Citrix PracticeTest 1Y0-351 v2015-06-05 by Jimmy 167q

Citrix 1Y0-351 : Practice Test
Passing Score: 800

Time Limit: 120 min
http://www.gratisexam.com/
Exam Code: 1Y0-351

Title : Citrix NetScaler 10.5 Essentials and Networking
Sections
1. I&O&T Managed Services Traversing the Core
Exam A
QUESTION 1
Scenario: An engineer is upgrading the NetScaler firmware from version 10.1 to 10.5 and has a highavailability (HA) setup of two NetScaler MPX appliances.
What is the best practice process to upgrade this HA pair?
A.
B.
C.
D.
Upgrade the primary unit, test on the new build, and then upgrade the secondary unit.
Disable the secondary unit, upgrade the primary, test the new build and then upgrade the other unit.
Upgrade the secondary unit, do the failover, test on the new build, and then upgrade the primary unit.
Upgrade and restart both units at the same time and test on the new build after they both are running.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
What is the purpose of binding Certificate Authority (CA) certificates to a virtual server?
A.
B.
C.
D.
For SSL Offload

To validate the server certificate
For client certificate authentication
To provide intermediate certificates to the client
Correct Answer: C
Section: (none)
Explanation
QUESTION 3
Scenario: NetScaler is configured with a Subnet IP (SNIP) 192.168.1.10/24 on VLAN 1 and a SNIP
172.168.1.50/24 on VLAN 100.
VLAN 100 has been properly associated with interface 1/1 and SNIP 172.168.1.50.
A user on VLAN 100 is attempting to access a virtual server on 192.168.1.25 and NOT getting a response.
After troubleshooting the network, an engineer identifies that asymmetric packet flows are NOT using the
right interfaces on the return path to the client.
Which NetScaler setting must be enabled to avoid this behavior?
A.
B.
C.
D.
Layer 3 Mode
Layer 2 Mode
Direct Route Advertisement
MAC-based forwarding (MBF)
Correct Answer: D
Section: (none)
Explanation
QUESTION 4
What is the purpose of the SSL Certificate Authority (CA) root certificate during an SSL connection?
A.
B.
C.
D.
SSL Cipher Exchange

Session Key Exchange
Pre Shared Master Secret Generation
Server Certificate Signature Verification
Correct Answer: A
Section: (none)
Explanation
QUESTION 5
Which two options could a NetScaler Engineer configure to ensure that a revoked client certificate
CANNOT be used for a client certificate authentication? (Choose two.)
A.
B.
C.
D.
Server Name Indication (SNI)

Certificate Revocation List (CRL)
Certificate Signing Request (CSR)
Online Certification Status Protocol (OCSP)
Correct Answer: BD
Section: (none)
Explanation
QUESTION 6
Scenario: A NetScaler Engineer is using the DataStream feature. The NetScaler appliance is located in
front of a MySQL Database server in the network topology.
The engineer would like to block requests that would drop a database. The engineer comes up with the
expression MYSQL.REQ.QUERY.TEXT.CONTAINS("drop database").
The engineer should configure the expression with the ___________ feature to block these requests.
(Choose the option to complete the sentence.)
A.
B.
C.
D.
Responder
Rate Limiting
Content Filtering
Access Control List
Correct Answer: A
Section: (none)
Explanation
QUESTION 7
A NetScaler Engineer has created a new custom user monitor script and needs to place it in the NetScaler
filesystem for use.
Where must the engineer place the custom script so that it is available for use?
A.
B.
C.
D.
/nsconfig/monitors
/netscaler/monitors
/var/nstemp/monitors
/netscaler/monitors/perl_mod
Correct Answer: A
Section: (none)
Explanation
QUESTION 8
Which setting would a NetScaler Engineer disable in order to stop the NetScaler from acting as a router for
non-NetScaler owned IP addresses or entities?
A.
B.
C.
D.
Layer 2 mode
Layer 3 mode
MAC-based forwarding
Use Subnet IP (USNIP)
Correct Answer: C
Section: (none)
Explanation
QUESTION 9
Scenario: A NetScaler Engineer recently enabled the HTTP Compression feature. In reviewing the HTTP
compression statistics, the engineer notices that content from all HTTP virtual servers created prior to
enabling the compression feature is NOT being compressed.
What should the engineer do to allow compression for any pre-existing HTTP virtual servers?
A.
B.
C.
D.
Recreate the HTTP virtual servers.

Recreate any existing compression policies.
Enable compression on the associated bound services.
Ensure 'Allow Server side compression' is unchecked on the NetScaler.
Correct Answer: C
Section: (none)
Explanation
QUESTION 10
In a high-availability (HA) configuration, a NetScaler Engineer notices that the HA Synchronization status
shows as failed.
What could be causing the HA Synchronization to fail?
A. Port 3003 is being blocked
B. Port 3009 is being blocked
C. The RPC passwords are incorrect

D. The nsroot passwords are incorrect
Correct Answer: C
Section: (none)
Explanation
QUESTION 11
Scenario: An organization has a fair usage policy that limits each customer to a maximum of five active
connections in any given second. A NetScaler Engineer is given the task of implementing the requirements
to enforce a policy using the Rate Limiting feature on NetScaler.
Which commands should the network engineer execute to create a proper selector and limit identifier that
fulfills the policy requirement?
A. add stream selector API_selector CLIENT.IP.SRC
add ns limitIdentifier API_limitidf -threshold 5 -mode CONNECTION -timeslice 1000 - selectorName
API_selector
B. add stream selector API_selector HTTP.REQ.URL
add ns limitIdentifier API_limitidf -threshold 5 -mode CONNECTION -timeslice 1000 - selectorName
API_selector
C. add stream selector API_selector HTTP.REQ.URL
add ns limitidentifier limit_req -mode request_rate -limitType smooth -timeslice 1000 - Threshold 5 selectorName API_selector
D. add stream selector API_selector CLIENT.IP.SRC
add ns limitidentifier limit_req -mode request_rate -limitType smooth -timeslice 1000 - Threshold 5 selectorName API_selector
Correct Answer: A
Section: (none)
Explanation
QUESTION 12
A network engineer needs to prevent too many simultaneous HTTP requests that can cause a Denial Of
Service (DDoS). What could the engineer enable to prevent too many simultaneous HTTP requests?
A.
B.
C.
D.
Rate Limiting
SureConnect
Priority Queuing
Authorization Policy
Correct Answer: A
Section: (none)
Explanation
QUESTION 13
Scenario: A network engineer created an IPv6 virtual server on the NetScaler. The virtual server is using a
service group with two IPv4 servers bound to it. When testing access to the virtual server from a client
configured with an IPv6 address, he is unable to connect.
What could be the reason for this issue?
A.
B.
C.
D.
The NetScaler is disabled for NAT.

IPv6 protocol translation is disabled.
An IPv6 address on the NetScaler is not bound to the VLAN.
The NetScaler does not have an INAT rule to convert IPv4 to IPv6 from the back-end servers.
Correct Answer: B
Section: (none)
Explanation
QUESTION 14
What should a network engineer do to prevent unauthorized users from using the root user account?
A.
B.
C.
D.
Reset the nsroot account.

Change the nsroot password.
Create an authorization policy.
Bind a policy to the root user account.
Correct Answer: B
Section: (none)
Explanation
Changing the Password of the Default User Account
The default user account provides complete access to all features of the Citrix SDX appliance. Therefore,
to preserve security, the nsroot account should be used only when necessary, and only individuals whose
duties require full access should know the password for the nsroot account. Citrix recommends changing
the nsroot password frequently. If you lose the password, you can reset the password to the default by
reverting the appliance settings to factory defaults.
You can change the password of the default user account in the Users pane. In the Users pane, you can
view the following details:
Name Lists the user accounts configured on the SDX appliance. Permission Displays the permission level
assigned to the user account.
To change the password of the default user account On the Configuration tab, in the navigation pane,
expand System, and then click Users. In the Users pane, click the default user account, and then click
Modify. In the Modify System User dialog box, in Password and Confirm Password, enter the password of
your choice.
Click OK.
QUESTION 15
Scenario: A NetScaler Engineer connected a new NetScaler MPX appliance to the network. However,
some of the interfaces were blocked on the uplink switch. The engineer needs to perform a network packet
trace on the NetScaler appliance. For troubleshooting purposes, the engineer needs to separate trace files
for each interface. The engineer executed the following command from the NetScaler CLI:
start nstrace -perNIC ENABLED
However, NetScaler created a single trace file.
What should the engineer do to produce separate trace files for each interface?
A.
B.
C.
D.
Specify the nodes parameter.

Use the nsconmsg command.
Specify the tcpdump parameter.
Use the nstracemerge.sh command.
Correct Answer: C
Section: (none)
Explanation
QUESTION 16
Scenario: A NetScaler Engineer is configuring a new system with connected interfaces 10/1 - 10/4 and runs
the following commands:
add ip 10.10.10.1 255.255.255.0 -type snip
add vlan 10
bind vlan 10 -ifnum 10/1
On which interface(s) will subnet 10.10.10.1 respond to requests?
A.
B.
C.
D.
Only interface 10/1

Interfaces on VLAN 10
Only interfaces on VLAN 1
Interfaces 10/1 through 10/4
Correct Answer: D
Section: (none)
Explanation
QUESTION 17
Which tool could a NetScaler Engineer use to monitor client-side rendering times for a Web application that
is load-balanced by NetScaler?
A.
B.
C.
D.
Tcpdump
Insight Center
Command Center
NetScaler Dashboard
Correct Answer: A
Section: (none)
Explanation
QUESTION 18
A NetScaler Engineer needs to audit extended Access Control List (ACL) hits.
Which two areas would the engineer enable logging so that the ACL hits could be stored in the /var/log/
ns.log? (Choose two.)
A.
B.
C.
D.
The ACL
The syslogAction
The nslog parameters
The syslog parameters
Correct Answer: AD
Section: (none)
Explanation
QUESTION 19
A NetScaler Engineer would like to direct identical requests for the same service to specific cache servers.
Which load-balancing method should the engineer use?
A.
B.
C.
D.
URL Hash
Domain Hash
Source IP Hash
Source IP Destination IP Hash
Correct Answer: A
Section: (none)
Explanation
QUESTION 20
Scenario: A NetScaler Engineer is addressing an issue discovered during a vulnerability scan. The security
team is requiring that the engineer disable specific SSL ciphers on the SSL VServer.
Which two methods could the engineer use to meet this requirement? (Choose two.)
A.
B.
C.
D.
E.
Modify the list of ciphers in the Default cipher group.

Change the list of bound ciphers on the VServer directly.
Enable Cipher Redirect on the VServer and configure OCSP.
Disable SSLv2 Redirect on the VServer and update the CRLs.
Un-assign the default group, create a custom cipher group and assign it to the VServer.
Correct Answer: BE
Section: (none)
Explanation
QUESTION 21
Scenario: A network engineer needs to re-configure the NetScaler to utilize two new VLANs - VLAN2 and
VLAN3. VLAN2 is an untagged VLAN and VLAN3 will require a .1q compliant tag. Interface 1/1 is the only
interface that will be used on the NetScaler.
How could the engineer configure the NetScaler so that it can communicate with both networks?
A. Change the NSVLAN to 3
Add VLAN 2 and bind interface 1/1 as untagged
B. Enable the Tag all VLANs option on interface 1/1.
C. Add VLAN2 and bind interface 1/1 as untagged
Add VLAN3 and bind interface 1/1 as tagged
D. Add a SNIP for each VLAN
Enable management access on the SNIP for VLAN3
Correct Answer: C
Section: (none)
Explanation
QUESTION 22
Which feature could a Network Engineer configure in order to restrict client connections to a specific
bandwidth limit?
A.
B.
C.
D.
Spillover
Rate Limiting
SureConnect
Filter Policies
Correct Answer: B
Section: (none)
Explanation
QUESTION 23
Scenario: A NetScaler Engineer is working with a NetScaler appliance that has two network interface cards
(NICs). The first NIC is placed on the DMZ network and the second NIC is on the internal network. The
default route is configured to the gateway on the internal network. A virtual server is configured on the DMZnetwork and the firewall on the DMZ is using network address translation (NAT) to allow external traffic to
the virtual server.
When a user from the Internet attempts to connect to the NAT'd external address, the session never
establishes. The engineer performs an nstrace and sees that the user's traffic hits the NetScaler. The
engineer then discovers that the problem is an asymmetrical packet flow.
Which two settings could the engineer configure to resolve the issue? (Choose two.)
A.
B.
C.
D.
E.
Link load balancing (LLB)

Policy-based routing (PBR)
Extended access list (ACL)
MAC-based forwarding (MBF)
Reverse network address translation (RNAT)
Correct Answer: BD
Section: (none)
Explanation
QUESTION 24
A company has an external-facing web application that requires end-to-end encryption and Layer-7
functionality.
Which protocol type would an engineer choose for the virtual server and service?
A.
B.
C.
D.
SSL
SSL_TCP
SSL_PUSH
SSL_BRIDGE
Correct Answer: B
Section: (none)
Explanation
QUESTION 25
When configuring NetScaler authentication to access a web site, which two things should a network
engineer verify in the environment? (Choose two.)
A.
B.
C.
D.
E.
AAA is enabled.
One DNS server exists.
A Keytab file is available.
An authentication virtual server exists.
A traffic management virtual server exists.
Correct Answer: AD
Section: (none)
Explanation
QUESTION 26
Scenario: A NetScaler Engineer is viewing Authentication, Authorization and Access (AAA) events on the
NetScaler appliance to determine why a user is unable to log on. The events below have been logged
during this timeframe:
Fri Oct 17 18:17:16 2014
/usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[40\]:
start_ldap_auth attempting to
auth scottli @ 10.12.33.216
Fri Oct 17 18:17:18 2014
recieve_ldap_bind_event receive ldap bind event
Fri Oct 17 18:17:18 2014
recieve_ldap_bind_event ldap_bind with binddn bindpw failed:Invalid credentials Fri Oct 17
18:17:18 2014
/usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1198\]:
send_reject sending reject to kernel for : scottli
What is the root cause of this issue?
A.
B.
C.
D.
The LDAP Base DN is incorrect.

The Bind DN credentials are invalid.
The LDAP server is NOT responding.
The user has entered an invalid password.
Correct Answer: B
Section: (none)
Explanation
QUESTION 27
Scenario: A NetScaler Engineer has created an SSL virtual server that utilizes SSL services. The engineer
needs to configure certificate authentication from the NetScaler to the backend web services.
What should the engineer do to meet the requirements outlined in the scenario?
A.
B.
C.
D.
Bind a CA Certificate to the SSL Services.

Bind a Client Certificate to the SSL Services.
Create an SSL policy to present the Client Certificate to the web services.
Enable Client Authentication and set Client Certificate to mandatory on the virtual server.
Correct Answer: B
Section: (none)
Explanation
QUESTION 28
A NetScaler Engineer created an HTTP service and did NOT bind any monitors to the service.
Which monitor will the NetScaler automatically bind to the HTTP service?
A.
B.
C.
D.
E.
F.
tcp
http
tcp-ecv
http-ecv
tcp-default
ping-default
Correct Answer: E
Section: (none)
Explanation
QUESTION 29
A NetScaler Engineer plans to deploy a third-party application that will perform scheduled configuration
auditing by using NITRO API with a REST interface.
Which management protocol should the engineer enable to allow NITRO API access?
A.
B.
C.
D.
SSH
HTTP
Telnet
SNMP
Correct Answer: B
Section: (none)
Explanation
QUESTION 30
A NetScaler implementation is experiencing intermittent network issues, specifically regarding traffic to a

back-end service associated with IP address 10.10.1.86. Which command should a network engineer
execute to generate diagnostic information to investigate this issue?
A.
B.
C.
D.
traceroute 10.10.1.86
show run | grep 10.10.1.86
nstcpdump.sh host 10.10.1.86
show service 10.10.1.86 -summary
Correct Answer: C
Section: (none)
Explanation
In my lab
The command must be performed from the shell
QUESTION 31
A network engineer notes that a high availability pair (HA) is NOT synchronizing correctly and decides to
open a ticket with Citrix Support.
When opening the new ticket with Citrix Support, the engineer should run show __________ and
__________. (Choose the set of options to complete the sentence.)
A.
B.
C.
D.
ha node; provide any public IP addresses listed

ha node; provide the hello and dead interval data
techsupport on the primary device; send the output to Citrix Support
techsupport on both the primary and secondary devices; send the output to Citrix support
Correct Answer: D
Section: (none)
Explanation
QUESTION 32
Which troubleshooting tool will show policy hits and verify that a policy expression is being invoked?
A.
B.
C.
D.
nspepi
nsapimgr
nstrace.sh
nsconmsg
Correct Answer: D
Section: (none)
Explanation
QUESTION 33
Scenario: A NetScaler engineer configured a service and server for RADIUS authentication. To ensure that
the RADIUS service is available and responding to authentication requests, the engineer has added the
NetScaler built-in monitor to the service. On inspecting the RADIUS service the engineer notices it is
marked as DOWN.
What could be causing this issue?
A.
B.
C.
D.
The built-in monitor has been changed.

RADIUS accounting must be enabled under the server.
There is no built-in monitor available to monitor RADIUS.
The NetScaler-owned IP address has not been added to the RADIUS database.
Correct Answer: D
Section: (none)
Explanation
QUESTION 34
Scenario: A NetScaler Engineer has configured COOKIEINSERT persistence with a timeout value of two
minutes on an SSL LBvServer. The idle time requirement for the application itself CANNOT be determined.
Users report connections are intermittent. Once a session is disconnected, a user must re-authenticate in
order to regain access. In order to this issue, the engineer should set persistence to __________ with a
timeout of __________ minutes. (Choose the set of options to complete the sentence.)
A.
B.
C.
D.
SOURCEIP; two
SSLSESSION; ten
SRCIPDESTIP; two
COOKIEINSERT; zero
Correct Answer: D
Section: (none)
Explanation
QUESTION 35
Which command must an engineer use to run a cluster with less than (n/2+1) number nodes online?
A.
B.
C.
D.
add cluster <node> -quorumType Majority

add cluster instance <name> -quorum None
add cluster instance <clid> -quorumType None
add cluster instance <clid> -quorumType Majority
Correct Answer: C
Section: (none)
Explanation
QUESTION 36
Scenario: A NetScaler Engineer has discovered that the object home.php is NOT found in the cache on the
system.
Below is the relevant configuration:
add cache contentGroup cache_content_group_1 -relExpiry 0
add cache policy cache_pol_1 -rule "http.REQ.URL.CONTAINS(\"home.php\")" -action MAY_CACHE storeInGroup cache_content_group_1
add cache policy cache_pol_2 -rule "http.REQ.METHOD.EQ(\"GET\")" -action NOCACHE
add cache policy cache_pol_3 -rule "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS" -action CACHE
bind cache global cache_pol_1 -priority 90 -gotoPriorityExpression END -type REQ_OVERRIDE
bind cache global cache_pol_3 -priority 100 -gotoPriorityExpression END -type RES_OVERRIDE
The data from the client and the server are as following:
GET /home.php HTTP/1.1
Host: www.website.com
User-Agent: Mozilla Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Date: Thu, 09 Oct 2014 18:25:00 GMT
Cookie: sessionid=100xyz
HTTP/1.1 200 OK
Date: Thu, 09 Oct 2014 18:25:00 GMT
Server: Apache/2.2.3 (Fedora)
Last-Modified: Wed, 09 Jul 2014 21:55:36 GMT
ETag: "27db3c-12ce-5e52a600"
Accept-Ranges: bytes
Cache-Control: private, max-age=0
Set-Cookie: sessionid=100xyz; expires=Thu, 09-Oct-2014 18:30:00 GMT; path=/ Content-Length: 119

Connection: close
Content-Type: text/html; charset=UTF-8
Why does the object NOT persist in the cache?
A.
B.
C.
D.
The request is a GET request.

The response has Set-Cookie.
The content group is missing a cache selector.
The content group has been configured with relExpiry 0.
Correct Answer: D
Section: (none)
Explanation
QUESTION 37
A NetScaler Engineer created an SSL virtual server but the status is showing as state DOWN.
What could be causing the virtual server to show as state DOWN?
A.
B.
C.
D.
The virtual server is configured for port 444.

HTTP services are used instead of HTTPS services.
The SSL certificate is NOT bound to the virtual server.
The certificate bound to the virtual server has a private key of 512-bits.
Correct Answer: C
Section: (none)
Explanation
QUESTION 38
Scenario: A NetScaler Engineer needs to enable access to a load-balancing virtual server from two
customers that belong to different VLANs, VLAN500 and VLAN600. Each customer must access the
services and servers specific to their VLAN and should never be able to reach another customer service or
servers.
Traffic Domain (TD) 1 has been created for VLAN500 and Traffic Domain (TD) 2 for VLAN600. Loadbalancing services have also been created for each server on TD1 and TD2. The TD for the virtual server is
TD 3 and IP address 172.10.0.30. In order to complete this setup, the engineer should create a loadbalancing virtual server with IP 172.10.0.30 on TD 3 and use __________. (Choose the option to complete
the sentence.)
A.
B.
C.
D.
TD2 services as a backup virtual server

TD1 and TD2 services on one virtual server
TD1 and TD2 services on two virtual servers
TD1 on one virtual server and TD2 on second
Correct Answer: D
Section: (none)
Explanation
QUESTION 39
Scenario: A NetScaler Engineer has the following set in the Global Server Load Balancing (GSLB)
configuration:
set gslb site SiteB -triggerMonitor MEPDOWN
How does this influence the default service monitoring behavior on the remote site?
A.
B.
C.
D.
The service monitor will take precedence over MEP.

The state of the GSLB service will always be controlled by MEP.
The service monitor is invoked only when MEP has marked the service as down for any reason.
The service monitor is invoked only when MEP connectivity has been lost between SiteA and SiteB.
Correct Answer: C
Section: (none)
Explanation
QUESTION 40
Scenario: A NetScaler appliance currently has a manually configured channel containing four interfaces;
however, the engineer has been told that the NetScaler must now only use a single interface for this
network. The engineer removes the channel and immediately notices a decrease in network performance.
How could the engineer resolve this issue?
A.
B.
C.
D.
Reset the unused interfaces

Disable the unused interfaces
Enable flow control on all interfaces
Disable HA monitoring on the three interfaces that are no longer required
Correct Answer: B
Section: (none)
Explanation
QUESTION 41
Which two of the listed statements are true about Access Control Lists (ACLs) on the NetScaler? (Choose
two.)
A.
B.
C.
D.
Extended ACLs may BRIDGE traffic.

Simple ACLs are bound on ALL interfaces.
Extended ACLs are evaluated after creation.
Simple ACLs are processed after Extended ACLs.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 42
Scenario: A NetScaler Engineer must implement load-balancing on a web server farm that serves video
clips to end users. Video clip files vary in size. The engineer needs to send traffic to the server with the least
amount of network utilization.
Which load-balancing method should the engineer use?
A.
B.
C.
D.
Least Request
Least Bandwidth
Least Connection
Least Response Time
Correct Answer: B
Section: (none)
Explanation
QUESTION 43
Scenario: A Network Engineer needs to provide a solution for mobile users who use devices that do NOT
support basic access authentication.
Which three steps should be included as part of the engineer's plan to implement this requirement using
NetScaler? (Choose three.)
A.
B.
C.
D.
E.
F.
Configure an OCSP responder.

Create an authentication VServer.
Configure a Pre-Authentication policy.
Create an LDAP authentication policy and bind it to the authentication server.
Enable and configure the authentication option on a VServer to use 401-based authentication.
Enable and configure the Authentication option on a load balancing VServer to use form- based
authentication.
Correct Answer: BDF

Section: (none)
Explanation
QUESTION 44
A network engineer wants to configure a NetScaler for load balancing Voice over IP traffic (VoIP).
Which hash method is the best fit for VoIP traffic?
A.
B.
C.
D.
Call ID
Source IP
Destination IP
Domain name
Correct Answer: A
Section: (none)
Explanation
QUESTION 45
A company has a new CEO and wants to update their website with the new CEO's name.
What could the engineer do on the website while this modification is being made?
A. Insert the new name on the header requests using Rewrite policies.
B. Hide the current name on the header request using Rewrite policies.
C. Delete the current name on the body response using Rewrite policies.
D. Replace the current name on the body response using Rewrite policies.
Correct Answer: D
Section: (none)
Explanation
QUESTION 46
What is the key benefit to enabling Session Reuse on an SSL offload VServer?
A.
B.
C.
D.
The number of HTTP requests to the backend services are decreased.

Resumed SSL sessions are more secure than sessions that require renegotiation.
Reusing existing sessions decreases the number of TCP connections made to backend services.
A partial SSL handshake is sent over the existing SSL connection, reducing CPU and bandwidth usage.
Correct Answer: D
Section: (none)
Explanation
QUESTION 47
A NetScaler Engineer needs an SNMP alert to be sent when CPU utilization is 90% or higher on a
NetScaler instance.
Which two steps must the engineer take to configure the SNMP alert? (Choose two.)
A.
B.
C.
D.
E.
Enable SNMP trap logging.

Add an SNMP trap destination.
Set an SNMP community string.
Set the CPU-USAGE alarm thresholds.
Add an SNMP manger to poll the instance.
Correct Answer: BD
Section: (none)
Explanation
QUESTION 48
A network engineer might choose to use SSL_Bridge instead of a SSL virtual server in order to
__________. (Choose the option to complete the sentence.)
A.
B.
C.
D.
be able to decrypt the SSL traffic

enable use of OCSP for revoked certificates
pass user certificates to the back-end servers
enable SSL server certificates on the service group
Correct Answer: C
Section: (none)
Explanation
QUESTION 49
Scenario: A company has three HTTP servers that are load balanced using NetScaler. When users
connect to the HTTP application they often receive inconsistent data or are advised that they need to log on
again. Which step should the engineer take to correct this?
A.
B.
C.
D.
Remove Down State Flush.

Change the idle timeout value for the service.
Configure persistence with appropriate timeouts.
Change the global TCP Client Idle Time-Out value.
Correct Answer: C
Section: (none)
Explanation
QUESTION 50
Scenario: A NetScaler Engineer is using the following policy to forward traffic when performing content
switching:
add cs action cs1_act -targetVserverExpr "HTTP.REQ.HOSTNAME"
add cs policy cs1_switch_policy -rule true -action cs1_act
bind cs vserver CS1-VIP -policyName cs1_switch_policy -priority 10
In order to make sure the policy works correctly, the engineer must name the __________ to match the
hostname. (Choose the option to complete the sentence.)
A.
B.
C.
D.
load-balancing servers
load-balancing services
load-balancing virtual servers
content-switching virtual server
Correct Answer: C
Section: (none)
Explanation
QUESTION 51
Scenario: A NetScaler Engineer configures COOKIEINSERT persistence method for an HTTP VServer
named 'myApp'. Many clients do NOT allow the persistence cookie to be set and application sessions fail
as a result. All clients are behind a network address translation (NAT) gateway, which will insert the client IP
address into an HTTP header called X-Forwarded-For.
Which command could the engineer execute to provide persistence for clients while still distributing the
requests across the bound services?
A. set lb vserver myApp -persistenceType SOURCEIP
B. set lb vserver myApp -persistenceType NONE -lbmethod SRCIPDESTIPHASH
C. set lb vserver myApp -persistenceType COOKIEINSERT -timeout 0 -cookieName X- Forwarded-For

D. set lb vserver myApp -persistenceType NONE -lb method TOKEN -rule "HTTP.REQ.HEADER(\"XForwarded-For\").VALUE(0)
Correct Answer: D
Section: (none)
Explanation
QUESTION 52
A network engineer needs to upgrade both appliances of a High Availability (HA) pair.
In which order should the network engineer upgrade the appliances?
A.
B.
C.
D.
Disable high availability and upgrade one node at a time.

Upgrade the primary node first without disabling high availability.
Upgrade the secondary node first without disabling high availability.
Perform the upgrade simultaneously without disabling high availability.
Correct Answer: C
Section: (none)
Explanation
QUESTION 53
In order to configure integrated cache, a NetScaler Engineer would need to reboot the NetScaler when the
integrated caching feature is __________ and cache memory limit is set to __________. (Choose the set of
options to complete the sentence.)
A.
B.
C.
D.
enabled; zero
disabled; zero
enabled; non-zero
disabled; non-zero
Correct Answer: A
Section: (none)
Explanation
QUESTION 54
Scenario: A NetScaler appliance currently has a manually configured channel containing four interfaces;
however, the engineer has been told that the NetScaler must now only use a single interface for this
network. The engineer removes the channel and immediately notices a decrease in network performance.
How could the engineer resolve this issue?
A.
B.
C.
D.
Reset the unused interfaces

Disable the unused interfaces
Enable flow control on all interfaces
Disable HA monitoring on the three interfaces that are no longer required
Correct Answer: B
Section: (none)
Explanation
QUESTION 55
A NetScaler Engineer needs to gather information from a NetScaler VPX before allocating the platform
license.
Which shell command could the engineer use to gather the needed information?
A.
B.
C.
D.
lmutil lmhostid -user

lmutil lmhostid -ether
lmutil lmhostid -internet
lmutil lmhostid -hostname
Correct Answer: B
Section: (none)
Explanation
QUESTION 56
Scenario: A NetScaler Engineer has configured a virtual server as follows:
set lb vserver web_vserver -redirectURL http://www.external.hosting.com -backupVServer maint_vserver
The virtual server web_vserver is marked as DOWN; maint_vserver is marked as UP.
The following request is sent to the web_vserver:
GET /path/query HTTP/1.1
What would happen to this request?
A.
B.
C.
D.
Redirected to http://www.external.hosting.com
Forwarded to the backup server, ignoring the query
Forwarded to the backup server, preserving the query
Redirected to http://www.external.hosting.com/path/query
Correct Answer: C
Section: (none)
Explanation
QUESTION 57
Scenario: A NetScaler Engineer is configuring LACP (Link Aggregation Configuration Protocol) on the
NetScaler. The engineer adds interface 10/3 and 10/4 to LA/1 (which already contains interfaces 10/1 and
10/2) and is configured for VLAN 500.
VLAN 100 is bound to interface 10/3 and VLAN 200 is bound to interface 10/4.
VLAN 500 is bound to channel LA/1.
Which VLAN is shown with a "show interface" command for interface 10/3?
A. 1
B. 100
C. 200
D. 500
Correct Answer: D
Section: (none)
Explanation
QUESTION 58
Scenario: The NetScaler has connections to a large number of VPNs. The network engineer wants to
minimize the number of ARP requests.
Which feature should the network engineer enable to minimize ARP requests?
A.
B.
C.
D.
TCP Buffering
Use Source IP
Edge Configuration
MAC based forwarding
Correct Answer: D
Section: (none)
Explanation
QUESTION 59
A NetScaler Engineer has installed Command Center, Insight Center, Web Logging and an Integration
Pack for System Center.
Which tool would be appropriate to see client-side rendering times?
A.
B.
C.
D.
Web Logging
Insight Center
Command Center
Integration Pack for System Center
Correct Answer: B
Section: (none)
Explanation
QUESTION 60
An engineer has two NetScaler devices in two different datacenters and wants to create a high availability
(HA) pair with the two devices, even though they are on two different subnets.
How can the engineer configure the HA Pair between the two NetScaler devices?
A.
B.
C.
D.
Configure StaySecondary on the second datacenter appliance.

Ensure that INC mode is enabled during the creation of the HA Pair.
Enable the HAMonitors on all interfaces after the HA Pair has been created.
Change the NSIP of the second appliance to be on the same subnet as the first appliance.
Correct Answer: B
Section: (none)
Explanation
QUESTION 61
Scenario: Users complain that they are NOT able to connect to a web site using the IP address. The
relevant portion of the configuration is shown below:
add ssl profile srv-web -sessReuse ENABLED -sessTimeout 120 -tls11 DISABLED -tls12 DISABLED strictCAChecks YES
add service svc-web 192.168.1.3 HTTP 80
add lb vserver srv-web SSL 192.168.1.22 443 -persistenceType NONE -cltTimeout 180
bind lb vserver srv-web svc-web
set ssl vserver srv-web -eRSA DISABLED -clientAuth ENABLED -clientCert Optional -tls11 DISABLED tls12 DISABLED -SNIEnable ENABLED
add ssl policy svc-web -rule true -action NOOP
bind ssl vserver srv-web -certkeyName WebCert -SNICert
bind ssl vserver srv-web -policyName svc-web -priority 100
What is the likely cause of the connectivity issue?
A.
B.
C.
D.
SSL policy is incorrect.

Client Authentication is enabled.
Server Name Indication is enabled.
Load Balancing persistence is set to NONE.
Correct Answer: C
Section: (none)
Explanation
QUESTION 62
Which command would an engineer run to deny access to destination port 103 from a host with an IP
address of 10.0.1.1?
A.
B.
C.
D.
add ns acl rule1 DENY -srcIP 10.0.1.1 -srcPort 103 -TTL 600
add ns acl rule1 DENY -srcIP 10.0.1.1 -srcPort 103 -protocol TCP
add ns acl rule1 DENY -srcport 103 -destIP 10.0.1.1 -protocol TCP
add ns simpleacl rule1 DENY -srcIP 10.0.1.1 -destport 103 -protocol TCP
Correct Answer: D
Section: (none)
Explanation
QUESTION 63
A network engineer selected the option on a SSL certificate to provide notification upon expiration of the
certificate; however when a certificate expires, NO notification is sent to the engineer. Which step could the
engineer take to enable notification?
A. Configure SNMP.
B. Create a SSL policy.

C. Enable the SSL offload feature.
D. Ensure that the certificate is linked to a Root certificate.
Correct Answer: A
Section: (none)
Explanation
QUESTION 64
An end user is receiving authentication errors when accessing a load-balancing virtual server that uses
Authentication, Authorization and Access (AAA)-TM.
Which shell command should a NetScaler Engineer execute to show AAA events in real time to help
diagnose this issue?
A.
B.
C.
D.
tail /tmp/aaad.debug
cat /tmp/aaad.debug
grep aaa /tmp/nskrb.debug
egrep aaa /tmp/pitboss.debug
Correct Answer: B
Section: (none)
Explanation
QUESTION 65
On a load-balancing virtual server with multiple bound services, Redirect URL will be invoked when
__________. (Choose the phrase to complete the sentence.)
A.
B.
C.
D.
a backup virtual server has been configured

Health Based Spillover has been configured
one of the bound services is marked as DOWN
the load-balancing virtual server is marked as DOWN
Correct Answer: D
Section: (none)
Explanation
QUESTION 66
Which two authentication types on the NetScaler support password changes? (Choose two.)
A.
B.
C.
D.
E.
F.
TACACS+
LDAP (TLS)
LDAP (SSL)
RADIUS (PAP)
LDAP (PLAINTEXT)
RADIUS (MSCHAPv2)
Correct Answer: BC
Section: (none)
Explanation
QUESTION 67
Scenario: A NetScaler Engineer has a high-availability (HA) pair of NetScaler MPX devices (NS1 and NS2)
connected on interfaces 0/1, 1/1 and 1/2. NS1 is currently the primary unit. Fail-safe mode is NOT enabled.
High-availability monitor is enabled on all the connected interfaces. The engineer sees the following line in
the output of his "show node" command from the command-line interface:
Interfaces on which heartbeats are not seen: 1/1 1/2
Interfaces causing Partial Failure: None
What will happen if the 0/1 interface fails?
A.
B.
C.
D.
NS1 and NS2 will both become primary.

NS2 will fail and NS1 will remain primary.
NS1 will fail and NS2 will become primary.
NS1 and NS2 will both fail and become secondary.
Correct Answer: A
Section: (none)
Explanation
QUESTION 68
Which command will allow an engineer to change the NetScaler IP (NSIP) from the command-line
interface?
A.
B.
C.
D.
add ns ip 10.100.10.100 255.255.255.0 -type SNIP

add ns ip 10.100.10.100 255.255.255.0 -type NSIP
set ns config -ipaddress 10.100.10.100 -netmask 255.255.255.0
set ns ip 10.100.10.100 -netmask 255.255.255.0 -mgmtaccess enabled
Correct Answer: C
Section: (none)
Explanation
QUESTION 69
The network engineer would like all HTTP and HTTPS requests that travel through the NetScaler to have
an HTTP header added with the source IP address for logging on the web servers.
How should the network engineer accomplish this?
A.
B.
C.
D.
Enable Web Logging

Enable the client IP option
Configure the TCP Parameters
Enable the 'Use Source IP mode'
Correct Answer: B
Section: (none)
Explanation
Enabling Use Source IP Mode

When the NetScaler appliance communicates with the physical servers or peer devices, by default, it uses
one of its own IP addresses as the source IP. The appliance maintains a pool of mapped IP addresses
(MIPs) and subnet IP addresses (SNIPs), and selects an IP address from this pool to use as the source IP
address for a connection to the physical server. The decision of whether to select a MIP or a SNIP depends
on the subnet in which the physical server resides.
If necessary, you can configure the NetScaler appliance to use the client's IP address as source IP. Some
applications need the actual IP address of the client. The following use cases are a few examples:
Client's IP address in the web access log is used for billing purposes or usage analysis. Client's IP address
is used to determine the country of origin of the client or the originating ISP of the client. For example, many
search engines such as Goggle provide content relevant to the location to which the user belongs. The
application must know the client's IP address to verify that the request is from a trustworthy source.
Sometimes, even though an application server does not need the client's IP address, a firewall placed
between the application server and the NetScaler may need the client's IP address for filtering the traffic.
Enable Use Source IP mode (USIP) mode if you want NetScaler to use the client's IP address for
communication with the servers. By default, USIP mode is disabled. USIP mode can be enabled globally on
the NetScaler or on a specific service. If you enable it globally, USIP is enabled by default for all
subsequently created services. If you enable USIP for a specific service, the client's IP address is used only
for the traffic directed to that service.
As an alternative to USIP mode, you have the option of inserting the client's IP address (CIP) in the request
header of the server-side connection for an application server that needs the client's IP address.
In earlier NetScaler releases, USIP mode had the following source-port options for server- side
connections:
Use the client's port. With this option, connections cannot be reused. For every request from the client, a
new connection is made with the physical server. Use proxy port. With this option, connection reuse is
possible for all requests from the same client. Before NetScaler release 8.1 this option imposed a limit of
64000 concurrent connections for all server-side connections.
In the later NetScaler releases , if USIP is enabled, the default is to use a proxy port for server-side
connections and not reuse connections. Not reusing connections may not affect the speed of establishing
connections.
By default, the Use Proxy Port option is enabled if the USIP mode is enabled. For more information about
the Use Proxy Port option, see Using the Client Port When Connecting to the Server.
Note: If you enable the USIP mode, it is recommended to enable the Use Proxy Port option.
The following figure shows how the NetScaler uses IP addresses in USIP mode.
IP Addressing in USIP Mode
Recommended Usage
Enable USIP in the following situations:
Load balancing of Intrusion Detection System (IDS) servers Stateless connection failover
Sessionless load balancing
If you use the Direct Server Return (DSR) mode
Note: When USIP is required in the one-arm mode installation of the NetScaler appliance, make sure that
the server's gateway is one of the IP addresses owned by the NetScaler. For more information about
NetScaler owned IP addresses, see Configuring NetScaler owned IP addresses.
If you enable USIP, set the idle timeout for server connections to a value lower than the default value, so
that idle connections are cleared quickly on the server side. For more information about setting an idle timeout value, see "Load Balancing" chapter of the Citrix NetScaler
Traffic Management Guide at http://support.citrix.com/article/CTX132359. For transparent cache
redirection, if you enable USIP, enable L2CONN also. Because HTTP connections are not reused when
USIP is enabled, a large number of server-side connections may accumulate. Idle server connections can
block connections for other clients. Therefore, set limits on maximum number of connections to a service.
Citrix also recommends setting the HTTP server time-out value, for a service on which USIP is enabled, to
a value lower than the default, so that idle connections are cleared quickly on the server side.
To globally enable or disable USIP mode by using the NetScaler command line At the NetScaler command
prompt, type one of the following commands:
Enable ns mode usip
Disable ns mode usip
To enable USIP mode for a service by using the NetScaler command line At the NetScaler command
prompt, type:
Set service <ServiceName> -usip (YES | NO)
Example
Set service Service-HTTP-1 -usip YES
To globally enable or disable USIP mode by using the configuration utility In the navigation pane, expand
System and click Settings. On the Settings page, under Modes and Features, click Configure modes. In the
Configure Modes dialog box, do one of the following:
To enable Use Source IP mode, select the Use Source IP check box. To disable Use Source IP mode,
clear the Use Source IP check box.
Click OK.
In the Enable/Disable Feature(s)? dialog box, click Yes. To enable USIP mode for a service by using the
configuration utility In the navigation pane, expand Load Balancing, and then click Services. In the details
pane, select the service for which you want to enable the USIP mode, and then click Open.
In the Configure Service dialog box, click the Advanced tab. Under Settings, select the Use Source IP
check box.
Click OK
QUESTION 70
Scenario: A NetScaler Engineer has enabled the HTTP Compression feature on an existing production
NetScaler. The engineer is using the built-in policies. The engineer reviews the HTTP Compression
statistics but does NOT see any compression statistic data.
What is the likely reason?
A.
B.
C.
D.
SSL protocol is being used for encryption.

The Compression Policy engine is set to default.
"Allow Server side compression" is checked on the NetScaler.
Responses with the Content-Length or Chunked header are being sent from the server.
Correct Answer: C
Section: (none)
Explanation
QUESTION 71
Scenario: The marketing department would like a short URL to use for a product launch that will redirect
users to the product information page on the company's website. The marketing URL they require is http://
www.turboappliances.com/prima. It should redirect the user to http://www.turboappliances.com/products/
solutions/primaversion1234.html.
Which NetScaler command should a NetScaler Engineer run in order to meet the requirements of the
scenario?
A. add responder action MarketingURL redirect
"\"http://www.turboappliances.com/products/solutions/primaversion1234.html\""
B. add rewrite action MarketingURL4 replace_http_res "\"http://www.turboappliances.com/products/
solutions/primaversion1234.html\""
C. add rewrite action MarketingURL1 insert_http_header Location "\"http://www.turboappliances.com/
products/solutions/primaversion1234.html\""
D. add transform action MarketingURL2 -priority 100 -reqUrlFrom www.turboappliances.com/ -reqUrlInto
"http://www.turboappliances.com/products/solutions/primaversion1234.html"
Correct Answer: A
Section: (none)
Explanation
QUESTION 72
Scenario: An application that uses HTTP for connections and other protocols for different types of content
has been deployed. Load balancing virtual servers have been created for each protocol and the engineer
now needs to ensure that once a load balancing decision has occurred, further requests for different
content are served from the same server.
How could the engineer achieve this?
A.
B.
C.
D.
Create a persistency group.

Set the Spillover method to DYNAMICCONNECTION.
Add a new virtual server for each protocol that is not directly addressable.
Set each virtual server to use Source IP Hash as the load balancing method.
Correct Answer: A
Section: (none)
Explanation
Summary
A Web application may use HTTP and HTTPS in the same session. This article describes the configuration
necessary to ensure persistence is maintained across both HTTP and HTTPS connections.
Background
The NetScaler allows us to configure persistency groups to accommodate exactly such a need. A practical
example of this might be a shopping cart where items are browsed over HTTP, but purchased over HTTPS.
If persistency were not maintained, it's possible the shopping cart might be lost, the user logged out, or
other adverse actions. By using persistency groups, the HTTP and HTTPS vServers are grouped together
into one persistent entity.
Procedure
From the GUI:
1. Click and expand the Load Balancing node.
2. Click Persistency Groups.
3. Click Add.
4. Populate the Group Name field.
5. Choose between COOKIEINSERT, SOURCEIP or RULE from the Persistence dropdown and configure
a timeout.
6. Choose a backup persistence method if desired.
7. Select the vServers to be grouped from the Available Virtual Servers list.
8. Click Add to move the vServers from the available list to the configured list.
From the command line interface (CLI):
Issue the following commands:
1. bind lb group <name of group> <vserver 1>
2. bind lb group <name of group> <vserver 2>
3. ....
4. set lb group <name of group> -persistenceType <persistence method> - persistenceBackup <backup
persistence method>
QUESTION 73
Scenario: A network engineer is going to roll out an upgrade from a 9.x version on a standalone NetScaler
appliance using the command-line interface.
Which two items does the engineer need to download before proceeding with the upgrade? (Choose two.)
A.
B.
C.
D.
SSL Certificates Files

NetScaler Firmware File
NetScaler Configuration file
NetScaler Documentation File
Correct Answer: BD
Section: (none)
Explanation
QUESTION 74
On a NetScaler system, the __________ timeout value will mark any session that has reached the idle
timeout for cleanup. (Choose the option to complete the sentence.)
A.
B.
C.
D.
Client
Server
Zombie
NATPCB
Correct Answer: C
Section: (none)
Explanation
QUESTION 75
Scenario: A NetScaler Engineer is troubleshooting a high-availability issue. The engineer needs to
determine if the port being used by the high-availability heartbeats is blocked.
Which port is used by high-availability heartbeats?
A.
B.
C.
D.
3003
3008
3010
3011
Correct Answer: A
Section: (none)
Explanation
QUESTION 76
What is the default load-balancing method?
A.
B.
C.
D.
Round Robin
Source IP Hash
Least Connection
Least Response Time
Correct Answer: C
Section: (none)
Explanation
QUESTION 77
Which two NetScaler command-line interface commands could an engineer execute to change TCP
Window Scaling settings on the NetScaler? (Choose two.)
A.
B.
C.
D.
E.
set netProfile
add ns tcpProfile
unset ns tcpParam
set ns tcpbufParam
add autoscale profile
Correct Answer: BC
Section: (none)
Explanation
QUESTION 78
A NetScaler Engineer is reviewing the performance of a NetScaler appliance and notices that TCP
multiplexing (TCP connection reuse) appears to NOT be working for a virtual server.
What could be the cause of this issue?
A. Compression is enabled on the services
B. Persistence is enabled on the virtual server
C. HTTP services are bound to the virtual server

D. The virtual server was created as type SSL_BRIDGE
Correct Answer: D
Section: (none)
Explanation
QUESTION 79
Which option needs to be set on the service in order to maintain the original client-IP to the backend
service?
A.
B.
C.
D.
-cka yes
-usip yes
-cip disabled
-useproxyport yes
Correct Answer: B
Section: (none)
Explanation
QUESTION 80
Which type of authentication server could an engineer configure in order to provide the use of RSA token
authentication as a permitted authentication method to access a AAA Virtual Server?
A.
B.
C.
D.
LDAP
SAML
RADIUS
Negotiate
Correct Answer: C
Section: (none)
Explanation
http://support.citrix.com/article/CTX127543
This document describes how to configure Access Gateway 5.0 for authentication against an RSA SecurID
Authentication server. It describes the configuration required in both the Access Gateway and the RSA
server for various deployment topologies.
Within the RSA Authentication Manager console, choose Agent Host > Generate Configuration
Files and select for One Agent Host, and choose the Agent Host created in step 1 and save the generated
sdconf.rec file.
If using RSA 7.1

Open the RSA Security Console and navigate to Access > Authentication Agents > Add New.
Enter the name and IP Address of the Access Gateway, and set Agent type to Standard Agent. Save this
new agent.
Select Access > Authentication Agents > Generate Configuration File and generate the configuration file.
There is no option to generate a configuration file for a single host in RSA 7.1. Save and extract the
sdconf.rec from the generated zip file.
Log on to the Access Gateway AdminLogonPoint and go to Authentication Profiles to create an RSA
authentication profile. Browse to the generated sdconf.rec file on your computer to upload it on the
Appliance, and save the profile.
Additional Notes for Creating the Agent Record in RSA. The details entered into the Agent Host
configuration are specific, and depend on the deployment configuration of your Access Gateway. The
following are the different deployment methods and the associated configuration within the RSA Agent:
Access Gateway is a non-HA deployment in one-arm mode.
Network Address: IP address of Access Gateway
Access Gateway is a non-HA deployment in two-arm mode, traffic to the RSA server is through the
interface with the Internal role
Network Address: IP address of the interface with the Internal role Access Gateway is a non-HA
deployment in two-arm mode, traffic to the RSA server is through the interface with the External role
Network Address: IP address of the interface with the Internal role Secondary Nodes: IP address of the
interface with the External role Access Gateway is in an HA deployment in one-arm mode Network
Address: The HA Virtual IP address
Secondary Nodes: The physical IP addresses of both Access Gateways Access Gateway is in an HA
deployment in two-arm mode, traffic to the RSA server is through the interface marked as INTERNAL
Network Address: The HA Internal virtual IP address Secondary Nodes: The physical IP addresses of the
interfaces with the Internal role on both Access Gateways
Access Gateway is in an HA deployment in two-arm mode, traffic to the RSA server is through the interface
marked as EXTERNAL
Network Address: The HA Internal virtual IP address Secondary Nodes: The physical IP addresses of the
interfaces with the External role on both Access Gateways
*In RSA 7.1 Secondary Nodes have been renamed to Alternate IP Addresses in the Authentication Agent
configuration.
QUESTION 81
The upgrade script copies the updated NetScaler kernel file to the __________ NetScaler directory.
A.
B.
C.
D.
/var
/flash
/nsconfig
/flash/boot
Correct Answer: B
Section: (none)
Explanation
QUESTION 82
Scenario: A NetScaler Engineer is configuring a NetScaler that has three interfaces. The first interface is
connected to the internal network, the second interface is connected to the DMZ1-network, and the third
interface is connected to the DMZ2-network.
DMZ1 and DMZ2 networks are behind different firewalls, and both firewalls are sending traffic through
network address translation (NAT) to the DMZ networks.
The default route is to the gateway on the DMZ1-network.
DMZ1: 10.10.10.0/24 (Gateway: 10.10.10.1)
DMZ2: 10.20.20.0/24 (Gateway: 10.20.20.1)
Internal: 192.168.0.0/24 (Gateway: 192.168.0.1)
Internet traffic reaches the virtual servers located in DMZ1 but NOT the virtual servers located in DMZ2.
Which policy-based route (PBR) would resolve the issue?
A. add ns pbr PBR1 ALLOW -srcIP = 10.20.20.0-10.20.20.255 -destIP != 10.20.20.0- 10.20.20.255 nextHop 10.10.10.1 -priority 10
B. add ns pbr PBR1 ALLOW -srcIP != 10.20.20.0-10.20.20.255 -destIP = 10.20.20.0- 10.20.20.255 nextHop 10.20.20.1 -priority 10
C. add ns pbr PBR1 ALLOW -srcIP = 10.20.20.0-10.20.20.255 -destIP != 10.20.20.0- 10.20.20.255 nextHop 10.20.20.1 -priority 10
D. add ns pbr PBR1 ALLOW -srcIP != 10.20.20.0-10.20.20.255 -destIP != 10.20.20.0- 10.20.20.255 nextHop 10.10.10.1 -priority 10
Correct Answer: C
Section: (none)
Explanation
QUESTION 83
Server Name Indication (SNI) is required when __________. (Choose the option to complete the sentence.)
A.
B.
C.
D.
TLS 1.1/1.2 is enabled exclusively

a SAN extension certificate is used
multiple certificates are used on multiple domains on the same VServer
configuring a content switching SSL VServer with a single domain certificate
Correct Answer: C
Section: (none)
Explanation
QUESTION 84
Scenario: A NetScaler Engineer wants to make it easier for the help desk group to access the active node
in a high-availability pair. Members of the help desk group must be able to access the NetScaler in a secure
way without being notified of warnings in their web browsers.
Which two of the listed steps must the engineer take to meet the requirements of the scenario? (Choose
two.)
A.
B.
C.
D.
E.
Enable management access to the VIP.

Enable management access to the SNIP.
Bind a trusted certificate to the internal service.
Bind the ns-server-certificate to the SNIP to the internal service.
Create a self-signed certificate on the NetScaler and assign it to the internal service.
Correct Answer: BC
Section: (none)
Explanation
QUESTION 85
What would a NetScaler Engineer configure to allow internal IPv4 servers on a private subnet access to the
external Internet through the NetScaler?
A.
B.
C.
D.
Link Load Balancing (LLB)

Network Address Translation 64 (NAT64)
Inbound Network Address Translation (INAT)
Reverse network address translation (RNAT)
Correct Answer: D
Section: (none)
Explanation
QUESTION 86
When a network engineer logs onto a new NetScaler device in the London datacenter, data output indicates
that the device is NOT configured for the local time.
How can the network engineer synchronize the time with an NTP server in the local data center?
A.
B.
C.
D.
Configure the time from the GUI and restart.

Modify the ntp.conf and rc.netscaler files and restart.
Logon using the nsrecover/nsroot credentials and restart.
Configure the NetScaler as a secondary NTP server and restart.
Correct Answer: B
Section: (none)
Explanation
QUESTION 87
A recent security audit has identified that NetScaler management is available on all Subnet IP (SNIP)
adresses.
Which step could an engineer take to ensure that these services are only available through the NetScaler
IP (NSIP)?
A. Unbind all SNIPs from the NSVLAN.
B. Disable the 'GUI' option on all SNIPs.
C. Enable the 'Restrict Access' option on all SNIPs.
D. Disable the 'Management Access' option on all SNIPs.

Correct Answer: D
Section: (none)
Explanation
QUESTION 88
Which connection state is included in the Current Server Connections parameter, but not affected by Max
Clients?
A.
B.
C.
D.
Open
Listen
Closing
Open Established
Correct Answer: C
Section: (none)
Explanation
QUESTION 89
Scenario: A NetScaler Engineer creates a new HTTP VServer using the following command:
add lb vserver lb_test HTTP 172.20.10.85 80 -lbMethod LEASTCONNECTION - persistencetype
COOKIEINSERT -timeout 0 -authentication ON -cacheable YES
During testing, the engineer notices a cookie named NSC_iuuq2 with a value of:
ffffffff020a1d1545525d5f4f58455e445a4a423660
What is the purpose of this cookie?
A.
B.
C.
D.
It indicates that the client has been authenticated.

It indicates that the client has NOT been authenticated.
It is used for persistence, describing only the VServer ID and Service IP.
It is used for persistence, describing the VServer ID, Service IP and Service Port.
Correct Answer: D
Section: (none)
Explanation
QUESTION 90
Scenario: A NetScaler Engineer is troubleshooting an issue and using /var/log/ns.log to view the errors.
The logs are being filled with messages like the ones below:
Oct 6 14:03:23 <local0.info> 192.168.10.50 10/06/2014:14:03:23 GMT ns1 0-PPE-0 : TCP CONN_DELINK
4471 0 : Source 192.168.10.10:52187 - Vserver 192.168.10.50:80 - NatIP 192.168.10.10:52187 Destination 192.168.10.50:80 - Delink Time 10/06/2014:14:03:23 GMT - Total_bytes_send 1075 Total_bytes_recv 352
Oct 6 14:03:30 <local0.info> 192.168.10.50 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP
CONN_TERMINATE 4472 0 : Source 192.168.10.35:80 - Destination 192.168.10.51:35341
- Start Time 10/06/2014:14:02:43 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 Total_bytes_recv 1

CONN_TERMINATE 4473 0 : Source 127.0.0.1:7776 - Destination 127.0.0.2:55623 - Start Time
10/06/2014:14:02:45 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv
1
CONN_TERMINATE 4474 0 : Source 127.0.0.1:80 - Destination 127.0.0.2:39771 - Start Time
10/06/2014:14:02:46 GMT - End Time 10/06/2014:14:03:30 GMT - Total_bytes_send 1 - Total_bytes_recv
1
Which option should the engineer modify to stop these types of messages from getting logged in /var/log/
ns.log?
A.
B.
C.
D.
ACL logging in the nslog parameters

ACL logging in the syslog parameters
TCP logging in the nslog parameters
TCP logging in the syslog parameters
Correct Answer: D
Section: (none)
Explanation
QUESTION 91
Which two are HTTP response codes from a successful cache hit by default? (Choose two.)
A.
B.
C.
D.
304
500
200
401
Correct Answer: AC
Section: (none)
Explanation
QUESTION 92
Which outcome does the minify JavaScript option of the Front End Optimization (FEO) feature provide?
A.
B.
C.
D.
It will replace characters with shorter names.

It will change all uppercase letters to lowercase.
It will remove all comments from the JavaScript.
It will compress JavaScript with the GZIP algorithm.
Correct Answer: C
Section: (none)
Explanation
QUESTION 93
Scenario: A network engineer is managing a NetScaler environment that has two NetScaler devices
running as a high availability pair. The engineer must upgrade the current version from NetScaler 9 to
NetScaler 10.5.
Which action must the engineer take?
A.
B.
C.
D.
Upgrade the primary node and perform HA sync.

Upgrade the secondary node and then upgrade the primary node.
Upgrade the primary node and then upgrade the secondary node.
Break the high availability pair, upgrade each NetScaler device, and then reconfigure high availability.
Correct Answer: B
Section: (none)
Explanation
QUESTION 94
Scenario: NetScaler features are NOT licensed. A NetScaler Engineer has checked that the proper
platform license file has been uploaded.
Why are the NetScaler features NOT licensed?
A.
B.
C.
D.
The features are NOT enabled.

The NetScaler needs to be restarted.
The NetScaler initial setup is NOT completed.
There is no universal license on the NetScaler.
Correct Answer: B
Section: (none)
Explanation
QUESTION 95
A network engineer runs the following command:
nsconmsg -K /var/nslog/newnslog -s nsdebug_pe=1 -d oldconmsg
What is the engineer trying to check in the log?
A.
B.
C.
D.
Bandwidth information
Load-balancing information
Content-switching statistics
Memory utilization information
Correct Answer: A
Section: (none)
Explanation
http://www.netscalerkb.com/netscaler-tricks-and-guides/nsconmsg- examples/?
wap2;PHPSESSID=6bab876c08055dc69f12fb005869478f
Paul B:
Some of this probably duplicates my original post.... here's some bits stolen from the Netscaler Advanced
course.....
Enter the following command in the shell to trim a newnslog file:
nsconmsg -K input_file -s time=DDMMMYYYY:HH:MM -k output_file -T seconds -d copy Command
example:
nsconmsg -K /var/nslog/newnslog -s time=19Jan2009:17:00 -k slice1_newnslog -T 3600 -d copy
This command writes newnslog entries from 5pm-6pm in the slice1_newnslog file. Enter the following
command in the shell to view the time span of the current newnslog file:
nsconmsg -K /var/nslog/newnslog -d setime
Enter the following command in the shell to display event information, such as entity up/down, alerts and
configuration saves:
nsconmsg -K /var/nslog/newnslog -d event
Enter the following command in the shell to view console messages, which include IP address conflicts and
duplex mismatch, in the current newnslog file:
nsconmsg -K /var/nslog/newnslog -d consmsg
Enter the following command in the shell to display memory utilization:
nsconmsg -s -K /var/nslog/newnslogConMEM=1 -d oldconmsg Enter the following command in the shell to
display bandwidth information:
nsconmsg -K /var/nslog/newnslog -s nsdebug_pe=1 -d oldconmsg Enter the following command in the shell
to display load-balancing information:
nsconmsg -K /var/nslog/newnslog -s ConLb=1 -d oldconmsg Enter the following command in the shell to
view SSL stats for front-end connections:
nsconmsg -K /var/nslog/newnslog -s ConSSL=1 -d oldconmsg Enter the following command in the shell to
view SSL stats for back-end connections:
view SSL stats for front- and back-end connections:
display monitoring statistics:
nsconmsg -K /var/nslog/newnslog s ConMon=x d oldconmsg This command gives basic information when
x=1 and gives detailed information when x=2. Enter the following command in the shell to display content
switching statistics:
nsconmsg -K /var/nslog/newnslog s ConCSW=1 -d oldconmsg Enter the following command in the shell to
view all non-zero totals in the current newnslog file:
nsconmsg -K /var/nslog/newnslog -d statswt0 | more Enter the following command in the shell to view the
average rates in the current newnslog file:
nsconmsg -K /var/nslog/newnslog d current | more Use -g to grep for specific counters of interest. For
example:
nsconmsg -K /var/nslog/newnslog -g cpu -d statswt0 | more nsconmsg -K /var/nslog/newnslog -g arp d
current | more Enter following command in the shell to display CPU usage in the shell:
nsconmsg -K /var/nslog/newnslog -s totalcount=200 -g cpu_use -d current Enter the following command in
the shell to display NIC information:
nsconmsg -K /var/nslog/newnslog -g nic -d current And watch out for the parameters: a "-k" and a "K" (lower- vs upper-case) have VERY different meanings!!!!
For example the UPPERcase "-K" refers to an input file, whilst the lowercase "-k" refers to an output file.
Getting them wring could mean over-writing your log file!!! Ooops!
QUESTION 96
Scenario: A company is hosting an external, Internet-facing website that is load balanced by a NetScaler.
The backend servers are on a 1 Gbps network and clients connect over 3G connections. The Server
Administrator reviewed the performance metrics on the backend servers and noticed a lot of overall
network retirements and retransmissions.
Which NetScaler feature would help improve the network performance of the backend servers in this
scenario?
A.
B.
C.
D.
SureConnect
Compression
TCP Buffering
Surge Protection
Correct Answer: C
Section: (none)
Explanation
QUESTION 97
A network engineer needs to configure Citrix NetScaler to provide Access Gateway services to VLAN 2
using interface 1/1 only, while also using interface 1/2 to provide load balancing services to VLAN 3.
How could this result be achieved?
A. Disable static route advertisement.

B. Disable layer 2 mode
Create 2 untagged VLANs - VLAN 2 and VLAN 3
Bind VLAN 2 to Interface 1/1
Bind VLAN 3 to Interface 1/2
C. Enable Layer 3 mode
Create a Channel Interface using Interface 1/1 and 1/2 Create 2 VMACs
Bind a VMAC to interface 1/1 and 1/2
D. Configure policy-based routing using the Interface option as a filter.
Correct Answer: B
Section: (none)
Explanation
QUESTION 98
Scenario: A client connecting to an SSL virtual server receives the following error:
"Invalid Server Certificate The server certificate is invalid. Do you wish to accept this certificate and connect
to the server anyway?"
What is a possible cause of this error message?
A.
B.
C.
D.
The private key is NOT password-protected.

The certificate key pair is password-protected.
The intermediate CA certificate is NOT linked to the server certificate.
Certificate Revocation Lists (CRLs) have NOT been defined on the NetScaler.
Correct Answer: C
Section: (none)
Explanation
QUESTION 99
When would it be necessary to configure Failover Interface Set (FIS) in an environment that has two
NetScaler appliances in high availability (HA) mode?
A.
B.
C.
D.
Link redundancy is required.

Route monitors are required.
HA monitor is disabled in some interfaces.
The NetScaler appliances are configured on different networks.
Correct Answer: A
Section: (none)
Explanation
QUESTION 100
What is the only input format supported by the NetScaler when using the NetScaler Certificate Import
wizard within the configuration utility?
A. JKS
B. PEM
C. DER
D. PKCS#12
Correct Answer: D
Section: (none)
Explanation
QUESTION 101
What does the TCP Buffering feature on the NetScaler accomplish?
A.
B.
C.
D.
It enables the TCP options field syn-cookie.

It optimizes the client and server TCP window size.
It buffers incoming client connections on the NetScaler.
It offloads the server response to the NetScaler before delivering it to the client.
Correct Answer: D
Section: (none)
Explanation
QUESTION 102
How could a NetScaler Engineer ensure that a content-switching virtual server is marked as DOWN if all
target load-balancing servers show as DOWN?
A.
B.
C.
D.
Specify a monitor
Enable State Update
Specify a route monitor
Configure a backup virtual server
Correct Answer: B
Section: (none)
Explanation
QUESTION 103
An engineer is checking that ports are configured correctly between the NetScaler system and a back-end
web server. Which command should the engineer use to test that the web server is responding on port 80?
A.
B.
C.
D.
telnet webA.example.com 80
telnet webA.example.com:80
telnet webA.example.com port=80
telnet webA.example.com -port 80
Correct Answer: A
Section: (none)
Explanation
QUESTION 104
Which two certificate formats are supported when creating a certificate key pair on the NetScaler? (Choose
two.)
A.
B.
C.
D.
PEM
DER
PKCS7
PKCS12
Correct Answer: AB
Section: (none)
Explanation
QUESTION 105
A network engineer has started at a new company and has been instructed to restrict access to an external
facing VIP to selected third party clients, based on their source IP address range.
What could the engineer do to accomplish this task?
A.
B.
C.
D.
Enable USNIP mode on the Netscaler.

Enable the host route option on the external VIP.
Create an Extended ACL based on the source IP address.
Create a SNIP address in the external VLAN limited to the source IP addresses.
Correct Answer: C
Section: (none)
Explanation
QUESTION 106
The Lazy Load action of Front End Optimization (FEO) improves the end-user experience by allowing
images to __________. (Choose the phrase to complete the sentence.)
A.
B.
C.
D.
load faster due to compression

load images from the bottom of the page and then upward to the top
NOT load until a user scrolls the page to the location where they are displayed
load from the local browser cache so it does NOT have to fetch them from the origin server
Correct Answer: C
Section: (none)
Explanation
QUESTION 107
Which protocol is responsible for exchanging site metric, network metric, and persistence information
between sites using Global Server Load Balancing (GSLB)?
A.
B.
C.
D.
SSH
MEP
RPC
NITRO
Correct Answer: B
Section: (none)
Explanation
QUESTION 108
While performing some re-cabling, a NetScaler engineer noticed that a power supply unit failed on a
NetScaler appliance. What should the engineer enable to receive notification of a future hardware failure?
A.
B.
C.
D.
SMTP
SNMP
Health monitoring
EdgeSight monitoring
Correct Answer: B
Section: (none)
Explanation
QUESTION 109
Which service setting would a NetScaler Engineer use in the command-line interface to limit connections to
server resources?
A.
B.
C.
D.
-maxReq
-maxClient
-monThreshold
-maxBandwidth
Correct Answer: B
Section: (none)
Explanation
QUESTION 110
Scenario: An engineer has been asked to implement load balancing of an existing unsecured web
application. The engineer needs to ensure that users will access the web application using HTTPS, but no
changes can be made to the web servers hosting the web application.
In order to fulfill the requirements, the engineer must create an __________ service group and add
members with port __________; and bind the service group to an __________ virtual server. (Choose the
set of options to complete the sentence.)
A.
B.
C.
D.
SSL; 443; SSL

HTTP; 80; SSL
SSL; 80; HTTP
HTTPS; 443; HTTP
Correct Answer: B
Section: (none)
Explanation
QUESTION 111
A network engineer has configured two NetScaler MPX appliances as a high availability (HA) pair.
What can the engineer configure to prevent failover if only a single interface fails?
A.
B.
C.
D.
FIS
PBR
SNMP
VMAC
Correct Answer: A
Section: (none)
Explanation
QUESTION 112
What are the supported protocols for management authentication?
A.
B.
C.
D.
LOCAL, LDAP, and SAML

RADIUS, LDAP and TACACS+
CERTIFICATE, LDAP and SAML
RADIUS, TACACS+ and CERTIFICATE
Correct Answer: B
Section: (none)
Explanation
QUESTION 113
Which protocol can be monitored by Insight Center?
A.
B.
C.
D.
FTP
HTTP
RTSP
RADIUS
Correct Answer: B
Section: (none)
Explanation
QUESTION 114
Which two encryption algorithms are supported on the NetScaler to store the encrypted SSL private key
with a password? (Choose two.)
A.
B.
C.
D.
AES
RC4
DES
DES3
Correct Answer: CD
Section: (none)
Explanation
QUESTION 115
Scenario: A pair of NetScaler devices have recently been installed into the corporate DMZ. The Netscalers
have been installed in two-arm mode, with two interfaces in a Internet- facing VLAN and two interfaces in
the internal VLAN. A private management subnet also exists.
The NetScaler engineer would like to secure and restrict communication between the management subnet
and the SNIP address on that subnet.
Which two actions could the engineer take to help with these goals? (Choose two.)
A.
B.
C.
D.
Apply an ACL on the specified SNIP.

Remove the ACL list to the internal VLAN.
Remove the NSIP address from the Netscaler.
Configure the SNIP with the -gui SECUREONLY option.
Correct Answer: AD
Section: (none)
Explanation
QUESTION 116
Which of the listed options is a simple Access Control List (ACL) attribute?
A.
B.
C.
D.
VLAN ID
Source IP address
NetScaler interface
Destination IP address
Correct Answer: A
Section: (none)
Explanation
QUESTION 117
A NetScaler Engineer is required to use SNMP v3 on a NetScaler instance and needs to use authentication
and encryption for all SNMP v3 communication.
What are two places where the engineer could set mandatory authentication and encryption? (Choose two.)
A.
B.
C.
D.
SNMP trap properties

SNMP user properties
SNMP group properties
SNMP manager properties
Correct Answer: BC
Section: (none)
Explanation
QUESTION 118
A NetScaler Engineer has created a new monitor using the following command:
add lb monitor mon_inline HTTP-INLINE -respCode 200 302 401 -httpRequest "HEAD /" - interval 10 reverse YES -secure YES
This monitor adds an HTTP-INLINE monitor __________. (Choose the phrase to complete the sentence.)
A. whose success criteria is an HTTP response code of 200,302,401
B. whose success criteria is any HTTP response code OTHER than 200,302,401
C. that will probe the Service every 10 seconds over an SSL connection whose success criteria is an HTTP
response code of 200,302,401
D. that will probe the Service every 10 seconds over an SSL connection whose success criteria is any
HTTP response code OTHER than 200,302,401
Correct Answer: B
Section: (none)
Explanation
QUESTION 119
Scenario: A call center has deployed Access Gateway Enterprise to provide its employees with access to
work resources from home. Due to the number of available licenses, only selected employees should
access the environment remotely based on their user account information.
How could the engineer configure access to meet the needs of this scenario?
A.
B.
C.
D.
Configure a Pre-authentication Policy.

Configure an Authentication Server using a search filter.
Configure an Authentication Policy using Client based expressions.
Add the selected employee accounts to the Local Authentication policy.
Correct Answer: B
Section: (none)
Explanation
http://support.citrix.com/article/CTX111079
When you type log in credentials on the log in page of the NetScaler VPN and press Enter, the credentials
are sent to the Active Directory for validation. If the user name and password are valid, then the Active
Directory sends the user attributes to the NetScaler appliance.
The memberOf attribute is one of the attributes that the Active Directory sends to the NetScaler appliance.
This attribute contains the group name of which you are defined as a member in the Active Directory. If you
are a member of more than one Active Directory group, then multiple memberOf attributes are sent to the
NetScaler appliance. The NetScaler appliance then parses this information to determine if the memberOf
attribute matches the Search filter parameter set on the appliance. If attribute matches, then you are
allowed to log in to the network.
The following are the sample attributes that the Active Directory can send to NetScaler appliance:
dn: CN=johnd,CN=Users,DC=citrix,DC=com
changetype: add
memberOf: CN=VPNAllowed,OU=support,DC=citrix,DC=com
cn: johnd
givenName: john
objectClass: user
sAMAccountName: johnd
Configuring a NetScaler Appliance to Extract the Active Directory Group To configure a NetScaler
appliance to extract the Active Directory group and enable clients to access the NetScaler VPN based on
the Active Directory groups by using the Lightweight Directory Access Protocol (LDAP) authentication,
compete the following procedure:
Determine the Active Directory Group that has access permission. To configure the NetScaler appliance for
Group Extraction, you must define the group a user needs to be a member of to allow access to the
network resources. Note: To determine that exact syntax, you might need to refer to the Troubleshooting
Group Extraction on the NetScaler appliance section.
Determine the Search Filter syntax.
Enter the appropriate syntax in the Search Filter field of the Create Authentication Server dialog box, as
shown in the following sample screenshot:
Note: Ensure that you start the value to the Search Filter filed with memberOf= and do not have any
embedded spaces in the value.
To configure the LDAP authentication with Group Extractions from the command line interface of the
NetScaler appliance with the values similar to the ones in the preceding screenshot, run the following
command:
add authentication ldapaction LDAP-Authentication -serverip 10.3.4.15
-ldapBase "CN=Users,DC=citrix,DC=com"
-ldapBindDn "CN=administrator,CN=Users,DC=citrix,DC=com" -ldapBindDnPassword ..dd2604527edf70
-ldapLoginName sAMAccountName
-searchFilter "memberOf=CN=VPNAllowed,OU=support,DC=citrix,DC=com" -groupAttrName memberOf
-subAttributeName CN
Note: Ensure that you set the subAttributeName parameter to CN. Troubleshooting Group Extraction on the
NetScaler appliance To troubleshoot group extraction on the NetScaler appliance, consider the following
points:
If the LDAP policy fails after configuring it for Group Extraction, it is best to create a policy that does not
have the group extraction configured to ensure that LDAP is configured appropriately.
You might need to use the LDAP Data Interchange Format Data Exchange (LDIFDE) utility from Microsoft
that extracts the attributes from the Active Directory server to determine the exact content of the memberOf
group.
You need to run this utility on the Active Directory server. The following is the syntax for the command to
run the LDIFDE utility:
ldifde -f <File_Name> -s <AD_Server_Name> -d "dc=<Domain_Name>,dc=com" -p subtree -r "(&
(objectCategory=person)(objectClass=User)(givenname=*))" -l
"cn,givenName,objectclass,samAccountName,memberOf" When you run the preceding command, a text
file, with the name you specified for File_Name parameter, is created. This file contains all objects from the
Active Directory. The following is an example from a text file so created:
dn: CN=johnd,CN=Users,DC=citrix,DC=com
changetype: add
memberOf: CN=VPNAllowed,OU=support,DC=citrix,DC=com
cn: johnd
givenName: john
objectClass: user
sAMAccountName: johnd
QUESTION 120
Company policy states that all passwords should travel the network in encrypted packets except SNMP.
Which command should the network engineer execute to comply with this policy?
A.
B.
C.
D.
set ns ip 10.20.30.40 -ssh disabled -telnet disabled -gui enabled

set ns ip 10.20.30.40 -telnet disabled -gui secureonly -ftp disabled
set ns ip 10.20.30.40 -mgmtaccess disabled -restrictaccess enabled
set ns ip 10.20.30.40 -gui secureonly -ssh enabled -restrictaccess enabled
Correct Answer: B
Section: (none)
Explanation
QUESTION 121
Scenario: A web server needs to be load-balanced but the content for the web page is retrieved from
different server pools. There is a server pool for images, another for text files, and another for documents.
Which NetScaler feature would allow a user to retrieve content from all pools through a single IP address by
leveraging the ability of NetScaler to forward traffic based on the incoming request?
A.
B.
C.
D.
Load Balancing
Content Filtering
Content Switching
Global Server Load Balancing
Correct Answer: A
Section: (none)
Explanation
QUESTION 122
On which two objects could a NetScaler Engineer bind cipher groups? (Choose two.)
A.
B.
C.
D.
E.
Server
Service
SSL policy
SSL profile
Virtual server
Correct Answer: BE
Section: (none)
Explanation
QUESTION 123
Scenario: When the NetScaler was set up, compression was enabled. The network engineer would like to
disable compression ONLY for a particular virtual server.
How could the engineer accomplish this?

A.
B.
C.
D.
Uncheck Compression in the system basic features.

Create a policy with a NOCOMPRESS action, bound to the global request point.
Disable compression on the services or service groups bound to the virtual server.
Create a policy with a NOCOMPRESS action, bound the virtual server Compression (request) point.
Correct Answer: C
Section: (none)
Explanation
QUESTION 124
A NetScaler engineer generates a techsupport archive to be sent to Technical Support.
Which three of the following pieces of information will be included in the archive file? (Choose three.)
A.
B.
C.
D.
E.
F.
Model Number
SSL Private Keys
Old Configuration Files
Hardware Boot sequence
Webpage Customizations
Certificate Revocation List
Correct Answer: ACD

Section: (none)
Explanation
QUESTION 125
Scenario: An engineer executes the following commands:
add vlan 2
bind vlan 2 -ifnum 1/2
add ns ip 10.110.4.200 255.255.255.0
bind vlan 2 -IPAddress 10.110.4.200 255.255.255.0 What type of IP address has been added to the
NetScaler?
A.
B.
C.
D.
VIP address
NSIP address
SNIP address
GSLB Site IP address
Correct Answer: C
Section: (none)
Explanation
QUESTION 126
A NetScaler Engineer has been given the task of protecting an internal web site by requiring users to enter
their credentials.
Which feature should the engineer configure?
A.
B.
C.
D.
AAA
SSL Offloading
Content Filtering
Application Firewall
Correct Answer: D
Section: (none)
Explanation
QUESTION 127
When using static proximity load-balancing method for a Global Server Load Balancing (GSLB) virtual
server, there must be a match between the IP addresses in the custom/static database to the IP address of
the _________ so that it is associated with a given location. (Choose the option to complete the sentence.)
A.
B.
C.
D.
GSLB service
ADNS service
Load-balancing server
Client local DNS (LDNS)
Correct Answer: A
Section: (none)
Explanation
QUESTION 128
A network engineer needs to investigate why a few users have issues logging on to the NetScaler system.
How can the engineer troubleshoot authentication issues on the NetScaler system?
A.
B.
C.
D.
Use ECV monitoring.

Run a violations report in Reporting.
Use the CAT aaad.debug command.
Check the system-authentication setting in the GUI.
Correct Answer: C
Section: (none)
Explanation
drop the the shell and the file is located at:
/tmp/aaad.debug
QUESTION 129
What should an engineer configure in an environment where two NetScaler appliances are configured in
high availability (HA) mode to prevent both nodes from reporting a state of NOT_UP at the same time?
A.
B.
C.
D.
Fail-Safe Mode
Route Monitors
Command Propagation
Configuration Synchronization
Correct Answer: A
Section: (none)
Explanation
QUESTION 130
Which SSL parameter should an engineer configure to bind multiple certificate key pairs to a virtual server?
A.
B.
C.
D.
SNI enable
Session reuse
Send close-notify
Client authentication
Correct Answer: A
Section: (none)
Explanation
QUESTION 131
Multiple Subnet IPs (SNIPs) are defined in the same network.
A NetScaler Engineer could specify the SNIP to use to communicate with servers on that network by
configuring a __________. (Choose the option to complete the sentence.)
A.
B.
C.
D.
net profile
listen policy
traffic domain
policy-based route
Correct Answer: A
Section: (none)
Explanation
QUESTION 132
Scenario: A NetScaler Engineer has been tasked with reconfiguring an existing NetScaler deployment. The
engineer is currently running a high-availability (HA) pair of NetScaler 10.5 appliances, but the Vice
President of IT has requested a more efficient way of preserving and balancing network resources and
throughput while having a single point of management for the NetScaler appliances.
What should the engineer configure to satisfy the requirements outlined by the Vice President of IT?
A.
B.
C.
D.
Switch from traditional HA to -INC mode HA.

Break the HA pair and configure clustering instead.
Break the HA pair and configure three standalone NetScaler nodes.
Leave HA enabled and increase bandwidth to both NetScaler nodes.
Correct Answer: B
Section: (none)
Explanation
QUESTION 133
When binding a certificate to a virtual server, which two certificate formats are supported by NetScaler?
(Choose two.)
A.
B.
C.
D.
P7B
PFX
PEM
DER
Correct Answer: CD
Section: (none)
Explanation
QUESTION 134
Traffic to which destination is sourced from the NetScaler IP (NSIP) by default?
A.
B.
C.
D.
NTP servers
Clients on the Internet
Load-balanced web services
Load-balanced authentication services
Correct Answer: A
Section: (none)
Explanation
QUESTION 135
Scenario: A network engineer would like to prevent blacklisted remote clients from accessing NetScaler
hosted application services. An IP address blacklist database is maintained by an external company and
available to query over the Internet.
The engineer would like to reject any connections from IP addresses that are contained in the blacklist.
What could the engineer configure to achieve this goal?
A.
B.
C.
D.
SSL offload
HTTP callout
URL transformation
SSL certification revocation list check
Correct Answer: B
Section: (none)
Explanation
QUESTION 136
When a content-switching virtual server is used and idle client connections must stay established longer
than the default NetScaler value, in which two locations could an engineer adjust the client timeout setting?
(Choose two.)
A.
B.
C.
D.
Global Timeout Settings

Load-balancing services
Load-balancing virtual server
Content-switching virtual server
Correct Answer: AD
Section: (none)
Explanation
QUESTION 137
Which client header indicates support for the type of compression the NetScaler may use?
A.
B.
C.
D.
Accept
User-Agent
Content-Type
Accept-Encoding
Correct Answer: D
Section: (none)
Explanation
QUESTION 138
Scenario: A NetScaler Engineer is asked to interpret the following configuration:
add audit syslogAction syslog_srv_1 192.168.0.1 -logLevel ERROR
add audit syslogAction syslog_srv_2 192.168.0.2 -logLevel WARNING
add audit syslogAction syslog_srv_3 192.168.0.3 -logLevel CRITICAL
add audit syslogAction syslog_srv_4 192.168.0.4 -logLevel ALERT
add audit syslogPolicy audit_pol_1 ns_true syslog_srv_1

bind system global audit_pol_1 -priority 100
add audit messageaction log-act1 CRITICAL '"Client:"+CLIENT.IP.SRC+" accessed "+HTTP.REQ.URL' bypassSafetyCheck YES
add responder policy RP_pol http.REQ.IS_VALID NOOP -logAction log-act1
bind responder global RP_pol 100 END -type REQ_OVERRIDE
Which syslog server will receive log information?
A.
B.
C.
D.
syslog_srv_3
syslog_srv_4
syslog_srv_1
syslog_srv_2
Correct Answer: A
Section: (none)
Explanation
QUESTION 139
Scenario: A NetScaler Engineer has received complaints from some users stating that their business
applications are running slow. The engineer analyzes the application servers and sees the following CPU
utilization:
ServerA is utilizing 20% CPU
ServerB is utilizing 20% CPU
ServerC is utilizing 100% CPU
The engineer had set the load-balancing method to round robin but decided to change the load-balancing
configuration for the business applications.
Which load-balancing method could the engineer use to address this issue?
A.
B.
C.
D.
Custom Load
Least Packets
Least Connections
Least Response time
Correct Answer: A
Section: (none)
Explanation
QUESTION 140
Scenario: A network engineer has bound four policies to an HTTP virtual server as follows:
PolicyA is bound with a priority of 10 and has the following expression: REQ.IP.SOURCEIP == 10.10.10.0
PolicyB is bound with a priority of 15 and has the following expression: REQ.IP.SOURCEIP != 10.10.11.0
PolicyC is bound with a priority of 20 and has the following expression: REQ.IP.SOURCEIP == 10.10.12.0
PolicyD is bound with a priority of 25 and has the following expression: REQ.IP.SOURCEIP != 10.10.13.0
When a connection is made from a PC with an IP address of 10.10.12.15, which policy will be applied?
A.
B.
C.
D.
PolicyA
PolicyB
PolicyC
PolicyD
Correct Answer: B
Section: (none)
Explanation
Don't be fooled by this as the first policy to match will be used, in this case 10.10.12.15 is not 10.10.11.0
hence it statisfies policyB
QUESTION 141
While binding a certificate key pair where the key is a 2048-bit, a NetScaler Engineer receives the following
error message:
"Certificate with key size greater than RSA512 or DSA512 bits not supported"
What could be causing this error?
A.
B.
C.
D.
The certificate being used is invalid.

The license file is saved in UTF-8 format.
The NetScaler does NOT have an SSL offloading card.
The NetScaler appliance does NOT have an appropriate license.
Correct Answer: D
Section: (none)
Explanation
QUESTION 142
In order to create a three-node NetScaler cluster, all nodes must __________ and __________. (Choose
the two options to complete the sentence.)
A.
B.
C.
D.
be physical appliances
have Platinum licensing
be using the same build
be the same platform model
Correct Answer: CD
Section: (none)
Explanation
QUESTION 143
Which item needs to be configured to enable content prefetch in Integrated Caching on the NetScaler
appliance?
A.
B.
C.
D.
Cache Policy
Cache Object
Cache Selector
Cache Content Group
Correct Answer: D
Section: (none)
Explanation
QUESTION 144
Which IP address type should be bound to a VLAN in order to isolate traffic to backend services?
A.
B.
C.
D.
Virtual IP (VIP)
Cluster IP (CLIP)
Subnet IP (SNIP)
NetScaler IP (NSIP)
Correct Answer: C
Section: (none)
Explanation
QUESTION 145
Scenario: The network engineer is setting up a new NetScaler using a direct connection. Three networks
are connected to the NetScaler. After initial configuration and restart, the engineer would like to confirm the
routing table entries.
From which location and which command should the engineer run to display the routing table?
A.
B.
C.
D.
From
From
From
From
the shell 'netstat -r'

the shell 'route monitor'
the command-line interface 'show pbr'
the command-line interface 'show route'
Correct Answer: D
Section: (none)
Explanation
QUESTION 146
Scenario: A NetScaler Engineer retrieves the following configuration from support and enters it into the
command-line interface:
add rewrite action remove_server_header delete_http_header Server
add rewrite policy RP_remove_srv_header "HTTP.REQ.IS_VALID && !CLIENT.IP.SRC.IN_SUBNET

(172.16.0.0/16)" remove_server_header
bind lb vserver lb_vsrv -policyName RP_remove_srv_header -priority 100 - gotoPriorityExpression END type REQUEST
The immediate effect of this configuration is that it will __________ the server header in the __________ if
the request is coming from a network other than 172.16.0.0/16. (Choose the set of options to complete the
sentence.)
A.
B.
C.
D.
keep; request
keep; response
remove; request
remove; response
Correct Answer: D
Section: (none)
Explanation
QUESTION 147
A NetScaler Engineer would like to encrypt the LDAP authentication traffic from a NetScaler to the internal
LDAP servers.
Which type of load-balancing service should the engineer create?
A.
B.
C.
D.
SSL
TCP
RADIUS
SSL_TCP
Correct Answer: D
Section: (none)
Explanation
QUESTION 148
Scenario: A NetScaler Engineer has created a local account for a user according to the below configuration:
add system user NSUser userpassword -timeout 900
add system group "NetScaler users" -timeout 900
add system cmdPolicy netscaler-users ALLOW
"(^man.*)|(^show\\s+(?!system)(?!configstatus)(?!ns ns\\.conf)(?!ns savedconfig)(?!ns runningConfig)(?
!gslb runningConfig)(?!audit messages)(?!techsupport).*)|(^stat.*)"
bind system group "NetScaler users" -userName NSUser
bind system group "NetScaler users" -policyName netscaler-users 100
The user is able to log on but is NOT able to execute certain commands. The engineer goes back and
looks at the logs, and the following is displayed:
Oct 6 13:34:15 <local0.info> 192.168.10.50 10/06/2014:13:34:15 GMT ns1 0-PPE-0 : CLI
CMD_EXECUTED 4303 0 : User NSUser - Remote_ip 192.168.10.10 - Command "show ns runningConfig"
- Status "ERROR: Not authorized to execute this command"
Why is the command NOT working for the user?

A.
B.
C.
D.
cmdPolicy is NOT configured to allow the command

cmdPolicy should be set to DENY, instead of ALLOW
The user should be bound to the cmdPolicy netscaler-users
The priority of the cmdPolicy bound to the group "NetScaler users" should be higher
Correct Answer: A
Section: (none)
Explanation
QUESTION 149
Which setting must an engineer ensure is configured before a Subnet IP (SNIP) could be used to
communicate with servers on the same network segment?
A.
B.
C.
D.
Static route is defined

USIP mode is enabled
USNIP mode is enabled
Default gateway is defined
Correct Answer: C
Section: (none)
Explanation
QUESTION 150
As a result of connecting two NetScaler interfaces in the same L2 broadcast domain/VLAN (unless link
aggregation is configured), the NetScaler will __________. (Choose the correct option to complete the
sentence.)
A.
B.
C.
D.
restart
disable one interface
cause a network loop
disable both interfaces
Correct Answer: C
Section: (none)
Explanation
QUESTION 151
Which two of the following settings could be configured using a TCP profile that is bound to a service?
(Choose two.)
A.
B.
C.
D.
E.
F.
TCP buffer size

Window scaling
TCP Server time-out values
Source IP for specific subnet
Allowed bandwidth throughput
Number of max concurrent TCP connections
Correct Answer: AB
Section: (none)
Explanation
QUESTION 152
Scenario: A NetScaler Engineer needs to perform a network packet trace on a NetScaler appliance. For
troubleshooting purposes the engineer needs to capture traffic only from interfaces 1/3 and 1/4; traffic from
other interfaces should NOT be captured. The resulting file should be saved in NetScaler format.
What should the engineer do to accomplish this task?
A. Run the nstcpdump.sh command from the NetScaler shell and specify the interface
B. Run the nstcpdump.sh command from the NetScaler shell and specify the filter parameter
C. Run the start nstrace command from the NetScaler command-line interface and specify the filter
parameter
D. Run the start nstrace command from the NetScaler command-line interface and specify the PerNIC
parameter
Correct Answer: C
Section: (none)
Explanation
QUESTION 153
Scenario: Users in an organization need to access several web applications daily. Management has asked
a NetScaler Engineer to reduce the amount of times users have to enter credentials when accessing web
applications.
What should the engineer configure to meet this requirement?
A.
B.
C.
D.
A load-balancing VServer and an authorization policy

An authentication VServer and an authorization policy
An authentication VServer and an authentication policy
A content switching VServer and an authentication profile
Correct Answer: C
Section: (none)
Explanation
QUESTION 154
A network engineer is investigating a recent failure of NetScaler high availability and confirms that some
recent changes were made to the configuration.
What is a likely cause of the failure?
A.
B.
C.
D.
Load balancing virtual server marked DOWN.

SNIP has had management access removed.
RPC node password changed on an appliance.
The network command policy has been modified.
Correct Answer: C
Section: (none)
Explanation
QUESTION 155
What should a NetScaler Engineer configure to create load-balancing virtual servers and services on the
same VLAN with overlapping IP addresses?
A.
B.
C.
D.
Listen policies
Traffic domains
Dynamic routing
Policy-based routing
Correct Answer: B
Section: (none)
Explanation
QUESTION 156
Which two content types are, by default, compressible content on the NetScaler? (Choose two.)
A.
B.
C.
D.
E.
zip
png
css
jpeg
html
Correct Answer: CE
Section: (none)
Explanation
QUESTION 157
Which persistence method is only applicable to load-balancing SIP?
A.
B.
C.
D.
CALLID
RTSPID
SOURCEIP
COOKIEINSERT
Correct Answer: A
Section: (none)
Explanation
QUESTION 158
In which two places could a NetScaler Engineer enable TCP Buffering? (Choose two.)
A.
B.
C.
D.
Service
Globally
HTTP profile
Virtual server
Correct Answer: AB
Section: (none)
Explanation
QUESTION 159
Which command must a NetScaler Engineer run at the command-line interface to enable a Link
Aggregation Control Protocol (LACP) channel?
A.
B.
C.
D.
Use "set lacp" with sysPriority parameter.

Use "set lacp" with ownerNode parameter.
Use "set interface" with lacpKey parameter.
Use "set interface" with lacpPriority parameter.
Correct Answer: C
Section: (none)
Explanation
QUESTION 160
When creating a link aggregation channel on the NetScaler, the "-throughput" option sets the __________.
A.
B.
C.
D.
max interface speed of the channel

interface threshold for channel failover
interface bandwidth limit for the channel
interface speed of each member of the channel
Correct Answer: B
Section: (none)
Explanation
QUESTION 161
What are two benefits of using Link Aggregation Control Protocol (LACP)? (Choose two.)
A.
B.
C.
D.
E.
Redundancy
Compression
Reduce TCP latency
Increased throughput
Automatic configuration of TCP windows
Correct Answer: AD
Section: (none)
Explanation
QUESTION 162
Which NetScaler caching type requires proxy configuration on all client devices?
A. SOCKS
B. REVERSE
C. FORWARD
D. TRANSPARENT
Correct Answer: C
Section: (none)
Explanation
QUESTION 163
Scenario: A NetScaler engineer needs to enable access to some web servers running on an IPv6-only
network. The clients connecting the services are on an IPv4 network. The engineer has already enabled
IPv6 on the NetScaler.
What does the engineer need to do in order to provide access to the services on the IPv6 network?
A.
B.
C.
D.
Create an IPv6 tunnel and a IPv4 virtual server.

Configure an IPv6 VLAN and bind the required interface.
Create a IPv4 virtual server and bind the service group to it.
Create an IPv6 ACL and a IPv4 virtual server and bind the ACL to the virtual server.
Correct Answer: C
Section: (none)
Explanation
QUESTION 164
Scenario: An engineer has been given the task of selecting the TCP profile for a NetScaler appliance. The
appliance has a 1.5Mbit WAN interface that has considerable and intermittent packet loss.
Which TCP profile should the engineer choose to optimize traffic for the WAN interface?
A.
B.
C.
D.
nstcp_default_profile
nstcp_default_tcp_lfp
nstcp_default_tcp_lnp
nstcp_default_tcp_lan
Correct Answer: C
Section: (none)
Explanation
QUESTION 165
Scenario: A website that provides hotel bookings lists each hotel through their membership number on the
site URL. For example, the Martello Tower member ID is 6754 and its web presence is at http://
www.hoteltestwebsite.com/hotels/6754/index.html.
There are 20,000 hotels in the database of the website. The website business owner no longer wants to
display the hotel sites for hotel numbers 1-10000, inclusive. A NetScaler Engineer must configure an
appropriate responder page to indicate that these sites are unavailable.
Which expression will meet the requirements of the business owner?
A. HTTP.REQ.URL.PATH.GET(2).TYPECAST_NUM_T(DECIMAL).BETWEEN(0, 10000)
B. HTTP.REQ.URL.AFTER_STR("hotels").TYPECAST_NUM_T(DECIMAL).BETWEEN(0, 10000)
C. HTTP.REQ.URL.BEFORE_STR("index.html").TYPECAST_NUM_T(DECIMAL).BETWEEN (0, 10000)

D. HTTP.REQ.URL.PATH.GET(1).TYPECAST_NUM_T(DECIMAL).GT(0) &&
HTTP.REQ.URL.PATH.GET(1).TYPECAST_NUM_T(DECIMAL).LT(10000)
Correct Answer: A
Section: (none)
Explanation
QUESTION 166
Scenario: A NetScaler Engineer has discovered that the object home.php is NOT found in the cache on the
system.
Below is the relevant configuration:
add cache contentGroup cache_content_group_1 -relExpiry 0
add cache policy cache_pol_1 -rule "http.REQ.URL.CONTAINS(\"home.php\")" -action MAY_CACHE storeInGroup cache_content_group_1
add cache policy cache_pol_2 -rule "http.REQ.METHOD.EQ(\"GET\")" -action NOCACHE
add cache policy cache_pol_3 -rule "HTTP.RES.HEADER(\"Set-Cookie\").EXISTS" -action NOCACHE
bind cache global cache_pol_3 -priority 100 -gotoPriorityExpression END -type RES_OVERRIDE
The data from the client and the server are as following:
GET /home.php HTTP/1.1
Host: www.website.com
User-Agent: Mozilla Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Date: Thu, 09 Oct 2014 18:25:00 GMT
Cookie: sessionid=100xyz
HTTP/1.1 200 OK
Date: Thu, 09 Oct 2014 18:25:00 GMT
Server: Apache/2.2.3 (Fedora)
Last-Modified: Wed, 09 Jul 2014 21:55:36 GMT
ETag: "27db3c-12ce-5e52a600"
Accept-Ranges: bytes
Cache-Control: private, max-age=0
Set-Cookie: sessionid=100xyz; expires=Thu, 09-Oct-2014 18:30:00 GMT; path=/
Content-Length: 119
Connection: close
Content-Type: text/html; charset=UTF-8
Why does the object NOT persist in the cache?
A.
B.
C.
D.
The request is a GET request.

The response has Set-Cookie.
The content group is missing a cache selector.
The content group has been configured with relExpiry 0.
Correct Answer: B
Section: (none)
Explanation
QUESTION 167
Which statement is true about interface link-state on the NetScaler?
A.
B.
C.
D.
Interface link-state is controlled by ifconfig in BSD.

Interface link-state is dependent on the HAMON setting.
Interface link-state CANNOT be brought down from the NetScaler.
Interface link-state on both appliances is unaffected by the force failover command.
Correct Answer: C
Section: (none)
Explanation

Citrix PracticeTest 1Y0-351 v2015-06-05 by Jimmy 167q

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Citrix PracticeTest 1Y0-351 v2015-06-05 by Jimmy 167q

Загружено:

Авторское право:

Доступные форматы

Citrix 1Y0-351 : Practice Test

Passing Score: 800

Exam Code: 1Y0-351

For SSL Offload

SSL Cipher Exchange

Server Name Indication (SNI)

Recreate the HTTP virtual servers.

C. The RPC passwords are incorrect

The NetScaler is disabled for NAT.

Reset the nsroot account.

Specify the nodes parameter.

Only interface 10/1

Modify the list of ciphers in the Default cipher group.

Link load balancing (LLB)

The LDAP Base DN is incorrect.

Bind a CA Certificate to the SSL Services.

A NetScaler implementation is experiencing intermittent network issues, specifically regarding traffic to a

ha node; provide any public IP addresses listed

The built-in monitor has been changed.

add cluster <node> -quorumType Majority

Set-Cookie: sessionid=100xyz; expires=Thu, 09-Oct-2014 18:30:00 GMT; path=/ Content-Length: 119

The request is a GET request.

The virtual server is configured for port 444.

TD2 services as a backup virtual server

The service monitor will take precedence over MEP.

Reset the unused interfaces

Extended ACLs may BRIDGE traffic.

Configure an OCSP responder.

Correct Answer: BDF

The number of HTTP requests to the backend services are decreased.

Enable SNMP trap logging.

be able to decrypt the SSL traffic

Remove Down State Flush.

C. set lb vserver myApp -persistenceType COOKIEINSERT -timeout 0 -cookieName X- Forwarded-For

Disable high availability and upgrade one node at a time.

Reset the unused interfaces

lmutil lmhostid -user

Configure StaySecondary on the second datacenter appliance.

SSL policy is incorrect.

B. Create a SSL policy.

a backup virtual server has been configured

NS1 and NS2 will both become primary.

add ns ip 10.100.10.100 255.255.255.0 -type SNIP

Enable Web Logging

Enabling Use Source IP Mode

SSL protocol is being used for encryption.

Create a persistency group.

SSL Certificates Files

C. HTTP services are bound to the virtual server

If using RSA 7.1

Appliance, and save the profile.

TLS 1.1/1.2 is enabled exclusively

Enable management access to the VIP.

Link Load Balancing (LLB)

Configure the time from the GUI and restart.

D. Disable the 'Management Access' option on all SNIPs.

It indicates that the client has been authenticated.

Oct 6 14:03:30 <local0.info> 192.168.10.50 10/06/2014:14:03:30 GMT ns1 0-PPE-0 : TCP

ACL logging in the nslog parameters

It will replace characters with shorter names.

Upgrade the primary node and perform HA sync.

The features are NOT enabled.

A. Disable static route advertisement.