PrepAway - Latest Free Exam Questions & Answers

What should you recommend for each certificate?

HOTSPOT
You deploy an Exchange Server 2016 organization. The organization contains two servers. The servers are
configured as shown in the following table.

The default self-signed certificates are installed on both servers.
All of the users in the organization work from home and from customer locations.
You purchase a Layer 7 hardware-based load balancer. You configure SSL bridging without session affinity for
Outlook on the web connections. The load balancer has an internal fully qualified domain name (FQDN) of
lb1.contoso.local.
DNS servers are configured to resolve mail.contoso.com names to the external IP address of the load
balancer.
You need to recommend which names must be included in the certificates installed on the load balancers and
the Exchange servers.
What should you recommend for each certificate? To answer, select the appropriate options in the answer
area.
Hot Area:


Answer:

12 Comments on “What should you recommend for each certificate?”

  1. stillme says:

    change of heart.

    mail.contoso.com
    ex01.contoso.com
    ex02.contoso.com

    .local will cause issues with attempting to get a cert from a global provider. It does not mention that we have a CA organization, with which you could in fact create a cert for a .local host.




    1. hakim ms says:

      1. SSL Bridging means that the load balancer only load balances traffic, doesn’t encrypt/decrypt, so no certificate for it (check SSL Bridging vs SSL Termination vs SSL Offloading for more understanding).

      2. The encryption/decryption is done by the servers, which handle the certificate, so they need to have their FQDN mail.contoso.com.

      3. At any moment they say that the certificate is provided by a public CA (so a certificate with .local is possible).

      The provided answers are true.

      Here is the scenario:

      I connect from my home computer, the flow goes to the FW that handles the public IP address, which redirects to the load balancer with its local FQDN (since the certificate includes the load balancer's .local FQDN, it works smoothly with no warning).
      Arriving at the LB, it redirects to one of the servers.

      The servers handle the mail.contoso.com certificate, so it’s OK.

      Note: you may wonder, the CA used is internal because it includes .local, so my workgroup home computer doesn’t trust it and it can’t work.

      Well, it works, but we just have a red warning in the browser, and to resolve this, insert the internal root CA in your home computer's Trusted Root CA.




  2. tmkreddy55 says:

    It’s confusing.. 🙁

    We can’t assume ex01/ex02.contoso.com, so those options are ruled out, and so is LB1.contoso.com.

    I’ll also go for:
    mail.contoso.com
    ex01.contoso.local
    ex02.contoso.local




  3. NoBox says:

    mail.contoso.com
    ex01.contoso.local
    ex02.contoso.local

    Stated in the TechNet article: SSL should terminate at the load balancer as this offers a centralized place to correct SSL attacks. So a certificate is not needed from a global provider for the Exchange servers.

    First answer is mail.contoso.com

    The question states: “The default self-signed certificates are installed on both servers.”
    So SSL is not needed on the servers, because the Layer 7 load balancer handles all SSL requests and the servers have the default self-signed certificates.

    ex01.contoso.local
    ex02.contoso.local

    https://technet.microsoft.com/en-us/library/jj898588(v=exchg.160)




    1. kanew says:

      Agree. It’s another complete fail for whoever provided the test answers. The worst exam I have seen for this. I expect to have to research the answers to understand the technology but it would be good to have a little confidence in the answers provided!



