Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2008 R2. The network contains 100 servers and 5,000 client computers. The client computers
run either Windows XP Service Pack 1 or Windows 7.
You need to plan a VPN solution that meets the following requirements:
· Stores VPN passwords as encrypted text
· Supports Suite B cryptographic algorithms
· Supports automatic enrollment of certificates
· Supports client computers that are configured as members of a workgroup
What should you include in your plan?
A. Upgrade the client computers to Windows XP Service Pack 3. Implement a standalone certification
authority (CA). Implement an IPsec VPN that uses certificate based authentication.
B. Upgrade the client computers to Windows XP Service Pack 3. Implement an enterprise
certification authority (CA) that is based on Windows Server 2008 R2. Implement an IPsec VPN that
uses Kerberos authentication.
C. Upgrade the client computers to Windows 7. Implement an enterprise certification authority (CA)
that is based on Windows Server 2008 R2. Implement an IPsec VPN that uses preshared keys.
D. Upgrade the client computers to Windows 7. Implement an enterprise certification authority (CA)
that is based on Windows Server 2008 R2. Implement an IPsec VPN that uses certificate based
authentication.
Explanation:
This is as close as I could get to an answer to this.
In essence, Enterprise CAs are fully integrated into a Windows Server 2008 environment. This type of
CA makes the issuing and management of certificates for Active Directory clients as simple as
possible.
Standalone CAs do not require Active Directory. When certificate requests are submitted to
Standalone CAs, the requestor must provide all relevant identifying information and manually
specify the type of certificate needed. This process occurs automatically with an Enterprise CA. By
default, Standalone CA requests require administrator approval. Administrator intervention is
necessary because there is no automated method of verifying a requestor’s credentials. Standalone
CAs do not use certificate templates, limiting the ability for administrators to customize certificates
for specific organizational needs.
■ L2TP/IPsec
L2TP connections use encryption provided by IPsec. L2TP/IPsec is the protocol that you
need to deploy if you are supporting Windows XP remote access clients, because these clients
cannot use SSTP. L2TP/IPsec provides per-packet data origin authentication, data integrity, replay
protection, and data confidentiality.
L2TP/IPsec connections use two levels of authentication. Computer-level authentication occurs
either using digital certificates issued by a CA trusted by the client and VPN server or through the
deployment of pre-shared keys. PPP authentication protocols are then used for user-level
authentication. L2TP/IPsec supports all of the VPN authentication protocols available on Windows
Server 2008.
■ Supports Suite B cryptographic algorithms
When using the Certificate Templates console, note that you cannot configure the autoenrollment
permission for a level 1 certificate template. Level 1 certificates have Windows 2000 as their
minimum supported CA. Level 2 certificate templates have Windows Server 2003 as a minimum
supported CA. Level 2 certificate templates are also the minimum level of certificate template that
supports autoenrollment. Level 3 certificate templates are supported only by client computers
running Windows Server 2008 or Windows Vista. Level 3 certificate templates allow administrators
to configure advanced Suite B cryptographic settings. These settings are not required to allow
certificate autoenrollment and most administrators find level 2 certificate templates are adequate
for their organizational needs.
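As an added example (not part of the original question or its explanation, and not Microsoft's own code), the following PowerShell script enumerates the certificate templates published in Active Directory and reports each template's schema version, which is what the text above calls the template level, together with the minimum CA that can issue it and the principals that hold the Enroll and Autoenroll permissions on it. It assumes a domain-joined Windows machine and a user with read access to the Configuration naming context, and uses only the built-in [ADSI] accessor. The two extended-right GUIDs are the well-known schema values for Certificate-Enrollment and Certificate-AutoEnrollment; version 4 templates (introduced with Windows Server 2008 R2) are included in the level mapping for completeness, beyond the three levels the text describes.

```powershell
# Added example, not code from the original page or from Microsoft.
# Lists every certificate template published in Active Directory with its schema version
# (the "level" in the explanation above), the minimum CA that can issue it, and the
# principals that hold the Enroll and Autoenroll permissions on it.
# Assumptions: run on a domain-joined Windows machine as a user with read access to the
# Configuration naming context; only the built-in [ADSI] accessor is used (no RSAT module).

# Well-known extended-right GUIDs from the AD schema.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Template schema version -> minimum CA, as described in the text (version 4 added for
# Windows Server 2008 R2, which the text does not cover).
$MinimumCa = @{
    1 = 'Windows 2000 (no autoenrollment permission)'
    2 = 'Windows Server 2003 (autoenrollment supported)'
    3 = 'Windows Server 2008 / Vista (Suite B settings available)'
    4 = 'Windows Server 2008 R2 / Windows 7'
}

function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Translate to DOMAIN\name where possible; fall back to the raw SID for orphaned ACEs.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-GrantedPrincipals($Rules, [Guid]$Right) {
    # An Allow ACE grants the right when it names that specific right, or when its
    # ObjectType is the empty GUID (all extended rights, e.g. a GenericAll grant).
    $Rules |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $Right -or $_.ObjectType -eq [Guid]::Empty)
        } |
        ForEach-Object { Resolve-Sid $_.IdentityReference } |
        Sort-Object -Unique
}

function Get-TemplateReport {
    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($template in $container.Children) {
        $version = [int]$template.Properties['msPKI-Template-Schema-Version'].Value
        $rules   = $template.ObjectSecurity.GetAccessRules(
                       $true, $true, [System.Security.Principal.SecurityIdentifier])

        [PSCustomObject]@{
            Template            = [string]$template.Properties['cn'].Value
            SchemaVersion       = $version
            MinimumCA           = $MinimumCa[$version]
            AutoenrollPossible  = ($version -ge 2)
            EnrollGrantedTo     = (Get-GrantedPrincipals $rules $EnrollRight) -join '; '
            AutoenrollGrantedTo = (Get-GrantedPrincipals $rules $AutoEnrollRight) -join '; '
        }
    }
}

Get-TemplateReport | Sort-Object SchemaVersion, Template | Format-Table -AutoSize
```

Run it as-is from a PowerShell prompt on a domain member. A level 1 template will show AutoenrollPossible as False and, consistent with the text, should never carry an Autoenroll ACE; a level 3 or higher template is the one you would expect to see for a Suite B VPN client certificate. Reviewing the AutoenrollGrantedTo column is also a quick way to spot templates whose autoenrollment is granted more broadly than the workgroup or domain clients that actually need them.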