PASS4TEST IT Certification Guaranteed, The Easy Way!
http://www.pass4test.com
We offer free update service for one year

Exam: 1Y0-351
Title: Citrix NetScaler 10.5 Essentials and Networking
Vendor: Citrix
Version: DEMO

NO.1 Scenario: A network engineer is going to roll out an upgrade from a 9.x version on a standalone NetScaler appliance using the command-line interface. Which two items does the engineer need to download before proceeding with the upgrade? (Choose two.)
A. SSL Certificates Files
B. NetScaler Firmware File
C. NetScaler Configuration file
D. NetScaler Documentation File
Answer: B,D

NO.2 When would it be necessary to configure Failover Interface Set (FIS) in an environment that has two NetScaler appliances in high availability (HA) mode?
A. Link redundancy is required.
B. Route monitors are required.
C. HA monitor is disabled in some interfaces.
D. The NetScaler appliances are configured on different networks.

NO.3 Which tool could a NetScaler Engineer use to monitor client-side rendering times for a Web application that is load-balanced by NetScaler?
A. Tcpdump
B. Insight Center
C. Command Center
D. NetScaler Dashboard

NO.4 Scenario: A NetScaler Engineer is using the DataStream feature. The NetScaler appliance is located in front of a MySQL Database server in the network topology. The engineer would like to block requests that would drop a database. The engineer comes up with the expression MYSQL.REQ.QUERY.TEXT.CONTAINS("drop database"). The engineer should configure the expression with the __________ feature to block these requests. (Choose the correct option to complete the sentence.)
A. Responder
B. Rate Limiting
C. Content Filtering
D. Access Control List

NO.5 Scenario: A call center has deployed Access Gateway Enterprise to provide its employees with access to work resources from home. Due to the number of available licenses, only selected employees should access the environment remotely based on their user account information. How could the engineer configure access to meet the needs of this scenario?
A. Configure a Pre-authentication Policy.
B. Configure an Authentication Server using a search filter.
C. Configure an Authentication Policy using Client based expressions.
D. Add the selected employee accounts to the Local Authentication policy.
Answer: B

Explanation:
http://support.citrix.com/article/ctx111079

When you type login credentials on the login page of the NetScaler VPN and press Enter, the credentials are sent to the Active Directory for validation. If the user name and password are valid, then the Active Directory sends the user attributes to the NetScaler appliance. The memberof attribute is one of the attributes that the Active Directory sends to the NetScaler appliance. This attribute contains the name of the group of which you are defined as a member in the Active Directory. If you are a member of more than one Active Directory group, then multiple memberof attributes are sent to the NetScaler appliance. The NetScaler appliance then parses this information to determine if the memberof attribute matches the Search filter parameter set on the appliance. If the attribute matches, then you are allowed to log in to the network.

The following are the sample attributes that the Active Directory can send to the NetScaler appliance:

    dn: CN=johnd,CN=Users,DC=citrix,DC=com
    changetype: add
    memberof: CN=VPNAllowed,OU=support,DC=citrix,DC=com
    cn: johnd
    givenname: john
    objectclass: user
    samaccountname: johnd

Configuring a NetScaler Appliance to Extract the Active Directory Group

To configure a NetScaler appliance to extract the Active Directory group and enable clients to access the NetScaler VPN based on the Active Directory groups by using the Lightweight Directory Access Protocol (LDAP) authentication, complete the following procedure:

Determine the Active Directory Group that has access permission. To configure the NetScaler appliance for Group Extraction, you must define the group a user needs to be a member of to allow access to the network resources.
Note: To determine the exact syntax, you might need to refer to the Troubleshooting Group Extraction on the NetScaler appliance section.

Determine the Search Filter syntax. Enter the appropriate syntax in the Search Filter field of the Create Authentication Server dialog box, as shown in the following sample screenshot:
Note: Ensure that you start the value of the Search Filter field with memberof= and do not have any embedded spaces in the value.

To configure the LDAP authentication with Group Extractions from the command line interface of the NetScaler appliance with the values similar to the ones in the preceding screenshot, run the following command:

    add authentication ldapaction LDAP-Authentication -serverip 10.3.4.15 -ldapbase "CN=Users,DC=citrix,DC=com" -ldapbinddn "CN=administrator,CN=Users,DC=citrix,DC=com" -ldapbinddnpassword..dd2604527edf70 -ldaploginname samaccountname -searchfilter "memberof=cn=vpnallowed,ou=support,dc=citrix,dc=com" -groupattrname memberof -subattributename CN

Note: Ensure that you set the subattributename parameter to CN.

Troubleshooting Group Extraction on the NetScaler appliance

To troubleshoot group extraction on the NetScaler appliance, consider the following points:
- If the LDAP policy fails after configuring it for Group Extraction, it is best to create a policy that does not have the group extraction configured to ensure that LDAP is configured appropriately.
- You might need to use the LDAP Data Interchange Format Data Exchange (LDIFDE) utility from Microsoft that extracts the attributes from the Active Directory server to determine the exact content of the memberof group. You need to run this utility on the Active Directory server.

The following is the syntax for the command to run the LDIFDE utility:

    ldifde -f <File_Name> -s <AD_Server_Name> -d "dc=<domain_name>,dc=com" -p subtree -r "(&(objectcategory=person)(objectclass=user)(givenname=*))" -l "cn,givenname,objectclass,samaccountname,memberof"

When you run the preceding command, a text file, with the name you specified for the File_Name parameter, is created. This file contains all objects from the Active Directory. The following is an example from a text file so created:

    dn: CN=johnd,CN=Users,DC=citrix,DC=com
    changetype: add
    memberof: CN=VPNAllowed,OU=support,DC=citrix,DC=com
    cn: johnd
    givenname: john
    objectclass: user
    samaccountname: johnd

NO.6 Scenario: A NetScaler Engineer has configured a virtual server as follows:

    set lb vserver web_vserver -redirecturl http://www.external.hosting.com -backupvserver maint_vserver

The virtual server web_vserver is marked as DOWN; maint_vserver is marked as UP. The following request is sent to the web_vserver:

    GET /path/query HTTP/1.1

What would happen to this request?
A. Redirected to http://www.external.hosting.com
B. Forwarded to the backup server, ignoring the query
C. Forwarded to the backup server, preserving the query
D. Redirected to http://www.external.hosting.com/path/query
Answer: C

NO.7 A network engineer has enabled BGP routing. Which two additional features should the network engineer enable for BGP routing to function? (Choose two.)
A. Layer 2 mode
B. Layer 3 mode
C. Dynamic routing
D. MAC based forwarding
Answer: B,C

NO.8 A network engineer should use a HTTP-ECV monitor type to control the status of a load balanced web server resource when __________. (Choose the correct option to complete the sentence.)
A. checking for multiple HTTP response codes
B. wanting to use a customized HTTP Request
C. checking for a specific pattern in the HTTP Response body
D. checking for a specific pattern in the HTTP Response header
Answer: C

NO.9 A network engineer has noted that the primary node in an HA pair has been alternating as many as three times a day due to intermittent issues. What should the engineer configure to ensure that HA failures are alerted?
A. LACP
B. SNMP
C. Route monitors
D. Failover Interface Set
Answer: B

NO.10 Scenario: A NetScaler Engineer has discovered that the object home.php is NOT found in the cache on the system. Below is the relevant configuration:

    add cache contentgroup cache_content_group_1 -relexpiry 0
    add cache policy cache_pol_1 -rule "http.req.url.contains(\"home.php\")" -action MAY_CACHE -storeingroup cache_content_group_1
    add cache policy cache_pol_2 -rule "http.req.method.eq(\"get\")" -action NOCACHE
    add cache policy cache_pol_3 -rule "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS" -action CACHE
    bind cache global cache_pol_1 -priority 90 -gotopriorityexpression END -type REQ_OVERRIDE
    bind cache global cache_pol_2 -priority 100 -gotopriorityexpression END -type REQ_OVERRIDE
    bind cache global cache_pol_3 -priority 100 -gotopriorityexpression END -type RES_OVERRIDE

The data from the client and the server are as follows:

    GET /home.php HTTP/1.1
    Host: www.website.com
    User-Agent: Mozilla Firefox/3.0.3
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: enus,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Date: Thu, 09 Oct 2014 18:25:00 GMT
    Cookie: sessionid=100xyz

    HTTP/1.1 200 OK
    Date: Thu, 09 Oct 2014 18:25:00 GMT
    Server: Apache/2.2.3 (Fedora)
    Last-Modified: Wed, 09 Jul 2014 21:55:36 GMT
    ETag: "27db3c-12ce-5e52a600"
    Accept-Ranges: bytes
    Cache-Control: private, max-age=0
    Set-Cookie: sessionid=100xyz; expires=thu, 09-Oct-2014 18:30:00 GMT; path=/
    Content-Length: 119
    Connection: close
    Content-Type: text/html; charset=utf-8

Why does the object NOT persist in the cache?
A. The request is a GET request.
B. The response has Set-Cookie.
C. The content group is missing a cache selector.
D. The content group has been configured with relexpiry 0.
Answer: D

NO.11 Which two virtual server types could have a compression policy bound to them? (Choose two.)
A. SSL
B. DNS
C. HTTP
D. SSL_TCP,C

NO.12 Scenario: GSLB has been configured for use within a multisite environment. The MEP status is reported as down on all GSLB appliances. The appliances have been configured for unsecured MEP exchange. Which port must the network engineer ensure is open between the NetScaler appliances?
A. TCP 3011
B. UDP 3011
C. TCP 3012
D. UDP 3012

NO.13 A network engineer selected the option on a SSL certificate to provide notification upon expiration of the certificate; however, when a certificate expires, NO notification is sent to the engineer. Which step could the engineer take to enable notification?
A. Configure SNMP.
B. Create a SSL policy.
C. Enable the SSL offload feature.
D. Ensure that the certificate is linked to a Root certificate.

NO.14 Scenario: An engineer has configured a virtual server that users access using HTTP port 80. The web application also uses TCP port 81 and 8080 for non-user access. The engineer would like to prevent users from connecting to web servers if any of the ports go down. How should the engineer set this configuration to ensure service availability?
A. Increase the monitor threshold.
B. Lower the server timeout value.
C. Create additional virtual servers for ports 81 and 8080.
D. Create monitors for ports 81 and 8080, and bind to the service or service group.
Answer: D

NO.15 An environment network has:
- High bandwidth
- Low packet loss
- High Round-Trip Time (RTT)
Which TCP profile should an engineer configure for the environment described?
A. Nstcp_default_profile
B. Nstcp_default_tcp_lfp
C. Nstcp_default_tcp_lnp
D. Nstcp_default_tcp_lan
Answer: B