Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Remote Access Authentication Methods

1. Mary is configuring her first Windows 2000 RRAS server and wants to use strong authentication protocols to keep her network secure. Which protocol(s) should she use?

  A. L2TP/IPSec

  B. PAP

  C. EAP

  D. CHAP

  E. MS-CHAPv2


2. Jim is the security administrator for his company's legal department. The network and remote access solutions are based on Windows 2000 Server, and Legal just purchased smartcards for the entire department so that they can use secure dial-in access. Jim knows he needs to configure EAP-TLS, but he isn't sure where to configure it. He also only wants to change this setting for the legal department, not for all users. Where is this protocol configured?

  A. In the Dial-in profile for the Legal remote access policy

  B. In the Modem Pool Properties dialog box, under the Legal profile

  C. Under the Security tab of the Routing and Remote Access server properties

  D. In the legal department's remote access policy, on the Authentication tab


3. Jim's manager has asked him to configure the company Windows 2000 VPN server to allow for the use of smartcards for remote access authentication. What protocol does Jim need to use for this?

  A. PPTP

  B. EAP-TLS

  C. L2TP

  D. MS-CHAP v2

  E. PPP


Answers

1.

☑ C, E. EAP provides the ability to use smartcards for authentication and provides a strong authentication solution. MS-CHAPv2 provides the strongest authentication available for use with user ID and password.

☒ A, B, D. L2TP/IPSec is not an authentication protocol. Both PAP and CHAP are older protocols and provide either no protection or very weak protection of the information being passed.

2.

☑ A. If you want to configure specific conditions for a group of users, including the authentication protocol, you use a remote access policy. The specific location in the policy in this case is in the profile.

☒ B, C, D. There is no Modem Pool in the Windows 2000 RRAS. Changing the RRAS server properties would impact the entire server, not just the legal department, although you can set the protocol there as well. There is no Authentication tab under the remote access policy; it is in the remote access profile.

3.

☑ B. EAP-TLS is the protocol needed for smartcard deployments.

☒ A, C, D, E. PPTP and L2TP are VPN protocols and do not apply to authentication. MS-CHAP v2 is an authentication protocol but does not support smartcards, and PPP is a transport protocol.

Configuring a Remote Access Server

4. Mary maintains the remote access infrastructure for her company. Previously, Mary maintained a single Windows 2000 RAS server, but over the weekend she added another Windows 2000 RAS server for higher capacity. The two servers are in the same native-mode Active Directory domain, but during testing Mary cannot dial into the new server using her Windows 2000 credentials. What is the most likely problem?

  A. The Windows 2000 RRAS service is not installed on the new server.

  B. The Windows 2000 RRAS service needs to be enabled in the Active Directory.

  C. The Remote Access Profiles are not shared, and need to be recreated on the new server.

  D. Installing more than one Windows 2000 RRAS server into the same Active Directory domain is not permitted.


Answers

4. 

☑ C. Profiles are stored locally and need to be recreated on the new server before users will be able to authenticate.

☒ A, B, D. RRAS is installed automatically as part of Windows 2000 Server. It does not need to be enabled in the Active Directory, and you can have more than one Windows 2000 RRAS server in the same domain.

Configuring a Virtual Private Networking Server

5. Andrea is responsible for her company's Windows 2000 RRAS server, which has been running as an RAS server for several months. She just manually added services to the server so that the 120 sales representatives could connect to the network using VPN instead of modems. All the sales reps are using PPTP. The first five VPN users connect without issue, but then the server denies access to additional VPN users. RAS users seem to be unaffected by the issue. What is the most likely problem?

  A. The server doesn't have enough VPN client licenses for more than five concurrent users.

  B. The DHCP server is only providing five IP addresses.

  C. When you configure the Routing and Remote Access Service for dial-in, it only creates five PPTP ports.

  D. Windows 2000 will only support five VPN connections at a time.


6. June is trying to get a job as a network administrator, and she is being quizzed by the department manager on her knowledge of protocols. Her manager is particularly interested in her background in IPSec, so he has asked her to list the protocols used by IPSec. Which of the following are protocols used by IPSec?

  A. ESP

  B. AH

  C. PPTP

  D. L2F

  E. ISAKMP


Answers

5. 

☑ C. When you use the Dial-In wizard to configure the RRAS server, it will only create five PPTP and five L2TP ports. If the server had been configured for VPN the first time, 128 ports would have been configured.

☒ A, B, D. Windows 2000 doesn't require licenses for VPN connections. The DHCP server issue would impact VPN and RAS users.

6.

☑ A, B, E. ESP, AH, and ISAKMP are all protocols used by IPSec.

☒ C, D. PPTP and L2F, although tunneling protocols, are not used by IPSec.

Introduction to Remote Access Policies

7. Tom is the administrator of a Windows 2000 RAS server that's being used for dial-in connections to the corporate network. He needs to be sure that no one is connecting to the server from 1:00 a.m. until 2:00 a.m. while the server is being backed up. Tom is using one policy to permit access for all users. What is the easiest way to add this restriction for all users?

  A. Create a new Remote Access policy containing the restriction, and make sure it is processed before the default policy.

  B. Add a deny access condition to the existing remote access profile.

  C. Add a deny access condition to the existing remote access policy.

  D. Create a new Remote Access profile containing the restriction, and make sure it is processed before the default policy.


8. Stacey is the system administrator of a Windows 2000 Routing and Remote Access server that permits the use of the Multilink protocol to allow users to connect with multiple dial-up lines. To configure this setup to work as efficiently as possible, Stacey needs to automatically drop a line from the Multilink connection when it's not being used. What protocol would need to be enabled to accomplish this task?

  A. EAP-TLS

  B. PAP

  C. PPP

  D. Multilink

  E. BAP


Answers

7. 

☑ C. You can easily add the deny access restriction to the policy by editing the policy properties and adding the condition.

☒ A, B, D. Answer A would work, but it would not be the easiest way to do it. You cannot add a deny access condition to a remote access profile. A remote access profile is part of the remote access policy and cannot be used on its own this way.

8.

☑ E. Bandwidth Allocation Protocol (BAP) monitors the utilization on a multilink connection and dynamically reduces the number of connected lines if the user's utilization drops below a certain amount.

☒ A, B, C, D. EAP-TLS, PAP, and PPP do not apply to the Multilink connections. Multilink is used to support the multiple connections, but it doesn't monitor utilization.

Configuring Clients for Secure Remote Access

9. Tammy is responsible for setting up a new VPN server using Windows 2000 and the Routing and Remote Access Service. She wants to limit access to the VPN by creating a Remote Access Users group in the Active Directory running in native mode, so she creates the group, puts users in it, and creates a Remote Access Policy called VPN User Access. To be sure this is the only way to access the server, she deletes the default remote access policy. Under the Dial-In tab of each user, she sets the Remote Access Permissions to "Control access through Remote Access Policy." What is the last thing Tammy needs to do to limit access to this policy to users in the VPN User Access group?

  A. Edit the VPN User Access policy and add the condition Windows-Groups, selecting the Remote Access Users group as the group for the condition.

  B. Edit the IPSec ports to allow access by the Remote Access Users group.

  C. Edit the VPN User Access policy and limit the protocol to PPTP, and then grant user access to the Remote Access Users group.

  D. Edit the VPN User Access policy and set the permissions on the policy so that the Remote Access Users group has read access. Then delete the Everyone group from the permissions.


10. Jim is the remote access administrator for a medium-sized manufacturing company. He is in the process of rolling out a new Windows 2000 RRAS server, but he knows that the local telephone area code will be changing in six months. He would like to be able to automatically update the users' phone books with the new numbers, so he uses the Connection Manager Administration Kit to create a service profile for the end users. He is putting the new phone book on a server on the internal network. What protocol will be used by the users to get the new phone book?

  A. HTTP

  B. HTTPS

  C. Telnet

  D. FTP


11. June is a network administrator supporting 500 mobile users who dial into the company network using several Windows 2000 RAS servers located throughout the country. She is planning to add between 5 and 10 new RAS servers in other offices in the company, so she has created a dynamic phone book using the Phone Book Administrator utility. Now she wants to publish the phone book so she can create a service profile for her users. What is the easiest way for her to create this phone book?

  A. Save the phone book to her local drive and FTP the resulting files to an FTP server running IIS 4.0 or later.

  B. Save the phone book to her local drive and copy the resulting files to a Web server running IIS 4.0 or later.

  C. From the Publish Phone Book screen, select a directory on an FTP server running IIS 4.0 or later, and select Post.

  D. From the Publish Phone Book screen, select a directory on an FTP server running IIS 4.0 or later, and select Publish.


Answers

9. 

☑ A. Access by group is controlled by setting the Windows-Groups condition in the policy.

☒ B, C, D. You cannot tie ports to groups. You don't need to limit access to PPTP for this question, and you can't grant access through the group without using the Windows-Groups condition. You cannot set permissions as described in D.

10.

☑ D. The automatic phone book update tool uses the FTP protocol to update the phone books.

☒ A, B, D. None of these protocols can be used by the update tool.

11.

☑ C. The Phone Book Administration utility allows you to post phone books to the appropriate server using the Post command in the Publish Phone Book screen.

☒ A, B, D. While A would allow remote users to download this directory, maintaining a manual process like this is much more difficult than the correct answer. B wouldn't work, since the service profile uses FTP to download files. D is not correct because there is not a Publish option available from that menu.

Troubleshooting Remote Access Problems

12. Joan is a help desk specialist for a small manufacturing company that uses a Windows 2000 server for VPN services. Melissa, a sales engineer, is on a sales call and needs to access the company intranet to get some pricing information. Melissa is using a PPTP connection to access the company VPN, and it worked fine from the hotel last night from a dial-up ISP service. She is trying to connect from the customer network, but she's unable to establish a connection, so she has placed a call to Joan to see what's wrong. Which of the following is a possible reason for this problem?

  A. The local network is using NAT.

  B. The company's firewall does not permit the GRE protocol.

  C. The company's firewall does not permit the ESP protocol.

  D. The company's firewall does not use a proxy server.


13. Ted is a help desk specialist for a small printer manufacturing company that uses a Windows 2000 server for VPN services. Jack, a sales engineer, is on a service call and needs to order parts on the company intranet. Jack is using an L2TP/IPSec connection to access the company VPN, and it works fine from Jack's home office, which connects to the Internet through a broadband connection. Unfortunately, Jack cannot connect from the customer's Ethernet network, and he has placed a help desk call for assistance. Which of the following is a possible reason for this problem?

  A. The local network is using NAT.

  B. The company's firewall does not permit the GRE protocol.

  C. The company's firewall does not permit the PPP protocol.

  D. The company's firewall does not support certificates.


14. Tony is the administrator for his company's Windows 2000 RAS server, which uses the corporate Active Directory service for authentication. Joan, an end user in accounting, is trying to connect to the RAS server but keeps getting the message that she is not an authorized user. She can log into the Active Directory without issue when she is connected to the LAN. What might be causing the problem?

  A. The server needs additional PPTP ports configured.

  B. Joan is not using the correct password.

  C. Joan is trying to use her LAN network account instead of her dial-in account.

  D. The user is not using an ID that is authorized to use the dial-in server.


15. Mary is a help desk technician supporting remote users connecting to the company's Windows 2000 RRAS server. She just got a call from Tony, who is using his company laptop and accessing the RRAS server through a PPTP VPN connection. Last week the connection worked fine, but today it is not connecting. When Mary asks if anything has changed, Tony reluctantly admits that his neighbor just installed a freeware encryption application on the system. What is the first step Mary should recommend to address this issue?

  A. Reinstall the VPN client to replace any files that might have been overwritten, and reboot the system.

  B. Reinstall the client operating system to ensure that the system is installed and configured cleanly.

  C. Update the system virus protection and scan the system for viruses.

  D. Remove the new application and reboot the system.


Answers

12. 

☑ B. In order for a client to communicate with the Windows 2000 VPN server using PPTP, it must be able to connect using the GRE protocol. This protocol is frequently blocked on corporate firewalls.

☒ A, C, D. PPTP will work across a NAT network. The ESP protocol is used in L2TP/IPSec, not PPTP. A proxy server is not needed for a successful VPN connection.

13.

☑ A. The IPSec portion of the L2TP/IPSec protocol will not support NAT.

☒ B, C, D. The GRE protocol is not used in conjunction with L2TP/IPSec. The PPP protocol is not used on an Ethernet network. Certificate support is not needed on the local firewall.

14.

☑ D. Before an account can be used to connect to the RAS server, it needs to be authorized through a combination of remote access policy and/or account permissions.

☒ A, B, C. PPTP ports are not used with RAS. Since the RAS server uses Active Directory for authentication, an incorrect password would prevent Joan from logging in at work. This also means that her network account is the same as her RAS account; they are both her Active Directory account.

15.

☑ D. The first thing that should be tried is undoing the changes made between the time the VPN worked and now, especially if the application is loaded on a company system and is not a standard application.

☒ A, B, C. Reinstalling the VPN client shouldn't be the first step; you should remove the application first. There are several other steps that should be taken before resorting to a complete system rebuild. There is no indication that this issue is virus-related. Updating virus protection is never a bad idea, but it will probably not address this issue.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
