route relationship between the Internal network, perimeter network, and External network to Route.
C. You need to change the network rule that controls the route relationship between the perimeter network and the External network to Nat.
D. You need to change all network rules that control the route relationship between the Internal network, perimeter network, and External network to Nat.
Answer: A
Explanation:
The trihomed DMZ Template allows you to configure an ISA firewall with three or more network adapters so that the additional network adapters are used as Perimeter network or DMZ segments. The trihomed DMZ Network Template sets some interesting Network Rules, which might be counterintuitive to the majority of ISA firewall administrators. After running the trihomed DMZ Network Template, you'll find that:
A new Network Object, the Perimeter Network Object, is created.
A Network Rule named Perimeter Access sets a Route relationship from the Perimeter Network to the Internet.
A Network Rule named Perimeter Configuration sets a NAT relationship between the Internal and VPN Clients Networks and the Perimeter Network.
The Network Rules are a bit problematic. The Perimeter Access Network Rule sets a route relationship between the Perimeter Network and the Internet. This means that you'll need to use public addresses in the DMZ segment. You're going to find that things don't work the way you planned if you use private addresses in the DMZ segment. If you use this trihomed DMZ Network Template you'll need to change the Perimeter Access Network Rule to NAT if you use private addresses in the DMZ segment. Even more problematic is that the Template sets the route relationship between the DMZ segment and the Internal network to NAT. While this is a reasonable configuration if you use public addresses on the DMZ segment, it isn't our preferred configuration when private addresses are used on the DMZ segment. The Perimeter Configuration Network Rule sets the route relationship between the Internal and VPN clients Networks to NAT. While NAT will work, it doesn't work with all protocols, and you can run into issues that you wouldn't have problems with if you chose a Route relationship between the Internal and VPN Clients Networks and the DMZ segment. If you use public addresses on the DMZ segment, then you need to leave the route relationship as NAT. But if you are using private addresses on the trihomed DMZ segment, then change the route relationship to Route.

Part 5: Create policy rules for server publishing (8 Questions)


QUESTION NO: 118
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall with two IP addresses, one for the internal and one for the external network adapter. You want to publish two FTP servers named CERTKILLER-SR02 and CERTKILLER-SR03 located on the internal network. CERTKILLER-SR02 will be accessed by the internal users and CERTKILLER-SR03 will be accessed by the users of the Finance department to share the latest product versions with a few customers.
You are required to ensure that users on the Internet are able to access and download information from CERTKILLER-SR02 and that the Finance department accesses a nonstandard port on CERTKILLER-SR03.
What should you do?
A. A server publishing rule should be created for the RDP protocol on port 21 and configured to enable the port override option.
B. Two server publishing rules should be created: configure the rule for CERTKILLER-SR01 to allow anonymous access using the default FTP port and configure a new outbound protocol definition named FTPKing for the non-standard TCP port. The rule for CERTKILLER-SR03 must be configured to use FTPKing.
C. A server publishing rule should be created and configured to allow access to two different ports.
D. Two server publishing rules should be created: configure the rule for CERTKILLER-SR01 to allow anonymous access using the default FTP port and configure a new inbound protocol definition named FTPKing for the non-standard TCP port. The rule for CERTKILLER-SR03 must be configured to use FTPKing.
Answer: D
Explanation:
In the scenario you should create two server publishing rules, because server publishing rules are configured to grant access to internal resources using protocols other than HTTP and HTTPS.

Incorrect Answers:
A: This configuration should not be considered for use in the scenario because Terminal Services uses port 3389 to communicate between the client and the server.
B: This configuration should not be made as it is impossible to configure two ports for use with a single server publishing rule.
C: In the scenario you are not required to configure any outbound settings, as this option will not help you achieve the scenario objective.


QUESTION NO: 119
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 used to control Internet access, with all the users configured as Firewall and Web Proxy clients. The CertKiller.com network security policy requires that the IP addresses of remote clients be visible to the published servers on the internal network, which contains an application server named CERTKILLER-SR02. A user from a partner company named Rory Allen requires access to CERTKILLER-SR02 for remote administration. You want to allow a Remote Desktop Connection to CERTKILLER-SR02 using a nonstandard TCP port. You make the following configurations:
Create a new protocol definition for the nonstandard TCP port.
Create a server publishing rule that uses the new protocol definition.
Rory Allen recently reported he is unable to access CERTKILLER-SR02 using a Remote Desktop connection.
What should you do?
A. The server publishing rule should be modified to use the default TCP port for connection.
B. The server publishing rule should be modified to allow authentication on the ISA server.
C. The server publishing rule should be modified to use the default TCP port for connection and configure it to redirect the requests on the default port to the nonstandard TCP port.
D. CERTKILLER-SR02 should be configured as a SecureNAT client.
Answer: D
Explanation:
Remember in the scenario that server publishing rules do not provide the option of authentication, as they are implemented using Network Address Translation (NAT), and the internal servers must be configured as SecureNAT clients.

Incorrect Answers:
A: This configuration should not be made in this scenario because RDP uses port 3389 to communicate between the clients and the server.
B: This option should not be considered for use in the scenario because server publishing rules do not support authentication of users.
C: This configuration should not be made in this scenario because RDP uses port 3389 to communicate between the clients and the server.


QUESTION NO: 120
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Sales department. The CertKiller.com network contains an ISA Server 2004 named CERTKILLER-SR10. CertKiller.com also contains two servers named CERTKILLER-SR11 and CERTKILLER-SR12. CERTKILLER-SR11 has Terminal Services installed and hosts a critical accounting application named CK_Account. The server, CERTKILLER-SR12, runs Windows Server 2003 and Remote Desktop connections are enabled. You also create a Web publishing rule to publish the Remote Desktop connections virtual directory.
One morning you received complaints that the users in the Sales department cannot establish a Terminal Services connection, but they can connect to the Remote Desktop Web Connection site by using Internet Explorer.
You need to ensure that Sales department users can access CK_Account.
What should you do?
A. You need to configure an RDP server publishing rule.
B. You need to configure an RPC Services server publishing rule.
C. You need to configure a new RDP protocol definition.
D. You need to configure a new RPC protocol definition.
Answer: A
Explanation:
The Windows XP and Windows Server 2003 Remote Desktop Web Connection feature allows you to connect to RDP servers through an easy to use Web browser interface. The remote desktop Web connection client on the Internet establishes an HTTP connection (which can be secured with SSL) to the Web listener on the external interface of the ISA firewall. The ISA firewall then performs stateful application layer inspection on the connection, and then reverse proxies the connection to the Remote Desktop Web Services Server on the corporate network. At this point, the Web server returns to the remote client the option to install the RDP ActiveX control. After the ActiveX control is installed, the user can then enter the RDP server name and domain. He can optionally enter a user name and domain name that will be forwarded to the RDP server's logon page. After the user enters this information, a second connection is established from the remote desktop Web client to the ISA firewall. This is not an HTTP connection - it is an RDP connection. Unlike the first connection that was made to the Remote Desktop Web Service Server on TCP port 80 (or TCP 443 if SSL encryption is used for the HTTP connection), the second connection is made to the default RDP protocol port, which is TCP port 3389. The ISA firewall's RDP Server Publishing Rule listener intercepts the second connection and the connection attempt is forwarded to the RDP server the user wants to connect to.



QUESTION NO: 121
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
CertKiller.com contains an ISA Server 2000 computer named CERTKILLER-SR13. Microsoft Exchange Server 2003 is used as the CertKiller.com e-mail server. CertKiller.com has acquired Web-enabled cellular phones for the users to access their e-mail over the Internet. The Web-enabled cellular phones have a Wireless Access Protocol (WAP) browser and an e-mail client that is capable of only POP3 and IMAP4.
A new CertKiller.com security policy requires that all user names and passwords must be encrypted when they are sent over the Internet. You need to configure CERTKILLER-SR13 to give users access from their cellular phones to e-mail and still comply with the CertKiller.com security policy.
What should you do?
A. You need to create an HTTPS server publishing rule and configure the rule to point to the Microsoft Outlook Web Access site.
B. You need to create an HTTPS server publishing rule and configure the rule to point to the Microsoft Outlook Mobile Access site.
C. You need to create a POP3 server publishing rule and configure the rule to point to an Exchange Server 2003 computer.
D. You need to create an IMAP server publishing rule and configure the rule to point to an Exchange Server 2003 computer.
Answer: B
Explanation:
Exchange Server 2003 allows users of wireless and small devices, such as mobile phones, personal digital assistants (PDAs), or smart phones (hybrid devices that combine the functionality of mobile phones and PDAs), access to Exchange data. Outlook Web Access provides access to a computer running Exchange Server through a Web browser. The POP3, IMAP4, and SMTP options allow you to publish both secure and non-secure versions (default settings) of these protocols. Secure versions of these protocols use SSL to encrypt both user credentials and data. The ISA firewall will publish these protocols using Server Publishing Rules, but you must configure the Exchange Server with the appropriate Web site certificates to complete the configuration if you want to use the secure version of these protocols.



QUESTION NO: 122
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Sales department. The CertKiller.com network contains two ISA Server 2004 computers named CERTKILLER-SR20 and CERTKILLER-SR21. A portion of the network is seen in the exhibit.

A new CertKiller.com security policy requires that employees must connect to the VPN server installed on CERTKILLER-SR21 in the most secure method. You need to configure CERTKILLER-SR21 to allow employees to connect to the VPN server on CERTKILLER-SR21.
What should you do?
A. You need to create a PPTP server publishing rule on CERTKILLER-SR20 and to configure VPN connections to use EAP authentication on CERTKILLER-SR21.
B. You need to create an L2TP server publishing rule on CERTKILLER-SR20 and to configure VPN connections to use EAP authentication on CERTKILLER-SR21.
C. You need to create a PPTP server publishing rule on CERTKILLER-SR20 and to configure VPN connections to use PAP authentication on CERTKILLER-SR21.
D. You need to create an L2TP server publishing rule on CERTKILLER-SR20 and to configure VPN connections to use PAP authentication on CERTKILLER-SR21
Answer: B
Explanation:
A VPN client uses special Transmission Control Protocol/Internet Protocol (TCP/IP)-based protocols called tunneling protocols to connect to a virtual connection port on a VPN server. The tunneling protocols use encryption protocols to provide data security as the data is sent across the public network. The two VPN protocols supported by ISA Server are Microsoft Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). PPTP and L2TP use encryption protocols to ensure that the connection is private or secure by encrypting all traffic sent across a public network. The PPTP VPN protocol uses the Microsoft Point-to-Point Encryption protocol (MPPE) to protect data moving through the PPTP virtual networking connection. The L2TP/IPSec VPN protocol uses Internet Protocol Security (IPSec) to encrypt data moving through the L2TP virtual network.
Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is typically used if the remote access client and remote access server cannot negotiate a more secure form of authentication. Extensible Authentication Protocol (EAP) is the most secure remote authentication protocol. It uses certificates on both the client and the server to provide mutual authentication, data integrity, and data confidentiality. It negotiates encryption algorithms and secures the exchange of session keys. Use EAP if you are implementing multifactor authentication technologies such as smart cards or universal serial bus (USB) token devices.


QUESTION NO: 123
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
CertKiller.com contains an ISA Server 2004 computer named CERTKILLER-SR10. A network rule defines a network address translation (NAT) relationship between the Internal network and the External network.
You have received instructions to use Remote Desktop to perform remote administration of CERTKILLER-SR10. The instructions also state to allow users to establish a Remote Desktop connection to CERTKILLER-SR10 by using the non-standard TCP port 12345.
Which actions should you do? (Each correct answer presents part of the solution. Choose TWO.)
A. You need to configure a new protocol definition for TCP port 12345 inbound named RDP-x.
B. You need to configure a new protocol definition for TCP port 12345 outbound named RDP-x.
C. You need to create an access rule that uses RDP-x.
D. You need to create a server publishing rule that uses RDP-x.
Answer: A,D
Explanation:
Creating Server Publishing Rules is simple compared to Web Publishing Rules. The only things you need to know when creating a Server Publishing Rule are:
The protocol or protocols you want to publish
The IP address where the ISA firewall accepts the incoming connections
The IP address of the Protected Network server you want to publish
A Server Publishing Rule uses protocols with the primary connection set as Inbound, Receive or Receive/Send. Since there is no protocol called RDP-x using port 12345, you need to create it. After the creation you can create a server publishing rule that uses this custom protocol. You need to configure this rule for inbound traffic.


QUESTION NO: 124
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com contains an ISA Server 2004 named CERTKILLER-SR20. CertKiller.com has decided to upgrade to the latest version of Microsoft Exchange Server and to configure a server publishing rule to allow inbound secure Exchange RPC connections to the Exchange Server computer. A new CertKiller.com security policy requires that all incoming connections from the Internet into the corporate network must be encrypted, and only SSL Web connections are allowed. You need to allow users to connect to Outlook Web Access and to comply with the company's security policy.
What should you do?
A. You need to create an NNTPS server publishing rule.
B. You need to create an HTTP Web publishing rule.
C. You need to delete the current Exchange RPC server publishing rule and create an HTTPS Web publishing rule.
D. You need to delete the current Exchange RPC server publishing rule and create an IMAPS server publishing rule.
Answer: C
Explanation:
Outlook Web Access (OWA) provides access to a computer running Exchange Server through a Web browser. OWA does not require any client software or client configuration other than a Web browser. Although OWA does not provide all of the functionality provided by a full Outlook client, the fact that it is easy to deploy and does not require any special client makes OWA an attractive option for providing remote access. In this scenario you must delete the current RPC Server Publishing Rule and create a new HTTPS Web Publishing rule for the OWA clients.



QUESTION NO: 125
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional. CertKiller.com is divided into several departments of which the Marketing department is one. The Marketing department contains a Windows Server 2003 Web server named CERTKILLER-SR15.
You have received instruction to install a new ISA Server 2004 computer named CERTKILLER-SR16. A new CertKiller.com security policy requires that all HTTP traffic must go through CERTKILLER-SR16.
The Marketing department has created a new Web site so that the employees in their department can access their data. The new Web site has its own server publishing rule on CERTKILLER-SR16. Security requirements state that employees must not be able to access the new Web site from an untrusted client computer. To this end you need to configure the server publishing rule to meet the security requirements by enabling the appropriate network object.
What should you do?
A. Enable the External network object.
B. Enable the Local Host network object.
C. Enable the Quarantined VPN Clients network object.
D. Enable the All Protected Networks network object.
Answer: D
Explanation:
The All Protected Networks Network Object includes all Networks defined on the ISA firewall except for the default External Network. You might use the All Protected Networks Network Object when you want to apply an Access Rule that controls outbound access for all networks behind the ISA firewall. The Quarantined VPN Clients Network is a "virtual" or "just in time" Network where addresses are dynamically assigned to this Network when quarantined VPN clients connect to the ISA firewall. The Quarantined VPN Clients Network is only used when VPN Quarantine is enabled on the ISA firewall. The Internal Network includes all computers (IP addresses) that were specified as internal during the installation process. The default External Network created during ISA firewall setup includes all addresses that are not already defined by another Network on the ISA firewall. The default External Network doesn't contain any dialog boxes for you to perform custom configurations. Any address that isn't defined by some other Network on the ISA firewall is automatically included in the default External Network.



QUESTION NO: 126
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and branch office in Miami.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall. The branch office users require access to the internal resources of the main office but the branch office uses a third-party VPN server. You want to design a solution that is secure for the connection. You plan to implement a site-to-site VPN connection between the offices.
During the course of the day you configure CERTKILLER-SR01 as a VPN server and enabled the L2TP/IPSec on CERTKILLER-SR01. The branch office users later started reporting that they are unable to connect to CERTKILLER-SR01. You want to ensure they are able to access the internal resources.
What should you do?
A. CERTKILLER-SR01 should be configured to use IPSec tunnel mode.
B. The IPSecPol tool should be installed on the third-party VPN server in the branch office.
C. CERTKILLER-SR01 should be configured to use PPTP.
D. The IPSecPol tool should be installed on CERTKILLER-SR01.
Answer: A
Explanation:
In the scenario you should remember that IPSec is used in tunnel mode to provide encapsulation for IP traffic only and that IPSec tunnel mode can be used to connect to a third-party VPN server.

Incorrect Answers:
B: This tool should not be considered for installation on CERTKILLER-SR01 nor should it be installed on the third-party VPN server because the tool is used to configure IPSec policies either in Active Directory or the local or remote registry.
C: This protocol should not be used in the scenario because the protocol is used to connect to an ISA server or Windows Routing and Remote Access servers.
D: This tool should not be considered for installation on CERTKILLER-SR01 nor should it be installed on the third-party VPN server because the tool is used to configure IPSec policies either in Active Directory or the local or remote registry.



QUESTION NO: 127
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and branch office in Dallas.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 used to control Internet access, both inbound and outbound. The CertKiller.com branch office also contains an ISA server named CERTKILLER-SR02; both office ISA servers are configured as Edge Firewalls. During the course of the day you configure a site-to-site L2TP/IPSec VPN connection using certificate-based machine authentication between CERTKILLER-SR01 and CERTKILLER-SR02.
Recently the CertKiller.com network users that run Windows NT Workstation 4.0 reported that they are unable to access resources in the main office. You are required to ensure that all the branch office users are able to access resources in the main office using the least amount of administrative effort.
What should you do?
A. The Microsoft L2TP/IPSec VPN client should be downloaded and installed on the client computers running Windows NT Workstation 4.0.
B. All the computers should be upgraded to Windows XP Professional and create an access rule on CERTKILLER-SR01 to enable outbound access to PPTP.
C. Another access rule should be created on CERTKILLER-SR02 to enable outbound access to PPTP for client computers running Windows NT Workstation 4.0.
D. Another access rule should be created to enable outbound access to L2TP/IPSec with EAP for client computers running Windows NT Workstation 4.0.
Answer: A
Explanation:
You should remember in the scenario that if you are to enable client computers running Windows NT Workstation 4.0, you are required to download and install the Microsoft L2TP/IPSec VPN Client on those computers.

Incorrect Answers:
B: This option should not be used in the scenario because the PPTP option is only used when the server does not support machine certificate authentication.
C: This option should not be used in the scenario because the PPTP option is only used when the server does not support machine certificate authentication.
D: This option should not be used in the scenario because the result will be that not all branch users will be able to access resources in the main office.


QUESTION NO: 128
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and branch office in Miami.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 in the main office and a Routing and Remote Access Server (RRAS) named CERTKILLER-SR02 in the branch office, configured to connect to each other using a site-to-site L2TP/IPSec VPN connection that uses pre-shared keys. You are busy planning to migrate the RRAS on CERTKILLER-SR02 to the ISA server CERTKILLER-SR01 and perform the following steps:
- Install ISA Server 2004 on CERTKILLER-SR02.
- Remove the preshared key from the RRAS console and enter the preshared key on the Authentication tab of the VPN properties dialog box on CERTKILLER-SR02.
After the migration, the branch office users report that they are unable to connect to resources in the main office. You are required to ensure that the branch office users can access resources in the main office using the site-to-site L2TP/IPSec VPN connection with preshared keys for authentication.
What should you do?
A. The pre-shared key should be entered in the RRAS console on CERTKILLER-SR02 and re-entered in the RRAS console on CERTKILLER-SR02.
B. The pre-shared key should be exported from CERTKILLER-SR02 to CERTKILLER-SR01.
C. CERTKILLER-SR02 should be configured to use L2TP/IPSec.
D. Outgoing VPN connections should be enabled on CERTKILLER-SR02.
Answer: D
Explanation:
You should remember in the scenario that when you upgrade RRAS to ISA Server 2004, the credentials for site-to-site connections are not exported, and outgoing VPN connections are not enabled on the ISA server until you configure them.

Incorrect Answers:
A: This configuration should not be used in the scenario as you would be unable to establish a site-to-site L2TP/IPSec VPN connection.
B: There is no need for you to make this configuration in the scenario as it has already been done.

C: There is no need to export the pre-shared key in the scenario, because when you upgrade RRAS to ISA Server 2004 the credentials for site-to-site connections are not exported.


QUESTION NO: 129
You work as the network administrator at the CertKiller.com branch office. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and a branch office in Dallas.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 in the main office and a DNS server named CERTKILLER-SR02 in the branch office. You recently configured CERTKILLER-SR01 as a remote access VPN server to enable a site-to-site PPTP VPN connection with the main office ISA server CERTKILLER-SR03. The CertKiller.com main office also has a DHCP server named CERTKILLER-SR04.
The CertKiller.com main office users started reporting that they are unable to connect to the branch office using the site-to-site VPN connection. You check the Event Viewer on CERTKILLER-SR03 and note the error below:
"Unable to contact a DHCP server. The Automatic Private IP Address 169.254.160.130 will be assigned to dial-in clients. Clients may be unable to access resources on the network."
You are required to ensure that VPN clients from the main office are able to connect to the branch office network using the site-to-site VPN connection.
What should you do? (Choose TWO.)
A. CERTKILLER-SR04 should be configured to include an IP address pool for the branch office.
B. CERTKILLER-SR01 should be configured to use CERTKILLER-SR04 as the DHCP server.
C. A DHCP server must be installed and configured at the branch office.
D. CERTKILLER-SR01 should be configured with a static pool of IP addresses to assign to the VPN clients.
Answer: C,D
Explanation:
You should remember in the scenario that when you configure the ISA server to use a DHCP server or a static pool of IP addresses to assign addresses to VPN clients, you are not required to create special routing table entries to support those clients.


Incorrect Answers:
A: The configuration here should not be used in the network because the servers are located on different segments. You should not configure CERTKILLER-SR03 to include an IP address pool for the branch office users in the scenario.
B: The configuration here should not be used in the network because the servers are located on different segments. You should not configure CERTKILLER-SR03 to include an IP address pool for the branch office users in the scenario.


QUESTION NO: 130
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Research department that is situated in Chicago. Due to company growth the CEO has opened a branch office in New York. You have been instructed by the CEO to connect the two offices to each other so that users in New York can access file, Web and database servers at the Chicago office.
You then connect the Chicago and the New York office with a site-to-site VPN connection and configure L2TP over IPSec as the VPN protocol for the site-to-site connection. You configure the ISA Server computers in Chicago and New York to use computer certificates and to use a preshared key.
The L2TP over IPSec connection was established, but when you check the connection parameters in the IPSec console, you find out that the preshared key is used to establish the IPSec connection.
You need to allow the computer certificates to be used instead of the preshared key for the IPSec negotiations.
What should you do?
A. You need to remove the preshared key from only the Chicago office ISA Server computer's remote site network configuration.
B. You need to remove the preshared key from only the New York office ISA Server computer's remote site network configuration.
C. You need to remove the preshared key from the ISA Server computer's remote site network configuration at Chicago and New York offices.
D. You need to remove the computer certificates on the ISA Server computers at both offices and replace them with user certificates.

Answer: C
Explanation:
Site-to-site VPNs allow you to connect entire networks to one another. This can lead to significant cost savings for organizations that are using dedicated frame relay links to connect branch offices to the main office, or branch offices to one another. The ISA firewall supports site-to-site VPN networking using the following VPN protocols:
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
- IPSec Tunnel Mode
L2TP/IPSec is more secure than PPTP and IPSec tunnel mode. However, to ensure that you have a secure site-to-site VPN connection using L2TP/IPSec, you must use machine certificates on all ISA firewall VPN gateways.


QUESTION NO: 131
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering the ISA Server 2004 computer.
CertKiller.com operates in a joint venture with a partner company. To this end, CertKiller.com management has an agreement that the employees in your company can access the partner company's VPN server over the Internet. The partner VPN server does support machine certificate authentication for VPN connections. You received instructions to enable a network address translation (NAT) relationship between the Internal network and the External network. In your solution you need to ensure that company users can access the partner VPN server.
What should you do? (Each correct answer presents part of the solution. Choose TWO.)
A. Dean Austin needs to create an access rule to enable outbound access to the PPTP Client protocol.
B. Dean Austin needs to create an access rule to enable outbound access to the IPSec with Encapsulating Security Payload (ESP) Server protocol.
C. Dean Austin needs to create an access rule to enable outbound access to the IKE Client protocol.
D. Dean Austin needs to create an access rule to enable outbound access to the IPSec NAT-T Client protocol.
Answer: C,D
Explanation:
You can configure the ISA firewall to allow outbound access to VPN servers on the Internet. The ISA firewall supports all true VPN protocols, including PPTP, L2TP/IPSec, and IPSec NAT Traversal (NAT-T).

Although ISA Server supports PPTP passthrough out of the box, there is no built-in support for IPSec passthrough. The reason for this is that the IPSec protocols are not Network Address and Port Translation (NAPT) compatible. The IPSec protocols are designed to authenticate and/or encrypt information in the packet. When a NAPT device (such as an ISA server) tries to change the information in the packet, it will either cause the packet to be considered invalid by an IPSec protocol, or it will be unable to perform the translation because the information the NAPT device needs to access is encrypted. The IPSec Working Group has worked out a solution called NAT Traversal, or NAT-T for short. To make NAT-T work on the ISA Server, we need to create an access rule that uses the IPSec IKE Client protocol and the IPSec NAT-T Client protocol.


QUESTION NO: 132
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com has its headquarters in Chicago and a branch office in Dallas. The Chicago office and the Dallas office are connected to each other with a site-to-site VPN connection. The headquarters in Chicago contains an ISA Server 2004 computer named CERTKILLER-SR12 and the branch office in Dallas contains an ISA Server 2004 computer named CERTKILLER-SR13. The headquarters in Chicago has two network IDs: 192.168.1.0/24 and 192.168.2.0/24. A portion of the network is configured as seen in the exhibit.

The network 192.168.1.0/24 is directly connected to CERTKILLER-SR12 and is configured as the default Internal network. The network 192.168.2.0/24 is connected to the 192.168.1.0/24 network by a router on the Chicago office Internal network. You also created two subnet network objects in the ISA Server Management console for 192.168.1.0/24 and 192.168.2.0/24. The internal network adapter on CERTKILLER-SR13 is on network ID 10.0.0.0/24. You also created the following access rules:
- On CERTKILLER-SR12 and CERTKILLER-SR13, to allow all traffic to and from the Chicago and Dallas networks.
- On CERTKILLER-SR12, to allow all traffic between the default Internal network and the Dallas network.
The next day you have received reports from the users on the network ID 192.168.2.0/24 complaining that they cannot connect to computers at the branch office in Dallas. You need to ensure that all users at the headquarters in Chicago can connect to resources located on the Dallas network.
What should you do?

A. You need to add the addresses in network ID 192.168.2.0/24 to the default Internal network at the headquarters in Chicago.
B. You need to add the addresses in network ID 10.0.0.0/24 to the default Internal network at the headquarters in Chicago.
C. You need to remove the router connecting the two networks at the headquarters and place both network IDs on a single Ethernet broadcast segment.
D. You need to create a subnet network object representing the 192.168.2.0/24 network on ISA2 and add this network object to the list of destination computers that the branch office computers can connect to.
Answer: A
Explanation:
Site-to-site VPNs allow you to connect entire networks to one another. The ISA firewall supports site-to-site VPN networking using the following VPN protocols:
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP/IPSec (Layer Two Tunneling Protocol over IPSec)
- IPSec Tunnel Mode
The Internal network users (192.168.1.0/24) at the headquarters can connect to the Internal network (10.0.0.0/24) in the branch office. However, the network users behind the router (192.168.2.0/24) cannot. You created a new subnet object but did not add the 192.168.2.0/24 subnet to the Internal network addresses.


QUESTION NO: 133
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties at CertKiller.com include administering an ISA Server 2004 computer named CERTKILLER-SR50.
CertKiller.com is in a joint venture with a partner company, and for operational purposes there is an agreement between CertKiller.com and its partner regarding the network. This agreement stipulates that the CertKiller.com employees can access a partner VPN server over the Internet. The partner VPN server does not support machine certificate authentication for VPN connections. To this end, you need to enable a route relationship between the Internal network and the External network so that you can ensure that the CertKiller.com employees can access the partner VPN server.
What should you do?
A. Dean Austin needs to create an access rule to enable outbound access to the PPTP Client protocol.
B. Dean Austin needs to create an access rule to enable outbound access to the IPSec with Encapsulating Security Payload (ESP) Server protocol.

C. Dean Austin needs to create an access rule to enable outbound access to the IKE Client protocol.
D. Dean Austin needs to create an access rule to enable outbound access to the L2TP Client protocol.
Answer: A
Explanation:
A remote access VPN server accepts VPN calls from VPN client machines. A remote access VPN server allows single client machines and users access to corporate network resources after the VPN connection is established. You can use any VPN client software that supports PPTP or L2TP/IPSec to connect to a VPN server. PPTP uses Point-to-Point Protocol (PPP) user authentication methods and Microsoft Point-to-Point Encryption (MPPE) to encrypt IP traffic. PPTP supports the use of Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2) for password-based authentication. For stronger authentication for PPTP connections, you can implement a public key infrastructure (PKI) using smart cards or certificates and Extensible Authentication Protocol Transport Level Security (EAP-TLS). L2TP/IPSec is the more secure of the two VPN protocols; it uses PPP user authentication methods and IPSec encryption to encrypt IP traffic. This combination uses certificate-based computer authentication to create IPSec security associations in addition to PPP-based user authentication. L2TP/IPSec provides data integrity, data origin authentication, data confidentiality, and replay protection for each packet. The ISA firewall can pass PPTP VPN connections from any Protected Network to the Internet with the help of its PPTP filter. The ISA firewall's PPTP filter intercepts the outbound PPTP connection from the Protected Network client and mediates the GRE (Generic Routing Encapsulation, IP protocol 47) traffic and the PPTP control channel (TCP 1723) communications. The only thing you need to do is create an Access Rule allowing outbound access to PPTP.


QUESTION NO: 134
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. CertKiller.com has an office in London and a branch office in Milan.
The offices are not connected to each other. CertKiller.com management wants a connection between the offices, and to this end you received instructions to connect London and Milan by means of a site-to-site VPN. The London office contains an ISA Server 2004 computer named CERTKILLER-SR15 and the Milan office contains an ISA Server 2004 computer named CERTKILLER-SR16. Both CERTKILLER-SR15 and CERTKILLER-SR16 have certificates installed, and you configure these servers to use certificates and a preshared key. At each office, the preshared key is configured as the office name on the ISA Server computer at that office.

One morning you run the ping command on CERTKILLER-SR15 to the Milan office, but the site-to-site VPN fails. To continue your attempt, you open the Routing and Remote Access console and manually dial the demand-dial interface, but receive the following error message: "The last connection attempt failed because: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
You need to enable the site-to-site VPN connection by using the most secure IPSec authentication method possible.
What should you do?
A. You need to reboot CERTKILLER-SR15 and CERTKILLER-SR16.
B. You need to re-enter the preshared keys on CERTKILLER-SR15 and CERTKILLER-SR16 and change the preshared keys so that they include mixed-case letters, numbers, and symbols.
C. You need to remove the preshared key from the remote site network configuration on CERTKILLER-SR15 and CERTKILLER-SR16.
D. You must delete the remote site network on CERTKILLER-SR15 and CERTKILLER-SR16, and re-create the remote site networks with the original parameters.
Answer: C
Explanation:
Layer Two Tunneling Protocol (L2TP) over Internet Protocol security (IPSec): Layer Two Tunneling Protocol (L2TP) is an industry-standard Internet tunneling protocol that provides encapsulation for sending Point-to-Point Protocol (PPP) across IP networks. The Microsoft implementation of the L2TP protocol uses Internet Protocol security (IPSec) encryption to protect the data stream from the VPN client to the VPN server. L2TP/IPSec connections require user-level authentication and, in addition, computer-level authentication using computer certificates OR a pre-shared key. In this case you were using both, so you need to remove the pre-shared keys to achieve the highest possible security.


QUESTION NO: 135
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com.
CertKiller.com has an office in London. Due to company growth the CEO has opened another office in Paris. You have created a site-to-site VPN connection between two ISA Server 2004 computers named CERTKILLER-SR11 and CERTKILLER-SR12. CERTKILLER-SR11 is located in London and CERTKILLER-SR12 in Paris. You also create remote site networks on CERTKILLER-SR11 and CERTKILLER-SR12 and choose the L2TP over IPSec VPN protocol.

You want to use a preshared key for the IPSec authentication. To do this, you open the Routing and Remote Access console and enter the preshared key in the Properties dialog box for the Routing and Remote Access server.
The site-to-site L2TP over IPSec connection is successful. However, when you reboot CERTKILLER-SR11 and CERTKILLER-SR12, you notice that the site-to-site connection fails. You need to ensure that the L2TP over IPSec site-to-site VPN connections continue to function properly after CERTKILLER-SR11 and CERTKILLER-SR12 are restarted.
What should you do?
A. You need to re-enter the preshared keys on CERTKILLER-SR11 and CERTKILLER-SR12. Change the preshared keys so that they include mixed-case letters, numbers, and symbols.
B. You need to remove all certificates for CERTKILLER-SR11 and CERTKILLER-SR12.
C. On CERTKILLER-SR11 and CERTKILLER-SR12, remove the preshared key from the Routing and Remote Access console, and enter the key on the Authentication tab of the Virtual Private Networks (VPN) Properties dialog box.
D. You need to install user certificates on CERTKILLER-SR11 and CERTKILLER-SR12 and enable EAP user authentication for the demand-dial accounts.
Answer: C
Explanation:
Error 792 can be caused by any of the following:
- A preshared key is configured on the client, but the key is not configured on the Routing and Remote Access Service server.
- The VPN server's machine certificate is not valid or is missing.
- The IPSec Policy Agent service is stopped and started without stopping and starting the Routing and Remote Access service on the remote computer.
- The IPSec Policy Agent service is not running when you start the Routing and Remote Access service.
- The ISA Server computer is configured to block IP fragments.
In this case you need to enable the use of a custom IPSec policy and configure a preshared key in the Virtual Private Networks (VPN) Properties dialog box and NOT in the RRAS console. VPN properties should be configured in the ISA console and not in the RRAS console, because the ISA console overrides RRAS settings.


QUESTION NO: 136
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Sales department. CertKiller.com has its headquarters in Chicago and a branch office in Miami. The CertKiller.com network contains two ISA Server 2004 computers: CERTKILLER-SR25 in Chicago and CERTKILLER-SR26 in Miami. CERTKILLER-SR25 is running Windows Server 2003 and CERTKILLER-SR26 is running Windows 2000 Server.

You have received instructions to create a site-to-site VPN connection between CERTKILLER-SR25 and CERTKILLER-SR26. You then configure IPSec tunnel mode for the site-to-site connection. When you test the site-to-site VPN connection, the connection attempt fails. You need to enable the IPSec tunnel mode site-to-site VPN connection between Chicago and Miami.
What should you do?
A. You need to install the IPSecPol tool on CERTKILLER-SR25.
B. You need to install the IPSecPol tool on CERTKILLER-SR26.
C. You need to configure a custom IPSec policy on CERTKILLER-SR25.
D. You need to configure a custom IPSec policy on CERTKILLER-SR26.
Answer: B
Explanation:
IPSec tunnel mode: Tunneling is the entire process of encapsulation, routing, and decapsulation. Tunneling wraps, or encapsulates, the original packet inside a new packet. When tunneling is combined with data confidentiality, the original packet data is not revealed to those listening to traffic on the network. The tunnel is the logical data path through which the encapsulated packets travel. When tunneling is combined with data confidentiality, it can be used to provide a VPN. The encapsulated packets travel through the network inside the tunnel. When Internet Protocol security (IPSec) is used in tunnel mode, IPSec itself provides encapsulation for IP traffic only. The primary reason for using IPSec tunnel mode is interoperability with other routers, gateways, or end systems that do not support L2TP over IPSec or PPTP VPN tunneling. To create a remote site network that uses the IPSec protocol tunneling mode on a computer running Windows 2000, you must install the IPSecPol tool, available on the Microsoft website.


Part 2: Configure ISA Server 2004 as a remote access VPN server (8 Questions)


QUESTION NO: 137
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and branch office in Dallas. The Dallas office users require access to the resources in the main office.

The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as a VPN server. The shared resources in the main office are highly confidential, and the CertKiller.com network security policy states that all remote VPN clients must fulfill the requirements below:
- The remote client computers have Windows XP Professional SP2 installed.
- The remote VPN clients have updated antivirus software.
- All the network connections on the remote VPN clients have Windows Firewall enabled.
In the network main office you configure VPN quarantine control on the ISA 2003 Server and also create the CK_Quarantinetest.vbs script to validate the client configuration. You are required to ensure only remote VPN clients passing the security criteria are allowed to access the resources.
What should you do?
A. An access rule must be configured for the CK_Quarantinetest.vbs script to run when a remote VPN client attempts to connect to the VPN server.
B. The AllowedSet value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rqs registry key should be configured to pass CK_Quarantinetest.vbs as a parameter.
C. The location of the CK_Quarantinetest.vbs script must be passed as a parameter to the Rqs.exe components.
D. A Connection Manager (CM) profile should be created that includes the CK_Quarantinetest.vbs script and distribute the CM profile to all remote VPN clients in the branch office.
Answer: D
Explanation:
In the scenario you should remember that the CM profile is used to contain a script that performs validation checks on the remote-access client computer to verify the network policies.

Incorrect Answers:
A: There is no need to create an access rule for the script; you should simply create a CM profile that uses the CK_Quarantinetest.vbs script.
B: This option should not be used in the scenario because the option will not enable the branch office users to access the VPN server remotely.
C: There is no need for this configuration in the scenario because you should simply create a CM profile that uses the CK_Quarantinetest.vbs script.


QUESTION NO: 138
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.

The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall outside the Active Directory domain. The CertKiller.com network domain contains an internal enterprise Certification Authority (CA). The CertKiller.com network security policy states that all VPN connections must be configured to use L2TP/IPSec with certificate-based authentication. You plan to configure CERTKILLER-SR01 as a VPN server.
You later configure a Group Policy Object (GPO) to enable CERTKILLER-SR01 and other network computers to acquire computer certificates through automatic enrollment, and perform the following tasks to ensure this for CERTKILLER-SR01:
- You create an access rule to allow all protocols from CERTKILLER-SR01 to the Internal network.
- You disable the Enforce strict RPC compliance setting temporarily.
- You disable the RPC application filter temporarily.
You then discover that automatic enrollment has failed for CERTKILLER-SR01 but was successful for the client computers. You are required to ensure CERTKILLER-SR01 can successfully acquire the computer certificate.
What should you do? (Choose TWO.)
A. The CERTKILLER-SR01 firewall should be restarted to request the certificate.
B. The Enforce strict RPC compliance checkbox should be enabled and the RPC filter should be enabled on CERTKILLER-SR01.
C. CERTKILLER-SR01 should be joined to the domain.
D. A Web enrollment site must be used to obtain the certificate.
Answer: C,D
Explanation:
In the scenario you should remember that, to request a certificate for an ISA server, you must not enforce strict RPC compliance; only after modifying the firewall policy in this way will auto-enrollment succeed.

Incorrect Answers:
A: The only time you will be required to do this is when you are making use of the Certificates MMC snap-in before disabling the RPC filter.
B: This option should not be used in the scenario because DCOM is an RPC-based protocol required for services such as certificate enrollment.


QUESTION NO: 139
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.

The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as a remote VPN server using L2TP/IPSec which will be used to provide network employees connecting as remote VPN client access to required internal resources. You later ensure the internal Certification Authority (CA) is online and has the permissions needed to issue certificates. You are busy requesting a server certificate from the CA. You receive the error message below:
"The certificate request failed because of one of the following conditions: The certificate request was submitted to a Certification Authority that was not started. You do not have the permissions to request certificates from the available CAs."
You are now required to ensure that a server certificate is successfully issued to the ISA server to enable CERTKILLER-SR01 to function as an L2TP/IPSec-based remote access VPN server.
What should you do?
A. The Extensible Authentication Protocol (EAP) with smart card or other certificate check box should be selected on CERTKILLER-SR01.
B. The Verify that incoming client certificates are not revoked check box should be selected on CERTKILLER-SR01.
C. The CA root certificate should be manually placed into the Trusted Root Certification Authorities store on CERTKILLER-SR01.
D. The System Policy should be edited to clear the Enforce strict RPC compliance check box on CERTKILLER-SR01.
Answer: D
Explanation:
In the scenario you should remember that DCOM traffic to the ISA server can only be allowed when the Enforce strict RPC compliance check box has been unchecked.

Incorrect Answers:
A: This option should only be used in the situation where the remote site gateway or VPN client initiates a connection to the ISA Server CERTKILLER-SR01.
B: This option should only be used if you want to stop users from connecting to the server if their certificates are revoked.
C: This would only be required if the servers were not members of the domain, and in the scenario all computers are members of the domain.


QUESTION NO: 140
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01, and all client computers are configured as Web Proxy clients. You are busy configuring CERTKILLER-SR01 as an L2TP/IPSec VPN server that uses certificate-based authentication to provide secure access to the internal network resources for remote VPN clients.
During the course of the day you deploy client certificates on CERTKILLER-SR01 and other remote users using an external CA. You want to configure CERTKILLER-SR01 to deny access to clients with revoked certificates. You decide to enable the Allow HTTP from the ISA Server to all networks for CRL download system policy rule. You are required to prevent VPN clients with revoked certificates from establishing a VPN connection.
What should you do? (To answer, configure the following exhibit appropriately)


Explanation:

You should select the 'Verify that the incoming client certificates are not revoked' checkbox. This option prevents remote users from connecting the ISA server if their certificates have been revoked.


QUESTION NO: 141
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Sales department that is situated in Dallas. Due to company growth the CEO has opened a branch office in Miami. ISA Server 2004 Standard Edition is in operation at the Dallas and Miami offices. The Miami and Dallas offices are connected with a site-to-site VPN connection. You also configure the remote site networks and access rules to allow communications between the Dallas and Miami office networks. Later during the day you received the following complaints: The employees in the Dallas office cannot connect to the resources on the servers in the Miami office. The employees in the Miami office cannot connect to the resources on the servers in the Dallas office.

During your investigation you opened the Event Viewer services log on the ISA Server computer in each office. You see the following error message: "Unable to contact a DHCP server. The Automatic Private IP Address 169.254.99.87 will be assigned to dial-in clients. Clients may be unable to access resources on the network."
You need to enable users at the Dallas and the Miami office to connect to resources on the other side of the site-to-site VPN connection.
What should you do?
A. You need to install and configure a DHCP server at the Dallas office.
B. You need to install and configure a DHCP server at the Miami office.
C. You need to install and configure a DHCP server at each office.
D. You need to configure both ISA Server computers to use their ISP's DHCP server.
Answer: C
Explanation:
Site-to-site VPNs allow you to connect entire networks to one another. The ISA firewall supports site-to-site VPN networking using the following VPN protocols: PPTP (Point-to-Point Tunneling Protocol), L2TP/IPSec (Layer Two Tunneling Protocol over IPSec) and IPSec Tunnel Mode. One of the considerations is how IP addresses are assigned to VPN clients and gateways: you can use either DHCP or a static address pool. However, if you choose to use a static address pool and you assign on-subnet IP addresses to VPN clients and gateways, then you will need to remove those addresses from the definition of the Internal Network (or any other Network for which these might represent overlapping addresses). In this scenario we can see that DHCP is not correctly configured or is missing. You need to install a DHCP server in both the Dallas and Miami offices, because the scenario states that neither office can connect to the other.
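The static address pool consideration above (a pool that lies inside the Internal network must be carved out of the Internal network definition) is easy to get wrong by hand. The following is an added example written for this page, not ISA Server's own logic or any Microsoft tool: given the Internal network's address ranges and a proposed static VPN pool, it reports whether the pool overlaps the Internal network and computes the ranges that would remain after removing the pool's addresses. The 10.0.0.0 to 10.0.0.255 and 10.0.1.0 to 10.0.1.255 ranges mirror those used in question 153 later on this page; the overlapping pool in the usage block is a constructed value.

```python
import ipaddress
from typing import List, Tuple

# ISA expresses a network as inclusive (first address, last address) ranges.
Range = Tuple[str, str]


def _to_networks(first: str, last: str):
    """Expand an inclusive address range into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def _to_ranges(nets) -> List[Range]:
    """Collapse CIDR blocks back into sorted inclusive ranges, merging adjacent blocks."""
    ranges: List[Range] = []
    for n in ipaddress.collapse_addresses(nets):  # sorted, non-overlapping
        first, last = n.network_address, n.broadcast_address
        if ranges and ipaddress.ip_address(ranges[-1][1]) + 1 == first:
            ranges[-1] = (ranges[-1][0], str(last))  # contiguous: extend
        else:
            ranges.append((str(first), str(last)))
    return ranges


def pool_overlaps_internal(internal: List[Range], pool: Range) -> bool:
    """True if any address of the static VPN pool falls inside the Internal network."""
    pool_nets = _to_networks(*pool)
    for first, last in internal:
        for inet in _to_networks(first, last):
            if any(inet.overlaps(p) for p in pool_nets):
                return True
    return False


def internal_minus_pool(internal: List[Range], pool: Range) -> List[Range]:
    """Return the Internal network ranges with the pool's addresses removed.

    Two CIDR blocks that overlap always nest, so each overlap is either
    'pool block inside internal block' (subtract it) or the reverse (drop it).
    """
    pool_nets = _to_networks(*pool)
    remaining = []
    for first, last in internal:
        nets = _to_networks(first, last)
        for p in pool_nets:
            next_nets = []
            for n in nets:
                if not n.overlaps(p):
                    next_nets.append(n)
                elif p.subnet_of(n):
                    next_nets.extend(n.address_exclude(p))
                # else: n lies entirely inside the pool block and is dropped
            nets = next_nets
        remaining.extend(nets)
    return _to_ranges(remaining)


if __name__ == "__main__":
    internal = [("10.0.0.0", "10.0.0.255")]          # Internal network, as in question 153
    off_subnet_pool = ("10.0.1.0", "10.0.1.255")     # pool outside the Internal network
    on_subnet_pool = ("10.0.0.200", "10.0.0.220")    # constructed on-subnet pool
    for pool in (off_subnet_pool, on_subnet_pool):
        print(pool, "overlaps:", pool_overlaps_internal(internal, pool),
              "-> Internal network should be:", internal_minus_pool(internal, pool))
```

With the off-subnet pool the Internal network definition is left untouched; with the on-subnet pool the function returns the two ranges 10.0.0.0 to 10.0.0.199 and 10.0.0.221 to 10.0.0.255 that should replace the original single range in the Internal network definition.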


QUESTION NO: 142
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. At CertKiller.com, the development department does the research and testing of all new software developments in a lab prior to deployment to the production network.
CertKiller.com contains an ISA Server 2004 computer named CERTKILLER-SR14 which is configured as a VPN server and allows only VPN connections that use PPTP. CertKiller.com also contains a RADIUS server named CERTKILLER-SR17 to offer authentication and authorization for VPN client connections. CERTKILLER-SR14 is configured to use CERTKILLER-SR17 to provide authentication and authorization for VPN client connections.

You want to configure CERTKILLER-SR14 to also allow VPN connections that use L2TP, an industry-standard Internet tunneling protocol. You also plan to use preshared keys for authentication when testing CERTKILLER-SR14 in the lab. On CERTKILLER-SR14 in the Routing and Remote Access console, you enable the Allow custom IPSec policy for L2TP connection option and enter a value for a preshared key. In the ISA Server Management console, you also enable L2TP over IPSec settings in the VPN Clients Properties dialog box.
In the CertKiller.com lab there is a workstation which is running Windows XP Professional with Service Pack 2. To test the L2TP functionality on CERTKILLER-SR14, you configure a VPN connection object on the workstation. The VPN connection object is configured to use the same preshared key that you configured on CERTKILLER-SR14. When you use L2TP to connect to CERTKILLER-SR14, you receive the following error message: "Error 792: The L2TP connection failed because security negotiation timed out."
You need to configure CERTKILLER-SR14 to support L2TP connections that use preshared keys.
What should you do?
A. In the ISA Server Management console you need to enable the use of a custom IPSec policy. Configure a preshared key in the Virtual Private Networks (VPN) Properties dialog box.
B. In the ISA Server Management console you need to enable EAP in the Virtual Private Networks (VPN) Properties dialog box.
C. In the RADIUS remote access policy profile for the VPN connection you need to add MD5-Challenge as an authentication method.
D. In the RADIUS remote access policy profile for the VPN connection, you need to add Protected Extensible Authentication Protocol (PEAP) as an authentication method.
Answer: A
Explanation:
Error 792 can be caused by any of the following: a preshared key is configured on the client but not on the Routing and Remote Access Service server; the VPN server's machine certificate is invalid or missing; the IPSec Policy Agent service was stopped and started without stopping and starting the Routing and Remote Access service on the remote computer; the IPSec Policy Agent service is not running when you start the Routing and Remote Access service; or the ISA Server computer is configured to block IP fragments. In this case you need to enable the use of a custom IPSec policy and configure a preshared key in the Virtual Private Networks (VPN) Properties dialog box and NOT in the RRAS console. VPN properties should be configured in the ISA console and not in the RRAS console because the ISA console overrides RRAS settings.



QUESTION NO: 143
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Development department. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR20 which functions as a remote access VPN server for the network. CERTKILLER-SR20 is configured to use PPTP or L2TP over IPSec for remote access VPN clients to connect to.
The employees in the Development department complain that after connecting to the CertKiller.com network, they cannot access file shares on the network file server without first being presented with an authentication prompt. You need to ensure that users are not asked for credentials when they access file shares.
What should you do? (Each correct answer presents part of the solution. Choose TWO.)
A. The employees in the Development department should log on by using their domain credentials via dial-up networking.
B. You need to configure CERTKILLER-SR20 as a RADIUS client.
C. You need to create an access rule to enable the LDAP and LDAP5 protocols from the Local Host network to the Internal network.
D. You need to join CERTKILLER-SR20 to the domain.
Answer: A,D
Explanation:
The placement of the ISA VPN server ultimately governs how user accounts are accessed during authentication. The following authentication methods are available: authenticating directly against Active Directory, RADIUS authentication, or authenticating against local users.
In this case you need to join CERTKILLER-SR20 to the domain. After that you can simply instruct the employees to log on by using their domain credentials via dial-up networking.


QUESTION NO: 144
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.

CertKiller.com consists of a Development department. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR12. You received instructions to configure CERTKILLER-SR12 as a remote access VPN server for the network to accept PPTP and L2TP over IPSec for remote access VPN clients to connect to. You want to control VPN access by using a remote access policy.
You then configure CERTKILLER-SR12 to allow VPN access to members of the Domain Users global group, but the VPN connections fail. While investigating the properties of several domain user accounts, you find that the Control access through Remote Access Policy option is not present. You need to enable remote access permission by using a remote access policy.
What should you do?
A. You need to configure a RADIUS-based remote access policy.
B. You need to configure the ISA Server remote access policy.
C. You need to elevate the domain functional level.
D. You need to enable user mapping for VPN client connections.
Answer: C
Explanation:
The Control access through remote access policy option is unavailable while the Active Directory domain is in mixed mode. Therefore we must change the domain to native mode to make this option available. Note that the change from mixed mode to native mode cannot be reversed.
Part 3: Diagnose and resolve VPN connectivity issues (12 Questions)


QUESTION NO: 145
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. The CertKiller.com domain functional level is Windows 2000 mixed mode.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as a remote access VPN server that allows L2TP/IPSec remote access client connections. During the course of the day you configured CERTKILLER-SR01 to allow VPN access to members of the Domain Users global group and took the other steps needed to grant them access; the users report that they can successfully access the VPN server. A new network user named Rory Allen has joined the Finance department. You create a user account for him with the default settings. Rory Allen reports that he is unable to connect to the remote VPN server.

What should you do?
A. The user account properties should be modified for dial-in access.
B. The remote access policy must be modified to add the user Rory Allen.
C. The domain functional level should be downgraded.
D. User mapping should be enabled for the remote VPN clients.
Answer: A
Explanation:
In the scenario you should remember that the domain functional level is Windows 2000 mixed mode. You created a user account with the default settings, which at this functional level leave the dial-in permission disabled.

Incorrect Answers:
B: This option should not be used in the scenario because Rory Allen still will be unable to access the remote access VPN.
C: This should not be considered in the scenario because raising the functional level of a domain is a one-way process; it cannot be downgraded.
D: You should not consider using this option in the scenario because user mapping is used to map VPN clients connecting to the ISA server using non-Windows authentication methods such as RADIUS.


QUESTION NO: 146
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall and as a remote access VPN server that allows Point-to-Point Tunneling Protocol (PPTP) remote access connections. The remote VPN clients of CertKiller.com access resources on the internal network, but some users started reporting that they are unable to access some resources on the internal network. You are required to determine whether the VPN client connections are successful or not.
What should you do?

A. A report job should be created.
B. A connectivity verifier should be set up.
C. The Web Proxy log view should be used.
D. A session filter should be configured.
Answer: D
Explanation:
You should remember that in the scenario you can use session monitoring to determine whether a VPN client connection is successful or not, making this the best choice.

Incorrect Answers:
A: This option should not be used in the scenario because a report job is used to create a report automatically on a specified schedule and cannot be used for the scenario.
B: This should not be considered in the scenario because a connectivity verifier allows an ISA server to check connectivity by sending HTTP GET requests to the specified computer.
C: This option is only useful if you are trying to determine which users cannot access an external Web site while other users are able to.


QUESTION NO: 147
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall. The CertKiller.com network users travel frequently and require access to internal network resources to get updated information while traveling. You decided to configure CERTKILLER-SR01 as a remote access VPN server configured to allow L2TP/IPSec remote access client connections to the remote users. You are required to configure dial-in permissions in Active Directory to enable the remote users to access the VPN server remotely using the least amount of administrative effort.
What should you do?
A. A new access policy must be created and the dial-in permissions configured for each user manually.
B. Dial-in access must be configured on a per-account basis in Active Directory.
C. The domain's functional level should be lowered.
D. The remote access policy should be modified.
Answer: D
Explanation:
In the scenario you should consider modifying the remote access policy: because the domain is Windows Server 2003 based, you can simply modify the remote access policy.

Incorrect Answers:
A: This option should not be used in the scenario as there is far too much administrative effort involved in the process.
B: This should not be considered in the scenario because in Windows Server 2003 this is controlled by remote access policy.
C: This should not be considered in the scenario because raising the functional level of a domain is a one-way process.


QUESTION NO: 148
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall. You are in the process of configuring CERTKILLER-SR01 as a remote access VPN server to enable remote client access to internal network resources. You configured CERTKILLER-SR01 to support only EAP authentication for the remote VPN clients, and a user certificate has been issued to all remote VPN client computers. You are required to ensure that the access policy rules that apply to users logging in by using Windows authentication are also applied to all remote VPN clients logging in using EAP authentication.
What should you do?
A. User mapping should be enabled for the remote VPN clients.
B. The When username does not contain a domain, use this domain option should be deselected in the VPN Clients Properties dialog box.
C. CERTKILLER-SR01 should be configured as a stand-alone server outside the domain.
D. CERTKILLER-SR01 should be configured to use MS-CHAPv2 authentication.
Answer: A
Explanation:
In the scenario the best option is to enable user mapping as this would allow you to ensure that access policy rules are applied to users logging in using Windows authentication and EAP authentication.

Incorrect Answers:
B: This option should not be used in the scenario because this option can only be enabled if you have user mapping enabled.
C: This configuration should not be considered in the scenario because the server should be part of the domain when making these configurations.
D: This should not be configured in the scenario as you already require the users to use only EAP authentication and have issued user certificates.


QUESTION NO: 149
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Development department. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR10. CERTKILLER-SR10 is a member of a workgroup and functions as a remote access VPN server for the CertKiller.com network.
The configuration of the ISA Server 2004 computer only accepts EAP authentication for VPN clients. The VPN clients of CertKiller.com have user certificates from the corporate enterprise certification authority (CA).
One morning the users complain that they cannot connect to the CertKiller.com network. They receive the following error message: "Error 691: Access was denied because the username and/or password were invalid for the domain." You need to ensure that VPN users can connect to the network.
What should you do?
A. You need to join CERTKILLER-SR10 to the corporate network domain.
B. You need to place the CA certificate into the VPN clients' Trusted Root Certification Authorities computer certificate store.
C. You need to enable remote access permissions for the VPN user accounts in Active Directory.
D. You need to configure CERTKILLER-SR10 to use RADIUS authentication.
Answer: A
Explanation:
You can significantly enhance the security of your ISA firewall's VPN remote access client connections by using EAP user certificate authentication. User certificate authentication requires that the user possess a user certificate issued by a trusted certificate authority. Both the ISA firewall and the remote access VPN client must have the appropriate certificates assigned to them. You must assign the ISA firewall a machine certificate that the firewall can use to identify itself. Users must be assigned user certificates from a certificate authority that the ISA firewall trusts. When both the remote access client machine presenting the user certificate and the ISA firewall contain a common CA certificate in their Trusted Root Certification Authorities certificate stores, the client and server trust the same certificate hierarchy. Before we are able to use EAP we must join the ISA Server to the domain. Otherwise we get the dreaded error 691 as stated in this scenario.



QUESTION NO: 150
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All the client computers in CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Research department. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR12. CERTKILLER-SR12 acts as a DHCP and a VPN server. The DHCP options are assigned to the VPN client computers which are as follows: DNS, WINS and Domain name. CERTKILLER-SR12 has a DHCP scope that consists of three DHCP options.
One morning you received complaints that VPN users cannot access file shares when logged on to the network. During the investigation you find out that no WINS or DNS server address is assigned to the VPN clients, and no primary domain name is listed.
You need to ensure that the DHCP options are assigned to the VPN client computers.
What should you do? (Each correct answer presents part of the solution. Choose TWO.)
A. You need to remove the DHCP server from CERTKILLER-SR12 and place it on a computer that is behind CERTKILLER-SR12.
B. You need to configure the Routing and Remote Access internal network adapter as a DHCP client.
C. You need to configure VPN address assignment to use the Internal network for the DHCP, DNS and WINS services in the ISA Server Management console.
D. You need to install a DHCP Relay Agent on CERTKILLER-SR12.
Answer: A,D
Explanation:
The Dynamic Host Configuration Protocol (DHCP) allows you to automatically assign IP addressing information to VPN clients. IP addressing information the DHCP server can assign to VPN clients includes: IP address, WINS server address, DNS server address and primary domain name.
The ISA Server firewall/VPN server can be configured to use a static address pool or DHCP to assign IP addresses to VPN clients and gateways. When you use a static address pool, the IP address pool is configured on the ISA Server firewall/VPN server, and WINS and DNS server addresses are assigned based on the WINS and DNS server address settings on the internal interface of the ISA Server firewall/VPN server. You can use DHCP to assign VPN clients an IP address, a WINS server address, a DNS server address, and a primary domain name, as well as other DHCP options. In order to fully utilize the information a DHCP server can provide to the VPN client, the ISA Server firewall/VPN server must be configured with a DHCP Relay Agent. The DHCP Relay Agent acts as a "DHCP proxy" between the VPN client and the DHCP server. The DHCP Relay Agent forwards the DHCP messages between the VPN client and DHCP server and back.



QUESTION NO: 151
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR15.
CertKiller.com contains a Sales department. Some of the employees in the Sales department go into the field to market the product; they travel with their laptops and establish VPN connections to CERTKILLER-SR15. The remote employees need to use a smart card when they establish VPN connections.
During your routine monitoring you notice that the remote users can still establish VPN connections to CERTKILLER-SR15 after their smart card certificate has been revoked and a new certificate revocation list (CRL) has been published.
You need to ensure that users whose smart card certificates are revoked cannot establish VPN connections to CERTKILLER-SR15.
What should you do?
A. You need to select the Use RADIUS for authentication check box.
B. You need to select the Extensible authentication protocol (EAP) with smart card or another certificate check box.
C. You need to select the Verify that incoming client certificates are not revoked check box.
D. You need to select the Verify that incoming server certificates are not revoked in a reverse scenario check box.
Answer: C
Explanation:
Verify that incoming client certificates are not revoked - Select this check box to specify that when CERTKILLER-SR15 receives a certificate from a client, it will automatically check whether the certificate is revoked. If the certificate is revoked, the client request will be denied. Verify that incoming server certificates are not revoked in a forward scenario - Select this check box to specify that CERTKILLER-SR15 will automatically check whether incoming server certificates, in an SSL bridging scenario, are revoked. If the certificate is revoked, the request will be denied. Verify that incoming server certificates are not revoked in a reverse scenario - Select this check box to specify that CERTKILLER-SR15 will automatically check whether server certificates, in a Web publishing scenario, are revoked. If the certificate is revoked, the request will be denied. You must ensure that users cannot establish VPN connections to CERTKILLER-SR15 after their smart card certificate has been revoked and a new certificate revocation list (CRL) has been published. Therefore you must enable the Verify that incoming client certificates are not revoked check box in the general settings of CERTKILLER-SR15.



QUESTION NO: 152
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR10 which functions as a remote access VPN server for the network. CERTKILLER-SR10 is configured to use PPTP or L2TP over IPSec for remote access VPN clients to connect. All remote access VPN client computers are configured as both Web Proxy and Firewall clients of CERTKILLER-SR10. You then create an access rule to allow domain users on the VPN Clients network access to all protocols and Web sites on the Internet.
A CertKiller.com manager named Andy Reid logs on to his laptop by using a local user account and establishes a VPN connection to CERTKILLER-SR10 by using his domain credentials. You discover that Andy Reid cannot connect to the internal network when the VPN connection to CERTKILLER-SR10 is active. You need to ensure that Andy Reid can access the internal network while maintaining a VPN connection to CERTKILLER-SR10.
What should you do?
A. You need to disable the Firewall client before establishing the VPN connection.
B. You need to disable the Web Proxy configuration before establishing the VPN connection.
C. You need to create an access rule to allow connections from the VPN Clients network to the internal network.
D. You need to remove the authentication requirement on the access rule that allows VPN Clients access to the Internet.
Answer: C
Explanation:
In this case, Andy Reid logs on to his laptop by using a local user account and establishes a VPN connection to CERTKILLER-SR10 by using his domain credentials. This means that the VPN tunnel has been correctly set up and is fully functional. What is missing is a rule that allows him to connect to the internal network, so you must create an access rule to allow connections from the VPN Clients network to the internal network.


QUESTION NO: 153
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com.
CertKiller.com contains a Research department that is responsible for conducting research in the software field. The Research department contains an ISA Server 2004 computer named CERTKILLER-SR14. CERTKILLER-SR14 is configured with an external network adapter that is connected to the Internet and an internal network adapter that is connected to the Internal network, which has an address range of 10.0.0.0 through 10.0.0.255.
You then define the VPN address assignment as a static pool that extends from 10.0.1.0 through 10.0.1.255 and enable VPN client access. You then test the VPN configuration and establish a VPN connection to CERTKILLER-SR14 from an external Windows XP Professional client computer.
While you are in a VPN session with CERTKILLER-SR14, you find that the client computer cannot browse external Web sites. While troubleshooting this problem, you confirm that the internal client computers can browse external Web sites.
What should you do to ensure that VPN clients can browse external Web sites while connected to CERTKILLER-SR14 and to ensure that all requests for external Web sites from VPN clients are processed through CERTKILLER-SR14?
A. You need to clear the check box to use the default gateway on the remote network on the VPN clients, in the VPN connection object in the Network Connections folder.
B. You need to configure the dial-up and virtual network settings for the VPN connection object to use the proxy server settings for CERTKILLER-SR14 on the VPN clients, in the Internet Explorer.
C. You need to reconfigure the VPN address assignments to use DHCP on CERTKILLER-SR14 and ensure that the address assignments are within the range defined for the Internal network.
D. You need to create an access rule that allows outbound HTTP and HTTPS access from the VPN client network for the All Authenticated Users user set on CERTKILLER-SR14.
Answer: D
Explanation:
In this case the VPN Clients network does not have access to the Internet because there is no access rule that allows that traffic. Therefore you need to create an access rule that allows outbound HTTP and HTTPS access from the VPN Clients network to the External network for the All Authenticated Users user set. ISA Server assigns computers to networks and then uses network rules, network access rules, and publishing rules to restrict the movement of network traffic between networks. These concepts are also used by ISA Server to manage VPN connections. ISA Server uses the following networks for VPN connections:
VPN Clients network. This network contains the IP addresses of all of the VPN clients that have connected using VPN client access.
Quarantined VPN Clients network. This network contains the IP addresses of all of the VPN clients that have connected using VPN client access but have not yet cleared quarantine.
Remote-site network. This network contains the IP addresses of all of the computers in a remote site when a site-to-site VPN connection is configured. Additional remote-site networks are created for each remote-site connection.


QUESTION NO: 154
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR15. CERTKILLER-SR15 allows outgoing connections to the Internet. A network rule defines a network address translation (NAT) relationship between the Internal network and the Internet.
CertKiller.com consists of a Finance department. The users in this department require access to PPTP and L2TP over IPSec VPN servers on the Internet. You then configure all network computers, with the exception of CERTKILLER-SR15, as both Web Proxy and Firewall clients and create access rules on CERTKILLER-SR15 to allow outbound connections to the Internet by using the PPTP Client, IPSec NAT Traversal (NAT-T) Client, and IKE Client protocols.
One morning you received complaints that the users in the Finance department cannot connect to Internet PPTP and L2TP over IPSec VPN servers. You need to ensure that users can connect to PPTP and L2TP over IPSec VPN servers on the Internet.
What should you do?
A. You need to disable the Web Proxy client configuration on the network computers.
B. You need to disable the Firewall client configuration on the network computers.
C. You need to configure the network computers as SecureNAT clients.
D. You need to configure the network computers to use IPSec tunnel mode.
Answer: C
Explanation:

You can configure the ISA firewall to allow outbound access to VPN servers on the Internet. The ISA firewall supports all true VPN protocols, including PPTP, L2TP/IPSec, and IPSec NAT Traversal (NAT-T). Although ISA Server supports PPTP passthrough out of the box, there is no built-in support for IPSec passthrough. The reason for this is that the IPSec protocols are not NAPT (Network Address & Port Translation) compatible. The IPSec protocols are designed to authenticate and/or encrypt information in the packet. When a NAPT device (i.e. an ISA server) tries to change the information in the packet, it will either cause the packet to be considered invalid by an IPSec protocol, or it will be unable to perform the translation because information the NAPT device needs to access is encrypted. The IPSec Working Group has worked out a solution called NAT Traversal, or NAT-T for short. To make NAT-T work on the ISA Server we need to create an access rule that uses the IPSec IKE Client protocol and the IPSec NAT-T Client protocol. Because the PPTP VPN protocol requires GRE (an IP-level protocol that does not use TCP or UDP as a transport), machines configured only as Firewall and/or Web Proxy clients will not be able to connect to Internet VPN servers using PPTP. The machine must also be configured as a SecureNAT client to successfully complete the PPTP connection.


QUESTION NO: 155
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR14 which has VPN Quarantine Control enabled. CertKiller.com also has a number of policies that client computers must comply with before connecting to CERTKILLER-SR14. To enforce these policies, you create a Connection Manager (CM) profile and install it on all VPN client computers. The CM profile contains a script named quarantine.vbs that performs several tests on VPN client computers to ensure that they adhere to the CertKiller.com policies. If a computer passes the tests, the script executes the following command: RQC %1 %2 %3 %4 SV1.
The variables in the command represent the parameters inherited from the CM profile which are as follows:
One morning, some of the users at CertKiller.com complain that after they establish a VPN connection with CERTKILLER-SR14, they receive a message that their computer has been placed in quarantine mode. After the message the VPN connection is terminated, and they are prompted to reconnect.
You verify that the client computer configurations conform to CertKiller.com policies and that they pass the tests in the quarantine.vbs script.
During the investigation you notice that the System log displays a large number of instances of the following warning message: "A remote access client at IP address w.x.y.z connected by CertKiller\username has been rejected because it presented the following unrecognized quarantine string: SV1"
You need to ensure that VPN client computers can be moved out of the Quarantined VPN Clients network when the quarantine.vbs script executes successfully.
What should you do?
A. You need to create a new CM profile by using the Connection Manager Administration Kit (CMAK). Append the text string "SV1" to the list of parameters for the custom action.
B. You need to edit the quarantine.vbs script so that it uses the following command: RQC %DialRasEntry% %TunnelRasEntry% 7250 %Domain% %UserName%
C. On the ISA Server 2004 computer, configure the AllowedSets values for the RQS service by including the text string "SV1".
D. You need to use the Connection Manager Administration Kit (CMAK) to change the post-connect action to Rqc.exe.
Answer: C
Explanation:
The VPN quarantine control feature allows you to screen VPN client machines before allowing them access to the organizations network. Configuring quarantine control on ISA Server requires a number of configuration steps. Create a client-side script that validates client configuration information. Use CMAK to create a CM profile that includes a notification component and the client-side script. Create and install a listener component on the ISA Server. Enable quarantine control on ISA Server. Configure network rules and access rules for the Quarantined VPN Clients network.
The Network Quarantine Service (Rqs.exe) provides the listener service for computers running ISA Server to support VPN Quarantine. This component must be installed on all computers running ISA Server that will provide quarantine services. The easiest way to install the Network Quarantine Service and configure ISA Server to support listener network traffic is to use the ConfigureRQSForISA.vbs script provided with ISA Server 2004. The syntax to use this script is:
Cscript ConfigureRQSForISA.vbs /install SharedKey1\0SharedKey2 <path to RQS.exe>
The /install switch installs the listener service; to uninstall it, use /remove. <path to RQS.exe> is the location of the listener executable. The SharedKey values are the strings that the notification component is allowed to send to the listener component; there can be more than one, separated by \0. The notification message sent by Rqc.exe contains a text string that identifies the version of the quarantine script being run. This string is passed to Rqc.exe as its last command-line parameter by the quarantine script. Rqs.exe compares the string with the set of strings stored in the registry of the ISA Server computer. If there is a match, the quarantine restrictions are removed from the connection. If the client presents a string that is not in the allowed set, it is disconnected.

In this case the quarantine script passes the version string SV1 to Rqc.exe, which presents it to the listener on CERTKILLER-SR14. The warning in the System log shows that the listener does not recognize SV1, so the allowed set on the ISA Server computer (the AllowedSet registry value of the RQS service, populated from the SharedKey argument when the listener was installed) does not contain it. Adding SV1 to the allowed set makes the notification match, and clients that pass the script are moved out of the Quarantined VPN Clients network.
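The following added example models the decision just described; it is not code shipped with ISA Server 2004 or Windows Server 2003. It reproduces only the logic: the version string that Rqc.exe presents is whatever the quarantine script passes as its last argument, and the listener removes quarantine only when that string is in the allowed set built from the ConfigureRQSForISA.vbs SharedKey argument. The wire format of the Rqc/Rqs exchange and the registry access are deliberately not reproduced, and the exact, case-sensitive string comparison is an assumption.

```python
"""Model of the RQS listener decision for a quarantine notification (added example)."""
from __future__ import annotations

# On the ConfigureRQSForISA.vbs command line the keys are separated by a
# literal backslash followed by a zero, not by a NUL character.
KEY_SEPARATOR = r"\0"


def parse_shared_keys(arg: str) -> list[str]:
    """Turn 'SharedKey1\\0SharedKey2' into the list of accepted version strings."""
    keys = [k for k in arg.split(KEY_SEPARATOR) if k]
    if not keys:
        raise ValueError("at least one shared key is required")
    return keys


def configure_rqs_command(keys: list[str], rqs_path: str) -> str:
    """Command line that installs the listener with the given allowed set."""
    return f"cscript ConfigureRQSForISA.vbs /install {KEY_SEPARATOR.join(keys)} {rqs_path}"


def rqc_version_string(command_line: str) -> str:
    """Version string an 'RQC ...' line will present: Rqc.exe takes it as its last argument.

    CM-profile placeholders (%1, %DialRasEntry%, ...) are left untouched; only
    the last token matters to the listener.
    """
    tokens = command_line.split()
    if len(tokens) < 2 or tokens[0].lower() not in ("rqc", "rqc.exe"):
        raise ValueError("not an RQC command line")
    return tokens[-1]


def rqs_decision(allowed_set: list[str], presented: str, client_ip: str, user: str) -> tuple[bool, str]:
    """Return (quarantine_removed, log_text) for one notification.

    Assumption: the listener does an exact, case-sensitive string comparison.
    The rejection text mirrors the System log warning quoted in the question.
    """
    if presented in allowed_set:
        return True, f"Quarantine removed for {user} at {client_ip} (script version {presented})"
    return False, (
        f"A remote access client at IP address {client_ip} connected by {user} has been "
        f"rejected because it presented the following unrecognized quarantine string: {presented}"
    )


def diagnose(install_arg: str, script_line: str, client_ip: str, user: str) -> tuple[bool, str]:
    """Walk the whole path: install-time keys -> script's version string -> listener decision."""
    return rqs_decision(parse_shared_keys(install_arg), rqc_version_string(script_line), client_ip, user)


if __name__ == "__main__":
    # The scenario: listener installed with two shared keys, script presents SV1.
    print(diagnose(r"SharedKey1\0SharedKey2", "RQC %1 %2 %3 %4 SV1", "10.0.0.5", r"CertKiller\jdoe")[1])
    # The fix: SV1 is part of the allowed set.
    print(diagnose(r"SharedKey1\0SV1", "RQC %1 %2 %3 %4 SV1", "10.0.0.5", r"CertKiller\jdoe")[1])
```

Running the script prints the rejection text for the first call and the acceptance text for the second; the only difference between them is whether SV1 was part of the listener's allowed set when it was installed.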


QUESTION NO: 156
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com has its headquarters in Chicago and a branch office in Dallas. The CertKiller.com network contains two ISA Server 2004 computers named CERTKILLER-SR21 and CERTKILLER-SR22. CERTKILLER-SR21 is located in Chicago and CERTKILLER-SR22 is located in Dallas. Chicago and Dallas are connected with an IPSec tunnel mode site-to-site VPN. CERTKILLER-SR21 in Chicago has three addresses bound to its external network adapter. CERTKILLER-SR22 in Dallas uses a non-primary IP address to establish the IPSec tunnel mode connection to CERTKILLER-SR21.
The employees in Dallas report that they can connect to file shares at Chicago, but cannot connect to the Microsoft Outlook Web Access Web site. You need to ensure that the employees in Dallas can access the Outlook Web Access Web site.
What should you do?
A. You need to use a network address translation (NAT) relationship between the Chicago and Dallas network.
B. You need to add IP addresses to the external network adapter of CERTKILLER-SR22.
C. You need to change the Phase II IPsec configuration on both CERTKILLER-SR21 and CERTKILLER-SR22 to use Message Digest 5 (MD5) as its integrity algorithm.
D. You need to create a new protocol definition for TCP port 80 outbound and use the definition in the access rule.
Answer: D
Explanation:

The Dallas users can reach file shares in Chicago, so the IPSec tunnel mode site-to-site connection itself is up and the network and access rules for file-sharing traffic work. Only HTTP fails. The built-in HTTP protocol definition is bound to the Web Proxy filter: ISA Server terminates the client's HTTP connection and re-originates the request from its own primary address, instead of routing the client's packets through the tunnel as it does for the file-sharing traffic. A connection sourced from ISA Server's primary address is not carried over a tunnel that was established on a non-primary address, so the request never reaches the Outlook Web Access server. Creating a new protocol definition for TCP port 80 outbound, which is not bound to the Web Proxy filter, and using it in the access rule makes ISA Server route the HTTP packets through the tunnel like the rest of the site-to-site traffic.

QUESTION NO: 157
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 that is used to control Internet access and is configured by using the 3-Leg Perimeter network template. You recently enabled Web caching on CERTKILLER-SR01 and configured all the client computers as Web Proxy clients. You use the Microsoft SQL Server 2000 Desktop Engine (MSDE) database log storage format for the Web Proxy logs and have configured the total size of the log file to 10 GB.
The CertKiller.com network users report that access to frequently visited sites is very slow. You configure the following System Monitor performance counters to find the source of the slow performance: Memory\Pages/sec and PhysicalDisk\Avg. Disk Queue Length.
You need to determine which combination of counter values indicates the worst performance bottleneck.
What should you do?
A. A high Memory\Pages/sec value and a low PhysicalDisk\Avg. Disk Queue Length value.
B. A low Memory\Pages/sec value and a low PhysicalDisk\Avg. Disk Queue Length value.
C. A low Memory\Pages/sec value and a high PhysicalDisk\Avg. Disk Queue Length value.
D. A high Memory\Pages/sec value and a high PhysicalDisk\Avg. Disk Queue Length value.
Answer: D
Explanation:
Memory\Pages/sec counts hard page faults that have to be resolved from disk; a sustained high value means the server lacks physical memory. PhysicalDisk\Avg. Disk Queue Length counts requests waiting for the disk; a sustained high value means the disk subsystem is saturated. The worst case is both values high at the same time: the server is paging heavily to a disk that already cannot keep up with the cache reads and the writes to the 10 GB MSDE log, so every page fault waits in the disk queue and Web requests stall.

Incorrect Answers:
A: High paging with a short disk queue points to a memory shortage only; the disk is still keeping up.
B: Two low values indicate that neither memory nor disk is under pressure, so the bottleneck lies elsewhere.
C: A long disk queue with little paging points to a disk bottleneck only; memory is not the limiting resource.


QUESTION NO: 158
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 used to control Internet access as all the network users of CertKiller.com require Internet access. The network users often visit the same Web site on the Internet. You enable forward caching on CERTKILLER-SR01 to accelerate outbound requests from the internal users.
The CertKiller.com internal users start reporting that access to Web sites is very slow. You suspect that insufficient memory is causing CERTKILLER-SR01 to perform slowly. You decide to monitor CERTKILLER-SR01 by adding the following counters to System Monitor: Memory\Pages/sec and ISA Server Cache\Memory Usage Ratio Percent (%).
You decided to delegate the task to an assistant named Dean Austin but Dean Austin reports that he is unable to monitor the performance by using system monitor.
What should you do?
A. Dean Austin must be added to the Server Operators domain group.
B. An access rule must be created to allow Dean Austin to connect to CERTKILLER-SR01.
C. The ISA Server Basic Monitoring rights must be assigned to Dean Austin.
D. Dean Austin should be added to the Windows Server 2003 Performance Monitor Users group.
Answer: D
Explanation:
On Windows Server 2003, members of the built-in Performance Monitor Users group can view performance counter data on the computer, locally and remotely, without being administrators. Adding Dean Austin to that group on CERTKILLER-SR01 grants exactly the right he needs and nothing more.

Incorrect Answers:
A: Server Operators exists only on domain controllers and grants far broader rights than access to performance counters.
B: Access rules control traffic that passes through ISA Server; they do not grant the right to read performance counters on it.
C: The ISA Server Basic Monitoring role grants access to ISA Server's own monitoring functions in ISA Server Management, not to Windows performance counters in System Monitor.


QUESTION NO: 159
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall to control Internet access, and all the client computers are configured as Firewall clients and Web Proxy clients. The CertKiller.com network users regularly access a partner Web site that is updated frequently. You enable Web caching on CERTKILLER-SR01 and configure a content download job to run regularly after office hours to ensure that the users have access to the latest information without consuming daytime bandwidth. The network users start reporting that access to the partner Web site is very slow. You add the counters below to System Monitor to look for performance bottlenecks: Memory\Pages/sec and PhysicalDisk\Avg. Disk Queue Length.
You now need to examine the cache disk to identify the cause of the slow performance.
What should you do? (Choose all that apply)
A. The ISA Server Cache\Total Actively Refreshed URLs performance counter should be added to the System Monitor console.
B. The ISA Server Cache\Memory Usage Ratio Percent (%) performance counter should be added to the System Monitor console.
C. The ISA Server Cache\Total URLs Cached performance counter should be added to the System Monitor console.
D. The ISA Server Cache\URL Commit Rate (URL/sec) performance counter should be added to the System Monitor console.
E. The ISA Server Cache\Total Disk Failures performance counter should be added to the System Monitor console.
Answer: C,D,E
Explanation:

These three counters describe the disk cache directly: ISA Server Cache\Total URLs Cached is the number of URLs stored on the cache disk, ISA Server Cache\URL Commit Rate (URL/sec) is the rate at which URLs are being written to the cache disk (which the content download job drives), and ISA Server Cache\Total Disk Failures counts I/O failures on the cache drive. Read together with the Memory\Pages/sec and PhysicalDisk\Avg. Disk Queue Length counters already being collected, they show whether the cache disk is the bottleneck.

Incorrect Answers:
A: This counter displays the cumulative number of URLs in the cache that have been actively refreshed; it describes the download job's activity, not the cache disk.
B: This counter displays the ratio between cache fetches served from the memory cache and total cache fetches; it describes memory, not the cache disk.


QUESTION NO: 160
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 used to control Internet access both outbound and inbound. You configure CERTKILLER-SR01 as a Web caching server. The CertKiller.com network regularly accesses a partner Web site that is updated frequently. You configure a content download job to run regularly every morning before office hours to ensure that the users have access to the latest information without utilizing precious bandwidth.
The network users start reporting that access to the partner Web site is slow. You suspect that the problem is occurring because the cache is being trimmed due to insufficient memory. You need to verify that a reduction in cache size caused by low memory is the cause of the slow performance, and you must select the performance counters to use.
What should you do? (Choose TWO.)
A. Memory\Cache Bytes.
B. Memory\Available Bytes.
C. Memory\Pages/sec.
D. ISA Server Cache\Memory Usage Ratio Percent (%).
Answer: A,B
Explanation:
Memory\Available Bytes shows how much physical memory is free, and Memory\Cache Bytes shows the current size of the system cache. When both fall together over time, Windows is trimming the cache to satisfy other memory demand, which is the condition you need to confirm. You can collect these counters with System Monitor on Windows 2000 Server or Windows Server 2003, or with ISA Server Performance Monitor, which is installed with ISA Server Management and has the ISA Server counters preloaded.


Incorrect Answers:
C: This counter measures the number of pages per second paged out of RAM to disk or paged into RAM from disk. It shows memory pressure in general, not that the cache is being trimmed.
D: This counter displays the ratio between cache fetches served from the memory cache and total cache fetches. It describes how effective the memory cache is, not whether it is shrinking.


QUESTION NO: 161
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR18 which is configured to provide forward Web caching for users on the Internal network. All CertKiller.com employees work from 8 AM to 5 PM on business days. One morning you receive a complaint from the employees that, when they are very busy, it takes longer than usual for Web pages to appear. With this information you suspect that insufficient memory is the source of the slow performance of CERTKILLER-SR18.
You need to confirm your suspicion and therefore have to decide which System Monitor performance counters to add to find out whether insufficient memory is indeed the source of the slow performance.
What should you do? (Each correct answer presents part of the solution. Choose TWO.)
A. Add the Memory\Pages/sec System Monitor counter.
B. Add the Process(W3Prefch)\Pool Nonpaged Bytes System Monitor counter.
C. Add the ISA Server Cache\Memory Usage Ratio Percent (%) System Monitor counter.
D. Add the Physical Disk\Avg. Disk Queue Length System Monitor counter.
E. Add the ISA Server Cache\Disk Write Rate (writes/sec) System Monitor counter
F. Add the Memory\Pool Nonpaged Bytes System Monitor counter.
Answer: A,C
Explanation:
The ISA Server installation configures several new performance objects that you can use to monitor system performance on the computer running ISA Server. You view the performance objects and their associated performance counters in real time in System Monitor, a monitoring tool that is included with Windows 2000 and Windows Server 2003. The counters offered here are:
Memory\Pages/sec - the rate at which pages are read from or written to disk to resolve hard page faults. This counter is a primary indicator of the kinds of faults that cause system-wide delays.
Process(W3Prefch)\Pool Nonpaged Bytes - the size, in bytes, of the nonpaged pool used by the W3Prefch process. The nonpaged pool is an area of system memory (physical memory used by the operating system) for objects that cannot be written to disk and must remain in physical memory as long as they are allocated.
ISA Server Cache\Memory Usage Ratio Percent (%) - the percentage of all cache fetches that are served from the memory cache. A high percentage may indicate that it is worthwhile allocating more available memory to the cache. A low percentage may indicate that memory resources may be better used elsewhere.
Physical Disk\Avg. Disk Queue Length - the average number of read and write requests that were queued for the selected disk during the sample interval.
ISA Server Cache\Disk Write Rate (writes/sec) - the number of writes per second to the disk cache for the purpose of writing URL content to the cache disk.
Memory\Pool Nonpaged Bytes - the size, in bytes, of the nonpaged pool for the whole system.
Of these, Memory\Pages/sec shows whether the server is paging, and ISA Server Cache\Memory Usage Ratio Percent (%) shows whether the cache is competing for the memory that is left; together they confirm or rule out insufficient memory.
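The following added example (not code from the original page) turns the counter reasoning of questions 157 to 161 into a triage routine over a series of System Monitor samples. The thresholds are assumptions, the usual rules of thumb: sustained Memory\Pages/sec above 20 means the server is short of RAM, and PhysicalDisk\Avg. Disk Queue Length above 2 per spindle means the disk cannot keep up. ISA Server Cache\Memory Usage Ratio Percent (%) is read the way the counter description above puts it: a high ratio while the server is paging means the memory cache is worth more RAM. The sample values are constructed for the example.

```python
"""Counter-based triage for a slow ISA Server 2004 Web cache (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean

PAGES_PER_SEC_HIGH = 20.0          # assumption: sustained paging threshold
DISK_QUEUE_HIGH_PER_SPINDLE = 2.0  # assumption: queue length per physical disk
MEMORY_RATIO_HIGH = 50.0           # assumption: % of cache fetches served from RAM


@dataclass
class Sample:
    pages_per_sec: float            # Memory\Pages/sec
    avg_disk_queue: float           # PhysicalDisk\Avg. Disk Queue Length
    available_bytes: int            # Memory\Available Bytes
    cache_bytes: int                # Memory\Cache Bytes
    memory_usage_ratio_pct: float   # ISA Server Cache\Memory Usage Ratio Percent (%)
    total_disk_failures: int        # ISA Server Cache\Total Disk Failures (cumulative)


def triage(samples: list[Sample], spindles: int = 1) -> list[str]:
    """Return suspected bottlenecks, worst first, for samples taken over an interval."""
    if not samples:
        raise ValueError("need at least one sample")
    paging = mean(s.pages_per_sec for s in samples)
    queue = mean(s.avg_disk_queue for s in samples)
    ratio = mean(s.memory_usage_ratio_pct for s in samples)
    new_failures = samples[-1].total_disk_failures - samples[0].total_disk_failures
    # Memory\Cache Bytes and Memory\Available Bytes both falling across the series
    # means Windows is trimming the cache to satisfy other memory demand (question 160).
    trimming = (len(samples) > 1
                and samples[-1].cache_bytes < samples[0].cache_bytes
                and samples[-1].available_bytes < samples[0].available_bytes)
    memory_high = paging > PAGES_PER_SEC_HIGH
    disk_high = queue > DISK_QUEUE_HIGH_PER_SPINDLE * spindles

    findings: list[str] = []
    if memory_high and disk_high:   # question 157: both high is the worst case
        findings.append("worst case: paging heavily to a disk that is already saturated (memory and disk)")
    elif memory_high:
        findings.append("memory pressure: hard page faults are high")
    elif disk_high:
        findings.append("disk bottleneck: requests are queuing for the cache/log disk")
    if trimming:
        findings.append("cache being trimmed for low memory: Cache Bytes and Available Bytes both falling")
    if memory_high and ratio >= MEMORY_RATIO_HIGH:   # question 161: Pages/sec + Memory Usage Ratio
        findings.append(f"memory cache serves {ratio:.0f}% of fetches while paging: add RAM for the cache")
    elif memory_high:
        findings.append(f"paging but the memory cache serves only {ratio:.0f}% of fetches: memory is consumed elsewhere")
    if new_failures > 0:            # question 159: Total Disk Failures on the cache drive
        findings.append(f"{new_failures} new cache disk failures in the interval: check the cache drive")
    return findings


if __name__ == "__main__":
    # Constructed samples: a server that pages to a saturated disk while its cache shrinks.
    busy_day = [Sample(45.0, 6.5, 40_000_000, 120_000_000, 70.0, 0),
                Sample(60.0, 8.0, 30_000_000, 90_000_000, 68.0, 0)]
    for line in triage(busy_day):
        print(line)
```

The routine deliberately compares the first and last samples for the trimming check rather than a single reading: one low Available Bytes value says nothing, whereas the system cache and free memory shrinking together over the interval is the signature question 160 asks you to confirm.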



QUESTION NO: 162
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com.
The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR10 and a Windows Server 2003 computer named CERTKILLER-SR11. CERTKILLER-SR10 is configured to generate daily reports and automatically publish them to a shared folder named CK_Reports on CERTKILLER-SR11. For publishing the reports you also create an account named CK\IsaReport, and you configure CERTKILLER-SR10 to create the reports in the security context of the CK\IsaReport account.
The existing permissions on the CK_Reports folder are as follows.
You need to configure the minimum NTFS permissions on the CK_Reports folder.
What should you do?
A. You need to change the system object from Full Control to Modify.
B. You need to change CK\IsaReport object from Full Control to Read.
C. You need to change CK\IsaReport object from Full Control to Write.
D. You need to change the system object from Full Control to Read and Write.
Answer: C
Explanation:

Reports are collections of information generated from data collected in the ISA Server log files. You can use the reporting feature to summarize and analyze common usage patterns, and to monitor the security of your network. You can generate a report immediately or schedule reports to be generated on a recurring basis. To publish a report, ISA Server, running here as CK\IsaReport, must create files and a folder in CK_Reports; that requires the Write permission and nothing more. People who only view the published report need Read. Full Control would additionally let the publishing account change permissions and delete other users' files, so the minimum is to replace Full Control with Write for CK\IsaReport.

QUESTION NO: 163
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com consists of a Development department. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR12 which functions as a remote access VPN server for the network. CERTKILLER-SR12 is configured to accept PPTP and L2TP over IPSec for remote access VPN clients to connect to.
One morning you receive a complaint that users cannot connect to the CertKiller.com network. You open the log file on CERTKILLER-SR12 and notice that the users with failed connection attempts are all using L2TP over IPSec. You need to ensure that the users can connect to the network.
What should you do?
A. You need to disable IP fragment blocking.
B. You need to disable IP routing.
C. You need to disable IP options filtering
D. You need to disable verification of incoming client certificates.
Answer: A
Explanation:
You can configure ISA Server to drop all IP fragments. When this option is enabled, every fragmented packet is dropped by ISA Server's packet filtering. Blocking fragments defends against attacks that rely on them, such as the teardrop attack. However, L2TP over IPSec connections may fail to be established because packet fragmentation takes place during the certificate exchange: the IKE messages that carry the certificates are larger than the path MTU, so they arrive as fragments, and with fragment blocking enabled they are dropped. In this scenario IP fragment blocking is enabled; you must disable it to allow L2TP over IPSec connections.
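The following added example (not code from the original page) shows the failure mode concretely: it fragments an oversized IKE datagram the way an IPv4 sender does (RFC 791, offsets in 8-byte units, More Fragments flag) and then applies a "drop all IP fragments" filter to the result. The header lengths are the protocol constants; the certificate payload size and the 1500-byte MTU are example values.

```python
"""IPv4 fragmentation of a large IKE (UDP 500) datagram and a fragment-blocking filter (added example)."""
from __future__ import annotations
from dataclasses import dataclass

IPV4_HEADER = 20
UDP_HEADER = 8
ISAKMP_HEADER = 28   # fixed ISAKMP (IKEv1) header
MTU_ETHERNET = 1500  # example value


@dataclass(frozen=True)
class Fragment:
    offset_units: int      # fragment offset in 8-byte units, as carried in the IP header
    length: int            # bytes of IP payload in this fragment
    more_fragments: bool   # MF flag


def fragment_ipv4(payload_len: int, mtu: int = MTU_ETHERNET) -> list[Fragment]:
    """Split an IP payload into fragments that each fit the MTU (RFC 791)."""
    if payload_len <= mtu - IPV4_HEADER:
        return [Fragment(0, payload_len, False)]
    max_data = (mtu - IPV4_HEADER) // 8 * 8   # all but the last fragment carry a multiple of 8 bytes
    frags: list[Fragment] = []
    offset = 0
    while offset < payload_len:
        chunk = min(max_data, payload_len - offset)
        frags.append(Fragment(offset // 8, chunk, offset + chunk < payload_len))
        offset += chunk
    return frags


def ike_datagram_fragments(isakmp_payload_len: int, mtu: int = MTU_ETHERNET) -> list[Fragment]:
    """Fragments produced by one IKE message whose payloads (e.g. a certificate chain) total the given size."""
    return fragment_ipv4(UDP_HEADER + ISAKMP_HEADER + isakmp_payload_len, mtu)


def fragments_passed(frags: list[Fragment], block_fragments: bool) -> list[Fragment]:
    """Apply ISA's 'drop all IP fragments' option.

    A packet is a fragment if its MF flag is set or its offset is non-zero, so
    when blocking is on, only an unfragmented datagram gets through.
    """
    if not block_fragments:
        return list(frags)
    return [f for f in frags if not f.more_fragments and f.offset_units == 0]


if __name__ == "__main__":
    # Example: an IKE message carrying about 3000 bytes of certificate payload.
    frags = ike_datagram_fragments(3000)
    print(f"{len(frags)} fragments on the wire, {len(fragments_passed(frags, True))} pass with fragment blocking on")
```

With the 3000-byte example the IKE message becomes three fragments, and because even the first carries the More Fragments flag, the blocking filter passes none of them: the peer never sees the certificate and the L2TP/IPSec tunnel cannot complete. A small IKE message (a few hundred bytes) is never fragmented and passes regardless.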

Part 2: Configure and run reports (4 Questions)


QUESTION NO: 164
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 configured as an Edge Firewall that is used to control outbound and inbound Internet access. CertKiller.com management has requested a report for a Web server on the internal network that includes the IP addresses of the Web clients. You configure CERTKILLER-SR01 to generate the required report and publish it to a shared folder. You grant the Allow Read permission on the shared folder to the management staff.
You test the report and discover that it contains only the internal IP address of CERTKILLER-SR01. You need to ensure that the report displays the IP addresses of the clients that made the Web requests.
What should you do?
A. Server publishing should be used to log the original IP address of the client who made the request.
B. The allowed permissions granted for the management staff for the shared folder should be changed from Allow Read to Allow Full Control.
C. Web publishing must be used to log the original IP address of the client who made the Web request
D. Third-party ISA server add-ons should be used to generate the required report.
Answer: A
Explanation:
With server publishing, ISA Server forwards the packets to the internal Web server at the network layer and, by default, preserves the original client source address, so the Web server's own logs and any report built from them show the real client IP addresses. With Web publishing, the Web Proxy filter terminates the client connection and opens a new connection to the Web server from ISA Server's own internal IP address, which is why the report shows only the internal address of CERTKILLER-SR01.

Incorrect Answers:
B: Shared folder permissions control who can open the published reports; they have no effect on which addresses are recorded.
C: Web publishing is what causes the Web server to see ISA Server's internal address as the source of every request, so it cannot produce the original client addresses here.
D: ISA Server has a built-in report publishing feature; third-party add-ons are not required.


QUESTION NO: 165
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 used to control Internet access. The CertKiller.com network security policy states that all shared folders must have the minimum NTFS permissions required for the job, that no user other than the ISA Server administrator may be granted any administrative right on CERTKILLER-SR01, and that all shared folders on the network are configured with the Allow Read permission by default.
CertKiller.com management recently requested a report on the Web sites that employees visit frequently. You create a report job on CERTKILLER-SR01 and configure the job to send an e-mail containing a link to the report to CertKiller.com management. You additionally publish the report, in the security context of the CERTKILLER-SR01\Administrator account, to a shared folder on which management has the Allow Read permission. When you later check the shared folder, you discover that the report was not published. You need to ensure that management is able to access the weekly report while adhering to the network security policy.
What should you do?
A. The Allow Read & Execute permission should be granted to the CERTKILLER-SR01\Administrator account for the shared folder.
B. The Allow Full Control permission should be granted to the CERTKILLER-SR01\Administrator account for the shared folder.
C. The Allow Modify permission should be granted to the CERTKILLER-SR01\Administrator account for the shared folder.
D. The Allow Write permission should be granted to the CERTKILLER-SR01\Administrator account for the shared folder.
Answer: D
Explanation:
Publishing a report requires the account that runs the report job, CERTKILLER-SR01\Administrator here, to create files in the shared folder, and that requires the Allow Write NTFS permission. The folder's default Allow Read permission is why the report was not published. Write is also the least permission that does the job, which is what the security policy demands; management keeps its Allow Read permission to open the report.


Incorrect Answers:
A: Read & Execute does not allow the account to create files, so the report still cannot be published.
B: Full Control allows the account to create files, but it also allows it to change permissions and take ownership, which exceeds the minimum required by the security policy.
C: Modify allows the account to create files, but it also allows it to delete and overwrite existing reports, which exceeds the minimum required by the security policy.


QUESTION NO: 166
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. The client computers at CertKiller.com are running Windows XP Professional.
CertKiller.com contains a Development department. The CertKiller.com network contains an ISA Server 2004 computer named CERTKILLER-SR14 which gives Internet access to the employees of the Development department.
You have configured the client computers that connect to the network as SecureNAT clients. You also create an access rule on CERTKILLER-SR14 that allows all users access to all protocols on the External network. After the creation of the access rule, you view the Firewall log and the Web Proxy filter log on CERTKILLER-SR14 and notice that the URLs of Web sites visited by Development employees are not displayed.
You need to ensure that the URLs of Web sites visited by employees are displayed in the CERTKILLER-SR14 log files.
What should you do?
A. You need to configure all network computers as Web Proxy clients.
B. You need to configure all network computers as Firewall clients.
C. You need to configure CERTKILLER-SR14 to require authentication for Web requests.
D. You need to configure CERTKILLER-SR14 to require authentication for all protocols.
Answer: A
Explanation:
The user name appears in the Firewall and Web Proxy logs only when a client sends it to the ISA firewall. Nothing in the layer 1 to 6 headers carries user information, so a client-side component is always required: only the Firewall client and Web Proxy client configurations send user information, and only their connections are logged with a user name. SecureNAT connections are logged with the source IP address, but a user name is never recorded for computers configured only as SecureNAT clients. URLs work the same way. There is no option to log the URL in the Firewall logging properties, because the Firewall client does not send the URL of Web sites accessed through it; URLs are recorded by the Web Proxy filter, which is what Web Proxy clients send their requests to. Configuring the computers as Web Proxy clients therefore makes the URLs appear in the Web Proxy log on CERTKILLER-SR14.
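The following added example (not code from the original page) parses ISA Server's W3C text-format logs and answers the two reporting questions above (164 and 166): which client address made each request, and which records carry a URL. The parser takes the column order from the log's own #Fields: directive, so it does not depend on the exact column set ISA Server writes; the log lines below are constructed for the example and use only a subset of the real columns, with values that contain no spaces.

```python
"""Header-driven parser for the ISA Server 2004 W3C text log format (added example)."""
from __future__ import annotations
from collections import Counter, defaultdict

# Constructed sample: two Web Proxy client users and one SecureNAT client whose
# traffic was handled by the Firewall service and therefore carries no URL ('-').
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Version: 2.0
#Fields: c-ip cs-username date time s-svcname r-host cs-uri sc-status
10.1.1.20 CERTKILLER\\jdoe 2005-03-01 09:00:01 w3proxy www.partner.example http://www.partner.example/news 200
10.1.1.20 CERTKILLER\\jdoe 2005-03-01 09:00:05 w3proxy www.partner.example http://www.partner.example/prices 200
10.1.1.21 anonymous 2005-03-01 09:01:10 fwsrv 203.0.113.7 - 0
10.1.1.22 CERTKILLER\\asmith 2005-03-01 09:02:00 w3proxy www.partner.example http://www.partner.example/news 304
10.1.1.22 CERTKILLER\\asmith 2005-03-01 09:02:30 w3proxy intranet.certkiller.com http://intranet.certkiller.com/ 200
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Return one dict per data line, keyed by the names from the #Fields: directive.

    Assumption: field values contain no embedded spaces (W3C writers escape them).
    """
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("data line before #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def top_sites(records: list[dict[str, str]], n: int = 3) -> list[tuple[str, int]]:
    """Most visited destination hosts, counting only records that carry a URL."""
    hosts = Counter(r["r-host"] for r in records if r.get("cs-uri", "-") != "-")
    return hosts.most_common(n)


def clients_without_url(records: list[dict[str, str]]) -> set[str]:
    """Client addresses whose records carry no URL: SecureNAT traffic seen by the Firewall service."""
    return {r["c-ip"] for r in records if r.get("cs-uri", "-") == "-"}


def urls_by_user(records: list[dict[str, str]]) -> dict[str, list[str]]:
    """URLs per authenticated user; SecureNAT records contribute nothing here."""
    out: dict[str, list[str]] = defaultdict(list)
    for r in records:
        if r.get("cs-uri", "-") != "-":
            out[r["cs-username"]].append(r["cs-uri"])
    return dict(out)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("top sites:", top_sites(recs))
    print("clients with no URL logged:", clients_without_url(recs))
    print("URLs by user:", urls_by_user(recs))
```

Because the client address is taken from c-ip, the report shows real client addresses even when the Web server behind ISA Server only ever sees the firewall's internal address; and the record from 10.1.1.21 shows why question 166's SecureNAT clients never produce URLs in the log.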



QUESTION NO: 167
You work as a network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR15.
CERTKILLER-SR15 has been configured to generate daily and monthly reports. You configure a report that shows employee activity for the weekends of the last three months. The reports for the last five weekends display correct data, but the earlier weekends cannot be displayed; only monthly activity summary reports are available for the previous months. You need to provide custom reports that show the actual activity for all the weekends during the last three months.
What should you do?
A. You must configure the Microsoft Data Engine (MSDE) database log files to be saved for 130 days and restore the MSDE database log files from backup for the last three months.
B. You must configure daily reports to be saved for 130 days and restore the log summary files from backup for the last three months.
C. You must delete the log summary files and configure daily reports to be saved for 130 days. Disable and then re-enable log summary reports.
D. You must create a new folder for each of the weekends in the IsaReports folder and copy the respective daily report files for each day of a weekend into their corresponding folders.
Answer: B
Explanation:
ISA Server can be configured to produce reports that summarize activity on the server, either on demand or on a recurring schedule. Reports are generated from log summaries, which the reporting mechanism builds from the ISA Server logs into a database on each ISA Server computer. By default 35 daily summaries and 13 monthly summaries are kept, so day-level information is available only for roughly the last five weeks, which matches the five weekends that can still be reported; older data survives only as monthly summaries. To report on every weekend of the last three months you need the daily summaries for those days: increase the number of daily summaries that are kept (130 covers more than three months) and restore the older log summary files from backup, then generate the custom reports from them.
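The following added example (not code from the original page) checks the retention arithmetic behind the answer: with the defaults stated above, which weekends still have daily data, how many daily summaries must be kept to cover the last three months, and which weekends are missing until the backup is restored. The reference date, and the assumption that the retained daily summaries are the N days ending the day before that date, are choices made for the example.

```python
"""Which weekends still have daily log summaries under ISA Server's retention settings (added example)."""
from __future__ import annotations
from datetime import date, timedelta

DEFAULT_DAILY_SUMMARIES = 35    # ISA Server 2004 default, as stated above
DEFAULT_MONTHLY_SUMMARIES = 13  # ISA Server 2004 default, as stated above


def months_before(d: date, months: int) -> date:
    """Same day of month, `months` calendar months earlier (clamped to the month's length)."""
    year, month = d.year, d.month - months
    while month <= 0:
        month += 12
        year -= 1
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def weekends_between(first: date, last: date) -> list[date]:
    """Saturdays whose Sunday also lies within [first, last] (a complete weekend)."""
    out: list[date] = []
    d = first
    while d <= last:
        if d.weekday() == 5 and d + timedelta(days=1) <= last:
            out.append(d)
        d += timedelta(days=1)
    return out


def weekends_with_daily_data(reference: date, daily_summaries: int = DEFAULT_DAILY_SUMMARIES) -> list[date]:
    """Weekends covered by the retained daily summaries (assumed to end the day before `reference`)."""
    last = reference - timedelta(days=1)
    return weekends_between(last - timedelta(days=daily_summaries - 1), last)


def daily_summaries_needed(reference: date, months: int) -> int:
    """Daily summaries that must be kept to cover every day of the last `months` months."""
    return (reference - months_before(reference, months)).days


def missing_weekends(reference: date, months: int, daily_summaries: int = DEFAULT_DAILY_SUMMARIES) -> list[date]:
    """Weekends in the last `months` months that the retained daily summaries do not cover."""
    wanted = weekends_between(months_before(reference, months), reference - timedelta(days=1))
    have = set(weekends_with_daily_data(reference, daily_summaries))
    return [w for w in wanted if w not in have]


if __name__ == "__main__":
    today = date(2005, 3, 7)   # example reference date, a Monday
    print("weekends with daily data:", len(weekends_with_daily_data(today)))
    print("daily summaries needed for 3 months:", daily_summaries_needed(today, 3))
    print("weekends still missing:", [str(w) for w in missing_weekends(today, 3)])
    print("missing after raising retention to 130:", missing_weekends(today, 3, 130))
```

With the default of 35 daily summaries exactly five weekends have day-level data, matching the scenario; three months back needs about 90 daily summaries, so a setting of 130 is ample, and the older weekends only reappear once the summaries for those days are restored.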

Part 3: Configure logging and alerts (6 Questions)


QUESTION NO: 168
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 used to control Internet access. The CertKiller.com network security policy states that all URLs of the Web sites visited by the users on the internal network be logged. To ensure that the Web sites are logged you configure all client computers as Web Proxy clients and configure CERTKILLER-SR01 to log information in a text file format.
The network users of the Reporting group require access to information stored in the ISA server logs to consolidate the annual report. You want to grant the Reporting group permission to view the ISA server logs while ensuring that they are unable to create firewall policies.
What should you do?
A. The ISA Server Extended Monitoring role should be assigned to the users of the Reporting group.
B. The ISA Server Basic Monitoring role should be assigned to the users in the Reporting group.
C. The ISA Server Full Administrator role should be assigned to the Reporting group.
D. The ISA Server Basic Monitoring role with special privileges should be assigned to users in the Reporting group.
Answer: A
Explanation:
Remember in the scenario that the ISA Server Extended Monitoring role allows users to perform monitoring tasks, log configuration and alert definition configuration, as well as export and import of secret configuration information.

Incorrect Answers:
B: This option should not be used in the scenario because users assigned this role are unable to view log files.
C: This option should not be used because the Full Administrator role would grant the Reporting group far more than they require, including the ability to create firewall policies.
D: This option should not be used in the scenario because users assigned this role are unable to view log files.


QUESTION NO: 169
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional. CertKiller.com has its headquarters in Chicago and branch office in Dallas.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 in the branch office, used to control both inbound and outbound Internet access. The CertKiller.com network clients are all configured as Web Proxy clients. You configured CERTKILLER-SR01 to log all data in a text file format. The CertKiller.com management staff request information from the log files about the sites the clients visited. You check the log files using the Log Viewer and discover the log information is displayed. You are required to ensure that you are able to view the information using the Log Viewer.
What should you do?
A. The ISA server log files must be configured to be saved in the Microsoft SQL Server 2000 Desktop Engine (MSDE) database log storage format.
B. All the client computers should be configured as SecureNAT clients on the network.
C. All the client computers should be configured as Firewall clients on the network.
D. The ISA server log files should be configured to be saved in a text file format.
Answer: A
Explanation:
In the scenario you should always remember that only log files stored in the MSDE format can be viewed later using the Log Viewer.

Incorrect Answers:
B: Only the Web Proxy clients would be able to resolve Web sites through the ISA server using this configuration in the scenario.
C: Only the Web Proxy clients would be able to resolve Web sites through the ISA server using this configuration in the scenario.
D: There is no need for you to configure this type of format as it is already used in the scenario.


QUESTION NO: 170
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 used to control Internet access. The network also contains an SMTP server named CERTKILLER-SR02 and a DNS server named CERTKILLER-SR03. You recently created a DNS intrusion alert that will detect host name overflow and zone transfer attacks. You additionally configured the following actions to be taken if a DNS intrusion is detected:
Send e-mail to [email protected]
Run a program named CKDNSAlert.cmd.
Write the event to the Windows event log.
During the course of the day you discover that when a DNS intrusion is detected, the event is written to the Windows event log and the e-mail is sent to the specified e-mail account, but the CKDNSAlert.cmd program does not execute. You run the batch file separately and it works fine. You verify the user account under whose security context the CKDNSAlert.cmd program executes and ensure that the account has the Log on as a batch job right. You are required to ensure that the CKDNSAlert.cmd program runs.
What should you do?
A. A System Policy rule must be defined to allow the Local Host network to access the folder in which the CKDNSAlert.cmd program resides.
B. A Firewall access rule should be enabled to allow the Local Host network to access the folder in which the CKDNSAlert.cmd program resides.
C. The user account should be granted the Allow Full Control permission for the folder in which the CKDNSAlert.cmd program resides.
D. The password of the user account under whose security context the CKDNSAlert.cmd program runs should be reconfigured.
Answer: D

Explanation:
In the scenario you should remember that if the program does not run even though the account has the Log on as a batch job right assigned, you are required to reconfigure the password of the account in question.

Incorrect Answers:
A, B: These options should not be considered for use in the scenario because the Local Host network refers to the ISA server itself; you only require a user account that has the Log on as a batch job right.
C: This option would not help in the scenario because the user already has sufficient permissions to run the program.


QUESTION NO: 171
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 used to control both inbound and outbound Internet access. The CertKiller.com network security policy states that daily and monthly log summaries must be retained for at least 65 days and two years respectively. You make the following changes in the Log Summary Properties dialog box of the ISA server:
Change the value of the Daily summaries field from the default value of 32 to 66.
Change the value of the Monthly summaries field from the default value of 13 to 25.
Later during the course of the day you receive a request from the CertKiller.com management for the daily Web usage summary for the past two months and the monthly Web usage report for the past two years. You generate the required report and configure it to send an e-mail to the CertKiller.com management with a link to the report. The CertKiller.com management receive the e-mail but complain that they get a "Page cannot be displayed" message while attempting to open the link. You open the report from CERTKILLER-SR01 and verify that the report opens properly. You are required to ensure that the CertKiller.com management can access the report.
What should you do?
A. A new folder should be created and specify the path to the new folder in the This folder field on the Log Summary Properties dialog box.
B. The System Policy rule must be enabled to allow the Local Host network to access the internal network by using SMTP protocol.
C. The value of the Daily and Monthly summaries should be changed to the default values.
D. The report should be published to a shared folder.
Answer: D
Explanation:
In the scenario you should always remember that in order for users to view the report, you must first publish the report to a shared folder.

Incorrect Answers:
A: This should not be done in the scenario because the report was created successfully. You only need to publish it to a shared folder.
B: This should not be done in the scenario because this rule only controls access from the Local Host network to the internal network; it does not make the report reachable.
C: This should not be done in the scenario because the report was created successfully. You only need to publish it to a shared folder.


QUESTION NO: 172
You work as the network administrator at CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. All servers on the CertKiller.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The CertKiller.com network recently deployed an ISA server named CERTKILLER-SR01 used to control both outbound and inbound Internet access. You decide to configure an intrusion detection alert that sends an e-mail when five or more intrusion incidents are detected by the ISA server. You are required to configure the alert so that the e-mail is sent to you, and you need to select which options to use.
What should you do?
A. The Report to Windows event log option should be selected on the Actions tab of the Intrusion detected Properties dialog box and enable e-mail forwarding in the Windows Event Viewer.
B. The Run a program option should be selected on the Actions tab of the Intrusion detected Properties dialog box and choose the e-mail service to be launched.
C. The Run a program option should be selected on the Actions tab of the Intrusion detected Properties dialog box and choose a batch file to send the mail to the SMTP service.
D. The Send e-mail option should be selected on the Actions tab of the Intrusion detected Properties dialog box.
Answer: D
Explanation:
In the scenario your best choice is to select the Send e-mail option on the Actions tab of the Intrusion detected Properties dialog box. Intrusion detection is a feature of ISA Server that detects when an attack is made against the server, and the Send e-mail action delivers the alert notification directly without any additional program or event log forwarding.

Incorrect Answers:
A: This option should not be used in the scenario because it only specifies that the event is written to the Windows Event Log when the alert conditions are met.
B: This option should not be used in the scenario because it only specifies that a particular program is run when the alert conditions are met.
C: This option should not be used in the scenario because it only specifies that a particular program is run when the alert conditions are met.



QUESTION NO: 173
You work as the network administrator for CertKiller.com. The CertKiller.com network consists of a single Active Directory domain named CertKiller.com. Your duties include administering an ISA Server 2004 computer named CERTKILLER-SR21. CertKiller.com is divided into several departments.
CERTKILLER-SR21 provides forward Web caching for the employees on the Internal network. CERTKILLER-SR21 has 512 MB of RAM and a single 60-GB hard disk, and Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) database logging is enabled.
One morning you receive a report from a Sales department employee named Kara Lang complaining that it takes longer than usual for Web pages to appear. You need to identify the source of the slow performance. To this end you should choose the appropriate System Monitor performance counters that will enable you to identify the source of the slow performance.
What should you do? (Each correct answer presents part of the solution. Choose TWO.)
A. Select the Memory\Pages/sec System Monitor performance counter.
B. Select the Memory\Pool Nonpaged Bytes System Monitor performance counter.
C. Select the MSSQL$MSFW:Databases(*)\Transactions/sec System Monitor performance counter.
D. Select the MSSQL$MSFW:MemoryManager\Target Server Memory (KB) System Monitor performance counter.
E. Select the Physical Disk\Avg. Disk Queue Length System Monitor performance counter.
F. Select the Physical Disk\SplitIO/sec System Monitor performance counter.
Answer: A,E
Explanation:
You can view the performance objects and their associated performance counters in real time in System Monitor. System Monitor is a monitoring tool that is included with Windows 2000 and Windows Server 2003.
Memory\Pages/sec - The rate at which pages are read from or written to disk to resolve hard page faults. This counter is a primary indicator of the kinds of faults that cause system-wide delays.
Memory\Pool Nonpaged Bytes - The size, in bytes, of the nonpaged pool, an area of system memory (physical memory used by the operating system) for objects that cannot be written to disk but must remain in physical memory as long as they are allocated.
Physical Disk\Avg. Disk Queue Length - The average number of both read and write requests that were queued for the selected disk during the sample interval.
MSSQL$MSFW:Databases(*)\Transactions/sec - The number of transactions started for the database.
MSSQL$MSFW:MemoryManager\Target Server Memory (KB) - The total amount of dynamic memory the server is willing to consume.