
AZ-800 Question #141: Real Exam Question with Answer & Explanation

To implement Web Application Proxy on Server1 for external access to App1, the Remote Access role must be installed on Server1, and Active Directory Federation Services is required on the network for pre-authentication.

Implement and manage an on-premises and hybrid networking infrastructure

Question

Drag and Drop Question

Your network contains an Active Directory domain, a web app named App1, and a perimeter network. The perimeter network contains a server named Server1 that runs Windows Server.

You plan to provide external access to App1.

You need to implement the Web Application Proxy role service on Server1.

Which role should you add to Server1, and which role should you add to the network? To answer, drag the appropriate roles to the correct targets. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Answer:

Explanation

Approach. The question asks you to implement the Web Application Proxy (WAP) role service on Server1, which is located in a perimeter network. WAP is a role service of the 'Remote Access' server role in Windows Server. Therefore, 'Remote Access' should be dragged to the 'Role on Server1:' target. WAP functions as a reverse proxy that publishes internal web applications, and it relies on Active Directory Federation Services (AD FS) to pre-authenticate users accessing these applications. AD FS is typically deployed on servers within the internal network (the 'network' context in the question) to provide identity federation. Thus, 'Active Directory Federation Services' should be dragged to the 'Role on the network:' target. This configuration allows Server1 (running WAP) in the perimeter network (DMZ) to securely publish App1 by integrating with the internal AD FS infrastructure for authentication.
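The deployment described above, sketched in PowerShell as an added example (not part of the original question or its answer key). The host names, the certificate thumbprint and the relying party name are placeholders, and the script assumes an AD FS farm with a relying party trust for App1 already exists on the internal network.

```powershell
# Added example. Every value marked "placeholder" is an assumption, not taken from the question.
$FederationService = 'fs.example.com'                      # placeholder: AD FS federation service name
$CertThumbprint    = '<TLS-CERT-THUMBPRINT>'               # placeholder: cert in Server1's LocalMachine\My store
$ExternalUrl       = 'https://app1.example.com/'           # placeholder: URL external users browse to
$BackendUrl        = 'https://app1.internal.example.com/'  # placeholder: App1 on the internal network
$RelyingParty      = 'App1'                                # placeholder: relying party trust name in AD FS

# Role on the network: AD FS, installed on an internal domain-joined server, not on Server1.
#   Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools

# Role on Server1: Web Application Proxy is a role service of the Remote Access role.
Install-WindowsFeature -Name Web-Application-Proxy -IncludeManagementTools

# Bind Server1 to the federation service. The credential must belong to an account
# that is a local administrator on the AD FS servers.
Install-WebApplicationProxy -FederationServiceName $FederationService `
    -CertificateThumbprint $CertThumbprint `
    -FederationServiceTrustCredential (Get-Credential)

# Publish App1 with AD FS pre-authentication, so unauthenticated requests
# are redirected to AD FS before anything reaches the backend server.
Add-WebApplicationProxyApplication -Name 'App1' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName $RelyingParty `
    -ExternalUrl $ExternalUrl `
    -BackendServerUrl $BackendUrl `
    -ExternalCertificateThumbprint $CertThumbprint

# Check 1: the Remote Access role and its WAP role service are installed on Server1.
Get-WindowsFeature -Name RemoteAccess, Web-Application-Proxy |
    Format-Table Name, InstallState

# Check 2: flag any published application that skips pre-authentication.
$passThrough = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalPreauthentication -eq 'PassThrough' }
if ($passThrough) {
    Write-Warning "Published without AD FS pre-authentication: $($passThrough.Name -join ', ')"
}
```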

Common mistakes.

  • Active Directory Certificate Services (AD CS): While certificates are essential for WAP and AD FS (for SSL/TLS), AD CS itself is not the primary 'role on the network' that directly enables WAP's functionality. It's an infrastructure service that provides certificates, but not the core federation service WAP integrates with. Installing AD CS directly for this purpose alone is incorrect.
  • Network Policy and Access Services: This role includes components like Network Policy Server (NPS) for RADIUS authentication, and Routing and Remote Access Service (RRAS) for VPNs and routing. It is not the correct role for publishing web applications via Web Application Proxy or for providing identity federation, which are the requirements in this scenario.
  • Using a single role for both targets: The question implies two distinct roles, one on Server1 and one supporting infrastructure role on the network, making it unlikely for one role to fill both slots effectively in this specific context.

Concept tested. Web Application Proxy (WAP) architecture, its dependency on Active Directory Federation Services (AD FS), and the associated Windows Server roles for publishing internal web applications to external users.

Topics

#Web Application Proxy  #AD FS  #Remote Access Role  #Perimeter Network
