Where does the administrator configure this?

An administrator desires that when work laptops are not connected to the corporate network,
they should automatically initiate an AnyConnect VPN tunnel back to headquarters. Where
does the administrator configure this?

A. Via the svc trusted-network command under the group-policy sub-configuration mode on the ASA

B. Under the “Automatic VPN Policy” section inside the AnyConnect Profile Editor within ASDM

C. Under the TNDPolicy XML section within the Local Preferences file on the client computer

D. Via the svc trusted-network command under the global webvpn sub-configuration mode on the ASA




Ace


“Under the TNDPolicy XML section within the Local Preferences file on the client computer”

That doesn’t seem like a very scalable or enforceable solution. How would you audit that it’s in place? This seems like a bad security practice. Is there no other way to enforce this via AnyConnect profile, GPO, etc.? Is the question poorly worded, and do they intend to enact these settings as a one-off exception rather than across a whole fleet of endpoints?

Points awarded to whoever can explain this.

ZeroC00l


In my opinion the answer is poorly worded. It is correct that you can configure this in the XML file which is downloaded to the local machine.

But you configure this with the AnyConnect Profile Editor on the ASA, so the XML gets pushed down to the client.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html#34783

(Step 1: Launch the Profile Editor from ASDM)

Moreover, the TND policy is part of the Automatic VPN Policy (see Step 3 from the Configuration Guide), so answer B would be correct too (it is not as correct as answer C, so…)

Fun fact: if you go and alter this on the local machine, when the machine connects back to the ASA the profile will be overwritten by the ASA, so it makes no sense to change this file on a local machine at all if it is not already configured the same way on the ASA.

Anyway, I would still go with answer C because A and D are clearly wrong and answer B is not as correct as answer C (C is more specific because they ask for a TND feature and the only answer which references TND is C).
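On the audit question raised in the comments above: because the trusted network detection settings live in a profile XML file, a compliance check can parse that file and report drift. The script below is an added example, not part of the original comments or any Cisco tooling; the element names (`AutomaticVPNPolicy`, `TrustedDNSDomains`, `TrustedDNSServers`, `TrustedNetworkPolicy`, `UntrustedNetworkPolicy`) are assumed from the AnyConnect profile format, and the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: element names follow the AnyConnect profile XML format.
def _profile(enabled, children):
    # Build a constructed sample profile; not taken from any real deployment.
    return ('<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">'
            "<ClientInitialization><AutomaticVPNPolicy>" + enabled + children +
            "</AutomaticVPNPolicy></ClientInitialization></AnyConnectProfile>")

GOOD = _profile("true",
    "<TrustedDNSDomains>corp.example.com</TrustedDNSDomains>"
    "<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>"
    "<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>")
DRIFTED = _profile("true",
    "<TrustedDNSDomains></TrustedDNSDomains>"
    "<UntrustedNetworkPolicy>DoNothing</UntrustedNetworkPolicy>")
DISABLED = _profile("false", "")

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def audit_tnd(xml_text):
    """Return findings; an empty list means the profile auto-connects off-network."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["profile is not well-formed XML: %s" % exc]
    policy = next((e for e in root.iter()
                   if _local(e.tag) == "AutomaticVPNPolicy"), None)
    if policy is None:
        return ["AutomaticVPNPolicy element missing"]
    findings = []
    if (policy.text or "").strip().lower() != "true":
        findings.append("AutomaticVPNPolicy is not enabled")
    child = {_local(c.tag): (c.text or "").strip() for c in policy}
    # Without a trusted DNS domain or server the client cannot tell it is off-network.
    if not (child.get("TrustedDNSDomains") or child.get("TrustedDNSServers")):
        findings.append("no trusted DNS domains or servers defined")
    if child.get("UntrustedNetworkPolicy") != "Connect":
        findings.append("UntrustedNetworkPolicy is not Connect")
    return findings

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("drifted", DRIFTED), ("disabled", DISABLED)):
        print(name, audit_tnd(doc) or "OK")
```

Run it against the profile copy collected from each endpoint and against the copy held on the ASA; any difference in findings between the two indicates a client that has not yet pulled the pushed profile.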

Hashiru Dris


New 300-209 Exam Questions Updated Recently (4/July/2017):

NEW QUESTION 294
Refer to the exhibit, which result of this command is true?

A. Makes the router generate a certificate signing request
B. Generates an RSA key called TRIALFOUR
C. It displays the RSA public keys of the router
D. It specifies self-signed enrollment for a trust point

Answer: A

NEW QUESTION 295
An engineer is attempting to establish a new site-to-site VPN connection. The tunnel terminates on an ASA 5506-X which is behind an ASA 5515-X. The engineer notices that the tunnel is not establishing. Which option is a potential cause?

A. Certificates were not configured
B. Diffie-Hellman group is not set
C. Access lists were not applied
D. NAT-traversal is not configured

Answer: D

NEW QUESTION 296
Which algorithm does ISAKMP use to securely derive encryption and integrity keys?

A. Diffie-Hellman
B. AES
C. ECDSA
D. RSA
E. 3DES

Answer: D

NEW QUESTION 297
Which purpose of configuring Perfect Forward Secrecy is true?

A. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 2 keys.
B. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 1 keys.
C. For every negotiation of a new phase 1 SA, the two gateways generate a new set of phase 1 keys.
D. For every negotiation of a new phase 2 SA, the two gateways generate a new set of phase 2 keys.

Answer: A

NEW QUESTION 298
An engineer has successfully established a phase 1 tunnel, but notices that no packets are decrypted on the head end side of the tunnel. What is a potential cause for this issue?

A. different phase 2 encryption
B. misconfigured DH group
C. disabled PFS
D. firewall blocking Phase 2 ESP or AH

Answer: A

NEW QUESTION 299
Which option describes traffic that will initiate a VPN connection?

A. trusted
B. external
C. internal
D. interesting

Answer: D

NEW QUESTION 300
……

P.S. These New 300-209 Exam Questions Were Just Updated From The Real 300-209 Exam, You Can Get The Newest 300-209 Dumps In PDF And VCE From — http://www.passleader.com/300-209.html (307q VCE and PDF)

Good Luck!