38 Cards in this Set


What does the Getting Started Wizard prevent you from configuring?

  • DirectAccess capability for Windows 7 clients
  • Two-Factor Authentication
  • Force Tunnel Mode

When you configure DirectAccess using the Remote Access Setup Wizard, several requirements are different. What are those?

  • PKI is a requirement with this method
  • Windows 7 clients are supported
  • Forced Tunnel Mode is supported but not with KerbProxy Auth

Thought Experiment: You have been tasked with briefing management on the options available for improving your corporate remote access solution. Of specific importance are the security and manageability of remote clients. Management also wants to know the best method for migrating from the existing DirectAccess solution on a Forefront UAG server.

One of the questions presented to you by corporate management has to do with the requirements for managing remote clients through DirectAccess. Can remote management through DirectAccess be enabled without permitting remote access to resources in the corporate network? How would you configure DirectAccess for only remote management?

DirectAccess can be configured for remote access and remote management, or just for remote management.

Thought Experiment: You have been tasked with briefing management on the options available for improving your corporate remote access solution. Of specific importance are the security and manageability of remote clients. Management also wants to know the best method for migrating from the existing DirectAccess solution on a Forefront UAG server.

A key requirement of any remote access solution is the ability to limit the clients that can connect remotely as well as the application servers that they can access remotely. Are these options configurable using DirectAccess in Windows Server 2012 R2?

The DirectAccess Client Setup Wizard allows you to select security groups containing users that should be allowed to connect remotely, whereas the DirectAccess Application Server Setup page is used to select security groups containing application servers to which these users should be allowed to connect.

Thought Experiment: You have been tasked with briefing management on the options available for improving your corporate remote access solution. Of specific importance are the security and manageability of remote clients. Management also wants to know the best method for migrating from the existing DirectAccess solution on a Forefront UAG server.

What options are available for migrating from the Forefront UAG DirectAccess server? Are there any benefits of using one method over the other? What similarities are there in the two procedures?

Migration from Forefront UAG DirectAccess to Windows Server 2012 DirectAccess can be accomplished side-by-side or in offline mode. A side-by-side migration allows you to continue to service DirectAccess clients throughout the process, but requires some duplication of DNS records and IP addresses during the migration. Both methods require configuration of the new remote access server and relevant GPOs.

What is the difference between Side-by-Side migration & Offline Migration?

  • A side-by-side migration eliminates downtime due to the migration, but requires duplication of FQDNs and IP addresses.
  • An offline migration provides a simplified deployment, but requires some downtime.

Which of the following remote access configuration options is used to enable placement of the DirectAccess server behind a NAT device?

  • The option for behind an edge device (with two network adapters) can be used when a NAT device is used on the network.
  • When a NAT device is providing address translation, the option for behind an edge device (with one network adapter) can be used.

Which options are not available when DirectAccess is configured using the Getting Started Wizard?

  • Force tunnel mode requires configuration using the Remote Access Setup Wizard.
  • Two-factor authentication is not supported when DirectAccess is configured using the Getting Started Wizard.

Which of the following is a newly supported method of authentication for DirectAccess in Windows Server 2012?

  • OTP is a new feature for authentication in DirectAccess on Windows Server 2012.
  • Using Trusted Platform Modules, Virtual Smart Cards are a new feature in DirectAccess for Windows Server 2012.

What prerequisite must be met before migrating from a Forefront UAG DirectAccess server to one based on Windows Server 2012?

Forefront UAG SP1 must be installed before migration of DirectAccess can occur.

What benefit is provided by performing a side-by-side migration from Forefront UAG DirectAccess to Windows Server 2012?

No downtime is required in a side-by-side DirectAccess migration from Forefront UAG to Windows Server 2012.

What requirement must be met for Windows 7 clients to use OTP for authentication to DirectAccess?

The DirectAccess Connectivity Assistant 2.0 is required for Windows 7 clients to use OTP for DirectAccess authentication.

Which of the following certificate requirements is best served by a certificate issued from a public CA?

It is recommended to use an SSL certificate from a public CA for the IP-HTTPS server because some remote access clients might not be domain joined.

What is Web Application Proxy?

  • A new feature in Windows Server 2012 R2 that allows us to provide access to web applications within our internal network through the use of a reverse proxy.
  • Authentication requests can be passed from the Web Application Proxy to internal web applications to provide access to client devices.

What is the process of making web applications available through Web Application Proxy known as?

Publishing

  • Published applications can be accessed by remote clients using a number of different methods, including a standard web browser, Office applications, or a Windows Store app.
  • Unlike traditional VPN solutions, when you publish applications through Web Application Proxy, end users can gain access only to applications that you publish.

What is the primary role of the Web Application Proxy?

To facilitate authentication between the remote client and the application.

What is used to perform the authentication process for Web Application Proxy?

Active Directory Federation Services (ADFS)

Preauthentication in Web Application Proxy comes in two forms:

  1. ADFS Pre-Authentication
  2. Pass-Through Authentication

What is AD FS pre-authentication?

A user is required to authenticate in some way prior to accessing the application, ensuring that only authorized users can reach the application.

  • AD FS preauthentication is required for applications to make use of Workplace Join and multifactor authentication.

What is Pass-Through authentication?

Pass-Through Authentication doesn't require any user interaction before being directed to the application.

  • Typically used when applications are performing authentication and authorization themselves.

What is Workplace Join?

Allows devices to be registered with AD DS using the Device Registration Service (DRS) with AD FS.

What are the DRS (Device Registration Service) prerequisites?

Windows Server 2012 forest functional level (FFL)

Which cmdlets have to be run from the federation server for the forest?

  • Initialize-ADDeviceRegistration
  • Enable-ADFSDeviceRegistration
  • The DRS is automatically published to the Web Application Proxy when the proxy is deployed to make it available to external users.

Which cmdlet can be run after the Web Application Proxy has been deployed to publish the DRS and make it available to external users?

Update-WebApplicationProxyDeviceRegistration

How can AD FS pre-auth utilize multifactor access control?

It uses device, location, or authentication data to allow users to gain access to applications through the Web App Proxy.

How can Web App Proxy use SSO?

Only if the Web App Proxy is a member of an AD domain.

  • After a user authenticates to the Web App Proxy, AD FS attaches an SSO cookie to further requests, ensuring that the user continues to have access to published applications.

What type of certificates does Web App Proxy use?

Web App Proxy relies heavily on SSL certificates, and the certificates used are issued by external CAs.



Thought experiment: Your company is considering allowing users to access web applications hosted within the corporate network using devices they have available.

Is there a way to allow access to internal web applications from devices that are not domain joined, but still require a device registration process? What limitations should be in place if you implement such a solution?

Workplace Join allows you to support Web Application Proxy while still requiring a device registration process. Workplace Join is supported only on Windows 8.1 and iOS devices at this time.

Thought experiment: Your company is considering allowing users to access web applications hosted within the corporate network using devices they have available.

Passwords and other authentication methods can be problematic and awkward on tablet devices. We certainly want users to authenticate to our web applications, but allowing them to authenticate once and then access any application they have access to would be the best solution. Are there capabilities to do this using Web Application Proxy? What requirements would have to be met for SSO?

Although SSO is supported with Web Application Proxy, it requires AD FS.

Thought experiment: Your company is considering allowing users to access web applications hosted within the corporate network using devices they have available.

What certificate needs are introduced by implementing Web Application Proxy? Can these needs be met using an internal CA?

Certificates from a public CA are required for both the Web Application Proxy and AD FS.

Which service does Web Application Proxy interact with to perform authentication?

Web Application Proxy requires an AD FS server, and uses AD FS heavily for authentication and authorization.

What is required of a device to access an application through a Web Application Proxy?

Web Application Proxy supports clients that have a web browser, Microsoft Office application, or compatible Windows 8.1 app.

Which of the following relies exclusively on the application to authenticate users?

Pass-through authentication forwards users to the application they have requested without performing any authentication at the Web Application Proxy level.

What benefits are offered by using Workplace Join as an authentication method for a Web Application Proxy?

  • Workplace Join allows supported nondomain devices to be registered with AD DS using the DRS within AD FS.
  • Registration with AD DS is required for Workplace Join.

Which operating systems support Workplace Join?

  • Devices using iOS support Workplace Join.
  • Windows 8.1 clients can be registered using Workplace Join.

What allows you to require members of a specific group to authenticate using a smart card?

Multifactor access control allows you to create rules for authentication, including the ability to require smart cards for certain groups of users.

What are the requirements to use SSO with Web Application Proxy?

The Web Application Proxy must be domain joined to support SSO.

What aspect of Web Application Proxy allows both internal and external clients to access applications using the same URL?

URL translation, which is part of the application publishing process in Web Application Proxy, allows both internal and external clients to use the same URL to access applications.