Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You configure Server1 as a VPN server. You need to ensure that only client computers that have up-to-date virus definitions can establish VPN connections to Server1. Which server role, role service, or feature should you install?
A.
Simple TCP/IP Services
B.
Windows Internal Database
C.
Connection Manager Administration Kit (CMAK)
D.
File Server Resource Manager (FSRM)
E.
Windows Server Update Services (WSUS)
F.
Services for Network File System (NFS)
G.
Routing and Remote Access service (RRAS)
H.
Network Policy Server (NPS)
I.
Wireless LAN Service
J.
Group Policy Management
K.
Health Registration Authority (HRA)
L.
Windows System Resource Manager (WSRM)
M.
Network Load Balancing (NLB)
“pretty sure” that Health Registration Authority (HRA) is the correct answer… HRA is a component of Netowrk Access Protection (NAP)
http://technet.microsoft.com/en-us/library/cc732365.aspx
NAP is part of role NPS, so you can achieve NAP by installing NPS role
To me answer K seems like a good option as installing HRA would automatically install NPS.
http://technet.microsoft.com/en-us/library/cc735449(v=ws.10).aspx
– “HRA is installed on a computer that is also running Network Policy Server (NPS) and Internet Information Services (IIS). If they are not already installed, these services will be added when you install HRA.”
But the “Master” service in this case is the NPS role.
You guys have to pay attention to that.
I want to side with the guys that linked the Technet articles on this one. I get it that you need the “master” NPS role in place as well though. They really should take out one of those answers, because you need both for it to work and nothing in the question indicates that you may or may not already have one or the other installed.
In a question asking for a specific feature to function however, I would never answer the “master” role service, I would always answer the most specific service needed to achieve the end result. In this case, you need the HRA to evaluate the claims that clients provide to whether or not they have up to date antivirus, and issues certificates based on those claims allowing remote access. As Dude mentioned, if you try to install the HRA, NPS is a required role service and will install also. So by installing HRA, you are also installing NPS. Two birds, one stone.
M$ should really fix this question because you need both. I’m answering K if I see it on my test. Hopefully it isn’t the difference between pass/fail.
The thing I look at here, is that if I install NPS alone, can I solve the problem listed in the question? Will it ensure that only clients with up to date antivirus can connect? Don’t I have to also install the HRA in order to achieve the goal? If someone can explain how to achieve this goal by just installing NPS, and not installing HRA, that would be great. I don’t think you can do it though.
I’d choose H:
“System administrators define network health policies and create these policies by using NAP components that are provided in NPS…”
HRA does the checking, but the policy isn’t configured with it:
“Health Registration Authority (HRA) is responsible for validating client credentials and then forwarding a certificate request to a certification authority (CA) on behalf of Network Access Protection (NAP) clients. HRA validates certificate requests by checking with Network Policy Server (NPS) to determine if the NAP client is compliant with network health requirements. NAP clients use health certificates to communicate on an IPsec-protected network.”