
Upload: nguyennhu

Post on 07-Sep-2018


CITRIX 1Y0-A28 EXAM QUESTIONS & ANSWERS

Number: 1Y0-A28
Passing Score: 800
Time Limit: 120 min
File Version: 34.4

http://www.gratisexam.com/

Exam Name: Implementing NetScaler 10 for Networking and Traffic Optimization

Exam A

QUESTION 1
An engineer has two NetScaler devices in two different datacenters and wants to create a high availability (HA) pair with the two devices, even though they are on two different subnets. How can the engineer configure the HA Pair between the two NetScaler devices?

A. Configure StaySecondary on the second datacenter appliance.
B. Ensure that INC mode is enabled during the creation of the HA Pair.
C. Enable the HAMonitors on all interfaces after the HA Pair has been created.
D. Change the NSIP of the second appliance to be on the same subnet as the first appliance.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Limiting Failovers Caused by Route Monitors in non-INC mode

In an HA configuration in non-INC mode, if route monitors fail on both nodes, failover happens every 180 seconds until one of the nodes is able to reach all of the routes monitored by the respective route monitors. However, for a node, you can limit the number of failovers for a given interval by setting the Maximum Number of Flips and Maximum Flip Time parameters on the nodes. When either limit is reached, no more failovers occur, and the node is assigned as primary even if any route monitor fails on that node. If the node is then able to reach all of the monitored routes, the next monitor failure triggers resetting of the Maximum Number of Flips and Maximum Flip Time parameters on the node and starting the time specified in the Maximum Flip Time parameter.

These parameters are set independently on each node and therefore are neither propagated nor synchronized.

Note: This feature is supported only on NetScaler 9.3.e.

Parameters for limiting the number of failovers

Maximum Number of Flips (maxFlips)
    Maximum number of failovers allowed, within the Maximum Flip Time interval, for the node in HA in non INC mode, if the failovers are caused by route-monitor failure.
Maximum Flip Time (maxFlipTime)
    Amount of time, in seconds, during which failovers resulting from route-monitor failure are allowed for the node in HA in non INC mode.

To limit the number of failovers by using the NetScaler command line

At the NetScaler command prompt, type:

    set HA node [-maxFlips <positive_integer>] [-maxFlipTime <positive_integer>]
    show HA node [<id>]

Example

    > set ha node -maxFlips 30 -maxFlipTime 60
     Done
    > sh ha node
    1) Node ID: 0
       IP: 10.102.169.82 (NS)
       Node State: UP
       Master State: Primary
       Fail-Safe Mode: OFF
       INC State: DISABLED
       Sync State: ENABLED
       Propagation: ENABLED
       Enabled Interfaces : 1/1
       Disabled Interfaces : None
       HA MON ON Interfaces : 1/1
       Interfaces on which heartbeats are not seen : None
       Interfaces causing Partial Failure: None
       SSL Card Status: NOT PRESENT
       Hello Interval: 200 msecs
       Dead Interval: 3 secs
       Node in this Master State for: 0:4:24:1 (days:hrs:min:sec)
    2) Node ID: 1
       IP: 10.102.169.81
       Node State: UP
       Master State: Secondary
       Fail-Safe Mode: OFF
       INC State: DISABLED
       Sync State: SUCCESS
       Propagation: ENABLED
       Enabled Interfaces : 1/1
       Disabled Interfaces : None
       HA MON ON Interfaces : 1/1
       Interfaces on which heartbeats are not seen : None
       Interfaces causing Partial Failure: None
       SSL Card Status: NOT PRESENT

    Local node information:
       Configured/Completed Flips: 30/0
       Configured Flip Time: 60
       Critical Interfaces: 1/1
     Done

To limit the number of failovers by using the configuration utility

In the navigation pane, expand System and click High Availability.
In the details pane, on the Nodes tab, select the local node, and then click Open.
In the Configure Node dialog box, under Intervals, set the following parameters:
    Maximum Number of Flips
    Maximum Flip Time
Click OK.

QUESTION 2
What should a network engineer do to prevent unauthorized users from using the root user account?

A. Reset the nsroot account.
B. Change the nsroot password.
C. Create an authorization policy.
D. Bind a policy to the root user account.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Changing the Password of the Default User Account
Updated: 2012-03-21

The default user account provides complete access to all features of the Citrix SDX appliance. Therefore, to preserve security, the nsroot account should be used only when necessary, and only individuals whose duties require full access should know the password for the nsroot account. Citrix recommends changing the nsroot password frequently. If you lose the password, you can reset the password to the default by reverting the appliance settings to factory defaults.

You can change the password of the default user account in the Users pane. In the Users pane, you can view the following details:

Name
    Lists the user accounts configured on the SDX appliance.
Permission
    Displays the permission level assigned to the user account.

To change the password of the default user account

On the Configuration tab, in the navigation pane, expand System, and then click Users.
In the Users pane, click the default user account, and then click Modify.
In the Modify System User dialog box, in Password and Confirm Password, enter the password of your choice.
Click OK.

QUESTION 3
Scenario: The NetScaler has connections to a large number of VPNs. The network engineer wants to minimize the number of ARP requests. Which feature should the network engineer enable to minimize ARP requests?

A. TCP Buffering
B. Use Source IP
C. Edge Configuration
D. MAC based forwarding

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Enabling and Disabling MAC-Based Forwarding Mode
Updated: 2012-03-16

You can use MAC-based forwarding to process traffic more efficiently and avoid multiple-route or ARP lookups when forwarding packets, because the NetScaler remembers the MAC address of the source. To avoid multiple lookups, the NetScaler caches the source MAC address of every connection for which it performs an ARP lookup, and it returns the data to the same MAC address.

MAC-based forwarding is useful when you use VPN devices because the NetScaler ensures that all traffic flowing through a particular VPN passes through the same VPN device.

The following figure shows the process of MAC-based forwarding.

Figure 1. MAC-Based Forwarding Process

When MAC-based forwarding is enabled, a NetScaler caches the MAC address of:

    The source (a transmitting device such as router, firewall, or VPN device) of the inbound connection.
    The server that responds to the requests.

When a server responds through a NetScaler, the NetScaler sets the destination MAC address of the response packet to the cached address, ensuring that the traffic flows in a symmetric manner, and then forwards the response to the client. The process bypasses the route table lookup and ARP lookup functions. However, when a NetScaler initiates a connection, it uses the route and ARP tables for the lookup function. To enable MAC-based forwarding, use the configuration utility or the command line.

Some deployments require the incoming and outgoing paths to flow through different routers. In these situations, MAC-based forwarding breaks the topology design. For a global server load balancing (GSLB) site that requires the incoming and outgoing paths to flow through different routers, you must disable MAC-based forwarding and use the NetScaler unit’s default router as the outgoing router.

With MAC-based forwarding disabled and Layer 2 or Layer 3 connectivity enabled, a route table can specify separate routers for outgoing and incoming connections. To disable MAC-based forwarding, use the configuration utility or the command line.

To enable or disable MAC-based forwarding by using the NetScaler command line

At the NetScaler command prompt, type the following commands to enable/disable MAC-based forwarding mode and verify that it has been enabled/disabled:

    enable ns mode <Mode>
    disable ns mode <Mode>
    show ns mode

Example

    > enable ns mode mbf
     Done
    > show ns mode

        Mode                    Acronym   Status
        -------                 -------   ------
     1) Fast Ramp               FR        ON
     2) Layer 2 mode            L2        OFF
        .
        .
        .
     6) MAC-based forwarding    MBF       ON
        .
        .
        .
     Done
    >

    > disable ns mode mbf
     Done
    > show ns mode

        Mode                    Acronym   Status
        -------                 -------   ------
     1) Fast Ramp               FR        ON
     2) Layer 2 mode            L2        OFF
        .
        .
        .
     6) MAC-based forwarding    MBF       OFF
        .
        .
        .
     Done
    >

To enable or disable MAC-based forwarding by using the configuration utility

In the navigation pane, expand System, and then click Settings.
In the details pane, under Modes and Features group, click Change modes.
In the Configure Modes dialog box, to enable MAC-based forwarding mode, select the MAC Based Forwarding check box. To disable MAC-based forwarding mode, clear the check box.
Click OK. The Enable/Disable Mode(s)? message appears in the details pane.
Click Yes.

QUESTION 4
A network engineer has configured two NetScaler MPX appliances as a high availability (HA) pair. What can the engineer configure to prevent failover if only a single interface fails?

A. FIS
B. PBR
C. SNMP
D. VMAC

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
To overcome a Switch being the single point of failure in the network, the appliances of a high availability setup can be configured to be physically connected to redundant Switches. This addresses the following scenario:

    NetScaler appliance A is connected to Switch A
    NetScaler appliance B is connected to Switch B
    NetScaler appliances A and B are part of a high availability setup

If both Switch A and NetScaler appliance B fail, then no network traffic can reach the local virtual servers. To overcome this failure scenario, two links can be used from each NetScaler appliance with each link connected to a different Switch.

Using link redundancy, you can group the two interfaces into a Failover Interface Set, and therefore prevent the failure of a single link from causing a failover to the secondary appliance unless all interfaces on the primary appliance stop functioning.

Using the NetScaler Command Line Interface

To configure the NetScaler appliances in a High Availability setup with redundant Switches, complete the following procedure in the command line interface of the appliance:

Run the following command to disable L2 mode on both the appliances:
    > disable ns mode L2
Create two separate port VLANs on the switch; for example, VLAN 2 and VLAN 3.
Enable interfaces 1/1 and 1/2.
Connect 1/1 from both appliances to VLAN 2.
Connect 1/2 from both appliances to VLAN 3.
Run the following commands to set up a Failover Interface Set group:
    > add fis <set name>
    > bind fis <set name> 1/1
    > bind fis <set name> 1/2

Using the Graphical User Interface

To configure the NetScaler appliances in a High Availability setup with redundant Switches, complete the following procedure from the Configuration Utility of the appliance:

Expand the System node.
Select the Settings node.
Click on the Configure Modes link in the Modes and Features section.
Clear the Layer 2 Mode option.
Select the High Availability node.
Select the Failover Interface Set tab.
Click Add.
Configure the Failover Interface Set name and move the appropriate interfaces from the Available Interfaces list to the Configured Interfaces list, as shown in the following screen shot:

QUESTION 5
Scenario: A NetScaler appliance currently has a manually configured channel containing four interfaces; however, the engineer has been told that the NetScaler must now only use a single interface for this network. The engineer removes the channel and immediately notices a decrease in network performance. How could the engineer resolve this issue?

A. Reset the unused interfaces
B. Disable the unused interfaces
C. Enable flow control on all interfaces
D. Disable HA monitoring on the three interfaces that are no longer required

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Scenario: A NetScaler engineer needs to enable access to some web servers running on an IPv6-only network. The clients connecting the services are on an IPv4 network. The engineer has already enabled IPv6 on the NetScaler. What does the engineer need to do in order to provide access to the services on the IPv6 network?

A. Create an IPv6 tunnel and a IPv4 virtual server.
B. Configure an IPv6 VLAN and bind the required interface.
C. Create a IPv4 virtual server and bind the service group to it.
D. Create an IPv6 ACL and a IPv4 virtual server and bind the ACL to the virtual server.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Scenario: A network engineer needs to configure Citrix NetScaler to provide Access Gateway services to VLAN 2 using interface 1/1 only, while also using interface 1/2 to provide load balancing services to VLAN 3. How could this result be achieved?


A. Disable static route advertisement.
B. Disable layer 2 mode
   Create 2 untagged VLANs - VLAN 2 and VLAN 3
   Bind VLAN 2 to Interface 1/1
   Bind VLAN 3 to Interface 1/2
C. Enable Layer 3 mode
   Create a Channel Interface using Interface 1/1 and 1/2
   Create 2 VMACs
   Bind a VMAC to interface 1/1 and 1/2
D. Configure policy-based routing using the Interface option as a filter.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Why would an engineer want to specify a TCP Profile for a specific service group?

A. To enable use of features like SSL over TCP for that specific service group.
B. To adjust the TCP settings for traffic to and from that specific service group.
C. To use a specific SNIP for traffic to the back-end servers in that service group.
D. To enable features like use source IP, TCP keep alive and TCP buffering for a specific service group.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

Configuring TCP Profiles
Updated: 2013-03-28

A Transmission Control Protocol (TCP) profile is a collection of TCP parameter settings that can be applied to virtual servers and services. A TCP profile can be reused on multiple virtual servers or services. You can use built-in TCP profiles or configure custom profiles. The following table describes the built-in TCP profiles.

Table 1. Built-in TCP Profiles

To add a TCP profile by using the command line interface

At the command prompt, type the following commands to add a TCP profile and verify the configuration:

    add ns tcpProfile <name> [-WS (ENABLED | DISABLED)] [-SACK (ENABLED | DISABLED)] [-WSVal <positive_integer>] [-nagle (ENABLED | DISABLED)] [-ackOnPush (ENABLED | DISABLED)] [-maxBurst <positive_integer>] ...
    show ns tcpProfile

Example

    > add ns tcpProfile tcp_profile1 -nagle DISABLED -ackOnPush ENABLED -maxBurst 10 -initialCwnd 6 -delayedAck 200 -oooQSize 100 -maxPktPerMss 0

To add a TCP profile by using the configuration utility

Navigate to System > Profiles.
In the details pane, click on the TCP Profiles tab and then click Add.
In the Create TCP Profiles dialog box, configure the parameters for the TCP profile. For a description of a parameter, hover the mouse cursor over the corresponding field.
Click Create.

QUESTION 9
Some SSL certificate files may be missing from a NetScaler appliance. Which directory should an engineer check to determine which files are missing?

A. /nsconfig/ssl
B. /nsconfig/ssh
C. flash/nsconfig/
D. /var/netscaler/ssl/

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

from my lab

QUESTION 10
Scenario: The NetScaler is configured with a NSIP of 10.20.30.40. Management access is NOT enabled on any other IP address. Which command should an engineer execute to prevent access to the NetScaler using HTTP and only allow HTTPS access?

A. set ns ip 10.20.30.40 -gui disabled -telnet disabled
B. set ip 10.20.30.40 -gui secureonly -mgmtaccess enabled
C. set ip 10.20.30.40 -mgmtaccess disabled -gui secureonly
D. set ns ip 10.20.30.40 -gui enabled -restrictAccess enabled

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Scenario: The IT department in an organization manages servers and network devices from an internal management subnet. A Netscaler device has recently been installed into the DMZ network. The intranet firewall allows TCP 443 from the management subnet to the Netscaler device. How could the engineer ensure that only workstations in the management network are permitted to manage the Netscaler?

A. Create an Extended ACL based on the source IP address.
B. Create a restricted route from the internal network to the DMZ.
C. Enable the management access control option on the NSIP address.
D. Enable the management access control on the internal SNIP address.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
Scenario: An engineer has three subnets configured on a NetScaler appliance. The engineer must only allow a certain group of users to access a virtual server on the appliance. The IT Manager requires that all rules are flexible and can be easily modified for ease of administration. How could the engineer allow certain groups to access the virtual server while still being able to modify the setting in the future?

A. Add a Simple ACL.
B. Disable USNIP Mode.
C. Create an Extended ACL.
D. Add a Host Route to the virtual server.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Scenario: A company has three HTTP servers that are load balanced using NetScaler. When users connect to the HTTP application they often receive inconsistent data or are advised that they need to log on again. Which step should the engineer take to correct this?

A. Remove Down State Flush.
B. Change the idle timeout value for the service.
C. Configure persistence with appropriate timeouts.
D. Change the global TCP Client Idle Time-Out value.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
Scenario: A network engineer has configured a load balancing virtual server for an HTTP application. Due to the application architecture, it is imperative that a user's session remains on a single server during the session. The session has an idle timeout of 60 minutes. Some devices are getting inconsistent application access while most are working fine. The problematic devices all have tighter security controls in place. Which step should the engineer take to resolve this issue?

A. Set the cookie timeout to 60 minutes.
B. Configure a backup persistence of SourceIP.
C. Change the HTTP parameters to Cookie Version 1.
D. Utilize SSL offload to enable the application to use SSL.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
Scenario: A network engineer has configured an HTTP application to be load balanced using a virtual server named Svr1. Users have reported intermittent errors and the engineer has been given the client IP address of an affected user and asked to determine which back end service they are connected to. Using the command-line interface, how could the engineer find this information?

A. Show lb vServer Svr1
B. Show system session
C. Show lb vServer Svr1 -Summary
D. Show lb persistentSessions Svr1

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
Scenario: The network engineer has created a monitor and bound it to a service group containing four web servers to verify that the web application responds. During routine maintenance one of the web servers is shut down; however, the server state remains UP and user requests are still attempting to communicate with the server. What could be causing this problem?

A. The server has been disabled.
B. The monitor is not bound at the correct bind point.
C. Health monitoring is disabled for the service group.
D. The NetScaler configuration has not been saved since before the monitor was bound.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
What should a network engineer configure to set high availability for a load balanced virtual server?

A. Session persistence
B. A backup virtual server
C. Load balancing policies
D. Load balancing Services

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Scenario: A NetScaler engineer is adding a new SSL certificate to a NetScaler device. During the process the engineer receives an error message:
"Certificate with key size greater than RSA512 or DSA512 bits not supported."
The same process has been followed previously on the same model of NetScaler successfully.
What is the likely cause of this error?

A. The certificate hostname is invalid.
B. RSA authentication has been added to the VIP.
C. The NetScaler has not been licensed correctly.
D. The CSR has not been submitted to the certificate authority.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

This was proven in the lab:

QUESTION 19
Users have reported that they are receiving a confusing error message related to SSL sessions when connecting from older browsers. How could the network engineer present this error to users in a customized format?

A. Enable the SSL v2 protocol.
B. Set a URL on the backup virtual server.
C. Add a redirect URL to the virtual server.
D. Configure SSL v2 Redirection for the virtual server.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

Disable SSLv2 Redirect— If you enable the SSL v2 Redirect feature on a NetScaler appliance, the appliance performs the SSL handshake and redirects the client to the configured URL. If this feature is disabled, the appliance denies performing the SSL handshake process with SSL v2 clients.

Run the following command to disable the SSLv2 redirect:

    > set ssl vserver <vserver_name> -sslv2redirect DISABLED -cipherredirect DISABLED

Note: Starting with NetScaler software release 9.2, SSLv2 redirect and cipher redirect features are disabled by default.

http://support.citrix.com/proddocs/topic/netscaler-ssl-93/ns-ssl-config-sslv2-redirect-tsk.html#configuringsslparameters

Configuring SSLv2 Redirection
Updated: 2012-03-22

For an SSL transaction to be initiated, and for successful completion of the SSL handshake, the server and the client should agree on an SSL protocol that both of them support. If the SSL protocol version supported by the client is not acceptable to the server, the server does not go ahead with the transaction, and an error message is displayed.

You can configure the server to display a precise error message (user-configured or internally generated) advising the client on the next action to be taken. Configuring the server to display this message requires that you set up SSLv2 redirection.

To configure SSLv2 redirection by using the NetScaler command line

At the NetScaler command prompt, type the following commands to configure SSLv2 redirection and verify the configuration:

    set ssl vserver <vServerName> [-sslv2Redirect ( ENABLED | DISABLED ) [-sslv2URL <URL>]]
    show ssl vserver <vServerName>

Example

    > set ssl vserver vs-ssl -sslv2Redirect ENABLED -sslv2URL http://sslv2URL
     Done
    > show ssl vserver vs-ssl

        Advanced SSL configuration for VServer vs-ssl:
        DH: DISABLED
        Ephemeral RSA: ENABLED          Refresh Count: 1000
        Session Reuse: ENABLED          Timeout: 600 seconds
        Cipher Redirect: DISABLED
        SSLv2 Redirect: ENABLED         Redirect URL: http://sslv2URL
        ClearText Port: 0
        Client Auth: DISABLED
        SSL Redirect: DISABLED
        Non FIPS Ciphers: DISABLED
        SSLv2: DISABLED  SSLv3: ENABLED  TLSv1: ENABLED

    1)  CertKey Name: Auth-Cert-1       Server Certificate

    1)  Cipher Name: DEFAULT
        Description: Predefined Cipher Alias
     Done

Parameters for configuring SSLv2 redirection

vServerName
    The name of the SSL based virtual server that you are configuring SSLv2 redirection for.
sslv2Redirect (Enable SSLv2 Redirect)
    Enable or disable redirection based on the SSL protocol mismatch between the client and the NetScaler. Possible values: ENABLED, DISABLED. Default: DISABLED.
sslv2URL (SSLv2 URL)
    The URL of the page to which the client must be redirected in case of a protocol mismatch. This is typically a page that has a clear explanation of the error, or an alternative location from which the transaction can continue.

To configure SSLv2 redirection by using the configuration utility

In the navigation pane, expand SSL Offload, and then click Virtual Servers.
Select the virtual server for which you want to customize SSL settings, and then click Open.
On the SSL Settings tab, click SSL Parameters.
In the Configure SSL Params dialog box, specify values for the following parameters, which correspond to parameters described in “Parameters for configuring SSLv2 redirection” as shown:
    Enable SSLv2 Redirect
    SSLv2 URL
Click OK, and in the Configure Virtual Server (SSL Offload) dialog box, click OK. The NetScaler is now configured to redirect clients that only support SSLv2 protocol.

QUESTION 20
A network engineer must determine which SSL protocols are enabled on a virtual server named SSL01. Which command could the engineer run to see this information?

A. Show ssl stats
B. Show server SSL01
C. Show vServer SSL01
D. Show ssl vserver SSL01

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Which policy expression must an engineer use to enable compression for javascript files?

A. HTTP.RES.BODY(0).CONTAINS("javascript")
B. HTTP.REQ.BODY(0).CONTAINS("javascript")
C. HTTP.RES.HEADER("Content-Type").CONTAINS("javascript")
D. HTTP.REQ.HEADER("Content-Type").CONTAINS("javascript")

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

Exam B

QUESTION 1
A network engineer needs to upgrade both appliances of a High Availability (HA) pair. In which order should the network engineer upgrade the appliances?

A. Disable high availability and upgrade one node at a time.
B. Upgrade the primary node first without disabling high availability.
C. Upgrade the secondary node first without disabling high availability.
D. Perform the upgrade simultaneously without disabling high availability.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
http://support.citrix.com/proddocs/topic/netscaler-migration-10/ns-instpk-upgrd-high-avail-pair-tsk.html

To upgrade NetScaler units in a high availability pair running release 8.1, 9.0, 9.1, 9.2, 9.3 by using the configuration utility

Log on to the secondary node and perform the upgrade as described in To upgrade a standalone NetScaler running release 8.0, 8.1, 9.0, 9.1, 9.2, or 9.3 by using the configuration utility.

Note: Before upgrading the primary node (machine A), you have the option to test the new release by entering the force failover command at the NetScaler command line on the secondary node (machine B). When you do so, machine B becomes the primary node. If machine B does not function as expected, enter the force failover command at the NetScaler command line on the new primary node (machine B) forcing it to again become the secondary node, and contact Citrix Customer Service before proceeding. If machine B properly assumes the role of primary node, proceed with upgrading the former primary node (machine A).

Log on to the primary node and perform the upgrade as described in To upgrade a standalone NetScaler running release 8.0, 8.1, 9.0, 9.1, 9.2, or 9.3 by using the configuration utility.

QUESTION 2
Scenario: A network engineer has created two selectors to use to populate a cache group in integrated caching. One selector, "Hit," will determine what to add to the group. The other, "Inval", will select what should be invalidated. Which command should the engineer run to create the cache group?

A. add cache contentgroup CacheGroup1 -hitParams Hit -invalParam Inval
B. add cache contentgroup CacheGroup1 -hitSelector Hit -invalSelector Inval
C. set cache contentgroup CacheGroup1 - hitParams Hit -invalParam Inval -type HTTP
D. set cache contentgroup CacheGroup1 -hitSelector Hit - invalSelector Inval -type HTTP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
http://support.citrix.com/proddocs/topic/ns-optimization-10-map/ns-IC-setbasiccntgrp-tsk.html

Setting Up a Basic Content Group
Updated: 2013-06-17

By default, all cached data is stored in the default content group. You can configure additional content groups and specify these content groups in one or more policies.

You can configure content groups for static content, and you must configure content groups for dynamic content. You can modify the configuration of any content group, including the default group.

To set up a basic content group by using the command line interface

At the command prompt, type:

    add cache contentgroup <name> (-hitSelector <hitSelectorName> -invalSelector <invalidationSelectorName> | -hitParams <hitParamName> -invalParams <invalidationParamName>) -type <type> [-relExpiry <sec> | -relExpiryMilliSec <msec>] [-heurExpiryParam <positiveInteger>]

Examples

    > add cache contentgroup Products_Details -hitSelector product_selector -invalSelector id_selector
    > add cache contentgroup bugrep -hitParams IssuePage RecordID Template TableId -invalParams RecordID -relExpiry 864000

To set up a basic content group by using the configuration utility

In the navigation pane, expand Integrated Caching, and then click Content Groups.
In the details pane, do one of the following:
    To create a new content group, click Add.
    To modify an existing content group, select the content group, and then click Open.
In the Create Cache Content Group or the Configure Cache Content Group dialog box, set the relevant parameters in Expiry Method and Parameterization tabs.
Click Create or OK.

When configuring a content group for the Integrated Caching feature of the Citrix NetScaler appliance, you can use the -hitParams option on the command line interface of the appliance to configure parameters for cache hits.

The hitParams option defines a list of parameters to use when searching in a content group for a response that you want to serve from cache. You can configure up to 128 hit parameters with a maximum length of 4095 bytes. You can specify hit parameters as an alternate to a selector for a content group. However, as a best practice, Citrix recommends that you configure selectors for a content group.

QUESTION 3
Scenario: An organization has recently been penetration-tested by a security company. The findings have indicated that the NetScaler device is responding to requests revealing web server information within the HTTP response headers. Which NetScaler feature can a network engineer use to prevent this information from being leaked to a potential malicious user?

A. Rewrite
B. Responder
C. Web Logging
D. URL Transformation

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

This was done in the course

QUESTION 4
Scenario: Company Inc. wants to tag incoming requests with a header that indicates which browser is being used on the connection. This helps the server keep track of the browsers after the NetScaler has delivered the connections to the back end. The engineer should create __________ actions to __________. (Choose the correct set of options to complete the sentence.)

A. rewrite; insert tags on the client header
B. responder; separate the client requests
C. rewrite; insert tags on the server response
D. responder; filter the browser type on the client header

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Which step could a network engineer take to prevent brute force logon attacks?

A. Enable the Rate Limiting feature.
B. Enable the AAA Application feature.
C. Configure the Access Gateway Policies.
D. Configure the Cache redirection Policies.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
A network engineer needs to prevent too many simultaneous HTTP requests that can cause a Denial Of Service (DDoS). What could the engineer enable to prevent too many simultaneous HTTP requests?

A. Rate Limiting
B. SureConnect
C. Priority Queuing
D. Authorization Policy

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
An engineer has bound three monitors to a service group and configured each of the monitors with a weight of 10. How should the engineer ensure that the members of the service group are marked as DOWN when at least two monitors fail?

A. Re-configure the weight of each monitor to 0.
B. Configure the service group with a threshold of 21.
C. Configure the service group with a threshold of 20.
D. Re-configure the weight of each monitor to 5, and configure the service group threshold to 15.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Scenario: A network engineer has created and bound a UDP-ECV monitor to identify the status of a UDP service. However, no matter what the response is, the service is always marked as UP. A possible cause of this behavior is that the network engineer __________. (Choose the correct option to complete the sentence.)

A. forgot to add a receive string
B. added the string ns_true as receive string
C. added a string that is invalid and thus skipped
D. added a string that is always part of the UDP handshake

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
While performing some re-cabling, a NetScaler engineer noticed that a power supply unit failed on a NetScaler appliance. What should the engineer enable to receive notification of a future hardware failure?

A. SMTP
B. SNMP
C. Health monitoring
D. EdgeSight monitoring

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
What type of protocol does AppFlow use for reporting?

A. TCP
B. UDP
C. HTTP
D. SSL_TCP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
A network engineer wants to collect performance statistics regarding the traffic between different points in the connection, specifically from client-to-NetScaler and from NetScaler to back-end server, and be able to present this to different analysis tools. Which feature on the NetScaler could the engineer use for this?

A. Syslog
B. nstrace
C. AppFlow
D. nsconmsg

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 12
A network engineer has been tasked with identifying the cause of intermittent network connectivity issues. Which command should the engineer use to generate the necessary network information required to diagnose the connectivity issues?

A. nslog
B. nstrace
C. nsumon
D. nsconmsg

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
A NetScaler implementation is experiencing intermittent network issues, specifically regarding traffic to a back-end service associated with IP address 10.10.1.86. Which command should a network engineer execute to generate diagnostic information to investigate this issue?

A. traceroute 10.10.1.86
B. show run | grep 10.10.1.86
C. nstcpdump.sh host 10.10.1.86
D. show service 10.10.1.86 -summary

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

In my lab

The command must be performed from the shell

QUESTION 14
A network engineer needs to investigate why a few users have issues logging on to the NetScaler system. How can the engineer troubleshoot authentication issues on the NetScaler system?

A. Use ECV monitoring.
B. Run a violations report in Reporting.
C. Use the CAT aaad.debug command.
D. Check the system-authentication setting in the GUI.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Drop to the shell and the file is located at:

/tmp/aaad.debug

QUESTION 15
Scenario: A NetScaler environment uses two-factor authentication and the second authentication method is AD. A user logs in to the environment but does NOT receive access to the resources that the user should have access to. How can an engineer determine the AD authentication issue on the NetScaler?

A. Check NSlogs.
B. Use nsconmsg.
C. Use the cat aaad.debug command.
D. Check the authorization configuration.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

Drop to the shell and the file is located at:

/tmp/aaad.debug

QUESTION 16
Scenario: Primary NetScaler (NS1) is licensed for 10000 Maximum ICA users and 305 Access Gateway users. Secondary NetScaler (NS2) is licensed for 10000 Maximum ICA users and five Access Gateway users. From where and which command should a network engineer run to display diagnostics on the licenses?

A. From the shell, run 'view license'.
B. From the shell, run 'more /var/log/license.log'.
C. From the command-line interface, run 'show license'.
D. From the command-line interface, run 'cat /var/log/license.log'.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

Drop to shell

root@ns# cat license.log
23:14:27 (lmgrd) -----------------------------------------------
23:14:27 (lmgrd) Please Note:
23:14:27 (lmgrd)
23:14:27 (lmgrd) This log is intended for debug purposes only.
23:14:27 (lmgrd) In order to capture accurate license
23:14:27 (lmgrd) usage data into an organized repository,
23:14:27 (lmgrd) please enable report logging. Use Macrovision's
23:14:27 (lmgrd) software license administration solution,
23:14:27 (lmgrd) FLEXnet Manager, to readily gain visibility
23:14:27 (lmgrd) into license usage data and to create
23:14:27 (lmgrd) insightful reports on critical information like
23:14:27 (lmgrd) license availability and usage. FLEXnet Manager
23:14:27 (lmgrd) can be fully automated to run these reports on
23:14:27 (lmgrd) schedule and can be used to track license
23:14:27 (lmgrd) servers and usage across a heterogeneous
23:14:27 (lmgrd) network of servers including Windows NT, Linux
23:14:27 (lmgrd) and UNIX. Contact Macrovision at
23:14:27 (lmgrd) www.macrovision.com for more details on how to
23:14:27 (lmgrd) obtain an evaluation copy of FLEXnet Manager
23:14:27 (lmgrd) for your enterprise.
23:14:27 (lmgrd)
23:14:27 (lmgrd) -----------------------------------------------
23:14:27 (lmgrd)
23:14:27 (lmgrd)
23:14:27 (lmgrd) The license server manager (lmgrd) running as root:
23:14:27 (lmgrd) This is a potential security problem
23:14:27 (lmgrd) and is not recommended.
23:14:27 (lmgrd) FLEXnet Licensing (v11.5.0.0 build 59386 i86_f6) started on ns () (8/8/2013)
23:14:27 (lmgrd) Copyright (c) 1988-2007 Macrovision Europe Ltd. and/or Macrovision Corporation. All Rights Reserved.
23:14:27 (lmgrd) US Patents 5,390,297 and 5,671,412.
23:14:27 (lmgrd) World Wide Web: http://www.macrovision.com
23:14:27 (lmgrd) License file(s): /nsconfig/license/FID__4cd04b50_1405594d8d1_2997.lic
23:14:27 (lmgrd) lmgrd tcp-port 27000
23:14:27 (lmgrd) Starting vendor daemons ...
23:14:27 (lmgrd) Started CITRIX (internet tcp_port 64529 pid 241)
23:14:27 (CITRIX) FLEXnet Licensing version v11.3.0 build 28877
23:14:27 (CITRIX) lmgrd version 11.5, CITRIX version 11.3
23:14:27 (CITRIX) Server started on ns for: CNS_SPE_SERVER
23:14:27 (CITRIX) CNS_V1000_SERVER
23:14:27 (CITRIX)
23:14:27 (CITRIX) Licenses are case sensitive for CITRIX
23:14:27 (CITRIX)
23:14:27 (lmgrd) CITRIX using TCP-port 64529
lmstat - Copyright (c) 1989-2007 Macrovision Europe Ltd. and/or Macrovision Corporation. All Rights Reserved.
Flexible License Manager status on Thu 8/8/2013 23:14

License server status: 27000@ns
License file(s) on ns: /nsconfig/license/FID__4cd04b50_1405594d8d1_2997.lic:

ns: license server UP (MASTER) v11.5

Vendor daemon status (on ns):

CITRIX: UP v11.3
Feature usage info:

Users of CNS_SPE_SERVER: (Total of 1 license issued; Total of 0 licenses in use)

Users of CNS_V1000_SERVER: (Total of 1 license issued; Total of 0 licenses in use)

23:14:32 (lmgrd) lmgrd will now shut down all the vendor daemons
23:14:32 (lmgrd) Shutting down CITRIX pid=241 because of signal 15
23:14:32 (CITRIX) Shutdown requested from root@ns IP=127.0.0.1
23:14:32 (CITRIX) daemon shutdown requested - shutting down
23:14:32 (lmgrd) CITRIX exited with status 46 (lmgrd requested vendor daemon down)
23:14:32 (lmgrd) Shut down FLEXnet CITRIX license server system on machine ns
23:14:32 (lmgrd) EXITING DUE TO SIGNAL 15
root@ns#

QUESTION 17
A client is trying to reach a back-end server with an IP address of 10.192.31.5 given the following routing table:

Which route would the NetScaler use for this client?

A. 1
B. 5
C. 6
D. 7

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

This is a basic subnetting question. With a mask of 255.255.254.0 we borrow one bit from the network and use it for the hosts. The client address that we are interested in is 10.192.31.5 and, following on from the previous statement, we know that the one bit which is borrowed can be on or off and still be on the same subnet. This would mean that 10.192.0.x and 10.192.1.x would be on the same subnet, likewise 10.192.2.x and 10.192.3.x. The pattern is odd number and the next even number in the third octet are in the same subnet. From this we can see that 10.192.30.x and 10.192.31.x are on the same subnet, hence the traffic would go through option 6.

QUESTION 18
A network engineer is testing a new load balancing virtual server "test" that has the service group "test-grp" bound to it. Which command could the engineer run to show connection details for the new virtual server?

A. show server
B. show services
C. show servicegroups
D. show connectiontable

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
An engineer is checking that ports are configured correctly between the NetScaler system and a back-end web server. Which command should the engineer use to test that the web server is responding on port 80?

A. telnet webA.example.com 80
B. telnet webA.example.com:80
C. telnet webA.example.com port=80
D. telnet webA.example.com -port 80

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
How could a network engineer gather detailed network information?

A. System node -> Diagnostics -> Call home
B. System node -> Diagnostics -> Start new trace
C. System node -> Diagnostics -> Show techsupport
D. System node -> Diagnostics -> Show running vs saved config

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

The nstrace file can be found in /var/nstrace

The file is binary but could be copied to a workstation and viewed with wireshark

QUESTION 21
An engineer has configured a DNS virtual server on a NetScaler appliance but the monitors are showing DOWN and DNS resolution is failing. Which of the following should the engineer check?

A. Port 53 between the VIP address and the DNS servers is allowed
B. That an ADNS_TCP service has been configured on the NetScaler
C. That the load balancing feature has been enabled on the NetScaler
D. Port 53 between the NSIP address and the DNS servers is allowed
E. Port 53 between the SNIP address and the DNS servers is allowed

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
Scenario: The network engineer is setting up a new NetScaler using a direct connection. Three networks are connected to the NetScaler. After initial configuration and restart, the engineer would like to confirm the routing table entries. From which location and which command should the engineer run to display the routing table?

A. From the shell 'netstat -r'
B. From the shell 'route monitor'
C. From the command-line interface 'show pbr'
D. From the command-line interface 'show route'

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
A network engineer is troubleshooting a situation where ARP requests for IPs in other subnets (for example 10.192.12.80) are appearing in the 10.192.8.0/24 subnet. Which command could the engineer run on the NetScaler to verify IP to VLAN bindings?

A. show ip
B. netstat -r
C. show arp
D. show vlan

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24
Scenario: A network engineer suspects that there is a duplex mismatch in the network configuration. The NSIP address is 10.10.1.206. How can the administrator verify the configuration in this scenario?

A. Run the 'netstat -r' command.
B. Run the show IP 10.10.1.206 command.
C. Run the start nstrace -level 10 command.
D. Check for the interface configuration in the GUI.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25
Scenario: A user browses to a page and is presented with a warning that he is trying to enter a web site with an untrusted certificate. The network engineer had added the correct certificate to the SSL virtual server. What could be the cause of this issue?

A. TLS is disabled on the virtual server.
B. The certificate is not linked to the intermediate CA
C. The certificate has expired and needs to be renewed.
D. The CA certificate has not been added to the SSL virtual server.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26
A network engineer is trying to read an nstrace from the NetScaler but can only see encrypted traffic. Which file(s) are required to decrypt the network trace?

A. The server certificate
B. The server's root certificate
C. The private key for the server certificate
D. The private key for the server root certificate

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27
Scenario: A network engineer created an SSL virtual server and enabled smart card on it. The engineer tried browsing to the server and noticed the back-end system could NOT see the user's certificates. What could be causing this issue?

A. The SSL virtual server cannot forward a client certificate.
B. The network engineer has not set smart card to mandatory.
C. The SSL virtual server cannot use smart card authentication.
D. The network engineer has not enabled SNI on the virtual server.
E. The network engineer forgot to enable the SSL policy allowing smart card forwarding on the SSL virtual server.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 28
A network engineer might choose to use SSL_Bridge instead of an SSL virtual server in order to __________. (Choose the correct option to complete the sentence.)

A. be able to decrypt the SSL traffic
B. enable use of OCSP for revoked certificates
C. pass user certificates to the back-end servers
D. enable SSL server certificates on the service group

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29
Scenario: A network engineer has bound four policies to an HTTP virtual server as follows:
PolicyA is bound with a priority of 10 and has the following expression: REQ.IP.SOURCEIP == 10.10.10.0
PolicyB is bound with a priority of 15 and has the following expression: REQ.IP.SOURCEIP != 10.10.11.0
PolicyC is bound with a priority of 20 and has the following expression: REQ.IP.SOURCEIP == 10.10.12.0
PolicyD is bound with a priority of 25 and has the following expression: REQ.IP.SOURCEIP != 10.10.13.0
When a connection is made from a PC with an IP address of 10.10.12.15, which policy will be applied?

A. PolicyA
B. PolicyB
C. PolicyC
D. PolicyD

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Don't be fooled by this, as the first policy to match will be used; in this case 10.10.12.15 is not 10.10.11.0, hence it satisfies PolicyB.

QUESTION 30
Scenario: A network engineer has bound four policies to a virtual server as follows:
PolicyA has a priority of 10
PolicyB has a priority of 20
PolicyC has a priority of 30
PolicyD has a priority of 0
Which policy will be evaluated first?

A. PolicyA
B. PolicyB
C. PolicyC
D. PolicyD

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
The lowest number is the highest priority and zero counts as low

QUESTION 31
Scenario: An engineer has a NetScaler system with NSIP 192.168.10.1 with subnet mask 255.255.0.0. The company changed the IP network to use subnet mask 255.255.255.0. Which two commands could the engineer run to modify the subnet mask of the NSIP? (Choose two.)

A. ifconfig
B. configns
C. set ns ip
D. add ns ip

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32
Scenario: A network engineer is going to roll out an upgrade from a 9.x version on a standalone NetScaler appliance using the command-line interface. Which two items does the engineer need to download before proceeding with the upgrade? (Choose two.)

A. SSL Certificates Files
B. NetScaler Firmware File
C. NetScaler Configuration file
D. NetScaler Documentation File

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33
Scenario: A network engineer needs to implement high availability (HA) for a pair of NetScaler appliances. The existing appliance was recently restarted and the new appliance has been rack mounted and turned on for several weeks waiting to be configured. The engineer needs to create an HA pair, but is concerned that his original appliance will get erased when the HA pair is created. Which two tasks could the engineer do before the creation of the HA pair to ensure that the existing unit stays the main appliance? (Choose two.)

A. Set StayPrimary on the existing node.
B. Configure StaySecondary on the new node.
C. Enable HA Sync before adding the second node.
D. Create a Route Monitor to ensure proper synchronization.
E. Ensure that INC mode is enabled during creation of HA Pair.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

Exam C

QUESTION 1
The purpose of pre-fetch in integrated caching is to automatically __________. (Choose the correct option to complete the sentence.)

A. refresh a cached object before expiring
B. fetch objects from the forwarding cache before expiring
C. retrieve all objects on a published website after a policy is applied
D. retrieve an object in the expression from a website after a policy is applied

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
Scenario: A network engineer configured a new NetScaler MPX appliance without any VLANs and with a single interface connected to the network. The engineer has not completed any other configurations. The interface is then accidentally disabled and contact is lost with the appliance. Which two actions can the network engineer take to restore communications to the appliance? (Choose two.)

A. Connect to the SNIP instead of the NSIP.
B. Connect another of the unused interfaces.
C. Use the serial port to connect and then bring the disabled interface online.
D. Connect a crossover cable to port that has been disabled and connect to the NSIP.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
By default all addresses talk out on all interfaces

The hardware version of the Netscaler can be configured via serial cable and Putty

QUESTION 3
Scenario: A pair of NetScaler devices have recently been installed into the corporate DMZ. The NetScalers have been installed in two-arm mode, with two interfaces in an Internet-facing VLAN and two interfaces in the internal VLAN. A private management subnet also exists. The NetScaler engineer would like to secure and restrict communication between the management subnet and the SNIP address on that subnet. Which two actions could the engineer take to help with these goals? (Choose two.)

A. Apply an ACL on the specified SNIP.
B. Remove the ACL list to the internal VLAN.
C. Remove the NSIP address from the NetScaler.
D. Configure the SNIP with the -gui SECUREONLY option.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Which two of the following settings could be configured using a TCP profile that is bound to a service? (Choose two.)

A. TCP buffer size
B. Window scaling
C. TCP Server time-out values
D. Source IP for specific subnet
E. Allowed bandwidth throughput
F. Number of max concurrent TCP connections

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 5
Scenario: The NetScaler has been connected to two external networks provided by different Internet service providers (ISPs). Dynamic routing is not enabled. Traffic is expected to use the first ISP (through the 10.50.1.1 router) if possible and the second, slower ISP (through the 10.51.1.1 router) only if the Primary ISP fails. Which two commands could the network engineer execute to configure the routes? (Choose two.)

A. add route 0.0.0.0 0.0.0.0 10.51.1.1 -cost 10 -monitor arp
B. add route 0.0.0.0 0.0.0.0 10.50.1.1 -cost 5 -monitor PING
C. add route 0.0.0.0 0.0.0.0 10.50.1.1 -cost 15 -msr ENABLED
D. add route 0.0.0.0 0.0.0.0 10.51.1.1 -cost 3 -monitor PING-DEFAULT

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 6
Scenario: A network engineer plans to configure an Active Directory Server as the default authentication for a NetScaler deployment and provide users with the option to change their password if it is expired. Which two actions should the engineer take to configure this authentication requirement on the NetScaler system? (Choose two.)

A. Configure a pre-authentication policy.
B. Select security type as SSL on Authentication policy.
C. Configure Authentication server with SSO name attribute.
D. Configure Authentication server with allow Password change option.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
When configuring NetScaler authentication to access a web site, which two things should a network engineer verify in the environment? (Choose two.)

A. AAA is enabled.
B. One DNS server exists.
C. A Keytab file is available.
D. An authentication virtual server exists.
E. A traffic management virtual server exists.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 8
Scenario: A NetScaler engineer has received an SSL certificate and bound it to the vServer. However, users are unable to browse to the website using HTTPS. When the NetScaler engineer browses to the site using HTTPS, the engineer notices that the certificate chain is incomplete. Which two steps should the administrator take to fix the virtual server? (Choose two.)

A. Generate a new CSR.
B. Install a new Certificate Authority (CA).
C. Install the Intermediate Certificate from the CA.
D. Link the Intermediate Certificate to the virtual server.
E. Link the SSL Certificate to the Intermediate Certificate.

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 9
A security test has been completed on an SSL offload implementation and it has been determined that the certificate key length is too short and must be increased. Which two steps must the network engineer complete to resolve this? (Choose two.)

A. Bind the certificate to an SSL service group.
B. Bind the certificate to an SSL Offload virtual server.
C. Add a new SSL policy to the SSL offload virtual server.
D. Use the "Client certificate wizard" to generate a CSR, request a certificate and import.
E. Use the "Server certificate wizard" to generate a CSR, request a certificate and import.

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 10
What are two ways in which the NetScaler TCP buffering feature improves application performance? (Choose two.)

A. Buffers the client request
B. Buffers the server response
C. Forwards the response to the client at the speed of the client network
D. Forwards the request to the server at the speed of the server network

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 11
Which two parameters in the TCP buffering settings can be controlled by a network engineer? (Choose two.)

A. buffering size
B. source IP range
C. destination IP range
D. memory size for buffering

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

Setting TCP Buffering Parameters
Updated: 2013-06-17

You can configure two TCP buffering parameters: buffer size and memory usage limit. For best performance, set the connection buffer size so that most responses can fit in the TCP buffer. If integrated caching is not enabled, to provide maximum buffering capacity, increase the memory usage limit to up to half the total system memory.

To set TCP buffering parameters by using the command line interface
At the command prompt, type:
set ns tcpbufParam -size <positiveInteger> -memLimit <positiveInteger>

To set TCP buffering parameters by using the configuration utility
Navigate to System > Settings.
In the details pane, under Settings, click Change TCP parameters.
In the Configure TCP Parameters dialog box, under TCP Buffering, in the Buffer Size (KBytes) text box, type the size of the TCP buffer you want to set, for example, 128.
In the Memory Usage Limit (MBytes) text box, type the maximum memory size that you want to use for buffering, for example, 128.
Click OK.

QUESTION 12
Which two response codes and pages can be cached on the NetScaler using Integrated Caching? (Choose two.)

A. 400 Bad request
B. 302 Found pages
C. 401 Unauthorized
D. 404 Not found pages
E. 500 Internal server error

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 13
Scenario: Company Inc. wants to modify the HTTP Server header so that unauthorized users and malicious code CANNOT use the header to identify the software that the HTTP server uses. Which two actions can the engineer take to meet the needs of the scenario? (Choose two.)

A. Add an HTTP Server Type on the Client Request.
B. Mask the HTTP Server Type on the Server Response.
C. Replace the HTTP Server Type on the Client Request.
D. Delete the HTTP Server Type on the Server Response.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 14
An engineer should use the filter (content filtering) feature to prevent __________ and __________. (Choose the two correct options to complete the sentence.)

A. the use of unauthorized HTTP methods
B. a client from accessing a specific IP on the back-end
C. inappropriate HTTP headers from being sent to your Web server
D. inappropriate MSSQL commands from being sent to your SQL server
E. a client from a specific VLAN ID to access resources on the NetScaler

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 15
When configuring an advanced HTTP callout based on attributes, what are two valid parameters? (Choose two.)

A. SSL cipher type
B. Down state flush
C. Gateway address
D. IP address and port
E. URL stem expression

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 16
What are two valid ways of checking that a back-end web server is reachable from the NetScaler SNIP address using port 80? (Choose two.)

A. Run traceroute.
B. Run telnet using the -srcip option.
C. Bind a DNS monitor to a service group containing the web server.
D. Bind an HTTP monitor to a service group containing the web server.
E. Run the ping command between the NetScaler and the web server.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 17
Scenario: An engineer implementing a NetScaler is tasked with creating a new VLAN, named VLAN 2, and adding it to the current interfaces. A new IP address of 10.102.29.54 with a network mask of 255.255.255.0 must be configured for VLAN 2. Which commands could the engineer use to achieve this configuration in the command-line interface prior to binding VLAN 2?

A. add ns ip 10.102.29.54 255.255.255.0
   add vlan 2
B. set vlan 2 -aliasName VLAN2
   add ns ip 10.102.29.54 255.255.255.0
C. add ns ip 10.102.29.54 255.255.255.0 -vrID 2
D. add ns ip 10.102.29.54 255.255.255.0 -type SNIP
   set ns ip 10.102.29.54 255.255.255.0 -vrID 2

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 18
Scenario: GSLB has been configured for use within a multisite environment. The MEP status is reported as down on all GSLB appliances. The appliances have been configured for unsecured MEP exchange. Which port must the network engineer ensure is open between the NetScaler appliances?

A. TCP 3011
B. UDP 3011
C. TCP 3012
D. UDP 3012

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 19
Scenario: The network engineer is unable to access a specific SSL site through the NetScaler. While reviewing traces on the NetScaler, the network engineer noticed "Handshake" failures from the server. These handshake failures could be the result of the virtual server __________. (Choose the correct option to complete the sentence.)

A. only allowing TLS
B. not allowing SSLv3
C. not allowing correct ciphers
D. configured to demand client authentication

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 20
Scenario: A network engineer has installed a NetScaler system into their corporate DMZ and would like to provide access to a web server on the internal LAN. The web server will be accessed by external users through the NetScaler. The firewall administrator has opened the relevant ports required on the external and the internal firewall. The engineer notices that the virtual server and services representing the web server are down and the internal web server does NOT appear accessible from the NetScaler. What could be the cause of this?

A. USIP is not enabled.
B. Client IP Insertion is not enabled.
C. A URL rewrite policy is not created.
D. A SNIP address has not been added.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 21
Scenario: A network engineer gets an error message when using the configuration utility to import a PKCS#12 certificate that contains a dollar sign ($), a backquote (`), or an escape (\) character password. In order to address this error, the network engineer could prefix it with __________. (Choose the correct option to complete the sentence.)

A. an escape character (\)
B. a backquote character (`)
C. a dollar sign character ($)
D. a double quotation character (")

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
Scenario: A network engineer has modified the configuration of a content-switching virtual server, Website_main, because a second content-switching server that is capable of handling more connections has been added to the NetScaler implementation. Both servers will remain in operation. The engineer made the following configuration changes:

> set cs vserver Website_main -lbvserver New_Server -backupVserver Old_Server -redirectURL http://www.mydomain.com/maintenance -soMethod Connection -soThreshold 1000

Why did the engineer enable the spillover option?

A. To handle incoming connections in case the new server is unavailable
B. To handle the extra connections using the old server without dropping them
C. To redirect the extra connections to the Maintenance website when it is needed
D. To handle incoming connections while the server reaches its limit of connections

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 23
Scenario: A company is using Citrix NetScaler VPX for publishing internal resources using Citrix Access Gateway with Smart Access. Since the number of users has increased the company wants to migrate from Citrix NetScaler VPX to Citrix NetScaler MPX. The engineer is running a parallel installation of the Citrix NetScaler MPX and now needs to transfer the Citrix Access Gateway Universal Licenses from a Citrix NetScaler VPX to a Citrix NetScaler MPX platform. How should the engineer transfer the Citrix Access Gateway Universal License files from the VPX to the MPX?

A. Backup the /nsconfig directory from the Citrix NetScaler VPX using SCP, restore the /nsconfig directory to the Citrix NetScaler MPX using SCP.
B. Download the Access Gateway Universal License file(s) from the Citrix NetScaler VPX using SCP. Upload the Access Gateway Universal License file(s) to the Citrix NetScaler MPX using SCP.
C. Logon to www.MyCitrix.com, return the Citrix Access Gateway Universal License file(s), reallocate the Citrix Access Gateway Universal License file using the hostname of the Citrix NetScaler MPX.
D. Logon to www.MyCitrix.com, return the Citrix Access Gateway Universal License file(s), reallocate the Citrix Access Gateway Universal License file using the MAC Address of the Citrix NetScaler MPX.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 24

A network engineer should use the Advanced tab when configuring load balancing to enable __________. (Choose the correct option to answer the question.)

A. SSL offloading

B. Integrated caching

C. EdgeSight Monitoring

D. Direct Server Return Mode

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 25

Scenario: A network engineer needs to add an NTP server to a NetScaler appliance. The NTP service is configured on 10.10.1.49. Which command should the network engineer use within the command-line interface to add in an NTP server for time synchronization?

A. add ntp server 10.10.1.49

B. add server NTP 10.10.1.49

C. add service NTP 10.10.1.49 TCP 123

D. add service NTP 10.10.1.49 UDP 123

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 26

Scenario: A network engineer deployed a new NetScaler MPX appliance on the network and all interfaces are connected to the core switch. The network engineer notices the CPU utilization has become very high on the switch since the NetScaler deployment. Which two actions could the engineer perform on the NetScaler to resolve this issue? (Choose two.)

A. Configure VMAC

B. Utilize static routing

C. Configure a channel

D. Connect a single interface only

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 27

A network engineer has enabled USIP and USNIP and set a unique IP address as the source IP using the proxyIP parameter on an INAT policy. Which is the correct order of precedence for the IP addresses?

A. Unique IP-USIP-MIP-Error

B. USIP-unique IP-USNIP-MIP-Error

C. USIP-Unique IP-MIP-USNIP-Error

D. USIP-USNIP-MIP-Unique IP-Error

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
http://support.citrix.com/proddocs/topic/netscaler-advanced-networking-93-map/ns-nw-ipaddrssng-confrng-inbnd-nw-addrss-trnsltn-tsk.html

If both USIP and USNIP modes are enabled and a unique IP address has been specified, the order of precedence is as follows: USIP-unique IP-USNIP-MIP-Error.

QUESTION 28

Scenario: An engineer configures two NetScaler appliances in a high availability (HA) pair. As part of a monthly health check, the engineer attempts to log on to the second node of the HA pair and is unable to access the management IP Address. The engineer logs on to the first NetScaler node and verifies that HA is working and operational. What does the engineer need to do to resolve this problem?

A. Create an ACL to allow access to the NSIP of the second node.

B. Add a SNIP for the Management IP Address of the second node.

C. Ensure that HA Route Monitors have been configured for the second node.

D. Change the NSRoot password back to default then log on to the second node.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 29

A public SSL certificate on a virtual server is about to expire and the NetScaler engineer needs to renew the certificate before it expires. Which step must the engineer take to renew the SSL Certificate?

A. Generate a new CSR

B. Recreate the Private Keys

C. Execute CRL Management

D. Update the existing certificate

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 30

An environment network has:

High bandwidth

Low packet loss

High Round-Trip Time (RTT)

Which TCP profile should an engineer configure for the environment described?

A. Nstcp_default_profile

B. Nstcp_default_tcp_lfp

C. Nstcp_default_tcp_lnp

D. Nstcp_default_tcp_lan

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31

A network engineer is investigating a recent failure of NetScaler high availability and confirms that some recent changes were made to the configuration. What is a likely cause of the failure?

A. Load balancing virtual server marked DOWN.

B. SNIP has had management access removed.

C. RPC node password changed on an appliance.

D. The network command policy has been modified.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 32

Scenario: A network engineer adds a secondary node for high availability (HA) purposes. To confirm the implementation is working, the engineer initiates a failover; however, when this is complete, some virtual servers are unreachable. What is a possible cause of this issue?

A. SSL has not been enabled as a feature.

B. The network configuration is mismatched on the nodes.

C. HA sync does not propagate network settings by default.

D. The nsroot password has been changed on the new node.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 33

Scenario: A network engineer needs to provide web server administrators with access to monitoring and reporting after changing the default root password during the initial setup of the NetScaler. The engineer needs to ensure that the administrators can perform this task. What should the engineer do in order to ensure that the administrators are able to log on to the NetScaler?

A. Create a group.

B. Create user accounts.

C. Create an authorization policy.

D. Create an authentication policy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 34

A network engineer has started at a new company and has been instructed to restrict access to an external facing VIP to selected third party clients, based on their source IP address range. What could the engineer do to accomplish this task?

A. Enable USNIP mode on the NetScaler.

B. Enable the host route option on the external VIP.

C. Create an Extended ACL based on the source IP address.

D. Create a SNIP address in the external VLAN limited to the source IP addresses.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 35

Scenario: An engineer has been asked to implement load balancing of an existing unsecured web application. The engineer needs to ensure that users will access the web application using HTTPS, but no changes can be made to the web servers hosting the web application. In order to fulfill the requirements, the engineer must create an __________ service group and add members with port __________; and bind the service group to an __________ virtual server. (Choose the correct set of options to complete the sentence.)

A. SSL; 443; SSL

B. HTTP; 80; SSL

C. SSL; 80; HTTP

D. HTTPS; 443; HTTP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 36

A network engineer notes that a high availability pair (HA) is NOT synchronizing correctly and decides to open a ticket with Citrix Support. When opening the new ticket with Citrix Support, the engineer should run show __________ and __________. (Choose the correct set of options to complete the sentence.)

A. ha node; provide any public IP addresses listed

B. ha node; provide the hello and dead interval data

C. techsupport on the primary device; send the output to Citrix Support

D. techsupport on both the primary and secondary devices; send the output to Citrix support

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
