1. | An associate has offered to complete the configuration of a MetaFrame Presentation Server that you have just finished installing. He asks you what user account he should use to log on to the MetaFrame Presentation Server 3.0 Management Console. From the following list, choose the response that best answers your associate's question. | -
Use the account that was defined during the installation of the last MetaFrame server in your farm. | | -
Use the account that was defined during the installation of the first MetaFrame server in your farm. | | -
Use the local administrator account on the MetaFrame server. This account always has access to log on to the Management Console. | | -
Before you can log on to the Management Console, you must create the local group called MetaFrame Administrators and assign the desired users. | |
A1: | Answer B is correct. When the first MetaFrame server is installed, the data store is also created. At this time, you're prompted to provide the name and domain of a user who will have full authority within the Management Console for MPS. Without knowing this account, you cannot log on to the Management Console. Answer A is incorrect. After the farm is created, you are never again asked to provide the administrative account during the MetaFrame installation. Answer C is also incorrect. No user or group is automatically assigned access to the Management Console. You must define the desired users who will have access. Answer D is incorrect because the Management Console has no fixed dependency on a local group. You could define such a group if you want, but until you create the group and assign the privileges, it would not allow access to the Management Console. |
2. | You're going away on a well-deserved vacation and want to delegate limited access to another administrator who will be covering for you while you're gone. Which of the following options could you employ to ensure that she cannot modify the access of other administrators while you're away? (Select all that apply.) | -
Assign her the View Only privilege type. | | -
Assign her the Full Administration privilege type and then remove her access to View MetaFrame Administrators. | | -
Assign her the Custom privilege type and then define all the desired privileges you want her to have. | | -
Assign her the Custom privilege type but ensure that the Edit MetaFrame Administrators permission has been disabled. | |
A2: | Both answers A and C ensure that the temporary administrator cannot modify the settings for other administrators. Answer A may be too restrictive, but it would still achieve the desired goal of limiting account access. Answer C satisfies this question simply because assigning anything other than the Full Administration privilege prevents the affected administrator from modifying other admin settings. There is no way to explicitly assign the modify administrator privilege without assigning the user full control. Answer B is incorrect because after you have assigned Full Administration privileges, you cannot modify individual user properties. This can be done only through the Custom type. Answer D is also incorrect because the permission Edit MetaFrame Administrators does not exist. |
3. | You have MetaFrame servers from the same farm deployed across three geographically dispersed regions: North America, Europe, and Asia. You want to delegate administrative access to users in these different regions. Which of the following solutions would best accomplish what you are trying to do? | -
Create subfolders under Servers corresponding to each of the regions you want managed. Place the corresponding servers into their correct region folder and then delegate the desired privileges to the administrators corresponding to the appropriate folder. | | -
Create three separate server farms, one for each of the regions, and then delegate authority to the administrators in each farm. | | -
Ensure that each region has a single zone within which all the servers in that region reside. For each zone, check the Enable Per-Zone Security setting. You then can delegate the desired permissions to the users in each zone. | | -
Create subfolders under the MetaFrame Administrators node corresponding to each of the regions you want to manage. Group the administrators into the appropriate folders, and then assign them permissions to the servers that belong to their region. | |
A3: | Answer A is correct. Conceptually, this is identical to the example discussed in which access was delegated based on the different zones in the farm. The concept of subfolders can be a very useful tool for segregating access between different applications or servers. Answer B, while not technically incorrect, is not necessary to achieve the access delegation desired. Because the servers in the three regions are already in the same farm, it would not be desirable to divide them into different farms for this purpose. It would also mean that they could not all be managed through a single Management Console. You would need to run one for each region. Answer C is incorrect because there is no such thing as the Enable Per-Zone Security setting. Zones themselves are not an integrated component of administrative delegation. Answer D is also incorrect. You cannot create subfolders under the MetaFrame Administrators node. Only the Applications and Servers nodes allow you to create subfolders. |
4. | A client is attempting to connect to a published application in your server farm and keeps receiving an error message that says "You do not have the proper encryption level to access this Session." From the following list of options, which ones are valid reasons for the issue to exist? (Select all that apply.) | -
The minimum required encryption setting for the published application is set higher than the encryption setting configured on the client. | | -
The minimum required encryption setting for the ICA connection is set higher than the encryption level configured on the client. | | -
A MetaFrame user policy applies to this client, and the minimum required encryption level is higher than the encryption level configured on the client. | | -
The minimum required encryption setting for the server farm is set higher than the encryption level configured on the client. | |
A4: | Answers A, B, and C are correct. Each represents one area in the server farm that must be checked to ensure that the client has been configured properly with the minimum required encryption level. In most cases, if the user is receiving such an error message, it is likely that 128-bit encryption is being enforced and the client has been configured with the default Basic encryption level. Answer D is incorrect. There is no such global encryption setting within the properties of the server farm. |
5. | Kerberos authentication is a new feature supported in MetaFrame Presentation Server 3.0. Select from the list the entry that best describes Kerberos client authentication. (Choose only one.) | -
Kerberos allows you to encrypt communications between the MPS client and the MetaFrame server and is Citrix's replacement for SecureICA encryption. | | -
Kerberos is an industry-standard network authentication system that can be implemented in a MetaFrame environment to ensure that all MetaFrame servers are properly authenticated within the server farm. This protects against unauthorized MetaFrame servers being added to the server farm. | | -
Kerberos authentication is supported only within a Windows 2000 or 2003 domain, with version 8.x of the Win32 MPS client. Kerberos is an industry-standard network authentication system that protects against eavesdropping and man-in-the-middle attacks. | | -
Kerberos is an extension to the SecureICA encryption standard, providing secure authentication between the MetaFrame client and server. Kerberos is supported only on Windows 2000 or 2003 servers with version 8.x of the Win32 MPS client. With Kerberos, SecureICA is protected against eavesdropping and man-in-the-middle attacks. | |
A5: | Answer C is correct. Answer A is incorrect because Kerberos does not encrypt the entire data stream, but instead manages securing only the authentication process. Kerberos is not a replacement for SecureICA. Answer B is also incorrect. Kerberos has not been implemented to ensure authentication of the MetaFrame servers within the farm. Kerberos deals only with the authentication of the 8.x (or newer) Win32 client. Answer D is incorrect because Kerberos is not an extension to SecureICA and does not integrate with Citrix's protocol encryption in any way. Kerberos deals with user authentication, while SecureICA is responsible for encrypting the data stream that runs between the client and server. |
6. | When you are using application sets (in Program Neighborhood) or the Program Neighborhood Agent and you want to employ Kerberos authentication, what must you use? | -
Kerberos authentication without pass-through authentication | | -
Kerberos authentication with pass-through authentication | | -
ICA connection encryption | | -
Windows Server 2003 servers only | |
A6: | Answer B is correct. Program Neighborhood application sets and the Program Neighborhood Agent do not support the use of Kerberos without pass-through authentication. Because of this, Answer A is incorrect. Answer C is incorrect because ICA connection encryption has nothing to do with Kerberos authentication. Answer D is incorrect. Kerberos authentication is supported on either Windows 2000 or Windows 2003. |
7. | Which of the following best describes the Citrix SSL Relay security component? | -
Citrix SSL Relay enables users to connect to the MetaFrame server farm via a web page using the HTTPS secure protocol. | | -
Citrix SSL Relay provides full encryption for the server farm authentication process, ensuring that logon information cannot be intercepted via eavesdropping or man-in-the-middle attacks. | | -
Citrix SSL Relay provides encryption support for the ICA protocol. With SSL Relay, the ICA data is securely encrypted. The level of encryption used depends on the minimum required encryption setting found in the connection configuration, the published application configuration, or the MetaFrame user policies. | | -
Citrix SSL Relay provides full encryption support for the ICA data stream between the MPS client and the MetaFrame Presentation Server. SSL Relay encapsulates the client data using the industry-standard SSL or TLS secure protocols. | |
A7: | Answer D is correct. Citrix SSL Relay allows the MPS client to establish an SSL/TLS connection with the MetaFrame server, transmitting data fully encrypted and validated using security certificates. The full data stream is encrypted and authenticated, not just the logon credentials. Answer A is incorrect. SSL Relay itself does not provide any form of web-based access to the MetaFrame server farm. This function is performed using the Web Interface, which in turn can have its data safely encrypted using SSL Relay. Answer B is only partially correct, although more than just the session authentication is encrypted with SSL Relay. Answer C is incorrect because SSL Relay does not provide the encryption support for ICA. ICA connection encryption and SSL/TLS connectivity are two different things. The ICA data stream is actually encapsulated and encrypted within the SSL/TLS session, but they do not directly interact in any way. |
8. | For a client to be able to employ SSL Relay, it must have a root certificate installed locally. What is the function of the root certificate? | -
The root certificate provides the information required to validate the identity of the client to the server. When the client connects, the root certificate is passed to the MetaFrame server, where it is validated before allowing the client session to initiate. | | -
The root certificate provides the second half of the encryption key stored in the server certificate, which is installed on the MetaFrame server. When the client connects, the root certificate is combined with the server certificate and the full key is then used to establish the connection. | | -
The root certificate is required to activate the SSL Relay service in the Active Directory. Without the root certificate, this service cannot properly initialize because no certificate requests can be processed in the Active Directory. | | -
The root certificate is used to verify the certificate authority that signed the server certificate. If the root certificate exists on the client, the client is assumed to trust that CA, which in turn means that any server certificates issued by that CA are also trusted by the client. | |
A8: | Answer D correctly describes the function of a root certificate. Many servers today maintain a large list of root certificates corresponding to trusted authorities who issue certificates that verify the identity of a server or person. Without a valid root certificate on the client, the client cannot trust that the host server is actually who it says it is. Only when a server certificate is issued from a less-known CA does a corresponding root certificate have to be installed on the server. Answer A is incorrect. The root certificate does not contain validation information of the host it exists on. If a server required validation of a client's identity, a corresponding server certificate would be required, and the server would also be required to have the root certificate of the CA that issued the certificate to the client. Answer B is incorrect. The server and root certificates do not represent a key that can be combined and then directly used to access the server. |
9. | The Citrix SSL Relay service listens on port _____ by default. |
A9: | Answer C is correct. The standard port for all SSL/TLS communications is TCP/IP port 443. Answer A is incorrect. Port 80 is the standard HTTP port for unsecured web data. It is also the default port for the Citrix XML service. Answer B is incorrect. Port 1494 is the ICA listening port when session reliability is not being used. Answer D is also incorrect. Port 8080 is a common alternative to port 80 for HTTP. No Citrix services employ port 8080. |
10. | You can add a server certificate to a MetaFrame server using either the IIS Web Server Certificate Wizard or the ____________ if you are not running IIS on your MetaFrame server. | -
SSL Relay Certificate Import Wizard | | -
The Certificates MMC snap-in | | -
The SSL Relay Certificates MMC snap-in | | -
The Import Certificates Tool | |
A10: | Answer B is correct. SSL Relay leverages the certificate store built into Windows Server. Certificates are imported and managed using the Certificates MMC snap-in. Answers A, C, and D are all incorrect. None of these tools actually exists. |