
PPTP and authentication methods

Status
Not open for further replies.

012271

Technical User
Jul 1, 2003
14
CA
151. You are the network administrator for the Baldwin Museum of Science. Your network includes a member server named Inet1, which is connected to the Internet. Inet1 runs Windows 2000 Server.

Your institution sponsors joint research projects with Trey Research, whose main laboratory is located in another city. The Trey Research network includes a PPTP server named Trey3. You need to create a demand-dial router connection to this server.

You create a virtual private network demand-dial interface on Inet1. You use a domain account to configure the dial-out credentials, accepting default settings. However, you change the VPN server type from automatic to PPTP.

When you try to connect to Trey3, you receive an error message stating that access is denied. How should you correct this problem?

A. Change the tunnel type to L2TP/IPSec. Configure an IPSec policy on Inet1 and Trey3 for pre-shared key authentication.
B. Ensure that a new user account is created on Trey3. Change the dial-out credentials on Inet1 to use the new account.
C. For the dial-out account on Inet1, obtain a certificate from a commercial certificate provider trusted by the Trey Research domain.
D. Ensure that the default remote access policy is removed from Trey3. On Inet1, change the VPN server type to automatic.

Answer: C

Explanation: Three authentication methods are available when forming a VPN: Kerberos 5, certificates and preshared secret key. The two most scalable methods, Kerberos and certificates, require Active Directory.
Certificate authentication also requires access to a CA (certificate authority). If the two computers are in the same domain or in a trusted domain, you can use Kerberos authentication. By obtaining a certificate from a commercial certificate provider trusted by the Trey Research domain, Inet1 would be able to be authenticated by Trey3.

Incorrect Answers:
A: To use pre-shared key authentication, the L2TP/IPSec tunnel type must be used, the registry must be edited, and the IPSec policy must be configured for the pre-shared key. The registry has not been edited.
Note: To implement the pre-shared key authentication method for use with an L2TP/IPSec connection, we must add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers. We must then manually configure an IPSec policy before an L2TP/IPSec connection can be established between two Windows 2000-based computers.
B: Inet1 and Trey3 do not belong to the same domain. Therefore Kerberos authentication is not possible.
D: Removing the default remote access policy from Trey3 would make it harder to get remote access.


My doubt: The question says "use PPTP". It seems to me that the 3 authentication methods (Kerberos, pre-shared key, and certificates) mentioned in the explanation are used with IPsec. PPTP does not directly use Kerberos, certificates, etc. PPTP uses MS-CHAP, EAP-TLS, etc. Can anybody elaborate on the explanation?
Ans C says "obtain a certificate"; does it imply using MS-CHAP, EAP, etc.?
 
This looks like a question from one of those idiotic MCSE exams.

Anyway, I don't see how Answer C could be correct. Answer D would be my initial guess: as the default remote access policy is to deny everything, you would either want to remove that one or change it to allow. Next, I would choose B, as both machines DON'T have to be on the same domain...only the username/password combo for each account has to match accordingly...and neither would require Kerberos authentication to the other. VPN connections NEVER require that.
 