Question 5) Internet Security and Acceleration


Single Answer Multiple Choice

You are the network administrator of your company. The network contains an ISA Server 2004 computer named ISA1. ISA1 is configured as an Edge Firewall.

You add another ISA Server 2004 computer named ISA2 on the network. You configure ISA2 as a Point-to-Point Tunneling Protocol (PPTP)-based VPN server on the internal network.

You are required to enable remote VPN clients to connect to the VPN server that is installed on ISA2 to access the internal resources. Which activity should you undertake?

A. Configure path mapping on ISA1 to forward all VPN requests to ISA2.
B. Configure link translation on ISA2 to translate all VPN links to ISA1.
C. Publish the VPN server ISA2 on ISA1 by using a PPTP server publishing rule.
D. Configure ISA1 and ISA2 to use IPSec tunnel mode. Publish VPN server ISA2 by using a server publishing rule.

Answer:
C. Publish the VPN server ISA2 on ISA1 by using a PPTP server publishing rule.

Tutorial:
You should publish the VPN server ISA2 on ISA1 by using a PPTP server publishing rule. Server publishing rules are configured to grant access to internal resources by using protocols other than HTTP and HTTPS. When you create a server publishing rule, you configure the ISA Server to listen for client requests on a particular port number. When the ISA Server receives a request for that port on its external interface, it checks the server publishing rule to determine the internal server that provides the requested service and forwards the request to that server. The internal server responds to the client request by forwarding the response to ISA Server. The ISA Server then forwards the response to the client.

You can use ISA Server 2004 to publish VPN servers on the internal network to enable remote VPN clients to access the internal resources through the internal VPN server. You can use either PPTP or Layer Two Tunneling Protocol over Internet Protocol Security (L2TP over IPSec) to publish a VPN server. To publish a VPN server running PPTP, you are required to configure a server publishing rule that allows a PPTP connection from the Internet to the VPN server.

PPTP is not as secure as L2TP over IPSec because L2TP uses digital certificates and pre-shared keys for authentication. If you want to publish the VPN server by using the most secure method, you should create an L2TP server publishing rule on the ISA Server that is connected to the Internet and configure VPN connections on the VPN server to use Extensible Authentication Protocol (EAP) authentication. EAP is the most secure remote authentication protocol. EAP uses digital certificates on both the client and the server to provide mutual authentication, data integrity, and data confidentiality. It negotiates encryption algorithms and secures the exchange of session keys. In this situation, we are directed to create a PPTP VPN server, so we require a PPTP server publishing rule.

You should not configure path mapping on ISA1 to forward all the VPN requests to ISA2. Path mapping redirects client requests from the ISA Server computer to different locations on one or more Web servers. Path mapping enables you to mask a complex internal Web server configuration and present a simple Web site view to the users on the Internet. You cannot use path mapping to forward VPN requests to a VPN server. Therefore, configuring path mapping on ISA1 to forward all the VPN requests to ISA2 will not enable remote VPN clients to connect to the VPN server installed on ISA2 to access the internal resources.

You should not configure link translation on ISA2 to translate all the VPN links to ISA1. Link translation is used when Web sites published on the ISA Server contain links to other Web servers located on the protected network that are not accessible from the Internet. If the Web pages contain links to a Web server that is not accessible from the Internet, these links appear as broken links. Link translation enables the ISA Server to replace internal server names on Web pages with server names that are accessible from the Internet. Link translation works only for links to the Web server specified in the Web publishing rule. Link translation cannot be used to enable remote VPN clients to connect to the VPN server installed on ISA2 for accessing the internal resources.

You should not configure ISA1 and ISA2 to use the IPSec tunnel mode and publish the VPN server ISA2 by using a server publishing rule. IPSec tunnel mode is a VPN protocol that the ISA Server uses to configure site-to-site VPN connections. ISA Server 2004 supports three VPN protocols for site-to-site VPN connections: PPTP, L2TP/IPSec, and IPSec tunnel mode. When IPSec is used in tunnel mode, IPSec itself provides encapsulation for IP traffic only. IPSec tunnel mode can be used when you want to connect to a third-party VPN server by using a site-to-site VPN connection. Only PPTP and L2TP/IPSec can be used to connect to an internal VPN server that is running ISA Server 2000 or ISA Server 2004 or to a server running Windows Routing and Remote Access Server (RRAS). You should not configure ISA1 and ISA2 to use the IPSec tunnel mode because you can use only PPTP or L2TP over IPSec to publish a VPN server.

Reference:
TechNet, Search, "Publishing a VPN Server in ISA Server 2004"

Self-Paced Training Kit, Implementing Microsoft Internet Security and Acceleration Server 2004, Chapter 8, How to Publish a VPN Server, p. 8-57.

These questions are derived from the Self Test Software Practice Test for Microsoft exam 70-350 – Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004

cmadmin
