70-350 Implementing Microsoft Internet Security and Acceleration (ISA) Server 2004
Demo Question 20.
You work as the network administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. Your duties include administering an ISA Server 2004 computer named EliteCertify-SR15. EliteCertify-SR15 allows outgoing connections to the Internet. A network rule defines a network address translation (NAT) relationship between the Internal network and the Internet. EliteCertify.com has a Finance department. The users in this department require access to PPTP and L2TP over IPSec VPN servers on the Internet. You configure all network computers, with the exception of EliteCertify-SR15, as both Web Proxy and Firewall clients, and create access rules on EliteCertify-SR15 to allow outbound connections to the Internet by using the PPTP Client, IPSec NAT Traversal (NAT-T) Client, and IKE Client protocols. One morning you receive complaints that the users in the Finance department cannot connect to Internet PPTP and L2TP over IPSec VPN servers. You need to ensure that users can connect to PPTP and L2TP over IPSec VPN servers on the Internet. What should you do?
A. You need to disable the Web Proxy client configuration on the network computers.
B. You need to disable the Firewall client configuration on the network computers.
C. You need to configure the network computers as SecureNAT clients.
D. You need to configure the network computers to use IPSec tunnel mode.
Answer: C
Explanation: You can configure the ISA firewall to allow outbound access to VPN
servers on the Internet. The ISA firewall supports all true VPN protocols, including
PPTP, L2TP/IPSec, and IPSec NAT Traversal (NAT-T).
Although ISA Server supports PPTP passthrough out of the box, there is no built-in
support for IPSec passthrough. The reason for this is that the IPSec protocols are not
NAPT (Network Address & Port Translation) compatible. The IPSec protocols are
designed to authenticate and/or encrypt information in the packet. When a NAPT device
(i.e. an ISA server) tries to change the information in the packet, it will either cause the
packet to be considered invalid by an IPSec protocol, or it will be unable to perform the
translation because information the NAPT device needs to access is encrypted. The IPSec
Working Group has worked out a solution called NAT Traversal or in short NAT-T. To
make NAT-T work on the ISA Server we need to create an access rule that uses the
IPSec IKE Clients protocol and the IPSec NAT-T protocol.
Because the PPTP VPN protocol requires GRE (an IP level protocol that does not use
TCP or UDP as a transport), machines configured as only Firewall and/or Web Proxy
clients will not be able to connect to Internet VPN servers using PPTP. The machine
must also be configured as a SecureNAT client to successfully complete the PPTP
connection.
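
The NAPT incompatibility described in the explanation can be seen in a small model. The following is an added example, not part of the original question or of ISA Server: the packet structure, key and addresses are constructed, and the HMAC stands in for the real AH/ESP integrity check (no encryption is modeled).

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional

KEY = b"constructed-demo-key"  # stands in for a negotiated SA key

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # 51 = AH, 50 = ESP, 17 = UDP
    sport: Optional[int]  # None when no port is visible to the NAPT device
    body: bytes
    icv: bytes = b""

def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def ah_protect(src, dst, body):
    # AH-style: integrity value covers the IP addresses as well as the payload.
    return Packet(src, dst, 51, None, body, _mac(f"{src}|{dst}|".encode() + body))

def ah_verify(p):
    return hmac.compare_digest(p.icv, _mac(f"{p.src}|{p.dst}|".encode() + p.body))

def esp_protect(body):
    # ESP-style: integrity value covers only the ESP data, not the outer header.
    return body + _mac(body)

def esp_verify(blob):
    return hmac.compare_digest(blob[-12:], _mac(blob[:-12]))

def natt_wrap(src, dst, esp_blob, sport=4500):
    # NAT-T: the ESP packet rides inside UDP, so a port is visible again.
    return Packet(src, dst, 17, sport, esp_blob)

def napt(p, public_ip, public_port):
    # Port translation needs a port; raw ESP (protocol 50) exposes none.
    if p.proto == 50:
        raise ValueError("no TCP/UDP port to translate")
    return replace(p, src=public_ip, sport=public_port if p.sport else None)

if __name__ == "__main__":
    ah = ah_protect("10.0.0.5", "203.0.113.10", b"payload")
    print("AH valid after NAPT:", ah_verify(napt(ah, "198.51.100.1", 61000)))
    udp = natt_wrap("10.0.0.5", "203.0.113.10", esp_protect(b"payload"))
    print("NAT-T ESP valid after NAPT:", esp_verify(napt(udp, "198.51.100.1", 61000).body))
```

The address rewrite invalidates the AH-style check, raw ESP gives the translator no port to work with, and the UDP-encapsulated ESP packet verifies after both address and port have been rewritten.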