Chapter 5: Planning, Implementing, and Maintaining an Internet Connectivity Strategy


Connecting the LAN to the Internet

1.

You have five Windows XP clients on a network with a Windows Server 2003 server. The server has an always-on Internet connection with an ISP. What service can you install on the server to allow the clients to access the Internet, without requiring you to obtain additional IP addresses from your ISP?

  A. PPTP

  B. NAT

  C. DHCP

  D. DNS

2.

You are configuring a simple network with two computers, both running Windows Server 2003. Both will be used as Web servers and must be accessible over the Internet. You have chosen to assign an Internet IP address to each machine, and you want to configure a single Internet connection for use by both machines. Which of the following is the best strategy?

  A. Use a routed connection.

  B. Use NAT.

  C. Use ICS.

  D. Two separate connections are required.

3.

Your network includes a Windows Server 2003 computer and several workstations running Windows 2000 and Windows XP. You need to configure the server to provide shared Internet access to all machines on the network. The server will also act as a Web server. In addition, one of the workstations is providing an FTP service and requires its own Internet IP address. Which solution will address all of these requirements?

  A. ICS

  B. A hardware router

  C. NAT

  D. IAS

4.

You have a DHCP server on the network that automatically assigns IP addresses to clients. You are configuring a NAT server to provide shared Internet access. You want clients to use internal addresses from the same pool, whether or not they are using the Internet. What is the most efficient way to do this?

  A. Divide the address pool between the NAT server and the DHCP server.

  B. Define identical address pools on the NAT server and the DHCP server.

  C. Configure NAT to forward IP addressing requests to the DHCP server.

  D. Remove the DHCP server from the network and use NAT exclusively.

Answers

1.

B. The Network Address Translation (NAT) service allows multiple clients on a LAN to share an existing Internet connection through a single IP address.

A, C, D. Answer A is incorrect because the Point-to-Point Tunneling Protocol (PPTP) is a VPN protocol. Answer C is incorrect because, although the Dynamic Host Configuration Protocol (DHCP) is one of the functions provided by the NAT service, it is not a complete solution for sharing an Internet connection. Answer D is incorrect because although a Domain Name System (DNS) proxy service is provided by the NAT service, DNS is not a service for sharing Internet connections.

2.

A. A router provides a simple way to connect both machines to the Internet. Each will require an IP address.

B, C, D. Answer B is incorrect because NAT is unnecessary for a simple network where all machines will have an Internet IP address. Answer C is incorrect because Internet Connection Sharing (ICS) provides the same service as NAT, and connection sharing is not required in this case. Answer D is incorrect because a single connection can be used, although two separate public IP addresses will be required.

3.

C. The NAT service can provide a shared Internet connection for all workstations and allow more than one computer to have an IP address accessible to the Internet.

A, B, D. Answer A is incorrect because ICS does provide shared Internet connections, but does not allow more than one Internet IP address. Answer B is incorrect because a hardware router does not provide address translation or connection sharing. Answer D is incorrect because Internet Authentication Service (IAS) provides authentication for users, not shared Internet access.

4.

C. NAT can forward addressing requests to the existing DHCP server. This way, the NAT server does not need its own address pool.

A, B, D. Answer A is incorrect because dividing the address pool would cause either the DHCP or NAT server to run out of IP addresses sooner than necessary. Answer B is incorrect because using the same address pool on both servers could create conflicts. Answer D is incorrect because there is no need to remove the already functioning DHCP server in favor of the limited addressing abilities of the NAT service.

Implementing Virtual Private Networks (VPNs)

5.

You are planning a VPN to allow traveling employees to access the network from remote locations. Employees will be using a variety of ISPs to connect to the Internet. You want to ensure that the VPN offers end-to-end encryption between the VPN client and server for maximum security. Which VPN protocol should you use?

  A. PPTP

  B. L2TP only

  C. L2TP and IPSec

  D. PPP

6.

You have configured a VPN server running RRAS under Windows Server 2003. A number of remote workstations are able to access the network by connecting to the Internet using local access methods and establishing a VPN connection. Which of the following terms describes this type of VPN?

  A. Router-to-router

  B. Point-to-point

  C. Internet-based

  D. One-way

7.

You have configured a router-to-router VPN using two Windows Server 2003 computers as VPN servers, each with a local Internet connection. You have configured the VPN servers at each end of the VPN to use the PPTP protocol. Which of the following types of encryption will the VPN use in this configuration?

  A. L2TP

  B. MPPE

  C. IPSec

  D. EAP

8.

You need to configure a VPN connection between the local network and a remote branch. The remote branch has access to a dial-up ISP and will be billed by the hour by the ISP for the time spent online. Which of the following is the best strategy to configure the VPN?

  A. Use a demand-dial connection.

  B. Use a persistent connection.

  C. Use dial-up access via RRAS.

  D. Create a dedicated WAN link.

Answers

5.

C. L2TP and IPSec provide VPN connectivity with end-to-end encryption.

A, B, D. Answer A is incorrect because PPTP does not support end-to-end encryption. Answer B is incorrect because L2TP does not provide encryption, but requires the use of IPSec. Answer D is incorrect because PPP is a dial-up protocol, not a VPN protocol.

6.

C. This type of VPN is called an Internet-based (or client-server) VPN.

A, B, D. Answer A is incorrect because a router-to-router VPN connects two networks, rather than offering remote access to clients. Answer B is incorrect because point-to-point is not a type of VPN. Answer D is incorrect because one-way is a type of initiation for router-to-router VPNs.

7.

B. MPPE is used to encrypt VPN traffic when PPTP is used.

A, C, D. Answer A is incorrect because L2TP is a tunneling protocol and does not provide encryption. Answer C is incorrect because IPSec encryption is used with L2TP and not with PPTP. Answer D is incorrect because EAP is an authentication protocol and does not provide encryption.

8.

A. A demand-dial VPN can provide connectivity to the remote branch while minimizing the expense of the dial-up ISP.

B, C, D. Answer B is incorrect because a persistent connection cannot be used with a dial-up connection. Answer C is incorrect because using dial-up access via RRAS would require a long-distance call and would not take advantage of VPN features. Answer D is incorrect because a dedicated WAN link is not part of a VPN solution.

Using Internet Authentication Service (IAS)

9.

You have three RRAS servers configured for VPN access for remote clients. The servers are currently using Windows authentication, and you wish to use IAS for centralized authentication. You have installed the IAS component on a Windows Server 2003 computer. What additional task is necessary to enable IAS authentication?

  A. Install IAS on all RRAS server computers.

  B. Configure each RRAS server to use RADIUS authentication.

  C. Install a RADIUS client.

  D. Choose authentication protocols.

10.

You have installed the IAS component on a Windows Server 2003 server. You are planning the authentication strategy for the IAS server and have configured the IAS server to use EAP for authentication. Which of the following protocols are supported by EAP? (Select all that apply.)

  A. MD5 CHAP

  B. PAP

  C. SPAP

  D. EAP-TLS

11.

You have an IAS server running Windows Server 2003. It supports a group of RRAS servers used to manage VPN connections for clients. You are configuring the authentication methods for the IAS server and want to allow the clients to use smart cards for secure and convenient authentication. Which of the following authentication protocols should you select?

  A. MS-CHAP

  B. EAP-TLS

  C. MD5 CHAP

  D. MS-CHAP v2

12.

You have configured an RRAS server on one Windows Server 2003 computer and an IAS server on another, and configured the RRAS server to use the IAS server for authentication. In RADIUS terminology, which computer(s) are referred to as network access servers?

  A. The IAS server

  B. The RRAS servers

  C. The clients of the RRAS server

  D. Both the IAS and RRAS servers

13.

During a security audit, you are monitoring network traffic and notice that plaintext versions of passwords are passing through the network. You are using an IAS server to handle authentication. Which protocol do you need to disable at the IAS server to prevent this security risk?

  A. MS-CHAP

  B. PAP

  C. EAP-TLS

  D. CHAP

14.

You have an IAS server running Windows Server 2003. You need to enable and configure EAP to support clients that use EAP authentication. In the IAS MMC snap-in, where do you find the options for configuring EAP?

  A. Properties

  B. Remote Access Policies

  C. Protocols

  D. Connection Request Processing

15.

You wish to create client software for VPN clients to connect to the network so that clients do not need to manually specify the VPN server, tunneling protocol, and other settings. Which program allows you to customize the client software?

  A. Connection Manager

  B. Connection Manager Administration Kit

  C. RRAS MMC snap-in

  D. IAS MMC snap-in

Answers

9.

B. You need to configure each RRAS server to use the RADIUS (IAS) server for authentication.

A, C, D. Answer A is incorrect because IAS needs to be installed on only one computer. Answer C is incorrect because the existing RRAS servers will act as RADIUS clients. Answer D is incorrect because the default authentication protocols will be used if you do not choose protocols.

10.

A, D. EAP supports the MD5 CHAP and EAP-TLS authentication types.

B, C. Answer B is incorrect because PAP is a basic authentication method and is not part of EAP. Answer C is incorrect because SPAP is not supported by EAP.

11.

B. The EAP-TLS protocol supports smart card authentication.

A, C, D. Answer A is incorrect because MS-CHAP is a password authentication method and does not support smart cards. Answer C is incorrect because MD5 CHAP is an implementation of the same CHAP protocol under EAP. Answer D is incorrect because MS-CHAP v2 is also a password authentication protocol.

12.

B. The RRAS server is the network access server (NAS).

A, C, D. Answer A is incorrect because the IAS server is the RADIUS server, not the access server. Answer C is incorrect because the clients do not communicate with the IAS server. Answer D is incorrect because only the RRAS server is a network access server.

13.

B. PAP uses plaintext passwords and should be disabled unless required for legacy clients.

A, C, D. Answer A is incorrect because MS-CHAP uses a challenge-response system and does not transmit passwords across the network. Answer C is incorrect because EAP-TLS is an encrypted protocol. Answer D is incorrect because CHAP, like MS-CHAP, does not transmit plaintext passwords.

14.

B. The options for EAP are configured under Remote Access Policies.

A, C, D. Answer A is incorrect because the Properties dialog box does not include authentication options. Answer C is incorrect because there is no Protocols section or dialog box. Answer D is incorrect because the Connection Request Processing options relate to forwarding requests to external RADIUS servers.

15.

B. The Connection Manager Administration Kit (CMAK) allows you to create custom client software.

A, C, D. Answer A is incorrect because Connection Manager is the actual client software, not the customization program. Answer C is incorrect because the RRAS MMC snap-in configures the RRAS server, not clients. Answer D is incorrect because the IAS MMC snap-in configures an IAS server.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173
