Chapter 5 PQ's
You are the network administrator for a small company using Windows Server 2016 and Windows 10 clients. A few of the company's employees want to work from home occasionally . You have decided to provide access using a VPN. What should you do?
Configure a remote access VPN. With a remote-access VPN, a server on the edge of a network (called a VPN concentrator) is configured to accept VPN connections from individual hosts in a client-to-site configuration. Hosts that are allowed to connect using the VPN connection are granted access to resources on the VPN server or the private network.
5.2.6 You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. westsim.com has a number of product specialists who travel to remote areas. The product specialists complain that their internet connections frequently fail, forcing them to reconnect to the company's VPN server. The server and the clients use the L2TP with IPSec VPN protocol. You need to improve VPN performance by allowing the clients to automatically reconnect to the company VPN if the client's internet connection should fail. What should you do?
Configure the VPN connection to use the Internet Key Exchange version 2 (IKEv2) VPN protocol.
5.2.6 You are the network administrator for you company. The network consists of a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. You company has a number of product specialists who travel to remote areas. The product specialists complain that their internet connections frequently fail, forcing them to reconnect to the company VPN server. The server and the clients use the L2TP with IPSec VPN protocol. You need to improve VPN performance by allowing the clients to automatically reconnect to the company VPN if the clients' internet connection should fail. What should you do?
Configure the VPN connection to use the Internet Key Exchange version 2 (IKEv2) VPN protocol.
5.4.4 You are a network administrator for your company. All servers are running Windows Server 2016. Most of the workstations are running Windows 10, 64-bit, however a few computers had to be installed as Windows 10 32-bit machines. You want to create a connection profile using the Connection Manager Administration Kit (CMAK) wizard. To create a connection profile that will work on the 32-bit system, what must you do?
Download, install, and run Remote Server Administration Tools for Windows 10 and run it from a 32-bit machine.
5.1.14 You are the network administrator for your company. Your company has 325 Windows 10 clients. Each of these needs access to the internet. External hosts should not be able to connect to these client computers or to any other servers in your network. Your company has already purchase a public IP address and does not want to purchase any additional public IP addresses.You have decided that implementing NAT on your Windows 2016 server is the best solution. Which of the following types of NAT implementation would best work for this situation?
Dynamic NAT Dynamic NAT automatically maps internal IP addresses with a dynamic port assignment. Thus allowing your 325 clients access to the internet through the one public IP address available. On the NAT device, the internal device is identified by the public IP address and the dynamic port number. Dynamic NAT allows internal (private) hosts to contact external (public) hosts, but not vice versa. External hosts cannot initiate communications with internal hosts. This implementation is also sometimes called many-to-one NAT because many internal private IP address are mapped to one public IP address on the NAT router.
5.1.14 Your company has established a branch office in a nearby town, which also has a small network. The remote office has two servers running Windows Server 2016. You've been instructed to interconnect the two offices. You install the Routing and Remote Access service on one of the Windows Server 2016 computers in your local office and on one of the Windows Server 2016 computers in the remote office. You can successfully ping between the two devices. However, you cannot connect to resources on the other side of the remote access server. What should you do? (Select two. Each answer is required for a working solution.)
Enable LAN routing on both access servers. Configure a static route on each remote access server to the other network.
5.1.14 You want to allow users to connect to the private network. Users will connect to the internet while on the road, then connect to the private network. All users will use laptops that run Windows 10. You configure a Windows Server 2016 server as a router. During a random check one day, you notice that some connections are using PPTP while others are using L2TP. You want to force all connections to use L2TP. What should you do?
In Routing and Remote Access, edit the Ports node. Disable remote access and demand-dial routing connections for PPTP.
5.1.14 To allow users in your company to work from home, you have decided to provide remote access. Users will connect to the remote access server over the internet. This will allow them to access all resources on the company network. You install Windows Server 2016 on a new server and configure it for remote access. You configure the network policies to allow connections between 7:00 a.m. and 8:00 p.m. The next day, you get a call from one of the users reporting that she can connect to the remote access server, but can't access any resources on the company network. You ask her to ping a server on the private network using its IP address, but the ping fails. However, from the remote access server, you can access all resources on the private network. What should you do?
In Routing and Remote Access, enable LAN routing on the server. Explanation To correct the problem, enable LAN routing on the remote access server. Without LAN routing enabled, remote access users will only be able to connect to resources on the remote access server.
5.2.6 VPN tunneling protocols encrypts packet contents and wraps them in an unencrypted packets. Which of the following networking devices or services prevents (in most cases) the use of IPsec as a VPN tunneling protocol?
NAT Explanation IPsec cannot typically be used when static IP addresses are not used by both communication partners. NAT proxy performs network address translation on all communications. For this reason, the IP address seen for a system outside of the proxied network is not the real IP address of that system. This prevents the use of IPsec.
5.1.14 You are configuring routing on a Windows Server 2016 system. The server has two network interfaces installed. Each one is connected to a different network segment. You have installed and enabled the Routing and Remote Access role on the server. Rather than manually configure static routes on the server, you want to configure it to communicate with other routers already in the network to dynamically build its routing table. Click on the routing protocol you would use to do this.
RIP A dynamic routing protocol allows routers to exchange routes with one another. Windows Server 2016 supports the RIP 2 dynamic routing protocol. At startup, the router advertises itself and information about its directly connected networks and requests other routers to respond. To configure RIP, add the RIP protocol, then identify interfaces that will participate in RIP.
5.3.7 You have been put in charge of providing a VPN solution for all members of the sales team. Laptops used by sales team members run Windows 10. All remote access servers run Windows Server 2016. You decide to implement SSTP for the VPN solution. Your company security policy mandates that only necessary firewall ports be opened. What should you do?
SSTP uses SSL, which uses port 443.
5.3.7 You are the network administrator for a growing company based in Texas. Due to rapid growth, your company has acquired two additional companies, one in Idaho and one in Minnesota. All servers in these three sites are running Windows Server 2106. All clients in these three sites are running Windows 10. The company president has asked you to provide a private persistent connection between all sites making the computer resources from each location available to employees at the other locations. You have decided to provide the required connections using VPN. Which type of VPN would best meet the specified requirements?
Site-to-site Explanation With a site-to-site VPN, routers on the edge of each site establish a private VPN with the routers at the other locations. Data from hosts within the site is encrypted before being sent to the other site. With this configuration, individual hosts are unaware of the VPN.
5.1.14 You are the network administrator for a small company that implements NAT to access the internet. However, you recently acquired five servers that must be accessible from outside your network. Your ISP has provided you with five additional registered IP addresses to support these new servers but you don't want the public to access these servers directly. You want to place these servers behind your firewall on the inside network yet still allow them to be accessible to the public from the outside. Which method of NAT translation should you implement for these five servers?
Static Static translation consistently maps an unregistered IP address to the same registered IP address on a one-to-one basis. Static NAT is particularly useful when a device needs to be assigned the same address so it can be accessed from outside the network, such as web servers and other similar devices.
5.1.14 You have a small network at home that is connected to the internet. On this network, you have a server with the IP address of 192.168.55.199/16. You have a single public address that is shared by all hosts on your private network. You want to configure the server as a web server and allow internet hosts to contact the server to browse a personal website. What should you use to allow access?
Static NAT Static NAT maps an internal IP address to a static port assignment. Static NAT is typically used to take a server on the private network (such as a web server) and make it available on the internet. External hosts contact the internal server using the public IP address and the static port. Using a static mapping allows external hosts to contact internal hosts.
5.2.6 You are a network administrator for a small company. All servers are running Windows Server 2016. All clients are running Windows 10. Your company has just opened a branch office in a different part of the country. To provide access to network resources between sites, you have determined that a Windows Server 2106 site-to-site VPN using a Remote Access Services (RAS) gateway would work best for your needs. Before creating the site-to-site VPN, what must you install first? (Select two.)
The DirectAccess and VPN (RAS) role service. The Remote Access role
5.1.14 Which of the following are good reasons to enable NAT?
To translate between internet IP addresses and the IP addresses on your private network. NAT translates the internet IP addresses and the IP addresses on your private network. This allows for multiple computers to share the single IP address used on the Internet.
5.3.7 Match the type of VPN with its description.
Two hosts establish a secure channel and communicate directly. Host-to-host Routers on the edge of each site establish a VPN with the router at the other location. Site-to-site Allows individual users to establish secure connections with a remote computer network. Remote access
5.3.7 You have been put in charge of providing a VPN solution for all members of the sales team. Sales team members have been issued new laptop computers running Windows 10. All remote access servers run Windows Server 2016. The salesmen have been complaining that with the previous VPN solution, there were many times that they were unable to establish the VPN solution because the hotel or airport firewalls blocked the necessary VPN ports. You need to come up with a solution that will work in most instances. Which VPN method should you choose?
Use Secure Socket Tunneling Protocol (SSTP) for the VPN protocol. SSTP uses SSL, which uses port 443. Because SSL is used by many web sites for secure transactions, this port is already opened in most firewalls.
5.4.4 You have recently set up a VPN server to allow your traveling salesmen access to the corporate resources while they are out of the office. You need to configure a new VPN connection on the 50 laptops used by the sales team members. You need to configure the VPN connection to only use Point-to-Point Tunneling (PPTP) with the maximum strength encryption. You want to do this with the least amount of effort as possible. What should you do?
Use the Connection Manager Administration Kit (CMAK) to create a profile. Save the profile to a network share. Have each sales team member run the installation file.
You are the network administrator for your company. Your network consists of a single Active Directory domain with all the servers running Windows Server 2016 and all client computers are running Windows 10. Your company has one main office and several branch offices.There are 200 product specialists on staff who work remotely and connect to the corporate network using a VPN connection to a Routing and Remote Access (RRAS) server located at the main office. The VPN connection uses the L2TP protocol with IPSec for security.A routine audit of help desk tickets reveals that almost 5% of the tickets logged with the help desk relate to incorrect VPN settings on the laptops being used by the product specialists. You need to streamline the creation of VPN connections to reduce the number of configuration errors on the clients. What should you do?
You should use the Connection Manager Administration Kit (CMAK) to create a service profile that will connect the Product Specialists to the company VPN.
