1Y0-351 - Citrix NetScaler 10.5 Essentials and Networking
Go back to Citrix
Scenario: An engineer has configured an SSL virtual server and has bound a service group of type HTTP containing several servers. The service group is UP but the virtual server is in a DOWN state. The engineer has verified that the SSL feature is enabled. What should the engineer do to ensure that the virtual server shows as UP?
Bind an SSL certificate to the virtual server.
Scenario: A network engineer created an IPv6 virtual server on the NetScaler. The virtual server is using a service group with two IPv4 servers bound to it. When testing access to the virtual server from a client configured with an IPv6 address, he is unable to connect. What could be the reason for this issue?
IPv6 protocol translation is disabled.
What is the key benefit to enabling Session Reuse on an SSL offload VServer?
A partial SSL handshake is sent over the existing SSL connection, reducing CPU and bandwidth usage.
Scenario: A network engineer adds a secondary node for high availability (HA) purposes. To confirm the implementation is working, the engineer initiates a fail over; however when this is complete, some virtual servers are un-reachable. What is a possible cause of this issue?
The network configuration is mismatched on the nodes.
A NetScaler Engineer has created a new custom user monitor script and needs to place it in the NetScaler filesystem for use. Where must the engineer place the custom script so that it is available for use?
Scenario: An engineer implementing a NetScaler is tasked with creating a new VLAN, named VLAN 2, and adding it to the current interfaces. A new IP address of 10.102.29.54 with a network mask of 255.255.255.0 must be configured for VLAN 2. Which commands could the engineer use to achieve this configuration in the command-line interface prior to binding VLAN 2?
add ns ip 10.102.29.54 255.255.255.0 add vlan 2
When using static proximity load-balancing method for a Global Server Load Balancing (GSLB) virtual server, there must be a match between the IP addresses in the custom/static database to the IP address of the _________ so that it is associated with a given location. (Choose the correct option to complete the sentence.)
Scenario: An engineer created a new test Web Interface site for the new XenDesktop farm that the IT Department is developing. Several weeks later the engineer finds out that several people across the company have been accessing the new test site. The engineer needs to ensure that only the IT Department subnets can access the test site. How could the engineer restrict access to the site so that only certain subnets can access this resource?
Add an Extended ACL to only allow specific subnets to the Web Interface Site.
What should a network engineer do to prevent unauthorized users from using the root user account?
Change the nsroot password.
A NetScaler Engineer is reviewing the performance of a NetScaler appliance and notices that TCP multiplexing (TCP connection reuse) appears to NOT be working for a virtual server. What could be the cause of this issue?
The virtual server was created as type SSL_BRIDGE
Scenario: A NetScaler Engineer is using the DataStream feature. The NetScaler appliance is located in front of a MySQL Database server in the network topology. The engineer would like to block requests that would drop a database. The engineer comes up with the expression MYSQL.REQ.QUERY.TEXT.CONTAINS("drop database"). The engineer should configure the expression with the ___________ feature to block these requests. (Choose the option to complete the sentence.)
Scenario: The network engineer is unable to access a specific SSL site through the NetScaler. While reviewing traces on the NetScaler, the network engineer noticed "Handshake" failures from the server. These handshake failures could be the result of the virtual server __________. (Choose the correct option to complete the sentence.)
not allowing correct ciphers
Scenario: A NetScaler Engineer connected a new NetScaler MPX appliance to the network. However, some of the interfaces were blocked on the uplink switch. The engineer needs to perform a network packet trace on the NetScaler appliance. For troubleshooting purposes, the engineer needs to separate trace files for each interface. The engineer executed the following command from the NetScaler CLI: start nstrace -perNIC ENABLED However, NetScaler created a single trace file. What should the engineer do to produce separate trace files for each interface?
Specify the tcpdump parameter.
Scenario: A network engineer needs to implement high availability (HA) for a pair of NetScaler appliances. The existing appliance was recently restarted and the new appliance has been rack mounted and turned on for several weeks waiting to be configured. The engineer needs to create an HA pair, but is concerned that his original appliance will get erased when the HA pair is created. Which two tasks could the engineer do before the creation of the HA pair to ensure that the exiting unit stays the main appliance? (Choose two.)
Set StayPrimary on the existing node.
Configure StaySecondary on the new node.
Scenario: A network engineer has bound four policies to an HTTP virtual server as follows: PolicyA is bound with a priority of 10 and has the following expression: REQ.IP.SOURCEIP == 10.10.10.0 PolicyB is bound with a priority of 15 and has the following expression: REQ.IP.SOURCEIP != 10.10.11.0 PolicyC is bound with a priority of 20 and has the following expression: REQ.IP.SOURCEIP == 10.10.12.0 PolicyD is bound with a priority of 25 and has the following expression: REQ.IP.SOURCEIP != 10.10.13.0 When a connection is made from a PC with an IP address of 10.10.12.15, which policy will be applied?
Which two compression actions could a NetScaler engineer use? (Choose two.)
A network engineer notes that a high availability pair (HA) is NOT synchronizing correctly and decides to open a ticket with Citrix Support. When opening the new ticket with Citrix Support, the engineer should run show __________ and __________. (Choose the set of options to complete the sentence.)
techsupport on both the primary and secondary devices; send the output to Citrix support
Server Name Indication (SNI) is required when __________. (Choose the option to complete the sentence.)
multiple certificates are used on multiple domains on the same VServer
Which two response codes and pages can be cached on the NetScaler using Integrated Caching? (Chose two)
302 Found pages
404 Not found pages
A network engineer has enabled USIP and USNIP and set a unique IP address as the source IP using the proxyIP parameter on an INAT policy. Which is the correct order of precedence for the IP addresses?
Scenario: A NetScaler Engineer creates a new HTTP VServer using the following command: add lb vserver lb_test HTTP 172.20.10.85 80 -lbMethod LEASTCONNECTION - persistencetype COOKIEINSERT -timeout 0 -authentication ON -cacheable YES During testing, the engineer notices a cookie named NSC_iuuq2 with a value of: ffffffff020a1d1545525d5f4f58455e445a4a423660 What is the purpose of this cookie?
It is used for persistence, describing the VServer ID, Service IP and Service Port.
Scenario: A NetScaler Engineer has discovered that the object home.php is NOT found in the cache on the system. Below is the relevant configuration: add cache contentGroup cache_content_group_1 -relExpiry 0 add cache policy cache_pol_1 -rule "http.REQ.URL.CONTAINS(\"home.php\")" -action MAY_CACHE -storeInGroup cache_content_group_1 add cache policy cache_pol_2 -rule "http.REQ.METHOD.EQ(\"GET\")" -action NOCACHE add cache policy cache_pol_3 -rule "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS" -action CACHE bind cache global cache_pol_1 -priority 90 -gotoPriorityExpression END -type REQ_OVERRIDE bind cache global cache_pol_2 -priority 100 -gotoPriorityExpression END -type REQ_OVERRIDE bind cache global cache_pol_3 -priority 100 -gotoPriorityExpression END -type RES_OVERRIDE The data from the client and the server are as following: GET /home.php HTTP/1.1 Host: www.website.com User-Agent: Mozilla Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Date: Thu, 09 Oct 2014 18:25:00 GMT Cookie: sessionid=100xyz HTTP/1.1 200 OK Date: Thu, 09 Oct 2014 18:25:00 GMT Server: Apache/2.2.3 (Fedora) Last-Modified: Wed, 09 Jul 2014 21:55:36 GMT ETag: "27db3c-12ce-5e52a600" Accept-Ranges: bytes Cache-Control: private, max-age=0 Set-Cookie: sessionid=100xyz; expires=Thu, 09-Oct-2014 18:30:00 GMT; path=/ Content-Length: 119 Connection: close Content-Type: text/html; charset=UTF-8 Why does the object NOT persist in the cache?
The content group has been configured with relExpiry 0.
Which statement is true about interface link-state on the NetScaler?
Interface link-state CANNOT be brought down from the NetScaler.
Scenario: A NetScaler Engineer is viewing Authentication, Authorization and Access (AAA) events on the NetScaler appliance to determine why a user is unable to log on. The events below have been logged during this timeframe: Fri Oct 17 18:17:16 2014 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[40\]: start_ldap_auth attempting to auth scottli @ 10.12.33.216 Fri Oct 17 18:17:18 2014 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[291\]: recieve_ldap_bind_event receive ldap bind event Fri Oct 17 18:17:18 2014 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[326\]: recieve_ldap_bind_event ldap_bind with binddn bindpw failed:Invalid credentials Fri Oct 17 18:17:18 2014 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1198\]: send_reject sending reject to kernel for : scottli What is the root cause of this issue?
The Bind DN credentials are invalid.
Scenario: A NetScaler Engineer has configured COOKIEINSERT persistence with a timeout value of two minutes on an SSL LBvServer. The idle time requirement for the application itself CANNOT be determined. Users report connections are intermittent. Once a session is disconnected, a user must re-authenticate in order to regain access. In order to this issue, the engineer should set persistence to __________ with a timeout of __________ minutes. (Choose the set of options to complete the sentence.)
Scenario: A NetScaler appliance currently has a manually configured channel containing four interfaces; however, the engineer has been told that the NetScaler must now only use a single interface for this network. The engineer removes the channel and immediately notices a decrease in network performance. How could the engineer resolve this issue?
Disable the unused interfaces
A NetScaler Engineer created an SSL virtual server but the status is showing as state DOWN. What could be causing the virtual server to show as state DOWN?
The SSL certificate is NOT bound to the virtual server.
Scenario: Users complain that they are NOT able to connect to a web site using the IP address. The relevant portion of the configuration is shown below: add ssl profile srv-web -sessReuse ENABLED -sessTimeout 120 -tls11 DISABLED -tls12 DISABLED -strictCAChecks YES add service svc-web 192.168.1.3 HTTP 80 add lb vserver srv-web SSL 192.168.1.22 443 -persistenceType NONE -cltTimeout 180 bind lb vserver srv-web svc-web set ssl vserver srv-web -eRSA DISABLED -clientAuth ENABLED -clientCert Optional -tls11 DISABLED -tls12 DISABLED -SNIEnable ENABLED add ssl policy svc-web -rule true -action NOOP bind ssl vserver srv-web -certkeyName WebCert -SNICert bind ssl vserver srv-web -policyName svc-web -priority 100 What is the likely cause of the connectivity issue?
Server Name Indication is enabled.
A network engineer must determine which SSL protocols are enabled on a virtual server named SSL01. Which command could the engineer run to see this information?
Show ssl vServer SSL01
A recent security audit has identified that NetScaler management is available on all Subnet IP (SNIP) adresses. Which step could an engineer take to ensure that these services are only available through the NetScaler IP (NSIP)?
Disable the 'Management Access' option on all SNIPs.
Multiple Subnet IPs (SNIPs) are defined in the same network. A NetScaler Engineer could specify the SNIP to use to communicate with servers on that network by configuring a __________. (Choose the option to complete the sentence.)
Which protocol is responsible for exchanging site metric, network metric, and persistence information between sites using Global Server Load Balancing (GSLB)?
Which two of the listed statements are true about Access Control Lists (ACLs) on the NetScaler? (Choose two.)
Extended ACLs may BRIDGE traffic.
Simple ACLs are bound on ALL interfaces.
An engineer is checking that ports are configured correctly between the NetScaler system and a back-end web server. Which command should the engineer use to test that the web server is responding on port 80?
telnet webA.example.com 80
An engineer should use the filter (content filtering) feature to prevent __________ and __________. (Choose the two correct options to complete the sentence.)
the use of unauthorized HTTP methods
inappropriate HTTP headers from being sent to your Web server
Which NetScaler feature could be used to stall policy processing to retrieve information from an external server?
Which setting would a NetScaler Engineer disable in order to stop the NetScaler from acting as a router for non-NetScaler owned IP addresses or entities?
In which two places could a NetScaler Engineer enable TCP Buffering? (Choose two.)
Scenario: A NetScaler Engineer is configuring a new system with connected interfaces 10/1 - 10/4 and runs the following commands: add ip 10.10.10.1 255.255.255.0 -type snip add vlan 10 bind vlan 10 -ifnum 10/1 On which interface(s) will subnet 10.10.10.1 respond to requests?
Interfaces 10/1 through 10/4
Scenario: A NetScaler Engineer is using the following policy to forward traffic when performing content switching: add cs action cs1_act -targetVserverExpr "HTTP.REQ.HOSTNAME" add cs policy cs1_switch_policy -rule true -action cs1_act bind cs vserver CS1-VIP -policyName cs1_switch_policy -priority 10 In order to make sure the policy works correctly, the engineer must name the __________ to match the hostname. (Choose the option to complete the sentence.)
load-balancing virtual servers
Scenario: A network engineer monitoring an HTTP service-related issue needs to view only the relevant data pertaining to the service being monitored. The IP address of the back-end service being monitored is 10.10.1.99. The NSIP address is 10.10.1.230. Which command should the engineer execute to monitor data relevant to this issue only in realtime?
Scenario: A network engineer deployed a new NetScaler MPX appliance on the network and all interfaces are connected to the core switch. The network engineer notices the CPU utilization has become very high on the switch since the NetScaler deployment. Which two actions could the engineer perform on the NetScaler to resolve this issue? (Choose two.)
Configure a channel
Connect a single interface only
Traffic to which destination is sourced from the NetScaler IP (NSIP) by default?
Scenario: An engineer configures two NetScaler appliances in a high availability (HA) pair. As part of a monthly health check, the engineer attempts to log on to the second node of the HA pair and is unable to access the management IP Address. The engineer logs on to the first NetScaler node and verifies that HA is working and operational. What does the engineer need to do to resolve this problem?
Create an ACL to allow access to the NSIP of the second node.
Which SSL parameter should an engineer configure to bind multiple certificate key pairs to a virtual server?
When configuring NetScaler authentication to access a web site, which two things should a network engineer verify in the environment? (Choose two.)
AAA is enabled.
An authentication virtual server exists.
A network engineer wants to configure a NetScaler for load balancing Voice over IP traffic (VoIP). Which hash method is the best fit for VoIP traffic?
Scenario: An engineer has a NetScaler system with NSIP 192.168.10.1 with subnet mask 255.255.0.0. The company changed the IP network to use subnet mask 255.255.255.0. Which two commands could the engineer run to modify the subnet mask of the NSIP? (Choose two.)
set ns ip
Scenario: A NetScaler Engineer is addressing an issue discovered during a vulnerability scan. The security team is requiring that the engineer disable specific SSL ciphers on the SSL VServer. Which two methods could the engineer use to meet this requirement? (Choose two.)
Change the list of bound ciphers on the VServer directly.
Un-assign the default group, create a custom cipher group and assign it to the VServer.