| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Barak is a Security Administrator for an organization that has two sites using pre-shared secrets in its VPN. The two sites are Oslo and London. Barak has just been informed that a new office is opening in Madrid, and he must enable all three sites to connect via the VPN to each other. Three Security Gateways are managed by the same SmartCenter Server, behind the Oslo Security Gateway. Barak decides to switch from pre-shared secrets to Certificates issued by the Internal Certificate Authority (ICA). After creating the Madrid gateway object with the proper VPN Domain, what are Barak's remaining steps?

1. Disable "Pre-Shared Secret" on the London and Oslo gateway objects.
2. Add the Madrid gateway object into the Oslo and London's mesh VPN Community.
3. Generate ICA Certificates for all three Security Gateways.
4. Configure "Traditional mode VPN configuration" in the Madrid gateway object's VPN screen.
5. Reinstall the Security Policy on all three Security Gateways.

A. 1, 2, 3, 4
B. 1, 2, 5
C. 1, 2, 3, 5
D. 1, 3, 4, 5
E. 1, 2, 3, 4, 5

TK says "E" is correct, but I think I would go with "C" because there's no need to configure "Traditional Mode" if you had completed step 2 (Add Madrid gateway in the VPN MESH community). Am I right?

Thanks again!

__________________
CCSE NGX, CCNA, MCSE 2k, LPIc1, ITIL-F
| |||
| I guess 'E' would be right. Performing step 2 just adds the Madrid object to the mesh community. You would need to perform step 4 for configuring the Madrid VPN properties. Traditional mode gives more granular control over the type of encryption to use, keys and certificates. Check out Chapter 11 VPN, Pg 381, CCSA NGX Syngress Guide. |
| |||
| I guess the answer is 'E' as well. Traditional mode can implement security rules and specify actions of Encrypt or Decrypt. But why is it only configured on the Madrid gateway? Shouldn't it be on all gateways? |
| |||
Good!! I'm reading this chapter right now and it states "The primary difference between the two approaches is that instead of the gateway deriving all of its encryption settings from the VPN community it belongs to, they are specified in the properties of each gateway object". So it's not required all the time, but you may want to do so to have more granular control, as you said.

If the question had said that Barak had already configured the Settings on the VPN Community, then it would be just a matter of adding Madrid's gateway to this community. As the question doesn't mention anything about this, I agree we would have to configure the Traditional Mode on the Madrid gateway. But anyway, as you guys have already said, this should be configured on all 3 gateways... Do you think the problem is that the question is missing some information? :P

Thanks a lot for your posts!!!

Robori

__________________
CCSE NGX, CCNA, MCSE 2k, LPIc1, ITIL-F
| |||
| The question does say "he must enable all three sites to connect via the VPN to each other." Of course he is expected to configure the properties for all three gateways at this stage. Any of you guys planning on giving the exam soon (as in 3-4 weeks)? Does anyone have the latest copy of TK (ver18)? |
| |||
| I think the testking is very similar to the actual test 147 (ver 11/06) from the testking website, the nearly version updated on 11/19/2006. In addition, I plan to take the exam 2 weeks later. If I'm earlier than you guys, I will let you guys know what's going on there... |
| |||
| Hi guys, there are a lot of new questions, NAT, SmartDashboard, and all, so don't stick with TK or actualtests. I failed on 17th Jan. I will do the exam next week again. Prepare well and go... Please keep updating the forums.... Regards, Dinesh |
| |||
| Btw, what did you study before? For the moment, I feel the official R61 (or the new R62) doc contains much more information related to the exam than the Syngress book. |
| |||
| I have studied the CP R60 official materials and Actualtests 147Q, but no hope. Again I am attempting this on 3rd Feb. I hope this time I can go. |