Ensurepass

Juniper Enterprise Content Management Sales Mastery Test v3

 

QUESTION 41

You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office consists of a pair of SRX650s in a chassis cluster. Which two statements about the deployment are true? (Choose two.)

 

A.

The SRX650s must be separated as standalone devices to support the dynamic VPNs.

B.

The remote clients must install client software to establish a tunnel with the corporate network.

C.

The remote clients must reside behind an SRX device configured as the local tunnel endpoint.

D.

The SRX650 must have HTTP or HTTPS enabled to aid in the client software distribution process.

 

Correct Answer: BD

Explanation:

http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf

 

 

QUESTION 42

You are asked to deploy dynamic VPNs between the corporate office and remote employees that work from home. The gateway device at the corporate office is a chassis cluster formed from two SRX240s. Which two statements about this deployment are true? (Choose two.)

 

A.

You must remove the SRX240s from the chassis cluster before enabling the dynamic VPNs.

B.

The remote clients can run Windows XP, Windows Vista, Windows 7, or OS X operating systems.

C.

If more than two dynamic VPN tunnels are required, you must purchase and install a new license.

D.

The remote users can be authenticated by the SRX240s or a configured RADIUS server.

 

Correct Answer: CD

Explanation:

http://www.juniper.net/us/en/local/pdf/app-notes/3500201-en.pdf

 

 

QUESTION 43

You are asked to implement IPsec tunnels between your SRX devices located at various locations. You will use the public key infrastructure (PKI) to verify the identification of the endpoints. What are two certificate enrollment options available for this deployment? (Choose two.)

 

A.

Manually generating a PKCS10 request and submitting it to an authorized CA.

B.

Dynamically generating and sending a certificate request to an authorized CA using OCSP.

C.

Manually generating a CRL request and submitting that request to an authorized CA.

D.

Dynamically generating and sending a certificate request to an authorized CA using SCEP.

 

Correct Answer: AD

Explanation:

Reference: Page 9

http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf

 

 

QUESTION 44

Which statement is true regarding the dynamic VPN feature for Junos devices?

 

A.

Only route-based VPNs are supported.

B.

Aggressive mode is not supported.

C.

Preshared keys for Phase 1 must be used.

D.

It is supported on all SRX devices.

 

Correct Answer: C

Explanation:

http://www.juniper.net/techpubs/en_US/junos12.1x45/information-products/pathway-pages/security/security-vpn-dynamic.pdf

 

 

QUESTION 45

You are asked to design a solution to verify IPsec peer reachability with data path forwarding. Which feature would meet the design requirements?

 

A.

DPD over Phase 1 SA

B.

DPD over Phase 2 SA

C.

VPN monitoring over Phase 1 SA

D.

VPN monitoring over Phase 2 SA

 

Correct Answer: D

Explanation:

http://forums.juniper.net/t5/SRX-Services-Gateway/dead-peer-detection-VS-VPN-monitor-in-IPSEC/td-p/176671

 

 

QUESTION 46

What are three advantages of group VPNs? (Choose three.)

 

A.

Supports any-to-any member connectivity.

B.

Provides redundancy with cooperative key servers.

C.

Eliminates the need for full mesh VPNs.

D.

Supports translating private to public IP addresses.

E.

Preserves original IP source and destination addresses.

 

Correct Answer: ACE

Explanation:

http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf

 

 

QUESTION 47

You have been asked to establish a dynamic IPsec VPN between your SRX device and a remote user. Regarding this scenario, which three statements are correct? (Choose three.)

 

A.

You must use preshared keys.

B.

IKE aggressive mode must be used.

C.

Only predefined proposal sets can be used.

D.

Only policy-based VPNs are supported.

E.

You can use all methods of encryption.

 

Correct Answer: ABD

Explanation:

http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/dynamic-vpn-appnote-v12.pdf

 

 

QUESTION 48

You want to implement an IPsec VPN on an SRX device using PKI certificates for authentication. As part of the implementation, you are required to ensure that the certificate submission, renewal, and retrieval processes are handled automatically from the certificate authority. Regarding this scenario, which statement is correct?

 

A.

You can use SCEP to accomplish this behavior.

B.

You can use OCSP to accomplish this behavior.

C.

You can use CRL to accomplish this behavior.

D.

You can use SPKI to accomplish this behavior.

 

Correct Answer: A

Explanation:

Reference: Page 9

http://www.juniper.net/techpubs/en_US/junos/information-products/topic-collections/nce/pki-conf-trouble/configuring-and-troubleshooting-public-key-infrastructure.pdf

 

 

QUESTION 49

You have a group IPsec VPN established with a single key server and five client devices. Regarding this scenario, which statement is correct?

 

A.

There is one unique Phase 1 security association and five unique Phase 2 security associations used for this group.

B.

There is one unique Phase 1 security association and one unique Phase 2 security association used for this group.

C.

There are five unique Phase 1 security associations and five unique Phase 2 security associations used for this group.

D.

There are five unique Phase 1 security associations and one unique Phase 2 security association used for this group.

 

Correct Answer: D

Explanation:

http://www.thomas-krenn.com/redx/tools/mb_download.php/mid.x6d7672335147784949386f3d/Manual_Configuring_Group_VPN_Juniper_SRX.pdf

 

 

QUESTION 50

You are asked to implement an IPsec VPN between your main office and a new remote office. The remote office receives its IKE gateway address from their ISP dynamically. Regarding this scenario, which statement is correct?

 

A.

Configure a fully qualified domain name (FQDN) as the IKE identity.

B.

Configure the dynamic-host-address option as the IKE identity.

C.

Configure the unnumbered option as the IKE identity.

D.

Configure a dynamic host configuration name (DHCN) as the IKE identity.

 

Correct Answer: A

 
