70-350 Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004 Certification Exam

Demo Question 11.

You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. The client computers at EliteCertify.com are running Windows XP Professional. EliteCertify.com consists of a Development department. The EliteCertify.com network contains an ISA Server 2004 computer named EliteCertify -SR12 which functions as a remote access VPN server for the network. EliteCertify -SR12 is configured to accept PPTP and L2TP over IPSec for remote access VPN clients to connect to. One morning you have received a compliant that the users cannot connect to the EliteCertify.com network. You then open the log file on EliteCertify -SR12 and notice that the users with failed connection attempts are all using L2TP over IPSec. You need to ensure that the users can connect to the network. What should you do?

A. You need to disable IP fragment blocking.
B. You need to disable IP routing.
C. You need to disable IP options filtering
D. You need to disable verification of incoming client certificates.


Display Answer

Answer: A

Explanation: You can also configure ISA Server to drop all IP fragments. If you enable this option, then all fragmented packets are dropped when ISA Server filters packet fragments. A common attack that uses IP fragments is the teardrop. The Layer Two Tunneling Protocol (L2TP) over IPSec connections may not be successfully established because packet fragmentation may take place during certificate exchange. This scenario has IP fragment blocking enabled; therefore you must disable it to allow L2TP over Ipsec communication.