28.)You are the administrator of your company network. You implement ISA server to control access to internet sites, as follows:
User Access
Management, Management Information Unrestricted access at all times
Service Department
Sales Department, Marketing Department, Access limited to certain sites during work
Finance Department, Accounting hours; unrestricted access after work hours
Department, Legal Department
You network consists of a Microsoft Windows 2000 domain. Each department has its own organizational unit. Except for MIS personnel, all user accounts are members of the Company Users group. All members of company Users also have membership in groups located in the appropriate departmental OU.
When you review the ISA server log files, you discover that users who are not members of Management or MIS have un restricted access to Internet sites during business hours.
How should you correct this problem?
A. Delete the After Hours site and content rules.
-B. Edit the schedule of the After Hours site and content rule.
C. Restrict the allowed content of all site and content rules.
D. Restrict the allowed content only of the site and content rules that apply to non-Management and non-MIS users.
29.)You are the administrator of your company network, which consists of a single Microsoft Windows 2000 domain. The network is connected to the Internet by dedicated Tl line. You install ISA Server to control user access to the Internet and to secure the network from the Internet.
You want to accomplish the following goals:
-All users in the domain must be able to send and receive e-mail on the mail server of your ISP
-External users must be able to perform a directory query of your Active Directory
-Administrative users must have unrestricted access to the Internet.
-Non-administrative users must be able to access only approved external web sites, and only during work hours.
-Non-administrative users must be able to access only approval FTP sites, and only during work hours.
You take the following actions:
-Create site and content rules, as summarized in this table:
Rule Name Action Applies to Schedule Destination Set
Admins Allow Domain Always All Destinations
Admins
Users-FTP Allow Domain Users Always Approved FTP Sites
Users-Web Allow Domain Users Work Hours Approve Web Sites
-Create protocol rules, as summarized in this table:
Rule Name Allowed Protocols Applies To
Administrators All lP traffic Domain Admins
Users Selected Protocols: Domain Users
FTP (Client)
HTTP (Client)
LDAP
DNS Querv (Client)
Which result or results do these actions produce? (Choose all that apply)
A. All users in the domain must be able to send and receive e-mail on the mail server of your ISP.
B. Extemal users must be able to perform a directory query of your Active Directory.
-C. Administrative users must have unrestricted access to the Internet.
-D. Non-administrative users must be able to access only approved extemal web sites, and only during work
E. Non-administrative users must be able to access only approval FTP sites, and only during work hours.
30.)You administer a stand-alone ISA server computer. Your company network includes 4,000 computers that use this server to access Internet resources.
The server uses the default site and content rule and the default lP packet filters. Packet filters is enabled. The server has two protocol rules that are detailed here.
Name Scope Action Protocol Applies To Schedule
Web Array Allow HTTP Any request Always
Web(Secure) Array Allow HTTPS Any request Always
Users report that they cannot access Internet sites that require secure transmission of data. You verify that they can access Internet sites that do not require secure transmission.
You must ensure that users can access Internet sites that require secure transmission of data. What should you do?
A. Create a new protocol rule that allows the use ofHTTPS.
-B. Create a new lP packet filter that allows the use ofnetwork traffic on port 443.
C. Create a new web publishing rule that redirects SSL requests as HTTP requests.
D. Configure the ISA server computer to ask unauthenticated users for identification for outgoing web requests.
E. Install and configure a stand-alone Microsoft Windows 2000-based Certificate Authority on the Internal network.
31.)You are the administrator of your company network, which consists of a main office and three branch offices. Each bran ch office has a dedicated Tl connection to the main office. The main office has a Tl connection to the Internet. In addition, each bran ch office has a dedicated 12S-Kbps DSL line for Internet connectivity.
Company policy allows users limited access to web-based resources. The company wants to ensure that the local caching server at each office will serve all web requests before routing any requests to the Internet. The company also wants to ensure that all requests are forwarded to the Internet go through the main office.
You install ISA server arrays at each bran ch office and create the routing rules shown here.
ISA Management
Order Name Action Cache
1 Branch Office Route Connect if object not in cache, never
cache the response.
Last Default Rule Route to alternate Connect ifvalid object not in cache,
destination cache the response only.
Later you discover that many identical requests from the bran ch offices are being served repeatedly from the cache at the main office. You also discover that requests are being sent directly to the Internet from the bran ch offices.
Which two actions should you take to correct this problem? Each correct answer presents part of the solution. (Choose two)
A. Route all repeat requests from the branch offices to an internal web site.
B. Route all repeat requests from the main office to an internal web site.
-C. Remove the backup connection from the routing rules for branch offices.
D. Remove the backup connection from the routing rules for main office.
-E. Configure the branch office arrays to cache responses from the upstream array.
F. Configure the main office array to cache all content.
32.)You are the network administrator for your company. You install ISA server on a computer named ISA¬serverl. You enable outbound Web Access on this computer. Outgoing Web requests on ISA_server1 are configured as shown in the exhibit named "Add/Edit Listeners",
You enable logging for the Firewall service and the Web Proxy service. Both services use the ISA Server file format for logging. You examine the contents of the log file created by ISA server, as shown in the exhibit named "Log File".
WEBEXTD200011022- Note Pad
#Software: Microsoft® Internal security and acceleration Server #Version: 1.0
#Date: 2000-10-22
#Fields:c-ip 10.10.100.200 10.10.100.200 10.10.100.200
cs-username anonymous anonymous anonymous
e-agent sc-authenticated
Mozilla/4.0 (compatible; MSIE Mozilla/4.0 (compatible; MSIE Mozilla/4.0 (compatible; MSIE
For each user on your network, you must be able to log the user authentication information for external web requests. You do not want users to be prompted to enter credentials. You must also maintain the security of user credentials.
What should you do?
A. Select Ask authenticated users for identification on the outgoing Web requests tab. Configure an individuallistener for outgoing web requests. Use integrated authentication.
B. Select Ask authenticated users for identification on the incoming Web requests tab. Configure an individuallistener for outgoing web requests. Use integrated authentication.
C. Select Ask unauthenticated users for identification on the outgoing Web request tab. Use basic authentication and specify the root domain on outgoing Web requests.
-D. Select Ask unauthenticated users for identification on the outgoing Web request tab. Configure outgoing Web requests to use a client certificate.
33.)Your company network consists of a single Microsoft Windows 2000 site. It includes an ISA server enterprise array consisting of a single computer named ISAl. You install ISA server on a new computer, which you name ISA2. You decide to add ISA2 to the array on a different subnet in the same Windows 2000 site.
ISA2 successfully joins the enterprise array, and the setup log file indicates that the setup was successful. Your SecureNAT and firewall client computers are still capable of accessing Internet resources through the default enterprise policies of ISAl. However, these computers cannot access Internet resources through ISA2.
You must enable ISA2 to provide access to Internet resources. What should you do?
A. Create a custom enterprise policy setting for ISA2. Enable outbound client access through the new
policy.
B. Disable array-level access rules that restrict your enterprise policies.
C. Delete the ISA installation directory. Run the installation again.
-D. Edit the local address table to ensure that it contains only address ranges from your company network.
34.)You are setting up an ISA server computer named ISAl. This server will provide Internet access for users on your company network.
You have already installed Microsoft Windows 2000 Server and configured ISAl for Internet access. You are now configuring the internal network adapter. You will be using an lP address of 192.168.0.2/24.
You need to finish configuring ISAl so that it can transmit packets to all computers on your network. What should you do?
A. In the TCP/IP properties for the internal network adapter, specify a default gateway with the address 192.168.0.1
B. In the TCPIIP properties for the extemal network adapter, specify a default gateway with the address 192.168.0.1
C. From a command prompt, issue this command:
Route-f add 0.0.0.0 mask 255.255.255.0 192.168.0.1
D. From a command prompt, issue this command:
Route-f add 0.0.0.0 mask 255.255.252.0 192.168.0.1
E. From a command prompt, issue this command:
Route-p add 192.168.9.0 mask 255.255.255.0 192.168.0.1
-F. From a command prompt, issue this command:
Route-p add 192.168.8.0 mask 255.255.252.0 192.168.0.1
35.)You are the administrator of your company network, which includes an ISA server computer named ISAl.1t also includes an FTP server named FTP1, located on a dedicated computer. You configure FTPl to use TCP port 2021 for the initial connection from an FTP client
Now you want to enable Internet users to connect to FTPl through ISAl. What should you do?
A. On ISA1, create a packet filter for the dynamic local port (1025-5000). Configure the direction for the packet filter as "both" and the remote port as TCP port 2021.
-B. Create a new protocol definition for TCP port 2021. In the protocol definition, configure a secondary connection for TCP port 20 outbound. U se the new protocol definition to create a server publishing rule.
C. Create a new protocol definition for TCP port 2021. Create a new protocol rule that includes both the new protocol definition and the FTP Download Only protocol definition. Configure the rule so it is always available to everyone.
D. On ISA1, delete the server publishing rule for FTP1. Install the Firewall client software on FTP1.
Configure a wspcfg.ini file to bind TCP port 20 as a local port and TCP port 2021 as a server port.
36.)You are the administrator of a Microsoft Windows 2000 network that consists of a single Windows 2000 domain. You want to install ISA server on a member server in this domain. You log on to the domain by using an account that has sufficient permissions to set up software on the member server. However, when you run the Enterprise Initialization utility to update th~hema, you receive this error message:
ISA Server Enterprise Tool-Error
You must be a member of the Enterprise Administrator group, Schema Admins group and Administrators on the local machine to perform this operation.
The program will now exit.
You need to resolve this problem and resume the installation of ISA server. What should you do?
A. Use the run as command to launch the Enterprise Initialization utility in the security context of an account that belongs to the Schema Admins group.
B. Use the run as command to launch the Enterprise Initialization utility in the security context of an account that belongs to the Domain Admins group for the domain.
-C. Add the Active Directory snap-in to manage the schema. In the Active Directory schema console, configure the interface to allow schema updates
D. Add the Active Directory snap-in to manage the schema. In the Active Directory schema console, transfer the schema master to the ISA server computer.
37.)You are the network administrator of Woodgrove bank. Your network consists of several Microsoft Windows 2000 domains in a single forest.Company policy allows only L2TP VPN connections. You run the appropriate ISA server wizards to enable a two-way demand-dial VPN connection between the main office and all branch offices. When you attempt to manually connect the demand-dial interface within Routing and Remote Access, you receive this error message:
Routing And Remote Access
An error occurred during connection of the interface.
The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiation with the remote computer.
How should you correct this problem?
-A. On all ISA server computers, install a computer certificate issued by a certificate authority trusted by all these servers.
B. Promote all ISA server computers to domain controllers in the same domain.
C. Include all lP ranges from the remote networks in the local address table of each ISA server computer.
D. Configure an IPSec policy to force encryption of all traffic on VPN connection.
38.)You are the administrator of an ISA server computer at Fabrikam,Inc. This computer, which is named ISA-Server1, is connected to the Internet. All users and computers on your company network belong to a single Microsoft Windows 2000 domain.
Fabricam,Inc., maintains a company policy regarding access to certain games-related Internet sites. When users attempt to access such sites, ISA-server1 should redirect their requests to a special company web site at http://games.fabrikam.net. A routing rule named Games site is used to implement this policy on ISA-server1.
Three months after the games site rule is created, the company installs a new Tl connection to the Internet. All users except members of the Temps security group should now have free access to games¬related Internet sites.
You want to ensure that members of Temp are the only users who are redirected to the special web site. You need to configure ISA-server1 to accomplish this goal.
Which two actions should you take? Each correct answer is part of the solution. (Choose two)
A. Include the lP addresses of the members of Temps in the destination set used in the games site rule.
-B. Remove the games site rule from the list of routing rules.
-C. Create a new site and content rule that applies only to Temps. This rule redirects users to http://games.fabrikam.net
D. Create a new web publishing rule that applies to the domain users security group. This rule allows access to games-related sites on the Internet.
E. Create a new web publishing rule that applies only to Temps. This rule redirects users to http://games.fabrikam.net
39.)You are the administrator of your company network. Your employer is a design and manufacturing company that holds several original patents. Currently, the company has no Internet connection. Management wants to implement Internet connectivity to allow Internet e-mail and to host a web site. Because of the sensitive nature of company data, management wants to prevent security breaches and loss of data.
The company uses a Microsoft Exchange server 5.5 computers for all internal e-mail. Design specifications state that this computer will host a secure web site for mobile employees, a public web site for customer access, and all Internet e-mail.
Management wants to ensure that no traffic originating from the Internet can enter the internal network. Which two actions should you take? Each correct answer presents part of the solution. (Choose two)
A. Create packet filters on the ISA server computer for the POP3 and SMTP protocols.
B. Create packet filters on the ISA server computer for the Exchange server RPC protocols.
C. Create packet filters on the ISA server computer for the HTTP and HTTPS protocols.
-D. Create a web publishing rule on the ISA server computer to redirect all HTTP and HTTPS requests to the web server.
-E. Create a secure mail server publishing rule on the ISA server computer to redirect all mail protocols to the exchange server.
|