MCSE Technical Forum

70-350j Latest Question Bank (DEMO)
aliload - 2008-10-6 9:05:00
Certification: Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004
Number of questions: 90
Updated: 2008-09-01
1. You are a network administrator for Litware, Inc. The network contains an ISA Server 2004 computer named  ISA1. ISA1 is configured to allow outbound Internet access only. A listener named DefaultHTTP is configured to listen for requests on port 80 on the external interface. The Internal network contains two Web sites named HR and Sales, which are used by employees. The HR Web site is stored on a Web server named Web1.litwareinc.com. The Sales Web site is stored on a Web server named  Sales1.litwareinc.com. Employees access the Litware, Inc., Web site by using the URL  http://www.litwareinc.com. You must allow employees to access both the HR Web site and the Sales Web site from the Internet. You must ensure that employees can access the HR Web site by using the URL http://www.litwareinc.com/hr. You must also  ensure that employees can access the Sales Web site by using the URL http://www.litwareinc.com/sales.  What should you do?
A. Configure one of the Web servers to listen for HTTP requests on port 8080. Create two server publishing rules. Create one of the rules to respond to requests on port 8080, and configure this rule to forward requests to one  internal Web server. Create the other rule to use the DefaultHTTP listener, and configure this rule to forward to the other internal Web server.
B. Configure one of the Web servers to listen for HTTP requests on port 8080. Create a new listener that uses HTTP on port 8080. Create two Web publishing rules. Configure each rule to forward to a different internal Web server. Configure each rule to use a different listener.
C. Create two server publishing rules. Configure each rule to forward to a different internal Web server. Configure each internal Web server to listen for HTTP requests on an unused port. 
D. Create two Web publishing rules. Configure each rule to forward to a different internal Web server. Configure each rule to use the DefaultHTTP listener.
Answer: D
2. You are a network administrator for your company. You plan to deploy one ISA Server 2004 computer, three routers, and one switch to provide Internet access to client computers on the network. The planned network is shown in the answer area.
You must ensure that client computers can access the Internet as SecureNAT clients after ISA Server is deployed.  You examine several client computers and discover that the default gateway is not configured. You need to configure the correct default gateway for client computers. What should you do? 
To answer, drag the appropriate default gateway IP address or addresses to the correct groups of client computers in the answer area.

Answer:

3. You are a network administrator for your company. The network contains a single ISA Server 2004 computer named ISA1. ISA1 is not yet configured to allow inbound VPN access. You deploy a new application named App1. The server component of App1 is installed on an internal server named Server1. The client component of App1 is installed on employee and partner computers. Employees and partners will establish VPN connections when they use App1 from outside the corporate network.
You identify the following requirements regarding VPN connections to the corporate network.
· Employees must be allowed access to only Server1, three file servers, and an internal Web server named Web1.
· Employees must have installed all current software updates and antivirus software before connecting to any internal resources.
· Partners must be allowed access to only Server1.
· You must not install any software other than the App1 client on any partner computers.
You need to plan the VPN configuration for the company. What should you do?
A. Configure ISA1 to accept incoming VPN connections from partners and employees.  Enable Quarantine Control on ISA1. Configure Quarantine Control to disconnect users after a short period of time. Use access rules to allow access to only the permitted resources.
B. Configure ISA1 to accept incoming VPN connections from partners and employees.  Enable Quarantine Control on ISA1. Exempt partners from Quarantine Control. Use access rules to allow access to only the permitted resources.
C. Configure ISA1 to accept incoming VPN connections from partners and employees.  Enable Quarantine Control on ISA1. Enable RADIUS authentication and user namespace mapping. Configure a Windows Server 2003 Routing and Remote Access server as a RADIUS server. Create a single remote access policy.
D. Add a second ISA Server 2004 computer named ISA2. Configure ISA1 to accept VPN connections from employees. Do not enable Quarantine Control on ISA1. Configure ISA2 to accept VPN connections from partners. Enable Quarantine Control on ISA2. On each server, use access rules to allow access to only the permitted resources.
Answer: B
 
4. You are a network administrator for your company. You plan to implement ISA Server 2004 as a SecureNAT  firewall for client computers on the network. The implementation will consist of a Windows Server 2003 Network  Load Balancing cluster.  External client computers that connect to resources published by ISA Server must be load balanced across the  Network Load Balancing cluster when they connect by using DNS.  You need to plan the external DNS implementation before you deploy ISA Server 2004.  What should you do?
A. Create three service locator (SRV) resource records.  Configure each record to use the _HTTP service and to reference the IP address of one of the internal interfaces  of the Network Load Balancing cluster nodes.
B. Create three host (A) resource records.  Configure each record with the IP address of one of the external interfaces of the Network Load Balancing  cluster nodes.
C. Create one host (A) resource record.  Configure the record with the virtual IP address that is assigned to the external interface of the Network Load  Balancing cluster.
D. Create one host (A) resource record.  Configure the record with the virtual IP address that is assigned to the internal interface of the Network Load  Balancing cluster.
Answer: C

5. You are a network administrator for your company. The company has a main office and three branch offices.  You are planning to deploy ISA Server 2004 in the branch offices to provide users with access to the Internet. The  ISA Server computers will be configured as stand-alone servers. The Firewall Client installation share will be  placed on an existing file server in each branch office.  You install Windows Server 2003 on the computers that will run ISA Server 2004.  You need to configure additional security for the ISA Server computers.  What are three possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose  three.)
A. Grant the Allow log on locally right to only the Administrators group.
B. Disable the external network adapter.
C. Enable the Secure Server (Require Security) IPSec policy.
D. Disable the Server service.
E. Remove all users from the Access this computer from the network right.
Answer: E AND D AND A

6. You are a network administrator for Contoso, Ltd. Client computers on the internal network are divided among  several subnets by using routers.  You install an ISA Server 2004 computer named ISA1. ISA1 will be used to allow users to access Web sites on the  Internet. You configure TCP/IP on ISA1 as shown in the exhibit. (Click the Exhibit button.)

After ISA1 is installed, users report that they cannot access Web sites on the Internet. You need to ensure that users can access Web sites on the Internet. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure the internal default gateway to match the external default gateway.
B. Configure a static route to each subnet.
C. Add the IP address of the internal default gateway to the Remote Management Computers computer set.
D. Configure the internal network adapter with a blank default gateway.
E. Create a network set for each subnet.
Answer: D AND B

7. You are the network administrator for your company. The company has a main office, two branch offices, and  one research office. An ISA Server array is configured for each of these three offices. All arrays are members of  the same ISA Server 2004 enterprise.  A Configuration Storage server is located in the main office. Replica Configuration Storage servers are located in each branch office. Administrators at the main office administer the enterprise settings and the main office array. The administrators at each branch office administer the arrays at their respective branch offices. You need to install a new ISA Server array in the research office. You need to ensure that only research office  administrators can manage access rules that affect client computers in the research office.  What should you do?
A. Configure a replica Configuration Storage server. Assign the research office administrators the ISA Server Array Administrator role.
B. Configure a new array in the existing enterprise. Assign the research office administrators the ISA Server Array  Administrator role.
C. Configure a new array in the existing enterprise. Assign the research office administrators the ISA Server  Enterprise Administrator role.
D. Configure a new Configuration Storage server in the research office. Configure it as a new enterprise. Assign  the research office administrators the ISA Server Enterprise Administrator role.
Answer: D

8. You are a network administrator for your company. The network is configured as shown in the exhibit. (Click  the Exhibit button.)

You are upgrading the Routing and Remote Access servers to ISA Server 2004. You need to configure the Internal  network.  You need to create access rules that are specific for each subnet. Which three IP address ranges should you use? (Each correct answer presents part of the solution. Choose three.)
A. 10.0.25.1 – 10.0.25.255
B. 172.16.1.0 – 172.16.1.255
C. 172.16.2.0 – 172.16.2.255
D. 172.16.10.0 – 172.16.10.255
E. 192.168.1.0 – 192.168.255.255
Answer: B AND C AND D

9. You are a network administrator for your company. You are installing ISA Server 2004 on two computers  named ISA1 and ISA2. The network is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that the implementation plan meets the following requirements:
· All devices that pass outbound traffic must perform network address translation (NAT).
· All Internet-accessible internal resources must be published.
· All traffic between two network interfaces on an ISA Server computer must be subject to inspection.
Which interface or interfaces should be configured as an internal interface? (Choose all that apply.)
A. Adapter A
B. Adapter B
C. Adapter C
D. Adapter D
Answer: B AND D

10. You are the network administrator for your company. The network contains an ISA Server 2004 computer  named ISA1. ISA1 is connected to the Internet. All client computers run Windows XP Professional. All client computers are configured as SecureNAT clients and require access to the Internet. Client computers in the marketing department are located in an organizational unit (OU) named Marketing_Computers. An external partner company hosts a custom marketing application named Webapp. Webapp uses SSL and TCP port 3333. You create a security group named Marketing for the marketing department. You add the users in the marketing department to the Marketing group. You create an access rule to allow TCP port 3333 for only the users in the  marketing department. Members of the Marketing group report that they cannot connect to Webapp. You need to ensure that only users in the marketing department can connect to Webapp. What should you do?
A. Enable the Firewall Client installation configuration group on ISA1. Add the marketing client computers to the  list of trusted computers.
B. Use Group Policy to assign the MS_FWC.msi file to the client computers in the Marketing group.
C. Enable Web Proxy client support on the Local Host network. Enable SSL listening on port 8443.
D. Configure the Internal network on ISA1 to require authentication for all users. Enable SSL certificate  authentication on the Internal network.
Answer: B

11. You are the administrator of an ISA Server 2000 computer named ISA1. You use the ISA Server 2004  Migration Tool to perform an in-place upgrade on ISA1. You install the Firewall Client installation component on  ISA1.  Client computers in the sales department run Windows NT Workstation 4.0 with Internet Explorer 5.0 and the  Microsoft Proxy 2.0 Winsock Proxy client installed. All other client computers run Windows XP Professional. The  ISA Server 2000 Firewall Client was installed on the Windows XP Professional computers by using Group Policy.  You discover that all client computer requests to ISA1 are being sent unencrypted.  You need to configure all client computers to communicate to ISA1 by using encryption.  Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Uninstall the Winsock Proxy client from the client computers in the sales department.  Run Setup.exe to install the ISA Server 2004 Firewall Client.
B. Uninstall the Winsock Proxy client from the client computers in the sales department. Enable the Allow non-encrypted Firewall client connections setting on the Internal network.
C. Uninstall the Winsock Proxy client from the client computers in the sales department. Enable the Require all users to authenticate setting. Configure SSL certificate authentication for all Firewall clients on the Internal network.
D. Upgrade the Firewall Client for ISA Server 2000 software on the Windows XP Professional client computers.  Configure the Windows XP Professional computers as Web Proxy clients.
E. Upgrade the Windows XP Professional client computers by assigning the ISA Server 2004 Firewall Client.  Configure the software installation package to remove older versions of the software.
Answer: A AND E

12. You are the network administrator for your company. The network contains an ISA Server 2004 computer named ISA1. The relevant portion of the network is configured as shown in the exhibit. (Click the Exhibit button.)
You configure ISA1 by using the Edge Firewall network template. You create access rules to allow Internet access for users on the network. Users on the network report that they cannot access the Internet. You need to configure the client computers on the network to allow Internet access. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure client computers in BuildingA with a default gateway IP address of 172.16.100.1.
B. Configure client computers in BuildingB with a default gateway IP address of 172.16.50.1.
C. Configure client computers in BuildingA with a default gateway IP address of 10.10.10.1.
D. Configure client computers in BuildingB with a default gateway IP address of 172.16.100.1.
E. Configure client computers in BuildingA with a default gateway IP address of 172.16.30.1.
F. Configure client computers in BuildingB with a default gateway IP address of 10.10.10.1.
Answer: B AND E

13. You are the network administrator for your company. The network consists of a single Active Directory domain. The network contains an ISA Server 2004 computer named ISA1. Client computers on the network consist of Windows 98 computers, Windows XP Professional computers, UNIX workstations, and Macintosh portable computers. You configure ISA1 by using the Edge Firewall network template. You manually configure ISA1 with access rules to allow HTTP and HTTPS access to the Internet. You configure ISA1 to require all users to authenticate. You need to provide Internet access for all client computers on the network while preventing unauthorized non-company users from accessing the Internet through ISA1. You also want to reduce the amount of  administrative effort needed when you configure the client computers. What should you do?
A. Configure all client computers as Web Proxy clients. Configure Basic authentication on the Internal network.
B. Configure all client computers as Web Proxy clients. Configure Basic authentication on the Local Host  network.
C. Configure all client computers as SecureNAT clients. Configure Basic authentication on the Internal network.
D. Configure the Windows-based computers as Firewall clients. Configure the non-Windows-based computers as  Web Proxy clients. Configure Basic authentication on the Local Host network.
Answer: A
14. You are the network administrator for your company. The network consists of a single Active Directory domain. All client computers run either Windows 2000 Professional or Windows XP Professional. All client computers are members of the domain. Users on the network use an IP-based client/server application on a server named Server1 to record company data. To increase network security, you install ISA Server 2004 on a computer named ISA1. ISA1 connects to the  Internet. You configure automatic discovery on the network. You configure client computers as SecureNAT clients. You verify that client computers can use the application on Server1. You then distribute the Firewall Client software to all client computers by using Group Policy. Users now report that they cannot use the application on Server1. You need to configure client computers on the network to allow the application on Server1 to function properly. Your solution must not affect other applications. What should you do?
A. Configure a Wspcfg.ini file.
B. Configure an Application.ini file.
C. Configure the Management.ini file.
D. Configure the Common.ini file.
Answer: B

15. You are the network administrator for Lucerne Publishing. The company has a main office and one branch office. The network contains two ISA Server 2004 computers named ISA1 and ISA2. The relevant portion of the network is configured as shown in the exhibit. (Click the Exhibit button.)

ISA1 is located at the main office. ISA2 is located at the branch office and connects to the main office by using a dedicated WAN connection. You configure ISA2 to forward Web requests to ISA1. All client computers are configured to use an internal DNS server in each office. All client computers are configured as SecureNAT clients. While monitoring ISA2, you discover that Web requests from client computers in the branch office for servers located in the branch office are being resolved by ISA2. You need to configure the client computers in the branch office to directly access servers in the branch office. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the client computers as Web Proxy clients of ISA2. Configure the list of domain names available on the Internal network on ISA1 to include the  *.lucernepublishing.com domain.
B. Configure the client computers as Web Proxy clients of ISA2.  Configure the Web browser to include the *.branch.lucernepublishing.com domain.
C. Configure the client computers as Firewall clients. Configure the list of domain names available on the Internal network on ISA2 to include the *.branch.lucernepublishing.com domain.
D. Configure the client computers as Firewall clients. Configure the list of domain names available on the Internal network on ISA1 to include the *.branch.lucernepublishing.com domain.
Answer: B AND C

16. You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory domain  named contoso.com. The relevant portion of the network is configured as shown in the exhibit. (Click the Exhibit  button.)

An ISA Server 2004 computer named ISA1 is configured with the 3-Leg Perimeter network template. All client computers are configured as Firewall clients and Web Proxy clients. Client computers are configured to use a DNS server named DNS1. DNS1 is configured to forward requests to an ISP’s DNS server. An application server named App1 runs a Web-based application. Users on the network report that access to App1 is very slow. You monitor ISA1 and discover that client computer requests for App1 are being passed through ISA1. You need to configure ISA1 to allow faster access to App1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create an access rule for DNS client protocol.
B. Enable IP routing between the perimeter network and the Internal network.
C. In the properties of the Internal network on ISA1, enable the Directly access computers specified in the  Domains tab option.
D. Add contoso.com to the list of domain names available on the Internal network on ISA1.
E. Add app1.contoso.com to the system policy DNS configuration group.
Answer: C AND D

17. You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory domain named contoso.com. The network contains an ISA Server 2000 computer named ISA1. All client computers have the ISA Server 2000 Firewall Client software installed. Client computers are configured to use an internal DNS server. Two Windows Server 2003 computers named App1 and App2 run a Web-based application that is used to process company data. You configure ISA1 with protocol rules to allow HTTP, HTTPS, RDP, POP3, and SMTP access. The list of domain names available on the Internal network on ISA1 contains the following entries:
· *.south.contoso.com
· *.north.contoso.com
· *.east.contoso.com
· *.west.contoso.com
You perform an in-place upgrade of ISA1 by using the ISA Server 2004 Migration Tool. When you use Network Monitor on ISA1, you discover that client requests for App1 and App2 are being passed through ISA1. You need to provide a solution that will allow clients to directly access company data on App1 and App2. What should you do?
A. Create and configure HTTP, HTTPS, RDP, POP3, and SMTP access rules on ISA1.
B. Configure an Application.ini file on the client computers.
C. Redeploy the ISA Server 2004 Firewall Client software by distributing it to the client computers by using  Group Policy.
D. Add app1.contoso.com and app2.contoso.com to the list of domain names available on the Internal network on ISA1.
Answer: D

18. You are the network administrator for your company. The network contains a single ISA Server 2004 computer,  which is named ISA1. ISA1 provides access to the Internet for computers on the Internal network, which consists  of a single subnet.  The company’s written security policy states that the ISA Server logs must record the user name for all outbound  Internet access. All client computers are configured with the Firewall client and the Web Proxy client and are not  configured with a default gateway.  Users in the marketing department require access to an external POP3 and SMTP mail server so that they can use  an alternate e-mail address when they sign up for subscriptions on competitors’ Web sites. You create and apply an  ISA Server access rule as shown in the following display. 
The marketing department users configure Microsoft Outlook to connect to the external mail server. They report  that they receive error messages when they attempt to read or send e-mail from the external mail server. You examine the ISA1 logs and discover that ISA1 denies POP3 and SMTP connections from the client computers. You need to ensure that the marketing department users can connect to the external mail server. What should you do?
A. Configure the marketing computers with the IP address of a DNS server that can resolve external names to IP addresses.
B. Configure the marketing computers with a default gateway address that corresponds to the IP address of ISA1 on the Internal network.
C. On ISA1, enable Outlook in the Firewall client settings.
D. On ISA1, create a computer set that contains the marketing computers.
Answer: C

19. You are the network administrator for your company. The network contains a single ISA Server 2004 computer named ISA1. All Internet access for the local network occurs through ISA1. The network contains a Web server named Server1. Server1 is configured as a SecureNAT client. A Web application runs on Server1 that communicates with an external Web site named www.contoso.com. You configure ISA1 with two access rules for outbound HTTP access. The rules are named HTTP Access 1 and HTTP Access 2.  HTTP Access 1 is configured to use the All Authenticated Users user set as a condition. HTTP Access 2 is configured to use the All Users user set as a condition, and it restricts outbound HTTP traffic to the IP address of Server1. You verify that users can access external Web sites. However, you discover that the Web application cannot access  www.contoso.com. You need to allow the Web application to use anonymous credentials when it communicates with www.contoso.com. You also need to require authentication on ISA1 for all users when they access all external Web sites. What should you do?
A. On Server1, configure Web Proxy clients to bypass the proxy server for the IP address of the server that hosts www.contoso.com.
B. On ISA1, add the fully qualified domain name (FQDN) www.contoso.com to the list of domain names available on the Internal network.
C. On ISA1, disable the Web Proxy filter for the HTTP protocol.
D. Modify the order of the access rules so that HTTP Access 2 is processed before HTTP Access 1.
Answer: D

20. You are a network administrator for your company. The network contains an ISA Server 2004 computer named ISA1. ISA1 is configured to allow users in the sales department access to resources on the Internet. Users in the marketing department also want access to resources on the Internet. You add a new network and  computers for the marketing department. You install the Firewall Client and configure the Web Proxy client on all  computers in the new network. The company’s network is configured as shown in the exhibit. (Click the Exhibit button.)
Users in the marketing department report that they cannot access resources on the Internet. You verify that users in the sales department and the internal servers can still access resources on the Internet. You need to ensure that users in the marketing department can access resources on the Internet. What should you do?
A. Configure the marketing computers to use 192.168.0.1 as the default gateway.
B. On ISA1, add a static route for the 192.168.2.1 network.
C. On ISA1, add a network object for the marketing department.
D. Configure the DNS settings of the marketing computers to use a DNS server that can resolve Internet names.
Answer: B

21. You are the network administrator for Contoso, Ltd. The network contains an ISA Server 2004 computer  named ISA1, which controls access between three segments on the network. The network is configured as shown  in the exhibit. (Click the Exhibit button.)
A network address translation (NAT) relationship exists from the Internal network to the perimeter network. A Windows Server 2003 computer named DNS1 functions as a DNS server. Web Proxy clients can access Web sites on the Internet. However, when SecureNAT clients try to access hosts on the Internet, they receive the following error message: “Cannot find server or DNS error.” You need to ensure that SecureNAT clients can perform DNS name resolution correctly for hosts on the Internet. You also need to ensure that DNS name resolution is optimized for Active Directory. First, from a SecureNAT client, you run the nslookup command and set the default server to 172.16.0.11. From the Nslookup console, you are able to query name server (NS) resource records on the Internet. What should you do next?
A. On ISA1, replace the DNS server publishing rule with an equivalent access rule.
B. On ISA1, change the NAT relationship between the perimeter network and the Internal network to a route  relationship.
C. On AD1, delete the .(root) zone and then disable recursion.
D. On DNS1, remove the forwarding configuration and add a .(root) zone.
Answer: C

22. You are the network administrator for your company. The network contains two ISA Server 2004 computers  named ISA1 and ISA2. The company has a main office and one branch office. The main office connects to the branch office over a dedicated 56-Kbps frame relay WAN link. A client computer named Client2 in the branch office connects to the  main office through ISA2. Two computers in each office are configured as shown in the following table.
Users of Client1 and Client2 report that they cannot connect to the Internet. Client2 can connect to the main office network. You want to maintain a high level of security on the external network adapter on ISA1 and on ISA2. You need to verify connectivity to ISA1 from either Client1 or Client2. What should you do?
A. Configure Client1 with the default gateway IP address of the internal network adapter of ISA1. Issue the ping command to 192.168.100.1 from Client1.
B. Configure Client2 with the default gateway IP address of the internal network adapter of ISA2.  Issue the tracert command to 172.16.1.1 from Client2.
C. Edit the Diagnostic Services ICMP configuration group on ISA1 by adding the main office network as a  destination network. Issue the pathping command to 192.168.100.1 from Client1.
D. Edit the Remote Management ICMP (PING) configuration group on ISA1 by adding Client1 to the Remote  Management Computers computer set. Issue the ping command to 192.168.100.1 from Client1.
Answer: D

23. You are the network administrator for your company. The network contains two ISA Server 2004 computers named ISA1 and ISA2. The company has a main office and one branch office. ISA1 is located in the main office and connects to the Internet. ISA2 is located in the branch office and connects to the main office over a dedicated WAN link. All client computers run Windows XP Professional. All client computers can update virus definitions from the virus update Web site. ISA2 can connect to the virus update Web site and the Windows Update Web site. You discover that ISA1 cannot connect to the virus update Web site or the Windows Update Web site. The firewall policy on ISA1 is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that ISA1 can connect to the virus update Web site and the Windows Update Web site. What should you do?
A. Enable the HTTP connectivity verifiers configuration group. On ISA1, create a network set that has the IP addresses of both the virus update Web site and the Windows  Update Web site.
B. Enable the Allowed sites configuration group. On ISA1, add the URL of the virus update Web site to the System Policy Allowed Sites domain name set.
C. Create a new URL set named VirusUpdates that includes the URLs for the virus update Web site and the Windows Update Web site. On ISA2, create a new HTTP access rule that includes the VirusUpdates URL set.
D. Create a new domain name set named VirusUpdates that includes the URLs for the virus update Web site and the Windows Update Web site. On ISA1, create a new HTTP access rule from the Internal network to the VirusUpdates domain name set.
Answer: B

24. You are the network administrator for Contoso, Ltd. The relevant portion of the network is configured as shown in the Network exhibit. (Click the Exhibit button.)
The company has a main office and one branch office. An ISA Server 2004 computer named ISA2 connects to a Routing and Remote Access server named RRAS1. You create a mailbox for the securityadmin user account on a Microsoft Exchange Server computer named EXCH2. You view the firewall policy on ISA2 as shown in the Firewall Policy exhibit. (Click the Exhibit button.)
You configure the dial-on-demand failure alert on ISA2 to send an e-mail alert to the securityadmin@contoso.com SMTP alias. EXCH2 is listed as the mail server on the dial-on-demand failure alert. You confirm that the alert is issued, but the e-mail for the alert is not received. You need to configure ISA2 to ensure that the e-mail alert is received.  What should you do?
A. Enable the RPC from ISA Server to trusted servers system policy rule.
B. Enable the Allow SMTP from ISA Server to trusted servers system policy rule.
C. On ISA2, configure an access rule to allow POP3 from the Local Host network to EXCH2.
D. On ISA2, configure a server publishing rule to EXCH2 for Exchange RPC.
Answer: B

25. You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory domain named contoso.com. The network contains a Windows Server 2003 domain controller named DC1 and a Windows Server 2003 RADIUS server named RADIUS1. Both DC1 and RADIUS1 are members of the contoso.com domain. The relevant portion of the network is configured as shown in the Network exhibit. (Click the Exhibit button.)
You configure an ISA Server 2004 computer named ISA1-VPN to meet the following requirements:
· Allow external VPN connections.
· Allow Internet VPN server access for internal VPN clients.
· Allow only RADIUS authentication for VPN connections.
The system policy on ISA1-VPN is configured as shown in the System Policy exhibit. (Click the Exhibit button.)
A client computer named Client1 can connect to VPN servers on the Internet. However, external VPN client computers cannot be authenticated when they try to connect to ISA1-VPN. You need to ensure that external VPN client computers can create VPN connections to ISA1-VPN. What should you do?
A. Create a new server publishing rule by using RADIUS1.contoso.com. Configure the new publishing rule to use L2TP Server as the protocol. Configure the publishing rule to use the External network as the listener.
B. Create a new server publishing rule by using RADIUS1.contoso.com. Configure the new publishing rule to use PPTP Server as the protocol. Configure the publishing rule to use the Internal network as the listener.
C. Edit the Allow access to directory services for authentication purposes system policy rule by replacing the computer element DC1.contoso.com with RADIUS1.contoso.com.
D. Edit the Allow RADIUS authentication from ISA Server to trusted RADIUS servers system policy rule by replacing the computer element DC1.contoso.com with RADIUS1.contoso.com.
Answer: D

26. You are the network administrator for your company. The network contains an ISA Server 2004 computer named ISA1. You deploy an internal certification authority (CA). You deploy client certificates to users. You configure client certificate mapping for internal network users. All client computers are configured as Web Proxy clients. You configure the Internal network to allow only certificate-based authentication for Web Proxy clients. You revoke a user’s certificate. After one week, you discover that ISA1 is still authenticating Web requests for that user. You need to configure ISA1 to deny Internet access to the user. What should you do on ISA1?
A. Add the All Networks (and Local Host) network set as a destination for the Allow access to directory services for authentication purposes system policy rule.
B. Create a new content type set. Select the application/pkix-crl and application/x-x509-ca-cert MIME types as the content types to allow.
C. Enable the Verify that incoming server certificates are not revoked in reverse scenario certificate validation setting on ISA1, and enable the related system policy rule.
D. Enable the Verify that incoming client certificates are not revoked certificate validation setting on ISA1, and enable the related system policy rule.
Answer: D

27. You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory domain named contoso.com. The network contains an ISA Server array. The array contains two ISA Server 2004 computers named ISA1 and ISA2. ISA1 and ISA2 connect to the Internet. All client computers on the network are configured as Web Proxy clients. The firewall policy on the ISA Server array is configured as shown in the exhibit. (Click the Exhibit button.)
Users report that when they access www.contoso.com Web pages, the network is very slow. You discover that the content download jobs to www.contoso.com have failed. You need to configure the array to allow users on the network to access www.contoso.com Web pages more quickly. What should you do?
A. Enable the Allow HTTP/HTTPS requests from ISA Server to selected servers for connectivity verifiers system policy rule.
B. Enable the Allow HTTP from ISA Server to selected computers for Content Download Jobs system policy rule.
C. Enable a new HTTP access rule that includes the Internal network. Configure the rule to use port 8080.
D. Enable Cache Array Routing Protocol (CARP) on the Local Host network.
Answer: B

28. You are the network administrator for your company. The network contains an ISA Server 2000 computer named ISA1. ISA1 connects to the Internet. ISA1 is configured with access rules to allow Internet access for all users. All client computers are configured as Web Proxy clients of ISA1. You are deploying a new ISA Server 2004 computer named ISA2 for use by the research department. You run the ISA Server 2004 Migration Tool on ISA1. You save the resulting configuration to a file named Backupconfig.xml. You install ISA Server 2004 on ISA2, and you import Backupconfig.xml on ISA2. On ISA2, you configure the Internal network with a valid IP address range for the research department client computers. You configure a Web chaining rule on ISA2 to redirect Web requests to ISA1. You configure client computers in the research department as Web Proxy clients of ISA2. Users of the research department client computers report that they cannot connect to the Internet. You need to ensure that users of client computers in the research department can connect to the Internet. What should you do?
A. Change the external IP address on ISA2 to a valid IP address for the external network.
B. On ISA2, save its configuration as ISAbackup.xml. Restart the Microsoft Firewall service on ISA2. Then import the configuration.
C. Configure the research department client computers as Firewall clients of ISA2. Enable automatic discovery on ISA2.
D. Perform an ISA Server 2004 in-place upgrade on ISA1. On ISA2, configure access rules to allow Internet access for the research department users.
Answer: A

29. You are the network administrator for your company. The network contains an ISA Server 2004 computer named ISA1. ISA1 connects to the Internet. ISA1 is configured with access rules for Internet access. A Windows Server 2003 computer named CERT1 is configured as an internal certification authority (CA). ISA1 can download the certificate revocation list (CRL) from CERT1. You are deploying 10 new ISA Server 2004 computers on the network. On ISA1 you export the firewall policy settings into a file named ISA1export.xml. You configure the network configuration settings on each new ISA Server computer. You import the firewall policy settings from the ISA1export.xml file on each new ISA Server computer. You test the imported configuration on each of the new ISA Server computers. You discover that each new ISA Server computer cannot download the CRL from CERT1. You need to ensure that the new ISA Server computers can download the CRL. What should you do?
A. Edit the ISA1export.xml file by adding the following lines:
StorageType=Allow HTTP from ISA Server to all networks (for CRL downloads)
String=0
Enabled=1
Import the ISA1export.xml file on each new ISA Server computer.
B. Export the system policy rules on ISA1 by using the Export System Policy task. Import the system policy rules on each new ISA Server computer.
C. Export the array configuration settings on ISA1 to an .xml file. Import the .xml file on the new ISA Server computers.
D. Create a destination set for the new ISA Server 2004 computers. Add this destination set to the destination list on the Allow all HTTP traffic from ISA Server to all networks (for CRL downloads) system policy rule.
Answer: B

30. You are the network administrator for your company. The company has a main office and three branch offices. The network contains an ISA Server 2004 computer named ISA1, which is located at the main office. You plan to deploy new ISA Server 2004 computers for the branch offices. You name one of the new computers ISA2. You perform the following tasks:
· Export the ISA Server 2004 configuration on ISA1 to a file named ISASETUPCONFIG.XML.
· Edit the ISASETUPCONFIG.XML file to include a valid external IP address.
· Create a file named C:\Msisaund.ini on ISA2.
You install ISA Server 2004 on ISA2 by using an unattended installation. When the installation is finished, you discover that the ISA Server 2004 configuration settings from ISA1 are not copied to ISA2. You need to deploy the ISA Server 2004 computers in the branch offices with the configuration settings from ISA1. You want to accomplish this goal by using the minimum amount of administrative effort. What should you do?
A. Export the system policy rules on ISA1 to another file named ISA1SystemPolicy.xml. Add the following lines to the C:\Msisaund.ini file on ISA2:
IMPORTISACONFIG=1
IMPORT_CONFIG=ISASETUPCONFIG.XML
IMPORT_CONFIG=ISA1SystemPolicy.xml
Run an unattended setup by using this Msisaund.ini file on each new ISA Server 2004 computer.
B. Back up the array configuration on ISA1. Save the file as C:\Msisaunattended.xml. Run the following command from the ISA Server 2004 installation media: setup.exe /unattended:ISASETUPCONFIG.XML C:\Msisaund.ini
C. Create an individual ISASETUPCONFIG.XML file for each branch office ISA Server 2004 computer. Edit each ISASETUPCONFIG.XML file to include the internal network addresses for the respective branch office. Edit the Msisaund.ini file from ISA2 by adding the following line:
IMPORT_CONFIG_FILE=ISASETUPCONFIG.XML
Run an unattended setup by using the Msisaund.ini file from ISA2 on each new ISA Server 2004 computer.
D. Create a file named Msisaunattend.txt. Include the following lines:
UNATTENDED=1
EXPORT_ISACONFIG=0
IMPORT_ISACONFIG=1
FILEPATH=ISASETUPCONFIG.XML
Run an unattended setup by using this Msisaunattend.txt file on each new ISA Server 2004 computer.
Answer: C