Ch. 13 - On-Premises and Hybrid Network Connectivity
A. Encryption algorithm used, B. VPN gateway SKU selected, & F. Throughput speeds needed.
Azure network adapter connection limitations are determined by which of the following? (Select three.) A. Encryption algorithm used. B. VPN gateway SKU selected. C. S2S VPN connection selected. D. Asymmetrical routing used. E. A subnet's limits when stretched. F. Throughput speeds needed. G. P2S VPN connection selected.
type Pass-through
Organizations want to make applications available to users without having to install the application on each user's computer. This can be done using Remote Desktop Gateway applications with a web interface. Which authentication mode skips the normal authentication request and passes the request to the server that hosts the application?
C. VPN servers & E. Wireless access points
Which of the following are considered RADIUS clients? (Select two.) A. User tablets B. A PC used to work from home C. VPN servers D. User laptops E. Wireless access points
B. Remote access policies
What does a remote access server use for authorization? A. CHAP or MS-CHAP B. Remote access policies C. SLIP or PPP D. Usernames and passwords
B. The web application proxy
What is the computer that remote users connect to? A. The remote desktop gateway B. The web application proxy C. The AD FS server D. The RADIUS server
C. Authenticate remote clients before access to the network is granted.
What is the primary purpose of RADIUS? A. Manage access to a network over a VPN. B. Manage RAID fault-tolerant drive configurations. C. Authenticate remote clients before access to the network is granted. D. Control entry-gate access using proximity sensors.
A. Intercepts outside traffic that's headed to internal applications.
What is the web application proxy's job? A. Intercepts outside traffic that's headed to internal applications. B. Allows the same name to resolve to different IP addresses. C. Enables remote users to access internal resources without being prompted for credentials D. Resolves the name of the computer on the internal network that has the AD FS role.
A virtual network adapter to the routable subnet: On-premise; Second network interface to the extended subnet: In the cloud; A second virtual network adapter to the extended subnet: On-premise; Primary network interface to the routable subnet: In the cloud
When implementing an Azure extended network, you need a pair of Windows Server VMs. Both VMs act as virtual appliances. Drag the VM type on the left to the proper connections on the right. (You can use a VM type more than once.) VM types: In the cloud; On-premise. Connections: A virtual network adapter to the routable subnet; Second network interface to the extended subnet; A second virtual network adapter to the extended subnet; Primary network interface to the routable subnet.
D. A Windows Server service that allows users to use any device to access applications from outside the corporate network.
Which of the following BEST describes a WAP? A. A Windows remote management tool allowing one to manage a server from anywhere, anytime, whether on-premise, virtual, in Azure, or on other hosted environments. B. A server used to centralize authentication, authorization, and accounting for multiple remote access servers. C. A server used to perform authentication, authorization, and accounting for remote connections. D. A Windows Server service that allows users to use any device to access applications from outside the corporate network.
D. A set of conditions, constraints, and settings used to authorize which remote users and computers can or cannot connect to a network.
Which of the following BEST describes a network policy? A. A tool that reduces the administrator's workload and minimizes the chance of human error when configuring RADIUS servers and clients. B. A Microsoft feature that controls the working environment of user accounts and computer accounts. C. A method for identifying and verifying the servers and clients that you connect with. D. A set of conditions, constraints, and settings used to authorize which remote users and computers can or cannot connect to a network.
C. Enables you to stretch an on-premises subnet into Azure.
Which of the following BEST describes an Azure extended network? A. Connects a server to the Azure VNet VMs. B. Is useful only for a few on-premise servers at most. C. Enables you to stretch an on-premises subnet into Azure. D. Is a separate download for Server 2016 and 2019.
D. A point-to-site (P2S) VPN connection
Which of the following BEST describes an Azure network adapter? A. Designed for dozens or hundreds of connections B. A slower, secure connection C. A site-to-site (S2S) VPN connection D. A point-to-site (P2S) VPN connection
B. Allows the same name to resolve to different IP addresses.
Which of the following BEST describes split DNS? A. Intercepts outside traffic that's headed to internal applications. B. Allows the same name to resolve to different IP addresses. C. Resolves the name of the computer on the internal network that has the AD FS role. D. Enables remote users to access internal resources without being prompted for credentials.
A. Allows three different servers (one each for authentication, authorization, and accounting). & D. Uses TCP.
Which of the following are characteristics of TACACS+? (Select two.) A. Allows three different servers (one each for authentication, authorization, and accounting). B. Uses UDP. C. Can be vulnerable to buffer overflow attacks. D. Uses TCP. E. Allows two different servers (one for authentication and authorization and another for accounting).
C. RADIUS combines authentication and authorization into a single function, while TACACS+ allows these services to be split between different servers.
Which of the following are differences between RADIUS and TACACS+? A. RADIUS uses TCP, while TACACS+ uses UDP. B. RADIUS supports more protocols than TACACS+. C. RADIUS combines authentication and authorization into a single function, while TACACS+ allows these services to be split between different servers. D. RADIUS encrypts the entire packet contents, while TACACS+ only encrypts the password.
C. A connection to Azure for WAC server. & E. Azure subscription with active account.
Which of the following are items needed to implement an Azure Network Adapter? A. Disabled TCP sequence number randomization. B. A pair of Windows Server VMs. C. A connection to Azure for WAC server. D. An on-premise subnet to be stretched. E. Azure subscription with active account.
A. A firewall configured to allow for asymmetric routing. & E. Site-to-Site (S2S) VPN connection or the Azure express connection
Which of the following are items needed to implement an Azure extended network? (Select two.) A. A firewall configured to allow for asymmetric routing. B. Private IP address pool for gateway subnet that is not smaller than /27. C. An on-premise server with internet connection. D. A virtual VPN gateway inside of Azure. E. Site-to-Site (S2S) VPN connection or the Azure express connection
A. TACACS+ & D. RADIUS
Which of the following are methods for providing centralized authentication, authorization, and accounting for remote access? (Select two.) A. TACACS+ B. PKI C. AAA D. RADIUS E. EAP
B. PAP
Which of the following authentication protocols transmits passwords in cleartext and is considered too unsecure for modern networks? A. CHAP B. PAP C. RADIUS D. EAP
C. Authorization, D. Accounting, & G. Authentication
Which of the following features are used by clients and provided by the RADIUS server? (Select three.) A. Remote access client B. Administration C. Authorization D. Accounting E. Network policies F. NPS templates G. Authentication
A. Lets on-premises VMs keep their original on-premises private IP addresses when migrating to Azure.
Which of the following is TRUE regarding an Azure extended network? A. Lets on-premises VMs keep their original on-premises private IP addresses when migrating to Azure. B. Does not require any VPN appliances. C. Is not designed for dozens or hundreds of connections. D. Is a point-to-site (P2S) VPN connection to the Azure public cloud from an on-premise server.
A. Requires latest version of Azure Network Adapter.
Which of the following is TRUE regarding the Windows Admin Center (WAC)? A. Requires latest version of Azure Network Adapter. B. Is a separate download for Server 2022. C. Does not require any VPN appliances. D. Requires UDP 4789 to be open.
D. Encrypts the entire packet, not just authentication packets.
Which of the following is a characteristic of TACACS+? A. Uses UDP ports 1812 and 1813. B. Supports only TCP/IP. C. Requires that authentication and authorization are combined in a single server. D. Encrypts the entire packet, not just authentication packets.
C. Stretching a subnet is another term for extending a subnet from on-premise to Azure.
Which of the following is true regarding stretching a subnet? A. A network packet leaves on one path, then returns on a different path. B. A point-to-site VPN connection to Azure allows for fast, secure connectivity. C. Stretching a subnet is another term for extending a subnet from on-premise to Azure. D. The basic architecture in Azure cloud allowing cloud resources to communicate securely.
B. 49
Which of the following ports does TACACS use? A. 22 B. 49 C. 50 and 51 D. 1812 and 1813 E. 3389
B. Periodically verifies the identity of a peer using a three-way handshake.
Which of the following security functions does CHAP perform? A. Protects usernames. B. Periodically verifies the identity of a peer using a three-way handshake. C. Allows the use of biometric devices. D. Links remote systems together.
B. Multilink and bandwidth allocation protocol, C. IP settings, G. Encryption, & H. IP filters
Which options are found on the settings tab of the network policy components? (Select four.) A. NAS port type B. Multilink and bandwidth allocation protocol C. IP settings D. Idle timeout E. Authentication methods F. Called station ID G. Encryption H. IP filters I. Day and time restrictions
D. Allows users to use specific network services or connect to specific network resources.
With RADIUS, network managers can centrally manage connection authentication, authorization, and accounting (sometimes referred to as AAA) for many types of network access, such as VPN or wireless access points. Which of the following options best describes authorization? A. Maintains records of what has taken place so the administrator can track the use of services. B. Allows you to create pre-configured elements to avoid errors. C. Identifies the user to determine whether network access is allowed. D. Allows users to use specific network services or connect to specific network resources.
A. Web Application Proxy
You are configuring AD FS. Which server should you deploy on your organization's perimeter network to allow users to access web applications? A. Web Application Proxy B. Federation server C. Relying-party server D. Claims provider
C. Configure one of the remote access servers as a RADIUS server and all other servers as RADIUS clients. & F. Configure network access policies on the RADIUS server.
You are in charge of installing a remote access solution for your network. You decide you need a total of four remote access servers to service all remote clients. Because remote clients might connect to any of the four servers, you decide that each remote access server must enforce the exact same policies. You anticipate that the policies will change frequently. What should you do? (Select two. Each choice is a required part of the solution.) A. Configure each remote access server as a domain controller. B. Use Group Policy to configure network access policies in the default Domain Controllers GPO. C. Configure one of the remote access servers as a RADIUS server and all other servers as RADIUS clients. D. Make each remote access server a member of the RemoteServers group. E. Configure the exact same network access policies on each server. F. Configure network access policies on the RADIUS server.
D. Install the Federation Service on Srv1. Install WAP and the claims-aware web agent on Srv3
You are the manager for the westsim.com domain. Your company has just started a collaborative effort with a partner company. Their network has a single domain named eastsim.com. You decide to implement Active Directory Federation Services (AD FS) to allow users in the partner organization to access a Web application running on your network. You have three servers available, Srv1, Srv2, and Srv3. Srv3 is a web server that runs the claims-aware application. You want to use the Federation Service Web Application Proxy service in your design. You want to use the least number of servers possible. What should you do? A. Install the Federation Service on Srv1. Install the WAP on Srv2. Install the claims-aware web agent on Srv3. B. Install the Federation Service, the WAP, and the claims-aware web agent on Srv3. C. Install the Federation Service and WAP on Srv1. Install the claims-aware web agent on Srv3. D. Install the Federation Service on Srv1. Install WAP and the claims-aware web agent on Srv3
C. Create an A record in the corpnet.com zone hosted on the internet.
You are the network administrator for corpnet.com. You have implemented Active Directory Federation Services (AD FS) to enable single sign-on to a web application named WApp1. You need to enable internet users to access WApp1 using AD FS. You install WAP in the perimeter network. You need to enable internet users to contact the federation proxy server. What should you do first? A. Create a CNAME record in the corpnet.com zone hosted on the internet. B. Create an A record in the corpnet.com zone hosted on the corporate network. C. Create an A record in the corpnet.com zone hosted on the internet. D. Create a CNAME record in the corpnet.com zone hosted on the corporate network.
A. Move NPS1 to the internal network and implement a RADIUS proxy in the perimeter network.
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. There is one main office located in Chicago. The main office is protected from the internet by a perimeter network. A server named VPN1 located in the perimeter network provides VPN remote access for external clients. A server named NPS1 has the Network Policy Server (NPS) role installed and provides RADIUS services for VPN1. NPS1 is located in the perimeter network and is configured to use Active Directory for authentication requests. There are three domain controllers on the internal network. A new company policy requires that the firewall between the internal network and the perimeter network be configured to allow traffic only between specific IP addresses. The number of internal servers that can be contacted from the perimeter network must be kept to a minimum. You need to configure remote access to minimize the number of servers on the internal network that can be contacted by servers on the perimeter network. Your solution should not impact the availability of remote access services. What should you do? A. Move NPS1 to the internal network and implement a RADIUS proxy in the perimeter network. B. Configure the firewall between the internal network and the perimeter network to allow traffic between NPS1 and only one of the internal domain controllers. Communication between NPS1 and the other domain controllers should be blocked. C. Configure multiple CNAME records in DNS. D. Configure the firewall between the internal network and the perimeter network to allow only DNS traffic between NPS1 and the internal network.
D. UDP 4789
You have implemented an Azure extended network with a firewall between on-premise and the cloud. Which port do you need to open? A. UDP 4787 B. TCP 4786 C. TCP 4788 D. UDP 4789
E. Configure RA1 through RA10 as RADIUS clients to RA13, F. Configure RADIUS server groups, & G. Configure connection request policies.
You manage the remote access solution for your network. Currently, you have 10 remote access servers named RA1 through RA10. A single RADIUS server named RA11 holds all network access policies for all remote access servers. Due to some recent changes, you decide to add a second RADIUS server, RA12, to your solution. Remote access connections should be directed to either RA11 or RA12 based on the characteristics of the connection. You decide to configure the RA13 server as a RADIUS proxy. Connection requests from RA1 through RA10 will be sent to RA13. All requests will then be forwarded to RA11 or RA12 based on the characteristics of the connection. Which of the following steps are part of your configuration on RA13? (Select three. Each choice is a required part of the solution.) A. Configure the RADIUS servers as RADIUS clients to the RADIUS proxy. B. Configure RADIUS accounting. C. Configure network access policies. D. Configure RA11 and RA12 as RADIUS clients to RA13. E. Configure RA1 through RA10 as RADIUS clients to RA13. F. Configure RADIUS server groups. G. Configure connection request policies.
B. On RA1 and RA2, run Routing and Remote Access. Edit the properties of the server and configure it to use RA3 for authentication.
You manage the remote access solution for your network. Currently, you have two remote access servers, RA1 and RA2, with an additional server, RA3, configured as a RADIUS server. You need to configure RA1 and RA2 to forward authentication requests to RA3. What should you do? A. On RA1 and RA2, run the Network Policy Server. Create a Remote RADIUS server group and identify RA3 as the only member. B. On RA1 and RA2, run Routing and Remote Access. Edit the properties of the server and configure it to use RA3 for authentication. C. On RA1 and RA2, run the Network Policy Server. Add RA3 as a RADIUS server. D. On RA1 and RA2, run the Network Policy Server. Create a network access policy and specify RA3 as the MS-RAS Vendor.
Step 1--Export the internal AD FS server certificate. Step 2--Import AD FS server certificate. Step 3--Configure an SSL certificate on the default IIS website. Step 4--Add an entry for the AD FS server to the hosts file. Step 5--Install the AD FS Proxy role service. Step 6--Configure the AD FS Proxy. Step 7--Configure DNS records.
You need to configure WAP to forward requests to AD FS servers that are not accessible from the internet. Arrange the WAP configuration tasks that you need to complete on the left in the appropriate order on the right. --Configure an SSL certificate on the default IIS website. --Export the internal AD FS server certificate. --Add an entry for the AD FS server to the hosts file. --Import AD FS server certificate. --Configure DNS records. --Install the AD FS Proxy role service. --Configure the AD FS Proxy.
B. Remote access
You often travel away from the office. While traveling, you would like to use a modem on your laptop computer to connect directly to a server in your office to access needed files. You want the connection to be as secure as possible. Which type of connection do you need? A. Intranet B. Remote access C. Virtual private network D. Internet
D. Remote Desktop Gateway applications
You want to make applications available to your company employees without having to install the application on each employee's computer. You can do this by using which of the following? A. Virtual private network (VPN) B. Internet Key Exchange (IKEv2) C. Web Application Proxy (WAP) D. Remote Desktop Gateway applications
D. Configure REM1 and REM2 as REM3's RADIUS clients.
Your company has recently added a traveling sales force. To allow salesmen access to the network while traveling, you install two additional servers. You configure the servers (REM1 and REM2) as remote access servers to accept incoming calls from remote clients. You configure network access policies on each server. The solution is working fine, but you find that you make constant changes to the remote access policies. You install the Network Policy and Access Services role on a third server (REM3). You configure network access policies on REM3. Following the installation, you verify that all clients can connect to REM1 and REM2. Then you delete the custom network access policies on both servers. Now, no clients can make a remote access connection. What should you do? A. Configure each remote access client as REM3's RADIUS client. B. Configure each remote access client to use callback. Configure REM1 and REM2 with the phone number REM3. C. Configure each remote access client to dial REM3 for authentication. D. Configure REM1 and REM2 as REM3's RADIUS clients. E. Configure REM1 and REM2 as RADIUS proxies.
