ExamWise For MCP MCSE Certification: Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition Exam 70-227 (With Online Exam)

ExamWise For Installing, Configuring, & Administering Microsoft Internet Security and Acceleration Server 2000 Enterpri...

Author: Michael Yu Chak Tin

8 downloads 419 Views 2MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form

DOWNLOAD PDF

ExamWise For Installing, Configuring, & Administering Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition Examination 70-227

Online practice exam provided by BeachFront Quizzer, Inc., Friendswood, Texas www.bfqonline.com

Author Michael Yu Chak Tin Published by TotalRecall Publications, Inc. 1103 Middlecreek Friendswood, TX 77546 281-992-3131 NOTE: THIS IS BOOK IS GUARANTEED: See details at www.TotalRecallPress.com

TotalRecall Publications, Inc. This Book is sponsored by BeachFront Quizzer, Inc. Copyright

2003 by TotalRecall Publications, Inc. All rights reserved.

Printed in the

United States of America. Except as permitted under the United States Copyright Act of 1976, No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic or mechanical or by photocopying, recording, or otherwise without the prior permission of the publisher. The views expressed in this book are solely those of the author, and do not represent the views of any other party or parties. Printed in United States of America Printed and bound by Data Duplicators of Houston Texas Printed and bound by Lightning Source, Inc. in the USA and UK ISBN: 1-59095-623-0 UPC: 6-43977-03227-0 The sponsoring editor is Bruce Moran and the production supervisor is Corby Tate.

Worldwide eBook distribution by:

This publication is not sponsored by, endorsed by, or affiliated with Microsoft, Inc. The “Windows® 2000, MCSE™, MCSD™, MCSE+I™, MCT™” Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. All other trademarks are trademarks of their respective owners. Throughout this book, trademarked names are used. Rather than put a trademark symbol after every occurrence of a trademarked name, we used names in an editorial fashion only and to the benefit of the trademark owner. No intention of infringement on trademarks is intended. Disclaimer Notice: Judgments as to the suitability of the information herein for purchaser’s purposes are necessarily the purchaser’s responsibility. BeachFront Quizzer, Inc. and TotalRecall Publications, Inc. extends no warranties, makes no representations, and assumes no responsibility as to the accuracy or suitability of such information for application to the purchaser’s intended purposes or for consequences of its use.

This book is dedicated to my parents John

and Esther Yu for their support and encouragement.

Michael Yu Chak Tin

ExamWise¥

For

Windows£ 2000 ISA Server Certification

Installing, Configuring, & Administering Microsoft£ Internet Security and Acceleration Server 2000 Enterprise Edition Examination 70-227

Michael Yu Chak Tin About the Author Michael Yu Chak Tin Born in Hong Kong and educated in the US, Michael Yu Chak Tin has worked for Fortune 500 companies as well as small high-tech startups, both in Hong Kong and in the US. During his time in Silicon Valley, Michael developed invaluable experience in internal process improvement applications that automated much of his employer's operations. At Pacific Rim Networks Ltd., Michael has participated in the management of technology projects, and the evaluation of new technologies for business applications. For years, Michael has been providing content and writing exam study guides for the leading IT Certification sites worldwide. Michael has been working extensively on new Internet venture development. His experience and knowledge in shaping strategic framework are valuable assets essential to the success of a venture.

About the Editor Alan Grayson Alan Grayson (M.S. Systems Management, MCSE 2000, MCSE+I, MCDBA, MCSA, MCT, CNE-3/4, Net+, Server+, Master CIW Administrator, CIW E-Commerce Designer, CIW-CI) has seven years experience as a computer professional. He teaches at Mercer University in Macon, GA. You may email him at [email protected] or [email protected].

About the Book This manual is designed to provide information to help readers study for and pass Microsoft’s Internet Security and Acceleration (ISA) Server 2000 Enterprise Edition certification exam. Every effort has been made to make this manual as complete and accurate as possible. Just reviewing the table of contents, you will see that through BFQ Press, I was given the freedom to build on what I have learned from running a Voc Tech school. For example, the chapter numbers are written in Base 2. This wasn’t done to annoy you. The goal is through reinforcement, learn binary math, since that is how much of computing works. Who should NOT buy this book! If you are looking for solid training material to pass 70227 (Microsoft Installing, Configuring, & Administering Microsoft® Internet Security and Acceleration Server 2000 Enterprise Edition) DON”T buy this work. This title (ExamWise) is a “I just want to make sure I know what I think I know before I spend a couple hundred bucks on 70-227.” This book contains over 450 questions directly related to the Installing, Configuring, & Administering Microsoft® Internet Security and Acceleration Server 2000 Enterprise Edition certification topics. If you want/need a certification/reference/killer idea book with the additional goal of taking 70-227 , try the InsideScoop to Installing, Configuring, & Administering Microsoft® Internet Security and Acceleration Server 2000 Enterprise Edition ISBN 159095-013-5 or ExamInsight for Installing, Configuring, & Administering Microsoft® Internet Security and Acceleration Server 2000 Enterprise Edition ISBN 1-59095-020-8 from BFQ Press. The CD that accompanies that book has enough data to keep anyone busy studying for the next year.

About Online Testing www.bfqonline.com practice tests include Self Study sessions with instant feed back, simulative and adaptive testing with detailed explanations. Register at www.BFQPress.com or send an email Located in the back of the book is a 30-day voucher for online testing.

NOTE: THIS BOOK IS GUARANTEED: See details at www.totalrecallpress.com

Table of Contents VII

Table of Contents

About the Author ...................................................................................................IV

About the Editor ....................................................................................................IV

About the Book.......................................................................................................V

About Online Testing..............................................................................................V

About 70-227 Certification .....................................................................................X

Chapter 1: Installing ISA Server Chapter 2: Managing ISA Server Services

1

59

Chapter 3: Managing Policies and Rules

119

Chapter 4: The Client Computer

177

Chapter 5: Using ISA Server

221

Chapter 6: Terminology

345

Money Back Book Guarantee

427

70-227 Free Practice Exam Online

428

VIII Forward

Forward Internet Security and Acceleration (ISA) Server 2000 is the next generation of Proxy Server, providing secure, fast, and manageable Internet connectivity by integrating an extensible, multilayer enterprise firewall with the Proxy architecture. ISA Server comes in two editions: Standard Edition and Enterprise Edition. The Standard Edition is a standalone server suitable for small to medium networks. For large-scale deployments, server array support, multi-level policy, and computers with more than four processors, you will need to use the Enterprise Edition. According to Microsoft, the 70-227 Certification exam identifies your ability to implement, administer, and troubleshoot information systems that incorporate ISA Server 2000. This exam requires exposure to the ISA Server Enterprise Edition. When you pass this exam, you achieve Microsoft Certified Professional status. You also earn elective credit toward Microsoft Certified Systems Engineer certification. Candidates for this exam should have experience operating in medium to very large computing environments that use the Microsoft Windows 2000 Server operating system. They should have a minimum of one year's experience implementing and administering network operating systems in environments that have between 200 and 26,000+ supported users and are spread across multiple physical locations. This book is organized to follow Microsoft’s published exam objectives for the 70-227 Certification exam. In addition to using this book for exam preparation, you are encouraged to use the enclosed Beachfront Quizzer test modules to constantly assess your study progress.

Michael Yu Chak Tin

Introduction IX

Introduction This courseware is designed for use in two ways. 1. Instructor-led course 2. Self-study

Welcome! This manual has been designed to provide information for students to pass (green bar) the Microsoft Installing, Configuring, & Administering Microsoft® Internet Security and Acceleration Server 2000 Enterprise Edition certification test.

Self-Study Students This manual may also be used for self-study purposes. This title was written for the student who has some networking experience with Windows 2000 Server, and either requires no to little instruction on theory. If you begin with this book, and it mostly sounds like communications from another planet, here are your choices: Set this book aside and order ExamInsight ISBN #1-59095-032-1. OR, return this book for credit toward InsideScoop ISBN 1-59095-013-5 by Calling 281-992-3131 If you are getting along, (barely) with this book you may wish to order the Installing, Configuring, & Administering Microsoft® Internet Security and Acceleration Server 2000 Enterprise Edition] CD Test simulation and study guide. It has a very large number of unique links to Internet sites explaining topics staring from definitional in nature to extremely detailed techo-speak.

X About 70-227 Certification

About 70-227 Certification Today, many human resource departments demand Microsoft certification at either the MCP, MCSA, or MCSE level prior to hiring employees, and often require it within 90 to 180 days after being hired. For current employees, attainment of these certifications is often the basis for a pay raise and/or promotion. When the Exam 70-227: Installing, Configuring, and Administering Microsoft® Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition group wrote the exam, they focused on two official primary objectives for test questions. The two official objectives were: 1) is this a valid question for someone with 18 to 24 months full time field experience? And 2) Does this answer the objective fairly? If you find yourself somewhat lacking in some of the details involved in networking, and would like a reference for additional materials, please contact us at [email protected] and we can assist you. Exam Preparation Guide Exam 70-227: Installing, Configuring, and Administering Microsoft® Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition http://www.microsoft.com/traincert/exams/70-227.asp Information you will find in their document will include the following.

Credit Toward Certification When you pass the Installing, Configuring, and Administering Microsoft® Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition exam, you achieve Microsoft Certified Professional status. You also earn credit toward the following certifications: x Elective credit toward Microsoft Certified Systems Administrator on Microsoft Windows 2000 certification x Elective credit toward Microsoft Certified Systems Engineer on Microsoft Windows 2000 certification

About 70-227 Certification XI

Audience Profile Candidates for this exam operate in medium to very large computing environments that use the Microsoft Windows® 2000 Server operating system. They have a minimum of one year's experience implementing and administering network operating systems in environments that have the following characteristics: x Between 200 and 26,000+ supported users x Multiple physical locations x Outbound access for typical client services and applications, such as Web access, e-mail, Telnet, FTP, virtual private networking (VPN), desktop management, and access control policies x Hosting of network services, such as internal and external Web hosting, messaging, and firewall x Connectivity needs that include connecting individual offices and users at remote locations to the corporate network and connecting corporate networks to the Internet x ISA Chaining

Skills Being Measured This certification exam measures your ability to implement, administer, and troubleshoot information systems that incorporate the Enterprise Edition of Microsoft Internet Security and Acceleration (ISA) Server 2000. Wherever the term "ISA Server" occurs in this prep guide or in the content of the exam, it refers only to ISA Server 2000, Enterprise Edition. It does not refer to ISA Server 2000, Standard Edition. Before taking the exam, you should be proficient in the job skills listed below. A. Installing ISA Server 1. Preconfigure network interfaces. x Verify Internet connectivity before installing ISA Server. x Verify DNS name resolution. 2. Install ISA Server. Installation modes include integrated, firewall, and cache. x Construct and modify the local address table (LAT). x Calculate the size of the cache and configure it. x Install an ISA Server computer as a member of an array. 3. Upgrade a Microsoft Proxy Server 2.0 computer to ISA Server. x Back up the Proxy Server 2.0 configuration. 4. Troubleshoot problems that occur during setup.

XII About 70-227 Certification B. Configuring and Troubleshooting ISA Server Services 1. Configure and troubleshoot outbound Internet access. 2. Configure ISA Server hosting roles.

x Configure ISA Server for Web publishing.

x Configure ISA Server for server proxy.

x Configure ISA Server for server publishing.

3. Configure H.323 Gatekeeper for audio and video conferencing. x Configure gatekeeper rules. Rules include telephone, e-mail, and Internet Protocol (IP). x Configure gatekeeper destinations by using the Add Destination Wizard. 4. Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections. x Set up and verify routing rules for static IP routes in Routing and Remote Access. 5. Configure and troubleshoot virtual private network (VPN) access. x Configure the ISA Server computer as a VPN endpoint without using the VPN Wizard. x Configure the ISA Server computer for VPN pass-through. 6. Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP)

About 70-227 Certification XIII C. Configuring, Managing, and Troubleshooting Policies and Rules 1.

Configure and secure the firewall in accordance with corporate standards. x Configure the packet filter rules for different levels of security, including system hardening. 2. Create and configure access control and bandwidth policies. x Create and configure site and content rules to restrict Internet access. x Create and configure protocol rules to manage Internet access. x Create and configure routing rules to restrict Internet access. x Create and configure bandwidth rules to control bandwidth usage. 3. Troubleshoot access problems.

x Troubleshoot user-based access problems.

x Troubleshoot packet-based access problems.

4. Create new policy elements. Elements include schedules, bandwidth priorities, destination sets, client address sets, protocol definitions, and content groups. 5. Manage ISA Server arrays in an enterprise.

x Create an array of proxy servers.

x Assign an enterprise policy to an array.

D. Deploying, Configuring, and Troubleshooting the Client Computer 1. Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function. 2. Configure and troubleshoot the client computer for secure network address translation (SecureNAT). 3. Install the Firewall Client software. Considerations include the cost and complexity of deployment. x Troubleshoot autodetection. 4. Configure the client computer's Web browser to use ISA Server as an HTTP proxy.

XIV About 70-227 Certification E. Monitoring, Managing, and Analyzing ISA Server Use 1. Monitor security and network usage by using logging and alerting. x Configure intrusion detection. x Configure an alert to send an e-mail message to an administrator. x Automate alert configuration. x Monitor alert status. 2. Troubleshoot problems with security and network usage. x Detect connections by using Netstat. x Test the status of external ports by using Telnet or Network Monitor. 3. Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security. 4. Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis. x Analyze the performance of the ISA Server computer by using Performance Monitor. x Analyze the performance of the ISA Server computer by using reporting and logging. x Control the total RAM used by ISA Server for caching.

Installing ISA Server 1

Chapter 1: Installing ISA Server The objective of this chapter is to provide the reader with an understanding of the following: 1.

Preconfigure network interfaces.

2.

Verify Internet connectivity before installing ISA Server.

3.

Verify DNS name resolution.

4.

Install ISA Server. Installation modes include integrated, firewall, and cache.

5.

Construct and modify the local address table (LAT).

6.

Calculate the size of the cache and configure it.

7.

Install an ISA Server computer as a member of an array.

8.

Upgrade a Microsoft Proxy Server 2.0 computer to ISA Server.

9.

Back up the Proxy Server 2.0 configuration.

10. Troubleshoot problems that occur during setup.

2 Chapter 1

I

Introduction

ISA Server is a combination of firewall and Proxy Server. With Proxy Server, we can perform NAT, caching and basic filtering. ISA Server has much stronger capabilities in network protection. It is also tightly integrated with Windows 2000 and Active Directory. If you are familiar with Proxy Server, you will find that ISA Server is very easy to configure. This is because they share the same underlying concepts and theories. A firewall is a hardware/software combination that acts as a point of access for traffic going in and out of an internal network. You can deploy ISA server as a single bastion host or as part of a perimeter network. You can also use the various filters provided to protect your network.

Installing ISA Server 3 1. View the Graphic to answer this question: Michael is the enterprise security administrator for your company's network. He has the ISA Server CD with him. From where should he run the setup command for launching the ISA program shown in the graphic?

A. \iserv\i386 B. \isa\i386 C. \msisa\i386 D. \serv\i386 E. \server\i386

4 Chapter 1 1. View the Graphic to answer this question: Michael is the enterprise security administrator for your company's network. He has the ISA Server CD with him. From where should he run the setup command for launching the ISA program shown in the graphic?

A. \iserv\i386 *B. \isa\i386 C. \msisa\i386 D. \serv\i386 E. \server\i386 Explanation: To install ISA server: At a command prompt, type Path\isa\i386\msisaent.exe, where Path is the path to the Microsoft Internet Security and Acceleration Server installation files. The path may be the root folder of the ISA Server CD or a shared folder on your network that contains the ISA Server files.

Installing ISA Server 5 2. You are going to set up an ISA server for your company. What is the command for beginning the ISA Server enterprise initialization process?

A. ISAautorun.exe B. Setup.exe C. I386.exe D. Winnt-isa

3. Tony is planning to install An ISA Server to protect his network. However, he is unable to do so. Which of the following are the requirements he must fulfill in order to proceed with the installation?

A. You must be a member of the Enterprise Admins groups. B. You must be a member of the Schema Admins groups. C. You must be a member of the OU Admins groups. D. You must be a member of the Domain Admins groups.

6 Chapter 1 2. You are going to set up an ISA server for your company. What is the command for beginning the ISA Server enterprise initialization process?

*A. ISAautorun.exe B. Setup.exe C. I386.exe D. Winnt -isa Explanation: If you downloaded the ISA Server installation files from the Web, or if you copied the contents of the ISA Server CD, run the ISAautorun.exe file at a command prompt to begin the ISA Server enterprise initialization.

3. Tony is planning to install An ISA Server to protect his network. However, he is unable to do so. Which of the following are the requirements he must fulfill in order to proceed with the installation?

*A. You must be a member of the Enterprise Admins groups. *B. You must be a member of the Schema Admins groups. C. You must be a member of the OU Admins groups. D. You must be a member of the Domain Admins groups. Explanation: In order to install the ISA Server schema to Active Directory, you must be an administrator on the local computer. In addition, you must be a member of the Enterprise Admins and Schema Admins groups.

Installing ISA Server 7 4. View the Graphic to answer this question: You are the network administrator for your company's network. Which of the following are the valid ways to proceed in order for you to reach a screen identical to what is shown in the graphic.

A. Directly from the CD B. Run from a network share. C. Copy the installation files to the hard drive and install locally. D. Run from a floppy.

8 Chapter 1 4. View the Graphic to answer this question: You are the network administrator for your company's network. Which of the following are the valid ways to proceed in order for you to reach a screen identical to what is shown in the graphic.

*A. Directly from the CD

*B. Run from a network share.

*C. Copy the installation files to the hard drive and install locally.

D. Run from a floppy. Explanation: All these are the valid ways to install ISA Server.

Installing ISA Server 9 5. You are planning to install ISA Server so that your network will be protected. Unfortunately, the installation fails when you try to update the Active Directory schema. Which of the following are the requirements you must fulfill in order to ensure a successful integration of ISA server schema and Active Directory schema?

A. You must be a member of the local administrator for the server that holds ISA B. You must be a member of the local administrator for all the domain controllers. C. You must be a member of the local administrator for at least one domain controller. D. You must be a member of the domain administrator for at least one domain controller.

6. You are the enterprise security administrator for your company's network. Your assistant accidentally runs the enterprise initialization process. You must undo it immediately. Which of the following methods can you use?

A. Reinstall the entire Active Directory. B. Reinstall ISA server. C. Modify the schema objects. D. Remove the ISA schema objects.

10 Chapter 1 5. You are planning to install ISA Server so that your network will be protected. Unfortunately, the installation fails when you try to update the Active Directory schema. Which of the following are the requirements you must fulfill in order to ensure a successful integration of ISA server schema and Active Directory schema? *A. You must be a member of the local administrator for the server that holds ISA B. You must be a member of the local administrator for all the domain controllers. C. You must be a member of the local administrator for at least one domain controller. D. You must be a member of the domain administrator for at least one domain controller. Explanation: In order to install the ISA Server schema to Active Directory, you must be an administrator on the local computer. In addition, you must be a member of the Enterprise Admins and Schema Admins groups.

6. You are the enterprise security administrator for your company's network. Your assistant accidentally runs the enterprise initialization process. You must undo it immediately. Which of the following methods can you use? *A. Reinstall the entire Active Directory. B. Reinstall ISA server. C. Modify the schema objects. D. Remove the ISA schema objects. Explanation: The enterprise initialization process copies the ISA Server schema information to the Active Directory. Because the Active Directory does not support deletion of schema objects, the enterprise initialization process is irreversible.

Installing ISA Server 11 7. Recently, your company's network has been hacked. As the enterprise security administrator, you plan to install An ISA Server to protect your network. You plan to run the enterprise initialization process. Which of the following is true?

A. The ISA Server schema has to be installed once to the Active Directory for the entire enterprise. B. The ISA Server schema has to be installed once to the Active Directory for every domain. C. The ISA Server schema has to be installed once to the Active Directory for every OU. D. The ISA Server schema has to be installed once to the Active Directory for every enforcement point.

8. Johnny is the new help desk for your company. He plans to install ISA Server to protect the network. However, he wants to install it in the easiest way. How should he invoke the Setup Wizard?

A. By running the setup command. B. By running the ISAsetup command. C. By running the NTsetup command. D. By running the i386 command.

12 Chapter 1 7. Recently, your company's network has been hacked. As the enterprise security administrator, you plan to install An ISA Server to protect your network. You plan to run the enterprise initialization process. Which of the following is true? *A. The ISA Server schema has to be installed once to the Active Directory for the entire enterprise. B. The ISA Server schema has to be installed once to the Active Directory for every domain. C. The ISA Server schema has to be installed once to the Active Directory for every OU. D. The ISA Server schema has to be installed once to the Active Directory for every enforcement point. Explanation: The ISA Server schema only has to be installed once to the Active Directory for the entire enterprise.

8. Johnny is the new help desk for your company. He plans to install ISA Server to protect the network. However, he wants to install it in the easiest way. How should he invoke the Setup Wizard? *A. By running the setup command. B. By running the ISAsetup command. C. By running the NTsetup command. D. By running the i386 command. Explanation: To install the server software, at a command prompt, type Path\isa\setup where Path is the path to the Microsoft Internet Security and Acceleration (ISA) Server installation files. The path may be the root folder of the ISA Server CD or a shared folder on your network that contains the ISA Server files.

Installing ISA Server 13 9. You want to install ISA Server in order to protect your network. You want the ISA Server to be installed as a standalone server. What should you do?

A. By installing ISA server on a server that is not part of a Windows 2000 domain. B. By installing ISA server on a server that is part of a Windows 2000 domain. C. By selecting the Standalone option during install. D. By removing Active Directory on the network.

10. You have a standalone ISA Server installed in your network. In order to enable the server to join an array, which of the following should you do?

A. Add the server to a Windows 2000 domain and then join it to an array. B. Add the server to a security server group and then join it to an array. C. Reinstall ISA D. Modify the registry.

14 Chapter 1 9. You want to install ISA Server in order to protect your network. You want the ISA Server to be installed as a standalone server. What should you do?

*A. By installing ISA server on a server that is not part of a Windows 2000 domain. B. By installing ISA server on a server that is part of a Windows 2000 domain. C. By selecting the Standalone option during install. D. By removing Active Directory on the network. Explanation: If the computer on which you are installing ISA Server is not part of a Windows 2000 domain, then ISA Server will be installed as a standalone server. You can subsequently add the server to a Windows 2000 domain, and then join it to an array.

10. You have a standalone ISA Server installed in your network. In order to enable the server to join an array, which of the following should you do?

*A. Add the server to a Windows 2000 domain and then join it to an array. B. Add the server to a security server group and then join it to an array. C. Reinstall ISA D. Modify the registry. Explanation: If the computer on which you are installing ISA Server is not part of a Windows 2000 domain, then ISA Server will be installed as a standalone server. You can subsequently add the server to a Windows 2000 domain, and then join it to an array.

Installing ISA Server 15 11. You have a computer with Windows 2000 server installed. This computer has a PII366 CPU and 256M RAM. Which of the following should you do before ISA server can be installed?

A. 450MHZ CPU B. 384M RAM C. Windows 2000 SP1 D. Windows 2000 SP2 E. Windows 2000 SP3

12. You plan to install an ISA Server to protect your network. You have ISA Server installed on a domain controller. Which of the following has been modified by the installation?

A. Active Directory schema B. TCP/IP driver's dynamic port range C. NetBIOS driver D. Server metabase

16 Chapter 1 11. You have a computer with Windows 2000 server installed. This computer has a PII366 CPU and 256M RAM. Which of the following should you do before ISA server can be installed?

A. 450MHZ CPU B. 384M RAM *C. Windows 2000 SP1 D. Windows 2000 SP2 E. Windows 2000 SP3 Explanation: Be sure to install Windows 2000 Service Pack 1 before you install ISA Server.

12. You plan to install an ISA Server to protect your network. You have ISA Server installed on a domain controller. Which of the following has been modified by the installation?

*A. Active Directory schema *B. TCP/IP driver's dynamic port range C. NetBIOS driver D. Server metabase Explanation: As part of the installation process, ISA Server modifies the TCP/IP driver's dynamic port range, setting it to 65,535. This modification will take affect after the computer is rebooted.

Installing ISA Server 17

13. You installed ISA Server on a domain controller. What the effective TCP/IP driver's dynamic port range is before the server is rebooted?

A. Unchanged B. 1023

C. 6535

D. 65535

14. Kane is the security administrator for your company's network. He installed ISA Server to protect his network. The server is installed on a domain controller. Due to office maintenance, he shuts down the server for 4 hours. What is the effective TCP/IP driver's dynamic port range after the server is started again?

A. Unchanged B. 1023

C. 6535

D. 65535

18 Chapter 1 13. You installed ISA Server on a domain controller. What the effective TCP/IP driver's dynamic port range is before the server is rebooted?

*A. Unchanged B. 1023 C. 6535 D. 65535 Explanation: As part of the installation process, ISA Server modifies the TCP/IP driver's dynamic port range, setting it to 65,535. This modification will take affect after the computer is rebooted.

14. Kane is the security administrator for your company's network. He installed ISA Server to protect his network. The server is installed on a domain controller. Due to office maintenance, he shuts down the server for 4 hours. What is the effective TCP/IP driver's dynamic port range after the server is started again?

A. Unchanged B. 1023 C. 6535 *D. 65535 Explanation: As part of the installation process, ISA Server modifies the TCP/IP driver's dynamic port range, setting it to 65,535. This modification will take affect after the computer is rebooted.

Installing ISA Server 19 15. Which of the following is REQUIRED for ISA server to be installed on a backup domain controller?

A. Windows 2000 Domain. B. 3 NICs. C. 384MB RAM D. Domain controller password. E. CD Key.

16. You are installing ISA Server for your personal network lab. Which of the following are valid installation options you can choose?

A. Typical B. Full C. Custom D. Domain controller E. Workgroup

20 Chapter 1 15. Which of the following is REQUIRED for ISA server to be installed on a backup domain controller?

A. Windows 2000 Domain. B. 3 NICs. C. 384MB RAM D. Domain controller password. *E. CD Key. Explanation: The CD Key is the 10-digit number located on back of the ISA Server CD-ROM case.

16. You are installing ISA Server for your personal network lab. Which of the following are valid installation options you can choose?

*A. Typical *B. Full *C. Custom D. Domain controller E. Workgroup Explanation: You can select to perform a typical installation, Full installation, or Custom installation.

Installing ISA Server 21 17. You are the enterprise security administrator for your company's network. You want to install ISA Server. You want to choose which ISA Server components to be installed. Which of the following are the valid choices?

A. ISA Management only B. ISA Server services C. ISA Server extensions D. ISA Management client E. ISA management driver

18. You are deploying an ISA Server for your network. You want to make sure that the array of ISA Server computers you installed earlier can be administered remotely. Which of the following can be done?

A. Install ISA management on your server. B. Install ISA device drivers on your Windows 2000 Pro. C. Install ISA Server services on your server. D. Install ISA Server extensions on your W98 client.

22 Chapter 1 17. You are the enterprise security administrator for your company's network. You want to install ISA Server. You want to choose which ISA Server components to be installed. Which of the following are the valid choices?

*A. ISA Management only *B. ISA Server services *C. ISA Server extensions D. ISA Management client E. ISA management driver Explanation: If you install only ISA Management, you can use the server on which ISA Management is installed to administer remotely one or more arrays of ISA Server computers.

18. You are deploying an ISA Server for your network. You want to make sure that the array of ISA Server computers you installed earlier can be administered remotely. Which of the following can be done?

*A. Install ISA management on your server. B. Install ISA device drivers on your Windows 2000 Pro. C. Install ISA Server services on your server. D. Install ISA Server extensions on your W98 client. Explanation: If you install only ISA Management, you can use the server on which ISA Management is installed to administer remotely one or more arrays of ISA Server computers.

Installing ISA Server 23 19. View the Graphic to answer this question: Michael is planning to install ISA Server for his network. He received a dialog box during the installation. He asked you for help. In order for you to select which array to join, which of the following conditions must be met?

A. You must have previously initialized the enterprise. B. You must have registered the copy of ISA Server you have. C. You must have obtained the enterprise license key set from MS web site. D. You must have obtained the standard license key set from MS web site.

24 Chapter 1 19. View the Graphic to answer this question: Michael is planning to install ISA Server for his network. He received a dialog box during the installation. He asked you for help. In order for you to select which array to join, which of the following conditions must be met?

*A. You must have previously initialized the enterprise. B. You must have registered the copy of ISA Server you have. C. You must have obtained the enterprise license key set from MS web site. D. You must have obtained the standard license key set from MS web site. Explanation: You previously initialized the enterprise; you can now select which array to join. If you did not initialize the enterprise, then ISA Server will be installed as a standalone server.

Installing ISA Server 25 20. You are the enterprise administrator for your company's network. You are installing An ISA Server to protect your network. Which of the following are valid ISA server modes?

A. Firewall mode B. Cache mode C. Integrated mode D. Domain controller mode

26 Chapter 1 20. You are the enterprise administrator for your company's network. You are installing An ISA Server to protect your network. Which of the following are valid ISA server modes?

*A. Firewall mode *B. Cache mode *C. Integrated mode D. Domain controller mode Explanation: You can select to install ISA Server in firewall mode, cache mode, or integrated mode.

Installing ISA Server 27 21. Mr.Chu is planning to install An ISA Server to protect his network. He wants to be able to secure network communication by configuring rules. Which of the following are the valid ISA server modes he should use?


22. You are the administrator for your company's network. You just installed an ISA Server computer to protect your network. You want to be able to publish the internal servers for external access without compromising network security. Which of the following are the valid ISA server modes you should use?


28 Chapter 1 21. Mr.Chu is planning to install An ISA Server to protect his network. He wants to be able to secure network communication by configuring rules. Which of the following are the valid ISA server modes he should use?

*A. Firewall mode B. Cache mode *C. Integrated mode D. Domain controller mode Explanation: In the firewall mode, you can secure network communication by configuring rules that control communication between your corporate network and the Internet. In firewall mode, you can also publish internal servers, thereby sharing data on your internal servers with Internet users.

22. You are the administrator for your company's network. You just installed an ISA Server computer to protect your network. You want to be able to publish the internal servers for external access without compromising network security. Which of the following are the valid ISA server modes you should use?

*A. Firewall mode B. Cache mode *C. Integrated mode D. Domain controller mode Explanation: In firewall mode, you can secure network communication by configuring rules that control communication between your corporate network and the Internet. In firewall mode, you can also publish internal servers, thereby sharing data on your internal servers with Internet users.

Installing ISA Server 29 23. Because bandwidth is your primary concern, you decide to conserve bandwidth on your slow 256K WAN link. Which of the following is the valid ISA server mode you should use?


24. You are the security administrator for your company's network. You want to install An ISA Server to protect your network. Network security is your top concern. Which of the following are the steps you can take to achieve this?

A. Deploy the Firewall mode. B. Deploy the Cache mode. C. Configure the appropriate rules. D. Implement IP filters on the internal interface.

30 Chapter 1 23. Because bandwidth is your primary concern, you decide to conserve bandwidth on your slow 256K WAN link. Which of the following is the valid ISA server mode you should use?

A. Firewall mode *B. Cache mode C. Integrated mode D. Domain controller mode Explanation: In cache mode you can improve network performance and save bandwidth by storing commonly accessed objects closer to the user. You can then route requests from Internet users to the appropriate Web server.

24. You are the security administrator for your company's network. You want to install An ISA Server to protect your network. Network security is your top concern. Which of the following are the steps you can take to achieve this?

*A. Deploy the Firewall mode. B. Deploy the Cache mode. *C. Configure the appropriate rules. D. Implement IP filters on the internal interface. Explanation: In firewall mode, you can secure network communication by configuring rules that control communication between your corporate network and the Internet.

Installing ISA Server 31 25. You are installing ISA Server on a computer. Which of the following is a component that must be specified during ISA setup if you choose to run in integrated mode?

A. Cache drive. B. Web cache filter. C. L1 Cache amount. D. L2 Cache amount. E. Page file.

26. You are installing ISA Server on a computer. Which of the following is a requirement that must be met if you choose to run ISA in integrated mode?

A. A remote 2GB drive partition. B. A local 2GB drive partition. C. A remote NTFS drive. D. A local NTFS drive. E. A 300mhz+ CPU.

32 Chapter 1 25. You are installing ISA Server on a computer. Which of the following is a component that must be specified during ISA setup if you choose to run in integrated mode?

*A. Cache drive. B. Web cache filter. C. L1 Cache amount. D. L2 Cache amount. E. Page file. Explanation: If you install ISA Server in integrated or cache mode, then you must configure which cache drives to use.

26. You are installing ISA Server on a computer. Which of the following is a requirement that must be met if you choose to run ISA in integrated mode?

A. A remote 2GB drive partition. B. A local 2GB drive partition. C. A remote NTFS drive. *D. A local NTFS drive. E. A 300mhz+ CPU. Explanation: You must use an NTFS partition for caching and the drive must be a local drive. Typically, the best performance is obtained if you use a drive different from the one on which the main Microsoft Internet Security and Acceleration (ISA) Server system and the Windows 2000 operating system are installed. It is further recommended that you format the drive before using it for caching.

Installing ISA Server 33 27. Which of the following steps should you take if you plan to install ISA in cache mode?

A. Create a 1GB partition as the D drive. B. Create a 1GB NTFS partition as the D drive. C. Format the newly created partition. D. Defrag the newly created partition. E. Convert the newly created partition to NTFS.

28. You are the enterprise security administrator for your company's network. There is an ISA Server computer in your network. You want to use the ISA Server caching feature. Your current server disk volume uses FAT partitions. How do you proceed with the installation?

A. Directly from the CD. B. Run from a network share. C. Copy the installation files to the hard drive and install locally. D. Run the convert command.

34 Chapter 1 27. Which of the following steps should you take if you plan to install ISA in cache mode?

A. Create a 1GB partition as the D drive. *B. Create a 1GB NTFS partition as the D drive. *C. Format the newly created partition. D. Defrag the newly created partition. E. Convert the newly created partition to NTFS. Explanation: You must use an NTFS partition for caching and the drive must be a local drive. Typically, the best performance is obtained if you use a drive different from the one on which the main Microsoft Internet Security and Acceleration (ISA) Server system and the Windows 2000 operating system are installed. It is further recommended that you format the drive before using it for caching.

28. You are the enterprise security administrator for your company's network. There is an ISA Server computer in your network. You want to use the ISA Server caching feature. Your current server disk volume uses FAT partitions. How do you proceed with the installation?

A. Directly from the CD. B. Run from a network share. C. Copy the installation files to the hard drive and install locally. *D. Run the convert command. Explanation: If you want to use the ISA Server caching feature, you must install ISA Server on a computer that has at least one partition formatted as an NTFS volume. If your current server disk volume uses FAT partitions, you can convert these partitions to NTFS by using Convert, which is included with Windows 2000 Server. Convert does not overwrite the data on the disk.

Installing ISA Server 35 29. You are the enterprise security administrator for your company's network. You are installing An ISA Server to protect your network. You want to set up ISA array in your NT4 domain. Which of the following steps must be taken?

A. All array members must be in the same domain. B. All array members must be in the same site. C. All array members must be in the same subnet. D. All array members must be of the same hardware configuration. E. All array members must be in the same domain.

36 Chapter 1 29. You are the enterprise security administrator for your company's network. You are installing An ISA Server to protect your network. You want to set up ISA array in your NT4 domain. Which of the following steps must be taken?

*A. All array members must be in the same domain. *B. All array members must be in the same site. C. All array members must be in the same subnet. D. All array members must be of the same hardware configuration. E. All array members must be in the same domain. Explanation: All array members must be in the same domain and in the same site. A site is a set of computers in a well-connected TCP/IP subnet. A domain is a collection of computers, defined by the administrator, that share a common directory (Active Directory) database.

Installing ISA Server 37 30. You are planning an install of the Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition software. Which of the following hardware requirements, on your current system, do you need to verify.

A. Computer with 300 MHz or higher Pentium II-compatible CPU B. 256 megabytes of RAM C. 500 MB of available hard-disk space D. Windows 2000 compatible network adapter E. Processors with 512 Cache

38 Chapter 1 30. You are planning an install of the Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition software. Which of the following hardware requirements, on your current system, do you need to verify.

*A. Computer with 300 MHz or higher Pentium II-compatible CPU *B. 256 megabytes of RAM C. 500 MB of available hard-disk space *D. Windows 2000 compatible network adapter E. Processors with 512 Cache Explanation: To use Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition, you need Computer with the following requirements.

1. 300 MHz or higher Pentium II-compatible CPU running Microsoft Windows(r) 2000 Server or Windows 2000 Advanced Server with Service Pack 1 or later.

OR

2. Windows 2000 Datacenter Server operating system with / 256 megabytes (MB) of RAM / 20 MB of available hard-disk space / Windows 2000 compatible network adapter for communicating with the internal network / Additional Windows 2000 compatible network adapter, modem, or ISDN adapter for communicating with the Internet or an upstream server / One local hard-disk partition formatted with the NTFS.

Installing ISA Server 39 31. You are the network administrator of your company. You want to use Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition on your eight-way server, which of the following must be done?

A. Upgrade all CPUs to the same speed. B. Increase memory to 1GB C. Increase hard drive space to 10GB. D. Install Windows 2000 SP2. E. Install Internet Explorer 5.5

32. You are setting up a new ISA server on a domain controller. Which of the following are the valid OS requirements of ISA?

A. Microsoft Windows 2000 Server with Service Pack 1 or later B. Microsoft Windows 2000 Advanced Server with Service Pack 1 or later C. Microsoft Windows 2000 Datacenter Server D. Microsoft Windows 2000 Pro with Service Pack 1 or later E. Microsoft Windows 2000 Web Server with Service Pack 1 or later

40 Chapter 1 31. You are the network administrator of your company. You want to use Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition on your eight-way server, which of the following must be done?

A. Upgrade all CPUs to the same speed. B. Increase memory to 1GB C. Increase hard drive space to 10GB. D. Install Windows 2000 SP2. *E. Install Internet Explorer 5.5 Explanation: A maximum of four processors is supported. ISA will not install on a computer with more than four processors.

32. You are setting up a new ISA server on a domain controller. Which of the following are the valid OS requirements of ISA?

*A. Microsoft Windows 2000 Server with Service Pack 1 or later *B. Microsoft Windows 2000 Advanced Server with Service Pack 1 or later *C. Microsoft Windows 2000 Datacenter Server D. Microsoft Windows 2000 Pro with Service Pack 1 or later E. Microsoft Windows 2000 Web Server with Service Pack 1 or later Explanation: ISA can be installed on computer with 300 MHz or higher Pentium IIcompatible CPU running Microsoft Windows(r) 2000 Server or Windows 2000 Advanced Server with Service Pack 1 or later, or Windows 2000 Datacenter Server operating system.

Installing ISA Server 41 33. You've been given the task to install ISA server on a computer for your company. You only want to install ISA management only. Which of the following OSes are supported?

A. Win9x B. Win NT 4 Server C. Win NT 4 WS D. Windows 2000 Pro E. Windows 2000 Server

34. You install five ISA Servers to protect your network. Each of these servers has a single CPU. How many licenses will you need to purchase from Microsoft?

A. 1 License B. 2 Licenses C. 3 Licenses D. 4 Licenses E. 5 Licenses

42 Chapter 1 33. You've been given the task to install ISA server on a computer for your company. You only want to install ISA management only. Which of the following OSes are supported?

A. Win9x B. Win NT 4 Server C. Win NT 4 WS *D. Windows 2000 Pro *E. Windows 2000 Server Explanation: For remote ISA Server administration, you need only install ISA Management, which can run on Windows 2000 Professional or above.

34. You install five ISA Servers to protect your network. Each of these servers has a single CPU. How many licenses will you need to purchase from Microsoft?

A. 1 License B. 2 Licenses C. 3 Licenses D. 4 Licenses *E. 5 Licenses Explanation: Microsoft created the processor-based licensing model to simplify the acquisition and maintenance of server software licenses. Customers acquire a Processor License for each CPU contained in the machine running their server software.

Installing ISA Server 43 35. You install four ISA Servers to protect your network of 400 users. Each of these servers has a single CPU. How many Client Access licenses will you need to purchase from Microsoft?

A. 1 Licenses B. 2 Licenses C. 3 Licenses D. 4 Licenses E. No Client Access Licenses are required.

36. You install four ISA Servers to protect your network of 600 users. Each of these servers has a single CPU. You also have two Exchange Servers running inside your network. How many Internet Connector licenses will you need to purchase from Microsoft?

A. 1 License B. 2 Licenses C. 3 Licenses D. 4 Licenses E. No Internet Connector Licenses are required.

44 Chapter 1 35. You install four ISA Servers to protect your network of 400 users. Each of these servers has a single CPU. How many Client Access licenses will you need to purchase from Microsoft?

A. 1 Licenses B. 2 Licenses C. 3 Licenses D. 4 Licenses *E. No Client Access Licenses are required. Explanation: Microsoft created the processor-based licensing model to simplify the acquisition and maintenance of server software licenses. Customers are no longer required to purchase additional Server Licenses, Client Access Licenses (CALs), or Internet Connector Licenses.

36. You install four ISA Servers to protect your network of 600 users. Each of these servers has a single CPU. You also have two Exchange Servers running inside your network. How many Internet Connector licenses will you need to purchase from Microsoft?

A. 1 License B. 2 Licenses C. 3 Licenses D. 4 Licenses *E. No Internet Connector Licenses are required. Explanation: Microsoft created the processor-based licensing model to simplify the acquisition and maintenance of server software licenses. Customers are no longer required to purchase additional Server Licenses, Client Access Licenses (CALs), or Internet Connector Licenses.

Installing ISA Server 45 37. You install six ISA Servers to protect your network. Which of the following correctly describe the processor licenses you purchase from Microsoft?

A. Processor License includes access for an unlimited number of users to connect from outside the firewall only. B. Processor License includes access for an unlimited number of users to connect from inside the firewall only. C. Processor License includes access for an unlimited number of users to connect from either inside the corporate local area network or wide area network or outside the firewall. D. Processor License includes access for limited number of users to connect from either inside the corporate local area network or wide area network or outside the firewall, based on CALs. E. Processor License includes access for limited number of users to connect from the Internet, based on CALs.

38. You are considering the deployment of ISA server to protect your network. You need to migrate your array of Proxy servers to ISA Servers. Which of the following actions is recommended before you proceed with the migration?

A. Remove all the members. B. Synchronize all the members. C. Register the array with Active Directory. D. Apply the service pack to the array.

46 Chapter 1 37. You install six ISA Servers to protect your network. Which of the following correctly describe the processor licenses you purchase from Microsoft? A. Processor License includes access for an unlimited number of users to connect from outside the firewall only. B. Processor License includes access for an unlimited number of users to connect from inside the firewall only. *C. Processor License includes access for an unlimited number of users to connect from either inside the corporate local area network or wide area network or outside the firewall. D. Processor License includes access for limited number of users to connect from either inside the corporate local area network or wide area network or outside the firewall, based on CALs. E. Processor License includes access for limited number of users to connect from the Internet, based on CALs. Explanation: Processor License includes access for an unlimited number of users to connect from either inside the corporate local area network (LAN) or wide area network (WAN) or outside the firewall.

38. You are considering the deployment of ISA server to protect your network. You need to migrate your array of Proxy servers to ISA Servers. Which of the following actions is recommended before you proceed with the migration? *A. Remove all the members. B. Synchronize all the members. C. Register the array with Active Directory. D. Apply the service pack to the array. Explanation: Before you can migrate an array of Proxy Server 2.0 computers, it is recommended that you remove all the members.

Installing ISA Server 47 39. You are considering the deployment of ISA server to protect your network. You need to migrate your Proxy servers to ISA Servers. Which of the following direct upgrade paths are not supported?

A. Proxy Server 1.0 B. Proxy Server 2.0 C. BackOffice Server 4.0 D. Small Business Server 4.0

40. Since you want to take advantage of ISA Server, you decide to migrate your array of Proxy servers to an array of ISA Servers. In order for the new set up to support IPX, which of the following must be done?

A. Synchronize all the members. B. Register the array with Active Directory. C. Apply the service pack to the array. D. Support for IPX is not available in ISA. E. Support for AppleTalk is not available in ISA.

48 Chapter 1 39. You are considering the deployment of ISA server to protect your network. You need to migrate your Proxy servers to ISA Servers. Which of the following direct upgrade paths are not supported?

*A. Proxy Server 1.0 B. Proxy Server 2.0 *C. BackOffice Server 4.0 *D. Small Business Server 4.0 Explanation: Direct upgrade from Proxy Server 1.0, BackOffice Server 4.0 or Small Business Server 4.0 is not supported.

40. Since you want to take advantage of ISA Server, you decide to migrate your array of Proxy servers to an array of ISA Servers. In order for the new set up to support IPX, which of the following must be done?

A. Synchronize all the members. B. Register the array with Active Directory. C. Apply the service pack to the array. *D. Support for IPX is not available in ISA. E. Support for AppleTalk is not available in ISA. Explanation: As stated in the technical documents obtained from Microsoft, ISA Server does not support the IPX protocol.

Installing ISA Server 49 41. Your boss asks you to enhance the security of his company's network. You need to migrate your Proxy servers to ISA Servers. Which of the following is NOT true concerning the migration?

A. Direct upgrade from Proxy Server 1.0, BackOffice Server 4.0 or Small Business Server 4.0 is supported. B. There is an automatic option to return to Proxy Server 2.0 once the upgrade to ISA Server has been started. C. ISA Server does not support the IPX protocol. D. You should back up your Proxy Server settings before performing the migration.

42. As the enterprise security administrator for your company's network, you need to migrate your Proxy servers to ISA Servers. The proxy servers are running on NT4 servers. You need to stop and disable all the Proxy Server services first before an upgrade is possible. Which of the following represents the Microsoft Winsock Proxy service?

A. wspsrv B. mspadmin C. mailalrt D. w3svc

50 Chapter 1 41. Your boss asks you to enhance the security of his company's network. You need to migrate your Proxy servers to ISA Servers. Which of the following is NOT true concerning the migration?

*A. Direct upgrade from Proxy Server 1.0, BackOffice Server 4.0 or Small Business Server 4.0 is supported. *B. There is an automatic option to return to Proxy Server 2.0 once the upgrade to ISA Server has been started. C. ISA Server does not support the IPX protocol. D. You should back up your Proxy Server settings before performing the migration. Explanation: Direct upgrade from Proxy Server 1.0, BackOffice Server 4.0 or Small Business Server 4.0 is NOT supported. In addition, there is NO automatic option to return to Proxy Server 2.0 once the upgrade to ISA Server has been started.

42. As the enterprise security administrator for your company's network, you need to migrate your Proxy servers to ISA Servers. The proxy servers are running on NT4 servers. You need to stop and disable all the Proxy Server services first before an upgrade is possible. Which of the following represents the Microsoft Winsock Proxy service?

*A. wspsrv B. mspadmin C. mailalrt D. w3svc Explanation: To stop and disable all the Proxy Server services type "net stop service_name" at a command prompt. You need to stop the Proxy Server services first before performing an upgrade.

Installing ISA Server 51 43. You want to migrate your Proxy servers to ISA Servers. The proxy servers are running on NT4 servers. You need to stop and disable all the Proxy Server services first before performing an upgrade. Which of the following represents the Microsoft Proxy Server Administration?


44. You want to migrate your Proxy servers to ISA Servers. The proxy servers are running on NT4 servers. You need to stop and disable all the Proxy Server services first. Which of the following represents the Proxy Alert Notification service?


52 Chapter 1 43. You want to migrate your Proxy servers to ISA Servers. The proxy servers are running on NT4 servers. You need to stop and disable all the Proxy Server services first before performing an upgrade. Which of the following represents the Microsoft Proxy Server Administration?

A. wspsrv *B. mspadmin C. mailalrt D. w3svc Explanation: To stop and disable all the Proxy Server services type "net stop service_name" at a command prompt. You need to stop the Proxy Server services first before performing an upgrade.

44. You want to migrate your Proxy servers to ISA Servers. The proxy servers are running on NT4 servers. You need to stop and disable all the Proxy Server services first. Which of the following represents the Proxy Alert Notification service?

A. wspsrv B. mspadmin *C. mailalrt D. w3svc Explanation: Type net stop service_name at a command prompt.

Installing ISA Server 53 45. You are the enterprise security administrator for your company's network. You need to maintain a network with both the Proxy servers and the ISA servers running together. When ISA Server is installed, which of the following must be done?

A. All downstream chain members connecting to the ISA Server computer must connect to port 8080. B. All downstream web browsers connecting to the ISA Server computer must connect to port 8080. C. Alternatively, reconfigure the ISA server to listen on port 80 instead. D. Alternatively, reconfigure the ISA server to listen to port 443 instead.

46. You are migrating your Proxy servers to ISA Servers. Which of the following Proxy Server 2.0 cache configuration information will be migrated to ISA Server?

A. Cache drive specifications B. Cache size C. Cache content D. Cache storage engine

54 Chapter 1 45. You are the enterprise security administrator for your company's network. You need to maintain a network with both the Proxy servers and the ISA servers running together. When ISA Server is installed, which of the following must be done?

*A. All downstream chain members connecting to the ISA Server computer must connect to port 8080. *B. All downstream web browsers connecting to the ISA Server computer must connect to port 8080. *C. Alternatively, reconfigure the ISA server to listen on port 80 instead. D. Alternatively, reconfigure the ISA server to listen to port 443 instead. Explanation: The Proxy Server 2.0 listened for client HTTP requests on port 80, but when ISA Server is installed, it listens on port 8080 for the Web Proxy service. Therefore, all downstream chain members (or browsers) connecting to the ISA Server computer must connect to port 8080. You can also configure ISA Server to listen on port 80.

46. You are migrating your Proxy servers to ISA Servers. Which of the following Proxy Server 2.0 cache configuration information will be migrated to ISA Server?

*A. Cache drive specifications *B. Cache size C. Cache content D. Cache storage engine Explanation: Proxy Server 2.0 cache configurations are migrated to ISA Servers, including cache drive specifications, size, and all other properties. Proxy Server 2.0 cache content will not be migrated, because ISA Server's cache storage engine is vastly different and more sophisticated.

Installing ISA Server 55 47. You are the enterprise security administrator for your company's network. You need to migrate your Proxy servers to ISA Servers. Which of the following correctly describe ISA's support for SOCKS?

A. A SOCKS application filter is included. B. Client SOCKS applications can communicate with the network using the applicable policy to determine if the client request is allowed. C. Client SOCKS applications cannot communicate with the network.] D. Migration of Proxy Server 2.0 SOCKS rules to ISA Server policy is supported. E. Migration of Proxy Server 2.0 SOCKS rules to ISA Server policy is not supported.

56 Chapter 1 47. You are the enterprise security administrator for your company's network. You need to migrate your Proxy servers to ISA Servers. Which of the following correctly describe ISA's support for SOCKS?

*A. A SOCKS application filter is included. *B. Client SOCKS applications can communicate with the network using the applicable policy to determine if the client request is allowed. C. Client SOCKS applications cannot communicate with the network.] D. Migration of Proxy Server 2.0 SOCKS rules to ISA Server policy is supported. *E. Migration of Proxy Server 2.0 SOCKS rules to ISA Server policy is not supported. Explanation: ISA Server includes a SOCKS application filter, which allows client SOCKS applications to communicate with the network, using the applicable policy to determine if the client request is allowed. Migration of Proxy Server 2.0 SOCKS rules to ISA Server policy is not supported.

Notes:

Managing ISA Server Services 59

Chapter 2: Managing ISA Server Services The objective of this chapter is to provide the reader with an understanding of the following: 1.

Configure and troubleshoot outbound Internet access.

2.

Configure ISA Server hosting roles.

3.

Configure ISA Server for Web publishing.

4.

Configure ISA Server for server proxy.

5.

Configure ISA Server for server publishing.

6.

Configure H.323 Gatekeeper for audio and video conferencing.

7.

Configure gatekeeper rules. Rules include telephone, e-mail, and Internet Protocol (IP).

8.

Configure gatekeeper destinations by using the Add Destination Wizard.

9.

Set up and troubleshoot dial-up connections and Routing and Remote Access dial-on-demand connections.

10. Set up and verify routing rules for static IP routes in Routing and Remote Access. 11. Configure and troubleshoot virtual private network (VPN) access. 12. Configure the ISA Server computer as a VPN endpoint without using the VPN Wizard. 13. Configure the ISA Server computer for VPN pass-through. 14. Configure multiple ISA Server computers for scalability. Configurations include Network Load Balancing (NLB) and Cache Array Routing Protocol (CARP).

60 Chapter 2

Introduction

This chapter introduces the configuration of the various services provided by ISA server in addition to simple outbound access. The services covered are mainly related to publishing servers to the outside world so that external clients can access the internal resources securely. On the server side, you will most likely use ISA Management, which is a MMC snap in, to manage the ISA services on the server side. The default view of this snap in is called the Task Pad View, which includes shortcuts to the most common configuration tasks. For detailed configuration, you may wish to switch to the Advanced View. When you start ISA server for the first time, you may want to use the Getting Started Wizard, which will guide you through many initial configuration steps. Always remember, you must log on as an Administrator or a Server Operator in order to administer the ISA server.

Managing ISA Server Services 61 1. You are the administrator for your company's network. Since network security is your top concern, you want to define access policy for your SMTP traffic. Your ISA server is running in cache mode. Which of the following are the valid steps to take?

A. Deploy the Firewall mode. B. Deploy the Cache mode. C. Implement IP filters on the internal interface. D. Edit the registry.

2. You are configuring an ISA server computer for your company. You want to define application filters. Your ISA server is running in cache mode. Which of the following are the valid steps to take?

A. Deploy the Firewall mode. B. Deploy the Cache mode. C. Configure the appropriate GPO. D. Edit the registry.

62 Chapter 2 1. You are the administrator for your company's network. Since network security is your top concern, you want to define access policy for your SMTP traffic. Your ISA server is running in cache mode. Which of the following are the valid steps to take?

*A. Deploy the Firewall mode. B. Deploy the Cache mode. C. Implement IP filters on the internal interface. D. Edit the registry. Explanation: Cache mode support access policy only for HTTP protocol.

2. You are configuring an ISA server computer for your company. You want to define application filters. Your ISA server is running in cache mode. Which of the following are the valid steps to take?

*A. Deploy the Firewall mode. B. Deploy the Cache mode. C. Configure the appropriate GPO. D. Edit the registry. Explanation: Cache mode does not support application filters. It supports web filters though.

Managing ISA Server Services 63 3. View the Graphic to answer this question: You plan to install ISA Server to protect your network. Which of the following features are supported ONLY by the mode shown in the graphic?

A. Web filters B. Real-time monitoring C. Alerts D. Reports E. All the choices are available in both the firewall mode and the cache mode.

64 Chapter 2 3. View the Graphic to answer this question: You plan to install ISA Server to protect your network. Which of the following features are supported ONLY by the mode shown in the graphic?

A. Web filters B. Real-time monitoring C. Alerts D. Reports *E. All the choices are available in both the firewall mode and the cache mode. Explanation: All of them are available both in the firewall mode and in the cache mode. The graphic represents an ISA Server in firewall service mode.

Managing ISA Server Services 65 4. You are considering the deployment of ISA server to protect your network. You want to use the ISA Server caching feature. Your system has three partitions that are completely empty.

Drive D - 1GB FAT Drive E - 2 GB FAT32 Drive F - 500MB NTFS

By default, which drive will be used to hold cached data?

A. Drive D B. Drive E C. Drive F D. All the drives E. All FAT drives

5. According to the default settings, when creating a new ISA servers array, which of the following is true?

A. The new array will adopt the default enterprise policy settings. B. The new array must contain customized policy settings. C. The new array must be reinitialized. D. The new array must reinstall the schema into Active Directory.

66 Chapter 2 4. You are considering the deployment of ISA server to protect your network. You want to use the ISA Server caching feature. Your system has three partitions that are completely empty.

Drive D - 1GB FAT Drive E - 2 GB FAT32 Drive F - 500MB NTFS

By default, which drive will be used to hold cached data?

A. Drive D B. Drive E *C. Drive F D. All the drives E. All FAT drives Explanation: By default the setup process searches for the largest NTFS partition and sets a default cache size of 100 megabytes (MB) if there are at least 150 MB available.

5. According to the default settings, when creating a new ISA servers array, which of the following is true?

*A. The new array will adopt the default enterprise policy settings. B. The new array must contain customized policy settings. C. The new array must be reinitialized. D. The new array must reinstall the schema into Active Directory. Explanation: Since no protocol rules are defined, no traffic will be allowed to pass.

Managing ISA Server Services 67 6. You plan to install ISA Server to protect your network. You want to use the ISA Server caching feature. Your system has three partitions that are completely empty.

Drive D - 1GB NTFS Drive E - 2 GB FAT32 Drive F - 500MB NTFS

After installation, how much free space will drive D has?

A. 900MB B. 1200MB C. 1000MB D. 500MB E. 600MB

68 Chapter 2 6. You plan to install ISA Server to protect your network. You want to use the ISA Server caching feature. Your system has three partitions that are completely empty.

Drive D - 1GB NTFS Drive E - 2 GB FAT32 Drive F - 500MB NTFS

After installation, how much free space will drive D has?

*A. 900MB B. 1200MB C. 1000MB D. 500MB E. 600MB Explanation: By default the setup process searches for the largest NTFS partition and sets a default cache size of 100 megabytes (MB) if there are at least 150 MB available. Drive D will be chosen. 100MB will be used for caching, so only 900MB will be left.

Managing ISA Server Services 69 7. You are the enterprise security administrator for your company's network. You installed ISA server on a computer. How do you call up the GUI for managing ISA?

A. Run ISAMan.exe B. Run ISA.exe C. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management. D. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Client. E. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Driver.

70 Chapter 2 7. You are the enterprise security administrator for your company's network. You installed ISA server on a computer. How do you call up the GUI for managing ISA?

A. Run ISAMan.exe B. Run ISA.exe *C. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management. D. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Client. E. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Driver. Explanation: To open ISA Management, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

Managing ISA Server Services 71 8. You installed ISA Server on a standalone server. According to the default settings on your standalone server, who can configure the array policy?

A. Members of the Administrators group on the local computer. B. Members of the Domain Administrators group on any domain controller. C. Members of the Enterprise Administrators group on the Active Directory. D. Members of the Server Operators group on any domain.

9. You are the enterprise security administrator for your company's network. There is a new ISA server computer in your network. According to the default settings on your arrays, who can configure the array policy?

A. Members of the Administrators group on the local computer. B. Members of the Domain Administrators group on any domain controller. C. Members of the Enterprise Administrators group on the Active Directory. D. Members of the Server Operators group on any domain.

72 Chapter 2 8. You installed ISA Server on a standalone server. According to the default settings on your standalone server, who can configure the array policy?

*A. Members of the Administrators group on the local computer. B. Members of the Domain Administrators group on any domain controller. C. Members of the Enterprise Administrators group on the Active Directory. D. Members of the Server Operators group on any domain. Explanation: For standalone servers, members of the Administrators group on the local computer can configure array policy. For arrays, members of the Domain Admins and Enterprise Admins group can configure policies.

9. You are the enterprise security administrator for your company's network. There is a new ISA server computer in your network. According to the default settings on your arrays, who can configure the array policy?

A. Members of the Administrators group on the local computer. *B. Members of the Domain Administrators group on any domain controller. *C. Members of the Enterprise Administrators group on the Active Directory. D. Members of the Server Operators group on any domain. Explanation: For standalone servers, members of the Administrators group on the local computer can configure array policy. For arrays, members of the Domain Admins and Enterprise Admins group can configure policies.

Managing ISA Server Services 73 10. View the Graphic to answer this question: You installed ISA Server using the default setting. With the default setting, Packet Filtering will be enabled in which of the modes shown in the graphic?

A. Firewall mode B. Integrated mode C. Cache mode D. Packet filtering is not available with any of those modes.

74 Chapter 2 10. View the Graphic to answer this question: You installed ISA Server using the default setting. With the default setting, Packet Filtering will be enabled in which of the modes shown in the graphic?

*A. Firewall mode *B. Integrated mode C. Cache mode D. Packet filtering is not available with any of those modes. Explanation: Packet filtering is enabled in firewall mode and in integrated mode, and is disabled in cache mode.

Managing ISA Server Services 75 11. Which of the following correctly describe the default settings of the ISA server publishing feature?

A. A default Web publishing rule discards all access requests from the outside. B. A default Web publishing rule puts all access requests from the inside in queue. C. A default Web publishing rule accepts all access requests from the outside. D. A default Web publishing rule accepts all access requests from the inside.

12. According to the default settings of the ISA server publishing feature, which of these internal servers are accessible by external clients?

A. Web server B. DNS server C. Domain controller D. DHCP server E. No internal servers are accessible to external clients

76 Chapter 2 11. Which of the following correctly describe the default settings of the ISA server publishing feature?

*A. A default Web publishing rule discards all access requests from the outside. B. A default Web publishing rule puts all access requests from the inside in queue. C. A default Web publishing rule accepts all access requests from the outside. D. A default Web publishing rule accepts all access requests from the inside. Explanation: No internal servers are accessible to external clients.

12. According to the default settings of the ISA server publishing feature, which of these internal servers are accessible by external clients?

A. Web server B. DNS server C. Domain controller D. DHCP server *E. No internal servers are accessible to external clients Explanation: No internal servers are accessible to external clients.

Managing ISA Server Services 77 13. You are the administrator for your company's network. You installed an ISA Server in your network. According to the default settings, which of the following caching types are enabled?

A. HTTP B. FTP C. Active D. Inactive E. Query

14. Your network has an ISA Server installed. You are configuring the Local Address Table. If you install ISA Server in integrated mode, which of the following must be done?

A. Configure the address ranges to include in the local address table. B. Configure the address ranges to exclude in the local address table. C. Configure the address ranges to filter in the local address table. D. Configure the port ranges to monitor in the local address table. E. Configure the port ranges to monitor in the remote address table.

78 Chapter 2 13. You are the administrator for your company's network. You installed an ISA Server in your network. According to the default settings, which of the following caching types are enabled?

*A. HTTP *B. FTP C. Active D. Inactive E. Query Explanation: disabled.

By default, HTTP and FTP caching are enabled. Active caching is

14. Your network has an ISA Server installed. You are configuring the Local Address Table. If you install ISA Server in integrated mode, which of the following must be done?

*A. Configure the address ranges to include in the local address table. B. Configure the address ranges to exclude in the local address table. C. Configure the address ranges to filter in the local address table. D. Configure the port ranges to monitor in the local address table. E. Configure the port ranges to monitor in the remote address table. Explanation: If you install ISA Server in integrated or firewall mode, then you must configure the address ranges to include in the local address table.

Managing ISA Server Services 79 15. View the Graphic to answer this question: You are setting up an ISA Server computer. You are configuring the Local Address Table. If you install ISA Server in firewall mode, which of the following must be done?

A. Configure the address ranges to include in the local address table. B. Configure the address ranges to exclude in the local address table. C. Configure the address ranges to filter in the local address table. D. Configure the port ranges to monitor in the local address table. E. Configure the port ranges to filter in the local address table.

80 Chapter 2 15. View the Graphic to answer this question: You are setting up an ISA Server computer. You are configuring the Local Address Table. If you install ISA Server in firewall mode, which of the following must be done?

*A. Configure the address ranges to include in the local address table. B. Configure the address ranges to exclude in the local address table. C. Configure the address ranges to filter in the local address table. D. Configure the port ranges to monitor in the local address table. E. Configure the port ranges to filter in the local address table. Explanation: If you install ISA Server in integrated or firewall mode, then you must configure the address ranges to include in the local address table.

Managing ISA Server Services 81 16. Recently, your company bought some new computers and you have installed ISA server on them. You want to set up an ISA server array. What functions can be provided by the array?

A. Fault tolerance B. Load balancing C. Distributed naming D. Aggregated network throughout

17. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following options should you choose if the alert should be reissued immediately when the event recurs?

A. Immediately. B. After manual reset of alert. C. If time since last execution is more than D. Immediate Recurs

82 Chapter 2 16. Recently, your company bought some new computers and you have installed ISA server on them. You want to set up an ISA server array. What functions can be provided by the array?

*A. Fault tolerance *B. Load balancing C. Distributed naming D. Aggregated network throughout Explanation: ISA Server computers can be grouped together in arrays. An array is a group of ISA Server computers used to provide fault tolerance, load balancing, and distributed caching. Arrays allow a group of ISA Server computers to be treated and managed as a single, logical entity.

17. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following options should you choose if the alert should be reissued immediately when the event recurs?

*A. Immediately. B. After manual reset of alert. C. If time since last execution is more than D. Immediate Recurs Explanation: If the alert should be reissued immediately when the event recurs, click Immediately.

Managing ISA Server Services 83 18. You want to set up an ISA server array. Which of the following are the requirements that you must fulfill?

A. Your computer must be a member of a Windows 2000 domain. B. The ISA Server enterprise must be initialized. C. The cache directory must be specified. D. The server NICs must be validated. E. The Active Directory schema must have been locked.

19. You are the enterprise security administrator for your company's network. You're configuring an ISA server computer. Under which of the following conditions will the settings be saved in the registry?

A. When the domain is Windows 2000 based. B. When the domain is NT 4 based. C. When Active Directory is running. D. When you choose to save the settings as files.

84 Chapter 2 18. You want to set up an ISA server array. Which of the following are the requirements that you must fulfill?

*A. Your computer must be a member of a Windows 2000 domain. *B. The ISA Server enterprise must be initialized. C. The cache directory must be specified. D. The server NICs must be validated. E. The Active Directory schema must have been locked. Explanation: In order to install ISA Server as an array member, the computer must be a member of a Windows 2000 domain. Furthermore, you the ISA Server enterprise must be initialized before you can install ISA Server as an array member.

19. You are the enterprise security administrator for your company's network. You're configuring an ISA server computer. Under which of the following conditions will the settings be saved in the registry?

A. When the domain is Windows 2000 based. *B. When the domain is NT 4 based. C. When Active Directory is running. D. When you choose to save the settings as files. Explanation: Standalone server can be installed in Windows NT 4 domains. Configuration information is stored in the registry.

Managing ISA Server Services 85 20. You want to set up ISA array in your NT4 domain. Which of the following steps must be taken?

A. Upgrade the domain to Windows 2000. B. Install Active Directory. C. Configure DFS. D. Configure EFS. E. Enable the DHCP service.

21. View the Graphic to answer this question: You are installing an ISA server on a computer for your company. You need support on enterprise wide policy. Which of the following must be done?

A. Install Active Directory. B. Initialize the enterprise. C. Configure Standalone server. D. Configure ISA Array. E. Configure Active Directory Schema.

86 Chapter 2 20. You want to set up ISA array in your NT4 domain. Which of the following steps must be taken?

*A. Upgrade the domain to Windows 2000. *B. Install Active Directory. C. Configure DFS. D. Configure EFS. E. Enable the DHCP service. Explanation: ONLY standalone server can be installed in Windows NT 4 domains.

21. View the Graphic to answer this question: You are installing an ISA server on a computer for your company. You need support on enterprise wide policy. Which of the following must be done?

*A. Install Active Directory. *B. Initialize the enterprise. C. Configure Standalone server. *D. Configure ISA Array. E. Configure Active Directory Schema. Explanation: ONLY ISA array can deploy enterprise wide policy.

Managing ISA Server Services 87 22. You are the enterprise security administrator for your company's network. You install an ISA Servers to protect your network. You want to perform remote ISA Server administration. Which of the following ISA components will you need?

A. ISA Management B. ISA services C. ISA drivers D. ISA filters E. ISA Remote Control Tool

23. You are installing ISA Servers to protect your network. You are configuring TCP/IP for the ISA server's internal interface. Which of the following is a valid guideline to follow?

A. You should enter a permanently reserved IP address for the ISA Server computer. B. You should enter an appropriate subnet mask for your local network. C. Addressing assigned by DHCP should not be used for the internal network adapter. D. Addressing assigned by DHCP Relay Agent should be used for internal network adapter.

88 Chapter 2 22. You are the enterprise security administrator for your company's network. You install an ISA Servers to protect your network. You want to perform remote ISA Server administration. Which of the following ISA components will you need? *A. ISA Management B. ISA services C. ISA drivers D. ISA filters E. ISA Remote Control Tool Explanation: For remote ISA Server administration, you need only install ISA Management, which can run on Windows 2000 Professional or above.

23. You are installing ISA Servers to protect your network. You are configuring TCP/IP for the ISA server's internal interface. Which of the following is a valid guideline to follow? *A. You should enter a permanently reserved IP address for the ISA Server computer. *B. You should enter an appropriate subnet mask for your local network. *C. Addressing assigned by DHCP should not be used for the internal network adapter. D. Addressing assigned by DHCP Relay Agent should be used for internal network adapter. Explanation: When setting TCP/IP properties for any internal network adapter, you should enter a permanently reserved IP address for the ISA Server computer and an appropriate subnet mask for your local network. Addressing assigned by DHCP should not be used for the internal network adapter, since it might reset the default gateway you selected for the ISA Server computer. The external network adapter can use DHCP or its IP address is statically defined, including the default gateway and DNS settings.

Managing ISA Server Services 89 24. You are installing ISA Servers to protect your network. You are configuring TCP/IP for the ISA server's external interface. Which of the following is true?

A. You must use a static IP. B. You must statically define the route. C. You may use address assigned by DHCP. D. The subnet mask must match that of the internal interface.

25. You want to maintain a network with both the Proxy servers and the ISA servers running together. A computer running Proxy Server 2.0 is downstream of the ISA Server computer. Which of the following is supported?

A. Web proxy chaining B. Winsock proxy chaining C. Firewall chaining D. SecureNAT chaining

90 Chapter 2 24. You are installing ISA Servers to protect your network. You are configuring TCP/IP for the ISA server's external interface. Which of the following is true?

A. You must use a static IP. B. You must statically define the route. *C. You may use address assigned by DHCP. D. The subnet mask must match that of the internal interface. Explanation: When setting TCP/IP properties for any internal network adapter, you should enter a permanently reserved IP address for the ISA Server computer and an appropriate subnet mask for your local network. Addressing assigned by DHCP should not be used for the internal network adapter, since it might reset the default gateway you selected for the ISA Server computer. The external network adapter can use DHCP or its IP address is statically defined, including the default gateway and DNS settings.

25. You want to maintain a network with both the Proxy servers and the ISA servers running together. A computer running Proxy Server 2.0 is downstream of the ISA Server computer. Which of the following is supported?

*A. Web proxy chaining B. Winsock proxy chaining C. Firewall chaining D. SecureNAT chaining Explanation: When a computer running Proxy Server 2.0 is downstream of the ISA Server computer, only Web proxy chaining is supported. Proxy Server 2.0 does not support upstream Winsock Proxy chaining.

Managing ISA Server Services 91 26. You need to maintain a network with both the Proxy servers and the ISA servers running together. A computer running Proxy Server 2.0 is upstream of the ISA Server computer. Which of the following is supported?

A. Web proxy chaining B. Winsock proxy chaining C. Firewall chaining D. SecureNAT chaining

27. As the network administrator for your company's network, you need to maintain a network with both the Proxy servers and the ISA servers running together. When ISA Server is installed, which port will it listen to for the Web Proxy service?

A. Port 80 B. Port 110 C. Port 119 D. Port 8080 E. Port 443

92 Chapter 2 26. You need to maintain a network with both the Proxy servers and the ISA servers running together. A computer running Proxy Server 2.0 is upstream of the ISA Server computer. Which of the following is supported?

*A. Web proxy chaining *B. Winsock proxy chaining *C. Firewall chaining D. SecureNAT chaining Explanation: When an ISA Server computer is the downstream server, both Web Proxy and Firewall chaining are supported. (In Proxy Server 2.0, "Firewall chaining" was called "Winsock Proxy chaining.")

27. As the network administrator for your company's network, you need to maintain a network with both the Proxy servers and the ISA servers running together. When ISA Server is installed, which port will it listen to for the Web Proxy service?

A. Port 80 B. Port 110 C. Port 119 *D. Port 8080 E. Port 443 Explanation: Proxy Server 2.0 listened for client HTTP requests on port 80, but when ISA Server is installed, it listens on port 8080 for the Web Proxy service. Therefore, all downstream chain members (or browsers) connecting to the ISA Server computer must connect to port 8080. You can also configure ISA Server to listen on port 80.

Managing ISA Server Services 93 28. You are using ISA server to protect your network. To enable ISA to publish internal servers, which of the following must be done?

A. Configure the publishing servers as Winsock Proxy clients. B. Configure the publishing servers as Sock Proxy clients. C. Configure the publishing servers as Web Proxy clients. D. Configure the publishing servers as Firewall clients.

29. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following are the valid alert actions?

A. Send an e-mail message. B. Execute a command. C. Log the event. D. Stop or start any ISA Server service. E. Monitor the event via Network Monitor.

94 Chapter 2 28. You are using ISA server to protect your network. To enable ISA to publish internal servers, which of the following must be done?

*A. Configure the publishing servers as Winsock Proxy clients.

*B. Configure the publishing servers as Sock Proxy clients.

*C. Configure the publishing servers as Web Proxy clients.

D. Configure the publishing servers as Firewall clients. Explanation: Proxy Server 2.0 required that you configure publishing servers as Winsock Proxy clients. ISA Server allows you to publish internal servers, without requiring any special configuration or software installation on the publishing server. Instead, the ISA Server computer treats the publishing servers as SecureNAT clients. Web publishing rules and server publishing rules that are configured on the ISA Server computer make the servers securely accessible to specific external clients. No additional configuration is required on the publishing server.

29. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following are the valid alert actions?

*A. Send an e-mail message.

*B. Execute a command.

*C. Log the event.

*D. Stop or start any ISA Server service.

E. Monitor the event via Network Monitor. Explanation: You can set one or more of the following actions to be performed when an alert condition is met.

Managing ISA Server Services 95 30. View the Graphic to answer this question: You are the network administrator of your company. You are monitoring the status of your ISA solution using the tool shown in the graphic. You want to stop or start any ISA Server service via alerts. Which of the following services can be manipulated with this method?

A. Firewall service B. Web Proxy service C. Scheduled Content Download service D. Server service E. Workstation service

96 Chapter 2 30. View the Graphic to answer this question: You are the network administrator of your company. You are monitoring the status of your ISA solution using the tool shown in the graphic. You want to stop or start any ISA Server service via alerts. Which of the following services can be manipulated with this method?

*A. Firewall service *B. Web Proxy service *C. Scheduled Content Download service D. Server service E. Workstation service Explanation: You can set one or more of the following actions to be performed when an alert condition is met.

Managing ISA Server Services 97 31. You are monitoring the status of your ISA solution. Which of the following options should you choose if the alert should be reissued only after the alert is reset?


32. You are monitoring the status of your ISA solution. Which of the following options should you choose if the alert should be reissued after a specified amount of time?


98 Chapter 2 31. You are monitoring the status of your ISA solution. Which of the following options should you choose if the alert should be reissued only after the alert is reset?

A. Immediately. *B. After manual reset of alert. C. If time since last execution is more than D. Immediate Recurs Explanation: If the alert should be reissued only after the alert is reset, click on After Manual Reset of Alert.

32. You are monitoring the status of your ISA solution. Which of the following options should you choose if the alert should be reissued after a specified amount of time?

A. Immediately. B. After manual reset of alert. *C. If time since last execution is more than D. Immediate Recurs Explanation: If the alert should be reissued after a specified amount of time, click "If Time Since Last Execution is more than", and then type the number of minutes that should elapse before the action should be performed.

Managing ISA Server Services 99 33. You are the network administrator of your company. You need to monitor the status of your ISA solution. You are configuring alerts and events. What does a dropped packets event indicate?

A. If packet filtering is enabled, an allow filter does not specifically allow the packet or a block filter specifically denies the packet. B. An attempt was made to count the services running on a computer by probing each port for a response. C. Could not establish dial-up connection, either because the phone book could not be accessed or during run time. D. Cannot access configuration information. E. The ISA server services will be terminated.

34. You are monitoring the status of your ISA solution. You are configuring alerts and events. What does a configuration error event indicate?

A. If packet filtering is enabled, an allow filter does not specifically allow the packet or a block filter specifically denies the packet. B. An attempt was made to count the services running on a computer by probing each port for a response. C. Could not establish dial-up connection, either because the phone book could not be accessed or during run time. D. Cannot access configuration information. E. The ISA server services will be terminated.

100 Chapter 2 33. You are the network administrator of your company. You need to monitor the status of your ISA solution. You are configuring alerts and events. What does a dropped packets event indicate?

*A. If packet filtering is enabled, an allow filter does not specifically allow the packet or a block filter specifically denies the packet. B. An attempt was made to count the services running on a computer by probing each port for a response. C. Could not establish dial-up connection, either because the phone book could not be accessed or during run time. D. Cannot access configuration information. E. The ISA server services will be terminated. Explanation: When you create an alert, you specify one of the events that triggers the alert.

34. You are monitoring the status of your ISA solution. You are configuring alerts and events. What does a configuration error event indicate?

A. If packet filtering is enabled, an allow filter does not specifically allow the packet or a block filter specifically denies the packet. B. An attempt was made to count the services running on a computer by probing each port for a response. C. Could not establish dial-up connection, either because the phone book could not be accessed or during run time. *D. Cannot access configuration information. E. The ISA server services will be terminated. Explanation: When you create an alert, you specify one of the events that triggers the alert.

Managing ISA Server Services 101 35. You are configuring alerts and events. What does an IP half scan attack event indicate?

A. If packet filtering is enabled, an allow filter does not specifically allow the packet or a block filter specifically denies the packet. B. An attempt was made to count the services running on a computer by probing each port for a response. C. Could not establish dial-up connection, either because the phone book could not be accessed or during run time. D. Cannot access configuration information. E. No corresponding ACK packets were communicated.

36. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following are the valid trigger alerts when intrusion detection is enabled?

A. All ports scan attack B. Enumerated port scan attack C. Ping of death attack D. UDP bomb attack E. Windows out of band attack

102 Chapter 2 35. You are configuring alerts and events. What does an IP half scan attack event indicate?

A. If packet filtering is enabled, an allow filter does not specifically allow the packet or a block filter specifically denies the packet. B. An attempt was made to count the services running on a computer by probing each port for a response. C. Could not establish dial-up connection, either because the phone book could not be accessed or during run time. D. Cannot access configuration information. *E. No corresponding ACK packets were communicated. Explanation: An IP half scan attack event means repeated attempts to a destination computer were made and no corresponding ACK packets were communicated.

36. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following are the valid trigger alerts when intrusion detection is enabled?

*A. All ports scan attack *B. Enumerated port scan attack *C. Ping of death attack *D. UDP bomb attack *E. Windows out of band attack Explanation: If intrusion detection is enabled, you can configure a series of intrusions trigger alerts.

Managing ISA Server Services 103 37. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following are the valid intrusion detection application filters?

A. DNS intrusion detection filter B. POP intrusion detection filter C. SMTP intrusion detection filter D. DHCP intrusion detection filter E. WINS intrusion detection filter

38. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following DNS related intrusion attempts can be detected by ISA?

A. DNS hostname overflow B. DNS length overflow C. DNS zone transfer from privileged ports (1-1024) D. DNS zone transfer from high ports (above 1024) E. DNS host files transfer.

104 Chapter 2 37. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following are the valid intrusion detection application filters?

*A. DNS intrusion detection filter *B. POP intrusion detection filter C. SMTP intrusion detection filter D. DHCP intrusion detection filter E. WINS intrusion detection filter Explanation: Microsoft Internet Security and Acceleration (ISA) Server includes application filters which analyze all incoming traffic for specific intrusions.

38. You are the network administrator of your company. You need to monitor the status of your ISA solution. Which of the following DNS related intrusion attempts can be detected by ISA?

*A. DNS hostname overflow *B. DNS length overflow *C. DNS zone transfer from privileged ports (1-1024) *D. DNS zone transfer from high ports (above 1024) E. DNS host files transfer. Explanation: The DNS intrusion detection filter intercepts and analyzes DNS traffic destined for the internal network. You can configure the filter to check for the following intrusion attempts: DNS hostname overflow, DNS length overflow, DNS zone transfer from privileged ports (1-1024) and DNS zone transfer from high ports (above 1024).

Managing ISA Server Services 105 39. You are the network administrator of your company. You need to enable intrusion detection on ISA. Which of the following are the valid steps to take?

A. In the console tree of ISA Management, right-click IP Packet Filters and then click Properties. On the General tab, select Enable packet filtering. Select the Enable intrusion detection check box. B. In the console tree of ISA Management, right-click IP Packet Filters and then click Logging. On the Advanced tab, select Enable packet filtering. Select the Enable intrusion detection check box. C. In the console tree of ISA Management, right-click IP Packet Filters and then click ID Properties. On the General tab, select the Set intrusion detection check box. D. In the console tree of ISA Management, right-click IP Packet Filters and then click Properties, On the General tab, select Enable filtering. Select the Enable intrusion detection check box.

40. You are the network administrator of your company. You enable intrusion detection on ISA. You select the port scan option. Which of the following should you do to complete the configuration?

A. In Detect after attacks on, type the maximum number of well-known ports that can be scanned before generating an event. B. In Detect after attacks on, type the total number of ports that can be scanned before generating an alert. C. On the Advanced tab, click Enable packet filtering. D. On the Filtering tab, click Enable intrusion detection. E. On the Port tab, click Enable intrusion detection.

106 Chapter 2 39. You are the network administrator of your company. You need to enable intrusion detection on ISA. Which of the following are the valid steps to take? *A. In the console tree of ISA Management, right-click IP Packet Filters and then click Properties. On the General tab, select Enable packet filtering. Select the Enable intrusion detection check box. B. In the console tree of ISA Management, right-click IP Packet Filters and then click Logging. On the Advanced tab, select Enable packet filtering. Select the Enable intrusion detection check box. C. In the console tree of ISA Management, right-click IP Packet Filters and then click ID Properties. On the General tab, select the Set intrusion detection check box. D. In the console tree of ISA Management, right-click IP Packet Filters and then click Properties, On the General tab, select Enable filtering. Select the Enable intrusion detection check box. Explanation: To open ISA Management, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

40. You are the network administrator of your company. You enable intrusion detection on ISA. You select the port scan option. Which of the following should you do to complete the configuration? *A. In Detect after attacks on, type the maximum number of well-known ports that can be scanned before generating an event. *B. In Detect after attacks on, type the total number of ports that can be scanned before generating an alert. C. On the Advanced tab, click Enable packet filtering. D. On the Filtering tab, click Enable intrusion detection. E. On the Port tab, click Enable intrusion detection. Explanation: If you select Port scan, then do the following: In Detect after attacks on, type the maximum number of well-known ports that can be scanned before generating an event. In Detect after attacks on, type the total number of ports that can be scanned before generating an alert.

Managing ISA Server Services 107 41. You are the network administrator of your company. You are asked to implement Network Load Balancing (NLB) for your network. What are the advantages of NLB?

A. Fault-Tolerance B. Active Directory C. Performance D. Reliability E. Cluster Service

42. You are deploying Network Load Balancing (NLB) for your network. What are the requirements for installing NLB?

A. Windows 2000 Advanced Server must be installed. B. Active Directory must be implemented. C. All computers must use TCP/IP networking protocol. D. All computers must be installed in the same mode.

108 Chapter 2 41. You are the network administrator of your company. You are asked to implement Network Load Balancing (NLB) for your network. What are the advantages of NLB?

*A. Fault-Tolerance B. Active Directory *C. Performance *D. Reliability *E. Cluster Service Explanation: When you deploy ISA Server, fault tolerance can be achieved when you combine two or more ISA Server computers into a single cluster, NLB can provide the reliability and performance that mission-critical servers need.

42. You are deploying Network Load Balancing (NLB) for your network. What are the requirements for installing NLB?

*A. Windows 2000 Advanced Server must be installed. B. Active Directory must be implemented. *C. All computers must use TCP/IP networking protocol. *D. All computers must be installed in the same mode. Explanation: To deploy NLB with ISA Server, all ISA Servers that join the cluster must be running Windows 2000 Advanced Server. They must use TCP/IP as the networking protocol. In addition, they must all be installed in the same mode.

Managing ISA Server Services 109 43. How do you physically implement Network Load Balancing (NLB)?

A. On the external network adapter on each ISA Server computer, configure the Network Load Balancing properties by setting the Primary IP address to the IP address of the NLB cluster. B. On the internal network adapter on each ISA Server computer, configure the Network Load Balancing properties by setting the Primary IP address to the IP address of the NLB cluster. C. Assign a priority to each machine in the cluster. The priority settings must be unique within the cluster. D. Assign a priority to one of the machines in the cluster. The priority settings must be unique within the cluster. E. Every single network adapter's TCP/IP stack must be configured with both the dedicated and the cluster address, with the dedicated address being ordered first.

110 Chapter 2 43. How do you physically implement Network Load Balancing (NLB)?

A. On the external network adapter on each ISA Server computer, configure the Network Load Balancing properties by setting the Primary IP address to the IP address of the NLB cluster. *B. On the internal network adapter on each ISA Server computer, configure the Network Load Balancing properties by setting the Primary IP address to the IP address of the NLB cluster. *C. Assign a priority to each machine in the cluster. The priority settings must be unique within the cluster. D. Assign a priority to one of the machines in the cluster. The priority settings

must be unique within the cluster.

*E. Every single network adapter's TCP/IP stack must be configured with both the dedicated and the cluster address, with the dedicated address being ordered first. Explanation: On the internal network adapter on each ISA Server computer, configure the Network Load Balancing properties by setting the Primary IP address to the IP address of the Network Load Balancing cluster. All hosts in the cluster must point to this cluster IP address. You will then want to assign a priority to each machine in the cluster. The priority settings must be unique within the cluster.

The Dedicated IP address must be the unique IP address of the ISA Server computer's internal network adapter, as this IP address is for individually addressing each host in the cluster. Usually this is the original IP address assigned to the host before you selected an IP address for the NLB configuration.

Every single network adapter's TCP/IP stack must be configured with both the dedicated and the cluster address, with the dedicated address being ordered first.

Managing ISA Server Services 111 44. You are the network administrator of your company. Your ISA server has two network adapters; you want to assign priority to them so that the bandwidth can be balanced. How should you assign the priorities to both of the network adapters?

A. The one with the dedicated address must have a higher metric value, so that it can have a lower priority than the one with the cluster address. B. The one with the dedicated address must not have a metric value, so that it will not have a higher priority than the one with the cluster address. C. The one with the dedicated address must have a lower metric value, so that it can have a higher priority than the one with the cluster address. D. The one with the dedicated address must have a lower metric value, so that it can have a lower priority than the one with the cluster address. E. Every single network adapter's TCP/IP stack must be configured with both the dedicated and the cluster address, with the dedicated address being ordered first. If your server has more than one network adapters, the one with the dedicated address must have a lower metric value, so that it can have a higher priority than the one with the cluster address.

112 Chapter 2 44. You are the network administrator of your company. Your ISA server has two network adapters; you want to assign priority to them so that the bandwidth can be balanced. How should you assign the priorities to both of the network adapters?

A. The one with the dedicated address must have a higher metric value, so that it can have a lower priority than the one with the cluster address. B. The one with the dedicated address must not have a metric value, so that it will not have a higher priority than the one with the cluster address. *C. The one with the dedicated address must have a lower metric value, so that it can have a higher priority than the one with the cluster address. D. The one with the dedicated address must have a lower metric value, so that it can have a lower priority than the one with the cluster address. E. Every single network adapter's TCP/IP stack must be configured with both the dedicated and the cluster address, with the dedicated address being ordered first. If your server has more than one network adapters, the one with the dedicated address must have a lower metric value, so that it can have a higher priority than the one with the cluster address.

Managing ISA Server Services 113 45. You are the network administrator of your company. You are asked to implement Cache Array Routing Protocol (CARP) for your network. What are the advantages of CARP?

A. Provide Scaling there are multiple ISA server computers configured to be arrayed as a single physical cache. B. Provide Scaling there are multiple ISA server computers configured to be arrayed as a single logical cache. C. Provide efficiency there are multiple ISA server computers configured to be arrayed as a single logical cache. D. Provide efficiency there are multiple ISA server computers configured to be arrayed as a single physical cache. E. There is no query messaging between the ISA Servers.

46. You are the network administrator of your company. You implemented CARP for your network. However, it doesn't take any effect when your ISA server is responding to incoming web requests. You ensure that CARP is enabled for outgoing web requests in all the ISA servers in the array. What should you do?

A. Disable CARP for outgoing web requests in all the ISA servers in the array. B. Suspend CARP for outgoing web requests in all the ISA servers in the array. C. Manually enable CARP for incoming web requests. D. Restart CARP service. E. Reinstall CARP service.

114 Chapter 2 45. You are the network administrator of your company. You are asked to implement Cache Array Routing Protocol (CARP) for your network. What are the advantages of CARP? A. Provide Scaling there are multiple ISA server computers configured to be arrayed as a single physical cache. *B. Provide Scaling there are multiple ISA server computers configured to be arrayed as a single logical cache. *C. Provide efficiency there are multiple ISA server computers configured to be arrayed as a single logical cache. D. Provide efficiency there are multiple ISA server computers configured to be arrayed as a single physical cache. *E. There is no query messaging between the ISA Servers. Explanation: CARP stands for Cache Array Routing Protocol. CARP is a technology that uses hash-based routing to determine the best path through an array to resolve a request. This means you deploy CARP to provide scaling and efficiency when there are multiple ISA Server computers configured to be arrayed as a single logical cache. The key advantage of CARP compares to the other technologies is the fact that there is no query messaging between the ISA servers, thus avoiding the heavy query congestion caused by the increasing number of servers. It also prevents the duplication of contents in the array.

46. You are the network administrator of your company. You implemented CARP for your network. However, it doesn't take any effect when your ISA server is responding to incoming web requests. You ensure that CARP is enabled for outgoing web requests in all the ISA servers in the array. What should you do? A. Disable CARP for outgoing web requests in all the ISA servers in the array. B. Suspend CARP for outgoing web requests in all the ISA servers in the array. *C. Manually enable CARP for incoming web requests. D. Restart CARP service. E. Reinstall CARP service. Explanation: By default, CARP is enabled only for outgoing Web requests in all the ISA servers in an array. CARP for incoming Web requests must be enabled manually. In case you want to manually enable CARP, go into the console tree of ISA Management, right-click on the array and then click Properties - Incoming Web requests (or Outgoing Web requests).

Managing ISA Server Services 115 47. View the Graphic to answer this question: You are using an utility to verify whether the computer is configured to permit connections on some particular ports. You type a command as shown on the graphic. After typing this command, nothing happens. What is the reason?

A. The IP address is not true. B. The port is blocked. C. The computer is configured to permit connections on that port. D. The computer is hung.

116 Chapter 2 47. View the Graphic to answer this question: You are using an utility to verify whether the computer is configured to permit connections on some particular ports. You type a command as shown on the graphic. After typing this command, nothing happens. What is the reason?

A. The IP address is not true. B. The port is blocked. *C. The computer is configured to permit connections on that port. D. The computer is hung. Explanation: You may use the Telnet tool to verify that the computer is configured to permit connections on the particular ports. To do so, type the following command: telnet <port>. If there is no error message, the computer is configured to permit connections on that port. If you receive an error message, the computer may not be configured to permit connections on that port.

Notes:

Managing Policies and Rules 119

Chapter 3: Managing Policies and Rules The objective of this chapter is to provide the reader with an understanding of the following: 1.

Configure and secure the firewall in accordance with corporate standards.

2.

Configure the packet filter rules for different levels of security, including system hardening.

3.

Create and configure access control and bandwidth policies.

4.

Create and configure site and content rules to restrict Internet access.

5.

Create and configure protocol rules to manage Internet access.

6.

Create and configure routing rules to restrict Internet access.

7.

Create and configure bandwidth rules to control bandwidth usage.

8.

Troubleshoot access problems.

9.

Troubleshoot user-based access problems.

10. Troubleshoot packet-based access problems.

120 Chapter 3

Introduction You can use the ISA Server Security Configuration Wizard to apply system security settings to the ISA Server. In fact, ISA Server uses Windows 2000 security templates to configure the operating system for security. The security levels available in the ISA Server Security Configuration Wizard include Secure, Limited Services and Dedicated.

Managing Policies and Rules 121 1. View the Graphic to answer this question: You are planning to install An ISA Server to protect your network. You want to use the ISA Server caching feature. You define an NTFS partition and format it. However, the ISA Server caching feature does not recognize the drive. What might have gone wrong?

A. You did not apply SP1. B. You did not install the correct version of ISA C. You did not set the SCSI ID correctly. D. Your drive is configured as the slave drive. E. You did not assign a drive letter to the drive.

122 Chapter 3 1. View the Graphic to answer this question: You are planning to install An ISA Server to protect your network. You want to use the ISA Server caching feature. You define an NTFS partition and format it. However, the ISA Server caching feature does not recognize the drive. What might have gone wrong?

A. You did not apply SP1. B. You did not install the correct version of ISA C. You did not set the SCSI ID correctly. D. Your drive is configured as the slave drive. *E. You did not assign a drive letter to the drive. Explanation: Windows 2000 allows you to format a drive without assigning a letter. However, ISA Server caching does not recognize these drives.

Managing Policies and Rules 123 2. You are the enterprise security administrator for your company's network. You want to perform remote ISA Server administration. However, you do not have a spare machine for installing ISA management. Which of the following can you do?

A. Use Terminal Services in Remote Administration mode on the computer running ISA Server. B. Use Terminal Services in Application Service mode on the computer running ISA Server. C. Use Terminal Services in Remote Administration mode on a separate computer. D. Use Terminal Services in Application Service mode on a separate computer.

3. You are configuring TCP/IP for the ISA server's internal interface. You found that the default gateway you selected for the ISA Server computer is reset. Which of the following may have caused this problem?

A. You used DHCP for this interface. B. You used static IP for this interface. C. There has been a sudden power outrage. D. The data files are corrupted. E. The DNS server has been configured.

124 Chapter 3 2. You are the enterprise security administrator for your company's network. You want to perform remote ISA Server administration. However, you do not have a spare machine for installing ISA management. Which of the following can you do? *A. Use Terminal Services in Remote Administration mode on the computer running ISA Server. B. Use Terminal Services in Application Service mode on the computer running ISA Server. C. Use Terminal Services in Remote Administration mode on a separate computer. D. Use Terminal Services in Application Service mode on a separate computer. Explanation: You do not have to install the ISA Management tool on another computer at all for remote administration. Instead, you can use a Terminal Services session to administer ISA Server.

3. You are configuring TCP/IP for the ISA server's internal interface. You found that the default gateway you selected for the ISA Server computer is reset. Which of the following may have caused this problem? *A. You used DHCP for this interface. B. You used static IP for this interface. C. There has been a sudden power outrage. D. The data files are corrupted. E. The DNS server has been configured. Explanation: When setting TCP/IP properties for any internal network adapter, you should enter a permanently reserved IP address for the ISA Server computer and an appropriate subnet mask for your local network. Addressing assigned by DHCP should not be used for the internal network adapter, since it might reset the default gateway you selected for the ISA Server computer. The external network adapter can use DHCP or its IP address is statically defined, including the default gateway and DNS settings.

Managing Policies and Rules 125 4. You are setting up an ISA server computer. Which of the following can be done with the Getting Started Wizard?

A. Creating policy elements, which you will use when you create rules. B. Creating protocol rules and site and content rules C. Setting system security level and configure packet filtering. D. Configuring routing and chaining to determine how client requests are routed to the destination server. E. Creating cache policy to determine which objects are cached.

5. ISA Server supports which of the following authentication methods?

A. Basic B. Digest C. Integrated Windows D. Client certificate E. Advanced

126 Chapter 3 4. You are setting up an ISA server computer. Which of the following can be done with the Getting Started Wizard?

*A. Creating policy elements, which you will use when you create rules. *B. Creating protocol rules and site and content rules *C. Setting system security level and configure packet filtering. *D. Configuring routing and chaining to determine how client requests are routed to the destination server. *E. Creating cache policy to determine which objects are cached. Explanation: All of the above can be done by the wizard.

5. ISA Server supports which of the following authentication methods?

*A. Basic *B. Digest *C. Integrated Windows *D. Client certificate E. Advanced Explanation: ISA Server supports the following authentication methods: basic, digest, integrated Windows, and client certificate. By default, when you install ISA Server, the integrated Windows authentication method is configured for Web requests.

Managing Policies and Rules 127 6. View the Graphic to answer this question: You are implementing ISA server. How do you create an action for the type of rule shown in the graphic?

A. In the console tree of ISA Management, click Web Publishing Configuration. In the details pane, right-click the applicable Web publishing rule and then click Advanced Properties and go to the Action tab. B. In the console tree of ISA Management, click Publishing Rules. In the Web pane, right-click the applicable Web publishing rule and then click Properties and go to the Policy tab. C. In the console tree of ISA Management, click Web Publishing Rules. In the details pane, right-click the applicable Web publishing rule and then click Properties and go to the Action tab. D. In the console tree of ISA Management, click Web Publishing Rules. In the details pane, right-click the applicable Web publishing rule and then click Properties and go to the setting tab.

128 Chapter 3 6. View the Graphic to answer this question: You are implementing ISA server. How do you create an action for the type of rule shown in the graphic?

A. In the console tree of ISA Management, click Web Publishing Configuration. In the details pane, right-click the applicable Web publishing rule and then click Advanced Properties and go to the Action tab. B. In the console tree of ISA Management, click Publishing Rules. In the Web pane, right-click the applicable Web publishing rule and then click Properties and go to the Policy tab. *C. In the console tree of ISA Management, click Web Publishing Rules. In the details pane, right-click the applicable Web publishing rule and then click Properties and go to the Action tab. D. In the console tree of ISA Management, click Web Publishing Rules. In the details pane, right-click the applicable Web publishing rule and then click Properties and go to the setting tab. Explanation: To open ISA Management, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

Managing Policies and Rules 129 7. Which of the following is the default authentication method used by ISA?


8. Which of the following is the authentication method you should use in a network with a majority of browsers being Netscape Navigator?


130 Chapter 3 7. Which of the following is the default authentication method used by ISA?

A. Basic B. Digest *C. Integrated Windows D. Client certificate E. Advanced Explanation: ISA Server supports the following authentication methods: basic, digest, integrated Windows, and client certificate. By default, when you install ISA Server, the integrated Windows authentication method is configured for Web requests.

8. Which of the following is the authentication method you should use in a network with a majority of browsers being Netscape Navigator?

*A. Basic B. Digest C. Integrated Windows D. Client certificate E. Advanced Explanation: Internet Explorer 5 supports integrated Windows authentication, however, other Web browsers may support only the basic authentication method. In this case, no requests will be allowed, since the user cannot be authenticated. ISA Server rejects Web requests that were previously allowed by Proxy Server. You can configure basic authentication for all Web requests.

Managing Policies and Rules 131 9. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server access policy. Somehow, your clients cannot browse the external Web sites. Which of the following is the likely cause?

A. You did not create rules that will allow communication. B. The IP filter is effective. C. IP forwarding has not been enabled. D. The external interface has not been initialized. E. The internal interface has not been initialized.

10. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server access policy. Somehow, your clients cannot browse the external Web sites. You confirm that you have created rules that will allow communication. You also confirm that the users have the permissions to browse the Internet. Which of the following is the likely cause?

A. The IP filter is effective. B. The IP filter is ineffective. C. IP forwarding has not been enabled. D. The external interface has not been initialized. E. Client browser's proxy port has not been configured properly.

132 Chapter 3 9. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server access policy. Somehow, your clients cannot browse the external Web sites. Which of the following is the likely cause?

*A. You did not create rules that will allow communication. B. The IP filter is effective. C. IP forwarding has not been enabled. D. The external interface has not been initialized. E. The internal interface has not been initialized. Explanation: Initially ISA Server is configured so that no communication is allowed to or from the Internet. You can create rules that will allow communication, according to your corporate security policy.

10. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server access policy. Somehow, your clients cannot browse the external Web sites. You confirm that you have created rules that will allow communication. You also confirm that the users have the permissions to browse the Internet. Which of the following is the likely cause?

A. The IP filter is effective. B. The IP filter is ineffective. C. IP forwarding has not been enabled. D. The external interface has not been initialized. *E. Client browser's proxy port has not been configured properly. Explanation: You should check the browser settings of the client to ensure that the proxy port is specified correctly. The default port for ISA Server is 8080.

Managing Policies and Rules 133 11. You are managing and troubleshooting the ISA server access policy. Somehow, none of your clients can browse any external Web site. You need to allow the user John to access the web site www.tom.com. Which of the following should you do?

A. Create protocol rules to allow John to use the protocols. B. Create site and content rules to allow John access to particular sites. C. Define the appropriate protocol rules. D. Define the appropriate site and content rules.

12. You are the ISA server administrator. Your clients receive a 502 error every time they try to browse the Web. Which of the following is likely the cause?

A. You did not create rules that will allow communication. B. The IP filter is effective. C. IP forwarding has not been enabled. D. The external interface has not been initialized. E. The authentication method is not supported.

134 Chapter 3 11. You are managing and troubleshooting the ISA server access policy. Somehow, none of your clients can browse any external Web site. You need to allow the user John to access the web site www.tom.com. Which of the following should you do?

*A. Create protocol rules to allow John to use the protocols.

*B. Create site and content rules to allow John access to particular sites.

*C. Define the appropriate protocol rules.

D. Define the appropriate site and content rules. Explanation: You may create protocol rules to allow specific users to use the protocols. Then create site and content rules that allow users access to particular sites, using the protocols specified by the protocol rules.

12. You are the ISA server administrator. Your clients receive a 502 error every time they try to browse the Web. Which of the following is likely the cause?

*A. You did not create rules that will allow communication. B. The IP filter is effective. C. IP forwarding has not been enabled. D. The external interface has not been initialized. E. The authentication method is not supported. Explanation: Initially ISA Server is configured so that no communication is allowed to or from the Internet. You can create rules that will allow communication, according to your corporate security policy.

Managing Policies and Rules 135 13. You are the ISA server administrator. Your clients receive a 502 error every time they try to browse the Web. You confirm that the appropriate rules have been defined. Authentication is required in some of the access rules. Which of the following is likely the cause?

A. The IP filter is effective. B. IP forwarding has not been enabled. C. The external interface has not been initialized. D. No authentication methods were configured for the listener E. The authentication method is not supported.

14. Recently, you found a big problem related to the ISA Server. After disabling a protocol rule, your clients can still use the specified protocol. Which of the following is the likely problem?

A. This is normal. B. You did not SAVE the changes. C. You did not COMMIT the changes. D. You did not APPLY the changes.

136 Chapter 3 13. You are the ISA server administrator. Your clients receive a 502 error every time they try to browse the Web. You confirm that the appropriate rules have been defined. Authentication is required in some of the access rules. Which of the following is likely the cause?

A. The IP filter is effective. B. IP forwarding has not been enabled. C. The external interface has not been initialized. *D. No authentication methods were configured for the listener E. The authentication method is not supported. Explanation: It is likely the problem that some access policy rule requires authentication, but no authentication methods were configured for the listener.

14. Recently, you found a big problem related to the ISA Server. After disabling a protocol rule, your clients can still use the specified protocol. Which of the following is the likely problem?

*A. This is normal. B. You did not SAVE the changes. C. You did not COMMIT the changes. D. You did not APPLY the changes. Explanation: Existing client sessions are not terminated when you disable a protocol rule, although new sessions will not be opened.

Managing Policies and Rules 137 15. Recently, you found a big problem related to the ISA Server. After disabling a protocol rule, your clients can still use the specified protocol. How do you make your changes immediately effective with the least effort?

A. Shut down and reboot the server. B. Restart the ISA service. C. Disconnect the client sessions. D. APPLY the changes. E. COMMIT the changes.

16. In your company's network, for some reasons your clients cannot use a specific protocol definition, although a protocol rule has been configured to allow access. Which of the following is the likely cause?

A. You have enabled an application filter. B. You have disabled an application filter. C. You have disabled a listener. D. You have disabled the associated port. E. You have enabled the associated port.

138 Chapter 3 15. Recently, you found a big problem related to the ISA Server. After disabling a protocol rule, your clients can still use the specified protocol. How do you make your changes immediately effective with the least effort?

A. Shut down and reboot the server. B. Restart the ISA service. *C. Disconnect the client sessions. D. APPLY the changes. E. COMMIT the changes. Explanation: Existing client sessions are not terminated when you disable a protocol rule, although new sessions will not be opened.

16. In your company's network, for some reasons your clients cannot use a specific protocol definition, although a protocol rule has been configured to allow access. Which of the following is the likely cause?

A. You have enabled an application filter. *B. You have disabled an application filter. C. You have disabled a listener. D. You have disabled the associated port. E. You have enabled the associated port. Explanation: If you disable an application filter, all traffic that uses the protocol definition is blocked, even if protocol rules seem to allow the traffic.

Managing Policies and Rules 139 17. In your company's network, for some reasons your clients cannot use a specific protocol definition, although a protocol rule has been configured to allow access. How do you fix the problem?

A. Enable the application filter. B. Create a protocol rule that allows access to the specific clients. C. Restart the server. D. Disconnect the client sessions. E. Restart the ISA service.

18. You are the ISA server administrator of your company. Your ISA Server always fails to authenticate a Netscape user. How do you fix the problem without compromising security?

A. Change the authentication method. B. Disable the authentication method. C. Disconnect the client sessions. D. Restart the ISA service. E. Reboot the computer.

140 Chapter 3 17. In your company's network, for some reasons your clients cannot use a specific protocol definition, although a protocol rule has been configured to allow access. How do you fix the problem?

*A. Enable the application filter.

*B. Create a protocol rule that allows access to the specific clients.

C. Restart the server. D. Disconnect the client sessions. E. Restart the ISA service. Explanation: If you disable an application filter, all traffic that uses the protocol definition is blocked, even if protocol rules seem to allow the traffic.

18. You are the ISA server administrator of your company. Your ISA Server always fails to authenticate a Netscape user. How do you fix the problem without compromising security?

*A. Change the authentication method. B. Disable the authentication method. C. Disconnect the client sessions. D. Restart the ISA service. E. Reboot the computer. Explanation: Netscape browsers cannot pass user credentials in NTLM format. You can configure ISA Server to require other authentication methods, including Basic or Digest.

Managing Policies and Rules 141 19. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server policy. Which of the following are the valid policy elements in ISA?

A. Bandwidth priorities B. Client address sets C. Content groups D. Destination sets E. Dial-up entries Protocol definitions

20. You are the ISA server operator. When creating rules, how do you specify when the rules are in effect?

A. By using Client address sets B. By using Content groups C. By using Destination sets D. By using Dial-up entries E. By using Schedules

142 Chapter 3 19. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server policy. Which of the following are the valid policy elements in ISA?

*A. Bandwidth priorities *B. Client address sets *C. Content groups *D. Destination sets *E. Dial-up entries Protocol definitions Explanation: Policy elements include Bandwidth priorities, Client address sets, Content groups, Destination sets, Dial-up entries, Protocol definitions, and Schedule.

20. You are the ISA server operator. When creating rules, how do you specify when the rules are in effect?

A. By using Client address sets B. By using Content groups C. By using Destination sets D. By using Dial-up entries *E. By using Schedules Explanation: Microsoft Internet Security and Acceleration (ISA) Server comes preconfigured with the following schedules: Weekends, which permits access all day on Saturday and Sunday / Work Hours, which permits access between 9 AM and 5 PM on Mondays through Fridays.

Managing Policies and Rules 143 21. You are the ISA server operator. Which of the following rules can have schedule applied

A. Site and content rules. B. Protocol rules. C. Bandwidth rules. D. Access Control rules E. Web rules

22. What is being used to define the priority level applied to connections that pass through ISA?

A. Client address sets B. Content groups C. Destination sets D. Dial-up entries E. Bandwidth priorities

144 Chapter 3 21. You are the ISA server operator. Which of the following rules can have schedule applied

*A. Site and content rules.

*B. Protocol rules.

*C. Bandwidth rules.

D. Access Control rules E. Web rules Explanation: Microsoft Internet Security and Acceleration (ISA) Server comes preconfigured with the following schedules: Weekends, which permits access all day on Saturday and Sunday / Work Hours, which permits access between 9 AM and 5 PM on Mondays through Fridays.

22. What is being used to define the priority level applied to connections that pass through ISA?

A. Client address sets B. Content groups C. Destination sets D. Dial-up entries *E. Bandwidth priorities Explanation: Bandwidth priorities define the priority level applied to connections that pass through Microsoft Internet Security and Acceleration Server. A network connection that is assigned a bandwidth priority will have a greater chance to pass through ISA Server than a connection that does not have a bandwidth priority. Furthermore, a network connection with higher bandwidth priority will be more likely to pass through ISA Server.

Managing Policies and Rules 145 23. View the Graphic to answer this question: You are configuring a new ISA Server computer. Refer to the graphic, which of the following correctly describe connections without an assigned bandwidth priority?

A. They will have lower priority than connections with assigned priorities. B. They will have higher priority than connections with assigned priorities. C. They will have the same priority as connections with assigned priorities. D. They will not be allowed to pass at all. E. They will not be allowed to route data to another subnet.

146 Chapter 3 23. View the Graphic to answer this question: You are configuring a new ISA Server computer. Refer to the graphic, which of the following correctly describe connections without an assigned bandwidth priority?

*A. They will have lower priority than connections with assigned priorities. B. They will have higher priority than connections with assigned priorities. C. They will have the same priority as connections with assigned priorities. D. They will not be allowed to pass at all. E. They will not be allowed to route data to another subnet. Explanation: Bandwidth priorities define the priority level applied to connections that pass through Microsoft Internet Security and Acceleration Server. A network connection that is assigned a bandwidth priority will have a greater chance to pass through ISA Server than a connection that does not have a bandwidth priority. Furthermore, a network connection with higher bandwidth priority will be more likely to pass through ISA Server.

Managing Policies and Rules 147 24. You are the ISA server operator. You are configuring bandwidth priorities for your ISA server. Which bandwidth priorities can be controlled?

A. Outbound bandwidth B. Inbound bandwidth C. Eitherbound bandwidth D. Unibound bandwidth

25. You are the ISA server administrator of your company. When a client requests an object using a specific protocol, what must you perform to allow access?

A. Create a protocol rule, indicating clients that are allowed access to specific destination sets. B. Create a site and content rule, indicating which protocols can be used to access the specific destinations. C. Create a protocol rule, indicating which protocols can be used to access the specific destinations. D. Create a site and content rule, indicating clients that are allowed access to specific destination sets.

148 Chapter 3 24. You are the ISA server operator. You are configuring bandwidth priorities for your ISA server. Which bandwidth priorities can be controlled?

*A. Outbound bandwidth *B. Inbound bandwidth C. Eitherbound bandwidth D. Unibound bandwidth Explanation: Bandwidth priorities are directional and can be controlled as: Outbound bandwidth, the bandwidth priority allocated for requests from internal clients for objects on the Internet / Inbound bandwidth, the bandwidth priority allocated for requests from external clients for objects on the local network.

25. You are the ISA server administrator of your company. When a client requests an object using a specific protocol, what must you perform to allow access?

A. Create a protocol rule, indicating clients that are allowed access to specific destination sets. B. Create a site and content rule, indicating which protocols can be used to access the specific destinations. *C. Create a protocol rule, indicating which protocols can be used to access the specific destinations. *D. Create a site and content rule, indicating clients that are allowed access to specific destination sets. Explanation: When a client requests an object using a specific protocol, ISA Server checks the protocol rules. If a protocol rule specifically denies use of the protocol, the request is denied. Furthermore, the request will be processed only if a protocol rule specifically allows the client to communicate using the specific protocol, and if a site and content rule specifically allows access to the requested object.

Managing Policies and Rules 149 26. You are the ISA server operator. You are configuring bandwidth priorities for your ISA server. Which of the following is true regarding bandwidth priority configuration?

A. The bandwidth priority can be any number between 0 and 199. B. The bandwidth priority can be any number between 1 and 200. C. The bandwidth priority can be any number between 1 and 1000. D. The larger the number, the higher priority it is. E. The lower the number, the higher priority it is.

27. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server policy. Which of the following is true regarding the userdefined protocol definitions?

A. They can be created. B. They can be edited. C. They can be deleted. D. They can be encrypted.

150 Chapter 3 26. You are the ISA server operator. You are configuring bandwidth priorities for your ISA server. Which of the following is true regarding bandwidth priority configuration?

A. The bandwidth priority can be any number between 0 and 199. *B. The bandwidth priority can be any number between 1 and 200. C. The bandwidth priority can be any number between 1 and 1000. *D. The larger the number, the higher priority it is. E. The lower the number, the higher priority it is. Explanation: You can use the bandwidth priority to create and configure bandwidth rules, which determine how much scheduling priority is allocated for specific network connections. For example, you can create a bandwidth priority called Best Access with outbound and inbound bandwidth priority set to 10. You can also create a bandwidth priority called Good Access, with outbound and inbound bandwidth set to one. Then, you can use these bandwidth priorities when you configure bandwidth rules.

27. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server policy. Which of the following is true regarding the userdefined protocol definitions?

*A. They can be created. *B. They can be edited. *C. They can be deleted. D. They can be encrypted. Explanation: User-defined protocol definitions can be edited or deleted. Protocol definitions installed with application filters cannot be modified, although they can be deleted. Protocol definitions included with ISA Server cannot be modified or deleted.

Managing Policies and Rules 151 28. You are managing and troubleshooting the ISA server configuration. Which of the following is true regarding the Protocol definitions installed with application filters?

A. They can be edited. B. They can be deleted. C. They can be applied. D. They can be encrypted.

29. You are managing and troubleshooting the ISA server configuration. Which of the following is true regarding the Protocol definitions included with ISA Server?

A. They can be edited. B. They can be deleted. C. They can be applied. D. They can be encrypted.

152 Chapter 3 28. You are managing and troubleshooting the ISA server configuration. Which of the following is true regarding the Protocol definitions installed with application filters?

A. They can be edited. *B. They can be deleted. *C. They can be applied. D. They can be encrypted. Explanation: User-defined protocol definitions can be edited or deleted. Protocol definitions installed with application filters cannot be modified, although they can be deleted. Protocol definitions included with ISA Server cannot be modified or deleted.

29. You are managing and troubleshooting the ISA server configuration. Which of the following is true regarding the Protocol definitions included with ISA Server?

A. They can be edited. B. They can be deleted. *C. They can be applied. D. They can be encrypted. Explanation: User-defined protocol definitions can be edited or deleted. Protocol definitions installed with application filters cannot be modified, although they can be deleted. Protocol definitions included with ISA Server cannot be modified or deleted.

Managing Policies and Rules 153 30. You are creating a protocol definition for your ISA server, which of the following MUST be specified?

A. Port number B. Low-level protocol C. Direction D. Secondary connections E. Bandwidth

31. You are creating a protocol definition for your ISA server. Which of the following are valid low level protocols?

A. HTTP B. HTTPS C. FTP D. TCP E. UDP

154 Chapter 3 30. You are creating a protocol definition for your ISA server, which of the following MUST be specified?

*A. Port number *B. Low-level protocol *C. Direction D. Secondary connections E. Bandwidth Explanation: The option secondary connections are entirely optional.

31. You are creating a protocol definition for your ISA server. Which of the following are valid low level protocols?

A. HTTP B. HTTPS C. FTP *D. TCP *E. UDP Explanation: The option Low-level protocol is either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

Managing Policies and Rules 155 32. You are configuring protocol definition for your company's ISA server. Which of the following are valid directions?

A. Inbound B. Outbound C. Both bounds D. Eitherbound

33. You need to manage and troubleshoot the ISA server policy. Which of the following is true concerning the secondary connection option in a protocol definition?

A. This is Optional. B. This is the range of port numbers, protocol, and direction used for additional connections or packets that follow the initial connection. C. You can configure only one secondary connection. D. You can configure only two secondary connection.

156 Chapter 3 32. You are configuring protocol definition for your company's ISA server. Which of the following are valid directions?

*A. Inbound *B. Outbound C. Both bounds D. Eitherbound Explanation: The option Direction is either Inbound or Outbound.

33. You need to manage and troubleshoot the ISA server policy. Which of the following is true concerning the secondary connection option in a protocol definition?

*A. This is Optional. *B. This is the range of port numbers, protocol, and direction used for additional connections or packets that follow the initial connection. C. You can configure only one secondary connection. D. You can configure only two secondary connection. Explanation: Secondary connections are the range of port numbers, protocol, and direction used for additional connections or packets that follow the initial connection. You can configure one or more secondary connections


34. As an ISA server engineer certified by Microsoft, you need to manage and troubleshoot the ISA server policy. Base on the following table:

Name Port

Protocol

Number: Type:

FTP Client:

21

TCP

FTP client Read-only

21

TCP

Gopher

70

TCP

HTTP

80

TCP

HTTP-S

443

TCP

Which of the above protocols are defined by the ISA server?

A. FTP client B. FTP client Read-only C. Gopher D. HTTP E. HTTP-S

158 Chapter 3 34. As an ISA server engineer certified by Microsoft, you need to manage and troubleshoot the ISA server policy. Base on the following table:

Name Port

Protocol

Number: Type:

FTP Client:

21

TCP

FTP client Read-only

21

TCP

Gopher

70

TCP

HTTP

80

TCP

HTTP-S

443

TCP

Which of the above protocols are defined by the ISA server?

A. FTP client B. FTP client Read-only *C. Gopher *D. HTTP *E. HTTP-S Explanation: The other protocols are defined by the FTP access filter.


35. As an ISA server engineer certified by Microsoft, you need to manage and troubleshoot the ISA server policy. Which of the following correctly describe protocol definitions that are included with application filters?

A. They have secondary connections. B. The application filter is informed the ISA Server computer on which secondary connections to open. C. They do not have secondary connections. D. The application filter itself informs the ISA Server computer which secondary connections to open.

160 Chapter 3 35. As an ISA server engineer certified by Microsoft, you need to manage and troubleshoot the ISA server policy. Which of the following correctly describe protocol definitions that are included with application filters?

A. They have secondary connections. B. The application filter is informed the ISA Server computer on which secondary connections to open. *C. They do not have secondary connections. *D. The application filter itself informs the ISA Server computer which secondary connections to open. Explanation: Protocol definitions that are included with application filters do not have secondary connections. This is because the application filter itself informs the ISA Server computer which secondary connections to open for the client, according to the specific protocols.

Managing Policies and Rules 161 36. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server policy. As you know, the application filter will inform the ISA Server computer which secondary connections to open for the client, according to the specific protocols. Given the following event, arrange them in the correct order.

A-The ISA Server computer notifies the filter about the connection.

B-The client opens a primary connection to a server on the Internet.

C-The filter informs the ISA Server computer to allow that particular secondary

connection. D-The ISA Server computer opens the specific port, as indicated by the application filter. E-The filter examines the data that is flowing through the primary connection and determines which secondary connection the client is going to use.

A. Order: B A E C D B. Order: A B C D E C. Order: C D A B E D. Order: E D B A C E. Order: A B E C D

162 Chapter 3 36. You are the ISA server administrator of your company. You need to manage and troubleshoot the ISA server policy. As you know, the application filter will inform the ISA Server computer which secondary connections to open for the client, according to the specific protocols. Given the following event, arrange them in the correct order.

A-The ISA Server computer notifies the filter about the connection. B-The client opens a primary connection to a server on the Internet. C-The filter informs the ISA Server computer to allow that particular secondary connection. D-The ISA Server computer opens the specific port, as indicated by the application filter. E-The filter examines the data that is flowing through the primary connection and determines which secondary connection the client is going to use.

*A. Order: B A E C D B. Order: A B C D E C. Order: C D A B E D. Order: E D B A C E. Order: A B E C D Explanation: Memorize this order.

Managing Policies and Rules 163 37. You are the enterprise ISA server administrator of your company. Which of the following are the valid ways for applying the enterprise policy at the array level?

A. Enterprise policy only. B. Combined enterprise and array policy. C. Array policy only. D. Group Policy only.

38. You are the ISA server administrator of your company. You are configuring the ISA server policy. You specify that the enterprise policy be applied at the array level using an Enterprise policy only setting. Which of the following correctly describe this setting?

A. All the enterprise policy applies. B. New rules can be added at the array level. C. Only the selected enterprise policy applies. D. No new rules can be added at the array level.

164 Chapter 3 37. You are the enterprise ISA server administrator of your company. Which of the following are the valid ways for applying the enterprise policy at the array level?

*A. Enterprise policy only.

*B. Combined enterprise and array policy.

*C. Array policy only.

D. Group Policy only. Explanation: The enterprise administrator can select how the enterprise policy should be applied at the array level.

38. You are the ISA server administrator of your company. You are configuring the ISA server policy. You specify that the enterprise policy be applied at the array level using an Enterprise policy only setting. Which of the following correctly describe this setting?

A. All the enterprise policy applies. B. New rules can be added at the array level. *C. Only the selected enterprise policy applies. *D. No new rules can be added at the array level. Explanation: In this case, the administrator at the enterprise level dictates that only the selected enterprise policy applies. No new rules can be added at the array level.

Managing Policies and Rules 165 39. You are implementing ISA server. You need to manage and troubleshoot the ISA server policy. You specify that the enterprise policy be applied at the array level using a Combined enterprise and array policy setting. Which of the following correctly describe this setting?

A. An array policy is added to the enterprise policy. B. The enterprise policy overrides the array policy. C. The array policy cannot be more permissive than the enterprise policy. D. NO array policy is added to the enterprise policy. E. The enterprise policy is overridden by the array policy.

40. You are implementing ISA server. You specify that the enterprise policy be applied at the array level using an Array policy only setting. Which of the following correctly describe this setting?

A. No enterprise policy is applied to the array. B. An array policy is added to the enterprise policy. C. The array administrator can create any rule. D. An array policy is removed from the enterprise policy.

166 Chapter 3 39. You are implementing ISA server. You need to manage and troubleshoot the ISA server policy. You specify that the enterprise policy be applied at the array level using a Combined enterprise and array policy setting. Which of the following correctly describe this setting?

*A. An array policy is added to the enterprise policy.

*B. The enterprise policy overrides the array policy.

*C. The array policy cannot be more permissive than the enterprise policy.

D. NO array policy is added to the enterprise policy. E. The enterprise policy is overridden by the array policy. Explanation: In this case, an array policy is added to the enterprise policy. The enterprise policy overrides the array policy. That is, the array policy can impose additional limitations, but cannot be more permissive than the enterprise policy.

40. You are implementing ISA server. You specify that the enterprise policy be applied at the array level using an Array policy only setting. Which of the following correctly describe this setting?

*A. No enterprise policy is applied to the array. B. An array policy is added to the enterprise policy. *C. The array administrator can create any rule. D. An array policy is removed from the enterprise policy. Explanation: In this case, no enterprise policy is applied to the array. The array administrator can create any rule - rules that allow or deny access.

Managing Policies and Rules 167 41. You need to manage and troubleshoot the ISA server policy. Which of the following rules cannot be created or enabled at the enterprise level?

A. Publishing rules only B. Packet filtering only C. Publishing rules and Packet filtering D. Publishing Packet filtering only

42. You are implementing ISA server. Which of the following can be specified by the content groups?

A. MIME types B. File extensions C. Service timeout D. File directories

168 Chapter 3 41. You need to manage and troubleshoot the ISA server policy. Which of the following rules cannot be created or enabled at the enterprise level?

A. Publishing rules only B. Packet filtering only *C. Publishing rules and Packet filtering D. Publishing Packet filtering only Explanation: Publishing rules cannot be created at the enterprise level. However, the enterprise administrator can specify whether an array is allowed to publish servers, by creating Web publishing rules or server publishing rules. Similarly, packet filtering cannot be enabled at the enterprise level.

42. You are implementing ISA server. Which of the following can be specified by the content groups?

*A. MIME types *B. File extensions C. Service timeout D. File directories Explanation: Content groups specify MIME types and file extensions. When you create a site and content rule or a bandwidth rule, you can limit the rule application to specific content groups. This allows you additional granularity when you configure security policy, as you can limit access not only to a particular destination, but also to specific content.

Managing Policies and Rules 169 43. You are implementing ISA server. Which of the following correctly describe the application of content groups?

A. Content groups apply to any HTTP traffic. B. Content groups apply to any FTP traffic. C. Content groups apply to HTTP traffic that passes through the Web Proxy service. D. Content groups apply to tunneled FTP traffic, which passes through the Web Proxy service.

44. You are operating an ISA server computer. You want to create a content group, what should you do?

A. In the console tree of ISA Management, right-click Content Groups. Click New and then click Content Group. In Name, type the name of the content group. Set the Available Types, and finally click Add. B. In the console tree of ISA Management, right-click General. Click New Content Group and then click Content Group. In Name, type the name of the content group. Set the Available Types, and finally click Add. C. In the console tree of ISA Management, right-click Advanced. Click New Group and then click Content. In Name, type the name of the content group. Set the Available Types, and finally click Add. D. In the console tree of ISA Management, right-click Advanced. Click New Content Group and then click Group configuration. In Name, type and the name of the content group. Set the available Types, and finally click Add.

170 Chapter 3 43. You are implementing ISA server. Which of the following correctly describe the application of content groups?

A. Content groups apply to any HTTP traffic. B. Content groups apply to any FTP traffic. *C. Content groups apply to HTTP traffic that passes through the Web Proxy service. *D. Content groups apply to tunneled FTP traffic, which passes through the Web Proxy service. Explanation: Content groups apply only to HTTP and tunneled FTP traffic, which passes through the Web Proxy service.

44. You are operating an ISA server computer. You want to create a content group, what should you do?

*A. In the console tree of ISA Management, right-click Content Groups. Click New and then click Content Group. In Name, type the name of the content group. Set the Available Types, and finally click Add. B. In the console tree of ISA Management, right-click General. Click New Content Group and then click Content Group. In Name, type the name of the content group. Set the Available Types, and finally click Add. C. In the console tree of ISA Management, right-click Advanced. Click New Group and then click Content. In Name, type the name of the content group. Set the Available Types, and finally click Add. D. In the console tree of ISA Management, right-click Advanced. Click New Content Group and then click Group configuration. In Name, type and the name of the content group. Set the available Types, and finally click Add. Explanation: When you create content groups, it is recommended that you specify the content's MIME type and file extension.

Managing Policies and Rules 171 45. You are deploying ISA server in your company's network. How do you create a Web publishing rule?

A. In the console tree of ISA Management, right-click Web Publishing Rules, point to New, and then click Rule. B. In the console tree of ISA Management, right-click Rules, point to Web Publishing, click Add, and then click Rule. C. In the console tree of ISA Management, right-click Web Rules, point to Publishing, select New, and then click Add Rule. D. In the console tree of ISA Management, right-click Publishing Rules, point to Web Publishing, click Add, and then click Rule.

46. You are the network administrator of your company. You are deploying ISA Server. You wish to achieve fault tolerance. What should you do?

A. Set up a single ISA Server computer on two or more clusters. B. Combine two or more clusters into a single ISA Server computer. C. Set up a cluster on a single ISA Server computer. D. Combine two or more ISA Server computers into a single cluster.

172 Chapter 3 45. You are deploying ISA server in your company's network. How do you create a Web publishing rule?

*A. In the console tree of ISA Management, right-click Web Publishing Rules, point to New, and then click Rule. B. In the console tree of ISA Management, right-click Rules, point to Web Publishing, click Add, and then click Rule. C. In the console tree of ISA Management, right-click Web Rules, point to Publishing, select New, and then click Add Rule. D. In the console tree of ISA Management, right-click Publishing Rules, point to Web Publishing, click Add, and then click Rule. Explanation: To open ISA Management, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

46. You are the network administrator of your company. You are deploying ISA Server. You wish to achieve fault tolerance. What should you do?

A. Set up a single ISA Server computer on two or more clusters. B. Combine two or more clusters into a single ISA Server computer. C. Set up a cluster on a single ISA Server computer. *D. Combine two or more ISA Server computers into a single cluster. Explanation: When you deploy ISA Server, fault tolerance can be achieved when you combine two or more ISA Server computers into a single cluster, NLB can provide the reliability and performance that mission-critical servers need.

Managing Policies and Rules 173 47. You installed an ISA Server to protect your network. With the default access control setting, which of the following traffics are allowed to pass?

A. In bound B. Out bound C. Eitherbound D. No traffic will be allowed to pass

48. Which of the following are the valid actions you can create for a Web publishing rule in ISA Server?

A. Discard the request. B. Redirect requests to a hosted site. C. Modify the request. D. Filter the request. E. Cache the request.

174 Chapter 3 47. You installed an ISA Server to protect your network. With the default access control setting, which of the following traffics are allowed to pass?

A. In bound B. Out bound C. Eitherbound *D. No traffic will be allowed to pass Explanation: Since no protocol rules are defined by default, no traffic will be allowed to pass. You must manually configure the protocol rules first.

48. Which of the following are the valid actions you can create for a Web publishing rule in ISA Server?

*A. Discard the request.

*B. Redirect requests to a hosted site.

C. Modify the request. D. Filter the request. E. Cache the request. Explanation: To refuse requests, click Discard the request. To forward requests to the server or servers used for Internet publishing, click Redirect requests to a hosted site. The request will be redirected to the path and computer.

Notes:

The Client Computer 177

Chapter 4: The Client Computer The objective of this chapter is to provide the reader with an understanding of the following: 1.

Plan the deployment of client computers to use ISA Server services. Considerations include client authentication, client operating system, network topology, cost, complexity, and client function.

2.

Configure and troubleshoot the client computer for secure network address translation (SecureNAT).

3.

Install the Firewall Client software. Considerations include the cost and complexity of deployment.

4.

Troubleshoot autodetection.

5.

Configure the client computer's Web browser to use ISA Server as an HTTP proxy.

178 Chapter 4

Introduction

ISA Server supports three different types of clients. According to Microsoft’s recommendation, you should ask yourself the following questions before deciding which client to use: Do you want to avoid the deployment of client software or configuration of client computers? If the answer is YES, you should choose the SecureNAT client, as it does not require any software or specific configuration. Do you plan to use ISA Server only for forward caching of Web objects? If so, that you should use SecureNAT client so that client requests are transparently passed to the ISA Server Firewall service and then on to the Web Proxy service for caching. Do you want to allow access only for authenticated clients? If so, you should use Firewall client so that you can configure user-based access policy rules. In contrast, SecureNAT client does not support user-based authentication. Do you plan to publish servers that are located on your internal network? If so, go ahead with SecureNAT client. You can publish internal servers as SecureNAT clients to eliminate the need for creating special configuration files on the publishing server. All that you need to do is to create a server-publishing rule on the ISA Server.

The Client Computer 179 1. There is an ISA server computer in your network. You want to use the ISA Server caching feature. What is the minimum drive space you should maintain for use with caching?


2. There is an ISA Server computer in your network. Y ou want to use the ISA Server caching feature. What is the minimum drive space you should maintain for supporting 100 web proxy clients at reasonable performance?


180 Chapter 4 1. There is an ISA server computer in your network. You want to use the ISA Server caching feature. What is the minimum drive space you should maintain for use with caching?

A. 1MB *B. 5MB C. 10MB D. 100MB E. 500MB Explanation: When configuring the cache drives, at a minimum you must, allocate at least one drive and five MB for caching. However, it is recommended that you allocate at least 100 MB and add 0.5 MB for each Web Proxy client, rounded up to the nearest full megabyte.

2. There is an ISA Server computer in your network. Y ou want to use the ISA Server caching feature. What is the minimum drive space you should maintain for supporting 100 web proxy clients at reasonable performance?

A. 1MB B. 5MB C. 10MB D. 100MB *E. 150MB Explanation: When configuring the cache drives, at a minimum you must, allocate at least one drive and five MB for caching. However, it is recommended that you allocate at least 100 MB and add 0.5 MB for each Web Proxy client, rounded up to the nearest full megabyte.

The Client Computer 181 3. You want to install ISA server in order to protect your network. You also need to support up to 450 web clients for performance maximization. Which of the following correctly describe the CPU requirements?

A. Single ISA Server computer with Pentium II, 300 MHz processor B. Single ISA Server computer with dual Pentium III 550 MHz processor C. Two ISA Server computers, each with Pentium III, 550 MHz processors D. Four ISA Server computers, each with Pentium III, 550 MHz processors

4. You want to install ISA server in order to protect your network. You also need to support up to 750 web clients for performance maximization. Which of the following correctly describe the CPU requirements?


182 Chapter 4 3. You want to install ISA server in order to protect your network. You also need to support up to 450 web clients for performance maximization. Which of the following correctly describe the CPU requirements?

*A. Single ISA Server computer with Pentium II, 300 MHz processor B. Single ISA Server computer with dual Pentium III 550 MHz processor C. Two ISA Server computers, each with Pentium III, 550 MHz processors D. Four ISA Server computers, each with Pentium III, 550 MHz processors Explanation: ISA Server can be deployed as a forward caching server, maintaining a centralized cache of frequently requested Internet objects that can be accessed by any Web browser client. In this case, consider how many Web browser clients will be accessing the Internet.

4. You want to install ISA server in order to protect your network. You also need to support up to 750 web clients for performance maximization. Which of the following correctly describe the CPU requirements?

A. Single ISA Server computer with Pentium II, 300 MHz processor *B. Single ISA Server computer with dual Pentium III 550 MHz processor C. Two ISA Server computers, each with Pentium III, 550 MHz processors D. Four ISA Server computers, each with Pentium III, 550 MHz processors Explanation: ISA Server can be deployed as a forward caching server, maintaining a centralized cache of frequently requested Internet objects that can be accessed by any Web browser client. In this case, consider how many Web browser clients will be accessing the Internet.

The Client Computer 183 5. You are the enterprise security administrator for your company's network. You install an ISA Servers to protect your network. You also need to support up to 750 web clients for performance maximization. Which of the following correctly describe the disk space requirements for caching?

A. 1GB free per server. B. 4 GB free per server. C. 10GB free per server. D. 20GB free per server

6. Your boss asks you to install an ISA server for his company. You also need to support up to 475 web clients for performance maximization. Which of the following correctly describe the disk space requirements for caching?

A. 1GB free per server. B. 4 GB free per server. C. 10GB free per server. D. 20GB free per server

184 Chapter 4 5. You are the enterprise security administrator for your company's network. You install an ISA Servers to protect your network. You also need to support up to 750 web clients for performance maximization. Which of the following correctly describe the disk space requirements for caching?

A. 1GB free per server. B. 4 GB free per server. *C. 10GB free per server. D. 20GB free per server Explanation: ISA Server can be deployed as a forward caching server, maintaining a centralized cache of frequently requested Internet objects that can be accessed by any Web browser client. In this case, consider how many Web browser clients will be accessing the Internet.

6. Your boss asks you to install an ISA server for his company. You also need to support up to 475 web clients for performance maximization. Which of the following correctly describe the disk space requirements for caching?

A. 1GB free per server. *B. 4 GB free per server. C. 10GB free per server. D. 20GB free per server Explanation: ISA Server can be deployed as a forward caching server, maintaining a centralized cache of frequently requested Internet objects that can be accessed by any Web browser client. In this case, consider how many Web browser clients will be accessing the Internet.

The Client Computer 185 7. Your boss asks you to install an ISA server for his company. You also need to support up to 1150 web clients for performance maximization. Which of the following correctly describe the CPU requirements?


8. You are configuring the clients for your ISA server security solutions. Which of the following user level authentication types does the SecureNAT Client support?

A. By name B. By domain C. By IP address D. By port number

186 Chapter 4 7. Your boss asks you to install an ISA server for his company. You also need to support up to 1150 web clients for performance maximization. Which of the following correctly describe the CPU requirements?

A. Single ISA Server computer with Pentium II, 300 MHz processor B. Single ISA Server computer with dual Pentium III 550 MHz processor *C. Two ISA Server computers, each with Pentium III, 550 MHz processors D. Four ISA Server computers, each with Pentium III, 550 MHz processors Explanation: ISA Server can be deployed as a forward caching server, maintaining a centralized cache of frequently requested Internet objects that can be accessed by any Web browser client. In this case, consider how many Web browser clients will be accessing the Internet.

8. You are configuring the clients for your ISA server security solutions. Which of the following user level authentication types does the SecureNAT Client support? A. By name B. By domain *C. By IP address D. By port number Explanation: ISA Server supports the following clients: 1. Web Proxy clients 2. Secure network address translation clients 3. Firewall clients

The Client Computer 187 9. View the Graphic to answer this question: You are the enterprise security administrator for your company's network. You install An ISA Servers to protect your network. You also need to support up to 1450 web clients for performance maximization. Why is it beneficial for you to deploy the ISA server edition as shown in the graphic rather than the standard edition?

A. Lower cost. B. Faster speed. C. The capability to deploy array. D. The capability to support caching. E. The capability to support cluster service.

188 Chapter 4 9. View the Graphic to answer this question: You are the enterprise security administrator for your company's network. You install An ISA Servers to protect your network. You also need to support up to 1450 web clients for performance maximization. Why is it beneficial for you to deploy the ISA server edition as shown in the graphic rather than the standard edition?

A. Lower cost. B. Faster speed. *C. The capability to deploy array. D. The capability to support caching. E. The capability to support cluster service. Explanation: When you set up more than one ISA Server computer, consider upgrading to ISA Server, Enterprise Edition, so that you can group the computers in arrays.

The Client Computer 189 10. You are the enterprise security administrator for your company's network. There is a new ISA server company in your company's network. You want to provide caching for external users requesting data. Which of the following features can be deployed to achieve this?

A. Outgoing access policy. B. Intrusion detection. C. System Security Wizard. D. Application filters. E. Reverse caching.

11. You are the network administrator of your company. You are configuring the clients for your ISA server security solutions. Which of the following are the valid client types?

A. Web Proxy clients B. SecureNAT clients C. Firewall clients D. Web Proxy clients

190 Chapter 4 10. You are the enterprise security administrator for your company's network. There is a new ISA server company in your company's network. You want to provide caching for external users requesting data. Which of the following features can be deployed to achieve this?

A. Outgoing access policy. B. Intrusion detection. C. System Security Wizard. D. Application filters. *E. Reverse caching. Explanation: ISA Server can provide caching for external users requesting data. For example, it can be deployed between the Internet and an organization's Web server that is hosting a commercial Web business or providing access to business partners.

11. You are the network administrator of your company. You are configuring the clients for your ISA server security solutions. Which of the following are the valid client types?

*A. Web Proxy clients *B. SecureNAT clients *C. Firewall clients D. Web Proxy clients Explanation: ISA Server supports the following clients: 1. Web Proxy clients 2. Secure network address translation clients 3. Firewall clients

The Client Computer 191 12. You are the network administrator of your company. You are configuring the clients for your ISA server security solutions. Which of the following client types require installation?


13. You are configuring the clients for your ISA server security solutions. Which of the following client types require configuration changes but not installation?


192 Chapter 4 12. You are the network administrator of your company. You are configuring the clients for your ISA server security solutions. Which of the following client types require installation?

A. Web Proxy clients B. SecureNAT clients *C. Firewall clients D. Web Proxy clients Explanation: ISA Server supports the following clients: 1. Web Proxy clients 2. Secure network address translation clients 3. Firewall clients

13. You are configuring the clients for your ISA server security solutions. Which of the following client types require configuration changes but not installation?

*A. Web Proxy clients *B. SecureNAT clients C. Firewall clients D. Web Proxy clients Explanation: ISA Server supports the following clients: 1. Web Proxy clients 2. Secure network address translation clients 3. Firewall clients

The Client Computer 193 14. Which of the following ISA client types require Windows platforms?


15. You are configuring Web Proxy Clients for your company's ISA server. Which of the following protocol types does the Web Proxy Client support?

A. HTTP B. HTTPS C. FTP D. H.323

194 Chapter 4 14. Which of the following ISA client types require Windows platforms?

*A. Web Proxy clients B. SecureNAT clients C. Firewall clients D. Web Proxy clients Explanation: ISA Server supports the following clients: 1. Web Proxy clients 2. Secure network address translation clients 3. Firewall clients

15. You are configuring Web Proxy Clients for your company's ISA server. Which of the following protocol types does the Web Proxy Client support?

*A. HTTP *B. HTTPS *C. FTP D. H.323 Explanation: ISA Server supports the following clients: 1. Web Proxy clients 2. Secure network address translation clients 3. Firewall clients

The Client Computer 195 16. View the Graphic to answer this question: You are configuring the clients for your ISA server security solutions. Which of the following client types support server publishing as shown in the graphic?

A. Web Proxy clients B. SecureNAT clients C. Firewall clients D. Caching clients

196 Chapter 4 16. View the Graphic to answer this question: You are configuring the clients for your ISA server security solutions. Which of the following client types support server publishing as shown in the graphic?

A. Web Proxy clients *B. SecureNAT clients *C. Firewall clients D. Caching clients Explanation: ISA Server supports the following clients: 1. Web Proxy clients 2. Secure network address translation clients 3. Firewall clients

The Client Computer 197 17. You are configuring the clients for your ISA server security solutions. Which of the following correctly describe the coexistence between the different client types?

A. Firewall client computers might also be Web Proxy clients. B. SecureNAT client computers might also be Web Proxy clients. C. Firewall client computers might not be Web Proxy clients. D. SecureNAT client computers might not be Web Proxy clients. E. Firewall client computers might also be both Web Proxy clients and SecureNAT clients.

18. You are using ISA server to protect your network. Most of your web clients are equipped with browser helper applications including streaming media clients. Which of the following should be done so that these clients can connect to the Internet via the ISA server?

A. Use the SecureNAT client or the Firewall client in addition to the Web Proxy client. B. Modify the registry. C. Update the metadata. D. Modify the browser configuration settings. E. Modify the connection settings.

198 Chapter 4 17. You are configuring the clients for your ISA server security solutions. Which of the following correctly describe the coexistence between the different client types?

*A. Firewall client computers might also be Web Proxy clients. *B. SecureNAT client computers might also be Web Proxy clients. C. Firewall client computers might not be Web Proxy clients. D. SecureNAT client computers might not be Web Proxy clients. E. Firewall client computers might also be both Web Proxy clients and SecureNAT clients. Explanation: Both Firewall client computers and SecureNAT client computers might also be Web Proxy clients. If the Web application on the computer is configured explicitly to use ISA Server, then all Web requests (HTTP, FTP, and HTTPS) are sent directly to the Web Proxy service. All other requests are handled first by the Firewall service.

18. You are using ISA server to protect your network. Most of your web clients are equipped with browser helper applications including streaming media clients. Which of the following should be done so that these clients can connect to the Internet via the ISA server?

*A. Use the SecureNAT client or the Firewall client in addition to the Web Proxy client. B. Modify the registry. C. Update the metadata. D. Modify the browser configuration settings. E. Modify the connection settings. Explanation: To allow these applications to connect to the Web, use the SecureNAT client or the Firewall client in addition to the Web Proxy client.

The Client Computer 199 19. You are using ISA server to protect your network. Users complain that access to the local servers is very slow. Which of the following can you do to increase local access performance?

A. Configure the browser clients to "Bypass proxy server for local addresses" B. Use the SecureNAT client or the Firewall client in addition to the Web Proxy client. C. Modify the registry. D. Update the metadata. E. Modify the browser configuration settings.

20. You are a network administrator. You are configuring the SecureNAT Clients. Which of the following correctly describe a simple network topology?

A. It does not have any routers configured between the SecureNAT client and the ISA Server computer. B. It has one router configured between the SecureNAT client and the ISA Server computer. C. It has at least two routers connecting multiple subnets that are configured between a SecureNAT client and the Browser client. D. It has one or more routers connecting multiple subnets that are configured between a SecureNAT client and the ISA Server computer.

200 Chapter 4 19. You are using ISA server to protect your network. Users complain that access to the local servers is very slow. Which of the following can you do to increase local access performance?

*A. Configure the browser clients to "Bypass proxy server for local addresses" B. Use the SecureNAT client or the Firewall client in addition to the Web Proxy client. C. Modify the registry. D. Update the metadata. E. Modify the browser configuration settings. Explanation: Start Internet Explorer 5, and on the Tools menu, click Internet Options, click the Connections tab, and then click LAN Settings. In Local Area Network (LAN) Settings, select the Use a proxy server check box. In the Address box, type the path to the ISA Server computer. In Port, type the port number that ISA Server uses for client connections in Port. If you want your browser to bypass ISA Server when connecting to local computers, select the Bypass proxy server for local addresses check box. Bypassing the ISA Server for local computers may improve performance.

20. You are a network administrator. You are configuring the SecureNAT Clients. Which of the following correctly describe a simple network topology? *A. It does not have any routers configured between the SecureNAT client and the ISA Server computer. B. It has one router configured between the SecureNAT client and the ISA Server computer. C. It has at least two routers connecting multiple subnets that are configured between a SecureNAT client and the Browser client. D. It has one or more routers connecting multiple subnets that are configured between a SecureNAT client and the ISA Server computer. Explanation: A simple network does not have any routers configured between the SecureNAT client and the ISA Server computer.

The Client Computer 201 21. You are configuring the SecureNAT Clients in your network. Which of the following correctly describe a complex network topology?

A. It does not have any routers configured between the SecureNAT client and the ISA Server computer. B. It has one router configured between the SecureNAT client and the ISA Server computer. C. It has at least two routers connecting multiple subnets that are configured between a SecureNAT client and the Browser client. D. It has one or more routers connecting multiple subnets that are configured between a SecureNAT client and the ISA Server computer.

22. As an ISA server engineer certified by Microsoft, you are configuring the clients for your ISA server security solutions. You are configuring the SecureNAT Clients. How do you configure SecureNAT clients on a simple network?

A. Set the SecureNAT client's Internet Protocol default gateway settings to the IP address of the ISA Server computer's external network address card manually. B. Set the SecureNAT client's Internet Protocol default gateway settings to the IP address of the ISA Server computer's external network address card via DHCP. C. Set the SecureNAT client's Internet Protocol default gateway settings to the IP address of the ISA Server computer's internal network address card manually. D. Set the SecureNAT client's Internet Protocol default gateway settings to the IP address of the ISA Server computer's internal network address card via DHCP.

202 Chapter 4 21. You are configuring the SecureNAT Clients in your network. Which of the following correctly describe a complex network topology? A. It does not have any routers configured between the SecureNAT client and the ISA Server computer. B. It has one router configured between the SecureNAT client and the ISA Server computer. C. It has at least two routers connecting multiple subnets that are configured between a SecureNAT client and the Browser client. *D. It has one or more routers connecting multiple subnets that are configured between a SecureNAT client and the ISA Server computer. Explanation: A complex network topology has one or more routers connecting multiple subnets that are configured between a SecureNAT client and the ISA Server computer.

22. As an ISA server engineer certified by Microsoft, you are configuring the clients for your ISA server security solutions. You are configuring the SecureNAT Clients. How do you configure SecureNAT clients on a simple network? A. Set the SecureNAT client's Internet Protocol default gateway settings to the IP address of the ISA Server computer's external network address card manually. B. Set the SecureNAT client's Internet Protocol default gateway settings to the IP address of the ISA Server computer's external network address card via DHCP. *C. Set the SecureNAT client's Internet Protocol default gateway settings to the IP address of the ISA Server computer's internal network address card manually. *D. Set the SecureNAT client's Internet Protocol default gateway settings to the IP address of the ISA Server computer's internal network address card via DHCP. Explanation: To configure SecureNAT clients on a simple network, you should set the SecureNAT client's Internet Protocol (IP) default gateway settings to the IP address of the ISA Server computer's internal network address card. You can set this manually, using the TCP/IP network control panel settings on the client. Alternatively, you can configure these settings automatically for the client using DHCP.

The Client Computer 203 23. As an ISA server engineer certified by Microsoft, you are configuring the SecureNAT Clients. How do you configure SecureNAT clients on a complex network?

A. Set the default gateway settings to the router on the remote segment. B. Ensure that the router routes traffic destined for the Internet correctly to the ISA server's external interface. C. Set the default gateway settings to the router on the client's local segment. D. Ensure that the router routes traffic destined for the Internet correctly to the ISA server's internal interface.

24. You are configuring the SecureNAT Clients. Which of the following correctly describe how you should configure the clients with the DNS service in your network?

A. The client must be configured to use DNS servers that can resolve names for only the external hosts. B. The client must be configured to use DNS servers that can resolve names for only the internal hosts. C. The client must be configured to use DNS servers that can resolve names both for external and internal hosts. D. The client must be configured to use DNS servers that can resolve names for Internet users.

204 Chapter 4 23. As an ISA server engineer certified by Microsoft, you are configuring the SecureNAT Clients. How do you configure SecureNAT clients on a complex network?

A. Set the default gateway settings to the router on the remote segment. B. Ensure that the router routes traffic destined for the Internet correctly to the ISA server's external interface. *C. Set the default gateway settings to the router on the client's local segment. *D. Ensure that the router routes traffic destined for the Internet correctly to the ISA server's internal interface. Explanation: To configure SecureNAT clients on a complex network, you should set the default gateway settings to the router on the client's local segment and make sure that the router routes traffic destined for the Internet correctly to the ISA server's internal interface.

24. You are configuring the SecureNAT Clients. Which of the following correctly describe how you should configure the clients with the DNS service in your network?

A. The client must be configured to use DNS servers that can resolve names for only the external hosts. B. The client must be configured to use DNS servers that can resolve names for only the internal hosts. *C. The client must be configured to use DNS servers that can resolve names both for external and internal hosts. D. The client must be configured to use DNS servers that can resolve names for Internet users. Explanation: SecureNAT clients will probably request objects both from computers in the local network and from the Internet. Thus, SecureNAT must be configured to use DNS servers that can resolve names both for external and internal hosts.

The Client Computer 205 25. You are the ISA server administrator. You are configuring the SecureNAT Clients to access the Internet. Which of the following settings should you use for the TCP/IP settings?

A. Use DNS servers on the Internet. B. Create a protocol rule that allows the SecureNAT clients to connect to a DNS server on the Internet. C. The protocol rule should use the predefined DNS Query (client) protocol. D. Create an IP packet filter to filter all TCP packets.

26. You are the ISA server administrator. You are configuring the SecureNAT Clients to access the Internet. The DNS server used by the clients is located on the internal network. To enable client access to the Internet, which of the following should be done?

A. Create a policy that allows two-way traffic. B. Create a protocol rule that allows DNS queries from the DNS server to reach external DNS servers. C. Create a protocol rule that allows DNS queries from the DNS server to reach the Internet root servers. D. Create a protocol rule that denies DNS queries from the DNS server to reach the Internet root servers.

206 Chapter 4 25. You are the ISA server administrator. You are configuring the SecureNAT Clients to access the Internet. Which of the following settings should you use for the TCP/IP settings? *A. Use DNS servers on the Internet. *B. Create a protocol rule that allows the SecureNAT clients to connect to a DNS server on the Internet. *C. The protocol rule should use the predefined DNS Query (client) protocol. D. Create an IP packet filter to filter all TCP packets. Explanation: For Internet access only, the SecureNAT clients should be configured with TCP/IP settings that use the DNS servers on the Internet. You should create a protocol rule that allows the SecureNAT clients to connect to a DNS server on the Internet. This protocol rule should use the predefined DNS Query (client) protocol.

26. You are the ISA server administrator. You are configuring the SecureNAT Clients to access the Internet. The DNS server used by the clients is located on the internal network. To enable client access to the Internet, which of the following should be done? *A. Create a policy that allows two-way traffic. *B. Create a protocol rule that allows DNS queries from the DNS server to reach external DNS servers. *C. Create a protocol rule that allows DNS queries from the DNS server to reach the Internet root servers. D. Create a protocol rule that denies DNS queries from the DNS server to reach the Internet root servers. Explanation: If the DNS server is located on the internal network, then you will need to create a policy that allows two-way traffic. That is, you will create a protocol rule that allows DNS queries from the DNS server to reach external DNS servers, including the Internet root servers.

The Client Computer 207 27. You are the ISA server administrator. You are configuring the clients for your ISA server security solutions. Which of the following are the Firewall client components?

A. Mspclnt.ini B. Msplat.txt C. The Firewall Client application. D. The firewall server. E. The Web proxy server.

28. Which of the following correctly describe the Mspclnt.ini file?

A. It is a shared file. B. It is maintained by the ISA Server. C. It is maintained by the client. D. It contains client configuration information. E. It contains installation error messages.

208 Chapter 4 27. You are the ISA server administrator. You are configuring the clients for your ISA server security solutions. Which of the following are the Firewall client components?

*A. Mspclnt.ini *B. Msplat.txt *C. The Firewall Client application. D. The firewall server. E. The Web proxy server. Explanation: ISA Server installs the following components on the client computer during client setup: Mspclnt.ini is a shared client configuration file, maintained by ISA Server / Msplat.txt includes a shared client local address table and the local domain table, maintained by ISA Server / The Firewall Client application.

28. Which of the following correctly describe the Mspclnt.ini file?

*A. It is a shared file.

*B. It is maintained by the ISA Server.

C. It is maintained by the client. *D. It contains client configuration information. E. It contains installation error messages. Explanation: ISA Server installs the following components on the client computer during client setup: Mspclnt.ini is a shared client configuration file, maintained by ISA Server / Msplat.txt includes a shared client local address table and the local domain table, maintained by ISA Server / The Firewall Client application.

The Client Computer 209 29. Which of the following correctly describe the Msplat.txt file?

A. It is a shared file. B. It is maintained by the ISA Server. C. It is maintained by the client. D. It contains client local address table. E. It contains server local domain table.

30. Which of the following commands can you use to install the Firewall client software?

A. Setup B. I386 C. Clientconfig D. Fcsetup

210 Chapter 4 29. Which of the following correctly describe the Msplat.txt file?

*A. It is a shared file.

*B. It is maintained by the ISA Server.

C. It is maintained by the client. *D. It contains client local address table. E. It contains server local domain table. Explanation: ISA Server installs the following components on the client computer during client setup: Mspclnt.ini is a shared client configuration file, maintained by ISA Server / Msplat.txt includes a shared client local address table and the local domain table, maintained by ISA Server / The Firewall Client application.

30. Which of the following commands can you use to install the Firewall client software?

*A. Setup B. I386 C. Clientconfig D. Fcsetup Explanation: To Install Firewall Client Software, at a command prompt, type Path\Setup where Path is the path to the shared ISA Server client installation files. Typically, these files are located in Systemroot\Program Files\Microsoft ISA Server\Clients on the ISA Server computer and shared as MSPclnt.

The Client Computer 211 31. You are the ISA server administrator. You are configuring the clients for your ISA server security solutions.

Requests from SecureNAT clients are essentially handled by which of the following services?

A. The Firewall service B. The Winsock Proxy service C. The Web Proxy service D. The Sock Proxy service

32. Which of the following correctly describe the nature of Firewall clients?

A. They run Winsock applications that use the Firewall service of Microsoft Internet Security and Acceleration Server. B. They run Sock applications that use the Firewall service of Microsoft Internet Security and Acceleration Server. C. They run Web Proxy applications that use the Firewall service of Microsoft Internet Security and Acceleration Server. D. They run Firewall applications that use the Firewall service of Microsoft Internet Security and Acceleration Server.

212 Chapter 4 31. You are the ISA server administrator. You are configuring the clients for your ISA server security solutions. Requests from SecureNAT clients are essentially handled by which of the following services? *A. The Firewall service B. The Winsock Proxy service C. The Web Proxy service D. The Sock Proxy service Explanation: Since requests from SecureNAT clients are essentially handled by the Firewall service, SecureNAT clients benefit from the following security features: Application filters can modify the protocol stream to allow handling of complex protocols. In Windows 2000 NAT, this mechanism is accomplished using NAT editors that are written as kernel mode NAT editor drivers in Windows NT. The Firewall service can pass all HTTP requests to the Web Proxy service, which handles caching and ensures that site and content rules are applied appropriately.

32. Which of the following correctly describe the nature of Firewall clients? *A. They run Winsock applications that use the Firewall service of Microsoft Internet Security and Acceleration Server. B. They run Sock applications that use the Firewall service of Microsoft Internet Security and Acceleration Server. C. They run Web Proxy applications that use the Firewall service of Microsoft Internet Security and Acceleration Server. D. They run Firewall applications that use the Firewall service of Microsoft Internet Security and Acceleration Server. Explanation: A Firewall client is a computer with Firewall client software installed and enabled. The Firewall client runs Winsock applications that use the Firewall service of Microsoft Internet Security and Acceleration (ISA) Server.

The Client Computer 213 33. You are the ISA server administrator. You are configuring the clients for your ISA server security solutions. How do you enable Web browser configuration during client setup?

A. In the console tree of ISA Management, click Client Configuration. In the details pane, right-click Web Browser and then click Properties. On the General tab, if clients should be automatically configured when they are set up, select Configure Web browser during Firewall Client setup. Verify that the ISA Server/Array and Port parameters are correct and modify them, if necessary. B. In the console tree of ISA Management, click Proxy Configuration. In the details pane, right-click Web Browser and then click Properties. On the Advanced tab, if clients should be automatically configured when they are set up, select Configure Web browser during Firewall Client setup. Verify that the ISA Server/Array and Port parameters are correct and modify them, if necessary. C. In the console tree of ISA Management, click Client Configuration. In the details pane, right-click Web Browser and then click Properties. On the Setup tab, if clients should be automatically configured when they are set up, select Enable Web browser during Firewall Client setup. Verify that the ISA Server/Array and Port parameters are correct and modify them, if necessary. D. In the console tree of ISA Management, click Client Configuration. In the details pane, right-click Web Browser and then click Properties. On the Setup tab, if clients should be automatically configured when they are set up, select Disable Web browser during Firewall Client setup. Verify that the ISA Server/Array and Port parameters are correct and modify them, if necessary.

214 Chapter 4 33. You are the ISA server administrator. You are configuring the clients for your ISA server security solutions. How do you enable Web browser configuration during client setup?

*A. In the console tree of ISA Management, click Client Configuration. In the details pane, right-click Web Browser and then click Properties. On the General tab, if clients should be automatically configured when they are set up, select Configure Web browser during Firewall Client setup. Verify that the ISA Server/Array and Port parameters are correct and modify them, if necessary. B. In the console tree of ISA Management, click Proxy Configuration. In the details pane, right-click Web Browser and then click Properties. On the Advanced tab, if clients should be automatically configured when they are set up, select Configure Web browser during Firewall Client setup. Verify that the ISA Server/Array and Port parameters are correct and modify them, if necessary. C. In the console tree of ISA Management, click Client Configuration. In the details pane, right-click Web Browser and then click Properties. On the Setup tab, if clients should be automatically configured when they are set up, select Enable Web browser during Firewall Client setup. Verify that the ISA Server/Array and Port parameters are correct and modify them, if necessary. D. In the console tree of ISA Management, click Client Configuration. In the details pane, right-click Web Browser and then click Properties. On the Setup tab, if clients should be automatically configured when they are set up, select Disable Web browser during Firewall Client setup. Verify that the ISA Server/Array and Port parameters are correct and modify them, if necessary. Explanation: To open ISA Management, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.

The Client Computer 215 34. You are the ISA server administrator. How do you configure the Web browser without installing the Firewall client?

A. Open Microsoft Internet Explorer. On the Tools menu, click Internet Options. On the Connections tab, click LAN Settings. Select Use a proxy server. In Address, type the name of an ISA Server computer or array, and then in Port, type a valid port number. B. Open Microsoft Internet Explorer. On the Tools menu, click Internet Options. On the Connections tab, click LAN Settings. Deselect Use a proxy server. C. Open Microsoft Internet Explorer. On the Tools menu, click Internet Options. On the Connections tab, click LAN Settings. Select Use a proxy server. In Address, type the name of the ISA Server computer's default gateway. D. Open Microsoft Internet Explorer. On the Tools menu, click Internet Options. On the Connections tab, click LAN Settings. Select Use a proxy server. In Address, type the name of the ISA array's first server.

216 Chapter 4 34. You are the ISA server administrator. How do you configure the Web browser without installing the Firewall client?

*A. Open Microsoft Internet Explorer. On the Tools menu, click Internet Options. On the Connections tab, click LAN Settings. Select Use a proxy server. In Address, type the name of an ISA Server computer or array, and then in Port, type a valid port number. B. Open Microsoft Internet Explorer. On the Tools menu, click Internet Options. On the Connections tab, click LAN Settings. Deselect Use a proxy server. C. Open Microsoft Internet Explorer. On the Tools menu, click Internet Options. On the Connections tab, click LAN Settings. Select Use a proxy server. In Address, type the name of the ISA Server computer's default gateway. D. Open Microsoft Internet Explorer. On the Tools menu, click Internet Options. On the Connections tab, click LAN Settings. Select Use a proxy server. In Address, type the name of the ISA array's first server. Explanation: A Web Proxy client is a client computer that has a Web browser application, which complies with HTTP 1.1, and which is configured to use the Web Proxy service of ISA Server.

The Client Computer 217 35. Which of the following client OSs are supported for access ISA Server?

A. Windows ME B. Windows 95 C. Windows 98 D. Windows NT 4.0 E. Windows 2000

36. You're setting the web proxy service for a client computer. For a browser to use the web proxy service, it must support:

A. HTTP 1.0 B. HTTP 1.1 C. VBScript D. Challenge and Response authentication E. H.323 Gatekeeper

218 Chapter 4 35. Which of the following client OSs are supported for access ISA Server?

*A. Windows ME *B. Windows 95 *C. Windows 98 *D. Windows NT 4.0 *E. Windows 2000 Explanation: You can install Firewall Client software on client computers that run Windows ME, Windows 95, Windows 98, Windows NT 4.0, or Windows 2000.

36. You're setting the web proxy service for a client computer. For a browser to use the web proxy service, it must support:

A. HTTP 1.0 *B. HTTP 1.1 C. VBScript D. Challenge and Response authentication E. H.323 Gatekeeper Explanation: A Web Proxy client is a client computer that has a Web browser application, which complies with HTTP 1.1, and which is configured to use the Web Proxy service of ISA Server.

Notes:

Using ISA Server 221

Chapter 5: Using ISA Server The objective of this chapter is to provide the reader with an understanding of the following: 1.

Monitor security and network usage by using logging and alerting.

2.

Configure intrusion detection.

3.

Configure an alert to send an e-mail message to an administrator.

4.

Automate alert configuration.

5.

Monitor alert status.

6.

Troubleshoot problems with security and network usage.

7.

Detect connections by using Netstat.

8.

Test the status of external ports by using Telnet or Network Monitor.

9.

Analyze the performance of ISA Server by using reports. Report types include summary, Web usage, application usage, traffic and utilization, and security.

10. Optimize the performance of the ISA Server computer. Considerations include capacity planning, allocation priorities, and trend analysis. 11. Analyze the performance of the ISA Server computer by using Performance Monitor. 12. Analyze the performance of the ISA Server computer by using reporting and logging. 13. Control the total RAM used by ISA Server for caching

222 Chapter 5

Introduction In this chapter we look at the monitoring and reporting strategy for our ISA solutions. You should plan for and document your strategy.

Using ISA Server 223 1. You are the enterprise security administrator for your company's network. You want to provide caching in ISA. You also want to ensure top performance. Which of the following steps should you take?

A. Install 4 drives onto the server. Drive 1 holds Windows 2000. Drive 2 holds ISA Drive 3 holds the cache data. Drive 4 holds the swap space. B. Install 4 drives onto the server. Drive 1 holds Windows 2000. Drive 2 holds ISA and the cache data. Drive 3 and 4 hold the swap space. C. Install 3 drives onto the server. Drive 1 holds Windows 2000 and ISA Drive 2 holds the rules. Drive 3 holds the swap space. D. Install 3 drives onto the server. Drive 1 holds Windows 2000. Drive 2 holds ISA and the cache data. Drive 3 holds the swap space.

2. You are configuring the ISA server to u se caching. How do you modify the "Percentage of available memory to use for caching" setting?

A. In the console tree of ISA Management, right-click Cache Configuration and then click Properties. Go to the Advanced Tab. B. In the console tree of ISA Management, right-click Cache Configuration and then click Cache Properties. Go to the Ratio Tab. C. In the console tree of Active Directory Users and Computers, right-click Cache Configuration and then click Cache Properties. Go to the Advanced Tab. D. In the console tree of MMC, right-click Cache Configuration and then click Cache Properties. Go to Ratio Tab.

224 Chapter 5 1. You are the enterprise security administrator for your company's network. You want to provide caching in ISA. You also want to ensure top performance. Which of the following steps should you take? *A. Install 4 drives onto the server. Drive 1 holds Windows 2000. Drive 2 holds ISA Drive 3 holds the cache data. Drive 4 holds the swap space. B. Install 4 drives onto the server. Drive 1 holds Windows 2000. Drive 2 holds ISA and the cache data. Drive 3 and 4 hold the swap space. C. Install 3 drives onto the server. Drive 1 holds Windows 2000 and ISA Drive 2 holds the rules. Drive 3 holds the swap space. D. Install 3 drives onto the server. Drive 1 holds Windows 2000. Drive 2 holds ISA and the cache data. Drive 3 holds the swap space. Explanation: The best performance is obtained if you use a drive different from the one on which the main Microsoft Internet Security and Acceleration (ISA) Server system and the Windows 2000 operating system are installed.

2. You are configuring the ISA server to u se caching. How do you modify the "Percentage of available memory to use for caching" setting? *A. In the console tree of ISA Management, right-click Cache Configuration and then click Properties. Go to the Advanced Tab. B. In the console tree of ISA Management, right-click Cache Configuration and then click Cache Properties. Go to the Ratio Tab. C. In the console tree of Active Directory Users and Computers, right-click Cache Configuration and then click Cache Properties. Go to the Advanced Tab. D. In the console tree of MMC, right-click Cache Configuration and then click Cache Properties. Go to Ratio Tab. Explanation: On the Advanced tab in Percentage of available memory to use for caching, type a number between 1 and 100 specifying the maximum percentage of memory that should be allocated for caching.

Using ISA Server 225 3. You are the administrator for your company's network. You install ISA Server to protect your network. You configure the server to use caching. What is the valid value range for the "Percentage of available memory to use for caching" setting?

A. 0 - 99 B. 0 - 100 C. 1 - 100 D. 1 - 50 E. 1 - 99

4. You are considering the deployment of ISA server to protect your network. According to the default settings, which of the following is true regarding routing?

A. All Web Proxy client requests are retrieved directly from the Internet. B. All Web Proxy client requests are retrieved directly from the LAN. C. All Web Proxy client requests are discarded. D. All Web Proxy client requests are retrieved indirectly via the DHCP server. E. All web Proxy client requests are retrieved indirectly via the DHCP relay agent.

226 Chapter 5 3. You are the administrator for your company's network. You install ISA Server to protect your network. You configure the server to use caching. What is the valid value range for the "Percentage of available memory to use for caching" setting?

A. 0 - 99 B. 0 - 100 *C. 1 - 100 D. 1 - 50 E. 1 - 99 Explanation: On the Advanced tab in Percentage of available memory to use for caching, type a number between 1 and 100 specifying the maximum percentage of memory that should be allocated for caching.

4. You are considering the deployment of ISA server to protect your network. According to the default settings, which of the following is true regarding routing?

*A. All Web Proxy client requests are retrieved directly from the Internet. B. All Web Proxy client requests are retrieved directly from the LAN. C. All Web Proxy client requests are discarded. D. All Web Proxy client requests are retrieved indirectly via the DHCP server. E. All web Proxy client requests are retrieved indirectly via the DHCP relay agent. Explanation: All Web Proxy client requests are retrieved directly from the Internet.

Using ISA Server 227 5. According to the default alert settings, which of the following alerts are inactive?

A. All port scan attack B. Dropped packets C. Protocol violation D. UDP bomb attack E. TCP bomb attack

6. Which of the following correctly describe an ISA server array?

A. It is a group of ISA Server computers that can be managed as a single, physical entity. B. It is a group of ISA Server computers that can be managed as a single, logical entity. C. It is a group of ISA Server computers that can be run on the same LAN. D. It is a group of ISA Server computers that can be managed on the same subnet. E. It is a group of ISA server computers that can be managed on two different subnets.

228 Chapter 5 5. According to the default alert settings, which of the following alerts are inactive?

*A. All port scan attack *B. Dropped packets *C. Protocol violation *D. UDP bomb attack E. TCP bomb attack Explanation: All alerts except the following are active: All port scan attack, Dropped packets, Protocol violation, and UDP bomb attack.

6. Which of the following correctly describe an ISA server array?

A. It is a group of ISA Server computers that can be managed as a single, physical entity. *B. It is a group of ISA Server computers that can be managed as a single, logical entity. C. It is a group of ISA Server computers that can be run on the same LAN. D. It is a group of ISA Server computers that can be managed on the same subnet. E. It is a group of ISA server computers that can be managed on two different subnets. Explanation: ISA Server computers can be grouped together in arrays. An array is a group of ISA Server computers used to provide fault tolerance, load balancing, and distributed caching. Arrays allow a group of ISA Server computers to be treated and managed as a single, logical entity.

Using ISA Server 229 7. You are setting up an ISA server array. What advantages can be provided by the array for performance maximization?

A. Distributed caching B. Centralized caching C. Aggregated network throughout D. Distributed network throughout

8. Which of the following are the firewall and security features included in ISA?

A. Outgoing access policy. B. Intrusion detection. C. System Security Wizard. D. Application filters. E. VPN support.

230 Chapter 5 7. You are setting up an ISA server array. What advantages can be provided by the array for performance maximization?

*A. Distributed caching B. Centralized caching C. Aggregated network throughout D. Distributed network throughout Explanation: ISA Server computers can be grouped together in arrays. An array is a group of ISA Server computers used to provide fault tolerance, load balancing, and distributed caching. Arrays allow a group of ISA Server computers to be treated and managed as a single, logical entity.

8. Which of the following are the firewall and security features included in ISA?

*A. Outgoing access policy.

*B. Intrusion detection.

*C. System Security Wizard.

*D. Application filters.

*E. VPN support.

Explanation: ISA Server presents you with a comprehensive solution for securing network access.

Using ISA Server 231 9. You are the enterprise security administrator for your company's network. You install An ISA Servers to protect your network. Under which of the following conditions will two network adapters be required?

A. When you are using ISA Server in firewall mode. B. When you are using ISA Server in integrated mode. C. When you are using ISA Server in cache mode. D. When you are using ISA Server on a domain controller.

10. You are installing ISA Servers to protect your network. You want to use the LAT created by ISA. By default, what is this LAT based on?

A. Manual entries. B. Windows 2000 routing table. C. Protocol patterns. D. Packet flow. E. Auto detection.

232 Chapter 5 9. You are the enterprise security administrator for your company's network. You install An ISA Servers to protect your network. Under which of the following conditions will two network adapters be required?

*A. When you are using ISA Server in firewall mode. *B. When you are using ISA Server in integrated mode. C. When you are using ISA Server in cache mode. D. When you are using ISA Server on a domain controller. Explanation: When you are using ISA Server in firewall or integrated mode, two network adapters are required.

10. You are installing ISA Servers to protect your network. You want to use the LAT created by ISA. By default, what is this LAT based on?

A. Manual entries. *B. Windows 2000 routing table. C. Protocol patterns. D. Packet flow. E. Auto detection. Explanation: ISA Server can construct the LAT, based on your Windows 2000 routing table.

Using ISA Server 233 11. View the Graphic to answer this question: You are installing ISA Servers to protect your network. You want to configure LAT as shown in the graphic. Which of the following addresses should be excluded?

A. Internal private addresses. B. External public addresses. C. ISA external interface address. D. External DNS provider address.

234 Chapter 5 11. View the Graphic to answer this question: You are installing ISA Servers to protect your network. You want to configure LAT as shown in the graphic. Which of the following addresses should be excluded?

A. Internal private addresses. *B. External public addresses.

*C. ISA external interface address.

*D. External DNS provider address.

Explanation: When creating an LAT, you should only include addresses on the private network. This means that you should not add the external interface of the ISA Server computer, any Internet sites, or any other external addresses including the DNS server at your Internet service provider, and so forth. An incorrect configuration of the LAT could make your network vulnerable to attacks.

Using ISA Server 235 12. View the Graphic to answer this question: You are installing ISA Servers to protect your network. You want to configure LAT as shown in the graphic. Where are the LAT settings maintained?

A. ISA server B. Active Directory C. Firewall Clients D. Domain Controller

236 Chapter 5 12. View the Graphic to answer this question: You are installing ISA Servers to protect your network. You want to configure LAT as shown in the graphic. Where are the LAT settings maintained?

*A. ISA server B. Active Directory C. Firewall Clients D. Domain Controller Explanation: LAT is maintained centrally at the ISA Server computer. Firewall clients automatically download and receive LAT updates at preset, regular intervals.

Using ISA Server 237 13. Which of the following tools can you use to set up a local ISA Server virtual private network?

A. VPN Wizard B. VPNSet.exe C. Config /vpn D. ISA Configuration Wizard

14. You need to configure and maintain the ISA server services. You want to deploy VPN Setup Wizard. Which of the following are the valid steps you must take?

A. In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up Local ISA VPN Computer. B. In the console tree of ISA Management, click VPN. In the details pane, right-click the applicable server and then click Set up ISA VPN Computer. C. In the console tree of ISA Management, click VPN Servers. In the details pane, rightclick the applicable server and then click Set up Local ISA Computer. - VPN. D. In the console tree of ISA Management, click VPN Servers. In the details pane, rightclick the applicable server and then click Set up Remote ISA Computer - VPN.

238 Chapter 5 13. Which of the following tools can you use to set up a local ISA Server virtual private network? *A. VPN Wizard B. VPNSet.exe C. Config /vpn D. ISA Configuration Wizard Explanation: In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up Local ISA VPN Computer. Follow the directions in the ISA VPN Setup Wizard.

14. You need to configure and maintain the ISA server services. You want to deploy VPN Setup Wizard. Which of the following are the valid steps you must take? *A. In the console tree of ISA Management, click Servers. In the details pane, rightclick the applicable server and then click Set up Local ISA VPN Computer. B. In the console tree of ISA Management, click VPN. In the details pane, rightclick the applicable server and then click Set up ISA VPN Computer. C. In the console tree of ISA Management, click VPN Servers. In the details pane, right-click the applicable server and then click Set up Local ISA Computer. VPN. D. In the console tree of ISA Management, click VPN Servers. In the details pane, right-click the applicable server and then click Set up Remote ISA Computer VPN. Explanation: In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up Local ISA VPN Computer. Follow the directions in the ISA VPN Setup Wizard.

Using ISA Server 239 15. View the Graphic to answer this question: You are implementing VPN on your ISA server computer. You start a wizard as shown in the graphic. You will be prompted to provide which of the following pieces of information?

A. The domain name of the local server B. The computer name of the local server C. The IP address of the router D. The domain or computer name of the remote server

240 Chapter 5 15. View the Graphic to answer this question: You are implementing VPN on your ISA server computer. You start a wizard as shown in the graphic. You will be prompted to provide which of the following pieces of information?

A. The domain name of the local server B. The computer name of the local server C. The IP address of the router *D. The domain or computer name of the remote server Explanation: As part of the Local ISA VPN Setup Wizard, you will be prompted to type the domain or computer name of the remote server, on which the user account for the VPN connection will be created. If the computer is a domain controller, type its domain controller name. Otherwise, type the computer's NetBIOS name.

Using ISA Server 241 16. View the Graphic to answer this question: You are implementing ISA server. The second menu item as shown in the graphic will invoke which of the following?

A. the VPN Wizard B. the Remote VPN Tools C. Config /r /vpn D. ISA Remote Configuration Wizard

242 Chapter 5 16. View the Graphic to answer this question: You are implementing ISA server. The second menu item as shown in the graphic will invoke which of the following?

*A. the VPN Wizard B. the Remote VPN Tools C. Config /r /vpn D. ISA Remote Configuration Wizard Explanation: In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up Remote ISA VPN Computer. Follow the directions in the ISA VPN Wizard.

Using ISA Server 243 17. You are going to configure ISA server services. What steps would you take to proceed with the configuration?

A. In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up Remote ISA VPN Computer. B. In the console tree of ISA Management, click Remote Servers. In the details pane, right-click the applicable server and then click Set up ISA VPN Computer. C. In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up ISA VPN Computer - Remote. D. In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up ISA VPN Computer - Local.

244 Chapter 5 17. You are going to configure ISA server services. What steps would you take to proceed with the configuration?

*A. In the console tree of ISA Management, click Servers. In the details pane, rightclick the applicable server and then click Set up Remote ISA VPN Computer. B. In the console tree of ISA Management, click Remote Servers. In the details pane, right-click the applicable server and then click Set up ISA VPN Computer. C. In the console tree of ISA Management, click Servers. In the details pane, rightclick the applicable server and then click Set up ISA VPN Computer - Remote. D. In the console tree of ISA Management, click Servers. In the details pane, rightclick the applicable server and then click Set up ISA VPN Computer - Local. Explanation: In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up Remote ISA VPN Computer. Follow the directions in the ISA VPN Wizard.

Using ISA Server 245 18. View the Graphic to answer this question: You are implementing ISA server. You need to configure and maintain the ISA server services.

You reside in LAN A.

To configure a VPN, which of the following components will you need?

A. The local VPN wizard B. An ISA Server on the local network C. Internet Service Provider D. The remote VPN wizard E. An ISA Server on the remote network

246 Chapter 5 18. View the Graphic to answer this question: You are implementing ISA server. You need to configure and maintain the ISA server services.

You reside in LAN A.

To configure a VPN, which of the following components will you need?

*A. The local VPN wizard B. An ISA Server on the local network C. Internet Service Provider D. The remote VPN wizard E. An ISA Server on the remote network Explanation: The local VPN wizard runs on ISA Server on the local network. The local ISA VPN computer connects to its Internet Service Provider (ISP). The remote VPN wizard runs on the ISA Server on the remote network. The remote ISA VPN computer connects to its ISP. When a computer on the local network communicates with a computer on the remote network, data is encapsulated and sent through the VPN tunnel. A tunneling protocol (PPTP or L2TP) is used to manage tunnels and encapsulate private data. Data that is tunneled must also be encrypted to be a VPN connection.

Using ISA Server 247 19. You are implementing ISA server. You need to configure and maintain the ISA server services.

You reside in LAN A. To configure a VPN, which of the following indicates the appropriate service placement?

A. The local VPN wizard - LAN A B. The local VPN wizard - ISP C. The local VPN wizard - LAN B D. The remote VPN wizard - LAN B E. The remote VPN wizard - LAN A

248 Chapter 5 19. You are implementing ISA server. You need to configure and maintain the ISA server services.

You reside in LAN A. To configure a VPN, which of the following indicates the appropriate service placement?

*A. The local VPN wizard - LAN A B. The local VPN wizard - ISP C. The local VPN wizard - LAN B *D. The remote VPN wizard - LAN B E. The remote VPN wizard - LAN A Explanation: The local VPN wizard runs on ISA Server on the local network. The local ISA VPN computer connects to its Internet Service Provider (ISP). The remote VPN wizard runs on the ISA Server on the remote network. The remote ISA VPN computer connects to its ISP. When a computer on the local network communicates with a computer on the remote network, data is encapsulated and sent through the VPN tunnel. A tunneling protocol (PPTP or L2TP) is used to manage tunnels and encapsulate private data. Data that is tunneled must also be encrypted to be a VPN connection.

Using ISA Server 249 20. You are implementing ISA server. You need to configure and maintain the ISA server services.

You reside in LAN A. You are configuring a VPN. Which of the following is true?

A. Data that is tunneled does not need to be encrypted for performance reason. B. Data that is tunneled must be encrypted. C. Data must be tunneled. D. Data must be encrypted but tunneling is optional.

250 Chapter 5 20. You are implementing ISA server. You need to configure and maintain the ISA server services.

You reside in LAN A. You are configuring a VPN. Which of the following is true?

A. Data that is tunneled does not need to be encrypted for performance reason. *B. Data that is tunneled must be encrypted. *C. Data must be tunneled. D. Data must be encrypted but tunneling is optional. Explanation: A tunneling protocol (PPTP or L2TP) is used to manage tunnels and encapsulate private data. Data that is tunneled must also be encrypted to be a VPN connection.

Using ISA Server 251 21. You are implementing ISA server. How do you set up ISA Server to accept clientside VPN requests?

A. Via the VPN Wizard B. Via the Client VPN Tools C. Config /c /vpn D. ISA Client Configuration Wizard E. Via the VPN Configuration Wizard

252 Chapter 5 21. You are implementing ISA server. How do you set up ISA Server to accept clientside VPN requests?

*A. Via the VPN Wizard B. Via the Client VPN Tools C. Config /c /vpn D. ISA Client Configuration Wizard E. Via the VPN Configuration Wizard Explanation: In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up Clients to ISA Server VPN.

Using ISA Server 253 22. View the Graphic to answer this question: You are the network administrator of your company. You want to set up ISA Server to accept client-side VPN requests. However, you are unable to set it up via the method shown in the graphic. What are the steps to take in order to set up ISA Server to accept client-side VPN requests?

A. In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up Clients to ISA Server VPN. B. In the console tree of ISA Management, click Clients. In the details pane, right-click the applicable server and then click Set up Clients to ISA Server VPN. C. In the console tree of ISA Management, click VPN Clients. In the details pane, rightclick the applicable server and then click Set up Clients to ISA Server. D. In the console tree of ISA Management, click VPN Clients. In the details pane, rightclick the applicable server and then click Configure Clients to ISA Server VPN.

254 Chapter 5 22. View the Graphic to answer this question: You are the network administrator of your company. You want to set up ISA Server to accept client-side VPN requests. However, you are unable to set it up via the method shown in the graphic. What are the steps to take in order to set up ISA Server to accept client-side VPN requests?

*A. In the console tree of ISA Management, click Servers. In the details pane, rightclick the applicable server and then click Set up Clients to ISA Server VPN. B. In the console tree of ISA Management, click Clients. In the details pane, rightclick the applicable server and then click Set up Clients to ISA Server VPN. C. In the console tree of ISA Management, click VPN Clients. In the details pane, right-click the applicable server and then click Set up Clients to ISA Server. D. In the console tree of ISA Management, click VPN Clients. In the details pane, right-click the applicable server and then click Configure Clients to ISA Server VPN. Explanation: In the console tree of ISA Management, click Servers. In the details pane, right-click the applicable server and then click Set up Clients to ISA Server VPN.

Using ISA Server 255 23. As the ISA specialist, you need to configure and maintain the ISA server services. How do you configure a new routing rule?

A. In the console tree of ISA Management, right-click Routing, point to New, and then click Rule. B. In the console tree of ISA Management, right-click RRAS, point to New, and then click Rule. C. In the console tree of ISA Management, right-click Routing, point to Define, and then click Routing Rule. D. In the console tree of ISA Management, right-click Routing, point to New, and then click New rule.

24. You are busy configuring ISA server services. Which of the following are the valid destination sets to which routing rules can apply?

A. All destinations B. All external destinations C. All internal destinations D. Selected destination set E. All destinations except selected set

256 Chapter 5 23. As the ISA specialist, you need to configure and maintain the ISA server services. How do you configure a new routing rule?

*A. In the console tree of ISA Management, right-click Routing, point to New, and then click Rule. B. In the console tree of ISA Management, right-click RRAS, point to New, and then click Rule. C. In the console tree of ISA Management, right-click Routing, point to Define, and then click Routing Rule. D. In the console tree of ISA Management, right-click Routing, point to New, and then click New rule. Explanation: To define a routing rule, in the console tree of ISA Management, rightclick Routing, point to New, and then click Rule.

24. You are busy configuring ISA server services. Which of the following are the valid destination sets to which routing rules can apply?

*A. All destinations *B. All external destinations *C. All internal destinations *D. Selected destination set *E. All destinations except selected set Explanation: The valid destination sets, which can be applied to routing rules, include all external, internal, selected or unselected destinations set.

Using ISA Server 257 25. You are implementing ISA server. The destination set that you want to specify does not exist. Which of the following can you do?

A. Use an existing set. B. Modify an existing set. C. Create a new set and then select to use it. D. Create a new set only.

26. You are setting routing rules for your ISA server. Which of the following is true when you configure routing rules?

A. You can only specify array-level destination sets for the routing rules. B. You can specify destination sets of all levels for the routing rules. C. You can only specify array-level destination sets for the routing rules if the keyword destset is set to 3. D. You can only specify array-level destination sets for the routing rules if the keyword destset is set to True.

258 Chapter 5 25. You are implementing ISA server. The destination set that you want to specify does not exist. Which of the following can you do?

A. Use an existing set. B. Modify an existing set. *C. Create a new set and then select to use it. D. Create a new set only. Explanation: You can click New to create a new set and then select it in the list.

26. You are setting routing rules for your ISA server. Which of the following is true when you configure routing rules?

*A. You can only specify array-level destination sets for the routing rules. B. You can specify destination sets of all levels for the routing rules. C. You can only specify array-level destination sets for the routing rules if the keyword destset is set to 3. D. You can only specify array-level destination sets for the routing rules if the keyword destset is set to True. Explanation: You can only specify array-level destination sets for the routing rules.

Using ISA Server 259 27. View the Graphic to answer this question:

Which of the following correctly describe a destination in the rule shown in the picture?

A. A destination is a computer name, IP address, or IP range. B. A destination is a computer name. C. A destination can include a cached entry. D. A destination can include a path. E. A destination can include a file.

260 Chapter 5 27. View the Graphic to answer this question:

Which of the following correctly describe a destination in the rule shown in the picture?

*A. A destination is a computer name, IP address, or IP range. B. A destination is a computer name. C. A destination can include a cached entry. *D. A destination can include a path. E. A destination can include a file. Explanation: A destination is a computer name, IP address, or IP range, and can include a path. Destination sets include one or more computers or folders on specific computers.

Using ISA Server 261 28. Which of the following correctly describe a destination set in the ISA routing rule?

A. A destination set is an IP range. B. A destination set is a computer group name. C. A destination set includes one or more computers. D. A destination set includes one or more folders on specific computers. E. A destination set includes one or more client IPs.

262 Chapter 5 28. Which of the following correctly describe a destination set in the ISA routing rule?

A. A destination set is an IP range. B. A destination set is a computer group name. *C. A destination set includes one or more computers.

*D. A destination set includes one or more folders on specific computers.

E. A destination set includes one or more client IPs. Explanation: A destination is a computer name, IP address, or IP range, and can include a path. Destination sets include one or more computers or folders on specific computers.

Using ISA Server 263 29. You are configuring and maintaining the ISA server services. When you specify a destination, which of the following formats will you use to include a specific directory in the destination set?

A. /dir B. /dir/* C. /dir/filename D. /dir/! E. /dir/:

30. You are setting up an ISA Server computer for your company's network. When you specify a destination, which of the following formats will you use to include all the files in a directory?


264 Chapter 5 29. You are configuring and maintaining the ISA server services. When you specify a destination, which of the following formats will you use to include a specific directory in the destination set?

*A. /dir B. /dir/* C. /dir/filename D. /dir/! E. /dir/: Explanation: Use this format when you specify a destination: To include a specific directory in the destination set, use this format /dir.

30. You are setting up an ISA Server computer for your company's network. When you specify a destination, which of the following formats will you use to include all the files in a directory?

A. /dir *B. /dir/* C. /dir/filename D. /dir/! E. /dir/: Explanation: Use this format when you specify a destination: To include all the files in a directory, use this format /dir/*.

Using ISA Server 265 31. You are the ISA server administrator of your company. You are setting up an ISA Server computer for your company's network. When you specify a destination, which of the following formats will you use to select a specific file in a directory?


32. You are the ISA server administrator of your company. You need to configure and maintain the ISA server services. Which of the following rules can be used to specify destination sets?

A. Site and content rules. B. Bandwidth rules. C. Web publishing rules. D. Routing rules. E. Server Publishing rules.

266 Chapter 5 31. You are the ISA server administrator of your company. You are setting up an ISA Server computer for your company's network. When you specify a destination, which of the following formats will you use to select a specific file in a directory?

A. /dir B. /dir/* *C. /dir/filename D. /dir/! E. /dir/: Explanation: Use this format when you specify a destination: To select a specific file in a directory, use this format /dir/filename.

32. You are the ISA server administrator of your company. You need to configure and maintain the ISA server services. Which of the following rules can be used to specify destination sets?

*A. Site and content rules.

*B. Bandwidth rules.

*C. Web publishing rules.

*D. Routing rules.

E. Server Publishing rules. Explanation: The following rules can specify destination sets: Site and content rules / Bandwidth rules / Web publishing rules / Routing rules.

Using ISA Server 267 33. View the Graphic to answer this question: As the ISA server administrator, you are setting up an ISA Server computer for your company's network. In which of the following rules will non-internal computers usually be included in the destination sets as shown in the graphic?

A. Site and content rules. B. Bandwidth rules. C. Web publishing rules. D. Routing rules. E. Server publishing rules.

268 Chapter 5 33. View the Graphic to answer this question: As the ISA server administrator, you are setting up an ISA Server computer for your company's network. In which of the following rules will non-internal computers usually be included in the destination sets as shown in the graphic?

*A. Site and content rules. *B. Bandwidth rules. C. Web publishing rules. D. Routing rules. E. Server publishing rules. Explanation: The following rules can specify destination sets: Site and content rules / Bandwidth rules / Web publishing rules / Routing rules. For site and content rules and bandwidth rules, destination sets usually include computers that are not on your internal network. For Web publishing rules, destination sets usually include computers on your internal network. For routing rules, destination sets include external computers (on the Internet). For rules that route outgoing Web requests Routing rules that route incoming Web requests include internal computers.

Using ISA Server 269 34. As the ISA server administrator, you need to configure and maintain the ISA server services. In which of the following rules will external computers usually be excluded in the destination sets?

A. Site and content rules. B. Bandwidth rules. C. Web publishing rules. D. Routing rules. E. Server publishing rules.

270 Chapter 5 34. As the ISA server administrator, you need to configure and maintain the ISA server services. In which of the following rules will external computers usually be excluded in the destination sets?

A. Site and content rules. B. Bandwidth rules. *C. Web publishing rules. D. Routing rules. E. Server publishing rules. Explanation: For site and content rules and bandwidth rules, destination sets usually include computers that are not on your internal network. For Web publishing rules, destination sets usually include computers on your internal network. For routing rules, destination sets include external computers (on the Internet). For rules that route outgoing Web requests. For Routing, rules that route incoming Web requests include internal computers.

Using ISA Server 271 35. You are the ISA server administrator of your company. You are configuring client address sets for your ISA server. Which of the following correctly describe the client address sets?

A. They include one or more computers. B. They include one or more user groups. C. They include one or more users. D. They include one or more subnets.

36. As the ISA server administrator, you are setting up an ISA Server computer for your company's network. Which of the following are the valid client address sets in which rules can be applied?

A. Specific client address set. B. All addresses except specified address sets. C. One or more users. D. All subnets.

272 Chapter 5 35. You are the ISA server administrator of your company. You are configuring client address sets for your ISA server. Which of the following correctly describe the client address sets?

*A. They include one or more computers. B. They include one or more user groups. C. They include one or more users. D. They include one or more subnets. Explanation: You can apply rules to one or more specific client address set or to all addresses except the specified client address sets.

36. As the ISA server administrator, you are setting up an ISA Server computer for your company's network. Which of the following are the valid client address sets in which rules can be applied?

*A. Specific client address set.

*B. All addresses except specified address sets.

C. One or more users. D. All subnets. Explanation: You can apply rules to one or more specific client address set or to all addresses except the specified client address sets.

Using ISA Server 273 37. As the ISA server administrator, you are setting up an ISA Server computer for your company's network. Which of the following rules can specify client address sets?

A. Site and content rules. B. Protocol rules. C. Bandwidth rules. D. Server publishing rules. E. Web publishing rules.

38. You are the server security specialist. You are setting up an ISA Server computer for your company's network. You need to create rules for use with client address sets. In the rules, how can clients be specified?

A. User name B. Community C. Domain D. IP address E. Windows 2000 group

274 Chapter 5 37. As the ISA server administrator, you are setting up an ISA Server computer for your company's network. Which of the following rules can specify client address sets? *A. Site and content rules.

*B. Protocol rules.

*C. Bandwidth rules.

*D. Server publishing rules.

*E. Web publishing rules.

Explanation: Client address sets include one or more computers. You can apply rules to

one or more specific client address set or to all addresses except the specified client address sets. The following rules can specify client address sets: Site and content rules / Protocol rules / Bandwidth rules / Server publishing rules / Web publishing rules.

38. You are the server security specialist. You are setting up an ISA Server computer for your company's network. You need to create rules for use with client address sets. In the rules, how can clients be specified?

*A. User name B. Community C. Domain *D. IP address E. Windows 2000 group Explanation: When you create rules, you can specify to which internal clients the rule is applied. Clients can be specified either by user name or by Internet protocol (IP) address. For secure network address translation (SecureNAT) clients, you must specify clients by IP address. You can create client address sets, which group client computers by IP address. For Firewall clients, when you specify clients by user name, you can use the Windows 2000 groups.

Using ISA Server 275 39. You are the server security specialist. You are configuring SecureNAT settings. Using the rules, SecureNAT clients can be specified by which of the following?

A. User name B. Community C. Domain D. IP address E. Windows 2000 group

276 Chapter 5 39. You are the server security specialist. You are configuring SecureNAT settings. Using the rules, SecureNAT clients can be specified by which of the following?

A. User name B. Community C. Domain *D. IP address E. Windows 2000 group Explanation: When you create rules, you can specify to which internal clients the rule is applied. Clients can be specified either by user name or by Internet protocol (IP) address. For secure network address translation (SecureNAT) clients, you must specify clients by IP address. You can create client address sets, which group client computers by IP address. For Firewall clients, when you specify clients by user name, you can use the Windows 2000 groups.

Using ISA Server 277 40. View the Graphic to answer this question: As the ISA server administrator, you are configuring rules settings. You need to create rules for use with the item shown in the graphic. In the rules, how are Firewall clients specified?

A. User name B. Community C. Domain D. Windows 2000 group E. Windows 2000 groups

278 Chapter 5 40. View the Graphic to answer this question: As the ISA server administrator, you are configuring rules settings. You need to create rules for use with the item shown in the graphic. In the rules, how are Firewall clients specified?

*A. User name B. Community C. Domain *D. Windows 2000 group E. Windows 2000 groups Explanation: When you create rules, you can specify to which internal clients the rule is applied. Clients can be specified either by user name or by Internet protocol (IP) address. For secure network address translation (SecureNAT) clients, you must specify clients by IP address. You can create client address sets, which group client computers by IP address. For Firewall clients, when you specify clients by user name, you can use the Windows 2000 groups.

Using ISA Server 279 41. View the Graphic to answer this question: As the ISA server administrator, you need to configure and maintain the ISA server services. You need to configure the options as shown in the graphic. Which of the following are the valid steps to take?

A. Enable fast kernel mode. B. Create a DNS Service location (SRV) resource record on your external DNS server so that proxies outside of your organization can locate your ISA Server computer. C. Enable H.323 protocol access. D. Specify when the H.323 protocol can be accessed. E. Add H.323 Gatekeeper to your ISA Server computer.

280 Chapter 5 41. View the Graphic to answer this question: As the ISA server administrator, you need to configure and maintain the ISA server services. You need to configure the options as shown in the graphic. Which of the following are the valid steps to take?

*A. Enable fast kernel mode. *B. Create a DNS Service location (SRV) resource record on your external DNS server so that proxies outside of your organization can locate your ISA Server computer. *C. Enable H.323 protocol access. *D. Specify when the H.323 protocol can be accessed. *E. Add H.323 Gatekeeper to your ISA Server computer. Explanation: You need to first enable fast kernel mode, then enable H.323 protocol access, specify when it can be accessed, and finally add the H.323 Gatekeeper to your ISA Server computer.

Using ISA Server 281 42. You are the ISA server administrator of your company. You need to configure and maintain the ISA server services. You need to configure the H323 Gatekeeper. Which of the following is the FIRST step to take?

A. Enable H.323 protocol access. B. Specify when the H.323 protocol can be accessed. C. Create a DNS Service location (SRV) resource record on your external DNS server so that proxies outside of your organization can locate your ISA Server computer. D. Add H.323 Gatekeeper to your ISA Server computer. E. Enable fast kernel mode.

282 Chapter 5 42. You are the ISA server administrator of your company. You need to configure and maintain the ISA server services. You need to configure the H323 Gatekeeper. Which of the following is the FIRST step to take?

*A. Enable H.323 protocol access. B. Specify when the H.323 protocol can be accessed. C. Create a DNS Service location (SRV) resource record on your external DNS server so that proxies outside of your organization can locate your ISA Server computer. D. Add H.323 Gatekeeper to your ISA Server computer. E. Enable fast kernel mode. Explanation: All the choices in the question are the valid steps for setting up a H323 Gatekeeper.

Using ISA Server 283 43. You are the server security specialist. You need to configure and maintain the ISA server services. You need to configure the H323 Gatekeeper. Which of the following is the LAST step to take?

A. Enable H.323 protocol access. B. Specify when the H.323 protocol can be accessed. C. Create a DNS Service location (SRV) resource record on your external DNS server so that proxies outside of your organization can locate your ISA Server computer. D. Enable fast kernel mode. E. Add H.323 Gatekeeper to your ISA Server computer.

44. You are the server security specialist. How do you configure the DNS server so that proxies outside of your organization can locate your ISA Server computer?

A. Create a DNS Service location (SRV) resource record on your external DNS server B. Create a DNS PTR record on your external DNS server C. Create a DNS Service location (SRV) resource record on your internal DNS server D. Create a DNS RPTR resource record on your internal DNS server E. Create a DNS a resource record (A Record) on your internal DNS server

284 Chapter 5 43. You are the server security specialist. You need to configure and maintain the ISA server services. You need to configure the H323 Gatekeeper. Which of the following is the LAST step to take?

A. Enable H.323 protocol access. B. Specify when the H.323 protocol can be accessed. C. Create a DNS Service location (SRV) resource record on your external DNS server so that proxies outside of your organization can locate your ISA Server computer. *D. Enable fast kernel mode. E. Add H.323 Gatekeeper to your ISA Server computer. Explanation: All the choices in the question are the valid steps for setting up a H323 Gatekeeper.

44. You are the server security specialist. How do you configure the DNS server so that proxies outside of your organization can locate your ISA Server computer?

*A. Create a DNS Service location (SRV) resource record on your external DNS server B. Create a DNS PTR record on your external DNS server C. Create a DNS Service location (SRV) resource record on your internal DNS server D. Create a DNS RPTR resource record on your internal DNS server E. Create a DNS a resource record (A Record) on your internal DNS server Explanation: The keywords here are SRV and EXTERNAL. A SRV record is needed for ISA

Using ISA Server 285 45. View the Graphic to answer this question: You are the server security specialist. You need to configure and maintain the ISA server services. How do you enable the protocol rule for the protocol filter shown in the graphic?

A. Via the ISA Administration Tool. B. Via the H323 Wizard C. Via the H323 Protocol Tools D. Config /r /vpn

286 Chapter 5 45. View the Graphic to answer this question: You are the server security specialist. You need to configure and maintain the ISA server services. How do you enable the protocol rule for the protocol filter shown in the graphic?

*A. Via the ISA Administration Tool. B. Via the H323 Wizard C. Via the H323 Protocol Tools D. Config /r /vpn Explanation: To enable the H.323 protocol rule, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Administration Tool.

Using ISA Server 287 46. You are the ISA server administrator. You need to configure and maintain the ISA server services. How do you control access to the H323 protocol rule?

A. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Administration Tool. In the console tree, double-click Arrays, double-click the applicable server, double-click Extensions, and then click Firewall Filters. In the details pane, right-click H.323 Filter, and then click Properties. On the General tab, select the Enable this filter check box. B. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Administration Tool. In the console tree, double-click Arrays, double-click the applicable server, double-click Filters. In the details pane, right-click H.323 Filter, and then click Properties. On the Filter tab, select the Enable this filter check box. C. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Administration Tool. In the console tree, double-click Arrays, double-click the applicable server, double-click Extensions, and then click Firewall Filters. In the details pane, right-click H.323 Filter, and then click Settings. On the Common tab, select the Enable this filter check box. D. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management Tool. In the console tree, double-click Arrays, double-click the applicable server, double-click Extensions, and then click Firewall Filters. In the details pane, right-click H.323 Filter, and then click Settings. On the Common tab, select the Enable this filter check box.

288 Chapter 5 46. You are the ISA server administrator. You need to configure and maintain the ISA server services. How do you control access to the H323 protocol rule?

*A. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Administration Tool. In the console tree, double-click Arrays, double-click the applicable server, double-click Extensions, and then click Firewall Filters. In the details pane, right-click H.323 Filter, and then click Properties. On the General tab, select the Enable this filter check box. B. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Administration Tool. In the console tree, double-click Arrays, double-click the applicable server, double-click Filters. In the details pane, right-click H.323 Filter, and then click Properties. On the Filter tab, select the Enable this filter check box. C. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Administration Tool. In the console tree, double-click Arrays, double-click the applicable server, double-click Extensions, and then click Firewall Filters. In the details pane, right-click H.323 Filter, and then click Settings. On the Common tab, select the Enable this filter check box. D. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management Tool. In the console tree, double-click Arrays, double-click the applicable server, double-click Extensions, and then click Firewall Filters. In the details pane, right-click H.323 Filter, and then click Settings. On the Common tab, select the Enable this filter check box. Explanation: Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Administration Tool. In the console tree, double-click Arrays, double-click the applicable server, double-click Extensions, and then click Firewall Filters. In the details pane, right-click H.323 Filter, and then click Properties. On the General tab, select the Enable this filter check box.

Using ISA Server 289 47. You are the server security specialist. You are configuring access control to the H323 protocol rule. Which of the following options can be permitted given appropriate configurations?

A. DNS gatekeeper lookup B. Audio calls C. Video calls D. T.120 data sharing E. T.120 application sharing

48. You are the ISA server administrator of your company. You are configuring ISA server services. How do you create a phone number call routing rule?

A. Via the ISA Administration Tool's Add Routing Rule wizard B. Via the H323 Wizard's Add Routing Rule tool C. Via the H323 Protocol Tools D. Config /route add

290 Chapter 5 47. You are the server security specialist. You are configuring access control to the H323 protocol rule. Which of the following options can be permitted given appropriate configurations?

*A. DNS gatekeeper lookup *B. Audio calls *C. Video calls *D. T.120 data sharing *E. T.120 application sharing Explanation: To enable DNS gatekeeper lookup, click Use DNS gatekeeper lookup and LRQs for alias resolution. To permit audio calls, click Allow audio. To permit video calls, click Allow video. To permit T.120 data and application sharing, click Allow T120 and application sharing.

48. You are the ISA server administrator of your company. You are configuring ISA server services. How do you create a phone number call routing rule?

*A. Via the ISA Administration Tool's Add Routing Rule wizard B. Via the H323 Wizard's Add Routing Rule tool C. Via the H323 Protocol Tools D. Config /route add Explanation: Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Administration Tool. In the console tree, double-click H323 Gatekeepers, double-click the applicable server, and then double-click Call routing. Right-click Phone number rules, and then click Add routing rule.

Using ISA Server 291 49. You are a network security administrator. You are configuring ISA server services. To allow for full Netmeeting capability, which of the following services / facilities are needed by ISA?

A. H.323 Gatekeeper B. H.323 protocol filter C. RRAS D. Remote Access Manager E. RAS

50. You are a network security administrator. You are configuring ISA server services. To allow for full Netmeeting capability, which of components need to be installed given the fact that you have completed a full installation of ISA?

A. H.323 Gatekeeper B. H.323 Driver C. RRAS D. Remote Access Manager E. None of the choices

292 Chapter 5 49. You are a network security administrator. You are configuring ISA server services. To allow for full Netmeeting capability, which of the following services / facilities are needed by ISA? *A. H.323 Gatekeeper *B. H.323 protocol filter C. RRAS D. Remote Access Manager E. RAS Explanation: H.323 Gatekeeper works together with the H.323 protocol filter to support full communications capabilities when using applications that are compliant with H.323 Gatekeeper such as NetMeeting 3.0 or higher. H.323 Gatekeeper provides directory and call-routing services to registered H.323 clients. You can use H.323 Gatekeeper to register clients in a registration database, allowing clients to use wellknown aliases while using connections compliant with the H.323 standard, including NetMeeting 3.0 or higher. All inbound calls to a registered H.323 client's wellknown alias require the H.323 Gatekeeper service. Outbound calls that need translation services require H.323 Gatekeeper.

50. You are a network security administrator. You are configuring ISA server services. To allow for full Netmeeting capability, which of components need to be installed given the fact that you have completed a full installation of ISA? A. H.323 Gatekeeper B. H.323 Driver C. RRAS D. Remote Access Manager *E. None of the choices Explanation: If you choose Full Installation when installing Microsoft Internet Security and Acceleration (ISA) Server, H.323 Gatekeeper is automatically installed.

Using ISA Server 293 51. How do you setup ISA to allow for full Netmeeting capability, given the fact that you want to proceed with a custom installation of ISA?

A. Select the Proxy Service Add-in Services check box and the Administration Tools check box to be able to administer H.323 Gatekeeper. B. Highlight Administration Tools and select the Change Option. C. Select the Administration Tools check box and the H.323 Gatekeeper Administration Tool check box. D. Select the Management Tools check box and the H.323 Gatekeeper Administration Tool check box.

52. You are a network security administrator. You are configuring ISA server services. Which of the following tools can you use to stop or start the H.323 Gatekeeper service?

A. H323 Wizard B. H323 Management Console C. ISA Management D. Net H323 start and Net H323 stop E. Net H323 stop and Net H323 start

294 Chapter 5 51. How do you setup ISA to allow for full Netmeeting capability, given the fact that you want to proceed with a custom installation of ISA?

*A. Select the Proxy Service Add-in Services check box and the Administration Tools check box to be able to administer H.323 Gatekeeper. *B. Highlight Administration Tools and select the Change Option. *C. Select the Administration Tools check box and the H.323 Gatekeeper Administration Tool check box. D. Select the Management Tools check box and the H.323 Gatekeeper

Administration Tool check box.

Explanation: If you choose Custom Installation, you must select the Proxy Service Addin Services check box and the Administration Tools check box to be able to administer H.323 Gatekeeper. You will need to highlight Administration Tools and select the Change Option. Be certain to select the Administration Tools check box and the H.323 Gatekeeper Administration Tool check box.

52. You are a network security administrator. You are configuring ISA server services. Which of the following tools can you use to stop or start the H.323 Gatekeeper service?

A. H323 Wizard B. H323 Management Console *C. ISA Management D. Net H323 start and Net H323 stop E. Net H323 stop and Net H323 start Explanation: You can use ISA Management to monitor H.323 Gatekeeper service status. Similarly, you can use ISA Management to stop or start the H.323 Gatekeeper service.

Using ISA Server 295 53. Which of the following are the endpoints of a H323 transaction?

A. H.323 client B. Proxy server C. ISA Server computer D. Gateway E. Gatekeeper

54. You are a network security administrator. You need to configure and maintain the H.323 Gatekeeper. H323 endpoints typically register with the H.323 Gatekeeper uses which of the following methods?

A. H323 Wizard B. H323 Management Console C. ISA Management D. H323 RAS

296 Chapter 5 53. Which of the following are the endpoints of a H323 transaction?

*A. H.323 client *B. Proxy server *C. ISA Server computer *D. Gateway E. Gatekeeper Explanation: Every H.323 transaction has two endpoints, an origination endpoint and a destination endpoint. An endpoint can be an H.323 client (for example, a terminal running NetMeeting), a proxy server (such as an ISA Server computer), or a gateway.

54. You are a network security administrator. You need to configure and maintain the H.323 Gatekeeper. H323 endpoints typically register with the H.323 Gatekeeper uses which of the following methods?

A. H323 Wizard B. H323 Management Console C. ISA Management *D. H323 RAS Explanation: Endpoints typically register with the H.323 Gatekeeper using H.323 Registration, Admission, and Status (H.323 RAS). You can use the H.323 Gatekeeper snap-in to add a static registration to endpoints that do not support H.323 RAS registration.

Using ISA Server 297 55. You are the ISA server administrator of your company. You need to configure and maintain the H.323 Gatekeeper. Which of the following tools do you use to add a static registration to endpoints that do not support H.323 RAS registration?

A. H323 Wizard B. H323 Management Console C. ISA Management D. H323 RAS E. H.323 Gatekeeper snap-in

298 Chapter 5 55. You are the ISA server administrator of your company. You need to configure and maintain the H.323 Gatekeeper. Which of the following tools do you use to add a static registration to endpoints that do not support H.323 RAS registration?

A. H323 Wizard B. H323 Management Console C. ISA Management D. H323 RAS *E. H.323 Gatekeeper snap-in Explanation: Endpoints typically register with the H.323 Gatekeeper using H.323 Registration, Admission, and Status (H.323 RAS). You can use the H.323 Gatekeeper snap-in to add a static registration to endpoints that do not support H.323 RAS registration.

Using ISA Server 299 56. View the Graphic to answer this question: You are the ISA server administrator of your company. You are configuring some ISA Server options as shown in the graphic. Which of the following are the valid endpoint attributes for this type of protocol?

A. List of Q931 addresses for the endpoint B. List of H.323 RAS addresses for the endpoint C. List of Aliases D. List of Alias names

300 Chapter 5 56. View the Graphic to answer this question: You are the ISA server administrator of your company. You are configuring some ISA Server options as shown in the graphic. Which of the following are the valid endpoint attributes for this type of protocol?

*A. List of Q931 addresses for the endpoint *B. List of H.323 RAS addresses for the endpoint *C. List of Aliases D. List of Alias names Explanation: When you register an endpoint using H.323 RAS, the following attributes are specified: List of Q931 addresses for the endpoint, List of H.323 RAS addresses for the endpoint, and List of Aliases.

Using ISA Server 301 57. You are a network security administrator. You need to configure and maintain the H.323 Gatekeeper. Which of the following are the valid fields of a H323 endpoint alias?

A. Type B. Name C. Source D. Destination E. IP

58. You are troubleshooting the ISA server c onfiguration and deployment for your company. The ISA server cannot allocate the required ports. Which of the following are the likely causes?

A. Port allocation conflict B. More than one service has requested to bind with a specific port on the external interface C. Memory limitation D. Resource low E. IRQ conflicts

302 Chapter 5 57. You are a network security administrator. You need to configure and maintain the H.323 Gatekeeper. Which of the following are the valid fields of a H323 endpoint alias?

*A. Type *B. Name C. Source D. Destination E. IP Explanation: An alias consists of two fields, a type and a name, where the type would be E164, H.323-ID or E-Mail-ID

58. You are troubleshooting the ISA server c onfiguration and deployment for your company. The ISA server cannot allocate the required ports. Which of the following are the likely causes?

*A. Port allocation conflict *B. More than one service has requested to bind with a specific port on the external interface C. Memory limitation D. Resource low E. IRQ conflicts Explanation: There is an allocation conflict for a port - more than one service on the Microsoft Internet Security and Acceleration (ISA) Server computer, possibly including ISA Server itself, requested to bind with a specific port on the external interface.

Using ISA Server 303 59. You are troubleshooting the ISA server c onfiguration and deployment for your company. The server cannot allocate the required ports for use by ISA.

How would you avoid the problem?

A. Stop additional services on the primary firewall. B. Bind the competing server to the internal interface. C. Ensure that only ISA Server listens on the external interface. D. Ensure that only ISA Server listens on the internal interface.

60. You're troubleshooting the connections of the SecureNAT clients. The connections are VERY slow. How do you resolve the problem?

A. Remove any filter. B. Enable IP packet forwarding. C. Enable dynamic packet filtering. D. Restart the server and clear the cache. E. Reset the TTL value.

304 Chapter 5 59. You are troubleshooting the ISA server c onfiguration and deployment for your company. The server cannot allocate the required ports for use by ISA.

How would you avoid the problem?

*A. Stop additional services on the primary firewall.

*B. Bind the competing server to the internal interface.

*C. Ensure that only ISA Server listens on the external interface.

D. Ensure that only ISA Server listens on the internal interface. Explanation: There is an allocation conflict for a port - more than one service on the Microsoft Internet Security and Acceleration (ISA) Server computer, possibly including ISA Server itself, requested to bind with a specific port on the external interface.

60. You're troubleshooting the connections of the SecureNAT clients. The connections are VERY slow. How do you resolve the problem?

A. Remove any filter. *B. Enable IP packet forwarding. *C. Enable dynamic packet filtering. D. Restart the server and clear the cache. E. Reset the TTL value. Explanation: You should enable IP packet forwarding. When IP forwarding is available, you should also make dynamic packet filtering available.

Using ISA Server 305 61. View the Graphic to answer this question: You are troubleshooting the ISA server configuration and deployment for your company. The ISA clients shown in the graphic cannot dial out to the Internet via the modems. How do you fix the problem?

A. Remove the firewall client. B. Reinstall the firewall client. C. Disable all filtering. D. Enable modem auto detection. E. Enable modem autodial.

306 Chapter 5 61. View the Graphic to answer this question: You are troubleshooting the ISA server configuration and deployment for your company. The ISA clients shown in the graphic cannot dial out to the Internet via the modems. How do you fix the problem?

*A. Remove the firewall client. B. Reinstall the firewall client. C. Disable all filtering. D. Enable modem auto detection. E. Enable modem autodial. Explanation: If the Firewall Client is available, then the Firewall client will not be able to dial out directly to the Internet.

Using ISA Server 307 62. You are managing the deployment of ISA server in your network. Somehow, the internal connections are very slow for the firewall clients. Which of the following is the likely cause?

A. Clients are unable to resolve local names using an external DNS server because the external DNS server may not have the correct records needed. B. The default gateway is over utilized. C. The firewall clients have incorrect TTL settings. D. The firewall clients have incorrect subnet mask settings. E. The firewall clients have incorrect default gateway settings.

308 Chapter 5 62. You are managing the deployment of ISA server in your network. Somehow, the internal connections are very slow for the firewall clients. Which of the following is the likely cause?

*A. Clients are unable to resolve local names using an external DNS server because the external DNS server may not have the correct records needed. B. The default gateway is over utilized. C. The firewall clients have incorrect TTL settings. D. The firewall clients have incorrect subnet mask settings. E. The firewall clients have incorrect default gateway settings. Explanation: The client must waste time waiting for the queries to the DNS server to time out before trying other methods of name resolution.

Using ISA Server 309 63. You are an ISA server administrator. The internal connections are very slow for the firewall clients. Which of the following are valid measures to fix the problem?

A. Configure an internal DNS server with the names and addresses of all internal hosts. B. Clients using the Firewall service should not be configured with a DNS server address. C. Create an IP packet filter that uses DNS Lookup to allow the ISA Server computer to send out DNS name queries for Internet names. D. Create an IP packet filter that uses DNS lookup to deny the ISA Server computer to send out DNS name queries for Internet names.

64. You are managing the deployment of ISA server in your network. Your assistant reports that the SecureNAT clients fail to connect to the Internet. How would you solve the problem?

A. Configure the default gateway. B. Configure the DNS server. C. Configure the IP address mask. D. Configure the packet filter rule.

310 Chapter 5 63. You are an ISA server administrator. The internal connections are very slow for the firewall clients. Which of the following are valid measures to fix the problem? *A. Configure an internal DNS server with the names and addresses of all internal hosts. *B. Clients using the Firewall service should not be configured with a DNS server address. *C. Create an IP packet filter that uses DNS Lookup to allow the ISA Server computer to send out DNS name queries for Internet names. D. Create an IP packet filter that uses DNS lookup to deny the ISA Server computer to send out DNS name queries for Internet names. Explanation: An internal DNS server should be configured with the names and addresses of all internal hosts. The clients using the Firewall service should not be configured with a DNS server address. All client name resolution requests are automatically handled by the ISA Server computer. In addition, if packet filtering is operating, create an IP packet filter that uses DNS Lookup (a predefined filter) to allow the ISA Server computer to send out DNS name queries for Internet names.

64. You are managing the deployment of ISA server in your network. Your assistant reports that the SecureNAT clients fail to connect to the Internet. How would you solve the problem? *A. Configure the default gateway. *B. Configure the DNS server. C. Configure the IP address mask. D. Configure the packet filter rule. Explanation: If SecureNAT clients are not configured properly, then the ISA Server will not be able to connect them to the Internet. The Solutions: Configure the default gateway and configure the DNS server.

Using ISA Server 311 65. You are the ISA server administrator of your company. One of your clients fails to connect to a SSL site on the Internet. Which of the following is likely the cause?

A. The client attempts to connect to a secure site that is running on port 443. B. The client attempts to connect to a secure site that is running on port 563. C. The client attempts to connect to a secure site that is running on a port other the 443. D. The client attempts to connect to a secure site that is running on a port other the 563.

66. You are managing the deployment of ISA server in your network. One of the clients fails to connect to a SSL site on the Internet. Connections to other sites are working fine. You can connect to the same site if bypassing ISA. How would you solve the problem?

A. Modify the ISA Administration COM object ProxyTunnelPort to allow tunneling on additional ports. B. Modify the ISA Administration COMobject FPCProxyTunnelPortRange to allow tunneling on additional ports. C. Restart the ISA server. D. Clear the ISA server cache. E. Reconfigure the client's subnet mask.

312 Chapter 5 65. You are the ISA server administrator of your company. One of your clients fails to connect to a SSL site on the Internet. Which of the following is likely the cause? A. The client attempts to connect to a secure site that is running on port 443. B. The client attempts to connect to a secure site that is running on port 563. *C. The client attempts to connect to a secure site that is running on a port other the 443. *D. The client attempts to connect to a secure site that is running on a port other the 563. Explanation: When a client connects through the Web Proxy service to a secure Web site (HTTPS), ISA Server must open a tunnel for the traffic, since the traffic is encrypted end-to-end. By default, ISA Server only allows tunnel connections to ports 443 (HTTPS) and 563 (Secure-News). If a client attempts to connect to a secure site that is running on a port other the 443 or 563, the connection fails.

66. You are managing the deployment of ISA server in your network. One of the clients fails to connect to a SSL site on the Internet. Connections to other sites are working fine. You can connect to the same site if bypassing ISA. How would you solve the problem? A. Modify the ISA Administration COM object ProxyTunnelPort to allow tunneling on additional ports. *B. Modify the ISA Administration COMobject FPCProxyTunnelPortRange to allow tunneling on additional ports. C. Restart the ISA server. D. Clear the ISA server cache. E. Reconfigure the client's subnet mask. Explanation: When a client connects through the Web Proxy service to a secure Web site (HTTPS), ISA Server must open a tunnel for the traffic, since the traffic is encrypted end-to-end. By default, ISA Server only allows tunnel connections to ports 443 (HTTPS) and 563 (Secure-News). If a client attempts to connect to a secure site that is running on a port other the 443 or 563, the connection fails.

Using ISA Server 313 67. You are the ISA server administrator of your company. The SecureNAT connections work when the client specifies IP addresses but not when the client specifies computer names. You further confirmed that the DNS server used by the client is an internal DNS server. How would you solve the problem?

A. Configure the DNS server to forward the request to an external DNS server. B. Configure the DNS server to forward the request to another internal DNS server. C. Configure the DNS server to become caching only. D. Reconfigure the client's name resolution method. E. Reset the TTL values.

68. You are managing the deployment of ISA server in your network. Under which of the following conditions will you consider the deployment of CARP?

A. When you are supporting a large user base. B. When you are using multiple ISA Server computers arrayed as a single logical cache. C. When you want to increase the bandwidth. D. When you want to increase the security.

314 Chapter 5 67. You are the ISA server administrator of your company. The SecureNAT connections work when the client specifies IP addresses but not when the client specifies computer names. You further confirmed that the DNS server used by the client is an internal DNS server. How would you solve the problem?

*A. Configure the DNS server to forward the request to an external DNS server. B. Configure the DNS server to forward the request to another internal DNS server. C. Configure the DNS server to become caching only. D. Reconfigure the client's name resolution method. E. Reset the TTL values. Explanation: As an alternative, you may configure the clients to use a DNS server that forwards name resolution requests to an external DNS server.

68. You are managing the deployment of ISA server in your network. Under which of the following conditions will you consider the deployment of CARP?

*A. When you are supporting a large user base. *B. When you are using multiple ISA Server computers arrayed as a single logical cache. C. When you want to increase the bandwidth. D. When you want to increase the security. Explanation: Microsoft Internet Security and Acceleration (ISA) Server uses the Cache Array Routing Protocol (CARP) to provide seamless scaling and extreme efficiency when using multiple ISA Server computers arrayed as a single logical cache. CARP uses hash-based routing to provide a deterministic "request resolution path" through an array.

Using ISA Server 315 69. Which of the following correctly describe CARP?

A. It uses hash-based routing. B. For any given URL request, the browser or downstream proxy server will know exactly where in the array the information will be stored. C. For any given URL request, the browser or downstream proxy server will know exactly where in the array the information will be stored only if the information is already cached from a previous request. D. For any given URL request, the browser or downstream proxy server will know exactly where in the array the information will be stored only if you are making a first Internet hit for delivery and caching. E. For any given URL request, the browser or upstream proxy server will know exactly where in the array the information will be stored only if you are making a first Internet hit for delivery and caching.

70. You are managing the deployment of ISA server in your network. You are deleting an ISA server from the CARP array. Which of the following adjustment must be made for the new settings to work?

A. Reset the CARP membership IDs. B. Re-adjust the CARP time out value. C. Reduce the ISA internal cache keep alive time. D. Reset the client gateway configuration. E. None of the choices

316 Chapter 5 69. Which of the following correctly describe CARP? *A. It uses hash-based routing. *B. For any given URL request, the browser or downstream proxy server will know exactly where in the array the information will be stored. C. For any given URL request, the browser or downstream proxy server will know exactly where in the array the information will be stored only if the information is already cached from a previous request. D. For any given URL request, the browser or downstream proxy server will know exactly where in the array the information will be stored only if you are making a first Internet hit for delivery and caching. E. For any given URL request, the browser or upstream proxy server will know exactly where in the array the information will be stored only if you are making a first Internet hit for delivery and caching. Explanation: Because CARP provides a deterministic request resolution path, there is none of the query messaging between proxy servers that are found with conventional Internet Cache Protocol (ICP) networks, a process that creates a heavier congestion of queries the greater the number of servers.

70. You are managing the deployment of ISA server in your network. You are deleting an ISA server from the CARP array. Which of the following adjustment must be made for the new settings to work? A. Reset the CARP membership IDs. B. Re-adjust the CARP time out value. C. Reduce the ISA internal cache keep alive time. D. Reset the client gateway configuration. *E. None of the choices Explanation: CARP automatically adjusts to additions or deletions of servers in the array. The hashed-based routing means that when a server is either taken off line or added, only minimal reassignment of URL cache locations is required.

Using ISA Server 317 71. With ISA Server, how are cache objects stored in CARP?

A. Evenly distributed. B. Determined by the load factor of each server. C. Round Robin. D. Based on hop count.

72. You are configuring the ISA CARP server services. Which of the following correctly describe how CARP handles web requests?

A. CARP is configurable for incoming Web requests. B. CARP is configurable for outgoing Web requests. C. CARP is configurable for either incoming or outgoing Web requests but not both at the same time. D. CARP is configurable for none of the web request.

318 Chapter 5 71. With ISA Server, how are cache objects stored in CARP?

*A. Evenly distributed.

*B. Determined by the load factor of each server.

C. Round Robin. D. Based on hop count. Explanation: CARP ensures that the cache objects are stored with even distribution between all servers in the array, or as specified by the load factor you configure for each server.

72. You are configuring the ISA CARP server services. Which of the following correctly describe how CARP handles web requests?

*A. CARP is configurable for incoming Web requests. *B. CARP is configurable for outgoing Web requests. C. CARP is configurable for either incoming or outgoing Web requests but not both at the same time. D. CARP is configurable for none of the web request. Explanation: CARP can be enabled for all outgoing Web requests, and disabled for all incoming Web requests.

Using ISA Server 319 73. You need to configure and maintain the ISA CARP server services. Which of the following correctly describe the default CARP settings?

A. CARP is enabled for all the servers in the array for outgoing Web requests. B. CARP is disabled for all incoming Web requests. C. CARP is disabled for all the servers in the array for outgoing Web requests. D. CARP is enabled for all incoming Web requests.

74. You need to configure and maintain the ISA server array. How do you configure TCP port for incoming web request?

A. In the console tree of ISA Management, right-click the applicable array. Select the Incoming Web request tab. In TCP port, type the port number on which the ISA Server should listen for Web requests. B. In the console tree of ISA Management, right-click the applicable array. Select the Web request section - Incoming tab. In Port Assignment, type the port number on which the ISA Server should listen for Web requests. C. In the console tree of ISA Management, right-click the applicable array. Select the Incoming request port number tab. Type the port number on which the ISA Server should listen for Web requests. D. In the console tree of ISA Management, right-click the applicable array. Select the out coming request port number tab. Type the port number on which the ISA Server should listen for Web requests.

320 Chapter 5 73. You need to configure and maintain the ISA CARP server services. Which of the following correctly describe the default CARP settings? *A. CARP is enabled for all the servers in the array for outgoing Web requests. *B. CARP is disabled for all incoming Web requests. C. CARP is disabled for all the servers in the array for outgoing Web requests. D. CARP is enabled for all incoming Web requests. Explanation: By default, CARP is enabled for all the servers in the array, for outgoing Web requests. That is, the CARP algorithm will randomly store objects in any one of the member servers cache. By default, CARP is disabled for all incoming Web requests. That is, objects will be cached in each of the member servers in the array.

74. You need to configure and maintain the ISA server array. How do you configure TCP port for incoming web request? *A. In the console tree of ISA Management, right-click the applicable array. Select the Incoming Web request tab. In TCP port, type the port number on which the ISA Server should listen for Web requests. B. In the console tree of ISA Management, right-click the applicable array. Select the Web request section - Incoming tab. In Port Assignment, type the port number on which the ISA Server should listen for Web requests. C. In the console tree of ISA Management, right-click the applicable array. Select the Incoming request port number tab. Type the port number on which the ISA Server should listen for Web requests. D. In the console tree of ISA Management, right-click the applicable array. Select the out coming request port number tab. Type the port number on which the ISA Server should listen for Web requests. Explanation: To configure TCP port, in the console tree of ISA Management, rightclick the applicable array. Select the Incoming Web request tab, or on the Outgoing Web request tab. In TCP port, type the port number on which the ISA Server should listen for Web requests.

Using ISA Server 321 75. View the Graphic to answer this question:

What type of ISA Server items are shown on the graphic?

A. Access policy B. User permission policy C. Admin permission policy D. Remote policy

322 Chapter 5 75. View the Graphic to answer this question:

What type of ISA Server items are shown on the graphic?

*A. Access policy B. User permission policy C. Admin permission policy D. Remote policy

Using ISA Server 323 76. You need to configure and maintain the ISA server array. How do you configure the load factor?

A. In the console tree of ISA Management, click Array. In the details pane, right-click the applicable server and then click Advanced Properties. On the Array Membership tab, type the load factor in the Load Factor text box. B. In the console tree of ISA Management, click Server Array. In the details pane, rightclick the applicable server and then click Load Properties. On the Array Membership tab, type the load factor in the Loading text box. C. In the console tree of ISA Management, click Array. In the details pane, right-click the applicable server and then click Member Properties. On the Array Membership tab, type the load factor in the Load Factor popup menu. D. In the console tree of ISA Management, click Array settings. In the details pane, rightclick the applicable server and then click Member Properties. On the Array Membership tab, type the load factor in the Load Factor popup menu.

324 Chapter 5 76. You need to configure and maintain the ISA server array. How do you configure the load factor?

A. In the console tree of ISA Management, click Array. In the details pane, rightclick the applicable server and then click Advanced Properties. On the Array Membership tab, type the load factor in the Load Factor text box. B. In the console tree of ISA Management, click Server Array. In the details pane, right-click the applicable server and then click Load Properties. On the Array Membership tab, type the load factor in the Loading text box. C. In the console tree of ISA Management, click Array. In the details pane, rightclick the applicable server and then click Member Properties. On the Array Membership tab, type the load factor in the Load Factor popup menu. *D. In the console tree of ISA Management, click Array settings. In the details pane, right-click the applicable server and then click Member Properties. On the Array Membership tab, type the load factor in the Load Factor popup menu. Explanation: To configure the load factor, in the console tree of ISA Management you click Server. In the details pane, right-click the applicable server and then click Properties. On the Array Membership tab, type the load factor in the Load Factor text box.

Using ISA Server 325 77. You are managing the deployment of ISA server in your network. You need to configure and maintain the ISA server array. Why do you have to be extremely careful when configuring the load factor?

A. The load factor determines how to divide the load among members of an array. B. The load factor determines the round robin timeout values among members of an array. C. Changing this value may increase the load on an ISA Server computer. D. Changing this value may decrease the load on an ISA Server computer.

78. You are managing the deployment of ISA server in your network. You want to link your ISA server computers as a chain. How do you configure ISA server chaining?

A. By linking multiple ISA Server arrays in a prioritized chain. B. By linking individual ISA server into a bus topology. C. By linking individual ISA server into a ring topology. D. By linking individual ISA server into a star topology. E. By linking individual ISA server in a prioritized chain.

326 Chapter 5 77. You are managing the deployment of ISA server in your network. You need to configure and maintain the ISA server array. Why do you have to be extremely careful when configuring the load factor?

*A. The load factor determines how to divide the load among members of an array. B. The load factor determines the round robin timeout values among members of an array. *C. Changing this value may increase the load on an ISA Server computer. *D. Changing this value may decrease the load on an ISA Server computer. Explanation: The load factor determines how to divide the load among members of an array. Changing this value increases or decreases the load on an ISA Server computer.

78. You are managing the deployment of ISA server in your network. You want to link your ISA server computers as a chain. How do you configure ISA server chaining?

*A. By linking multiple ISA Server arrays in a prioritized chain. B. By linking individual ISA server into a bus topology. C. By linking individual ISA server into a ring topology. D. By linking individual ISA server into a star topology. E. By linking individual ISA server in a prioritized chain. Explanation: Chaining involves linking multiple ISA Server arrays in a prioritized chain.

Using ISA Server 327 79. You are the network administrator of your company. You wish to test and analyze the traffic on the external ports of your Server computer. What program should you run?

A. Performance Monitor B. Network Monitor C. System Monitor D. Testing Monitor E. Network Load Balancing Monitor

328 Chapter 5 79. You are the network administrator of your company. You wish to test and analyze the traffic on the external ports of your Server computer. What program should you run?

A. Performance Monitor *B. Network Monitor C. System Monitor D. Testing Monitor E. Network Load Balancing Monitor Explanation: It allows you to capture packets for further inspection. It also gives you the ability to automatically begin capturing network information upon starting particular application.

Using ISA Server 329 80. View the Graphic to answer this question: You are the network administrator of your company. You want to use an utility to verify that the computer is configured to permit connections on some particular ports. What tool should you use?

A. Network Monitor B. Talent C. Telnet D. Performance Monitor

330 Chapter 5 80. View the Graphic to answer this question: You are the network administrator of your company. You want to use an utility to verify that the computer is configured to permit connections on some particular ports. What tool should you use?

A. Network Monitor B. Talent *C. Telnet D. Performance Monitor Explanation: You may use the Telnet tool to verify that the computer is configured to permit connections on the particular ports. To do so, type the following command: telnet <port>.

Using ISA Server 331 81. View the Graphic to answer this question: You want to capture network information via the tool shown in the graphic. Why do you choose this tool?

A. The ability to automatically begin capturing network information upon starting particular application. B. The ability to find out if there is an attack. C. The ability to filter packets. D. The ability to prevent clients connect to your network.

332 Chapter 5 81. View the Graphic to answer this question: You want to capture network information via the tool shown in the graphic. Why do you choose this tool?

*A. The ability to automatically begin capturing network information upon starting particular application. *B. The ability to find out if there is an attack. C. The ability to filter packets. D. The ability to prevent clients connect to your network. Explanation: There is a valuable tool you can use is Network Monitor. It allows you to capture packets for further inspection. It also gives you the ability to automatically begin capturing network information upon starting particular application. From within the data captured you may be able to find out if there is an attack, or if there is traffic towards particular ports.

Using ISA Server 333 82. View the Graphic to answer this question: You are the network administrator of your company. You want to use a powerful tool to test the networking performance and verify the security between your network and the Internet. You found that the tool shown in the graphic is not good enough for your purpose. What tool should you use?

A. Network Monitor from Systems Management Server. B. Performance Monitor from Systems Management Server. C. Advanced Network Monitor from Windows 2000 Datacenter Server. D. Advanced Performance Monitor from Windows 2000 Datacenter Server.

334 Chapter 5 82. View the Graphic to answer this question: You are the network administrator of your company. You want to use a powerful tool to test the networking performance and verify the security between your network and the Internet. You found that the tool shown in the graphic is not good enough for your purpose. What tool should you use?

*A. Network Monitor from Systems Management Server. B. Performance Monitor from Systems Management Server. C. Advanced Network Monitor from Windows 2000 Datacenter Server. D. Advanced Performance Monitor from Windows 2000 Datacenter Server. Explanation: Network Monitor is an optional tool included with Windows 2000 Server. This, however, is only a limited version. Its full-featured version is included in the Systems Management Server, which must be purchased separately.

Using ISA Server 335 83. You are the network administrator of your company. You wish to set up a cluster for your company. What step or steps should you do?

A. Run the New Cluster Wizard. B. Run the Application Center New Cluster Wizard. C. Expand the cluster, add subsequent servers individually to the cluster using the Add Cluster Member Wizard. D. Expand the cluster, add subsequent servers individually to the cluster using the Application Center Add Cluster Member Wizard.

336 Chapter 5 83. You are the network administrator of your company. You wish to set up a cluster for your company. What step or steps should you do?

A. Run the New Cluster Wizard. *B. Run the Application Center New Cluster Wizard. *C. Expand the cluster, add subsequent servers individually to the cluster using the Add Cluster Member Wizard. D. Expand the cluster, add subsequent servers individually to the cluster using the Application Center Add Cluster Member Wizard. Explanation: To setup the cluster, you can use the Application Center New Cluster Wizard without any manual configuration tasks. If the default settings are not sufficient, you can modify them after creating the cluster with the Application Center user interface. According to Microsoft TechNet: "To create a cluster in Microsoft Application Center 2000 (Application Center), first you must create a cluster on one server and then, to expand the cluster, add subsequent servers individually. To create a cluster on one server, use the New Cluster Wizard. To add servers to a cluster or to join an existing cluster, use the Add Cluster Member Wizard.

Using ISA Server 337 84. You are the network administrator for your company. You want to set up a cluster for your company. Unfortunately, you are unable to run the installation wizard. What should you do?

A. Establish a connection with the server by using appropriate administrative credentials. B. Establish a connection with the server by using Virtual Private Network (VPN) connection. C. Ensure that all content exist on the controller before adding members. D. Ensure that all configurations exist on the controller before adding members. E. Ensure that all content and configuration exist on the controller before adding members.

338 Chapter 5 84. You are the network administrator for your company. You want to set up a cluster for your company. Unfortunately, you are unable to run the installation wizard. What should you do?

*A. Establish a connection with the server by using appropriate administrative credentials. B. Establish a connection with the server by using Virtual Private Network (VPN) connection. C. Ensure that all content exist on the controller before adding members. D. Ensure that all configurations exist on the controller before adding members. *E. Ensure that all content and configuration exist on the controller before adding members. Explanation: Before you can start either wizard, you must establish a connection with the server by using appropriate administrative credentials. Since all cluster members are synchronized with the cluster controller, you should ensure that all content and configuration exist on the controller before adding members. Unpredictable behavior might result if content or configuration on members is different from the controller". More information on this topic can be found from the documentation that comes with the Windows 2000 Advanced Server.

Using ISA Server 339

Note: The remaining questions in this chapter cover two pages each. Notes:

340 Chapter 5 85. View the Graphic to answer this question: You need to configure and maintain the ISA server. How do you configure the cache size on the server given the information presented in the graphic?

Using ISA Server 341 A. In the console tree of ISA Management, click Drives. In the details pane, right-click the applicable server and then click Properties. Click the desired drive. In Change cache file size on drive to, type the size of the drive. Click Set. B. In the console tree of ISA Management, click Cache. In the details pane, right-click the applicable server and then click Properties. Click the desired drive. In Change cache size on drive to, type the size of the drive. Click Change. C. In the console tree of ISA Management, click Cache Drives. In the details pane, rightclick the applicable server and then click Cache Size Properties. Click the desired drive. In Change cache file size on drive to, type the size of the drive. Click Set. D. In the console tree of ISA Management, click Cache Drives. In the details pane, rightclick the applicable server and then click Cache Size Properties. Click the desired drive. In Change cache file size on drive to, type the size of the drive. Click Apply.

342 Chapter 5 85. View the Graphic to answer this question: You need to configure and maintain the ISA server. How do you configure the cache size on the server given the information presented in the graphic?

Using ISA Server 343 *A. In the console tree of ISA Management, click Drives. In the details pane, rightclick the applicable server and then click Properties. Click the desired drive. In Change cache file size on drive to, type the size of the drive. Click Set. B. In the console tree of ISA Management, click Cache. In the details pane, rightclick the applicable server and then click Properties. Click the desired drive. In Change cache size on drive to, type the size of the drive. Click Change. C. In the console tree of ISA Management, click Cache Drives. In the details pane, right-click the applicable server and then click Cache Size Properties. Click the desired drive. In Change cache file size on drive to, type the size of the drive. Click Set. D. In the console tree of ISA Management, click Cache Drives. In the details pane, right-click the applicable server and then click Cache Size Properties. Click the desired drive. In Change cache file size on drive to, type the size of the drive. Click Apply. Explanation: To configure cache size on a server, in the console tree of ISA Management, click Drives. In the details pane, right-click the applicable server and then click Properties. Click the desired drive. In Change cache file size on drive to, type the size of the drive. Click Set.

Terminology 345

Chapter 6: Terminology 1. What is a list of SIDs and the associated access privileges assigned to each SID? Each object and network resource has one of these lists associated with it.

A.

2. What are individual NTFS permissions that are combined to form the standard NTFS permissions?

A.

346 Chapter 6 1. What is a list of SIDs and the associated access privileges assigned to each SID? Each object and network resource has one of these lists associated with it.

*A. Access Control List

Explanation: An access control list (ACL) is a list of SIDs and the associated access privileges assigned to each SID. Each object and network resource has an ACL associated with it.


*A. Advanced Permissions

Explanation: Advanced permissions (also called special permissions) are individual NTFS permissions that are combined to form the standard NTFS permissions. Advanced NTFS permissions are assigned by clicking the Advanced command button on the Security tab in a file or folder's Properties dialog box.

Terminology 347 3. What term refers to the specific properties of Windows 2000 files and folders?

A.

4. What is a Windows 2000 feature that, when enabled, allows you to collect securityrelated information concerning the success and failure of specified events, such as file access, printer access, logon and logoff, and security policy changes?

A.

348 Chapter 6 3. What term refers to the specific properties of Windows 2000 files and folders?

*A. Attributes

Explanation: Attributes are specific properties of Windows 2000 files and folders. Many attributes are assigned by administrators or users to protect files and folders. Other file and folder attributes are automatically applied to system files during the installation of Windows 2000. Many of these properties are assigned by administrators or users to protect files and folders and others are automatically applied to system files during the installation of Windows 2000.

4. What is a Windows 2000 feature that, when enabled, allows you to collect securityrelated information concerning the success and failure of specified events, such as file access, printer access, logon and logoff, and security policy changes?

*A. Auditing

Explanation: Auditing is a Windows 2000 feature that, when enabled, allows you to collect security-related information concerning the success and failure of specified events. These events include file access, printer access, logon and logoff, and security policy changes. Windows 2000 auditing is divided into two areas: system access auditing and object access auditing. Audited events are written to the Security Log in Event Viewer.

Terminology 349 5. What is a Windows NT Server computer that is configured to maintain a backup copy of the Windows NT Server domain directory database (SAM)?

A.

6. What term refers to the configuration of an object to not inherit permissions from its parent object?

A.

350 Chapter 6 5. What is a Windows NT Server computer that is configured to maintain a backup copy of the Windows NT Server domain directory database (SAM)?

*A. Backup Domain Controller

Explanation: A BDC is a Windows NT Server computer that is configured to maintain a backup copy of the Windows NT Server domain directory database (SAM). It receives updates to the domain directory database from the primary domain controller (PDC) via a process called synchronization.

6. What term refers to the configuration of an object to not inherit permissions from its parent object?

*A. Blocking Inheritance

Explanation: If you configure an object to not inherit permissions from its parent object, this is referred to as blocking inheritance.

Terminology 351 7. What term refers to groups that are automatically created during the installation of Windows 2000 with preset characteristics?

A.

8. What term refers to groups that have rights and permissions that enable their members to perform specific tasks on the local computer?

A.

352 Chapter 6 7. What term refers to groups that are automatically created during the installation of Windows 2000 with preset characteristics?

*A. Built-In Groups

Explanation: Built-in groups are groups with preset characteristics that are automatically created during the installation of Windows 2000.

8. What term refers to groups that have rights and permissions that enable their members to perform specific tasks on the local computer?

*A. Built-In Local Groups

Explanation: Built-in local groups are groups that have rights and permissions that enable their members to perform specific tasks on the local computer.

Terminology 353 9. What are groups that are created by Windows 2000 and are used for specific purposes by the operating system?

A.

10. What is a cryptographic tool used for encrypting and decrypting data, digitally signing files and other data, and performing user authentication?

A.

354 Chapter 6 9. What are groups that are created by Windows 2000 and are used for specific purposes by the operating system?

*A. Built-In Special Groups

Explanation: Built-in special groups are created by Windows 2000 and are used for specific purposes by the operating system. Special groups are sometimes called system groups.

10. What is a cryptographic tool used for encrypting and decrypting data, digitally signing files and other data, and performing user authentication?

*A. Certificate

Explanation: A certificate is a cryptographic tool used for encrypting and decrypting data, digitally signing files and other data, and performing user authentication. A certificate consists of two parts: a public key and a private key.

Terminology 355 11. What is an organization which uses a computer to create, issue and manage certificates?

A.

12. What is a Windows 2000 Server service used to create, issue, and manage certificates on a Windows 2000 network?

A.

356 Chapter 6 11. What is an organization which uses a computer to create, issue and manage certificates?

*A. Certificate Authority

Explanation: An organization that uses a computer to create, issue and manage certificates is called a certification authority (CA). It can also be the actual server that issues and manages certificates. In Windows 2000, the server on which Certificate Services is installed is a CA, and is also called a certificate server. The CA receives requests for certificates from other computers on the network, then verifies the credentials in the request, and finally creates and issues the certificate. It can also be the actual server that issues and manages certificates.

12. What is a Windows 2000 Server service used to create, issue, and manage certificates on a Windows 2000 network?

*A. Certificate Services

Explanation: Certificate Services is a Windows 2000 Server service used to create, issue, and manage certificates on a Windows 2000 network. If your network is connected to the Internet, you may need the encryption and other security features that can be provided by certificates and Certificate Services.

Terminology 357 13. What is created when a System Policy file is initially created?

A.

14. What is created when an Administrator initially creates a System Policy file?

A.

358 Chapter 6 13. What is created when a System Policy file is initially created?

*A. Default Computer Policy

Explanation: The Default Computer policy is created when a System Policy file is initially created. The Default Computer policy applies to a client computer only if the computer does not have an individual computer policy. It applies to a client computer only if the computer does not have an individual computer policy.

14. What is created when an Administrator initially creates a System Policy file?

*A. Default User policy

Explanation: The Default User policy is created when an Administrator initially creates a System Policy file. It doesn't contain any settings that restrict users when it is initially created. The Default User policy applies to a user only if the user does not have an individual user policy. When initially created, it doesn't contain any settings that restrict users. This policy applies to a user only if the user does not have an individual user policy.

Terminology 359 15. What is a tag appended to a file by its creator which consists of digitally coded information identifying the file's creator and enabling Windows 2000 to verify that the file has not been altered or corrupted (by a virus or other means) since it was created?

A.

16. What is the portion of a SID that identifies the domain in which the object is created?

A.

360 Chapter 6 15. What is a tag appended to a file by its creator which consists of digitally coded information identifying the file's creator and enabling Windows 2000 to verify that the file has not been altered or corrupted (by a virus or other means) since it was created?

*A. Digital Signature

Explanation: A digital signature is a tag appended to a file by its creator. This tag consists of digitally coded information that identifies the file's creator and enables Windows 2000 to verify that the file has not been altered or corrupted (by a virus or other means) since it was created.

16. What is the portion of a SID that identifies the domain in which the object is created?

*A. Domain SID

Explanation: The portion of a SID that identifies the domain in which the object is created is the domain SID.

Terminology 361 17. What is a floppy disk used to repair Windows 2000 system files that become accidentally corrupted or erased due to viruses or other causes?

A.

18. What enables you to store files on an NTFS volume in an encrypted format, so that if an unauthorized user removes a hard disk from your computer, that user will be unable to access the sensitive data contained in the encrypted files?

A.

362 Chapter 6 17. What is a floppy disk used to repair Windows 2000 system files that become accidentally corrupted or erased due to viruses or other causes?

*A. Emergency Repair Disk

Explanation: An Emergency Repair Disk, which you can create by using Backup, is a floppy disk used to repair Windows 2000 system files that become accidentally corrupted or erased due to viruses or other causes. An Emergency Repair Disk is primarily used to repair and restart a Windows 2000 computer that won't boot.

18. What enables you to store files on an NTFS volume in an encrypted format, so that if an unauthorized user removes a hard disk from your computer, that user will be unable to access the sensitive data contained in the encrypted files?

*A. Encrypting File System

Explanation: The Encrypting File System (EFS) enables you to store files on an NTFS volume in an encrypted format, so that if an unauthorized user removes a hard disk from your computer, that user will be unable to access the sensitive data contained in the encrypted files. EFS contains the Encrypt attribute.

Terminology 363 19. What is a permission that is directly assigned to an object instead of inherited by an object?

A.

20. What term refers to the ability of a computer or operating system to continue operations when a severe error or failure occurs, such as the loss of a hard disk or a power outage?

A.

364 Chapter 6 19. What is a permission that is directly assigned to an object instead of inherited by an object?

*A. Explicit Permission

Explanation: An explicit permission is a permission that is directly assigned to an object instead of inherited by an object.

20. What term refers to the ability of a computer or operating system to continue operations when a severe error or failure occurs, such as the loss of a hard disk or a power outage?

*A. Fault Tolerance

Explanation: Fault tolerance is the ability of a computer or operating system to continue operations when a severe error or failure occurs, such as the loss of a hard disk or a power outage.

Terminology 365 21. What are markers assigned to files that describe its properties and limit access to the file?

A.

22. What are groups that are created and maintained in Active Directory on Windows 2000 domain controllers and are primarily used to organize users that perform similar tasks or have similar network access requirements?

A.

366 Chapter 6 21. What are markers assigned to files that describe its properties and limit access to the file?

*A. File Attributes

Explanation: File attributes are markers assigned to files that describe its properties and limit access to the file. File attributes include Archive, Compress, Hidden, Readonly, and System.

22. What are groups that are created and maintained in Active Directory on Windows 2000 domain controllers and are primarily used to organize users that perform similar tasks or have similar network access requirements?

*A. Global Groups

Explanation: Global groups, like domain local groups, are groups that are created and maintained in Active Directory on Windows 2000 domain controllers and are primarily used to organize users that perform similar tasks or have similar network access requirements.

Terminology 367 23. What is a policy that contains rules and settings that are applied to Windows 2000 computers, their users, or both, that are located in a specific part of Active Directory?

A.

24. What is a policy that applies to a group of users that are members of a group (that has a group policy) and that do not have individual user policies?

A.

368 Chapter 6 23. What is a policy that contains rules and settings that are applied to Windows 2000 computers, their users, or both, that are located in a specific part of Active Directory?

*A. Group Policy

Explanation: Group Policy is a policy that contains rules and settings that are applied to Windows 2000 computers, their users, or both, that are located in a specific part of Active Directory. There are two kinds of Group Policy 1) Local Group Policy and 2) Group Policy. Group Policy consists of two components: an Active Directory object, called a Group Policy object (GPO), and a series of files and folders that are automatically created when the GPO is created. Each GPO is associated with a specific Active Directory container object, such as a site, a domain, or an organizational unit (OU).

24. What is a policy that applies to a group of users that are members of a group (that has a group policy) and that do not have individual user policies?

*A. Group System Policy

Explanation: A group system policy is a policy that applies to a group of users that are members of a group (that has a group policy) and that do not have individual user policies. Group system policies have the same configurable options as user system policies.

Terminology 369 25. What is a list of devices (and settings for each of these devices) that Windows 2000 implements when you boot your computer?

A.

26. What is created on a single, specific client computer when it requires a unique policy that is different from the Default Computer policy?

A.

370 Chapter 6 25. What is a list of devices (and settings for each of these devices) that Windows 2000 implements when you boot your computer?

*A. Hardware Profile

Explanation: A hardware profile is a list of devices (and settings for each of these devices) that Windows 2000 implements when you boot your computer. The primary reason for creating hardware profiles is to manage the different hardware configurations used by laptop computers.

26. What is created on a single, specific client computer when it requires a unique policy that is different from the Default Computer policy?

*A. Individual Computer Policy

Explanation: An individual computer policy applies to a single, specific client computer. Normally, this policy is created only when a client computer requires a unique policy that is different from the Default Computer policy.

Terminology 371 27. What is created for a single, specific user when he/she requires a unique policy that is different from any existing Default User or group system policy?

A.

28. What term refers to the permissions an object receives simply because it is contained in another object - in other words, because an object is a child (or grandchild) object of a particular parent object?

A.

372 Chapter 6 27. What is created for a single, specific user when he/she requires a unique policy that is different from any existing Default User or group system policy?

*A. Individual User Policy

Explanation: An individual user policy applies to a single, specific user. Normally, an individual user policy is created only when a user requires a unique policy that is different from any existing Default User or group system policy.

28. What term refers to the permissions an object receives simply because it is contained in another object - in other words, because an object is a child (or grandchild) object of a particular parent object?

*A. Inheritance

Explanation: The concept of inheritance applies to objects in Active Directory, and also to NTFS permissions set on files and folders. Inheritance refers to the permissions an object receives simply because it is contained in another object - in other words, because an object is a child (or grandchild) object of a particular parent object. When an object inherits permissions, it's not because the permissions have been applied specifically to the object in question, but rather because permissions have been set on the parent object that contains the object in question.

Terminology 373 29. What is the process of verifying a user's credentials in order to determine whether the user is permitted to log on to a local Windows 2000 computer?

A.

30. What permits other computers on your local area network to use a specific dial-up (or local area) connection on a computer to connect to the Internet?

A.

374 Chapter 6 29. What is the process of verifying a user's credentials in order to determine whether the user is permitted to log on to a local Windows 2000 computer?

*A. Interactive Logon Authentication

Explanation: Interactive logon authentication is the process of verifying a user's credentials in order to determine whether the user is permitted to log on to a local Windows 2000 computer.

30. What permits other computers on your local area network to use a specific dial-up (or local area) connection on a computer to connect to the Internet?

*A. Internet Connection Sharing

Explanation: Internet connection sharing permits other computers on your local area network to use a specific dial-up (or local area) connection on a computer to connect to the Internet. It is commonly used in a home or small-office network setting where a single Internet connection must be shared by multiple computers. Internet connection sharing should not be used on networks that have existing routers, DNS servers, or DHCP servers. This is commonly used in a home or small-office network setting where a single Internet connection must be shared by multiple computers.

Terminology 375 31. What is a high-speed network standard, based on Ethernet, that provides data transfer rates as high as 100 Mbps?

A.

32. What is a trust relationship between two domains that is bounded by the two domains, and does not extend beyond these two domains to other domains?

A.

376 Chapter 6 31. What is a high-speed network standard, based on Ethernet, that provides data transfer rates as high as 100 Mbps?

*A. 100BaseT

Explanation: An Ethernet network similar to 10BaseT, however it utilizes Category 5 cable (utilizing 2 pair, Cat 3 or 4 if 4 pair are available -- known as 100BaseT4), and can operate at 100 megabits a second. A.K.A Fast Ethernet.

32. What is a trust relationship between two domains that is bounded by the two domains, and does not extend beyond these two domains to other domains?

*A. Intransitive Trust

Explanation: An intransitive trust is a trust relationship between two domains that is bounded by the two domains, and does not extend beyond these two domains to other domains. It is a one-way trust. It is a one-way trust.

Terminology 377 33. What consists of a series of files and folders that are automatically created during the installation of Windows 2000 on the local computer?

A.

34. What is a collection of security protocols and cryptography services that encrypts TCP/IP traffic between two computers, thus preventing unauthorized users from viewing or modifying sensitive data?

A.

378 Chapter 6 33. What consists of a series of files and folders that are automatically created during the installation of Windows 2000 on the local computer?

*A. Local Group Policy

Explanation: Local Group Policy consists of a series of files and folders that are automatically created during the installation of Windows 2000 on the local computer? These files and folders are stored in the SystemRoot\System32GroupPolic folder. Local Group Policy applies to the local computer, and to users that log on to the local computer. These files and folders are stored in the SystemRoot\System32GroupPolic folder.

34. What is a collection of security protocols and cryptography services that encrypts TCP/IP traffic between two computers, thus preventing unauthorized users from viewing or modifying sensitive data?

*A. IPSec

Explanation: IPSec (which is short for Internet Protocol security) is a collection of security protocols and cryptography services that encrypts TCP/IP traffic between two computers, thus preventing unauthorized users from viewing or modifying sensitive data.

Terminology 379 35. What is an Internet standard authentication protocol which provides a higher level of security and faster, more efficient authentication than the Windows NT/LAN Manager protocol?

A.

36. What is a group of users that is assigned a specific number of licenses?

A.

380 Chapter 6 35. What is an Internet standard authentication protocol which provides a higher level of security and faster, more efficient authentication than the Windows NT/LAN Manager protocol?

*A. Kerberos Version 5 Protocol

Explanation: The Kerberos version 5 protocol is an Internet standard authentication protocol which provides a higher level of security and faster, more efficient authentication than the Windows NT/LAN Manager protocol.

36. What is a group of users that is assigned a specific number of licenses?

*A. License Group

Explanation: A license group is a group of users that is assigned a specific number of licenses. These groups enable Licensing to correctly track license usage when an organization uses the Per Seat licensing mode and has an unequal number of users and computers.

Terminology 381 37. What enables a user to log on to the local computer and to access that computer's resources?

A.

38. What are groups that are created and maintained on an individual Windows 2000 computer (that is not a domain controller)?

A.

382 Chapter 6 37. What enables a user to log on to the local computer and to access that computer's resources?

*A. Local User Account

Explanation: A local user account enables a user to log on to the local computer and to access that computer's resources.

38. What are groups that are created and maintained on an individual Windows 2000 computer (that is not a domain controller)?

*A. Local Groups

Explanation: Local groups are groups that are created and maintained on an individual Windows 2000 computer (that is not a domain controller). Local groups can be created by members of the Administrators, Power Users, and Users groups.

Terminology 383 39. What is a type of user rights that determines whether or not a user is permitted to authenticate (log on) to a Windows 2000 computer, and how that user is permitted to log on? A.

40. What is a user profile that, when assigned to a user, can't be changed by the user? A.

384 Chapter 6 39. What is a type of user rights that determines whether or not a user is permitted to authenticate (log on) to a Windows 2000 computer, and how that user is permitted to log on?

*A. Logon Rights

Explanation: Logon rights are a type of user right that determines whether or not a user is permitted to authenticate (log on) to a Windows 2000 computer, and how that user is permitted to log on.

40. What is a user profile that, when assigned to a user, can't be changed by the user?

*A. Mandatory User Profile

Explanation: A mandatory user profile is a user profile that, when assigned to a user, can't be changed by the user. A user can make changes to desktop and work environment settings during a single logon session, but these changes are not saved to the mandatory user profile when the user logs off. Each time the user logs on, the user's desktop and work environment settings revert to those contained in the mandatory user profile.

Terminology 385 41. What is the process of verifying a user's credentials in order to determine whether or not the user is permitted to access network resources, such as a shared folder, a shared printer, or a network service?

A.

42. What is a Windows 2000 Server administrative tool that makes it possible for a user to capture, view, and analyze network traffic (packets)?

A.

386 Chapter 6 41. What is the process of verifying a user's credentials in order to determine whether or not the user is permitted to access network resources, such as a shared folder, a shared printer, or a network service?

*A. Network Authentication

Explanation: Network authentication is the process of verifying a user's credentials in order to determine whether or not the user is permitted to access network resources, such as a shared folder, a shared printer, or a network service.

42. What is a Windows 2000 Server administrative tool that makes it possible for a user to capture, view, and analyze network traffic (packets)?

*A. Network Monitor

Explanation: Network Monitor is a Windows 2000 Server administrative tool that makes it possible for a user to capture, view, and analyze network traffic (packets). Network Monitor doesn't ship with Windows 2000 Professional.

Terminology 387 43. What are permissions assigned to individual files and folders on NTFS volumes which are used to control access to these files and folders?

A.

44. What term refers to a single trust relationship which exists between two domains?

A.

388 Chapter 6 43. What are permissions assigned to individual files and folders on NTFS volumes which are used to control access to these files and folders?

*A. NTFS Permissions

Explanation: NTFS permissions are permissions assigned to individual files and folders on NTFS volumes which are used to control access to these files and folders. These permissions apply to local users as well as to users who connect to a shared folder over the network. If NTFS permissions are more restrictive than share permissions, the NTFS permissions will be applied.

44. What term refers to a single trust relationship which exists between two domains?

*A. One-Way Trust

Explanation: A one-way trust refers to a single trust relationship which exists between two domains.

Terminology 389 45. What term describes the control of access to resources, such as shares, files, folders, and printers on a Windows NT computer?

A.

46. What is a Windows NT Server computer that is configured to maintain the primary copy of the Windows NT Server domain directory database (also called the SAM)?

A.

390 Chapter 6 45. What term describes the control of access to resources, such as shares, files, folders, and printers on a Windows NT computer?

*A. Permissions

Explanation: Permissions control the access to resources, such as shares, files, folders, and printers on a Windows NT computer.

46. What is a Windows NT Server computer that is configured to maintain the primary copy of the Windows NT Server domain directory database (also called the SAM)?

*A. Primary Domain Controller

Explanation: A primary domain controller is a Windows NT Server computer that is configured to maintain the primary copy of the Windows NT Server domain directory database (also called the SAM). It sends domain directory database updates to backup domain controllers (BDCs) via a process called synchronization.

Terminology 391 47. What is a partition on a basic disk that can be configured as the active partition and it can only be formatted as a single logical drive?

A.

48. What term refers to a type of user right which enables a user to perform specific tasks?

A.

392 Chapter 6 47. What is a partition on a basic disk that can be configured as the active partition and it can only be formatted as a single logical drive?

*A. Primary Partition

Explanation: A primary partition is a partition on a basic disk that can be configured as the active partition and it can only be formatted as a single logical drive.

48. What term refers to a type of user right which enables a user to perform specific tasks?

*A. Privileges

Explanation: Privileges are a type of user right which enables a user to perform specific tasks.

Terminology 393 49. What is a combination of conventions and rules for communicating on a network?

A.

50. What is a DNS request called?

A.

394 Chapter 6 49. What is a combination of conventions and rules for communicating on a network?

*A. Protocol

Explanation: A protocol is a combination of conventions and rules for communicating on a network.

50. What is a DNS request called?

*A. Query

Explanation: A query is a DNS request.

Terminology 395 51. What is a limited version of the Windows 2000 operating system that only has a command-line interface?

A.

52. What is a feature which enables client computers to use dial-up and VPN connections to connect to a remote access server?

A.

396 Chapter 6 51. What is a limited version of the Windows 2000 operating system that only has a command-line interface?

*A. Recovery Console

Explanation: The Recovery Console is a limited version of the Windows 2000 operating system that only has a command-line interface. It is helpful when you need to manually start or stop a service, repair the master boot record, or manually copy files from a floppy disk or compact disc to the computer's hard disk in order to restore a system.

52. What is a feature which enables client computers to use dial-up and VPN connections to connect to a remote access server?

*A. Remote Access

Explanation: Remote access is a feature that enables client computers to use dial-up and VPN connections to connect to a remote access server. Once a connection with the remote access server is established, the client computer has access to the network the remote access server is connected to. Remote access enables users of remote computers to use the network as though they were directly connected to it. Remote access is implemented in Windows 2000 by the Routing and Remote Access service.

Terminology 397 53. What term refers to the process of copying information and information updates from the Active Directory data store on one domain controller to other domain controllers?

A.

54. What is a Windows 2000 tool used to monitor and chart the performance of system components in a Windows 2000 computer?

A.

398 Chapter 6 53. What term refers to the process of copying information and information updates from the Active Directory data store on one domain controller to other domain controllers?

*A. Replication

Explanation: Replication, as applied to Active Directory, refers to the process of copying information and information updates from the Active Directory data store on one domain controller to other domain controllers. The purpose is to synchronize Active Directory data among the domain controllers in the domain and forest. The purpose is to synchronize Active Directory data among the domain controllers in the domain and forest.

54. What is a Windows 2000 tool used to monitor and chart the performance of system components in a Windows 2000 computer?

*A. System Monitor

Explanation: System Monitor System Monitor is a Windows 2000 tool used to monitor and chart the performance of system components in a Windows 2000 computer. System Monitor replaces Windows NT 4.0's Performance Monitor. It functions as an MMC snap-in.

Terminology 399 55. What is a user profile which is stored on a Windows 2000 Server computer?

A.

56. What is another name for shared folder permissions?

A.

400 Chapter 6 55. What is a user profile which is stored on a Windows 2000 Server computer?

*A. Roaming User Profile

Explanation: A roaming user profile is a user profile which is stored on a Windows 2000 Server computer. Because the profile is stored on a server instead of on the local computer, it is available to the user regardless of which Windows 2000 computer on the network the user logs on to.

Because the profile is stored on a server instead of on the local computer, it is available to the user regardless of which Windows 2000 computer on the network the user logs on to.

56. What is another name for shared folder permissions?

*A. Share Permissions

Explanation: Share permissions are another name for shared folder permissions.

Terminology 401 57. What is one of the two fundamental types of groups in Windows 2000 which is primarily used to assign permissions and user rights to multiple users?

A.

58. In Active Directory terminology, what includes users, groups, and computers?

A.

402 Chapter 6 57. What is one of the two fundamental types of groups in Windows 2000 which is primarily used to assign permissions and user rights to multiple users?

*A. Security Groups

Explanation: Security groups is one of the two fundamental types of groups in Windows 2000. The other is distribution groups. Security groups are primarily used to assign permissions and user rights to multiple users. In addition, security groups can be used by some e-mail programs to send messages to the list of users that are members of the group.

58. In Active Directory terminology, what includes users, groups, and computers?

*A. Security Principal Object

Explanation: In Active Directory terminology, security principal objects include users, groups, and computers.

Terminology 403 59. What is a user mode subsystem which supports the logon process and also supports and provides security for Active Directory?

A.

60. What is a text-based .i f file that contains predefined security settings which can be applied to one or more computers?

A.

404 Chapter 6 59. What is a user mode subsystem which supports the logon process and also supports and provides security for Active Directory?

*A. Security Subsystem

Explanation: The Security subsystem (sometimes called the Integral subsystem) is a user mode subsystem which supports the logon process and also supports and provides security for Active Directory. The Security subsystem obtains its user interface and screen functions from the Win32 subsystem, and requests Executive Services to perform all other functions for it.

60. What is a text-based .i f file that contains predefined security settings which can be applied to one or more computers?

*A. Security Template

Explanation: A security template is a text-based .i f file which contains predefined security settings that can be applied to one or more computers. It can also be used to compare a computer's existing security configuration against a predefined, standard security configuration. The Security Templates snap-in to the MMC is used to create, edit, and manage security templates. It can also be used to compare a computer's existing security configuration against a predefined, standard security configuration.

Terminology 405 61. What is a unique number created by the Windows 2000 Security subsystem which is assigned to security principal objects when they are created?

A.


A.

406 Chapter 6 61. What is a unique number created by the Windows 2000 Security subsystem which is assigned to security principal objects when they are created?

*A. Security Identifier

Explanation: Security identifier is abbreviated SID. It is a unique number created by the Windows 2000 Security subsystem which is assigned to security principal objects when they are created. A SID consists of two parts: a domain SID and a relative ID. Windows 2000 uses SIDs to grant or deny a security principal object access to other objects and network resources.


*A. Special Permissions

Explanation: Special permissions (also called advanced permissions) are individual NTFS permissions that are combined to form the standard NTFS permissions. These permissions are assigned by clicking the Advanced command button on the Security tab in a file or folder's Properties dialog box. They are assigned by clicking the Advanced command button on the Security tab in a file or folder's Properties dialog box.

Terminology 407 63. What is a Windows 2000 deployment tool designed for large organizations and OEMs?

A.

64. What is a collection of Administrator-created user, group, and computer system policies which enables an administrator to manage non-Windows 2000 client computers (and their users) on a Windows 2000 network?

A.

408 Chapter 6 63. What is a Windows 2000 deployment tool designed for large organizations and OEMs?

*A. Sysprep

Explanation: Sysprep (sysprep.exe) is a Windows 2000 deployment tool designed for large organizations and OEMs. It prepares a Windows 2000 computer's hard disk for duplication, thus making it possible for that computer's hard disk to be copied to other computers. Sysprep can be used on either Windows 2000 Professional or Windows 2000 Server computers, but can't be used on a Windows 2000 Server domain controller. It requires the use of third-party disk duplication software.

It prepares a Windows 2000 computer's hard disk for duplication, thus making it possible for that computer's hard disk to be copied to other computers.

64. What is a collection of Administrator-created user, group, and computer system policies which enables an administrator to manage non-Windows 2000 client computers (and their users) on a Windows 2000 network?

*A. System Policy

Explanation: System Policy is a collection of Administrator-created user, group, and computer system policies which enables an administrator to manage non-Windows 2000 client computers (and their users) on a Windows 2000 network.

Terminology 409 65. What are environment variables that apply to all users and to the operating system?

A.

66. What is another name for built-in special groups?

A.

410 Chapter 6 65. What are environment variables that apply to all users and to the operating system?

*A. System Environment Variables

Explanation: System environment variables are environment variables that apply to all users and to the operating system.

66. What is another name for built-in special groups?

*A. System Groups

Explanation: System groups is another name for built-in special groups.

Terminology 411 67. What is the only way you can change or assign permissions to a file or folder on an NTFS volume if you don't have the Full Control NTFS permission?

A.

68. What is a trust relationship between two Windows 2000 domains in the same domain tree (or forest) which can extend beyond these two domains to other trusted domains within the same domain tree (or forest)?

A.

412 Chapter 6 67. What is the only way you can change or assign permissions to a file or folder on an NTFS volume if you don't have the Full Control NTFS permission?

*A. Take Ownership

Explanation: Each file or folder on an NTFS volume has an owner. If you need to change or assign NTFS permissions to a file or folder, but don't have the Full Control NTFS permission (or the Change Permissions special NTFS permission) to the file or folder, the only way you can change or assign permissions is to take ownership of the file or folder. This is done by using Windows Explorer.

68. What is a trust relationship between two Windows 2000 domains in the same domain tree (or forest) which can extend beyond these two domains to other trusted domains within the same domain tree (or forest)?

*A. Transitive Trust

Explanation: A transitive trust is a trust relationship between two Windows 2000 domains in the same domain tree (or forest) which can extend beyond these two domains to other trusted domains within the same domain tree (or forest). It is always a two-way trust. By default, all Windows 2000 trusts within a domain tree (or forest) are transitive trusts.

Terminology 413 69. In what kind of relationship do two domains trust each other?

A.

70. What term describes an agreement between two domains that enables users in one domain to be authenticated by a domain controller in another domain, and therefore to access shared resources in the other domain?

A.

414 Chapter 6 69. In what kind of relationship do two domains trust each other?

*A. Two-Way Trust

Explanation: In a two-way trust relationship, two domains trust each other.

70. What term describes an agreement between two domains that enables users in one domain to be authenticated by a domain controller in another domain, and therefore to access shared resources in the other domain?

*A. Trust Relationship

Explanation: A trust relationship, or trust, is an agreement between two domains which enables users in one domain to be authenticated by a domain controller in another domain, and therefore to access shared resources in the other domain.

Terminology 415 71. What is the domain which contains the user accounts that want to access the shared resources in the trusting domain?

A.

72. What is the domain that has resources to share with users accounts in the trusted domain?

A.

416 Chapter 6 71. What is the domain which contains the user accounts that want to access the shared resources in the trusting domain?

*A. Trusted Domain

Explanation: The trusted domain is the domain that contains the user accounts that want to access the shared resources in the trusting domain. The trusted domain is trusted by the trusting domain.

72. What is the domain that has resources to share with users accounts in the trusted domain?

*A. Trusting Domain

Explanation: The trusting domain is the domain that has resources to share with users accounts in the trusted domain. It trusts the trusted domain.

It trusts the trusted domain.

Terminology 417 73. What is often used by protocols such as TCP/IP and IPX/SPX to determine the number of routers a packet can cross before it is discarded (killed)?.

A.

74. What are groups that are created and maintained in Active Directory on Windows 2000 domain controllers?

A.

418 Chapter 6 73. What is often used by protocols such as TCP/IP and IPX/SPX to determine the number of routers a packet can cross before it is discarded (killed)?.

*A. Time-To-Live

Explanation: Time-To-Live is abbreviated TTL. It is often used by protocols such as TCP/IP and IPX/SPX to determine the number of routers a packet can cross before it is discarded (killed).

74. What are groups that are created and maintained in Active Directory on Windows 2000 domain controllers?

*A. Universal Groups

Explanation: Universal groups, like domain local groups and global groups, are groups that are created and maintained in Active Directory on Windows 2000 domain controllers. Universal groups are used to organize users from multiple domains which perform similar job tasks or have similar network access requirements, or to control access to shared resources in multiple domains.

These groups are used to organize users from multiple domains which perform similar job tasks or have similar network access requirements, or to control access to shared resources in multiple domains.

Terminology 419 75. What term refers to the process of verifying a user's credentials for the purpose of determining whether or not the user is permitted to access a local computer or a network resource, such as a shared folder or shared printer?

A.

76. What term describes a folder containing a collection of settings, options, and files specifying a user's desktop and all other user-definable settings in his/her work environment?

A.

420 Chapter 6 75. What term refers to the process of verifying a user's credentials for the purpose of determining whether or not the user is permitted to access a local computer or a network resource, such as a shared folder or shared printer?

*A. User Authentication

Explanation: User authentication is the process of verifying a user's credentials for the purpose of determining whether or not the user is permitted to access a local computer or a network resource, such as a shared folder or shared printer. In Windows 2000, user authentication is performed by either the local computer (if the user logs on by using a local user account) or by a domain controller (if the user logs on by using a domain user account).

76. What term describes a folder containing a collection of settings, options, and files specifying a user's desktop and all other user-definable settings in his/her work environment?

*A. User Profile

Explanation: A user profile is a folder containing a collection of settings, options, and files specifying a user's desktop and all other user-definable settings for his/her work environment. You can use the User Profiles tab in the System application to copy, delete, and change the type of user profiles.

Terminology 421 77. What authorizes users and groups to perform specific tasks on a Windows 2000 computer or in a Windows 2000 domain?

A.

78. What term refers to a collection of settings which restrict a user's program and network options and can enforce a specified configuration on the user's work environment?

A.

422 Chapter 6 77. What authorizes users and groups to perform specific tasks on a Windows 2000 computer or in a Windows 2000 domain?

*A. User Rights

Explanation: User rights authorize users and groups to perform specific tasks on a Windows 2000 computer or in a Windows 2000 domain. User rights are not the same as permissions because user rights enable users to perform tasks, whereas permissions enable users to access objects, such as files, folders, printers, and Active Directory objects.

78. What term refers to a collection of settings which restrict a user's program and network options and can enforce a specified configuration on the user's work environment?

*A. User System Policy

Explanation: A user system policy is a collection of settings which restricts a user's program and network options and can enforce a specified configuration on the user's work environment. There are two types of user system policies: 1) an individual user policy and 2) the Default User policy.

Terminology 423 79. What is a private, encrypted connection between two computers (or networks) that can already communicate with each other by using TCP/IP?

A.

80. What is a Windows 2000 Server service which provides NetBIOS name resolution services to client computers?

A.

424 Chapter 6 79. What is a private, encrypted connection between two computers (or networks) that can already communicate with each other by using TCP/IP?

*A. Virtual Private Network

Explanation: Virtual private network is abbreviated VPN. It is a private, encrypted connection between two computers (or networks) that can already communicate with each other by using TCP/IP.

80. What is a Windows 2000 Server service which provides NetBIOS name resolution services to client computers?

*A. Windows Internet Name Service

Explanation: Windows Internet Name Service is a Windows 2000 Server service which provides NetBIOS name resolution services to client computers.

426 Other Microsoft Books

Other Microsoft Certification books by TotalRecall Publications InsideScoop to MCP / MCSE Certification: Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition ExamInsight For MCP / MCSE Certification: Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition ExamWise For MCP / MCSE Certification: Exam 70-210 Managing a Microsoft Windows 2000 Professional ExamWise For MCP / MCSE Certification: Exam 70-215 Managing a Microsoft Windows 2000 Server ExamWise For MCP / MCSE Certification: Exam 70-216 Implementing and Administering a Microsoft Windows 2000 Network Infrastructure ExamWise For MCP / MCSE Certification: Exam 70-217 Managing a Microsoft Directory Services Infrastructure ExamWise For MCP / MCSE Certification: Exam 70-219 Designing a Windows 2000 Directory Services Infrastructure ExamWise For MCP / MCSE Certification: Exam 70-220 Designing Security for a Microsoft Windows 2000 Network ExamWise For MCP / MCSE Certification: Exam 70-221 Designing a Microsoft Windows 2000 Network Infrastructure ExamWise For MCP / MCSE Certification: Microsoft Windows XP Professional

Exam 70-270

Guarantee 427

Money Back Book Guarantee This guarantee applies only to books published by TotalRecall Publications, Inc.!

We are so confident in our products, we are prepared to offer the following

guarantee to YOU our valued customer: If you do not pass your certification

exam after two attempts, we will give money back!

Visit http://www.totalrecallpress.com

Select “Money Back Book Guarantee” for details.

Registered book purchasers who qualify will receive

1. Receive a 50% cash refund of purchase price 2. Receive a free TotalRecall book of equal value. Note: you must pay for shipping and handling. To qualify for this TotalRecall Guarantee you must meet these requirements and perform the following tasks: 1. Register your purchase at the TotalRecall web site http://www.totalrecallpress.com 2. Fail the corresponding exam twice ( No time Limit ) 3. Contact TotalRecall for the RMA # and to claim this guarantee Send email to mailto:[email protected] Subject must contain your Membership # or Registration # Ship the following to claim your refund. 1. RMA # from returned email 2. Documents of exam scores for both failed attempts 3. Return the Book to the following address TotalRecall Publications, Inc.

Attn: Corby Tate 1103 Middlecreek Friendswood, TX 77546 888-992-3131 [email protected] 281-992-3131 281-482-5390 Fax http://www.bfq.com It's a Passing day here at the BeachFront. Thank you for using the TotalREcall Success Program. Bruce Moran President

428 Free Practice Exam Online

70-227 Free Practice Exam Online With the purchase of this book you qualify for a Free

Beachfront Quizzer, Inc. Online Practice exam.

Visit www.TotalRecallPress.com for details.

Register your book purchase at

www.TotalRecallPress.com Your Registration Code is: = EW-03227-0000 System Requirements: Internet connection:

Call: 281-992-3131

Good Luck with your certification!

Your Book Registration Number is EW-03227-0000

You cannot go wrong with this book because it is

GUARANTEED:

See details at www.TotalRecallPress.com

ExamWise For MCP MCSE Certification: Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition Exam 70-227 (With Online Exam)

ExamWise For Exam 1D0-470 CIW Security Professional Certification (With Online Exam) (Examwise S.)

Examinsight for Internet Security and Acceleration (ISA) Server 2000 Enterprise Edition: Examination 70-227, Installing Configuring, and Administering Microsoft Internet Security and Acceleration Server 2000, Enterprise Edition

ExamInsight For MCP MCSE Certification: Security for a Microsoft Windows 2000 Network Exam 70-220

Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed

MCSE Self-paced Training Kit (exam 70-350): Implementing Microsoft Internet Security and Acceleration Server 2004

ExamInsight For MCP MCSE Certification: Microsoft Windows 2000 Network Infrastructure Exam 70-221

ExamInsight For MCP MCSE Certification: Microsoft Windows 2000 Directory Services Infrastructure Exam 70-219

MCSE Self-Paced Training Kit (Exam 70-350): Implementing Microsoft Internet Security and Acceleration Server 2004: Implementing Microsoft(r) Internet ... Acceleration Server 2004 (Pro-Certification)

MCSE Self-Paced Training Kit (Exam 70-350): Implementing Microsoft Internet Security and Acceleration Server 2004: Implementing Microsoft(r) Internet ... Acceleration Server 2004 (Pro-Certification

Examwise for Installing, Configuring and Administering Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition: Examination 70-227

MCSE Windows 2000 Server Exam Cram2 (Exam 70-215)

ExamWise For Exam 1D0-420 CIW Site Designer Certification (With Online Exam)

ExamWise For Exam 1D0-460 CIW Internetworking Professional Certification (With Online Exam)

Microsoft Internet Security and Acceleration (ISA) Server 2000: Administrator's Pocket Consultant

MCSE Training Guide (70-227): Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000

MCSE: ISA Server 2000 Administration Study Guide: Exam 70 227 with CDROM

MCSE: ISA Server 2000 Administration Study Guide: Exam 70 227 with CDROM

MCSE: ISA Server 2000 Administration Study Guide: Exam 70 227 with CDROM

CCIE Security Exam Certification Guide

CCIE Security Exam Certification Guide

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: Windows 2000 Server Study Guide Exam 70-215

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

Server+ Certification Exam Cram 2 (Exam SKO-002)

MCSE: Windows 2000 Migration Exam Notes

MCSA MCSE Self-Paced Training Kit: Microsoft Windows 2000 Server, Exam 70-215, Second Edition

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

ExamWise For MCP MCSE Certification: Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition Exam 70-227 (With Online Exam)

ExamWise For Exam 1D0-470 CIW Security Professional Certification (With Online Exam) (Examwise S.)

Examinsight for Internet Security and Acceleration (ISA) Server 2000 Enterprise Edition: Examination 70-227, Installing Configuring, and Administering Microsoft Internet Security and Acceleration Server 2000, Enterprise Edition

ExamInsight For MCP MCSE Certification: Security for a Microsoft Windows 2000 Network Exam 70-220

Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed

MCSE Self-paced Training Kit (exam 70-350): Implementing Microsoft Internet Security and Acceleration Server 2004

ExamInsight For MCP MCSE Certification: Microsoft Windows 2000 Network Infrastructure Exam 70-221

ExamInsight For MCP MCSE Certification: Microsoft Windows 2000 Directory Services Infrastructure Exam 70-219

MCSE Self-Paced Training Kit (Exam 70-350): Implementing Microsoft Internet Security and Acceleration Server 2004: Implementing Microsoft(r) Internet ... Acceleration Server 2004 (Pro-Certification)

MCSE Self-Paced Training Kit (Exam 70-350): Implementing Microsoft Internet Security and Acceleration Server 2004: Implementing Microsoft(r) Internet ... Acceleration Server 2004 (Pro-Certification

Examwise for Installing, Configuring and Administering Microsoft Internet Security and Acceleration Server 2000 Enterprise Edition: Examination 70-227

MCSE Windows 2000 Server Exam Cram2 (Exam 70-215)

ExamWise For Exam 1D0-420 CIW Site Designer Certification (With Online Exam)

ExamWise For Exam 1D0-460 CIW Internetworking Professional Certification (With Online Exam)

Microsoft Internet Security and Acceleration (ISA) Server 2000: Administrator's Pocket Consultant

MCSE Training Guide (70-227): Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000

MCSE: ISA Server 2000 Administration Study Guide: Exam 70 227 with CDROM

MCSE: ISA Server 2000 Administration Study Guide: Exam 70 227 with CDROM

MCSE: ISA Server 2000 Administration Study Guide: Exam 70 227 with CDROM

CCIE Security Exam Certification Guide

CCIE Security Exam Certification Guide

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: Windows 2000 Server Study Guide Exam 70-215

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

MCSE: SQL Server 2000 Design Study Guide (Exam 70-229)

Server+ Certification Exam Cram 2 (Exam SKO-002)

MCSE: Windows 2000 Migration Exam Notes

MCSA MCSE Self-Paced Training Kit: Microsoft Windows 2000 Server, Exam 70-215, Second Edition

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

MCSE: Windows 2000 Network Security Design Exam Notes(tm)

Recommend Documents