Ensurepass

 

QUESTION 61

A network engineer is investigating a recent failure of NetScaler high availability and confirms that some recent changes were made to the configuration. What is a likely cause of the failure?

 

A.

Load balancing virtual server marked DOWN.

B.

SNIP has had management access removed.

C.

RPC node password changed on an appliance.

D.

The network command policy has been modified.

 

Correct Answer: C

 

 

QUESTION 62

Scenario: A network engineer has bound four policies to an HTTP virtual server as follows:

 

PolicyA is bound with a priority of 10 and has the following expression: REQ.IP.SOURCEIP == 10.10.10.0

 

PolicyB is bound with a priority of 15 and has the following expression: REQ.IP.SOURCEIP != 10.10.11.0

 

PolicyC is bound with a priority of 20 and has the following expression: REQ.IP.SOURCEIP == 10.10.12.0

 

PolicyD is bound with a priority of 25 and has the following expression: REQ.IP.SOURCEIP != 10.10.13.0

 

When a connection is made from a PC with an IP address of 10.10.12.15, which policy will be applied?

 

A.

PolicyA

B.

PolicyB

C.

PolicyC

D.

PolicyD

 

Correct Answer: B

Explanation:

Don’t be fooled by this: the first policy to match will be used. In this case 10.10.12.15 is not 10.10.11.0, hence it satisfies PolicyB.

 

 

QUESTION 63

In order to create a three-node NetScaler cluster, all nodes must __________ and __________. (Choose the two correct options to complete the sentence.)

 

A.

be physical appliances

B.

have Platinum licensing

C.

be using the same build

D.

be the same platform model

 

Correct Answer: CD

 

 

QUESTION 64

Which type of authentication server could an engineer configure in order to provide the use of RSA token authentication as a permitted authentication method to access a AAA Virtual Server?

 

A.

LDAP

B.

SAML

C.

RADIUS

D.

Negotiate

 

Correct Answer: C

Explanation:

http://support.citrix.com/article/CTX127543

 

This document describes how to configure Access Gateway 5.0 for authentication against an RSA SecurID Authentication server. It describes the configuration required in both the Access Gateway and the RSA server for various deployment topologies.

 


 

Within the RSA Authentication Manager console, choose Agent Host > Generate Configuration Files, select One Agent Host, choose the Agent Host created in step 1, and save the generated sdconf.rec file.

 


 

If using RSA 7.1

Open the RSA Security Console and navigate to Access > Authentication Agents > Add New.

Enter the name and IP Address of the Access Gateway, and set Agent type to Standard Agent. Save this new agent.

 


 

Select Access > Authentication Agents > Generate Configuration File and generate the configuration file. There is no option to generate a configuration file for a single host in RSA 7.1. Save and extract the sdconf.rec from the generated zip file.

 


 

Log on to the Access Gateway AdminLogonPoint and go to Authentication Profiles to create an RSA authentication profile. Browse to the generated sdconf.rec file on your computer to upload it on the Appliance, and save the profile.

 


 

Additional Notes for Creating the Agent Record in RSA

The details entered into the Agent Host configuration are specific, and depend on the deployment configuration of your Access Gateway. The following are the different deployment methods and the associated configuration within the RSA Agent:

Access Gateway is a non-HA deployment in one-arm mode.

Network Address: IP address of Access Gateway

Access Gateway is a non-HA deployment in two-arm mode, traffic to the RSA server is through the interface with the Internal role

Network Address: IP address of the interface with the Internal role

Access Gateway is a non-HA deployment in two-arm mode, traffic to the RSA server is through the interface with the External role

Network Address: IP address of the interface with the Internal role

Secondary Nodes: IP address of the interface with the External role

Access Gateway is in an HA deployment in one-arm mode

Network Address: The HA Virtual IP address

Secondary Nodes: The physical IP addresses of both Access Gateways

Access Gateway is in an HA deployment in two-arm mode, traffic to the RSA server is through the interface marked as INTERNAL

Network Address: The HA Internal virtual IP address

Secondary Nodes: The physical IP addresses of the interfaces with the Internal role on both Access Gateways

Access Gateway is in an HA deployment in two-arm mode, traffic to the RSA server is through the interface marked as EXTERNAL

Network Address: The HA Internal virtual IP address

Secondary Nodes: The physical IP addresses of the interfaces with the External role on both Access Gateways

*In RSA 7.1 Secondary Nodes have been renamed to Alternate IP Addresses in the Authentication Agent configuration.

 

 

QUESTION 65

On which two types of virtual servers is the SOURCEIP persistence type supported? (Choose two.)

A.

HTTPS

B.

RTSP

C.

SSL_Bridge

D.

SIP_UDP

Correct Answer: AC

QUESTION 66

Which public IP address must a NetScaler Engineer set on a NetScaler appliance to allow for client connections?

A.

NSIP

B.

SNIP

C.

VIP

D.

USNIP

 

Correct Answer: C


 

QUESTION 67

Scenario: A NetScaler Engineer has received complaints from some users stating that their business applications are running slow. The engineer analyzes the application servers and sees the following CPU utilization:

 

ServerA is utilizing 20% CPU

 

ServerB is utilizing 20% CPU

 

ServerC is utilizing 100% CPU

 

The engineer had set the load-balancing method to round robin but decided to change the load-balancing configuration for the business applications.

 

Which load-balancing method could the engineer use to address this issue?

 

A.

Custom Load

B.

Least Packets

C.

Least Connections

D.

Least Response time

 

Correct Answer: A

 

 

QUESTION 68

Scenario: A network engineer needs to re-configure the NetScaler to utilize two new VLANs – VLAN2 and VLAN3. VLAN2 is an untagged VLAN and VLAN3 will require a .1q compliant tag. Interface 1/1 is the only interface that will be used on the NetScaler. How could the engineer configure the NetScaler so that it can communicate with both networks?

 

A.

Change the NSVLAN to 3

Add VLAN 2 and bind interface 1/1 as untagged

B.

Enable the Tag all VLANs option on interface 1/1.

C.

Add VLAN2 and bind interface 1/1 as untagged

Add VLAN3 and bind interface 1/1 as tagged

D.

Add a SNIP for each VLAN

Enable management access on the SNIP for VLAN3

 

Correct Answer: C

 

 

QUESTION 69

The network engineer would like all HTTP and HTTPS requests that travel through the NetScaler to have an HTTP header added with the source IP address for logging on the web servers. How should the network engineer accomplish this?

 

A.

Enable Web Logging

B.

Enable the client IP option

C.

Configure the TCP Parameters

D.

Enable the ‘Use Source IP mode’

 

Correct Answer: B

Explanation:


 

Enabling Use Source IP Mode

When the NetScaler appliance communicates with the physical servers or peer devices, by default, it uses one of its own IP addresses as the source IP. The appliance maintains a pool of mapped IP addresses (MIPs) and subnet IP addresses (SNIPs), and selects an IP address from this pool to use as the source IP address for a connection to the physical server. The decision of whether to select a MIP or a SNIP depends on the subnet in which the physical server resides.

If necessary, you can configure the NetScaler appliance to use the client’s IP address as source IP. Some applications need the actual IP address of the client. The following use cases are a few examples:

Client’s IP address in the web access log is used for billing purposes or usage analysis.

Client’s IP address is used to determine the country of origin of the client or the originating ISP of the client. For example, many search engines such as Google provide content relevant to the location to which the user belongs.

The application must know the client’s IP address to verify that the request is from a trustworthy source.

Sometimes, even though an application server does not need the client’s IP address, a firewall placed between the application server and the NetScaler may need the client’s IP address for filtering the traffic.

Enable Use Source IP (USIP) mode if you want the NetScaler to use the client’s IP address for communication with the servers. By default, USIP mode is disabled. USIP mode can be enabled globally on the NetScaler or on a specific service. If you enable it globally, USIP is enabled by default for all subsequently created services. If you enable USIP for a specific service, the client’s IP address is used only for the traffic directed to that service.

As an alternative to USIP mode, you have the option of inserting the client’s IP address (CIP) in the request header of the server-side connection for an application server that needs the client’s IP address.

In earlier NetScaler releases, USIP mode had the following source-port options for server-side connections:

Use the client’s port. With this option, connections cannot be reused. For every request from the client, a new connection is made with the physical server.

Use proxy port. With this option, connection reuse is possible for all requests from the same client. Before NetScaler release 8.1 this option imposed a limit of 64000 concurrent connections for all server-side connections.

In the later NetScaler releases, if USIP is enabled, the default is to use a proxy port for server-side connections and not reuse connections. Not reusing connections may not affect the speed of establishing connections.

By default, the Use Proxy Port option is enabled if the USIP mode is enabled. For more information about the Use Proxy Port option, see Using the Client Port When Connecting to the Server.

Note: If you enable the USIP mode, it is recommended to enable the Use Proxy Port option.

The following figure shows how the NetScaler uses IP addresses in USIP mode.

 

IP Addressing in USIP Mode

Free VCE & PDF File for Citrix 1Y0-351 Real Exam


 

Recommended Usage

Enable USIP in the following situations:

Load balancing of Intrusion Detection System (IDS) servers

Stateless connection failover

Sessionless load balancing

If you use the Direct Server Return (DSR) mode

Note: When USIP is required in the one-arm mode installation of the NetScaler appliance, make sure that the server’s gateway is one of the IP addresses owned by the NetScaler. For more information about NetScaler owned IP addresses, see Configuring NetScaler owned IP addresses.

If you enable USIP, set the idle timeout for server connections to a value lower than the default value, so that idle connections are cleared quickly on the server side.

For more information about setting an idle time-out value, see the “Load Balancing” chapter of the Citrix NetScaler Traffic Management Guide at http://support.citrix.com/article/CTX132359.

For transparent cache redirection, if you enable USIP, enable L2CONN also.

Because HTTP connections are not reused when USIP is enabled, a large number of server-side connections may accumulate. Idle server connections can block connections for other clients. Therefore, set limits on the maximum number of connections to a service. Citrix also recommends setting the HTTP server time-out value, for a service on which USIP is enabled, to a value lower than the default, so that idle connections are cleared quickly on the server side.

To globally enable or disable USIP mode by using the NetScaler command line

At the NetScaler command prompt, type one of the following commands:

enable ns mode usip

disable ns mode usip

To enable USIP mode for a service by using the NetScaler command line

At the NetScaler command prompt, type:

set service <ServiceName> -usip (YES | NO)

Example

set service Service-HTTP-1 -usip YES

To globally enable or disable USIP mode by using the configuration utility

In the navigation pane, expand System and click Settings.

On the Settings page, under Modes and Features, click Configure modes.

In the Configure Modes dialog box, do one of the following:

To enable Use Source IP mode, select the Use Source IP check box.

To disable Use Source IP mode, clear the Use Source IP check box.

Click OK.

In the Enable/Disable Feature(s)? dialog box, click Yes.

To enable USIP mode for a service by using the configuration utility

In the navigation pane, expand Load Balancing, and then click Services.

In the details pane, select the service for which you want to enable the USIP mode, and then click Open.

In the Configure Service dialog box, click the Advanced tab.

Under Settings, select the Use Source IP check box.

Click OK.

 

 

QUESTION 70

A NetScaler Engineer is required to use SNMP v3 on a NetScaler instance and needs to use authentication and encryption for all SNMP v3 communication. What are two places where the engineer could set mandatory authentication and encryption? (Choose two.)

 

A.

SNMP trap properties

B.

SNMP user properties

C.

SNMP group properties

D.

SNMP manager properties

 

Correct Answer: BC

 
