Microsoft Test Braindumps

Archive for the ‘70-350 ISA2004’ Category

Filed Under (70-350 ISA2004) by Goal Dong on June-20-2007

42. You are the network administrator for your company. The network contains an ISA Server 2004 computer named ISA1, which is configured as a remote access VPN server. You configure ISA1 to accept both PPTP and L2TP over IPSec VPN connections from remote access clients. Several users report that they cannot connect to the network. You review the log files on ISA1 and discover that the users with failed connection attempts are all using L2TP over IPSec. You need to ensure that the users can connect to the network. What should you do?
A: Disable IP fragment blocking.
B: Disable IP routing.
C: Disable IP options filtering.
D: Disable verification of incoming client certificates.

========================================================================================

Technical Knowledge
There are two additional options, including Intrusion Detection and IP Preferences, which are used to configure how ISA2004 will respond to various attacks or malformed IP packets.
IP preferences are used to block packets that are well-formed in themselves but may nevertheless be used by attackers. As shown in the following figure, we can configure the following IP preferences on ISA 2004:
IP option:
We can configure ISA2004 to refuse all packets that have the IP options flag set in the header.  
The IP options flags that are most commonly used by attackers are the source routing options. The source route option in the IP header allows the sender to override routing decisions that are normally made by the routers between the source and destination machines. An attacker can use source routing to reach addresses on the internal network that normally are not reachable from other networks, by routing the traffic through another computer that is reachable from both the other network and the internal network.
IP fragments
We can also configure ISA Server to drop all IP fragments. A single IP datagram can be separated into multiple datagrams of smaller sizes known as IP fragments. In the teardrop attack, multiple IP fragments are sent to a server. When the destination computer tries to reassemble these packets, it is unable to do so. It may fail, stop responding, or restart. If we enable this option, then all fragmented packets are dropped. Enabling IP fragment filtering can interfere with streaming audio and video. In addition, Layer Two Tunneling Protocol (L2TP) over IPSec connections may not be established successfully because packet fragmentation may take place during certificate exchange.
IP routing
When IP routing is enabled, ISA Server sends the original network packet from one network to another. ISA Server can filter the network packet. When IP routing is disabled, ISA Server sends only the data (and not the original network packet) to the destination. Also, when IP routing is disabled, ISA Server sends each packet through the firewall in user mode. Disabling IP routing is more secure, but can also decrease router performance.
Correct Answers:  A
A: Correct: Enabling IP fragment filtering can interfere with L2TP over IPSec connections because packet fragmentation may take place during certificate exchange.
B: Incorrect
C: Incorrect
D: Incorrect

Figure: The properties of IP preferences

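To make the two IP preferences concrete, here is an added example (not code from this page or from ISA Server) that parses a raw IPv4 header, reports whether the packet carries IP options or is a fragment, and applies the same drop decisions the "IP options" and "IP fragments" preferences make. The sample packets are constructed inline: a plain L2TP datagram, the same datagram with a benign Record Route option, and a large IKE (UDP 500) message split into two fragments the way a certificate exchange would be. Addresses are documentation ranges and the checksum is left as zero; the parser does not verify it.

```python
import struct
import ipaddress

# IPv4 header flags (bits 15..13 of the flags/fragment-offset field)
IP_FLAG_DF = 0x2  # Don't Fragment
IP_FLAG_MF = 0x1  # More Fragments


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse a raw IPv4 packet and report the fields the two IP preferences inspect."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    if version != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_frag >> 13
    frag_offset = (flags_frag & 0x1FFF) * 8    # offset is stored in 8-byte units
    more_fragments = bool(flags & IP_FLAG_MF)
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto,
        "identification": ident,
        "has_options": ihl > 20,               # IHL above 5 words means options follow
        "options": pkt[20:ihl],
        "more_fragments": more_fragments,
        "fragment_offset": frag_offset,
        "is_fragment": more_fragments or frag_offset != 0,
        "payload": pkt[ihl:total_len],
    }


def ip_preferences_verdict(pkt: bytes, block_options: bool = True,
                           block_fragments: bool = True) -> str:
    """Apply the 'IP options' and 'IP fragments' preferences to one packet."""
    hdr = parse_ipv4_header(pkt)
    if block_options and hdr["has_options"]:
        return "drop: IP options present"
    if block_fragments and hdr["is_fragment"]:
        return "drop: IP fragment"
    return "pass"


def build_ipv4(src, dst, proto, payload, options=b"", flags=0, frag_offset=0, ident=0x1234):
    """Build a constructed IPv4 packet for testing (checksum left zero, see above)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad with End-of-Option-List bytes
    ihl_words = (20 + len(options)) // 4
    total_len = ihl_words * 4 + len(payload)
    flags_frag = (flags << 13) | ((frag_offset // 8) & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, ident,
                         flags_frag, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def udp_datagram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed samples: documentation addresses, not real hosts.
CLIENT, VPN_SERVER = "203.0.113.10", "198.51.100.1"
# A large IKE message (UDP 500) standing in for one that carries a certificate payload.
IKE_CERT_EXCHANGE = udp_datagram(500, 500, b"\x00" * 2000)
# Record Route option: type 7, length 7, pointer 4, one empty address slot.
RECORD_ROUTE_OPTION = b"\x07\x07\x04" + b"\x00" * 4

SAMPLE_PACKETS = {
    "plain_udp": build_ipv4(CLIENT, VPN_SERVER, 17, udp_datagram(1701, 1701, b"l2tp")),
    "record_route_option": build_ipv4(CLIENT, VPN_SERVER, 17, udp_datagram(1701, 1701, b"l2tp"),
                                      options=RECORD_ROUTE_OPTION),
    # First fragment: MF set, offset 0; second: MF clear, offset 1480 (1500-byte MTU).
    "ike_fragment_1": build_ipv4(CLIENT, VPN_SERVER, 17, IKE_CERT_EXCHANGE[:1480],
                                 flags=IP_FLAG_MF, frag_offset=0, ident=0x4242),
    "ike_fragment_2": build_ipv4(CLIENT, VPN_SERVER, 17, IKE_CERT_EXCHANGE[1480:],
                                 flags=0, frag_offset=1480, ident=0x4242),
}


def evaluate_samples(**policy) -> dict:
    """Verdict for every sample packet under the given preference settings."""
    return {name: ip_preferences_verdict(pkt, **policy) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:22s} {verdict}")
```

Both IKE fragments are dropped when fragment filtering is on, which is exactly why the L2TP over IPSec clients in the question fail while PPTP clients, whose packets are not fragmented, still connect; `evaluate_samples(block_fragments=False)` lets them through.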

Filed Under (70-350 ISA2004) by Goal Dong on June-18-2007

35. You are a network administrator for Contoso, Ltd. Client computers on the internal network are divided among several subnets by using routers. You install an ISA Server 2004 computer named ISA1. ISA1 will be used to allow users to access Web sites on the Internet. You configure TCP/IP on ISA1 as shown in the exhibit. (Click the Exhibit button.) After ISA1 is installed, users report that they cannot access Web sites on the Internet. You need to ensure that users can access Web sites on the Internet. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A: Configure the internal default gateway to match the external default gateway.
B: Configure a static route to each subnet.
C: Add the IP address of the internal default gateway to the Remote Management Computers computer set.
D: Configure the internal network adapter with a blank default gateway.
E: Create a network set for each subnet.

============================================================================ 

The topology


Correct Answers:  B, D
A: Incorrect: Only one default gateway on a multihomed computer is actually used. So we make the external default gateway of ISA1 the only one in use by configuring the internal network adapter with a blank default gateway.
B: Correct: see the topology
C: Incorrect
D: Correct
E: Incorrect


Filed Under (70-350 ISA2004) by Goal Dong on June-16-2007

34. You are a network administrator for your company. You plan to implement ISA Server 2004 as a SecureNAT firewall for client computers on the network. The implementation will consist of a Windows Server 2003 Network Load Balancing cluster. External client computers that connect to resources published by ISA Server must be load balanced across the Network Load Balancing cluster when they connect by using DNS. You need to plan the external DNS implementation before you deploy ISA Server 2004. What should you do?
A: Create three service locator (SRV) resource records. Configure each record to use the _HTTP service and to reference the IP address of one of the internal interfaces of the Network Load Balancing cluster nodes.
B: Create three host (A) resource records. Configure each record with the IP address of one of the external interfaces of the Network Load Balancing cluster nodes.
C: Create one host (A) resource record. Configure the record with the virtual IP address that is assigned to the external interface of the Network Load Balancing cluster.
D: Create one host (A) resource record. Configure the record with the virtual IP address that is assigned to the internal interface of the Network Load Balancing cluster.
Correct Answers:  C

==================================================== 

The Topology


A: Incorrect: SRV records are not used by external users to reach published resources; they are used to support Active Directory. So A records should be used.
B: Incorrect: The IP address that external users connect to should be the virtual IP of the ISA array if NLB is enabled, or the IP of one of the array members if NLB is not enabled.
C: Correct
D: Incorrect: The internal virtual IP of the ISA array cannot be reached by external users.


Filed Under (70-350 ISA2004) by Goal Dong on June-14-2007

33. You are a network administrator for your company. The network is configured as shown in the exhibit. (Click the Exhibit button.) You are upgrading the Routing and Remote Access servers to ISA Server 2004. You need to configure the Internal network. You need to create access rules that are specific for each subnet. Which three IP address ranges should you use? (Each correct answer presents part of the solution. Choose three.)


A: 10.0.25.1     - 10.0.25.255
B: 172.16.1.0   - 172.16.1.255
C: 172.16.2.0   - 172.16.2.255
D: 172.16.10.0 - 172.16.10.255
E: 192.168.1.0 - 192.168.255.255

============================================================================= 

Technical knowledge
ISA Server supports three network types (Internal, External and perimeter network) and an unlimited number of networks.
The servers that are accessible from the Internet are usually isolated on their own network, such as a perimeter network (also known as a demilitarized zone, or DMZ). The servers and client computers that are not accessible from the Internet are located in an Internal network.
According to the question, we need to define the Internal network address ranges. As shown in the exhibit, the client computers and servers located in the 172.16.0.0/16 network are not accessible from the Internet, so those are the ranges that make up the Internal network.
Correct Answers:  B, C, D
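An added example (not from this page or from ISA Server) of the check behind this answer: given the prefix that the exhibit shows as the non-Internet side, classify each candidate range as inside, outside, or straddling that prefix, and convert routed subnets into the first-last address ranges that an ISA network definition is built from. The candidate ranges are the five options above; the 172.16.0.0/16 prefix is taken from the explanation. The straddling case is included because a range that crosses the network boundary is the usual way an Internal network definition ends up including addresses it should not.

```python
import ipaddress


def range_to_network_relation(first: str, last: str, internal_prefixes) -> str:
    """Classify [first, last] as 'inside', 'outside' or 'straddles' the Internal prefixes."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    for prefix in internal_prefixes:
        net = ipaddress.IPv4Network(prefix)
        inside_lo, inside_hi = lo in net, hi in net
        if inside_lo and inside_hi:
            return "inside"
        if inside_lo != inside_hi:
            return "straddles"                       # crosses the network boundary
        if lo < net.network_address and hi > net.broadcast_address:
            return "straddles"                       # encloses the whole prefix
    return "outside"


def select_internal_ranges(candidates, internal_prefixes):
    """Keep only the candidate ranges that lie entirely inside the Internal prefixes."""
    return [(f, l) for f, l in candidates
            if range_to_network_relation(f, l, internal_prefixes) == "inside"]


def subnets_to_ranges(subnets):
    """Convert routed subnets to the first-last address pairs an ISA network uses."""
    return [(str(ipaddress.IPv4Network(s).network_address),
             str(ipaddress.IPv4Network(s).broadcast_address)) for s in subnets]


def merge_ranges(ranges):
    """Collapse adjacent or overlapping ranges into one entry per contiguous block."""
    spans = sorted((int(ipaddress.IPv4Address(f)), int(ipaddress.IPv4Address(l)))
                   for f, l in ranges)
    merged = []
    for lo, hi in spans:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return [(str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi)))
            for lo, hi in merged]


# The answer options from the question above, as (first, last) pairs.
CANDIDATE_RANGES = {
    "A": ("10.0.25.1", "10.0.25.255"),
    "B": ("172.16.1.0", "172.16.1.255"),
    "C": ("172.16.2.0", "172.16.2.255"),
    "D": ("172.16.10.0", "172.16.10.255"),
    "E": ("192.168.1.0", "192.168.255.255"),
}
# The prefix the explanation identifies as the side not reachable from the Internet.
INTERNAL_PREFIXES = ["172.16.0.0/16"]


def classify_options() -> dict:
    """Relation of every answer option to the Internal prefixes."""
    return {k: range_to_network_relation(f, l, INTERNAL_PREFIXES)
            for k, (f, l) in CANDIDATE_RANGES.items()}


if __name__ == "__main__":
    for option, relation in classify_options().items():
        print(option, CANDIDATE_RANGES[option], relation)
    print(merge_ranges(select_internal_ranges(CANDIDATE_RANGES.values(), INTERNAL_PREFIXES)))
```

`merge_ranges` shows that options B and C, which are adjacent /24s, can be entered as one 172.16.1.0 - 172.16.2.255 block; D is not adjacent and stays separate.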


Filed Under (70-350 ISA2004) by Goal Dong on June-14-2007

3. You are the network administrator for your company. The network contains an ISA Server 2004 array. The array contains six members. You enable Cache Array Routing Protocol (CARP) so that outbound Web requests are resolved within the array. Soon after you enable CARP on the array, Web users on the corporate network report that Internet access is slower than normal. You use Network Monitor to check network traffic patterns on each of the ISA Server 2004 array members. You discover that there is very high network utilization on the intra-array network. You need to reduce the amount of intra-array traffic. What should you do?
A: Enable Network Load Balancing on the intra-array network.
B: Configure the client computers as SecureNAT clients.
C: Use automatic discovery to configure the client computers as Web Proxy clients.
D: Enable CARP on the intra-array network.

=================================================== 

Technical knowledge
When CARP is enabled, the cache drives on all the servers in the array are treated as a single logical cache drive. In this way, cached objects can be efficiently distributed among the member servers.
For the client configuration, Web Proxy clients are a good choice, because Web Proxy clients connect to the array by its DNS name to download the CARP script. The clients use the script to determine which array member to connect to when accessing Web content, so each request goes directly to the member that owns the object. Consequently, this reduces the amount of intra-array traffic.
So the correct answer is C.
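The following added example (not code from this page or the script ISA Server generates) shows why client-side CARP routing cuts intra-array traffic. It implements highest-score-wins hash routing modelled on the CARP algorithm: a URL hash and a member hash are combined, and the member with the highest combined score owns the object. The rotation amounts and the 0x62531965 multiplier are as I recall them from the CARP v1.0 Internet-Draft; load-factor weighting is omitted. The six member names and the URL list are constructed. A client that runs the script sends every request to the owner, so nothing needs to be forwarded between members; a client that does not (the SecureNAT case, modelled here as reaching an arbitrary member) causes a forward whenever the entry member is not the owner.

```python
MASK32 = 0xFFFFFFFF


def _rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _string_hash(s: str) -> int:
    """CARP-style string hash: rotate-and-add over the bytes of the string."""
    h = 0
    for byte in s.encode("utf-8"):
        h = (_rotl32(h, 19) + byte) & MASK32
    return h


def member_hash(name: str) -> int:
    """Per-member hash, computed once per array member (case-insensitive name)."""
    h = _string_hash(name.lower())
    h = (h + h * 0x62531965) & MASK32
    return _rotl32(h, 21)


def combined_score(url: str, member: str) -> int:
    """Score of (URL, member); the member with the highest score owns the URL."""
    c = _string_hash(url) ^ member_hash(member)
    c = (c + c * 0x62531965) & MASK32
    return _rotl32(c, 21)


def select_member(url: str, members) -> str:
    """Highest-score-wins. Every client running the same script picks the same member;
    the member name breaks ties so the result does not depend on list order."""
    return max(members, key=lambda m: (combined_score(url, m), m))


def ownership(urls, members) -> dict:
    return {url: select_member(url, members) for url in urls}


def count_intra_array_forwards(urls, members, client_side_routing: bool) -> int:
    """Number of requests one array member must forward to another.

    client_side_routing=True models Web Proxy clients that ran the CARP script and
    connect straight to the owner; False models clients that land on an arbitrary
    member (here: round-robin), as SecureNAT clients behind a load balancer would."""
    forwards = 0
    for i, url in enumerate(urls):
        owner = select_member(url, members)
        entry = owner if client_side_routing else members[i % len(members)]
        if entry != owner:
            forwards += 1
    return forwards


# Constructed array of six members, as in the question, and a constructed URL list.
ARRAY_MEMBERS = [f"isa{i}.corp.example" for i in range(1, 7)]
SAMPLE_URLS = ([f"http://www.example.com/page{i}.html" for i in range(1, 31)]
               + [f"http://cdn.example.net/img/{i}.png" for i in range(1, 21)])


if __name__ == "__main__":
    print("forwards, Web Proxy clients:", count_intra_array_forwards(SAMPLE_URLS, ARRAY_MEMBERS, True))
    print("forwards, arbitrary entry member:", count_intra_array_forwards(SAMPLE_URLS, ARRAY_MEMBERS, False))
```

A second property worth checking is stability: when one member leaves the array, only the URLs it owned move to another member, because the remaining members' scores are unchanged. That is what keeps the other caches warm when an array member is taken down.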


Filed Under (70-350 ISA2004) by Goal Dong on June-13-2007

29. You are the network administrator for your company. The network contains an ISA Server 2004 computer named ISA1. The company uses Microsoft Exchange Server 2003 as its e-mail server. The company's written security policy states that all user names and passwords must be encrypted when they are sent over the Internet. The company is adopting Web-enabled cellular phones and wants to allow users to use these phones to access their e-mail over the Internet. The phones have a Wireless Access Protocol (WAP) browser and an e-mail client that is capable of only POP3 and IMAP4. You need to configure ISA1 to give users access from their cellular phones to e-mail. You need to ensure that you adhere to the company's security policy. What should you do?
A: Create an HTTPS server publishing rule. Configure the rule to point to the Microsoft Outlook Web Access site.
B: Create an HTTPS server publishing rule. Configure the rule to point to the Microsoft Outlook Mobile Access site.
C: Create a POP3 server publishing rule. Configure the rule to point to an Exchange Server 2003 computer.
D: Create an IMAP4 server publishing rule. Configure the rule to point to an Exchange Server 2003 computer.

================================================== 

Correct Answers:  B
Technical knowledge
A: Incorrect: OWA is not used by mobile phone clients; it is used by Web browser clients on computers to access Exchange.
B: Correct: OMA is used by mobile phone clients to access Exchange.
C: Incorrect: Given the requirement for more security, a publishing rule for POP3 should not be created. POP3S is a better choice.
D: Incorrect: The same reason as C; IMAP4S is a better choice.


Filed Under (70-350 ISA2004) by Goal Dong on June-13-2007

27. You are the network administrator for your company. The network contains an ISA Server 2004 computer. A network rule defines a network address translation (NAT) relationship between the Internal network and the External network. The Internal network contains a Windows Server 2003 computer named Server1. You need to perform remote administration of Server1 by using Remote Desktop. You also need to allow users to establish a Remote Desktop connection to Server1 by using the non-standard TCP port 12345. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A: Configure a new protocol definition for TCP port 12345 inbound named RDP-x.
B: Configure a new protocol definition for TCP port 12345 outbound named RDP-x.
C: Create an access rule that uses RDP-x.
D: Create a server publishing rule that uses RDP-x.

===================================================== 

Technical knowledge
Protocol definition:
Defining a new protocol element needs three main options: protocol type, port range and direction.
Protocol type: TCP, UDP, ICMP or IP level.
Port range: 1-65536
Direction: If the protocol type is TCP, the options are Inbound and Outbound.
If the protocol type is UDP, there are four options: Send, Receive, Send and Receive, Receive and Send.
If the protocol element is used in an access rule, TCP Outbound or UDP “Send and Receive” is usually chosen as the direction. If the protocol element is used in a publishing rule, TCP Inbound or UDP “Receive and Send” is usually chosen.
Correct Answers:  A, D


A: Correct: In this question, we need to define a TCP protocol element for a publishing rule, so Inbound should be chosen.
B: Incorrect: The new protocol is used in a publishing rule and the protocol type is TCP, so Outbound should not be chosen.
C: Incorrect
D: Correct: Because external clients must reach a server located on the Internal network across a NAT relationship, we should create a server publishing rule.

Filed Under (70-350 ISA2004) by Goal Dong on June-11-2007

26. You are the administrator of an ISA Server 2004 computer named ISA1. ISA1 is connected to the Internet. All client computers are configured as SecureNAT clients. The company's new written security policy states that only Web-based traffic will be allowed on the network. In the past, all instant messaging applications were allowed. You need to configure ISA1 to block all instant messaging traffic and all other non-Web traffic. What should you do?
A: Delete all current access rules. Create a new access rule that has only HTTP and HTTPS as the allowed protocols. Configure HTTP filtering and add signatures for instant messaging applications.
B: Create a new access rule that denies all instant messaging protocols. Create a new access rule that has only HTTP and HTTPS as the allowed protocols.
C: Create a new access rule that has only HTTP and HTTPS as the allowed protocols. Configure HTTP filtering and add signatures for instant messaging applications. Unbind the HTTP filter from the HTTP protocol definition.
D: Create a computer set definition for instant messaging servers on the Internet. Create a new access rule that denies all instant messaging protocols to the computer set you defined. Create a new access rule that has only HTTP and HTTPS as the allowed protocols.

 

====================================================

Technical knowledge
HTTP filter and signatures
The HTTP filter can be used to filter the packets going through the ISA Server. Many Internet applications now use HTTP to tunnel their application traffic. The only way to block these types of applications without blocking all HTTP traffic is to use the HTTP filter.
The HTTP filter can block HTTP requests based on the following options: Length of request headers, length of URL, request method, file extension, signature and so on.
An HTTP signature can be any string of characters in the HTTP header or body. To block an application based on signatures, we must identify the specific patterns the application uses in request headers, response headers, and body, and then modify the HTTP policy to block packets based on that string. As shown in the following figure, the signature is used to block MSN with port 80 traffic.

Correct Answers:  A
A: Correct: Denying all IM (such as MSN) protocols and configuring HTTP filtering with IM signatures blocks IM traffic.
B: Incorrect: IM applications not only have their own ports but can also tunnel their traffic over HTTP. As a consequence, we cannot block IM traffic only by denying the IM ports.
C: Incorrect: The HTTP filter becomes unavailable once it is unbound from the HTTP protocol definition.
D: Incorrect: Denying the IM server IP addresses blocks some, but not all, IM traffic, because IM clients can send requests to a proxy server first, and the proxy server then forwards them to the IM server. IM clients can find many such proxy servers.
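To show what the HTTP filter adds over a port-based rule, here is an added example (not code from this page or from ISA Server) that parses a raw HTTP request and applies the checks the explanation lists: URL length, request header length, allowed methods, blocked file extensions, and signatures matched against a request header or the body. The requests and the signature are constructed; `ExampleIM/1.0` is a placeholder User-Agent token standing in for a real IM client's signature, which this page does not give. Both the browser request and the tunnelled IM request arrive on port 80, so only the signature separates them.

```python
import os
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    url: str
    version: str
    headers: dict          # lower-cased header name -> value
    body: bytes
    header_bytes: int      # size of the request line plus all headers


def parse_http_request(raw: bytes) -> HttpRequest:
    """Minimal parser for one HTTP/1.x request (enough for the filter checks below)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, url, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, url, version, headers, body, len(head) + len(sep))


@dataclass
class Signature:
    where: str             # "request_header" or "request_body"
    pattern: str           # substring to look for (assumed case-sensitive here)
    header: str = ""       # header name for "request_header"; empty means any header
    name: str = ""


@dataclass
class HttpFilterPolicy:
    max_url_length: int = 2048
    max_headers_length: int = 8192
    allowed_methods: set = field(default_factory=lambda: {"GET", "HEAD", "POST"})
    blocked_extensions: set = field(default_factory=lambda: {".exe", ".bat"})
    signatures: list = field(default_factory=list)


def http_filter_verdict(raw: bytes, policy: HttpFilterPolicy) -> str:
    """Apply the HTTP filter checks in order and return 'allow' or a 'block: ...' reason."""
    req = parse_http_request(raw)
    if len(req.url) > policy.max_url_length:
        return "block: URL length"
    if req.header_bytes > policy.max_headers_length:
        return "block: request headers length"
    if req.method not in policy.allowed_methods:
        return f"block: method {req.method}"
    path = req.url.split("?", 1)[0]
    ext = os.path.splitext(path)[1].lower()
    if ext in policy.blocked_extensions:
        return f"block: extension {ext}"
    for sig in policy.signatures:
        if sig.where == "request_header":
            if sig.header:
                haystack = req.headers.get(sig.header.lower(), "")
            else:
                haystack = "\r\n".join(f"{k}: {v}" for k, v in req.headers.items())
        elif sig.where == "request_body":
            haystack = req.body.decode("latin-1")
        else:
            continue
        if sig.pattern in haystack:
            return f"block: signature {sig.name}"
    return "allow"


# Constructed signature (placeholder token, not a real client's string).
IM_SIGNATURE = Signature("request_header", "ExampleIM/1.0", header="User-Agent", name="example-im-client")
POLICY = HttpFilterPolicy(signatures=[IM_SIGNATURE])

# Constructed requests, all of which a port-80 access rule would treat alike.
SAMPLE_REQUESTS = {
    "browser_get": (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
                    b"Host: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    "im_tunnelled_over_port_80": (b"POST http://gateway.im.example/gateway HTTP/1.1\r\n"
                                  b"Host: gateway.im.example\r\nUser-Agent: ExampleIM/1.0\r\n"
                                  b"Content-Length: 3\r\n\r\nVER"),
    "long_url": (b"GET http://www.example.com/" + b"a" * 3000 + b" HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n\r\n"),
    "exe_download": (b"GET http://www.example.com/downloads/tool.exe HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n\r\n"),
    "trace_method": (b"TRACE http://www.example.com/ HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n\r\n"),
}


def evaluate_samples(policy: HttpFilterPolicy = POLICY) -> dict:
    return {name: http_filter_verdict(raw, policy) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:26s} {verdict}")
```

Running `evaluate_samples(HttpFilterPolicy())`, a policy with no signatures, lets the tunnelled IM request through; that is the situation answer B leaves in place.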


Filed Under (70-350 ISA2004) by Goal Dong on June-11-2007

25. You are the network administrator for your company. The network contains a single ISA Server 2004 computer named ISA1. The company's written security policy states that ISA1 must authenticate users before users on the Internet are allowed to access corporate Web servers. You install a new Web server on the Internal network. Partners and customers will access the Web pages hosted by this Web server only from the Internet. You need to configure ISA1 to publish the Web site hosted by this Web server, and you need to adhere to the company's security policy. What should you do?
A: Create a Web publishing rule. Configure the rule to require user authentication.
B: Create a Web publishing rule. Configure the rule to perform link translation.
C: Create an HTTP server publishing rule. Configure the rule to specify that requests appear to come from ISA1.
D: Create an HTTP access rule. Configure the rule to allow connections from the External network to the Internal network.

===============================================================================

Technical knowledge

Web publishing rule with user authentication: We can configure ISA Server to require that all external users authenticate before their requests are forwarded to the Web server hosting the published content. This protects the internal Web server from authentication attacks. Web publishing rules support several methods of authentication, including Remote Authentication Dial-In User Service (RADIUS), integrated, basic, digest, digital certificates, and RSA SecurID.

Correct Answers:  A
A: Correct: According to the question, we need to create a Web publishing rule on the ISA server so that external clients can access the Web server located on the Internal network, and configure the rule to require authentication.
B: Incorrect: Link translation is used when the published Web site has pages that contain absolute links; we must map the absolute links to links that external clients can reach. But link translation does not address the requirement in this case.
C: Incorrect: To adhere to the security policy, the ISA server must authenticate users. This point is not addressed by the answer.
D: Incorrect: An access rule cannot be used to let external clients access a server located on the Internal network. Only a publishing rule should be used.

Filed Under (70-350 ISA2004) by Goal Dong on June-9-2007

22. You are the network administrator for your company. ISA Server 2004 is installed as the company's firewall. All of the company's portable computers run Microsoft Outlook 2003. The company's written security policy states that all e-mail communications to the Microsoft Exchange Server 2003 computer over the Internet must be encrypted. You need to ensure that all employees use Outlook 2003, whether they use e-mail in the office or use e-mail remotely over the Internet. What should you do?
A: Configure Microsoft Outlook Web Access on an internal server. Configure an HTTPS Web publishing rule to direct traffic to the Exchange Server computer.
B: Configure Microsoft Outlook Web Access on an internal server. Configure an HTTP Web publishing rule to direct traffic to the Exchange Server computer.
C: Configure an RPC Proxy server. Create a server publishing rule to direct all Exchange RPC traffic to the RPC Proxy server.
D: Configure an RPC Proxy server. Create an HTTPS Web publishing rule to direct traffic to the RPC Proxy server.


=====================================================
The topology


Technical knowledge
Secure Outlook client connection:
Outlook clients are MAPI (Messaging Application Programming Interface) clients, and MAPI uses RPCs to connect to the Exchange server. ISA 2004 can be used to publish the Exchange server for Outlook RPC clients. Even then, the traffic between Outlook clients and the ISA server is not secure because of the low level of encryption available to secure RPC traffic.
For more security, RPC over HTTP offers a higher level of protection. On the internal network, we can configure an RPC proxy server to accept and respond to Outlook clients that use RPC over HTTP. In this method, Outlook clients send requests as HTTP packets to the RPC proxy server, the RPC proxy server converts the HTTP packets into normal RPC packets, and the normal packets are then directed to the Exchange server. (For more details, see the article http://support.microsoft.com/default.aspx?scid=kb;en-us;833401.) We can then create a secure Web publishing rule to publish the RPC virtual directory through ISA Server.
Correct Answers:  D
A: Incorrect.  Outlook clients cannot connect to Exchange through OWA.
B: Incorrect
C: Incorrect. To make the connection more secure, we must create an HTTPS Web publishing rule.
D: Correct