You are the systems administrator of the branch office of the Nutex Corporation. The branch office network contains a Forefront Threat Management Gateway server named EBS-TMG2 that is configured as an Edge Firewall. All the client computers in the branch office run Windows XP Professional.
The main office network contains Forefront TMG server installed on the Security Server named EBS-TMG1 that is configured as a virtual private network (VPN) server. The VPN server is configured to use the Microsoft Point-to-Point Encryption (MPPE) protocol to protect data traversing through the VPN connections.
The users in the branch office regularly require access to resources in the main office. You are required to create an access rule that supports MPPE for the site-to-site VPN connection between EBS-TMG2 and EBS-TMG1. You decide to create an access rule that enables outbound access.
Which client protocol should you use?
A. the PAP client protocol
B. the EAP client protocol
C. the L2TP client protocol
D. the PPTP client protocol
Explanation:
You should create an access rule to enable outbound access to the PPTP client protocol. VPN allows external users secure remote access to resources on an organization's internal network. A VPN is a virtual network that enables communication either between a remote access client and computers on the internal network or between two remote sites separated by a public network, such as the Internet. Special tunneling protocols that are based on the TCP/IP protocol are used by a VPN client to connect to a virtual connection port on a VPN server.

Forefront TMG supports Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPSec) to encrypt the information sent over the Internet. PPTP uses the MPPE protocol to protect data traversing the PPTP virtual networking connection. The L2TP/IPSec VPN protocol uses IPSec to encrypt data traversing the L2TP virtual network. The L2TP/IPSec VPN protocol requires either a certificate or a preshared key to authenticate the client computer. If a remote VPN server is not configured to support machine certificate authentication for VPN connections, you should create an access rule that allows outbound access to the PPTP Client protocol.

In this scenario, the VPN server EBS-TMG1 is configured to use the MPPE protocol to protect data traversing the VPN connections. Therefore, you should create an access rule to enable outbound access to the PPTP client protocol, because PPTP uses the MPPE protocol to protect data traversing the VPN connection.
You should not create an access rule to enable outbound access to the PAP client protocol. Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. PAP is typically used when a remote access client and a remote access server fail to negotiate a more secure form of authentication. In this situation, the VPN server is configured to use the MPPE protocol, and PAP does not use MPPE. Therefore, creating an access rule to enable outbound access to the PAP client protocol will not enable you to achieve the desired goal.
You should not create an access rule to enable outbound access to the EAP client protocol. Extensible Authentication Protocol (EAP) is the most secure remote authentication protocol. It uses certificates on both the client and the server to provide mutual authentication, data integrity, and data confidentiality. EAP is used by multi-factor authentication technologies, such as smart cards. In this situation, the VPN server is configured to use the MPPE protocol instead of certificates. Therefore, you cannot configure and use an access rule that allows outbound access to the EAP client protocol.
You should not create an access rule to enable outbound access to the L2TP client protocol. The L2TP/IPSec VPN protocol uses IPSec to encrypt data traversing the L2TP virtual network. L2TP/IPSec requires either a certificate or a preshared key to authenticate the client computer. In this situation, the VPN server is configured to use the MPPE protocol instead of certificates. Therefore, you cannot configure and use an access rule that allows outbound access to the L2TP client protocol.