Which action should be performed to make sure that the network is available for VPN users?
You work as an IT professional at an international corporation named Wiikigo, where your job is to configure Microsoft Internet Security and Acceleration Server 2006. You are experienced in running and managing networks and operating systems, and skilled at deploying ISA Server 2006, configuring firewall settings, and optimizing the performance of the ISA Server 2006 cache. Your network contains an ISA Server 2006 computer named ISA01, which serves as a remote access VPN server for the network and is a member of a workgroup. The company configures ISA01 so that only EAP authentication is accepted for VPN clients. All VPN clients are assigned user certificates from the corporate enterprise certification authority (CA). Users report that the network is not available to them, and they receive the following error message: Error 691 Access was denied for the username and/or password was invalid for the domain. You are required to make sure that the network is available for VPN users. Which action should be performed?
What should you do to accomplish this goal by selecting only the minimum number of options in the Intrusion De
Your network contains an ISA Server 2006 computer named ISA1. You use Network Monitor to capture and analyze inbound traffic from the Internet to ISA1. You notice a high volume of TCP traffic that is sent in quick succession to random TCP ports on ISA1.
The flag settings of the traffic are shown in the following example.
TCP: Flags = 0x00:……….
TCP: ..0……=No urgent data
TCP: …0…..=Acknowledgement field not significant
TCP: ….0….=No Push function
TCP: …..0…=No Reset
TCP: ……0..=No Fin
This traffic slows the performance of ISA1.
You want to be able to create a custom alert that is triggered whenever ISA1 experiences traffic that uses invalid flag settings to discover open ports. You do not want the alert to be triggered by traffic that uses valid flag settings in an attempt to discover open ports. You want to accomplish this goal by selecting only the minimum number of options in the Intrusion Detection dialog box.
What should you do?
To answer, configure the appropriate option or options in the dialog box in the answer area.
Which three IP address ranges should you include to configure the Internal network?
Your network is configured as shown in the exhibit.
You are upgrading the Routing and Remote Access servers to ISA Server 2006.
You need to configure the Internal network.
Which three IP address ranges should you include? (Each correct answer presents part of the solution. Choose three.)
What should you do next to query name server (NS) resource records on the Internet?
Your network contains an ISA Server 2006 computer named ISA1, which controls access between three segments on the network. The network is configured as shown in the exhibit.
A network address translation (NAT) relationship exists from the Internal network to the perimeter network. A Windows Server 2003 computer named DNS1 functions as a DNS server.
Web Proxy clients can access Web sites on the Internet. However, when SecureNAT clients try to access hosts on the Internet, they receive the following error message: Cannot find server or DNS error.
You need to ensure that SecureNAT clients can perform DNS name resolution correctly for hosts on the Internet. You also need to ensure that DNS name resolution is optimized for Active Directory.
First, from a SecureNAT client, you run the nslookup command and set the default server to 172.16.0.11.
From the Nslookup console, you are able to query name server (NS) resource records on the Internet.
What should you do next?
What should you do to ensure that all users at the main office can connect to resources located on the branch
Your company has a main office and one branch office. You want to connect the main office to the branch office by using a site-to-site VPN connection. The main office has an ISA Server 2006 computer named ISA1. The branch office has an ISA Server 2006 computer named ISA2. The relevant portion of the network is configured as shown in the exhibit.
The main office network includes two network IDs: 192.168.1.0/24 and 192.168.2.0/24. The 192.168.1.0/24 network is directly connected to ISA1 and is configured as the default Internal network. The 192.168.2.0/24 network is connected to the 192.168.1.0/24 network by a router on the main office Internal network. You create two subnet network objects in the ISA Server Management console: one network for the 192.168.1.0/24 network and one for the 192.168.2.0/24 network.
The internal network adapter on ISA2 is on network ID 10.0.0.0/24. You create an access rule on ISA1 and on ISA2 to allow all traffic to and from the main office and branch office networks. You create an access rule on ISA1 to allow all traffic between the default Internal network and the branch office network. Users on network ID 192.168.2.0/24 report that they cannot connect to computers at the branch office.
You need to ensure that all users at the main office can connect to resources located on the branch office network.
What should you do?
What should you do to ensure that VPN users can connect to the network?
Your network contains an ISA Server 2006 computer named ISA1, which functions as a remote access VPN server for the network. ISA1 is a member of a workgroup. ISA1 is configured to accept only EAP authentication for VPN clients. All VPN clients have been assigned user certificates from the corporate enterprise certification authority (CA). Users report that they cannot connect to the network. They state that they receive the following error message: Error 691: Access was denied because the username and/or password was invalid for the domain.
You need to ensure that VPN users can connect to the network. What should you do?
What should you do to enable the site-to-site VPN connection by using the most secure IPSec authentication met
Your company has a main office and is adding a branch office. The main office and the new branch each have an ISA Server 2006 computer. You want to connect the main office and the branch office networks by using a site-to-site VPN. You create a site-to-site VPN connection that connects the office networks by using the L2TP over IPSec VPN protocol. Computer certificates are installed on the ISA Server computer at each office. When you create the remote site network on each ISA Server computer, you configure it to use certificates and a preshared key. At each office, the preshared key is configured as the office name on the ISA Server computer at that office.
From the ISA Server computer at the main office, you repeatedly run the ping command to a host on the branch office network. The site-to-site VPN fails. You open the Routing and Remote Access console and manually dial the demand-dial interface. You receive the following error message: The last connection attempt failed because: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
You need to enable the site-to-site VPN connection by using the most secure IPSec authentication method possible.
What should you do?
What should you do to ensure that users on network IDs 10.0.2.0/24 and 10.0.3.0/24 can connect to the Internet
Your network contains an ISA Server 2006 computer named ISA1. The relevant portion of the network is configured as shown in the exhibit.
When you installed ISA Server 2006 on ISA1, you defined the Internal network address range as 10.0.1.0 through 10.0.1.255.
You create an access rule to allow all traffic from the Internal network to the External network. Users are not required to be authenticated to use this rule. Users on network IDs 10.0.2.0/24 and 10.0.3.0/24 report that they cannot connect to the Internet.
You examine the routing tables on the router and on ISA1 and confirm that they are correctly configured.
You need to ensure that users on network IDs 10.0.2.0/24 and 10.0.3.0/24 can connect to the Internet.
What should you do?
What should you do to test the alert by disabling the perimeter network adapter on ISA1?
Your network contains an ISA Server 2006 computer named ISA1, which runs Windows Server 2003. ISA1 has three network adapters. Each adapter is connected to one of the following:
Internal network, perimeter network, and Internet. All administrative hosts exist in the Internal network.
You create a file named C:\Alerts\NetworkAlert.cmd. The NetworkAlert.cmd file uses net.exe to send the following message to all administrative computers: Problem with network connectivity on ISA1.
You enable the default Network configuration changed alert. You add a custom alert named Network Connectivity. The properties of the Network Connectivity alert are configured as shown in the Alert Events exhibit and the Alert Actions exhibit.
You test the Network Connectivity alert by disabling the ISA1 network adapter that is connected to the perimeter network. You see the corresponding alert in both the Alerts view and the application log of Event Viewer. However, the message is not received on any of the administrative computers.
You need to ensure that the administrative computers receive the text message when the Network Connectivity alert is triggered. You also need to be able to test the alert by disabling the perimeter network adapter on ISA1.
What should you do?
What should you do to filter the log viewer to display only the requests?
You are the administrator of an ISA Server 2006 computer named ISA1. ISA1 is configured to publish two Web sites named www.fabrikam.com and www.contoso.com. Both Web sites are located on a Windows Server 2003 computer named Server1. The IP address of Server1 is 10.0.0.2.
The Web publishing rules are configured as shown in the following display.
Both the www.fabrikam.com/info and www.contoso.com/info virtual directories point to a common file share.
The default log view does not allow you to easily distinguish between requests for www.fabrikam.com/info and requests for www.contoso.com/info. A sample of the log with the relevant entries is shown in the following table.
You need to ensure that the log viewer displays the fully qualified domain names (FQDNs) for the Web site requests. In addition, you need to filter the log viewer to display only the requests for both the www.contoso.com/info and the www.fabrikam.com/info virtual subdirectories.
What should you do?