64 Cards in this Set
Describe how the SSL VPN works.
The SSL VPN intercepts client/server connections and transforms the data for them.
Where does the SSL VPN fit in the network?
The SSL VPN resides behind the firewall.
What are the key differentiators for the SA Series devices?
The key differentiators for the SA devices are the number of users supported and the multi-unit clustering options for the SA6500.
Do you need to purchase a license to support Network Connect?
If you have software release 6.1 or higher, you do not need to purchase a specific license.
Does SSL use symmetric or asymmetric encryption?
SSL uses both symmetric and asymmetric encryption. The session key is symmetric, but the key exchange uses asymmetric encryption.
Why would you need to grant Network Layer access to a remote user?
One example of why you would need to grant Network Layer access to a remote user is UDP-based applications. Network Layer access is also required for server-initiated connections.
Briefly describe the three components of the SSL VPN.
The secure content server intercepts connections, the Intermediation Engine transforms secured data into backend formats, and the protocol connectors send data to backend servers.
List the five elements of an authentication realm.
The five elements of an authentication realm are the application server, the authorization server, the authentication policy, role mapping, and the accounting server.
What is the purpose of the self-signed certificate?
The self-signed certificate is used to establish the administrator SSL session. It is used for all SSL if no CA-generated certificate is loaded.
What happens if you leave off the "/admin" from the URL you use to access the SSL VPN?
If you leave off the "/admin" portion of the URL you use to access the SSL VPN, you will inadvertently access the user login screen.
Name the two pieces of information that are necessary to license your SSL VPN?
The two pieces of information that are necessary to license your SSL VPN are the hardware ID and authorization code.
Where in the administrative UI do you configure an authentication realm?
You configure an authentication realm at Users > Authentication.
What does a user role define?
A user role defines the types of potential services, bookmarks, and session and UI options.
What controls access to user bookmarks?
Access to user bookmarks is controlled by resource policy, not user role.
What do we mean by permissive merge when applying roles to user sessions?
When applying roles to user sessions, permissive merge means that if one assigned role grants access and another denies it, access will be granted. Think of it as a logical OR operation where 1=on and 0=off.
What must you enable to display a customized user bookmark page?
UI options in the user role must be enabled to display a customized user bookmark page.
If you are having a problem with the SSL VPN, where should you look first?
The log files are the first place to look if you are having trouble with the SSL VPN.
Why might you not want to log everything?
Logging everything leaves you with too much information: everything is logged, but you might not want to view it all.
A user is not getting access to the resources the user should. Which tool would you use to troubleshoot this problem?
Use the policy trace tool to troubleshoot a user's access problem.
A user is not getting access to the resources the user should, and you can't work with the user directly to troubleshoot. Can you still troubleshoot the problem?
Yes. You can still troubleshoot the user's access problem using the policy simulation.
When are resource policies enforced?
Resource policies are enforced when the resource is accessed.
Resource policies are evaluated in order much like firewall rules. What happens once a match occurs?
When the first resource policy match occurs, the device applies the action and evaluates no further policies.
What is the difference between the following two Web access resource specifications?

intranet.golf.local
intranet.golf.local:80,443/*
No difference exists between the two Web access resource specifications.
Several resource policies have the option to perform "IP based matching for Hostname based policy resources." Why might you want to enable this?
The resource policy allows users flexibility---users can enter a hostname or an IP address and the policy ensures that rules apply. Otherwise, the administrator would need to write separate policy rules.
Which types of authentication servers can also be used as authorization servers?
LDAP with anything, Active Directory/Windows NT with Active Directory/Windows NT, Certificate Server, and RADIUS are all valid options for authorization servers.
Describe the advantages of dynamic policy evaluation.
The advantages of dynamic policy evaluation include changes to authentication policies and role restrictions that can be applied to active sessions.
Which attributes can you use for role mapping if you are using an Active Directory/Windows NT server? An LDAP server? A RADIUS server?
You can use username groups and user attributes for role mapping if you are using an Active Directory/Windows NT server, LDAP server, or RADIUS server.
Can you use the same sign-in page for more than one realm? How?
Yes, you can use the same sign-in page for more than one realm by either creating multiple sign-in policies (for example, multiple URLs), or by having multiple realms listed on a single sign-in page.
Compare and contrast JSAM and WSAM.
WSAM is for Windows only and uses native redirect, whereas JSAM is multiplatform and uses loopback for redirect.
You have an application that uses UDP. Which services on the SSL VPN support this application?
Network Connect and Junos Pulse support UDP.
What is required on the SSL VPN to support split tunneling?
Split tunneling requires the following settings on the SSL VPN: enable NC or Junos Pulse, enable split tunnel, configure NC connection profile, and configure list of tunneled networks.
You want to ensure that no data is left behind when your users access the SSL VPN from a kiosk. Using Cache Cleaner seems reasonable. Why might this approach be a problem?
Cache Cleaner might not remove all the data.
How do you configure Host Checker to see if your users have the latest antivirus definitions?
Configure virus signature version monitoring. Ensure the SSL VPN downloads the newest virus signature version from the Juniper Networks website.
Why might you want to implement Host Checker as an authentication policy instead of a role restriction?
If you implement Host Checker as an authentication policy, it performs its checks before the user accesses any resource.
Even if you are not using two-factor authentication in your environment, why might you still want to use multiple sign-in credentials?
You have two authentication systems---one for remote access (that is, RADIUS), and another for internal access (that is, LDAP). These two systems might not share authentication information.
What happens if you configure a sign-in policy with two realms, one of which uses anonymous authentication, and have users pick the realm they will use?
Users will be authenticated anonymously. Anonymous authentication must have its own URL.
Why would you want to check the box "End session if authentication against this server fails?"
The additional authentication server credentials are typically used for access to internal resources. If authentication against this server fails, then all internal access will fail, so it is appropriate to end the session.
What is the purpose of the CRL?
The CRL removes invalid certificates from use providing extra security by disabling accounts.
Why is a separate URL recommended for certificate-based authentication?
The user does not enter credentials, so the user never views the sign-in page. Therefore, multiple authentication realms do not work with certificate-based authentication.
If you fail to load a trusted client CA certificate into the SSL VPN, what will happen if you try to sign in with a client certificate?
You will get a certificate missing error and will not be able to sign in.
What is required to support multiple server certificates?
Supporting multiple server certificates requires multiple certificates, virtual ports, and separate sign-in URLs.
How do you write a resource policy based on several conditions chained together with an OR?
You must use a detailed rule that allows you to specify many different conditions.
How do you write a resource policy based on several conditions chained together with an AND?
This approach is the normal mode of operations---resource policies are chained together with an AND by default.
What happens if a user does not match any detailed rules in a resource policy?
The user is denied access.
Would using the installer service help you with JSAM administrator rights issues?
No. Installer applies only to Win32 applications---JSAM is Java.
You want to duplicate an SSL VPN configuration from one device to another. Describe some methods for performing this configuration.
You can use the following methods: cluster, pushing the configuration, XML export, and saving the configuration externally.
What is the point of verifying the certificates presented by backend SSL-enabled servers?
Verifying the certificates presented by the backend SSL-enabled servers makes the SSL VPN act just like your browser and warns you when something goes wrong.
Can you delegate the ability to shut down and reboot the SSL VPN? Why or why not?
You can delegate these functions because you can delegate the Maintenance > System functions.
List the three options for externally saving log files.
The three options for externally saving log files are syslog, local save, and FTP.
List the Endpoint Security components.
Endpoint Security components are Host Checker, Cache Cleaner, Host Checker Client Interface, and Host Checker Server Integration Interface. Secure Virtual Workspace and Enhanced Endpoint Security are also included.
List four places where you can implement Host Checker policies.
Host Checker policies can be implemented in the following places: authentication policies, role mapping rules, role restrictions, and resource policies.
Compare the Host Checker Client Interface and Host Checker Server Integration Interface.
The Host Checker Client Interface is a simple policy with no log; the DLL must reside on the client. The Host Checker Server is a complex policy with logging; the DLL is installed dynamically from the SSL VPN.
List the differences between virtual appliances and IVS.
IVS provides virtualization on physical SA devices; virtual appliances provide virtualization hosted on blade servers running VMware.
What is the difference between using vsys and using multiple sign-in URLs?
Vsys use separate outbound ports and VLAN tags; vsys have separate administration.
Name three functions a vsys admin cannot perform.
A vsys admin cannot access network settings, SSL VPN certificates, or ping (or other network-level troubleshooting).
Can you use overlapping addresses in each vsys? Why or why not?
You can use overlapping addresses in each vsys; tagging keeps traffic separate. (You will need NAT upstream.)
Name three factors that can contribute to performance issues on the SSL VPN.
Factors such as client side issues, networking issues, AAA issues, and backend server issues can all cause issues on the SSL VPN.
What benefit does Session Recording provide when troubleshooting CIE issues?
Session Recording allows you to examine the original and rewritten requests, as well as the original and rewritten responses that are handled by the CIE.
What information must you provide when submitting a case to JTAC?
You must provide detailed information, such as the relevant logs and troubleshooting data that reflect the issue, when submitting a case to JTAC.
If you use round-robin DNS as your load-balancing method for an active/active cluster pair, what happens if one of the cluster members fails?
Potentially half of the users would not be able to get service. Round-robin DNS has no way to check the status of the IP addresses it distributes.
If you have a 500-user active/active cluster pair and you add two more cluster members, how many users can you support now?
You can still support 500. The number of cluster members and the number of users supported by these members are not related. The number of concurrent users is a licensing issue.
You want to deploy an active/passive cluster pair in your New York data center and another in your Los Angeles data center. Can you then cluster the clusters together?
No. This technique is equivalent to a multiunit cluster, which requires all members to be active.
What must you configure on the SSL VPN to enable the Secure Meeting feature?
You must configure the license and enable the role for the meeting.
List the three roles available within the Secure Meeting client and their responsibilities.
Conductor: Meeting setup, teardown, and role delegation.

Presenter: Shares applications and desktop, and determines controller.

Controller: Current owner of mouse and keyboard in the shared space.