UAG SP1 DirectAccess Contest 1–Round 2/Quiz 4 (Final) and Contest 2 Round 1/Quiz 4

Wow! This is it – the last quiz in Contest 1. That’s right – this is quiz 4 of the second round.

To celebrate this occasion and to make things more interesting, we’re going to have FIVE questions. This will give those who are behind a better chance of catching up and put some pressure on the leaders.

Let the game begin!

Question 1:

Regarding Certificate Revocation List (CRL) checks, which of the following answers are true? (Choose all true answers):

     A.  If the client certificate CRL check fails, the IPsec tunnels cannot be established
     B.  If the server certificate CRL check fails, the IP-HTTPS tunnel cannot be established
     C.  You must publish the private CRL Distribution Point if you use a commercial CA for your IP-HTTPS listener
     D.  A CRL check is not performed when the DirectAccess client connects to the NLS


Question 2:
True or False: The DirectAccess client can use IP-HTTPS to connect to the UAG DirectAccess server when located behind an authenticating proxy where authentication is required:

     A.  True
     B.  False


Question 3:
For the default settings for end-to-end Authentication and encryption with UAG SP1, which of the following statements are true (select all true statements):

     A.  End to End security uses IPsec tunnel mode from DA client to intranet server
     B.  End to End security uses Authentication with null encapsulation
     C.  End to End security authenticates only the first packet to the destination server
     D.  End to End security uses ESP-NULL


Question 4:

Bob wants to enable a “manage out” scenario where intranet management servers can initiate connections to DirectAccess clients over the Internet. To do some basic testing, he wants the intranet management servers to be able to ping the DirectAccess client. When Bob tries to ping the DirectAccess client from the management server, the ping requests fail.

Bob checks the Firewall Rule he created to support inbound ping to the DirectAccess client and sees the following:

Figure A

Figure B

Figure C

Figure D

Which of these figures most likely explains the ping failure (Pick one)?:

     A.  Figure A
     B.  Figure B
     C.  Figure C
     D.  Figure D


Question 5:

Review the following figure:


Based on this figure, which of the following can you state are correct (pick all correct answers)?:

     A.  The intranet tunnel is active
     B.  The infrastructure tunnel is active
     C.  The DirectAccess client is using IP-HTTPS as its active IPv6 transition technology
     D.  The DirectAccess client is a domain member


There you go! Five questions with five answers ready for you to send to me.

Send me your answer with the following email link:

by 11AM Central Standard Time (-0600 UTC) on Monday January 31.



Tom Shinder
Principal Knowledge Engineer, Microsoft DAIP iX/Identity Management
Anywhere Access Group (AAG)
The “Edge Man” blog :
Follow me on Twitter:

Visit the TechNet forums to discuss all your UAG DirectAccess issues

Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki
