70-413: Designing and Implementing a Server Infrastructure

Your network contains an Active Directory domain named contoso.com. The domain contains multiple sites.

You plan to deploy DirectAccess.

The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.

You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement

Solution: You set the ISATAP State to state disabled.

Does this meet the goal?

Yes
No

Correct answer: B

Explanation:

With NAT64 and DNS64, the DirectAccess server now has the ability to take those client IPv6 packets and spin them down into IPv4 packets, so you can simply leave your internal network all IPv4. So back in the beginning it was standard practice to enable ISATAP globally. Today, because of the known issues, it is recommended not to use ISATAP at all, unless you have a specific reason for needing itNote: ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.

With NAT64 and DNS64, the DirectAccess server now has the ability to take those client IPv6 packets and spin them down into IPv4 packets, so you can simply leave your internal network all IPv4. So back in the beginning it was standard practice to enable ISATAP globally. Today, because of the known issues, it is recommended not to use ISATAP at all, unless you have a specific reason for needing it

Note: ISATAP defines a method for generating a link-local IPv6 address from an IPv4 address, and a mechanism to perform Neighbor Discovery on top of IPv4.

Your network contains an Active Directory domain named contoso.com. The domain contains multiple sites.

You plan to deploy DirectAccess.

The network security policy states that when client computers connect to the corporate network from the Internet, all of the traffic destined for the Internet must be routed through the corporate network.

You need to recommend a solution for the planned DirectAccess deployment that meets the security policy requirement.

Solution: You enable split tunneling.

Does this meet the goal?

Yes
No

Correct answer: B

Explanation:

DirectAccess by default enables split tunneling. All traffic destined to the corpnet is sent over the DA IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local interface. This prevents DA clients from bringing the corporate Internet connection to its knees.Is DA split tunneling really a problem? The answer is no.Why? Because the risks that exist with VPNs, where the machine can act as a router between the Internet and the corporate network is not valid with DirectAccess. IPsec rules on the UAG server require that traffic be from an authenticated source, and all traffic between the DA client and server is protected with IPsec.Thus, in the scenario where the DA client might be configured as a router, the source of the traffic isn’t going to be the DA client, and authentication will fail – hence preventing the type of routing that VPN admins are concerned about.

DirectAccess by default enables split tunneling. All traffic destined to the corpnet is sent over the DA IPsec tunnels, and all traffic destined for the Internet is sent directly to the Internet over the local interface. This prevents DA clients from bringing the corporate Internet connection to its knees.

Is DA split tunneling really a problem? The answer is no.

Why? Because the risks that exist with VPNs, where the machine can act as a router between the Internet and the corporate network is not valid with DirectAccess. IPsec rules on the UAG server require that traffic be from an authenticated source, and all traffic between the DA client and server is protected with IPsec.

Thus, in the scenario where the DA client might be configured as a router, the source of the traffic isn’t going to be the DA client, and authentication will fail – hence preventing the type of routing that VPN admins are concerned about.

Your network contains an Active Directory domain named contoso.com. The domain contains three VLANs. The VLANs are configured as shown in the following table.

All client computers run either Windows 7 or Windows 8.

Goal: You need to implement a solution to ensure that only the client computers that have all of the required security updates installed can connect to VLAN 1. The solution must ensure that all other client computers connect to VLAN 3.

Solution: You implement the 802.1x Network Access Protection (NAP) enforcement method.

Does this meet the goal?

Yes
No

Correct answer: A

Explanation:

NAP supports a variety of what we call enforcement methods. In the NAP space, and enforcement method is simply a term that defines the way a machine connects to a network. In NAP, these are DHCP, 802.1x (wired or wireless), VPN, IPsec, or via a Terminal Services Gateway.

Your network contains an Active Directory domain named contoso.com. The domain contains three VLANs. The VLANs are configured as shown in the following table.

All client computers run either Windows 7 or Windows 8.

The corporate security policy states that all of the client computers must have the latest security updates installed.

You need to implement a solution to ensure that only the client computers that have all of the required security updates installed can connect to VLAN 1. The solution must ensure that all other client computers connect to VLAN 3.

Solution: You implement the VPN enforcement method.

Does this meet the goal?

Yes
No

Correct answer: B

Explanation:

VPN Enforcement needs to be setup in connection with NAP (Network Access Protection).

Your network contains an Active Directory domain named contoso.com. The domain contains three VLANs. The VLANs are configured as shown in the following table.

All client computers run either Windows 7 or Windows 8.

The corporate security policy states that all of the client computers must have the latest security updates installed.

You need to implement a solution to ensure that only the client computers that have all of the required security updates installed can connect to VLAN 1. The solution must ensure that all other client computers connect to VLAN 3.

Solution: You implement the DHCP Network Access Protection (NAP) enforcement method.

Does this meet the goal?

Yes
No

Correct answer: A

Explanation:

Implementing DHCP NAP to Enforce WSUS Updates

Your network contains a server named Server1 that runs Windows Server 2012. Server1 has the Network Policy Server server role installed.

You configure Server1 as part of a Network Access Protection (NAP) solution that uses the 802.lx enforcement method,

You add a new switch to the network and you configure the switch to use 802.lx authentication.

You need to ensure that only compliant client computers can access network resources through the new switch.

What should you do on Server1?

Add the IP address of each new switch to a remediation server group.
Add the IP address of each new switch to the list of RADIUS clients.
Add the IP address of each new switch to a connection request policy as an Access Client IPv4 Address.
Add the IP address of each new switch to a remote RADIUS server group.

Correct answer: B

Explanation:

802.1X and RADIUS-compliant APs (Acess Points), when they are deployed in a RADIUS infrastructure with a RADIUS server such as an NPS server, are called RADIUS clients.

Your network contains an Active Directory domain named contoso.com.

Your company has 100 users in the sales department. Each sales user has a domain-joined laptop computer that runs either Windows 7 or Windows 8. The sales users rarely travel to the company's offices to connect directly to the corporate network.

You need to recommend a solution to ensure that you can manage the sales users' laptop computers when the users are working remotely.

What solution should you include in the recommendation?

Deploy the Remote Access server role on a server on the internal network.
Deploy the Network Policy and Access Services server role on a server on the internal network.
Deploy a Microsoft System Center 2012 Service Manager infrastructure.
Deploy a Microsoft System Center 2012 Operations Manager infrastructure.

Correct answer: A

Explanation:

The question is asking what you should INCLUDE in your recommendation; it is not asking for the complete solution.

Your network contains an Active Directory domain named contoso.com.

The domain has a certification authority (CA). You create four certificate templates. The templates are configured as shown in the following table:

You install the Remote Access server role in the domain.

You need to configure DirectAccess to use one-time password (OTP) authentication.

What should you do? To answer, select the appropriate options in the answer area.

Correct answer: To work with this question, an Exam Simulator is required.

Your company plans to deploy a remote access solution to meet the following requirements:

Ensure that client computers that are connected to the Internet can be managed remotely without requiring that the user log on.
Ensure that client computers that run Windows Vista or earlier can connect remotely.
Ensure that non-domain-joined computers can connect remotely by using TCP port 443.

You need to identify which remote access solutions meet the requirements.

Which solutions should you identify?

To answer, drag the appropriate solution to the correct requirement in the answer area. Each solution may be used once, more than once, or not at all. Additionally, you may need to drag the split bar between panes or scroll to view content.

Correct answer: To work with this question, an Exam Simulator is required.

Explanation:

Note:Direct is supported in Windows 7 and newer so second answer is not correct it should be L2TP VPN.DirectAccess, introduced in the Windows 7 and Windows Server 2008 R2 operating systems, allows remote users to securely access enterprise shares, web sites, and applications without connecting to a virtual private network (VPN).Both L2TP and IPsec must be supported by both the VPN client and the VPN server. Client support for L2TP is built in to the Windows Vista® and Windows XP remote access clients, and VPN server support for L2TP is built in to members of the Windows Server® 2008 and Windows Server 2003 family.Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.

Note:

Direct is supported in Windows 7 and newer so second answer is not correct it should be L2TP VPN.
DirectAccess, introduced in the Windows 7 and Windows Server 2008 R2 operating systems, allows remote users to securely access enterprise shares, web sites, and applications without connecting to a virtual private network (VPN).
Both L2TP and IPsec must be supported by both the VPN client and the VPN server. Client support for L2TP is built in to the Windows Vista® and Windows XP remote access clients, and VPN server support for L2TP is built in to members of the Windows Server® 2008 and Windows Server 2003 family.
Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.

Your network contains an Active Directory domain named contoso.com. The domain contains five servers. The servers are configured as shown in the following table.

You plan to implement Network Access Protection (NAP) with IPSec enforcement on all client computers.

You need to identify on which servers you must perform the configurations for the NAP deployment.

Which servers should you identify? To answer, drag the appropriate servers to the correct actions. Each server may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.)

Correct answer: To work with this question, an Exam Simulator is required.

Explanation:

Explanation:* Network Policy Server (Server3)/ You configure remediation server groups on the Network Policy Server./ To create the System Health Validator health policies for just Configuration Manager, follow these procedures:Load the Network Policy Server console.* Domain Controller (Server1)This feature is installed automatically on a domain controller running Windows Server 2008 and Windows Server 2008 R2. This feature can be installed on a member server running Windows Server 2008 or Windows Server 2008 R2. You can use Group Policy to configure NAP settings on NAP clients running Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows 7, and Windows XP SP3.

Explanation:

* Network Policy Server (Server3)

/ You configure remediation server groups on the Network Policy Server.

/ To create the System Health Validator health policies for just Configuration Manager, follow these procedures:

Load the Network Policy Server console.

* Domain Controller (Server1)

This feature is installed automatically on a domain controller running Windows Server 2008 and Windows Server 2008 R2. This feature can be installed on a member server running Windows Server 2008 or Windows Server 2008 R2. You can use Group Policy to configure NAP settings on NAP clients running Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows 7, and Windows XP SP3.