Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2008 R2.
The network contains 100 servers and 5,000 client computers. The client computers run either Windows XP
SP1 or Windows 7.
You need to plan a VPN solution that meets the following requirements:
Stores VPN passwords as encrypted text.
Supports Suite B cryptographic algorithms.
Supports automatic enrollment of certificates.
Supports client computers that are configured as members of a workgroup.
What should you include in your plan?
A.
Upgrade the client computers to Windows XP Service Pack 3. Implement a standalone certification
authority (CA). Implement an IPsec VPN that uses certificate based authentication.
B.
Upgrade the client computers to Windows XP Service Pack 3. Implement an enterprise certification
authority (CA) that is based on Windows Server 2008R2. Implement an IPsec VPN that uses Kerberos
authentication.
C.
Upgrade the client computers to Windows 7. Implement an enterprise certification authority (CA) thatis
based on Windows Server 2008 R2. Implement an IPsecVPN that uses preshared keys.
D.
Upgrade the client computers to Windows 7. Implement an enterprise certification authority (CA) thatis
based on Windows Server 2008 R2. Implement an IPsecVPN that uses certificate based authentication.
Explanation:
Options A & B (Windows XP SP3) are excluded becausesuite B algorithms such as ECC are supported only
on the Windows Vista or later, and Windows Server 2008 or later.
A certificate infrastructure is a requirement for VPN connections based on Layer Two Tunneling Protocol over
Internet Protocol security (L2TP/IPsec), Secure Socket Tunneling Protocol (SSTP), or Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS). Certificates provide stronger authentication security than
password-based authentication does. Hence, option D(certification-based authentication) is superior than
option C (preshared keys) in term of security. And automatic enrollment of certification is supported in this
situation.
http://technet.microsoft.com/en-us/library/cc730763(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/ff687804(v=ws.10).aspx
Answer D does not address the requirement of a workgroup.
0
0
Ed, you’r right answer A should be the correct one.
0
0
“Supports automatic enrollment of certificates.”
Need Enterprise CA therefore answer D can be correct.
0
0