Remote Access Management
You are the server administrator for the westsim.com domain. Your network has a main office in Tulsa, with a branch office in Norman. You want to provide a site-to-site VPN solution to connect the two sites that supports NAP health certificates. Which protocol should you use?
Internet Protocol Security (IPsec)
You are the network administrator for westsim.com. The network consists of a single domain named westsim.com. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. The main office contains a server named RRAS1 that has been configured to provide DirectAccess connectivity for clients. Clients complain that when they connect via DirectAccess, they are not able to resolve intranet names. What should you do?
Check for .westsim.com in the Name Resolution Policy Table.
You have decided to implement Network Access Protection (NAP) on your network. You want to impose the following restrictions: Computers without antivirus software should not be allowed to connect. Computers without the latest security updates should not be allowed to connect. No other health checks should be performed. You create two health policies and two network policies: one each for compliant computers, and one each for non-compliant computers. Which of the following settings would you choose when configuring the non-compliant health policy?
Client fails one or more SHV checks
You have decided to implement Network Access Protection (NAP) with IPsec on your network. You have installed the NPS role, configured the System Health Validator (SHV), created health policies, and configured network policies. Which additional steps will you need to perform to complete the configuration? (Select two. Each choice is a possible action.)
Define restricted, boundary, and secure networks. Configure a Health Registration Authority (HRA).
You need to configure the properties of the user shown in the image below such that remote access to your organization's VPN server is controlled using NPS Network Policy. What tab would you click on to make this change?
Dial-In
You would like to implement DirectAccess on your corporate network. Which of the following is not an infrastructure requirement for using DirectAccess?
Network access for files server role
You have been asked to implement a wireless solution for your company network. To improve security, you decide to implement 802.1x authentication using smart cards and certificates for all wireless users. Which authentication protocol will you use?
PEAP-EAP-TLS
Your organization uses a routed network. The network uses Windows Server 2012 systems with the Routing and Remote Access role installed to connect the various network segments together. Your network is very static in nature with changes happening only rarely. To reduce network traffic, you decide to reduce the frequency of RIP routing updates sent between routers. Click the option in the RIP interface properties you would use to do this.
Periodic announcement interval (seconds): 30
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8 Enterprise. There is a single main office located in New York. A perimeter network separates the main office from the Internet. Corporate policy requires that all servers be isolated from the Internet. No external clients may directly access internal resources unless the connection is secure. External connections to servers located in the perimeter network are permitted. You plan to implement DirectAccess to support encrypted connections from remote clients to the internal network. A server named RRAS1 will provide DirectAccess connections for the clients. The DirectAccess clients will use IP-HTTPS connections. Certificates for the DirectAccess clients and servers will be issued by an Enterprise root CA named CA1. You need to configure CA1 to support DirectAccess clients. What should you do?
Publish the CA1 Certificate Revocation List (CRL) on a server in the perimeter network.
You are configuring routing on a Windows Server 2012 system. Rather than manually configure static routes on the server, you want to configure it to communicate with other routers already in the network to dynamically build its routing table.
RIP Version 2 for Internet Protocol
You have decided to implement Network Access Protection (NAP) on your network. You want to impose the following restrictions: Computers without antivirus software should not be allowed to connect. Computers without the latest security updates should not be allowed to connect. No other health checks should be performed. Which NAP component would you modify to enable the health checks that should be performed when clients attempt to connect?
System Health Validator (SHV)
You are troubleshooting network communications on a Windows Server 2012 system. You need to verify that the default gateway is configured correctly.
route print -4
You manage Windows 7 and Windows 8 notebooks that have been joined to the mydomain.com Active Directory domain. Because these notebook systems are frequently taken on sales visits to client sites, you have decided to implement DirectAccess on your network. You run the setup for DirectAccess on the DA1 server with the following choices: end-to-end authentication with a smart card required for authentication; root certificate from ca1.mydomain.com; security group name of DirectAccessGroup; the Network Location service runs on the DirectAccess server. You need to configure the client computers for the DirectAccess connection. What should you do?
Add the computer account for each client computer to the DirectAccessGroup security group.
You want to let clients on your private network connect to the Internet through Server1. Server1 connects to the Internet using a dial-up connection. On Server1, you enable the Routing and Remote Access Service and install the NAT routing protocol. All computers in your network use Automatic Private IP addressing. There is no DHCP server on the network. You want to use the private IP address range 172.16.65.1 to 172.16.65.250. How would you configure Server1?
Assign an IP address of 172.16.65.1 to the LAN interface of Server1. Configure the NAT routing protocol to automatically assign addresses in the range of 172.16.65.2 through 172.16.65.250 to computers on the private interface
You are the network administrator for a small private network. You have been providing VPN access to company users for the past few months through a Windows Server 2012 R2 Routing and Remote Access server. Your company recently decided to require the strongest authentication possible to connect to the Remote Access server. You've set up a certificate server and changed the authentication protocol on the server to require certificates. Remote users are complaining that they can no longer access the Remote Access server. What should you do?
Change the authentication protocol on each client to EAP-TLS
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. You have a server named VPN1 that is configured to accept VPN connections from remote clients. VPN1 is configured as a RADIUS client of a server named RADIUS1. Management decides to implement remote access auditing. You need to track when and how long each user is connected via remote access. What should you do?
Configure RADIUS accounting on RADIUS1
Your company has recently added a traveling sales force. To allow salesmen access to the network while traveling, you install two additional servers. You configure the servers (REM1 and REM2) as remote access servers to accept incoming connections from remote clients. You configure network access policies on each server. The solution is working fine, but you find that you must make constant changes to the remote access policies. You install the Network Policy and Access Services role on a third server (REM3). You configure network access policies on REM3. Following the installation, you verify that all clients can connect to REM1 and REM2. You then delete the custom network policies on both servers. Now, no clients can make a remote access connection. What should you do?
Configure REM1 and REM2 as RADIUS clients of REM3.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8 Enterprise edition. The main office contains a server named RRAS1. You are in the process of configuring RRAS1 to support DirectAccess connections. You need to configure RRAS1 to allow IPv6 connectivity for the clients to RRAS1 for the purpose of DirectAccess. What should you do?
Configure Windows Firewall with Advanced Security to allow ICMPv6 Echo Requests.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. There is a single main office located in New York. The company has deployed Network Access Protection (NAP) on the internal network. A server named NAP1 is configured with the Network Policy and Access Services role. You need to ensure that clients accessing the computer using wireless access points are authenticated using 802.1x authentication and are evaluated by NAP. What should you do?
Configure all wireless access points as RADIUS clients to NAP1.
You have decided to implement Network Access Protection (NAP) with RD Gateway on your network. You have installed the NPS role, configured the System Health Validator (SHV), created health policies, and configured network policies. Which additional step will you need to perform to complete the configuration?
Configure connection authorization policies
You are in charge of installing a remote access solution for your network. You decide you need a total of four remote access servers to service all remote clients. Because remote clients might connect to any of the four servers, you decide that each remote access server must enforce the exact same policies. You anticipate that the policies will change frequently. What should you do? (Select two. Each choice is a required part of the solution.)
Configure network policies on the RADIUS server. Configure one of the remote access servers as a RADIUS server, and all other servers as RADIUS clients.
You are implementing NAT on a Windows Server 2012 system using Routing and Remote Access. You installed two network interfaces in the server: • The Ethernet connection is connected to the external network that uses registered IP addresses. • The Ethernet1 connection is connected to the internal network where private IP addressing is used. The Ethernet connection is assigned an IP address of 137.65.1.23/16, while the Ethernet1 connection is assigned an IP address of 172.17.1.1/16. You enabled Routing and Remote Access on the server and configured it for NAT. You defined the Ethernet connection as the private interface and the Ethernet1 connection as the public interface with NAT enabled. When you test the configuration, it doesn't work correctly. What should you do to fix it?
Configure the Ethernet interface as the public interface and enable NAT on it
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. westsim.com has a number of Product Specialists who travel to remote areas. The Product Specialists complain that their Internet connections frequently fail, forcing them to reconnect to the company VPN server. The server and the clients use the L2TP with IPSec VPN protocol. You need to improve VPN performance by allowing the clients to automatically reconnect to the company VPN if the clients' Internet connection should fail. What should you do?
Configure the VPN connection to use the Internet Key Exchange version 2 (IKEv2) VPN protocol.
You have decided to implement Network Access Protection (NAP) with 802.1x authentication on your network. You have installed the Network Access and Policy Server role, configured the System Health Validator (SHV), created health policies, and configured network policies. Which additional steps will you need to perform to complete the configuration? (Select two. Each choice is a possible action.)
Configure the enforcement point as a RADIUS client. In the network policy, configure VLAN memberships.
The Portland site in your company network has the only connection to the Internet. To allow all Windows 8 computers on the network to access the Internet through the Portland connection, you install and configure the NAT routing protocol on a server in Portland. You decide to use IP addresses in the range of 192.168.40.1 through 192.168.40.50 for the network. The Portland server is configured to use an IP address of 192.168.40.1. Web1 is a Web server configured with an IP address of 192.168.40.2 and a default gateway of 192.168.40.1. Your Internet service provider has allocated two IP addresses, 207.46.179.16 and 207.46.179.17, to your network. You want to allow Internet users from outside your internal network to use an IP address of 207.46.179.17 to access the resources on the Web1 server through the NAT service on Portland. What should you do?
Configure the public interface of the NAT routing protocol to use an address pool with a starting address of 207.46.179.16 and a mask of 255.255.255.254. Reserve a public IP address of 207.46.179.17 for the private IP address of 192.168.40.2
Margaret is in charge of configuring the remote access solution for her network. The network consists of a single subnet. A DHCP server on the private network assigns IP addresses to hosts on the private network. A single remote access server, RASSRV, provides remote access connections for 10 Windows 8 laptops. Remote clients have access to resources on the private network through RASSRV. Margaret wants the clients to receive their IP addresses from the DHCP server. What should Margaret do? Configure each client with the IP address of the DHCP server. Configure the remote access server to use DHCP for addressing. Configure the remote access server with a range of IP addresses that fall within the range of addresses configured on the DHCP server. Configure the remote access policies to identify DHCP as the addressing method. Configure RASSRV as a DHCP proxy.
Configure the remote access server to use DHCP for addressing.
You have decided to implement Network Access Protection (NAP) on your network. You decide to create two categories of computers: those that pass all health checks, and those that fail one or more health checks. Those that pass all checks should be granted full network access, while those that fail one or more should be granted access only to the quarantine network. How should you configure NAP for this scenario? (Select two. Each choice is a required part of the solution.)
Configure two Network Policies. Configure two Health Policies.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. The network consists of several main offices and branch offices. A Windows 2012 R2 server installed with the Network Policy and Access Services role acts as the router for each office. You have been instructed to use NPS to configure IP Filters to control which traffic is passed to the local network. The filters must be identical at each office. You must achieve this goal using the minimum amount of administrative effort. What should you do?
Create a Network Policy Server (NPS) template at one NPS server configured with the appropriate IP Filters, then export the template to the other NPS servers
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. You need to provide access to remote clients who belong to the Remote group. You install the Network Policy Server (NPS) on a server named VPN1. You configure VPN1 to act as a VPN server and add all of the user accounts to the Remote group. You configure a server named RADIUS1 with the NPS role. You configure VPN1 to be a RADIUS client of RADIUS1. You need to configure RADIUS1 to process authentication requests from VPN1. What should you do?
Create a connection request policy
You have decided to implement Network Access Protection (NAP) with a VPN on your network. You have installed the NPS role, configured the System Health Validator (SHV), created health policies, and configured network policies. Which additional step will you need to perform to complete the configuration?
Create a connection request policy that uses PEAP authentication and has quarantine checks enabled
You manage a network with two locations: New York and Los Angeles. All computers are members of a single domain named northsim.com. You have been put in charge of creating a remote access solution, so that sales team members can connect to both sites using a VPN connection. On a server in the New York location, you configure a network policy that allows access to VPN users who are members of the Sales group. You test the connection and find that everything is working properly. You install a second remote access server in the Los Angeles location. However, when you try to connect using the VPN connection, the connection is refused, even though you used the same user account that was able to connect to the server in the New York location. What should you do?
Create a network policy on the server in Los Angeles that is similar to the policy on the server in New York.
You manage the remote access solution for your network. Currently, you have 10 remote access servers named RA1 through RA10. A single RADIUS server named RA11 holds all network policies for all remote access servers. Due to some recent changes, you decide to add two more RADIUS servers, RA12 and RA13, to your solution. Remote access authentication should be directed to any of the three servers so that requests are load balanced between them. You add RA14 to configure it as a RADIUS proxy. You configure RA1 through RA10 as RADIUS clients to RA14. Authentication requests will be received by RA14, then directed to one of the three RADIUS servers. How should you complete the configuration of RA14? (Select two. Each choice is a required part of the solution.)
Create a single RADIUS server group with RA11, RA12, and RA13 as members of the group. Create a single connection request policy.
You have a laptop that runs Windows 8 Enterprise. You want to use the laptop to connect to your corporate intranet while you are at home or traveling. Your solution should meet the following requirements: The computer should connect automatically to the intranet without user initiation. All communications between your laptop and the intranet should be encrypted. The connection should allow for remote management of the computer from the corporate intranet. Internet traffic should be directed to Internet servers without going through servers at the corporate network. The solution should work through firewalls where only HTTP and HTTPS are permitted. Which feature should you implement?
DirectAccess
You are the administrator of a large network. Your company has offices in several states, as well as several locations within the city of Chicago. Each location has its own Active Directory domain, complete with DNS server and DHCP configuration. You are opening a network segment for a research and development arm of the company. Communication from this segment to the rest of the network will be using PPP. You need an authentication method that will allow for a high degree of flexibility. It must support authentication using One Time Passwords, MD5-Challenge, or Transport Layer Security for smart cards. Encryption is not necessary in this implementation. Which authentication protocol should you choose?
EAP
You have decided to use Network Access Protection (NAP) with 802.1x authentication on your network. You have already configured the necessary servers and services. Now you need to configure client computers to connect to the network. Which enforcement client should you enable on the client?
EAP Quarantine Enforcement Client
You manage a Windows 7 computer connected to a business network using switches and multiple subnets.
Edit the IPv4 properties and change the default gateway
Your company has established a branch office in a nearby town, which also has a small network. The remote office has two servers running Windows Server 2012 R2. You've been instructed to interconnect the two offices using a VPN tunnel. You install the Routing and Remote Access service on one of the Windows Server 2012 R2 computers in your local office and on one of the Windows Server 2012 R2 computers in the remote office. You enable the VPN service on both servers. You can successfully ping between the two devices. However, you cannot connect to resources on the other side of the remote access server. What should you do? (Select two. Each answer is required for a working solution.) Change the authentication protocol on the server to EAP-TLS. Change the authentication protocol on the server to MS-CHAP v2. Add certificate services to the remote access server. Enable LAN routing on both access servers. Configure a static route on each remote access server to the other network.
Enable LAN routing on both access servers. Configure a static route on each remote access server to the other network
You are configuring a new network policy for temporary employees using the New Network Policy wizard in the Network Policy Server console. If the conditions and constraints you configured in the policy are met and the policy grants access to a client, you want the policy to apply 128-bit MPPE. What settings category would you use to do this?
Encryption
You have a laptop computer that runs Windows 8 Enterprise. The computer is a member of a domain. You want to use DirectAccess to access application servers on your corporate intranet. Application servers run Windows Server 2003 and Windows Server 2008. You want to configure a single access method for all servers and clients. Which connection method should you use?
Full enterprise network access (end-to-edge)
You are configuring Network Policy Server (NPS) for RADIUS. You've heard that NPS includes a template type that you can use to assign a shared secret when you configure the RADIUS client and server. Assuming you are using Windows Server 2012 R2, which command can you use to view a list of available shared secret templates?
Get-NpsSharedSecretTemplate
You have decided to implement Network Access Protection (NAP) on your network. You want to impose the following restrictions: Computers without antivirus software should not be allowed to connect. Computers without the latest security updates should not be allowed to connect. No other health checks should be performed. You create two health policies and two network policies: one each for compliant computers, and one each for non-compliant computers. Only computers that pass all health checks should be allowed to connect to the unrestricted network. You perform a check of the configuration and find that a computer with antivirus software, but without the latest security patches, is allowed to connect. Another computer that has no antivirus software, but with the required security updates, is also allowed to connect. Only computers missing both the antivirus software and the security updates are prevented from connecting. You need to modify the configuration so that any client failing one or more health checks is not allowed to connect. Which NAP component would you modify?
Health Policy
You have decided to implement Network Access Protection (NAP) on your network. You want to impose the following restrictions: Computers without antivirus software should not be allowed to connect. Computers without the latest security updates should not be allowed to connect. No other health checks should be performed. You create two health policies and two network policies: one each for compliant computers, and one each for non-compliant computers. Only computers that pass all health checks should be allowed to connect to the unrestricted network. You are configuring the network policy for the non-compliant computers. Which of the following will be part of the network policy configuration? (Select three.)
Identify remediation server groups that can be used. For NAP enforcement, select Allow limited access. For authentication, choose Perform machine health check only.
Several employees in your company have personal laptop computers that they bring to work and connect to the company network. Because they often use these laptops while traveling or to help them do their jobs, you can't prevent them from connecting to the network. However, you are concerned that many of these computers don't have the latest security patches installed. You want to implement a solution so that computers are checked for the latest security updates as they connect to the network. If the required updates are missing, you want to prevent these computers from having full access to the private network. What should you do?
Implement Network Access Protection (NAP) with a quarantine network.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. The main office contains a server named RRAS1 that has been configured to provide DirectAccess connectivity for clients. A group named DirectAccess Clients has been enabled for DirectAccess. Users complain that they are unable to connect to the internal network using DirectAccess. You need to ensure that the users can connect to RRAS1 using DirectAccess. What should you do?
In Active Directory Users and Computers, add the computer accounts of the users' computers to the DirectAccess Clients group.
You want to allow Research users to connect to the private network through a VPN connection. Users will connect to the Internet while on the road, then connect through a VPN server to the private network. All users will use laptops that run Windows 7 or Windows 8. You configure a Windows Server 2012 R2 server as a router and configure it to accept VPN connections. During a random check one day, you notice that some connections are using PPTP while others are using L2TP. You want to force all connections to use L2TP. What should you do? In Routing and Remote Access, edit the PPTP ports and set the number of ports to 0. On each client computer, configure L2TP as the VPN connection type. In Routing and Remote Access, edit the Ports node. Disable remote access and demand-dial routing connections for PPTP. In Routing and Remote Access, configure a remote access policy to accept only L2TP connections.
In Routing and Remote Access, edit the Ports node. Disable remote access and demand-dial routing connections for PPTP.
You are adding a new Internet connection to connect your private network to the Internet. A server running Windows Server 2012 R2 with Routing and Remote Access and NAT connects the private network to the Internet. The ISP currently hosts your Web server, but you want to move that server into your private network. You want all Web traffic sent to 135.74.16.86 to be redirected to the server on your private network with address 10.1.1.3. What should you do?
In Routing and Remote Access, edit the properties of the public network interface running the NAT protocol. Redirect HTTP to 10.1.1.3
You want to provide remote access using a VPN server to users in your company so that they can work from home. Users will connect to the remote access server using a VPN connection over the Internet in order to access all resources on the company network. You install Windows Server 2012 R2 on a new server (Remote1) and configure it for remote access. You configure the network policies to allow connections between 7am and 8pm. The next day, you get a call from one of the users reporting that she can connect to the remote access server, but can't access any resources on the company network. You ask her to ping a server on the private network using its IP address, but the ping fails. From the remote access server, you can access all resources on the private network. What should you do? On the private network, grant remote access users permissions to resources. In Routing and Remote Access, configure RIP and add the LAN interfaces to the routing protocol. In Routing and Remote Access, configure a static route to the company network. In Routing and Remote Access, enable LAN routing on the server.
In Routing and Remote Access, enable LAN routing on the server.
You are the administrator of a large Active Directory network running at Windows Server 2008 functional level. All client computers run Windows 7 or Windows 8. Your company has offices in several states, as well as several locations within the city of Chicago. Each location has its own Active Directory domain, complete with DNS and DHCP servers. The company has just opened a new office in Des Moines. You have created a new Active Directory domain to serve Des Moines. The users in Des Moines will access many of the resources in the Chicago office, so you create a shortcut trust between Chicago and Des Moines. This is a two-way transitive trust. You need to choose the appropriate network access authentication protocol. Which method should you choose?
Kerberos
Maria is configuring a remote access solution for her network. A single server, RASSrv, runs Windows 2012 R2 and is the remote access server. Approximately 20 remote clients, all running Windows 8, will connect to the server. Maria wants to use a secure remote authentication method that encrypts passwords but does not require additional hardware. What is the most secure authentication method that Maria should use?
MS-CHAP v2
Manuela is in charge of maintaining the VPN solution for her network. The VPN server was installed about two months ago and services a total of 25 clients. All clients run Windows 7 and Windows 8 and connect to the VPN server through the Internet. Occasionally, users complain that they are unable to establish a VPN connection. The problem is not isolated to any specific user and typically goes away after the user waits for a while before trying the connection again. Manuela checks the VPN server and finds it is obtaining IP addresses from a DHCP server to assign to clients. The DHCP Console shows that 30 addresses have been leased to the VPN server. A total of 20 L2TP ports are configured on the VPN server for incoming connections. What should Manuela do? Decrease the IP address lease time. Delete all L2TP ports. Manually configure PPTP ports. Manually configure additional L2TP ports. Configure the IP address pool with additional addresses. Add another network card to the server to provide additional client connections.
Manually configure additional L2TP ports.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 8. There is one main office located in Chicago. The main office is protected from the Internet by a perimeter network. A server named VPN1 located in the perimeter network provides VPN remote access for external clients. A server named NPS1 has the Network Policy Server (NPS) role installed and provides RADIUS services for VPN1. NPS1 is located in the perimeter network and is configured to use Active Directory for authentication requests. There are three domain controllers on the internal network. A new company policy requires that the firewall between the internal network and the perimeter network be configured to allow traffic only between specific IP addresses. The number of internal servers that can be contacted from the perimeter network must be kept to a minimum. You need to configure remote access to minimize the number of servers on the internal network that can be contacted by servers on the perimeter network. Your solution should not impact the availability of remote access services. What should you do?
Move NPS1 to the internal network and implement a RADIUS Proxy in the perimeter network.
A group of telecommuting employees has been granted approval by upper management to use VPN internet access between the hours of 8:00 AM and 5:00 PM. No other employees will be allowed remote access to the network. The telecommuting employee computers are running Windows 8. You create an Active Directory group named TeleCommute and place all telecommuting employee user accounts into this group. You create a new network policy (named Telecommute Policy) with the following conditions: Day and time: 8:00 am to 5:00 pm every day; Windows group membership: TeleCommute group; NAS Port Type: Virtual (VPN). You configure remote access permissions for all users in the TeleCommute group to allow remote access. The list of network policies is as follows in the Network Policy Server console: When you test the remote access connection, no users are allowed to connect to the remote access server. What should you do?
Move the TeleCommute Policy network policy up in the list
You are configuring a new network policy for temporary employees using the New Network Policy wizard in the Network Policy Server console. If the conditions and constraints you configured in the policy are met and the policy grants access to a client, you want non-compliant clients to be allowed access only to a restricted network where their system can be remediated before being granted full network access. Click the settings category you would use to configure this.
NAP Enforcement
You are implementing NAT on a Windows Server 2012 system using Routing and Remote Access. You installed two network interfaces in the server: • The Ethernet connection is connected to the external network that uses registered IP addresses. • The Ethernet1 connection is connected to the internal network where private IP addressing is used. The Ethernet connection is assigned an IP address of 137.65.1.23/16 while the Ethernet1 connection is assigned an IP address of 172.17.1.1/16. You enabled Routing and Remote Access on the server and are using the Custom Configuration option in the Routing and Remote Access Server Setup Wizard to configure NAT. Click on the options that must be selected to enable NAT on the server.
NAT; LAN routing
You have purchased a new laptop that runs Windows 8 Enterprise. You want to use DirectAccess to connect the computer to your corporate intranet from home. Your home network is connected to the Internet with a single public IP address and NAT. Firewalls between your network and the intranet allow only HTTP and HTTPS traffic. What should you do to configure the laptop for the DirectAccess connection?
Obtain a computer certificate for the laptop
You manage the remote access solution for your network. Currently you have two remote access servers, RA1 and RA2, with an additional server, RA3, configured as a RADIUS server. You need to configure RA1 and RA2 to forward authentication requests to RA3. What should you do?
On RA1 and RA2, run Routing and Remote Access. Edit the properties of the server and configure it to use RA3 for authentication.
Consider the routed network shown in the exhibit. Host A tries to ping Host B, but gets no response.
On Router2, enter route add -p 172.17.0.0/16 172.18.0.1; on Router1, enter route add -p 172.19.0.0/16 172.18.0.2
You have been put in charge of providing a VPN solution for all members of the Sales team. Laptops used by Sales team members run Windows 8. All remote access servers run Windows Server 2012 R2. You decide to implement SSTP for the VPN solution. Your company security policy mandates that only necessary firewall ports be opened. What should you do? Open UDP port 500 in the firewall. Open port 1723 in the firewall. Open port 443 in the firewall. Open port 1701 in the firewall.
Open port 443 in the firewall
Your organization has recently deployed an internal Web server that needs to be accessible by users outside your organization through the Internet. To enable this, you decide to implement the Web Application Proxy role service and publish the internal Web site. You do not want users to be required to enter credentials to access the internal network, but you do want the internal Web server itself to perform authentication before allowing access to Web server content. What option would you use in the Publish New Application Wizard to enable this configuration?
Pass-through
You have been assigned to create a remote access strategy for your network. All full-time company employees should be allowed remote access during any time of the day. In addition, you have some contractors who are working with the Marketing department who should be allowed access only between 6am and 6pm. You have created a special group called Contractors, and defined the following network policies on the server. Remote Access Policy Name - Allow Any; Conditions - Domain Users group membership, VPN connection; Permissions - Allow access, ignoring Active Directory; Constraints - None. Remote Access Policy Name - Contractors Allow; Conditions - Contractors group membership, VPN connection; Permissions - Allow access, ignoring Active Directory; Constraints - None. Remote Access Policy Name - Contractors Deny Night; Conditions - Contractors Group membership, VPN connection, 6pm to 6am; Permissions - Deny access, ignoring Active Directory; Constraints - None.
Policy #1: Contractors Deny Night; Policy #2: Contractors Allow; Policy #3: Allow Any
You have been assigned to create a remote access strategy for your network. All full-time company employees should be allowed remote access during any time of the day. In addition, you have some contractors who are working with the Marketing department who should be allowed access only between 6am and 6pm. What should you do?
Remove the constraints from the Contractors Deny Night policy and add a condition for 6pm to 6am.
You have been put in charge of providing a VPN solution for all members of the Sales team. Sales team members have been issued new laptop computers running Windows 8. All remote access servers run Windows Server 2012 R2. Salesmen complain that with the previous VPN solution, there were many times that they were unable to establish the VPN solution because the hotel or airport firewalls blocked the necessary VPN ports. You need to come up with a solution that will work in most instances. Which VPN method should you choose? Internet Protocol Security (IPsec) in tunnel mode. Point-to-Point Tunneling Protocol (PPTP). Layer Two Tunneling Protocol (L2TP). Secure Socket Tunneling Protocol (SSTP).
Secure Socket Tunneling Protocol (SSTP)
You are the network administrator for eastsim.com. The network consists of a single domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. A server at the main office named NP1 runs the Network Access Policy (NPS) server role. You need to disable IPv6 for all connections except for the tunnel interface and the IPv6 Loopback address. What should you do?
Select Properties of the Local Area Connection and uncheck Internet Protocol Version 6 (TCP/IPv6).
You are implementing NAT on a Windows Server 2012 system using Routing and Remote Access. You installed two network interfaces in the server: • The Ethernet connection is connected to the external network that uses registered IP addresses. • The Ethernet1 connection is connected to the internal network where private IP addressing is used. The Ethernet connection is assigned an IP address of 137.65.1.23/16, while the Ethernet1 connection is assigned an IP address of 172.17.1.1/16. You enabled Routing and Remote Access on the server and configured it for NAT. You defined the Ethernet1 connection as the private interface and the Ethernet connection as the public interface with NAT enabled. Which of the following is true regarding this implementation?
The NAT router can forward DNS requests to the DNS servers on the public network
You have a laptop computer that runs Windows 8 Enterprise. The computer is a member of a domain. You want to use DirectAccess to access application servers on your corporate intranet. Application servers run Windows Server 2008 R2. You need to implement a solution that does the following: All communications sent to the private network over the Internet are encrypted. Client computers authenticate with application servers on the intranet. Following authentication, traffic on the intranet is not encrypted. What should you do? (Select two. Each choice is a required part of the solution.)
Upgrade application servers to Windows Server 2008 R2. Configure selected server access (modified end-to-edge)
You have purchased a new laptop that runs Windows 8 Professional. You want to use DirectAccess to connect the computer to your corporate intranet. You will use Group Policy to enforce DirectAccess settings on the client. What should you do to configure the laptop for the DirectAccess connection? (Select two.)
Upgrade the computer to Windows 8 Enterprise. Join the computer to a domain.
You are the network administrator for westsim.com. A server named RRAS1 has been purchased to function as a router between the internal network and the perimeter network.
You should remove the default gateway entry from the internal network interface on RRAS1
You are the network administrator for northsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2012 R2. All the clients run Windows 7 or Windows 8. northsim.com is interested in implementing remote access for Product Specialists that travel across the country. You install the Routing and Remote Access Service (RRAS) on a member server and configure the server to accept VPN connections. You need to select a remote access authentication protocol. Your solution must offer the highest degree of security. What should you do?
You should select Extensible Authentication Protocol (EAP).
