Answers to UAG SP1 DirectAccess Contest Quiz Four - Round One
Let’s first get to the answers for Quiz 4 and then we’ll look at the leaderboard and the assignment of points for the round.
When a DirectAccess client is directly connected to the Internet and is assigned a public IP address, the only IPv6 transition technology the DirectAccess client can use to connect to the UAG DirectAccess server is 6to4.
The answer to question 1 is B.
A DirectAccess client can use one of three IPv6 transition technologies to tunnel IPv6 messages over an IPv4 Internet. You have probably read that when the DirectAccess client is on the Internet and assigned a public IP address, it will use 6to4 as its IPv6 transition technology. While that is true, that doesn’t mean that the DirectAccess client is limited to using 6to4 when assigned a public IP address. While the algorithm for determining which IPv6 transition technology will be used at any point in time, when the DirectAccess client is assigned a public IP address it will try to activate its 6to4 adapter. However, if the 6to4 adapter fails to initiate, the DirectAccess client can attempt to enable its Teredo or IP-HTTPS adapters. Several people have noticed that when a DirectAccess client is connected to some wireless carriers, the 6to4 adapter fails to start and Teredo is used in its place. While we’re not sure what the root cause of this situation is in all instances, there is a chance that the wireless carriers are blocking IP Protocol 41 somewhere between the DirectAccess client and DirectAccess server.
You can find more information on how the DirectAccess client choose an IPv6 transition technology to use at http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/09/the-mystery-of-the-ip-https-listener-an-outlook-client-and-an-ipv4-only-network.aspx
Which of the following UAG DirectAccess component technologies require certificates and PKI?
A. IP-HTTPS Listener
B. Infrastructure tunnel
C. Intranet tunnel
D. Network Location Server
E. Client authentication for IP-HTTPS
F. All of the above
G. None of the above
The answer to question 2 is F.
Certificates and PKI are used in a number of places in the DirectAccess solution architecture. The IP-HTTPS listener requires a certificate bound to it so that an SSL session can be established between the DirectAccess client and server.
The infrastructure tunnel is an IPsec tunnel that allows the DirectAccess client access to management servers on the intranet. The intranet tunnel is an IPsec tunnel that allows the DirectAccess client access to all other resources on the intranet. Both IPsec tunnels require that the DirectAccess client and DirectAccess server have computer certificates to enable both authentication and encryption for both of the IPsec tunnels.
The Network Location Server is used to help the DirectAccess client determine if it is currently on or off the intranet. If the DirectAccess client can establish an HTTPS connection to the Network Location Server, the Name Resolution Policy Table will be disabled and the DirectAccess client will use the DNS server configured on its local NIC for name resolution. A certificate is required on the Network Location Server’s web site so that the SSL session can be established.
When a DirectAccess client uses IP-HTTPS to connect to the DirectAccess server, the DirectAccess client uses client certificate authentication to authenticate itself before successful establishment of the IP-HTTPS tunnel. In the case of IP-HTTPS, certificates are used by the IP-HTTPS listener and by the client to authenticate before the IP-HTTPS tunnel is established.
In order to support DirectAccess client access to the intranet tunnel using NAP, you must deploy at least one Windows-based CA.
The answer to question 3 is A.
When the DirectAccess client starts, it automatically negotiates the infrastructure DirectAccess tunnel. The infrastructure tunnel enables the DirectAccess client access to key management servers on the intranet, such as domain controllers, DNS servers, and management servers that are used by IT to command and control DirectAccess clients. The second DirectAccess tunnel, called the intranet tunnel, allows the DirectAccess client to connect to all other resources on the intranet. Normally, the DirectAccess client uses computer certificate authentication and Kerberos (user) authentication to start the intranet tunnel.
However, you can improve the level of security applied to enabling the intranet tunnel by requiring the DirectAccess client to pass NAP inspection. However, in order to deploy NAP-based access control over the intranet tunnel, you must have at least one Windows-based CA on the intranet to support NAP.
For more information on DirectAccess with NAP requirements, check out http://technet.microsoft.com/en-us/library/gg315299.aspx
Here are the results of Round 1:
Winner – christophf (5 points)
2nd – mika (3 points)
jasonj (3 points)
oblaba (3 points)
3rd - olivier (1 point)
Point assignment is based on the rules described on Quiz 1 Round 1 at http://blogs.technet.com/b/tomshinder/archive/2010/12/02/uag-sp1-directaccess-contest-quiz-one-round-one.aspx
Next week we begin Round 2. There will be 4 quizzes in Round 2.
Now for those of you who think you’re out of the running – don’t give up! Even if you’re mathematically out of the running for this contest (which ends with the end of round 2), there will be another contest where round 2 of this contest (which starts with the next quiz) will be round 1 of contest 2! So – keep playing!
Principal Knowledge Engineer, Microsoft DAIP iX/Forefront iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder