Re: Which one is correct?

From: mcsems (mcsems.165yht_at_mail.mcse.ms)
Date: 05/12/04


Date: Wed, 12 May 2004 08:34:30 -0500


You are responsible for Public Key Infrastructure (PKI) management for
your network at TestKing Inc. The network consists of a Windows 2000
Active Directory domain. The network contains a Microsoft Internet
Security and Acceleration (ISA) Server computer that accepts virtual
private network (VPN) connections. The network also contains a Windows
2000 Server named TestKing1, which runs Internet Information Services
(IIS). TestKing1 is accessible from the Internet.

The written security policy for TestKing requires L2TP/IPSec
connections. To distribute the required certificates for L2TP
connections, you deploy the Certification Authority (CA) hierarchy
shown in the exhibit.

http://www.myimgs.com/data/fmh002/exhibit.gif

RootCA and PolicyCA use stand-alone CA policies and are removed from
the network. IssuingCA issues the IPSec certificates. IPSec
certificates are successfully issued to all remote client computers and
the ISA Server.

The Certificate Revocation Lists (CRL) for RootCA, PolicyCA, and
IssuingCA are published to Active Directory. The CRL Distribution Point
(CDP) extensions are modified to reference the Active Directory
location of all three CAs.

When remote client computers attempt to connect to the ISA Server,
their connection attempts fail. At all remote client computers, this
error message appears: "The client was unable to verify the identity of
the server."

You must ensure that the remote client computers can connect to the ISA
Server with an L2TP/IPSec VPN connection.

What should you do?

A. Modify the CDP extension on IssuingCA to include an HTTP URL that
references TestKing1.
Manually publish the CRL to the referenced CDP URLs at TestKing1.
Renew the IssuingCA certificate.

B. Modify the CDP extension on RootCA, PolicyCA, and IssuingCA to
include an HTTP URL that references TestKing1.
Manually publish the CRLs to the referenced CDP URLs at TestKing1.
Renew the RootCA, PolicyCA, and IssuingCA certificates.

C. Modify the CDP extension on IssuingCA to include an HTTP URL that
references TestKing1.
Manually publish the CRL to the referenced CDP URLs at TestKing1.
Revoke all currently issued certificates.
Reissue the IPSec certificates to the ISA Server and the remote client
computers.

D. Modify the CDP extensions on RootCA, PolicyCA, and IssuingCA to
include an HTTP URL that references TestKing1.
Manually publish the CRLs to the referenced CDP URLs at TestKing1.
Revoke all currently issued certificates.
Reissue the IPSec certificates to the ISA Server and the remote client
computers.

--
mcsems
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message665101.html
 

