citrix 1y0-351 : practice test - gratis exam...jun 05, 2015 · connections in any given second. a...

Citrix 1Y0-351 : Practice Test

Passing Score: 800Time Limit: 120 min

http://www.gratisexam.com/

Exam Code: 1Y0-351

Title : Citrix NetScaler 10.5 Essentials and Networking

Sections1. I&O&T Managed Services Traversing the Core

Exam A

QUESTION 1Scenario: An engineer is upgrading the NetScaler firmware from version 10.1 to 10.5 and has a high-availability (HA) setup of two NetScaler MPX appliances.

What is the best practice process to upgrade this HA pair?

A. Upgrade the primary unit, test on the new build, and then upgrade the secondary unit.B. Disable the secondary unit, upgrade the primary, test the new build and then upgrade the other unit.C. Upgrade the secondary unit, do the failover, test on the new build, and then upgrade the primary unit.D. Upgrade and restart both units at the same time and test on the new build after they both are running.

Correct Answer: CSection: (none)Explanation

Explanation/Reference:

QUESTION 2What is the purpose of binding Certificate Authority (CA) certificates to a virtual server?

A. For SSL OffloadB. To validate the server certificateC. For client certificate authenticationD. To provide intermediate certificates to the client



QUESTION 3Scenario: NetScaler is configured with a Subnet IP (SNIP) 192.168.1.10/24 on VLAN 1 and a SNIP172.168.1.50/24 on VLAN 100.

VLAN 100 has been properly associated with interface 1/1 and SNIP 172.168.1.50.

A user on VLAN 100 is attempting to access a virtual server on 192.168.1.25 and NOT getting a response.After troubleshooting the network, an engineer identifies that asymmetric packet flows are NOT using theright interfaces on the return path to the client.

Which NetScaler setting must be enabled to avoid this behavior?

A. Layer 3 ModeB. Layer 2 ModeC. Direct Route AdvertisementD. MAC-based forwarding (MBF)

Correct Answer: DSection: (none)Explanation


QUESTION 4What is the purpose of the SSL Certificate Authority (CA) root certificate during an SSL connection?

A. SSL Cipher ExchangeB. Session Key ExchangeC. Pre Shared Master Secret GenerationD. Server Certificate Signature Verification

Correct Answer: ASection: (none)Explanation


QUESTION 5Which two options could a NetScaler Engineer configure to ensure that a revoked client certificateCANNOT be used for a client certificate authentication? (Choose two.)


A. Server Name Indication (SNI)B. Certificate Revocation List (CRL)C. Certificate Signing Request (CSR)D. Online Certification Status Protocol (OCSP)

Correct Answer: BDSection: (none)Explanation


QUESTION 6Scenario: A NetScaler Engineer is using the DataStream feature. The NetScaler appliance is located infront of a MySQL Database server in the network topology.

The engineer would like to block requests that would drop a database. The engineer comes up with theexpression MYSQL.REQ.QUERY.TEXT.CONTAINS("drop database").

The engineer should configure the expression with the ___________ feature to block these requests.(Choose the option to complete the sentence.)

A. ResponderB. Rate LimitingC. Content FilteringD. Access Control List



QUESTION 7

A NetScaler Engineer has created a new custom user monitor script and needs to place it in the NetScalerfilesystem for use.

Where must the engineer place the custom script so that it is available for use?

A. /nsconfig/monitorsB. /netscaler/monitorsC. /var/nstemp/monitorsD. /netscaler/monitors/perl_mod



QUESTION 8Which setting would a NetScaler Engineer disable in order to stop the NetScaler from acting as a router fornon-NetScaler owned IP addresses or entities?

A. Layer 2 modeB. Layer 3 modeC. MAC-based forwardingD. Use Subnet IP (USNIP)



QUESTION 9Scenario: A NetScaler Engineer recently enabled the HTTP Compression feature. In reviewing the HTTPcompression statistics, the engineer notices that content from all HTTP virtual servers created prior toenabling the compression feature is NOT being compressed.

What should the engineer do to allow compression for any pre-existing HTTP virtual servers?

A. Recreate the HTTP virtual servers.B. Recreate any existing compression policies.C. Enable compression on the associated bound services.D. Ensure 'Allow Server side compression' is unchecked on the NetScaler.



QUESTION 10In a high-availability (HA) configuration, a NetScaler Engineer notices that the HA Synchronization statusshows as failed.

What could be causing the HA Synchronization to fail?

A. Port 3003 is being blockedB. Port 3009 is being blocked

C. The RPC passwords are incorrectD. The nsroot passwords are incorrect



QUESTION 11Scenario: An organization has a fair usage policy that limits each customer to a maximum of five activeconnections in any given second. A NetScaler Engineer is given the task of implementing the requirementsto enforce a policy using the Rate Limiting feature on NetScaler.

Which commands should the network engineer execute to create a proper selector and limit identifier thatfulfills the policy requirement?

A. add stream selector API_selector CLIENT.IP.SRCadd ns limitIdentifier API_limitidf -threshold 5 -mode CONNECTION -timeslice 1000 - selectorNameAPI_selector

B. add stream selector API_selector HTTP.REQ.URLadd ns limitIdentifier API_limitidf -threshold 5 -mode CONNECTION -timeslice 1000 - selectorNameAPI_selector

C. add stream selector API_selector HTTP.REQ.URLadd ns limitidentifier limit_req -mode request_rate -limitType smooth -timeslice 1000 - Threshold 5 -selectorName API_selector

D. add stream selector API_selector CLIENT.IP.SRCadd ns limitidentifier limit_req -mode request_rate -limitType smooth -timeslice 1000 - Threshold 5 -selectorName API_selector



QUESTION 12A network engineer needs to prevent too many simultaneous HTTP requests that can cause a Denial OfService (DDoS). What could the engineer enable to prevent too many simultaneous HTTP requests?

A. Rate LimitingB. SureConnectC. Priority QueuingD. Authorization Policy



QUESTION 13Scenario: A network engineer created an IPv6 virtual server on the NetScaler. The virtual server is using aservice group with two IPv4 servers bound to it. When testing access to the virtual server from a clientconfigured with an IPv6 address, he is unable to connect.

What could be the reason for this issue?

A. The NetScaler is disabled for NAT.B. IPv6 protocol translation is disabled.C. An IPv6 address on the NetScaler is not bound to the VLAN.D. The NetScaler does not have an INAT rule to convert IPv4 to IPv6 from the back-end servers.

Correct Answer: BSection: (none)Explanation


QUESTION 14What should a network engineer do to prevent unauthorized users from using the root user account?

A. Reset the nsroot account.B. Change the nsroot password.C. Create an authorization policy.D. Bind a policy to the root user account.


Explanation/Reference:Changing the Password of the Default User Account

The default user account provides complete access to all features of the Citrix SDX appliance. Therefore,to preserve security, the nsroot account should be used only when necessary, and only individuals whoseduties require full access should know the password for the nsroot account. Citrix recommends changingthe nsroot password frequently. If you lose the password, you can reset the password to the default byreverting the appliance settings to factory defaults.You can change the password of the default user account in the Users pane. In the Users pane, you canview the following details:Name Lists the user accounts configured on the SDX appliance. Permission Displays the permission levelassigned to the user account.To change the password of the default user account On the Configuration tab, in the navigation pane,expand System, and then click Users. In the Users pane, click the default user account, and then clickModify. In the Modify System User dialog box, in Password and Confirm Password, enter the password ofyour choice.Click OK.

QUESTION 15Scenario: A NetScaler Engineer connected a new NetScaler MPX appliance to the network. However,some of the interfaces were blocked on the uplink switch. The engineer needs to perform a network packettrace on the NetScaler appliance. For troubleshooting purposes, the engineer needs to separate trace filesfor each interface. The engineer executed the following command from the NetScaler CLI:

start nstrace -perNIC ENABLED

However, NetScaler created a single trace file.

What should the engineer do to produce separate trace files for each interface?

A. Specify the nodes parameter.B. Use the nsconmsg command.C. Specify the tcpdump parameter.D. Use the nstracemerge.sh command.

Correct Answer: CSection: (none)

Explanation


QUESTION 16Scenario: A NetScaler Engineer is configuring a new system with connected interfaces 10/1 - 10/4 and runsthe following commands:

add ip 10.10.10.1 255.255.255.0 -type snip

add vlan 10

bind vlan 10 -ifnum 10/1

On which interface(s) will subnet 10.10.10.1 respond to requests?

A. Only interface 10/1B. Interfaces on VLAN 10C. Only interfaces on VLAN 1D. Interfaces 10/1 through 10/4



QUESTION 17Which tool could a NetScaler Engineer use to monitor client-side rendering times for a Web application thatis load-balanced by NetScaler?

A. TcpdumpB. Insight CenterC. Command CenterD. NetScaler Dashboard



QUESTION 18A NetScaler Engineer needs to audit extended Access Control List (ACL) hits.

Which two areas would the engineer enable logging so that the ACL hits could be stored in the /var/log/ns.log? (Choose two.)

A. The ACLB. The syslogActionC. The nslog parametersD. The syslog parameters

Correct Answer: ADSection: (none)Explanation


QUESTION 19A NetScaler Engineer would like to direct identical requests for the same service to specific cache servers.Which load-balancing method should the engineer use?

A. URL HashB. Domain HashC. Source IP HashD. Source IP Destination IP Hash



QUESTION 20Scenario: A NetScaler Engineer is addressing an issue discovered during a vulnerability scan. The securityteam is requiring that the engineer disable specific SSL ciphers on the SSL VServer.

Which two methods could the engineer use to meet this requirement? (Choose two.)

A. Modify the list of ciphers in the Default cipher group.B. Change the list of bound ciphers on the VServer directly.C. Enable Cipher Redirect on the VServer and configure OCSP.D. Disable SSLv2 Redirect on the VServer and update the CRLs.E. Un-assign the default group, create a custom cipher group and assign it to the VServer.

Correct Answer: BESection: (none)Explanation


QUESTION 21Scenario: A network engineer needs to re-configure the NetScaler to utilize two new VLANs - VLAN2 andVLAN3. VLAN2 is an untagged VLAN and VLAN3 will require a .1q compliant tag. Interface 1/1 is the onlyinterface that will be used on the NetScaler.

How could the engineer configure the NetScaler so that it can communicate with both networks?

A. Change the NSVLAN to 3Add VLAN 2 and bind interface 1/1 as untagged

B. Enable the Tag all VLANs option on interface 1/1.C. Add VLAN2 and bind interface 1/1 as untagged

Add VLAN3 and bind interface 1/1 as taggedD. Add a SNIP for each VLAN

Enable management access on the SNIP for VLAN3



QUESTION 22

Which feature could a Network Engineer configure in order to restrict client connections to a specificbandwidth limit?

A. SpilloverB. Rate LimitingC. SureConnectD. Filter Policies



QUESTION 23Scenario: A NetScaler Engineer is working with a NetScaler appliance that has two network interface cards(NICs). The first NIC is placed on the DMZ network and the second NIC is on the internal network. Thedefault route is configured to the gateway on the internal network. A virtual server is configured on the DMZ-network and the firewall on the DMZ is using network address translation (NAT) to allow external traffic tothe virtual server.

When a user from the Internet attempts to connect to the NAT'd external address, the session neverestablishes. The engineer performs an nstrace and sees that the user's traffic hits the NetScaler. Theengineer then discovers that the problem is an asymmetrical packet flow.

Which two settings could the engineer configure to resolve the issue? (Choose two.)

A. Link load balancing (LLB)B. Policy-based routing (PBR)C. Extended access list (ACL)D. MAC-based forwarding (MBF)E. Reverse network address translation (RNAT)



QUESTION 24A company has an external-facing web application that requires end-to-end encryption and Layer-7functionality.

Which protocol type would an engineer choose for the virtual server and service?

A. SSLB. SSL_TCPC. SSL_PUSHD. SSL_BRIDGE



QUESTION 25

When configuring NetScaler authentication to access a web site, which two things should a networkengineer verify in the environment? (Choose two.)

A. AAA is enabled.B. One DNS server exists.C. A Keytab file is available.D. An authentication virtual server exists.E. A traffic management virtual server exists.



QUESTION 26Scenario: A NetScaler Engineer is viewing Authentication, Authorization and Access (AAA) events on theNetScaler appliance to determine why a user is unable to log on. The events below have been loggedduring this timeframe:

Fri Oct 17 18:17:16 2014/usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[40\]:start_ldap_auth attempting to

auth scottli @ 10.12.33.216

Fri Oct 17 18:17:18 2014

/usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[291\]:recieve_ldap_bind_event receive ldap bind event

Fri Oct 17 18:17:18 2014

/usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[326\]:

recieve_ldap_bind_event ldap_bind with binddn bindpw failed:Invalid credentials Fri Oct 1718:17:18 2014/usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1198\]:send_reject sending reject to kernel for : scottli

What is the root cause of this issue?

A. The LDAP Base DN is incorrect.B. The Bind DN credentials are invalid.C. The LDAP server is NOT responding.D. The user has entered an invalid password.



QUESTION 27Scenario: A NetScaler Engineer has created an SSL virtual server that utilizes SSL services. The engineerneeds to configure certificate authentication from the NetScaler to the backend web services.


What should the engineer do to meet the requirements outlined in the scenario?

A. Bind a CA Certificate to the SSL Services.B. Bind a Client Certificate to the SSL Services.C. Create an SSL policy to present the Client Certificate to the web services.D. Enable Client Authentication and set Client Certificate to mandatory on the virtual server.



QUESTION 28A NetScaler Engineer created an HTTP service and did NOT bind any monitors to the service.

Which monitor will the NetScaler automatically bind to the HTTP service?

A. tcpB. httpC. tcp-ecvD. http-ecvE. tcp-defaultF. ping-default

Correct Answer: ESection: (none)Explanation


QUESTION 29A NetScaler Engineer plans to deploy a third-party application that will perform scheduled configurationauditing by using NITRO API with a REST interface.

Which management protocol should the engineer enable to allow NITRO API access?

A. SSHB. HTTPC. TelnetD. SNMP



QUESTION 30

A NetScaler implementation is experiencing intermittent network issues, specifically regarding traffic to aback-end service associated with IP address 10.10.1.86. Which command should a network engineerexecute to generate diagnostic information to investigate this issue?

A. traceroute 10.10.1.86B. show run | grep 10.10.1.86C. nstcpdump.sh host 10.10.1.86D. show service 10.10.1.86 -summary


Explanation/Reference:In my labThe command must be performed from the shell

QUESTION 31A network engineer notes that a high availability pair (HA) is NOT synchronizing correctly and decides toopen a ticket with Citrix Support.

When opening the new ticket with Citrix Support, the engineer should run show __________ and__________. (Choose the set of options to complete the sentence.)

A. ha node; provide any public IP addresses listedB. ha node; provide the hello and dead interval dataC. techsupport on the primary device; send the output to Citrix SupportD. techsupport on both the primary and secondary devices; send the output to Citrix support



QUESTION 32Which troubleshooting tool will show policy hits and verify that a policy expression is being invoked?

A. nspepiB. nsapimgrC. nstrace.shD. nsconmsg



QUESTION 33Scenario: A NetScaler engineer configured a service and server for RADIUS authentication. To ensure thatthe RADIUS service is available and responding to authentication requests, the engineer has added theNetScaler built-in monitor to the service. On inspecting the RADIUS service the engineer notices it ismarked as DOWN.

What could be causing this issue?

A. The built-in monitor has been changed.B. RADIUS accounting must be enabled under the server.C. There is no built-in monitor available to monitor RADIUS.D. The NetScaler-owned IP address has not been added to the RADIUS database.



QUESTION 34Scenario: A NetScaler Engineer has configured COOKIEINSERT persistence with a timeout value of twominutes on an SSL LBvServer. The idle time requirement for the application itself CANNOT be determined.Users report connections are intermittent. Once a session is disconnected, a user must re-authenticate inorder to regain access. In order to this issue, the engineer should set persistence to __________ with atimeout of __________ minutes. (Choose the set of options to complete the sentence.)

A. SOURCEIP; twoB. SSLSESSION; tenC. SRCIPDESTIP; twoD. COOKIEINSERT; zero



QUESTION 35Which command must an engineer use to run a cluster with less than (n/2+1) number nodes online?

A. add cluster <node> -quorumType MajorityB. add cluster instance <name> -quorum NoneC. add cluster instance <clid> -quorumType NoneD. add cluster instance <clid> -quorumType Majority



QUESTION 36Scenario: A NetScaler Engineer has discovered that the object home.php is NOT found in the cache on thesystem.

Below is the relevant configuration:

add cache contentGroup cache_content_group_1 -relExpiry 0

add cache policy cache_pol_1 -rule "http.REQ.URL.CONTAINS(\"home.php\")" -action MAY_CACHE -storeInGroup cache_content_group_1

add cache policy cache_pol_2 -rule "http.REQ.METHOD.EQ(\"GET\")" -action NOCACHE

add cache policy cache_pol_3 -rule "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS" -action CACHEbind cache global cache_pol_1 -priority 90 -gotoPriorityExpression END -type REQ_OVERRIDE

bind cache global cache_pol_2 -priority 100 -gotoPriorityExpression END -type REQ_OVERRIDE

bind cache global cache_pol_3 -priority 100 -gotoPriorityExpression END -type RES_OVERRIDE

The data from the client and the server are as following:

GET /home.php HTTP/1.1

Host: www.website.com

User-Agent: Mozilla Firefox/3.0.3

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Date: Thu, 09 Oct 2014 18:25:00 GMT

Cookie: sessionid=100xyz

HTTP/1.1 200 OK

Date: Thu, 09 Oct 2014 18:25:00 GMT

Server: Apache/2.2.3 (Fedora)

Last-Modified: Wed, 09 Jul 2014 21:55:36 GMT

ETag: "27db3c-12ce-5e52a600"

Accept-Ranges: bytes

Cache-Control: private, max-age=0

Set-Cookie: sessionid=100xyz; expires=Thu, 09-Oct-2014 18:30:00 GMT; path=/ Content-Length: 119

Connection: close

Content-Type: text/html; charset=UTF-8

Why does the object NOT persist in the cache?

A. The request is a GET request.B. The response has Set-Cookie.C. The content group is missing a cache selector.D. The content group has been configured with relExpiry 0.



QUESTION 37A NetScaler Engineer created an SSL virtual server but the status is showing as state DOWN.

What could be causing the virtual server to show as state DOWN?

A. The virtual server is configured for port 444.B. HTTP services are used instead of HTTPS services.C. The SSL certificate is NOT bound to the virtual server.D. The certificate bound to the virtual server has a private key of 512-bits.



QUESTION 38Scenario: A NetScaler Engineer needs to enable access to a load-balancing virtual server from twocustomers that belong to different VLANs, VLAN500 and VLAN600. Each customer must access theservices and servers specific to their VLAN and should never be able to reach another customer service orservers.

Traffic Domain (TD) 1 has been created for VLAN500 and Traffic Domain (TD) 2 for VLAN600. Load-balancing services have also been created for each server on TD1 and TD2. The TD for the virtual server isTD 3 and IP address 172.10.0.30. In order to complete this setup, the engineer should create a load-balancing virtual server with IP 172.10.0.30 on TD 3 and use __________. (Choose the option to completethe sentence.)

A. TD2 services as a backup virtual serverB. TD1 and TD2 services on one virtual serverC. TD1 and TD2 services on two virtual serversD. TD1 on one virtual server and TD2 on second



QUESTION 39Scenario: A NetScaler Engineer has the following set in the Global Server Load Balancing (GSLB)configuration:

set gslb site SiteB -triggerMonitor MEPDOWN

How does this influence the default service monitoring behavior on the remote site?

A. The service monitor will take precedence over MEP.B. The state of the GSLB service will always be controlled by MEP.C. The service monitor is invoked only when MEP has marked the service as down for any reason.D. The service monitor is invoked only when MEP connectivity has been lost between SiteA and SiteB.



QUESTION 40Scenario: A NetScaler appliance currently has a manually configured channel containing four interfaces;however, the engineer has been told that the NetScaler must now only use a single interface for thisnetwork. The engineer removes the channel and immediately notices a decrease in network performance.

How could the engineer resolve this issue?

A. Reset the unused interfacesB. Disable the unused interfacesC. Enable flow control on all interfacesD. Disable HA monitoring on the three interfaces that are no longer required



QUESTION 41Which two of the listed statements are true about Access Control Lists (ACLs) on the NetScaler? (Choosetwo.)

A. Extended ACLs may BRIDGE traffic.B. Simple ACLs are bound on ALL interfaces.C. Extended ACLs are evaluated after creation.D. Simple ACLs are processed after Extended ACLs.

Correct Answer: ABSection: (none)Explanation


QUESTION 42Scenario: A NetScaler Engineer must implement load-balancing on a web server farm that serves videoclips to end users. Video clip files vary in size. The engineer needs to send traffic to the server with the leastamount of network utilization.

Which load-balancing method should the engineer use?

A. Least RequestB. Least BandwidthC. Least ConnectionD. Least Response Time



QUESTION 43Scenario: A Network Engineer needs to provide a solution for mobile users who use devices that do NOTsupport basic access authentication.

Which three steps should be included as part of the engineer's plan to implement this requirement usingNetScaler? (Choose three.)

A. Configure an OCSP responder.B. Create an authentication VServer.C. Configure a Pre-Authentication policy.D. Create an LDAP authentication policy and bind it to the authentication server.E. Enable and configure the authentication option on a VServer to use 401-based authentication.F. Enable and configure the Authentication option on a load balancing VServer to use form- based

authentication.

Correct Answer: BDFSection: (none)Explanation


QUESTION 44A network engineer wants to configure a NetScaler for load balancing Voice over IP traffic (VoIP).

Which hash method is the best fit for VoIP traffic?

A. Call IDB. Source IPC. Destination IPD. Domain name



QUESTION 45A company has a new CEO and wants to update their website with the new CEO's name.

What could the engineer do on the website while this modification is being made?

A. Insert the new name on the header requests using Rewrite policies.B. Hide the current name on the header request using Rewrite policies.

C. Delete the current name on the body response using Rewrite policies.D. Replace the current name on the body response using Rewrite policies.



QUESTION 46What is the key benefit to enabling Session Reuse on an SSL offload VServer?

A. The number of HTTP requests to the backend services are decreased.B. Resumed SSL sessions are more secure than sessions that require renegotiation.C. Reusing existing sessions decreases the number of TCP connections made to backend services.D. A partial SSL handshake is sent over the existing SSL connection, reducing CPU and bandwidth usage.




QUESTION 47A NetScaler Engineer needs an SNMP alert to be sent when CPU utilization is 90% or higher on aNetScaler instance.

Which two steps must the engineer take to configure the SNMP alert? (Choose two.)

A. Enable SNMP trap logging.B. Add an SNMP trap destination.C. Set an SNMP community string.D. Set the CPU-USAGE alarm thresholds.E. Add an SNMP manger to poll the instance.



QUESTION 48A network engineer might choose to use SSL_Bridge instead of a SSL virtual server in order to__________. (Choose the option to complete the sentence.)

A. be able to decrypt the SSL trafficB. enable use of OCSP for revoked certificatesC. pass user certificates to the back-end serversD. enable SSL server certificates on the service group



QUESTION 49Scenario: A company has three HTTP servers that are load balanced using NetScaler. When usersconnect to the HTTP application they often receive inconsistent data or are advised that they need to log onagain. Which step should the engineer take to correct this?

A. Remove Down State Flush.B. Change the idle timeout value for the service.C. Configure persistence with appropriate timeouts.D. Change the global TCP Client Idle Time-Out value.



QUESTION 50Scenario: A NetScaler Engineer is using the following policy to forward traffic when performing contentswitching:

add cs action cs1_act -targetVserverExpr "HTTP.REQ.HOSTNAME"

add cs policy cs1_switch_policy -rule true -action cs1_act

bind cs vserver CS1-VIP -policyName cs1_switch_policy -priority 10

In order to make sure the policy works correctly, the engineer must name the __________ to match thehostname. (Choose the option to complete the sentence.)

A. load-balancing serversB. load-balancing servicesC. load-balancing virtual serversD. content-switching virtual server



QUESTION 51Scenario: A NetScaler Engineer configures COOKIEINSERT persistence method for an HTTP VServernamed 'myApp'. Many clients do NOT allow the persistence cookie to be set and application sessions failas a result. All clients are behind a network address translation (NAT) gateway, which will insert the client IPaddress into an HTTP header called X-Forwarded-For.

Which command could the engineer execute to provide persistence for clients while still distributing therequests across the bound services?

A. set lb vserver myApp -persistenceType SOURCEIPB. set lb vserver myApp -persistenceType NONE -lbmethod SRCIPDESTIPHASH

C. set lb vserver myApp -persistenceType COOKIEINSERT -timeout 0 -cookieName X- Forwarded-ForD. set lb vserver myApp -persistenceType NONE -lb method TOKEN -rule "HTTP.REQ.HEADER(\"X-

Forwarded-For\").VALUE(0)



QUESTION 52A network engineer needs to upgrade both appliances of a High Availability (HA) pair.

In which order should the network engineer upgrade the appliances?

A. Disable high availability and upgrade one node at a time.B. Upgrade the primary node first without disabling high availability.C. Upgrade the secondary node first without disabling high availability.D. Perform the upgrade simultaneously without disabling high availability.



QUESTION 53In order to configure integrated cache, a NetScaler Engineer would need to reboot the NetScaler when theintegrated caching feature is __________ and cache memory limit is set to __________. (Choose the set ofoptions to complete the sentence.)

A. enabled; zeroB. disabled; zeroC. enabled; non-zeroD. disabled; non-zero



QUESTION 54Scenario: A NetScaler appliance currently has a manually configured channel containing four interfaces;however, the engineer has been told that the NetScaler must now only use a single interface for thisnetwork. The engineer removes the channel and immediately notices a decrease in network performance.

How could the engineer resolve this issue?

A. Reset the unused interfacesB. Disable the unused interfacesC. Enable flow control on all interfacesD. Disable HA monitoring on the three interfaces that are no longer required



QUESTION 55A NetScaler Engineer needs to gather information from a NetScaler VPX before allocating the platformlicense.

Which shell command could the engineer use to gather the needed information?

A. lmutil lmhostid -userB. lmutil lmhostid -etherC. lmutil lmhostid -internetD. lmutil lmhostid -hostname



QUESTION 56Scenario: A NetScaler Engineer has configured a virtual server as follows:

set lb vserver web_vserver -redirectURL http://www.external.hosting.com -backupVServer maint_vserver

The virtual server web_vserver is marked as DOWN; maint_vserver is marked as UP.

The following request is sent to the web_vserver:

GET /path/query HTTP/1.1

What would happen to this request?

A. Redirected to http://www.external.hosting.comB. Forwarded to the backup server, ignoring the queryC. Forwarded to the backup server, preserving the queryD. Redirected to http://www.external.hosting.com/path/query



QUESTION 57Scenario: A NetScaler Engineer is configuring LACP (Link Aggregation Configuration Protocol) on theNetScaler. The engineer adds interface 10/3 and 10/4 to LA/1 (which already contains interfaces 10/1 and10/2) and is configured for VLAN 500.

VLAN 100 is bound to interface 10/3 and VLAN 200 is bound to interface 10/4.

VLAN 500 is bound to channel LA/1.

Which VLAN is shown with a "show interface" command for interface 10/3?

A. 1B. 100C. 200

D. 500



QUESTION 58Scenario: The NetScaler has connections to a large number of VPNs. The network engineer wants tominimize the number of ARP requests.

Which feature should the network engineer enable to minimize ARP requests?

A. TCP BufferingB. Use Source IPC. Edge ConfigurationD. MAC based forwarding



QUESTION 59A NetScaler Engineer has installed Command Center, Insight Center, Web Logging and an IntegrationPack for System Center.

Which tool would be appropriate to see client-side rendering times?

A. Web LoggingB. Insight CenterC. Command CenterD. Integration Pack for System Center



QUESTION 60An engineer has two NetScaler devices in two different datacenters and wants to create a high availability(HA) pair with the two devices, even though they are on two different subnets.

How can the engineer configure the HA Pair between the two NetScaler devices?

A. Configure StaySecondary on the second datacenter appliance.B. Ensure that INC mode is enabled during the creation of the HA Pair.C. Enable the HAMonitors on all interfaces after the HA Pair has been created.D. Change the NSIP of the second appliance to be on the same subnet as the first appliance.



QUESTION 61Scenario: Users complain that they are NOT able to connect to a web site using the IP address. Therelevant portion of the configuration is shown below:

add ssl profile srv-web -sessReuse ENABLED -sessTimeout 120 -tls11 DISABLED -tls12 DISABLED -strictCAChecks YES

add service svc-web 192.168.1.3 HTTP 80

add lb vserver srv-web SSL 192.168.1.22 443 -persistenceType NONE -cltTimeout 180

bind lb vserver srv-web svc-web

set ssl vserver srv-web -eRSA DISABLED -clientAuth ENABLED -clientCert Optional -tls11 DISABLED -tls12 DISABLED -SNIEnable ENABLED

add ssl policy svc-web -rule true -action NOOP

bind ssl vserver srv-web -certkeyName WebCert -SNICert

bind ssl vserver srv-web -policyName svc-web -priority 100

What is the likely cause of the connectivity issue?

A. SSL policy is incorrect.B. Client Authentication is enabled.C. Server Name Indication is enabled.D. Load Balancing persistence is set to NONE.



QUESTION 62Which command would an engineer run to deny access to destination port 103 from a host with an IPaddress of 10.0.1.1?

A. add ns acl rule1 DENY -srcIP 10.0.1.1 -srcPort 103 -TTL 600B. add ns acl rule1 DENY -srcIP 10.0.1.1 -srcPort 103 -protocol TCPC. add ns acl rule1 DENY -srcport 103 -destIP 10.0.1.1 -protocol TCPD. add ns simpleacl rule1 DENY -srcIP 10.0.1.1 -destport 103 -protocol TCP



QUESTION 63A network engineer selected the option on a SSL certificate to provide notification upon expiration of thecertificate; however when a certificate expires, NO notification is sent to the engineer. Which step could theengineer take to enable notification?

A. Configure SNMP.

B. Create a SSL policy.C. Enable the SSL offload feature.D. Ensure that the certificate is linked to a Root certificate.



QUESTION 64An end user is receiving authentication errors when accessing a load-balancing virtual server that usesAuthentication, Authorization and Access (AAA)-TM.

Which shell command should a NetScaler Engineer execute to show AAA events in real time to helpdiagnose this issue?

A. tail /tmp/aaad.debugB. cat /tmp/aaad.debugC. grep aaa /tmp/nskrb.debugD. egrep aaa /tmp/pitboss.debug



QUESTION 65On a load-balancing virtual server with multiple bound services, Redirect URL will be invoked when__________. (Choose the phrase to complete the sentence.)

A. a backup virtual server has been configuredB. Health Based Spillover has been configuredC. one of the bound services is marked as DOWND. the load-balancing virtual server is marked as DOWN



QUESTION 66Which two authentication types on the NetScaler support password changes? (Choose two.)

A. TACACS+B. LDAP (TLS)C. LDAP (SSL)D. RADIUS (PAP)E. LDAP (PLAINTEXT)F. RADIUS (MSCHAPv2)

Correct Answer: BCSection: (none)Explanation


QUESTION 67Scenario: A NetScaler Engineer has a high-availability (HA) pair of NetScaler MPX devices (NS1 and NS2)connected on interfaces 0/1, 1/1 and 1/2. NS1 is currently the primary unit. Fail-safe mode is NOT enabled.High-availability monitor is enabled on all the connected interfaces. The engineer sees the following line inthe output of his "show node" command from the command-line interface:

Interfaces on which heartbeats are not seen: 1/1 1/2

Interfaces causing Partial Failure: None

What will happen if the 0/1 interface fails?

A. NS1 and NS2 will both become primary.B. NS2 will fail and NS1 will remain primary.C. NS1 will fail and NS2 will become primary.D. NS1 and NS2 will both fail and become secondary.



QUESTION 68Which command will allow an engineer to change the NetScaler IP (NSIP) from the command-lineinterface?

A. add ns ip 10.100.10.100 255.255.255.0 -type SNIPB. add ns ip 10.100.10.100 255.255.255.0 -type NSIPC. set ns config -ipaddress 10.100.10.100 -netmask 255.255.255.0D. set ns ip 10.100.10.100 -netmask 255.255.255.0 -mgmtaccess enabled



QUESTION 69The network engineer would like all HTTP and HTTPS requests that travel through the NetScaler to havean HTTP header added with the source IP address for logging on the web servers.

How should the network engineer accomplish this?

A. Enable Web LoggingB. Enable the client IP optionC. Configure the TCP ParametersD. Enable the 'Use Source IP mode'



Enabling Use Source IP ModeWhen the NetScaler appliance communicates with the physical servers or peer devices, by default, it usesone of its own IP addresses as the source IP. The appliance maintains a pool of mapped IP addresses(MIPs) and subnet IP addresses (SNIPs), and selects an IP address from this pool to use as the source IPaddress for a connection to the physical server. The decision of whether to select a MIP or a SNIP dependson the subnet in which the physical server resides.If necessary, you can configure the NetScaler appliance to use the client's IP address as source IP. Someapplications need the actual IP address of the client. The following use cases are a few examples:Client's IP address in the web access log is used for billing purposes or usage analysis. Client's IP addressis used to determine the country of origin of the client or the originating ISP of the client. For example, manysearch engines such as Goggle provide content relevant to the location to which the user belongs. Theapplication must know the client's IP address to verify that the request is from a trustworthy source.Sometimes, even though an application server does not need the client's IP address, a firewall placedbetween the application server and the NetScaler may need the client's IP address for filtering the traffic.Enable Use Source IP mode (USIP) mode if you want NetScaler to use the client's IP address forcommunication with the servers. By default, USIP mode is disabled. USIP mode can be enabled globally onthe NetScaler or on a specific service. If you enable it globally, USIP is enabled by default for allsubsequently created services. If you enable USIP for a specific service, the client's IP address is used onlyfor the traffic directed to that service.As an alternative to USIP mode, you have the option of inserting the client's IP address (CIP) in the requestheader of the server-side connection for an application server that needs the client's IP address.In earlier NetScaler releases, USIP mode had the following source-port options for server- sideconnections:Use the client's port. With this option, connections cannot be reused. For every request from the client, anew connection is made with the physical server. Use proxy port. With this option, connection reuse ispossible for all requests from the same client. Before NetScaler release 8.1 this option imposed a limit of64000 concurrent connections for all server-side connections.In the later NetScaler releases , if USIP is enabled, the default is to use a proxy port for server-sideconnections and not reuse connections. Not reusing connections may not affect the speed of establishingconnections.By default, the Use Proxy Port option is enabled if the USIP mode is enabled. For more information aboutthe Use Proxy Port option, see Using the Client Port When Connecting to the Server.Note: If you enable the USIP mode, it is recommended to enable the Use Proxy Port option.

The following figure shows how the NetScaler uses IP addresses in USIP mode.

IP Addressing in USIP Mode

Recommended UsageEnable USIP in the following situations:Load balancing of Intrusion Detection System (IDS) servers Stateless connection failoverSessionless load balancingIf you use the Direct Server Return (DSR) modeNote: When USIP is required in the one-arm mode installation of the NetScaler appliance, make sure thatthe server's gateway is one of the IP addresses owned by the NetScaler. For more information aboutNetScaler owned IP addresses, see Configuring NetScaler owned IP addresses.If you enable USIP, set the idle timeout for server connections to a value lower than the default value, sothat idle connections are cleared quickly on the server side. For more information about setting an idle time-out value, see "Load Balancing" chapter of the Citrix NetScalerTraffic Management Guide at http://support.citrix.com/article/CTX132359. For transparent cacheredirection, if you enable USIP, enable L2CONN also. Because HTTP connections are not reused whenUSIP is enabled, a large number of server-side connections may accumulate. Idle server connections canblock connections for other clients. Therefore, set limits on maximum number of connections to a service.Citrix also recommends setting the HTTP server time-out value, for a service on which USIP is enabled, toa value lower than the default, so that idle connections are cleared quickly on the server side.To globally enable or disable USIP mode by using the NetScaler command line At the NetScaler commandprompt, type one of the following commands:Enable ns mode usipDisable ns mode usipTo enable USIP mode for a service by using the NetScaler command line At the NetScaler commandprompt, type:Set service <ServiceName> -usip (YES | NO)ExampleSet service Service-HTTP-1 -usip YESTo globally enable or disable USIP mode by using the configuration utility In the navigation pane, expandSystem and click Settings. On the Settings page, under Modes and Features, click Configure modes. In theConfigure Modes dialog box, do one of the following:To enable Use Source IP mode, select the Use Source IP check box. To disable Use Source IP mode,clear the Use Source IP check box.Click OK.In the Enable/Disable Feature(s)? dialog box, click Yes. To enable USIP mode for a service by using theconfiguration utility In the navigation pane, expand Load Balancing, and then click Services. In the detailspane, select the service for which you want to enable the USIP mode, and then click Open.In the Configure Service dialog box, click the Advanced tab. Under Settings, select the Use Source IPcheck box.Click OK

QUESTION 70Scenario: A NetScaler Engineer has enabled the HTTP Compression feature on an existing productionNetScaler. The engineer is using the built-in policies. The engineer reviews the HTTP Compressionstatistics but does NOT see any compression statistic data.

What is the likely reason?

A. SSL protocol is being used for encryption.B. The Compression Policy engine is set to default.C. "Allow Server side compression" is checked on the NetScaler.D. Responses with the Content-Length or Chunked header are being sent from the server.



QUESTION 71Scenario: The marketing department would like a short URL to use for a product launch that will redirectusers to the product information page on the company's website. The marketing URL they require is http://www.turboappliances.com/prima. It should redirect the user to http://www.turboappliances.com/products/solutions/primaversion1234.html.

Which NetScaler command should a NetScaler Engineer run in order to meet the requirements of thescenario?

A. add responder action MarketingURL redirect"\"http://www.turboappliances.com/products/solutions/primaversion1234.html\""

B. add rewrite action MarketingURL4 replace_http_res "\"http://www.turboappliances.com/products/solutions/primaversion1234.html\""

C. add rewrite action MarketingURL1 insert_http_header Location "\"http://www.turboappliances.com/products/solutions/primaversion1234.html\""

D. add transform action MarketingURL2 -priority 100 -reqUrlFrom www.turboappliances.com/ -reqUrlInto"http://www.turboappliances.com/products/solutions/primaversion1234.html"



QUESTION 72Scenario: An application that uses HTTP for connections and other protocols for different types of contenthas been deployed. Load balancing virtual servers have been created for each protocol and the engineernow needs to ensure that once a load balancing decision has occurred, further requests for differentcontent are served from the same server.

How could the engineer achieve this?

A. Create a persistency group.B. Set the Spillover method to DYNAMICCONNECTION.C. Add a new virtual server for each protocol that is not directly addressable.D. Set each virtual server to use Source IP Hash as the load balancing method.


Explanation/Reference:SummaryA Web application may use HTTP and HTTPS in the same session. This article describes the configurationnecessary to ensure persistence is maintained across both HTTP and HTTPS connections.BackgroundThe NetScaler allows us to configure persistency groups to accommodate exactly such a need. A practicalexample of this might be a shopping cart where items are browsed over HTTP, but purchased over HTTPS.

If persistency were not maintained, it's possible the shopping cart might be lost, the user logged out, orother adverse actions. By using persistency groups, the HTTP and HTTPS vServers are grouped togetherinto one persistent entity.ProcedureFrom the GUI:1. Click and expand the Load Balancing node.2. Click Persistency Groups.3. Click Add.4. Populate the Group Name field.5. Choose between COOKIEINSERT, SOURCEIP or RULE from the Persistence dropdown and configurea timeout.6. Choose a backup persistence method if desired.7. Select the vServers to be grouped from the Available Virtual Servers list.8. Click Add to move the vServers from the available list to the configured list.From the command line interface (CLI):Issue the following commands:1. bind lb group <name of group> <vserver 1>2. bind lb group <name of group> <vserver 2>3. ....4. set lb group <name of group> -persistenceType <persistence method> - persistenceBackup <backuppersistence method>

QUESTION 73Scenario: A network engineer is going to roll out an upgrade from a 9.x version on a standalone NetScalerappliance using the command-line interface.

Which two items does the engineer need to download before proceeding with the upgrade? (Choose two.)

A. SSL Certificates FilesB. NetScaler Firmware FileC. NetScaler Configuration fileD. NetScaler Documentation File



QUESTION 74On a NetScaler system, the __________ timeout value will mark any session that has reached the idletimeout for cleanup. (Choose the option to complete the sentence.)

A. ClientB. ServerC. ZombieD. NATPCB



QUESTION 75Scenario: A NetScaler Engineer is troubleshooting a high-availability issue. The engineer needs todetermine if the port being used by the high-availability heartbeats is blocked.

Which port is used by high-availability heartbeats?

A. 3003B. 3008C. 3010D. 3011




QUESTION 76What is the default load-balancing method?

A. Round RobinB. Source IP HashC. Least ConnectionD. Least Response Time



QUESTION 77Which two NetScaler command-line interface commands could an engineer execute to change TCPWindow Scaling settings on the NetScaler? (Choose two.)

A. set netProfileB. add ns tcpProfileC. unset ns tcpParamD. set ns tcpbufParamE. add autoscale profile



QUESTION 78A NetScaler Engineer is reviewing the performance of a NetScaler appliance and notices that TCPmultiplexing (TCP connection reuse) appears to NOT be working for a virtual server.

What could be the cause of this issue?

A. Compression is enabled on the servicesB. Persistence is enabled on the virtual server

C. HTTP services are bound to the virtual serverD. The virtual server was created as type SSL_BRIDGE



QUESTION 79Which option needs to be set on the service in order to maintain the original client-IP to the backendservice?

A. -cka yesB. -usip yesC. -cip disabledD. -useproxyport yes



QUESTION 80Which type of authentication server could an engineer configure in order to provide the use of RSA tokenauthentication as a permitted authentication method to access a AAA Virtual Server?

A. LDAPB. SAMLC. RADIUSD. Negotiate


Explanation/Reference:http://support.citrix.com/article/CTX127543

This document describes how to configure Access Gateway 5.0 for authentication against an RSA SecurIDAuthentication server. It describes the configuration required in both the Access Gateway and the RSAserver for various deployment topologies.

Within the RSA Authentication Manager console, choose Agent Host > Generate ConfigurationFiles and select for One Agent Host, and choose the Agent Host created in step 1 and save the generatedsdconf.rec file.

If using RSA 7.1Open the RSA Security Console and navigate to Access > Authentication Agents > Add New.Enter the name and IP Address of the Access Gateway, and set Agent type to Standard Agent. Save thisnew agent.

Select Access > Authentication Agents > Generate Configuration File and generate the configuration file.There is no option to generate a configuration file for a single host in RSA 7.1. Save and extract thesdconf.rec from the generated zip file.

Log on to the Access Gateway AdminLogonPoint and go to Authentication Profiles to create an RSAauthentication profile. Browse to the generated sdconf.rec file on your computer to upload it on the

Appliance, and save the profile.

Additional Notes for Creating the Agent Record in RSA. The details entered into the Agent Hostconfiguration are specific, and depend on the deployment configuration of your Access Gateway. Thefollowing are the different deployment methods and the associated configuration within the RSA Agent:Access Gateway is a non-HA deployment in one-arm mode.Network Address: IP address of Access GatewayAccess Gateway is a non-HA deployment in two-arm mode, traffic to the RSA server is through theinterface with the Internal roleNetwork Address: IP address of the interface with the Internal role Access Gateway is a non-HAdeployment in two-arm mode, traffic to the RSA server is through the interface with the External roleNetwork Address: IP address of the interface with the Internal role Secondary Nodes: IP address of theinterface with the External role Access Gateway is in an HA deployment in one-arm mode NetworkAddress: The HA Virtual IP addressSecondary Nodes: The physical IP addresses of both Access Gateways Access Gateway is in an HAdeployment in two-arm mode, traffic to the RSA server is through the interface marked as INTERNALNetwork Address: The HA Internal virtual IP address Secondary Nodes: The physical IP addresses of theinterfaces with the Internal role on both Access GatewaysAccess Gateway is in an HA deployment in two-arm mode, traffic to the RSA server is through the interfacemarked as EXTERNALNetwork Address: The HA Internal virtual IP address Secondary Nodes: The physical IP addresses of theinterfaces with the External role on both Access Gateways*In RSA 7.1 Secondary Nodes have been renamed to Alternate IP Addresses in the Authentication Agentconfiguration.

QUESTION 81The upgrade script copies the updated NetScaler kernel file to the __________ NetScaler directory.(Choose the option to complete the sentence.)

A. /varB. /flashC. /nsconfigD. /flash/boot

Correct Answer: B

Section: (none)Explanation


QUESTION 82Scenario: A NetScaler Engineer is configuring a NetScaler that has three interfaces. The first interface isconnected to the internal network, the second interface is connected to the DMZ1-network, and the thirdinterface is connected to the DMZ2-network.

DMZ1 and DMZ2 networks are behind different firewalls, and both firewalls are sending traffic throughnetwork address translation (NAT) to the DMZ networks.

The default route is to the gateway on the DMZ1-network.

DMZ1: 10.10.10.0/24 (Gateway: 10.10.10.1)

DMZ2: 10.20.20.0/24 (Gateway: 10.20.20.1)Internal: 192.168.0.0/24 (Gateway: 192.168.0.1)

Internet traffic reaches the virtual servers located in DMZ1 but NOT the virtual servers located in DMZ2.

Which policy-based route (PBR) would resolve the issue?

A. add ns pbr PBR1 ALLOW -srcIP = 10.20.20.0-10.20.20.255 -destIP != 10.20.20.0- 10.20.20.255 -nextHop 10.10.10.1 -priority 10

B. add ns pbr PBR1 ALLOW -srcIP != 10.20.20.0-10.20.20.255 -destIP = 10.20.20.0- 10.20.20.255 -nextHop 10.20.20.1 -priority 10

C. add ns pbr PBR1 ALLOW -srcIP = 10.20.20.0-10.20.20.255 -destIP != 10.20.20.0- 10.20.20.255 -nextHop 10.20.20.1 -priority 10

D. add ns pbr PBR1 ALLOW -srcIP != 10.20.20.0-10.20.20.255 -destIP != 10.20.20.0- 10.20.20.255 -nextHop 10.10.10.1 -priority 10



QUESTION 83Server Name Indication (SNI) is required when __________. (Choose the option to complete the sentence.)

A. TLS 1.1/1.2 is enabled exclusivelyB. a SAN extension certificate is usedC. multiple certificates are used on multiple domains on the same VServerD. configuring a content switching SSL VServer with a single domain certificate



QUESTION 84Scenario: A NetScaler Engineer wants to make it easier for the help desk group to access the active nodein a high-availability pair. Members of the help desk group must be able to access the NetScaler in a secureway without being notified of warnings in their web browsers.

Which two of the listed steps must the engineer take to meet the requirements of the scenario? (Choose

two.)

A. Enable management access to the VIP.B. Enable management access to the SNIP.C. Bind a trusted certificate to the internal service.D. Bind the ns-server-certificate to the SNIP to the internal service.E. Create a self-signed certificate on the NetScaler and assign it to the internal service.



QUESTION 85What would a NetScaler Engineer configure to allow internal IPv4 servers on a private subnet access to theexternal Internet through the NetScaler?

A. Link Load Balancing (LLB)B. Network Address Translation 64 (NAT64)C. Inbound Network Address Translation (INAT)D. Reverse network address translation (RNAT)



QUESTION 86When a network engineer logs onto a new NetScaler device in the London datacenter, data output indicatesthat the device is NOT configured for the local time.

How can the network engineer synchronize the time with an NTP server in the local data center?

A. Configure the time from the GUI and restart.B. Modify the ntp.conf and rc.netscaler files and restart.C. Logon using the nsrecover/nsroot credentials and restart.D. Configure the NetScaler as a secondary NTP server and restart.



QUESTION 87A recent security audit has identified that NetScaler management is available on all Subnet IP (SNIP)adresses.

Which step could an engineer take to ensure that these services are only available through the NetScalerIP (NSIP)?

A. Unbind all SNIPs from the NSVLAN.B. Disable the 'GUI' option on all SNIPs.C. Enable the 'Restrict Access' option on all SNIPs.

D. Disable the 'Management Access' option on all SNIPs.



QUESTION 88Which connection state is included in the Current Server Connections parameter, but not affected by MaxClients?

A. OpenB. ListenC. ClosingD. Open Established



QUESTION 89Scenario: A NetScaler Engineer creates a new HTTP VServer using the following command:

add lb vserver lb_test HTTP 172.20.10.85 80 -lbMethod LEASTCONNECTION - persistencetypeCOOKIEINSERT -timeout 0 -authentication ON -cacheable YES

During testing, the engineer notices a cookie named NSC_iuuq2 with a value of:ffffffff020a1d1545525d5f4f58455e445a4a423660What is the purpose of this cookie?

A. It indicates that the client has been authenticated.B. It indicates that the client has NOT been authenticated.C. It is used for persistence, describing only the VServer ID and Service IP.D. It is used for persistence, describing the VServer ID, Service IP and Service Port.



QUESTION 90Scenario: A NetScaler Engineer is troubleshooting an issue and using /var/log/ns.log to view the errors.

The logs are being filled with messages like the ones below:

Oct 6 14:03:23 <local0.info> 192.168.10.50 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK4471 0 : Source 192.168.10.10:52187 - Vserver 192.168.10.50:80 - NatIP 192.168.10.10:52187 -Destination 192.168.10.50:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 -Total_bytes_recv 352

Oct 6 14:03:30 <local0.info> 192.168.10.50 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCPCONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341- Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 -Total_bytes_recv 1

Oct 6 14:03:30 <local0.info> 192.168.10.50 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCPCONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv1

Oct 6 14:03:30 <local0.info> 192.168.10.50 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCPCONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv1

Which option should the engineer modify to stop these types of messages from getting logged in /var/log/ns.log?

A. ACL logging in the nslog parametersB. ACL logging in the syslog parametersC. TCP logging in the nslog parametersD. TCP logging in the syslog parameters



QUESTION 91Which two are HTTP response codes from a successful cache hit by default? (Choose two.)

A. 304B. 500C. 200D. 401

Correct Answer: ACSection: (none)Explanation


QUESTION 92Which outcome does the minify JavaScript option of the Front End Optimization (FEO) feature provide?

A. It will replace characters with shorter names.B. It will change all uppercase letters to lowercase.C. It will remove all comments from the JavaScript.D. It will compress JavaScript with the GZIP algorithm.



QUESTION 93Scenario: A network engineer is managing a NetScaler environment that has two NetScaler devicesrunning as a high availability pair. The engineer must upgrade the current version from NetScaler 9 toNetScaler 10.5.

Which action must the engineer take?

A. Upgrade the primary node and perform HA sync.B. Upgrade the secondary node and then upgrade the primary node.C. Upgrade the primary node and then upgrade the secondary node.D. Break the high availability pair, upgrade each NetScaler device, and then reconfigure high availability.



QUESTION 94Scenario: NetScaler features are NOT licensed. A NetScaler Engineer has checked that the properplatform license file has been uploaded.

Why are the NetScaler features NOT licensed?

A. The features are NOT enabled.B. The NetScaler needs to be restarted.C. The NetScaler initial setup is NOT completed.D. There is no universal license on the NetScaler.



QUESTION 95A network engineer runs the following command:

nsconmsg -K /var/nslog/newnslog -s nsdebug_pe=1 -d oldconmsg

What is the engineer trying to check in the log?

A. Bandwidth informationB. Load-balancing informationC. Content-switching statisticsD. Memory utilization information


Explanation/Reference:http://www.netscalerkb.com/netscaler-tricks-and-guides/nsconmsg- examples/?wap2;PHPSESSID=6bab876c08055dc69f12fb005869478f

Paul B:Some of this probably duplicates my original post.... here's some bits stolen from the Netscaler Advancedcourse.....Enter the following command in the shell to trim a newnslog file:nsconmsg -K input_file -s time=DDMMMYYYY:HH:MM -k output_file -T seconds -d copy Commandexample:nsconmsg -K /var/nslog/newnslog -s time=19Jan2009:17:00 -k slice1_newnslog -T 3600 -d copyThis command writes newnslog entries from 5pm-6pm in the slice1_newnslog file. Enter the followingcommand in the shell to view the time span of the current newnslog file:nsconmsg -K /var/nslog/newnslog -d setime

Enter the following command in the shell to display event information, such as entity up/down, alerts andconfiguration saves:nsconmsg -K /var/nslog/newnslog -d eventEnter the following command in the shell to view console messages, which include IP address conflicts andduplex mismatch, in the current newnslog file:nsconmsg -K /var/nslog/newnslog -d consmsgEnter the following command in the shell to display memory utilization:nsconmsg -s -K /var/nslog/newnslogConMEM=1 -d oldconmsg Enter the following command in the shell todisplay bandwidth information:nsconmsg -K /var/nslog/newnslog -s nsdebug_pe=1 -d oldconmsg Enter the following command in the shellto display load-balancing information:nsconmsg -K /var/nslog/newnslog -s ConLb=1 -d oldconmsg Enter the following command in the shell toview SSL stats for front-end connections:nsconmsg -K /var/nslog/newnslog -s ConSSL=1 -d oldconmsg Enter the following command in the shell toview SSL stats for back-end connections:nsconmsg -K /var/nslog/newnslog -s ConSSL=2 -d oldconmsg Enter the following command in the shell toview SSL stats for front- and back-end connections:nsconmsg -K /var/nslog/newnslog -s ConSSL=3 -d oldconmsg Enter the following command in the shell todisplay monitoring statistics:nsconmsg -K /var/nslog/newnslog s ConMon=x d oldconmsg This command gives basic information whenx=1 and gives detailed information when x=2. Enter the following command in the shell to display contentswitching statistics:nsconmsg -K /var/nslog/newnslog s ConCSW=1 -d oldconmsg Enter the following command in the shell toview all non-zero totals in the current newnslog file:nsconmsg -K /var/nslog/newnslog -d statswt0 | more Enter the following command in the shell to view theaverage rates in the current newnslog file:nsconmsg -K /var/nslog/newnslog d current | more Use -g to grep for specific counters of interest. Forexample:nsconmsg -K /var/nslog/newnslog -g cpu -d statswt0 | more nsconmsg -K /var/nslog/newnslog -g arp dcurrent | more Enter following command in the shell to display CPU usage in the shell:nsconmsg -K /var/nslog/newnslog -s totalcount=200 -g cpu_use -d current Enter the following command inthe shell to display NIC information:nsconmsg -K /var/nslog/newnslog -g nic -d current And watch out for the parameters: a "-k" and a "-K" (lower- vs upper-case) have VERY different meanings!!!!For example the UPPERcase "-K" refers to an input file, whilst the lowercase "-k" refers to an output file.Getting them wring could mean over-writing your log file!!! Ooops!

QUESTION 96Scenario: A company is hosting an external, Internet-facing website that is load balanced by a NetScaler.The backend servers are on a 1 Gbps network and clients connect over 3G connections. The ServerAdministrator reviewed the performance metrics on the backend servers and noticed a lot of overallnetwork retirements and retransmissions.

Which NetScaler feature would help improve the network performance of the backend servers in thisscenario?

A. SureConnectB. CompressionC. TCP BufferingD. Surge Protection



QUESTION 97A network engineer needs to configure Citrix NetScaler to provide Access Gateway services to VLAN 2using interface 1/1 only, while also using interface 1/2 to provide load balancing services to VLAN 3.

How could this result be achieved?

A. Disable static route advertisement.B. Disable layer 2 mode

Create 2 untagged VLANs - VLAN 2 and VLAN 3Bind VLAN 2 to Interface 1/1Bind VLAN 3 to Interface 1/2

C. Enable Layer 3 modeCreate a Channel Interface using Interface 1/1 and 1/2 Create 2 VMACsBind a VMAC to interface 1/1 and 1/2

D. Configure policy-based routing using the Interface option as a filter.



QUESTION 98Scenario: A client connecting to an SSL virtual server receives the following error:

"Invalid Server Certificate The server certificate is invalid. Do you wish to accept this certificate and connectto the server anyway?"

What is a possible cause of this error message?

A. The private key is NOT password-protected.B. The certificate key pair is password-protected.C. The intermediate CA certificate is NOT linked to the server certificate.D. Certificate Revocation Lists (CRLs) have NOT been defined on the NetScaler.



QUESTION 99When would it be necessary to configure Failover Interface Set (FIS) in an environment that has twoNetScaler appliances in high availability (HA) mode?

A. Link redundancy is required.B. Route monitors are required.C. HA monitor is disabled in some interfaces.D. The NetScaler appliances are configured on different networks.



QUESTION 100What is the only input format supported by the NetScaler when using the NetScaler Certificate Importwizard within the configuration utility?

A. JKSB. PEM

C. DERD. PKCS#12



QUESTION 101What does the TCP Buffering feature on the NetScaler accomplish?

A. It enables the TCP options field syn-cookie.B. It optimizes the client and server TCP window size.C. It buffers incoming client connections on the NetScaler.D. It offloads the server response to the NetScaler before delivering it to the client.



QUESTION 102How could a NetScaler Engineer ensure that a content-switching virtual server is marked as DOWN if alltarget load-balancing servers show as DOWN?

A. Specify a monitorB. Enable State UpdateC. Specify a route monitorD. Configure a backup virtual server



QUESTION 103An engineer is checking that ports are configured correctly between the NetScaler system and a back-endweb server. Which command should the engineer use to test that the web server is responding on port 80?

A. telnet webA.example.com 80B. telnet webA.example.com:80C. telnet webA.example.com port=80D. telnet webA.example.com -port 80



QUESTION 104Which two certificate formats are supported when creating a certificate key pair on the NetScaler? (Choosetwo.)

A. PEMB. DERC. PKCS7D. PKCS12



QUESTION 105A network engineer has started at a new company and has been instructed to restrict access to an externalfacing VIP to selected third party clients, based on their source IP address range.

What could the engineer do to accomplish this task?

A. Enable USNIP mode on the Netscaler.B. Enable the host route option on the external VIP.C. Create an Extended ACL based on the source IP address.D. Create a SNIP address in the external VLAN limited to the source IP addresses.



QUESTION 106The Lazy Load action of Front End Optimization (FEO) improves the end-user experience by allowingimages to __________. (Choose the phrase to complete the sentence.)

A. load faster due to compressionB. load images from the bottom of the page and then upward to the topC. NOT load until a user scrolls the page to the location where they are displayedD. load from the local browser cache so it does NOT have to fetch them from the origin server



QUESTION 107Which protocol is responsible for exchanging site metric, network metric, and persistence informationbetween sites using Global Server Load Balancing (GSLB)?

A. SSHB. MEPC. RPCD. NITRO



QUESTION 108While performing some re-cabling, a NetScaler engineer noticed that a power supply unit failed on aNetScaler appliance. What should the engineer enable to receive notification of a future hardware failure?

A. SMTPB. SNMPC. Health monitoringD. EdgeSight monitoring



QUESTION 109Which service setting would a NetScaler Engineer use in the command-line interface to limit connections toserver resources?

A. -maxReqB. -maxClientC. -monThresholdD. -maxBandwidth



QUESTION 110Scenario: An engineer has been asked to implement load balancing of an existing unsecured webapplication. The engineer needs to ensure that users will access the web application using HTTPS, but nochanges can be made to the web servers hosting the web application.

In order to fulfill the requirements, the engineer must create an __________ service group and addmembers with port __________; and bind the service group to an __________ virtual server. (Choose theset of options to complete the sentence.)

A. SSL; 443; SSLB. HTTP; 80; SSLC. SSL; 80; HTTPD. HTTPS; 443; HTTP



QUESTION 111A network engineer has configured two NetScaler MPX appliances as a high availability (HA) pair.

What can the engineer configure to prevent failover if only a single interface fails?

A. FISB. PBRC. SNMPD. VMAC



QUESTION 112What are the supported protocols for management authentication?

A. LOCAL, LDAP, and SAMLB. RADIUS, LDAP and TACACS+C. CERTIFICATE, LDAP and SAMLD. RADIUS, TACACS+ and CERTIFICATE



QUESTION 113Which protocol can be monitored by Insight Center?

A. FTPB. HTTPC. RTSPD. RADIUS



QUESTION 114Which two encryption algorithms are supported on the NetScaler to store the encrypted SSL private keywith a password? (Choose two.)

A. AESB. RC4C. DESD. DES3

Correct Answer: CDSection: (none)Explanation


QUESTION 115Scenario: A pair of NetScaler devices have recently been installed into the corporate DMZ. The Netscalershave been installed in two-arm mode, with two interfaces in a Internet- facing VLAN and two interfaces inthe internal VLAN. A private management subnet also exists.

The NetScaler engineer would like to secure and restrict communication between the management subnetand the SNIP address on that subnet.

Which two actions could the engineer take to help with these goals? (Choose two.)

A. Apply an ACL on the specified SNIP.B. Remove the ACL list to the internal VLAN.C. Remove the NSIP address from the Netscaler.D. Configure the SNIP with the -gui SECUREONLY option.



QUESTION 116Which of the listed options is a simple Access Control List (ACL) attribute?

A. VLAN IDB. Source IP addressC. NetScaler interfaceD. Destination IP address



QUESTION 117A NetScaler Engineer is required to use SNMP v3 on a NetScaler instance and needs to use authenticationand encryption for all SNMP v3 communication.

What are two places where the engineer could set mandatory authentication and encryption? (Choose two.)

A. SNMP trap propertiesB. SNMP user propertiesC. SNMP group propertiesD. SNMP manager properties



QUESTION 118A NetScaler Engineer has created a new monitor using the following command:

add lb monitor mon_inline HTTP-INLINE -respCode 200 302 401 -httpRequest "HEAD /" - interval 10 -reverse YES -secure YES

This monitor adds an HTTP-INLINE monitor __________. (Choose the phrase to complete the sentence.)

A. whose success criteria is an HTTP response code of 200,302,401B. whose success criteria is any HTTP response code OTHER than 200,302,401C. that will probe the Service every 10 seconds over an SSL connection whose success criteria is an HTTP

response code of 200,302,401D. that will probe the Service every 10 seconds over an SSL connection whose success criteria is any

HTTP response code OTHER than 200,302,401



QUESTION 119Scenario: A call center has deployed Access Gateway Enterprise to provide its employees with access towork resources from home. Due to the number of available licenses, only selected employees shouldaccess the environment remotely based on their user account information.

How could the engineer configure access to meet the needs of this scenario?

A. Configure a Pre-authentication Policy.B. Configure an Authentication Server using a search filter.C. Configure an Authentication Policy using Client based expressions.D. Add the selected employee accounts to the Local Authentication policy.


Explanation/Reference:http://support.citrix.com/article/CTX111079

When you type log in credentials on the log in page of the NetScaler VPN and press Enter, the credentialsare sent to the Active Directory for validation. If the user name and password are valid, then the ActiveDirectory sends the user attributes to the NetScaler appliance.The memberOf attribute is one of the attributes that the Active Directory sends to the NetScaler appliance.This attribute contains the group name of which you are defined as a member in the Active Directory. If youare a member of more than one Active Directory group, then multiple memberOf attributes are sent to theNetScaler appliance. The NetScaler appliance then parses this information to determine if the memberOfattribute matches the Search filter parameter set on the appliance. If attribute matches, then you areallowed to log in to the network.The following are the sample attributes that the Active Directory can send to NetScaler appliance:dn: CN=johnd,CN=Users,DC=citrix,DC=comchangetype: addmemberOf: CN=VPNAllowed,OU=support,DC=citrix,DC=comcn: johndgivenName: johnobjectClass: usersAMAccountName: johnd

Configuring a NetScaler Appliance to Extract the Active Directory Group To configure a NetScalerappliance to extract the Active Directory group and enable clients to access the NetScaler VPN based onthe Active Directory groups by using the Lightweight Directory Access Protocol (LDAP) authentication,compete the following procedure:Determine the Active Directory Group that has access permission. To configure the NetScaler appliance forGroup Extraction, you must define the group a user needs to be a member of to allow access to thenetwork resources. Note: To determine that exact syntax, you might need to refer to the TroubleshootingGroup Extraction on the NetScaler appliance section.Determine the Search Filter syntax.

Enter the appropriate syntax in the Search Filter field of the Create Authentication Server dialog box, asshown in the following sample screenshot:

Note: Ensure that you start the value to the Search Filter filed with memberOf= and do not have anyembedded spaces in the value.To configure the LDAP authentication with Group Extractions from the command line interface of theNetScaler appliance with the values similar to the ones in the preceding screenshot, run the followingcommand:add authentication ldapaction LDAP-Authentication -serverip 10.3.4.15-ldapBase "CN=Users,DC=citrix,DC=com"-ldapBindDn "CN=administrator,CN=Users,DC=citrix,DC=com" -ldapBindDnPassword ..dd2604527edf70-ldapLoginName sAMAccountName-searchFilter "memberOf=CN=VPNAllowed,OU=support,DC=citrix,DC=com" -groupAttrName memberOf-subAttributeName CNNote: Ensure that you set the subAttributeName parameter to CN. Troubleshooting Group Extraction on theNetScaler appliance To troubleshoot group extraction on the NetScaler appliance, consider the followingpoints:If the LDAP policy fails after configuring it for Group Extraction, it is best to create a policy that does nothave the group extraction configured to ensure that LDAP is configured appropriately.You might need to use the LDAP Data Interchange Format Data Exchange (LDIFDE) utility from Microsoftthat extracts the attributes from the Active Directory server to determine the exact content of the memberOfgroup.You need to run this utility on the Active Directory server. The following is the syntax for the command torun the LDIFDE utility:ldifde -f <File_Name> -s <AD_Server_Name> -d "dc=<Domain_Name>,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l"cn,givenName,objectclass,samAccountName,memberOf" When you run the preceding command, a textfile, with the name you specified for File_Name parameter, is created. This file contains all objects from theActive Directory. The following is an example from a text file so created:dn: CN=johnd,CN=Users,DC=citrix,DC=comchangetype: addmemberOf: CN=VPNAllowed,OU=support,DC=citrix,DC=com

cn: johndgivenName: johnobjectClass: usersAMAccountName: johnd

QUESTION 120Company policy states that all passwords should travel the network in encrypted packets except SNMP.

Which command should the network engineer execute to comply with this policy?

A. set ns ip 10.20.30.40 -ssh disabled -telnet disabled -gui enabledB. set ns ip 10.20.30.40 -telnet disabled -gui secureonly -ftp disabledC. set ns ip 10.20.30.40 -mgmtaccess disabled -restrictaccess enabledD. set ns ip 10.20.30.40 -gui secureonly -ssh enabled -restrictaccess enabled



QUESTION 121Scenario: A web server needs to be load-balanced but the content for the web page is retrieved fromdifferent server pools. There is a server pool for images, another for text files, and another for documents.

Which NetScaler feature would allow a user to retrieve content from all pools through a single IP address byleveraging the ability of NetScaler to forward traffic based on the incoming request?

A. Load BalancingB. Content FilteringC. Content SwitchingD. Global Server Load Balancing



QUESTION 122On which two objects could a NetScaler Engineer bind cipher groups? (Choose two.)

A. ServerB. ServiceC. SSL policyD. SSL profileE. Virtual server

Correct Answer: BESection: (none)Explanation


QUESTION 123Scenario: When the NetScaler was set up, compression was enabled. The network engineer would like todisable compression ONLY for a particular virtual server.

How could the engineer accomplish this?

A. Uncheck Compression in the system basic features.B. Create a policy with a NOCOMPRESS action, bound to the global request point.C. Disable compression on the services or service groups bound to the virtual server.D. Create a policy with a NOCOMPRESS action, bound the virtual server Compression (request) point.



QUESTION 124A NetScaler engineer generates a techsupport archive to be sent to Technical Support.

Which three of the following pieces of information will be included in the archive file? (Choose three.)

A. Model NumberB. SSL Private KeysC. Old Configuration FilesD. Hardware Boot sequenceE. Webpage CustomizationsF. Certificate Revocation List

Correct Answer: ACDSection: (none)Explanation


QUESTION 125Scenario: An engineer executes the following commands:

add vlan 2

bind vlan 2 -ifnum 1/2

add ns ip 10.110.4.200 255.255.255.0

bind vlan 2 -IPAddress 10.110.4.200 255.255.255.0 What type of IP address has been added to theNetScaler?

A. VIP addressB. NSIP addressC. SNIP addressD. GSLB Site IP address



QUESTION 126A NetScaler Engineer has been given the task of protecting an internal web site by requiring users to enter

their credentials.

Which feature should the engineer configure?

A. AAAB. SSL OffloadingC. Content FilteringD. Application Firewall



QUESTION 127When using static proximity load-balancing method for a Global Server Load Balancing (GSLB) virtualserver, there must be a match between the IP addresses in the custom/static database to the IP address ofthe _________ so that it is associated with a given location. (Choose the option to complete the sentence.)

A. GSLB serviceB. ADNS serviceC. Load-balancing serverD. Client local DNS (LDNS)



QUESTION 128A network engineer needs to investigate why a few users have issues logging on to the NetScaler system.How can the engineer troubleshoot authentication issues on the NetScaler system?

A. Use ECV monitoring.B. Run a violations report in Reporting.C. Use the CAT aaad.debug command.D. Check the system-authentication setting in the GUI.


Explanation/Reference:drop the the shell and the file is located at:/tmp/aaad.debug

QUESTION 129What should an engineer configure in an environment where two NetScaler appliances are configured inhigh availability (HA) mode to prevent both nodes from reporting a state of NOT_UP at the same time?

A. Fail-Safe ModeB. Route MonitorsC. Command PropagationD. Configuration Synchronization



QUESTION 130Which SSL parameter should an engineer configure to bind multiple certificate key pairs to a virtual server?

A. SNI enableB. Session reuseC. Send close-notifyD. Client authentication



QUESTION 131Multiple Subnet IPs (SNIPs) are defined in the same network.

A NetScaler Engineer could specify the SNIP to use to communicate with servers on that network byconfiguring a __________. (Choose the option to complete the sentence.)

A. net profileB. listen policyC. traffic domainD. policy-based route



QUESTION 132Scenario: A NetScaler Engineer has been tasked with reconfiguring an existing NetScaler deployment. Theengineer is currently running a high-availability (HA) pair of NetScaler 10.5 appliances, but the VicePresident of IT has requested a more efficient way of preserving and balancing network resources andthroughput while having a single point of management for the NetScaler appliances.

What should the engineer configure to satisfy the requirements outlined by the Vice President of IT?

A. Switch from traditional HA to -INC mode HA.B. Break the HA pair and configure clustering instead.C. Break the HA pair and configure three standalone NetScaler nodes.D. Leave HA enabled and increase bandwidth to both NetScaler nodes.



QUESTION 133When binding a certificate to a virtual server, which two certificate formats are supported by NetScaler?(Choose two.)

A. P7BB. PFXC. PEMD. DER

Correct Answer: CDSection: (none)Explanation


QUESTION 134Traffic to which destination is sourced from the NetScaler IP (NSIP) by default?

A. NTP serversB. Clients on the InternetC. Load-balanced web servicesD. Load-balanced authentication services



QUESTION 135Scenario: A network engineer would like to prevent blacklisted remote clients from accessing NetScalerhosted application services. An IP address blacklist database is maintained by an external company andavailable to query over the Internet.

The engineer would like to reject any connections from IP addresses that are contained in the blacklist.What could the engineer configure to achieve this goal?

A. SSL offloadB. HTTP calloutC. URL transformationD. SSL certification revocation list check



QUESTION 136When a content-switching virtual server is used and idle client connections must stay established longerthan the default NetScaler value, in which two locations could an engineer adjust the client timeout setting?(Choose two.)

A. Global Timeout SettingsB. Load-balancing servicesC. Load-balancing virtual serverD. Content-switching virtual server




QUESTION 137Which client header indicates support for the type of compression the NetScaler may use?

A. AcceptB. User-AgentC. Content-TypeD. Accept-Encoding



QUESTION 138Scenario: A NetScaler Engineer is asked to interpret the following configuration:add audit syslogAction syslog_srv_1 192.168.0.1 -logLevel ERROR

add audit syslogAction syslog_srv_2 192.168.0.2 -logLevel WARNING

add audit syslogAction syslog_srv_3 192.168.0.3 -logLevel CRITICAL

add audit syslogAction syslog_srv_4 192.168.0.4 -logLevel ALERT

add audit syslogPolicy audit_pol_1 ns_true syslog_srv_1




bind system global audit_pol_1 -priority 100




add audit messageaction log-act1 CRITICAL '"Client:"+CLIENT.IP.SRC+" accessed "+HTTP.REQ.URL' -bypassSafetyCheck YES

add responder policy RP_pol http.REQ.IS_VALID NOOP -logAction log-act1

bind responder global RP_pol 100 END -type REQ_OVERRIDE

Which syslog server will receive log information?

A. syslog_srv_3B. syslog_srv_4C. syslog_srv_1D. syslog_srv_2



QUESTION 139Scenario: A NetScaler Engineer has received complaints from some users stating that their businessapplications are running slow. The engineer analyzes the application servers and sees the following CPUutilization:

ServerA is utilizing 20% CPU

ServerB is utilizing 20% CPU

ServerC is utilizing 100% CPU

The engineer had set the load-balancing method to round robin but decided to change the load-balancingconfiguration for the business applications.

Which load-balancing method could the engineer use to address this issue?

A. Custom LoadB. Least PacketsC. Least ConnectionsD. Least Response time



QUESTION 140Scenario: A network engineer has bound four policies to an HTTP virtual server as follows:

PolicyA is bound with a priority of 10 and has the following expression: REQ.IP.SOURCEIP == 10.10.10.0

PolicyB is bound with a priority of 15 and has the following expression: REQ.IP.SOURCEIP != 10.10.11.0

PolicyC is bound with a priority of 20 and has the following expression: REQ.IP.SOURCEIP == 10.10.12.0

PolicyD is bound with a priority of 25 and has the following expression: REQ.IP.SOURCEIP != 10.10.13.0

When a connection is made from a PC with an IP address of 10.10.12.15, which policy will be applied?

A. PolicyAB. PolicyBC. PolicyCD. PolicyD


Explanation/Reference:Don't be fooled by this as the first policy to match will be used, in this case 10.10.12.15 is not 10.10.11.0hence it statisfies policyB

QUESTION 141While binding a certificate key pair where the key is a 2048-bit, a NetScaler Engineer receives the followingerror message:

"Certificate with key size greater than RSA512 or DSA512 bits not supported"

What could be causing this error?

A. The certificate being used is invalid.B. The license file is saved in UTF-8 format.C. The NetScaler does NOT have an SSL offloading card.D. The NetScaler appliance does NOT have an appropriate license.



QUESTION 142In order to create a three-node NetScaler cluster, all nodes must __________ and __________. (Choosethe two options to complete the sentence.)

A. be physical appliancesB. have Platinum licensingC. be using the same buildD. be the same platform model

Correct Answer: CDSection: (none)

Explanation


QUESTION 143Which item needs to be configured to enable content prefetch in Integrated Caching on the NetScalerappliance?

A. Cache PolicyB. Cache ObjectC. Cache SelectorD. Cache Content Group



QUESTION 144Which IP address type should be bound to a VLAN in order to isolate traffic to backend services?

A. Virtual IP (VIP)B. Cluster IP (CLIP)C. Subnet IP (SNIP)D. NetScaler IP (NSIP)



QUESTION 145Scenario: The network engineer is setting up a new NetScaler using a direct connection. Three networksare connected to the NetScaler. After initial configuration and restart, the engineer would like to confirm therouting table entries.

From which location and which command should the engineer run to display the routing table?

A. From the shell 'netstat -r'B. From the shell 'route monitor'C. From the command-line interface 'show pbr'D. From the command-line interface 'show route'



QUESTION 146Scenario: A NetScaler Engineer retrieves the following configuration from support and enters it into thecommand-line interface:

add rewrite action remove_server_header delete_http_header Server

add rewrite policy RP_remove_srv_header "HTTP.REQ.IS_VALID && !CLIENT.IP.SRC.IN_SUBNET(172.16.0.0/16)" remove_server_header

bind lb vserver lb_vsrv -policyName RP_remove_srv_header -priority 100 - gotoPriorityExpression END -type REQUEST

The immediate effect of this configuration is that it will __________ the server header in the __________ ifthe request is coming from a network other than 172.16.0.0/16. (Choose the set of options to complete thesentence.)

A. keep; requestB. keep; responseC. remove; requestD. remove; response



QUESTION 147A NetScaler Engineer would like to encrypt the LDAP authentication traffic from a NetScaler to the internalLDAP servers.

Which type of load-balancing service should the engineer create?

A. SSLB. TCPC. RADIUSD. SSL_TCP



QUESTION 148Scenario: A NetScaler Engineer has created a local account for a user according to the below configuration:

add system user NSUser userpassword -timeout 900

add system group "NetScaler users" -timeout 900

add system cmdPolicy netscaler-users ALLOW"(^man.*)|(^show\\s+(?!system)(?!configstatus)(?!ns ns\\.conf)(?!ns savedconfig)(?!ns runningConfig)(?!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)"

bind system group "NetScaler users" -userName NSUser

bind system group "NetScaler users" -policyName netscaler-users 100

The user is able to log on but is NOT able to execute certain commands. The engineer goes back andlooks at the logs, and the following is displayed:

Oct 6 13:34:15 <local0.info> 192.168.10.50 10/06/2014:13:34:15 GMT ns1 0-PPE-0 : CLICMD_EXECUTED 4303 0 : User NSUser - Remote_ip 192.168.10.10 - Command "show ns runningConfig"- Status "ERROR: Not authorized to execute this command"

Why is the command NOT working for the user?

A. cmdPolicy is NOT configured to allow the commandB. cmdPolicy should be set to DENY, instead of ALLOWC. The user should be bound to the cmdPolicy netscaler-usersD. The priority of the cmdPolicy bound to the group "NetScaler users" should be higher



QUESTION 149Which setting must an engineer ensure is configured before a Subnet IP (SNIP) could be used tocommunicate with servers on the same network segment?

A. Static route is definedB. USIP mode is enabledC. USNIP mode is enabledD. Default gateway is defined



QUESTION 150As a result of connecting two NetScaler interfaces in the same L2 broadcast domain/VLAN (unless linkaggregation is configured), the NetScaler will __________. (Choose the correct option to complete thesentence.)

A. restartB. disable one interfaceC. cause a network loopD. disable both interfaces



QUESTION 151Which two of the following settings could be configured using a TCP profile that is bound to a service?(Choose two.)

A. TCP buffer sizeB. Window scalingC. TCP Server time-out valuesD. Source IP for specific subnetE. Allowed bandwidth throughputF. Number of max concurrent TCP connections



QUESTION 152Scenario: A NetScaler Engineer needs to perform a network packet trace on a NetScaler appliance. Fortroubleshooting purposes the engineer needs to capture traffic only from interfaces 1/3 and 1/4; traffic fromother interfaces should NOT be captured. The resulting file should be saved in NetScaler format.

What should the engineer do to accomplish this task?

A. Run the nstcpdump.sh command from the NetScaler shell and specify the interfaceB. Run the nstcpdump.sh command from the NetScaler shell and specify the filter parameterC. Run the start nstrace command from the NetScaler command-line interface and specify the filter

parameterD. Run the start nstrace command from the NetScaler command-line interface and specify the PerNIC

parameter



QUESTION 153Scenario: Users in an organization need to access several web applications daily. Management has askeda NetScaler Engineer to reduce the amount of times users have to enter credentials when accessing webapplications.

What should the engineer configure to meet this requirement?

A. A load-balancing VServer and an authorization policyB. An authentication VServer and an authorization policyC. An authentication VServer and an authentication policyD. A content switching VServer and an authentication profile



QUESTION 154A network engineer is investigating a recent failure of NetScaler high availability and confirms that somerecent changes were made to the configuration.

What is a likely cause of the failure?

A. Load balancing virtual server marked DOWN.B. SNIP has had management access removed.C. RPC node password changed on an appliance.D. The network command policy has been modified.



QUESTION 155What should a NetScaler Engineer configure to create load-balancing virtual servers and services on thesame VLAN with overlapping IP addresses?

A. Listen policiesB. Traffic domainsC. Dynamic routingD. Policy-based routing



QUESTION 156Which two content types are, by default, compressible content on the NetScaler? (Choose two.)

A. zipB. pngC. cssD. jpegE. html

Correct Answer: CESection: (none)Explanation


QUESTION 157Which persistence method is only applicable to load-balancing SIP?

A. CALLIDB. RTSPIDC. SOURCEIPD. COOKIEINSERT



QUESTION 158In which two places could a NetScaler Engineer enable TCP Buffering? (Choose two.)

A. ServiceB. GloballyC. HTTP profileD. Virtual server



QUESTION 159Which command must a NetScaler Engineer run at the command-line interface to enable a LinkAggregation Control Protocol (LACP) channel?

A. Use "set lacp" with sysPriority parameter.B. Use "set lacp" with ownerNode parameter.C. Use "set interface" with lacpKey parameter.D. Use "set interface" with lacpPriority parameter.



QUESTION 160When creating a link aggregation channel on the NetScaler, the "-throughput" option sets the __________.(Choose the option to complete the sentence.)

A. max interface speed of the channelB. interface threshold for channel failoverC. interface bandwidth limit for the channelD. interface speed of each member of the channel



QUESTION 161What are two benefits of using Link Aggregation Control Protocol (LACP)? (Choose two.)

A. RedundancyB. CompressionC. Reduce TCP latencyD. Increased throughputE. Automatic configuration of TCP windows



QUESTION 162Which NetScaler caching type requires proxy configuration on all client devices?

A. SOCKSB. REVERSE

C. FORWARDD. TRANSPARENT



QUESTION 163Scenario: A NetScaler engineer needs to enable access to some web servers running on an IPv6-onlynetwork. The clients connecting the services are on an IPv4 network. The engineer has already enabledIPv6 on the NetScaler.

What does the engineer need to do in order to provide access to the services on the IPv6 network?

A. Create an IPv6 tunnel and a IPv4 virtual server.B. Configure an IPv6 VLAN and bind the required interface.C. Create a IPv4 virtual server and bind the service group to it.D. Create an IPv6 ACL and a IPv4 virtual server and bind the ACL to the virtual server.



QUESTION 164Scenario: An engineer has been given the task of selecting the TCP profile for a NetScaler appliance. Theappliance has a 1.5Mbit WAN interface that has considerable and intermittent packet loss.

Which TCP profile should the engineer choose to optimize traffic for the WAN interface?

A. nstcp_default_profileB. nstcp_default_tcp_lfpC. nstcp_default_tcp_lnpD. nstcp_default_tcp_lan



QUESTION 165Scenario: A website that provides hotel bookings lists each hotel through their membership number on thesite URL. For example, the Martello Tower member ID is 6754 and its web presence is at http://www.hoteltestwebsite.com/hotels/6754/index.html.

There are 20,000 hotels in the database of the website. The website business owner no longer wants todisplay the hotel sites for hotel numbers 1-10000, inclusive. A NetScaler Engineer must configure anappropriate responder page to indicate that these sites are unavailable.

Which expression will meet the requirements of the business owner?

A. HTTP.REQ.URL.PATH.GET(2).TYPECAST_NUM_T(DECIMAL).BETWEEN(0, 10000)B. HTTP.REQ.URL.AFTER_STR("hotels").TYPECAST_NUM_T(DECIMAL).BETWEEN(0, 10000)

C. HTTP.REQ.URL.BEFORE_STR("index.html").TYPECAST_NUM_T(DECIMAL).BETWEEN (0, 10000)D. HTTP.REQ.URL.PATH.GET(1).TYPECAST_NUM_T(DECIMAL).GT(0) &&

HTTP.REQ.URL.PATH.GET(1).TYPECAST_NUM_T(DECIMAL).LT(10000)



QUESTION 166Scenario: A NetScaler Engineer has discovered that the object home.php is NOT found in the cache on thesystem.

Below is the relevant configuration:

add cache contentGroup cache_content_group_1 -relExpiry 0

add cache policy cache_pol_1 -rule "http.REQ.URL.CONTAINS(\"home.php\")" -action MAY_CACHE -storeInGroup cache_content_group_1

add cache policy cache_pol_2 -rule "http.REQ.METHOD.EQ(\"GET\")" -action NOCACHE

add cache policy cache_pol_3 -rule "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS" -action NOCACHE



bind cache global cache_pol_3 -priority 100 -gotoPriorityExpression END -type RES_OVERRIDE

The data from the client and the server are as following:

GET /home.php HTTP/1.1

Host: www.website.com

User-Agent: Mozilla Firefox/3.0.3

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Date: Thu, 09 Oct 2014 18:25:00 GMT

Cookie: sessionid=100xyz

HTTP/1.1 200 OK

Date: Thu, 09 Oct 2014 18:25:00 GMT

Server: Apache/2.2.3 (Fedora)

Last-Modified: Wed, 09 Jul 2014 21:55:36 GMT

ETag: "27db3c-12ce-5e52a600"

Accept-Ranges: bytes

Cache-Control: private, max-age=0

Set-Cookie: sessionid=100xyz; expires=Thu, 09-Oct-2014 18:30:00 GMT; path=/

Content-Length: 119

Connection: close

Content-Type: text/html; charset=UTF-8

Why does the object NOT persist in the cache?

A. The request is a GET request.B. The response has Set-Cookie.C. The content group is missing a cache selector.D. The content group has been configured with relExpiry 0.



QUESTION 167Which statement is true about interface link-state on the NetScaler?

A. Interface link-state is controlled by ifconfig in BSD.B. Interface link-state is dependent on the HAMON setting.C. Interface link-state CANNOT be brought down from the NetScaler.D. Interface link-state on both appliances is unaffected by the force failover command.




citrix 1y0-351 : practice test - gratis exam...jun 05, 2015 · connections in any given second. a...

Documents