Knowledge Check 13A-B - On-Prem and Hybrid Network Connectivity
You want to implement an Azure WAN solution that provides a traditional hub-and-spoke connectivity model that can provide for a variety of spoke types. Which of the following Azure WAN solutions will meet your networking requirements?
Global transit network architecture
You want to implement an Azure WAN solution where there is a central management location for external connections and hosting services and VNnets to connect to the central location to host workloads. Which of the following Azure WAN solutions will meet your networking requirements?
Hub-and-spoke architecture
Due to the success of your remote access solution, you now have several remote access servers on your network. To centralize administration of network policies, you need to configure the CorpNPS server as a RADIUS server. In this lab, your task is to: · Add the necessary server role and role service(s) to allow CorpNPS to be a RADIUS server. This server will not respond to remote access client requests. Do not add any unnecessary role services. · Identify the following servers in NPS as RADIUS clients: Server/Friendly name IP address CorpVPN1 192.168.0.20 BranchVPN1 192.168.20.20 o Shared secret: J51nj3T% o Vendor: RADIUS Standard · Configure a network policy to allow members of the Sales team to connect using the following settings: o Use Sales as the network access policy name. o Set the type of network access server to Remote Access Server.
1. Add the Network Policy and Access Services Role. a. From Server Manager, select Manage > Add Roles and Features. b. Select Next to begin the Add Roles and Features Wizard. c. Select Next to use the Role-based or feature-based installation type. d. Select Next to use Select a server from a server pool and CorpNPS.CorpNet.local as the destination server. e. Select the Network Policy and Access Services role. f. Select Add Features to include management tools and then select Next. g. Select Next. h. Select Next. i. Select Next to use the Network Policy Server role service. j. Select Install. k. After the installation completes, select Close. 2. Configure clients on the RADIUS server. a. From Server Manager, select Tools > Network Policy Server. b. Maximize the windows for better viewing. c. From the left pane, expand RADIUS Clients and Servers. d. Right-click RADIUS Clients and then select New. e. Enter the Friendly name. f. Enter the Address (IP or DNS). g. At the bottom, in the Shared secret field, enter J51nj3T% as the shared secret. h. In the Confirm shared secret field, re-enter the shared secret. i. Select the Advanced tab. j. In the Vendor name field, make sure Radius Standard is selected. k. Select OK. l. Repeat 2d-2k for additional Radius clients. 3. Create a network policy and add a group. a. From the left pane, expand Policies. b. Right-click Network Policies and select New. c. Enter Sales in the Policy name field. d. Using the Type of network access server drop-down list, select Remote Access Server (VPN-Dialup) and then select Next. e. Select Add to add group membership as a condition. f. Under Groups, select User Groups and then select Add. g. Select Add Groups. ↓↓↓↓CONTINUED
You work as the IT administrator for a small corporate network. You want to let users connect to the branch office LAN through the internet. You need to configure the BranchVPN2 server as a Virtual Private Network (VPN) remote access server. Company security policy allows only ports 80 and 443 through the company firewall. The server has already been configured with certificates to support SSTP. You will not configure network access policies at this time. Use Exhibits to see the relevant portion of the network. In this lab, your task is to: · Configure the BranchVPN2 server to accept VPN remote access connections. o Set the internet connection for the VPN server to Public. o Configure the VPN server to assign addresses to clients in the range of 192.168.200.200 to 192.168.200.250. o Use Routing and Remote Access for authentication. · Configure the VPN server to accept only 15 VPN connections that use the SSTP port.
1. Configure the VPN server. a. From Server Manager, select Tools > Routing and Remote Access. b. From the left pane, right-click BranchVPN2 and select Configure and Enable Routing and Remote Access. c. From the Wizard, select Next. d. Select Next to use Remote access (dial-up or VPN). e. Select VPN, and then select Next. f. Under Network interfaces, select Public, and then select Next. g. Select From a specified range of addresses, and then select Next. h. Select New to enter the range of addresses. i. Configure the new IPv4 address range as follows: § Start IP address field: 192.168.200.200 § End IP address field: 192.168.200.250 § Number of addresses: 51 j. Select OK. k. Select Next. l. Select Next to use No, use Routing and Remote Access to authenticate connection requests is selected. m. Select Finish to complete the Routing and Remote Access Server Setup wizard. n. Select OK to acknowledge the DHCP Relay Agent message.Appropriate VPN ports will be automatically created and enabled to accept remote access connections. 2. Configure the VPN ports. a. From the Routing and Remote Access dialog, expand BranchVPN2. b. Right-click Ports and select Properties. c. Select WAN Miniport (SSTP). d. Select Configure. e. In the Maximum ports field, use 15 and select OK. f. Select Yes to confirm the reduction of the number of ports on this device. g. Select a port type. h. Select Configure. i. Clear all options to disable remote access for all other port types. j. Select OK. k. Repeat step 2g-2j to disable access for the remaining port types. l. Select OK.
You work as the IT administrator for a small corporate network. You need to create a separate subnet to use for testing. The test subnet needs access to the rest of the network through a router, but it should not have any local access to production machines. You have installed Windows Server on the server named CorpRTR, which you plan to use to isolate the test segment from the rest of the network. You'll use traditional routing or NAT. In this lab, your task is to add the necessary role and role services to meet the stated requirements. Do not add unnecessary role services.
1. Select the Remote Access role to be installed. a. From Server Manager, select Add roles and features. b. Select Next to begin the Add Roles and Features wizard. c. Select Next to use Role-based or feature-based installation type. d. Select Next to use CorpRTR.CorpNet.local as the destination server. e. Select Remote Access. f. Select Add Features to add the features that are required for Remote Access. g. Select Next. h. From the Select Features window, select Next. 2. Select the role services for Remote Access and for Web Server (IIS). a. From the Remote Access window, select Next. b. Select Routing, and then select Next. c. From the Web Server Role (IIS) window, select Next. d. From the Role Services windows, select Next to use the default IIS options. e. Select Install. f. Select Close.
You need to configure access using Remote Desktop Gateway you have opened port 443 in the external firewall. Which port should you open in the internal firewall?
3389
Which of the following ports does TACACS use?
49
Which of the following BEST describes a WAP?
A Windows Server service that allows users to use any device to access applications from outside the corporate network.
Which of the following are items needed to implement an Azure extended network? (Select two.)
A firewall configured to allow for asymmetric routing. & Site-to-Site (S2S) VPN connection or the Azure express connection.
Which of the following BEST describes Node.js?
A free (open-source) backend runtime environment that works across multiple platforms.
Which of the following BEST describes an Azure network adapter?
A point-to-site (P2S) VPN connection
Which of the following BEST describes a network policy?
A set of conditions, constraints, and settings used to authorize which remote users and computers can or cannot connect to a network.
When implementing an Azure extended network, you need a pair of Windows Server VMs. Both VMs act as virtual appliances. Drag the VM type on the left to the proper connections on the right. (You can use a VM type more than once.)
A virtual network adapter to the routable subnet. On-premise Second network interface to the extended subnet. In the cloud A second virtual network adapter to the extended subnet. On-premise Primary network interface to the routable subnet. In the cloud
Which of the following BEST describes an Azure relay?
Allows for scoping instead of the shotgun approach of a VPN connection.
Which of the following BEST describes split DNS?
Allows the same name to resolve to different IP addresses.
With RADIUS, network managers can centrally manage connection authentication, authorization, and accounting (sometimes referred to as AAA) for many types of network access, such as VPN or wireless access points. Which of the following options best describes authorization?
Allows users to use specific network services or connect to specific network resources.
What is the primary purpose of RADIUS?
Authenticate remote clients before access to the network is granted.
Which of the following features are used by clients and provided by the RADIUS server? (Select three.)
Authentication & Accounting & Authorization
Which of the following are items needed to implement an Azure Network Adapter?
Azure subscription with active account. & A connection to Azure for WAC server.
You manage the remote access solution for your network. Currently, you have 10 remote access servers named RA1 through RA10. A single RADIUS server named RA11 holds all network access policies for all remote access servers. Due to some recent changes, you decide to add a second RADIUS server, RA12, to your solution. Remote access connections should be directed to either RA11 or RA12 based on the characteristics of the connection. You decide to configure the RA13 server as a RADIUS proxy. Connection requests from RA1 through RA10 will be sent to RA13. All requests will then be forwarded to RA11 or RA12 based on the characteristics of the connection. Which of the following steps are part of your configuration on RA13? (Select three. Each choice is a required part of the solution.)
Configure RADIUS server groups. & Configure RA1 through RA10 as RADIUS clients to RA13. & Configure connection request policies.
Your company has recently added a traveling sales force. To allow salesmen access to the network while traveling, you install two additional servers. You configure the servers (REM1 and REM2) as remote access servers to accept incoming calls from remote clients. You configure network access policies on each server. The solution is working fine, but you find that you make constant changes to the remote access policies. You install the Network Policy and Access Services role on a third server (REM3). You configure network access policies on REM3. Following the installation, you verify that all clients can connect to REM1 and REM2. Then you delete the custom network access policies on both servers. Now, no clients can make a remote access connection. What should you do?
Configure REM1 and REM2 as REM3's RADIUS clients.
You are the network administrator for a small company using Windows Server 2016 and Windows 10 clients. A few of the company's employees want to work from home occasionally . You have decided to provide access using a VPN. What should you do?
Configure a remote access VPN.
You are in charge of installing a remote access solution for your network. You decide you need a total of four remote access servers to service all remote clients. Because remote clients might connect to any of the four servers, you decide that each remote access server must enforce the exact same policies. You anticipate that the policies will change frequently. What should you do? (Select two. Each choice is a required part of the solution.)
Configure network access policies on the RADIUS server. & Configure one of the remote access servers as a RADIUS server and all other servers as RADIUS clients.
You are the network administrator for you company. The network consists of a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. You company has a number of product specialists who travel to remote areas. The product specialists complain that their internet connections frequently fail, forcing them to reconnect to the company VPN server. The server and the clients use the L2TP with IPSec VPN protocol. You need to improve VPN performance by allowing the clients to automatically reconnect to the company VPN if the clients' internet connection should fail. What should you do?
Configure the VPN connection to use the Internet Key Exchange version 2 (IKEv2) VPN protocol.
There are several terms used to describe Azure AD application proxy services. Which of the following terms refers to lightweight agents that communicate between Azure AD application proxy architecture components?
Connectors
You are the network administrator for corpnet.com. You have implemented Active Directory Federation Services (AD FS) to enable single sign-on to a web application named WApp1. You need to enable internet users to access WApp1 using AD FS. You install WAP in the perimeter network. You need to enable internet users to contact the federation proxy server. What should you do first?
Create an A record in the corpnet.com zone hosted on the internet.
Which of the following BEST describes an Azure extended network?
Enables you to stretch an on-premises subnet into Azure.
Which of the following is a characteristic of TACACS+?
Encrypts the entire packet, not just authentication packets.
You want to implement an Azure WAN solution that does not utilize the public internet and increases security, speed, and reliability. In addition, you want to utilize P2P Ethernet network connectivity. Which of the following Azure WAN solutions will meet your networking requirements?
ExpressRoute
You are the manager for the westsim.com domain. Your company has just started a collaborative effort with a partner company. Their network has a single domain named eastsim.com. You decide to implement Active Directory Federation Services (AD FS) to allow users in the partner organization to access a Web application running on your network. You have three servers available, Srv1, Srv2, and Srv3. Srv3 is a web server that runs the claims-aware application. You want to use the Federation Service Web Application Proxy service in your design. You want to use the least number of servers possible. What should you do?
Install the Federation Service on Srv1. Install WAP and the claims-aware web agent on Srv3.
What is the web application proxy's job?
Intercepts outside traffic that's headed to internal applications.
Which of the following facilitates transitive connectivity for virtual networks in an Azure WAN solution?
Intra-cloud connectivity
An Azure AD application proxy is designed to provide access for a specific type of application. Which of the following BEST describes that application type?
Legacy applications not capable of modern protocol usage.
Which of the following is TRUE regarding an Azure extended network?
Lets on-premises VMs keep their original on-premises private IP addresses when migrating to Azure.
There are several terms used to describe Azure AD application proxy services. Which of the following terms refers to using either hardware or software to distribute the workload among at least two servers?
Load balancing
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. There is one main office located in Chicago. The main office is protected from the internet by a perimeter network. A server named VPN1 located in the perimeter network provides VPN remote access for external clients. A server named NPS1 has the Network Policy Server (NPS) role installed and provides RADIUS services for VPN1. NPS1 is located in the perimeter network and is configured to use Active Directory for authentication requests. There are three domain controllers on the internal network. A new company policy requires that the firewall between the internal network and the perimeter network be configured to allow traffic only between specific IP addresses. The amount of internal servers that can be contacted from the perimeter network must be kept to
Move NPS1 to the internal network and implement a RADIUS proxy in the perimeter network.
Which options are found on the settings tab of the network policy components? (Select four.)
Multilink and bandwidth allocation protocol & IP settings & Encryption & IP filters
VPN tunneling protocols encrypts packet contents and wraps them in an unencrypted packets. Which of the following networking devices or services prevents (in most cases) the use of IPsec as a VPN tunneling protocol?
NAT
What should you do before you start configuring a remote desktop gateway?
Obtain an SSL certificate
You manage the remote access solution for your network. Currently, you have two remote access servers, RA1 and RA2, with an additional server, RA3, configured as a RADIUS server. You need to configure RA1 and RA2 to forward authentication requests to RA3. What should you do?
On RA1 and RA2, run Routing and Remote Access. Edit the properties of the server and configure it to use RA3 for authentication.
Which of the following are connector types required to deploy an Azure AD application proxy? (Select two.)
On-premise physical hardware
Which of the following authentication protocols transmits passwords in cleartext and is considered too unsecure for modern networks?
PAP
Organizations want to make applications available to users without having to install the application on each user's computer. This can be done using Remote Desktop Gateway applications with a web interface. Which authentication mode skips the normal authentication request and passes the request to the server that hosts the application?
Pass-through
Which of the following security functions does CHAP perform?
Periodically verifies the identity of a peer using a three-way handshake.
Which of the following are standard VPN types used for implementing an Azure WAN solution? (Select two.)
Private connectivity & Site-to-site
When implementing an Azure AD application proxy, where must CNAME records be created?
Public DNS
Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.)
RADIUS & TACACS+
Which of the following are differences between RADIUS and TACACS+?
RADIUS combines authentication and authorization into a single function, while TACACS+ allows these services to be split between different servers.
You want to make applications available to your company employees without having to install the application on each employee's computer. You can do this by using which of the following?
Remote Desktop Gateway applications
You often travel away from the office. While traveling, you would like to use a modem on your laptop computer to connect directly to a server in your office to access needed files. You want the connection to be as secure as possible. Which type of connection do you need?
Remote access
What does a remote access server use for authorization?
Remote access policies
Which of the following are the specific users for which the AD application proxy is designed?
Remote users that need access to legacy applications.
Which of the following is TRUE regarding the Windows Admin Center (WAC)?
Requires latest version of Azure Network Adapter.
Which of the following are use cases associated with implementing an Azure WAN? (Select two.)
Routing & Azure firewall
Which of the following is equipment that facilitates branch connectivity for an Azure WAN solution?
SD-WAN CPE
There are several terms used to describe Azure AD application proxy services. Which of the following terms refers to a service that provides trust to a user's browser while accessing a website or application?
SSL certificates
You have been put in charge of providing a VPN solution for all members of the sales team. Sales team members have been issued new laptop computers running Windows 10. All remote access servers run Windows Server 2016. The salesmen have been complaining that with the previous VPN solution, there were many times that they were unable to establish the VPN solution because the hotel or airport firewalls blocked the necessary VPN ports. You need to come up with a solution that will work in most instances. Which VPN method should you choose?
Secure Socket Tunneling Protocol (SSTP)
You need to configure WAP to forward requests to AD FS servers that are not accessible from the internet. Arrange the WAP configuration tasks that you need to complete on the left in the appropriate order on the right.
Step 1 Export the internal AD FS server certificate. Step 2 Import AD FS server certificate. Step 3 Configure an SSL certificate on the default IIS website. Step 4 Add an entry for the AD FS server to the hosts file. Step 5 Install the AD FS Proxy role service. Step 6 Configure the AD FS Proxy. Step 7 Configure DNS records.
Which of the following is true regarding stretching a subnet?
Stretching a subnet is another term for extending a subnet from on-premise to Azure.
There are several terms used to describe Azure AD application proxy services. Which of the following terms refers to a cryptographic protocol that provides end-to-end security of data sent between applications over the internet?
TLS 1.2
Which of the following are network access setting limitations for an Azure AD application proxy? (Select two.)
Terminating connector TLS traffic. & Load-balanced connector.
You are a network administrator for a small company. All servers are running Windows Server 2016. All clients are running Windows 10. Your company has just opened a branch office in a different part of the country. To provide access to network resources between sites, you have determined that a Windows Server 2106 site-to-site VPN using a Remote Access Services (RAS) gateway would work best for your needs. Before creating the site-to-site VPN, what must you install first? (Select two.)
The DirectAccess and VPN (RAS) role service. & The Remote Access role
What is the computer that remote users connect to?
The web application proxy
Which of the following allows connections to be made between VNets to facilitate an Azure WAN solution?
Transitive connectivity
Match the type of VPN with its description.
Two hosts establish a secure channel and communicate directly. Host-to-host Routers on the edge of each site establish a VPN with the router at the other location. Site-to-site Allows individual users to establish secure connections with a remote computer network. Remote access
You have implemented an Azure extended network with a firewall between on-premise and the cloud. Which port do you need to open?
UDP 4789
Before creating an Azure AD application proxy, which of the following is ALWAYS required?
Users must be synched from on-premise AD to Azure AD, or users must be created in Azure AD.
Which of the following are characteristics of TACACS+? (Select two.)
Uses TCP. & Allows three different servers (one each for authentication, authorization, and accounting).
Azure network adapter connection limitations are determined by which of the following? (Select three.)
VPN gateway SKU selected. & Throughput speeds needed. & Encryption algorithm used.
Which of the following are considered RADUIS clients? (Select two.)
VPN servers & Wireless access points
Which of the following is a traditional VPN setup for an Azure WAN solution?
VPN-CPE
Which of the following BEST describes VNets?
Virtual networks hosted in Azure Cloud.
You are configuring AD FS. Which server should you deploy on your organization's perimeter network to allow users to access web applications?
Web Application Proxy Explanation
o Set an Add membership in the Sales user group condition. o Grant access if the condition is met, regardless of the setting in the Active Directory user account. o For authentication, accept only a smart card or other certificate. Be sure to disallow all other authentication methods. · Configure routing and remote access on BranchVPN1 and CorpVPN1 to use RADIUS authentication and accounting using the following settings: o Authentication provider: RADIUS Authentication o RADIUS Server name: CorpNPS o Shared secret: J51nj3T% o Accounting provider: RADIUS Accounting o Accept default settings.
h. Enter Sales under Enter the object names to select. i. Select OK. j. Select OK. k. Select Next. l. Select Next to use the default of Access granted. m. Select Add. n. Select OK to use the default of Microsoft: Smart card or other certificate. o. Under Less secure authentication methods, unmark all the authentication methods and then select Next. p. Select Next, to use the default settings for the Configure Constraints dialog. q. Select Next, to use the default settings for the Configure Settings dialog. r. Select Finish. 4. Configure a RADIUS client. a. From the top left, select Sites. b. Select the server to be configured as a RADIUS Client. c. From Server Manager, select Tools > Routing and Remote Access. d. Right-click the server and select Properties. e. Select the Security tab. f. Use the Authentication provider drop-down list to select RADIUS Authentication. g. Select Configure. h. Select Add. i. Enter CorpNPS in the Server name field. j. Next to Shared secret, select Change. k. In the New secret field, enter J51nj3T% as the secret.This password must be identical to the one that was entered on the NPS server. l. In the Confirm new secret field, re-enter the shared secret; then select OK. m. Select OK to add the RADIUS server. n. Select OK to close the RADIUS Authentication dialog. o. Use the Accounting provider drop-down list to select RADIUS Accounting. p. Select Configure. q. Select Add. r. Enter CorpNPS in the Server name field. s. Next to Shared secret, select Change. t. In the New secret field, enter J51nj3T% as the secret. This password must be identical to the one that was entered on the NPS server. u. In the Confirm new secret field, re-enter the shared secret; then select OK to add the RADIUS server. ↓↓↓↓↓CONTINUED
Continued
v. Select OK to close the Add RADIUS Server dialog. w. Select OK to close the RADIUS Accounting dialog. x. Select OK to close server properties. y. Repeat step 4 to add the additional RADIUS Client.