Questions

1. You are the administrator of a network that includes Windows 2000 computers, Windows Millennium Edition (ME) computers, Windows XP Professional computers, UNIX computers and Linux computers. The UNIX and Linux computers are running Web browsers that support Hypertext Transfer Protocol (HTTP) 1.1 and Web proxies. The Windows computers are running the latest version of Internet Explorer (IE).

You have installed an Internet Security and Acceleration (ISA) Server 2000 computer between your internal network and the Internet in order to provide secure Internet access for computers on your network. You must configure the computers on your network as clients of the ISA Server computer. You should configure the client computers to support all ISA Server-supported protocols. You need to ensure that you implement the same ISA Server-client configuration on all computers, regardless of operating system. You also want to configure the clients to support authentication of Internet requests and Web caching, if possible.

How should you configure the computers on your network?

a. Configure all computers as SecureNAT clients.
b. Configure all computers as Web Proxy clients.
c. Configure all computers as Firewall clients.
d. Configure all computers as SecureNAT and Web Proxy clients.
e. Configure all computers as Firewall and Web Proxy clients.
f. Configure all Windows computers as Firewall and Web Proxy clients. Configure all UNIX and Linux computers as SecureNAT and Web Proxy clients.

2. You are the administrator of your company's Internet Security and Acceleration (ISA) Server 2000 computer. You want to configure the ISA Server computer to store Web Proxy logs in a Microsoft SQL Server database.

Which of the following sample scripts should you use to create a table for the Web Proxy logs?

a. PF.SQL from the ISA Server computer's \Program Files\Microsoft ISA Server\ODBC folder
b. ISA.SQL from the ISA Server computer's \Program Files\Microsoft ISA Server folder
c. FWSRV.SQL from the ISA Server CD
d. W3PROXY.SQL from the ISA Server CD

3. You are the administrator of your company's Internet Security and Acceleration (ISA) Server 2000 computer. You want to use the MS_FWC.MSI file and Group Policies to automatically install the Firewall Client software to all of the Windows 2000 and Windows XP computers on your network. You want to ensure that the package is installed on all computers, regardless of which users log on to which computers.

Which of the following actions should you perform?

a. Publish MS_FWC.MSI to all computers.
b. Publish MS_FWC.MSI to all users.
c. Assign MS_FWC.MSI to all computers.
d. Assign MS_FWC.MSI to all users.

4. You have installed an Internet Security and Acceleration (ISA) Server 2000 computer between your internal network and the Internet. The ISA Server computer provides firewall and Web caching services for your network. You have configured the computers on your internal network as SecureNAT and Web Proxy clients of the ISA Server computer. You have configured protocol rules and site and content rules that allow anyone on the internal network to access any external destination at any time using any protocol.

Users have reported problems connecting to certain Web sites at certain times. You are unable to reproduce the problems consistently. You want to use the Web browser on the ISA Server computer to attempt to connect to the problematic sites, and you want to bypass the ISA Server computer's Web cache. You do not want to use unnecessary effort.

Which of the following actions should you perform?

a. Configure the ISA Server computer's internal address as the default gateway for the ISA Server computer's internal interface.
b. Configure the ISA Server computer's external address as the default gateway for the ISA Server computer's internal interface.
c. Configure the ISA Server computer's Web browser as a Web Proxy client; use the ISA Server computer's external IP address as the Web browser's proxy address.
d. Configure the ISA Server computer's Web browser as a Web Proxy client; use the ISA Server computer's internal IP address as the Web browser's proxy address.
e. Configure an IP packet filter for HTTP traffic; configure the filter to apply to only the ISA Server computer's internal IP address.
f. Configure a new protocol rule for HTTP traffic; configure the rule to apply to only the ISA Server computer's internal IP address.

5. You are the administrator of your company's stand-alone Internet Security and Acceleration (ISA) Server 2000 computer. You have configured the ISA Server computer to allow any request for access to any Internet site using any protocol at any time. Users have reported that Internet access is slow. Based on information obtained from the ISA Server computer Traffic and Utilization Reports, you increase the size of the ISA Server computer's disk cache. Several days after making the change, users are still reporting slow Internet access.

Which of the following actions should you perform to resolve the problem?

a. Restart the Web Proxy service.
b. Restart the Firewall service.
c. Enable ICS.
d. Disable CARP.

 

6. You have acquired five new computers with identical hardware configurations. Two of these new computers will be configured as public Web servers and will be placed on your internal network. These Web servers will contain identical content. The other three computers will be configured as Internet Security and Acceleration (ISA) Server 2000 computers. The three ISA Server computers will be configured as an array. The array will be used to shield your internal network from the Internet, but users on your internal network should be able to access the Internet.

You perform the following actions:

1. Install an additional network interface card (NIC) in each of the computers that will run ISA Server.
2. Install Windows 2000 Advanced Server on all five computers.
3. Connect each computer to the internal network and configure IP appropriately.
4. Connect the second NIC in the ISA Server computers to the Internet and configure IP appropriately.
5. Configure Internet Information Services (IIS) on the Web server computers.
6. Copy the Web server content to the appropriate location on each Web server.
7. Run the Enterprise Initialization Tool.
8. Install ISA Server on the array computers.
9. Configure the ISA Server computers as members of the same array.
10. Create the appropriate site and content, protocol and publishing rules on the array.
11. Configure internal client computers as Web Proxy clients.

Which of the following actions should you perform next in order to complete your objectives?

a. Extend the Active Directory schema to support ISA Server.
b. Configure NLB for the ISA Server array computers.
c. Configure NLB for the Web servers.
d. Configure a unique load factor on each ISA Server computer.
e. Configure an external IP address for intra-array communication on each ISA Server computer.

7. You are the administrator who is responsible for your company's connection to the Internet. You have installed an Internet Security and Acceleration (ISA) Server 2000 computer between the Internet and your company's network. The ISA Server computer is configured as a single-server array.

In order to improve Internet access for your users, you have decided to install a second ISA Server computer. You want the same set of access rules to apply to both servers. After installing the new ISA Server computer and connecting it to both the Internet and the internal network, you find that the computers on the internal network are unable to connect to the Internet by using the new ISA Server computer. When you examine the new ISA Server computer's configuration, you find that no access rules have been configured on the new server.

Which of the following actions should you perform in order the resolve the problem by using the least amount of administrative effort?

a. Reinstall the new ISA Server computer as a member of the first server's array.
b. Rebuild the array as an enterprise array.
c. Recreate the rules from the first server on the new server.
d. Add the address of the Internet-connected interface to the LAT of the new ISA Server computer.

Answers:

1) Choice d is correct. You should configure all computers as SecureNAT and Web Proxy clients. ISA Server supports three types of clients: SecureNAT clients, Web Proxy clients and Firewall clients. The Firewall Client software offers the most complete and thorough support of ISA Server. However, the Firewall Client software does not support non-Windows computers. Therefore, you cannot configure your UNIX and Linux computers as Firewall clients. In this scenario, you need to ensure that you implement the same ISA Server client configuration on all computers; therefore, you should not configure your Windows computers as Firewall clients, either.

In order to provide support for the widest variety of protocols, you should configure all computers as SecureNAT clients. SecureNAT clients are not ISA Server-aware. Instead, network routing is configured to forward all requests destined for the Internet to the ISA Server computer. Because the SecureNAT clients are not aware of the ISA Server computer, you may need to configure application filters for certain types of connections. Additionally, SecureNAT clients cannot take advantage of authentication or Web caching.

Because your UNIX and Linux computers are running Web browsers that support HTTP 1.1 and Web proxies, and because your Windows computers are running the latest version of IE, all of your computers can be configured as Web Proxy clients in addition to being configured as SecureNAT clients. In order to configure computers as Web Proxy clients, you should configure the computers' Web browsers to direct Internet requests to the ISA Server computer. Web Proxy clients support authentication and Web caching. Web Proxy clients support only Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), File Transfer Protocol (FTP) and Gopher. Therefore, you should configure your computers as both SecureNAT clients and Web Proxy clients in order to take advantage of authentication, Web caching and the greatest number of protocols.

Reference: www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/M_P_C_WebProxy.asp ISAOH, Contents, "Concepts," "Understanding ISA Server," "ISA Server services," "Web Proxy service." www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/CMT_PlanClient.asp ISAOH, Contents, "Concepts," "Understanding ISA Server," "ISA Server Clients (entire section)." ISASG, Chapter 6, Supported Client Types, pp. 316-322.

2) Choice d is correct. In order to create a table for the Web Proxy logs, you should use the W3PROXY.SQL file from the ISA Server CD. The W3PROXY.SQL file is a sample script that can be used to create the WebProxyLog table. The file can be found in both the \ISA folder on the ISA Server CD and the \Program Files\Microsoft ISA Server folder on the ISA Server computer, as can the other .SQL sample scripts.

The PF.SQL file is a sample script that can be used to create the PacketFilterLog table. The FWSRV.SQL file is a sample script that can be used to create the FirewallLog table. An ISA.SQL sample script is not included with ISA Server.

Reference: www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/CMT_Log2DB.asp ISAOH, Contents, "Concepts," "Using ISA Server," "Monitoring and Reporting," "Logging," "Logging to a database."

3) Choice c is correct. In this scenario, you should assign MS_FWC.MSI to all computers. The MS_FWC.MSI file is a software package file that enables the Windows Installer to install the Firewall Client software on Windows 2000 and Windows XP computers. You can use Group Policies to publish or assign software packages. Published packages are available for installation; assigned packages are installed automatically. In this scenario, you want the Firewall Client software to be installed automatically, not upon request. Therefore, you should assign the package, not publish it. Because you want the Firewall Client software installed on computers regardless of who logs on to them, you should assign the package to all computers, not to all users.

Reference: www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/CMT_DeployFW.asp ISAOH, Contents, "Concepts," "Using ISA Server," "Installing and Configuring ISA Server Clients," "Installing and Configuring Firewall Client Software," "Deploying groups of Firewall clients."

4) Only choices d and e are correct. To configure the ISA Server computer's Web browser to bypass the Web cache when connecting to Internet sites, you should perform the following actions:

• Configure the ISA Server computer's Web browser as a Web Proxy client, and use the ISA Server computer's internal IP address as the Web browser's proxy address.
• Configure an IP packet filter for HTTP traffic, and configure the filter to apply to only the ISA Server computer's internal IP address.

If you do not configure the ISA Server computer's Web browser as a Web Proxy client, then you will be unable to access Internet sites. When configuring an ISA Server computer's Web browser as a Web Proxy client, you must use the ISA Server computer's internal IP address as the Web browser's proxy address. If you use the computer name, host name or external IP address of the ISA Server computer, then requests will be interpreted as originating from the external side of the ISA Server computer and those requests will be denied. In order to bypass the ISA Server computer's Web cache, you should configure an IP packet filter that uses local fixed port 80 and any remote port, and you should configure the filter to apply to only the ISA Server computer's internal address. If you were to configure the filter to apply to all requests, then all Web requests from internal clients would bypass the ISA Server computer's Web cache.

You should not configure a default gateway for the ISA Server computer's internal interface. Doing so could inhibit the ISA Server computer's ability to properly route requests. You should not configure a new protocol rule because the existing protocol rules already allow all internal clients to use any protocols at any time.

Reference: www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/M_P_C_ConfigScript.asp ISAOH, Contents, "Concepts," "Using ISA Server," "Installing and Configuring ISA Server Clients," "Configuring Web Proxy clients." www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/M_P_C_AllowBlock.asp ISAOH, Contents, "Concepts," "Using ISA Server," "Using Packet Filtering," "IP packet filters."

5) Choice a is correct. Of the available choices, you should restart the Web Proxy service. After you change the size of the cache or change the disks that are used for caching, you should restart the Web Proxy service in order to activate the configuration change. Restarting the Firewall service is not required to activate configuration changes to the ISA Server cache. Internet Connection Sharing (ICS) should not be enabled on an ISA Server computer. Cache Array Routing Protocol (CARP) is used only in arrays; enabling or disabling CARP on a stand-alone ISA Server computer has no effect.

Reference: www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/CMT_SvcRestart.asp ISAOH, Contents, "Concepts," "Understanding ISA Server," "ISA Server services," "Restarting services after configuration changes."

6) Choice c is correct. You should configure Network Load Balancing (NLB) on the Web servers. NLB enables multiple Windows 2000 Advanced Server computers to be clustered by using a single IP address. Although each member of the cluster also has a unique IP address, requests that are addressed to the shared IP address are redirected in order to balance requests between the servers. In this scenario, using NLB on the Web servers allows the Web servers to be configured as a load-balanced cluster. Because the Web servers contain identical content, NLB optimizes the Web server configuration.

In this scenario, using NLB on the ISA Server array computers offers no discernable benefit. NLB can be configured on the internal NICs on ISA Server computers in order to provide better support for SecureNAT clients. However, because you are configuring the internal computers as Web Proxy clients, Cache Array Routing Protocol (CARP) should be enabled on the array for outbound Web requests. CARP enables the ISA Server array computers' caches to function as a single logical cache. By default, CARP is enabled for outbound requests. Because you are using the ISA Server array to publish your Web servers, you should enable CARP for incoming Web requests, as well.

You should not configure a unique load factor for each ISA Server computer in this scenario. Load factor, which is an aspect of CARP configuration, determines the relative load on a member of an ISA Server array. In this scenario, all of the ISA Server computers are identically configured and should, therefore, be equally equipped to handle requests. Thus, configuring unequal load factors on the ISA Server array computers would be inappropriate.

You should not configure an external IP address for intra-array communication on each ISA Server computer. The IP address used for intra-array communication should be an internal IP address; a unique intra-array address is required for each array member.

Extending the Active Directory schema is performed by running the Enterprise Initialization Tool; arrays cannot be installed in a forest until the forest's schema has been extended by the Enterprise Initialization Tool. In this scenario, you have already run the Enterprise Initialization Tool and configured the ISA Server computers in an array. Therefore, the Active Directory schema has already been extended to support ISA Server.

Reference: www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/CMT_ReverseConfig.asp ISAOH, Contents, "Concepts," "Using ISA Server," "Setting Network Configuration," "Configuring incoming Web request properties." www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/CMT_NLBFault.asp ISAOH, Contents, "Concepts," "Using ISA Server," "Deployment Scenarios," "Grouping ISA Server computers for fault tolerance," "Using Network Load Balancing."

7) Choice a is correct. You should reinstall the second ISA Server computer as a member of the array. When you install ISA Server, you must choose whether to create a stand-alone server or install the new server into an array. If you add the new server to an array, then the array configuration, including access rules, are applied to the new server. In this scenario, the new ISA Server computer was probably installed as a stand-alone server; if the new server had been installed into the array, then the array access rules should have been automatically applied. In order to correct the situation, you should reinstall the ISA Server computer as an array member. To reinstall, first open Control Panel and double-click Add/Remove Programs. Then, from the Currently installed programs: list, select Microsoft ISA Server and click Change. When the ISA Server Setup program starts, select Reinstall and select the appropriate options for the reinstall.

You should not add the external interface address to the local address table (LAT); the LAT should include only the address ranges that are used on your internal network. Rebuilding the array as an enterprise array is unnecessary in this scenario. Creating an enterprise array is appropriate when you want to apply enterprise-wide policies to a number of ISA Server arrays that are independently managed. In this scenario, you are configuring a pair of parallel ISA Server computers that protect the internal network at the same Internet connection point. Therefore, implementing an enterprise array is unnecessary and requires additional effort beyond reinstalling the new ISA Server computer. Recreating the existing rules on the new ISA Server computer would probably require more administrative effort than reinstalling the ISA Server computer as an array member. Additionally, recreating the existing rules on the new server, technically, does not meet the scenario requirement that the same set of rules apply to both servers. Furthermore, if you were to recreate the existing rules rather than reinstall the server into the array, then you would be required to duplicate each future rule change, which would increase the amount of administrative effort required.

Reference: www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/M_P_P_ReinstallControlPnl.asp ISAOH, Contents, "How To...," "Install, Reinstall, and Uninstall ISA Server," "Reinstall or uninstall server software." www.microsoft.com/technet/prodtechnol/isa/proddocs/isadocs/CMT_AdministerArray.asp ISAOH, Contents, "Concepts," "Using ISA Server," "Administering ISA Server," "Administering stand-alone servers, arrays, and the enterprise."

These questions and answers are provided by Transcender LLC. Order the full version of this exam simulation online at www.transcender.com, phone 615-726-8779, 8 a.m. - 6 p.m., (CST), M - F, fax 615-726-8884, or mail to or mail to Transcender LLC, 565 Marriott Drive, Suite 300, Nashville, TN 37214.

For more CertCities.com pop quizzes, click here. To access our list of free, non-braindump practice exams from across the Web, click here.

More Pop Quiz:

• Cisco Exam #642-871: ARCH Exam (MeasureUp, set 2)
• Cisco Exam #642-811: BCMSN Exam (Whizlabs, set 2)
• Cisco Exam #642-811: BCMSN Exam (Whizlabs, set 1)
• Cisco Exam #642-871: ARCH Exam (MeasureUp, set 1)