Exam 70-345 topic 1 question 33 discussion

Actual exam question from Microsoft's 70-345
Question #: 33
Topic #: 1

HOTSPOT -
You deploy an Exchange Server 2016 organization. The organization contains two servers. The servers are configured as shown in the following table.

The default self-signed certificates are installed on both servers.
All of the users in the organization work from home and from customer locations.
You purchase a Layer 7 hardware-based load balancer. You configure SSL bridging without session affinity for Outlook on the web connections. The load balancer has an internal fully qualified domain name (FQDN) of lb1.contoso.local.
DNS servers are configured to resolve mail.contoso.com names to the external IP address of the load balancer.
You need to recommend which names must be included in the certificates installed on the load balancers and the Exchange servers.
What should you recommend for each certificate? To answer, select the appropriate options in the answer area.
Hot Area:

Suggested Answer:

Comments

l1f3rl
Highly Voted 5 years, 3 months ago
mail.contoso.com ex01.contoso.local ex02.contoso.local
upvoted 8 times
Remoman85
5 years, 2 months ago
Since the Load Balancer is External Facing and the Exchange Servers depend on Traffic routed through the Load Balancer I concur on these answers. As a Best Practice, SSL should terminate at the load balancer as this offers a centralized place to correct SSL attacks. https://docs.microsoft.com/en-us/exchange/architecture/client-access/load-balancing?view=exchserver-2019
upvoted 2 times
Harry83
4 years, 6 months ago
I agree. The question talks about SSL bridging. SSL bridging will terminate the traffic at the HLB (the HLB must have a public certificate). Then a second tunnel will open between the HLB and one of the published Exchange servers (on the Exchange servers we can use either a public or a private CA; most of the time HLBs do not validate the certificate on the server side, and the load balancing works even if the certificate is expired or contains the wrong name on the Exchange side).
upvoted 1 times
vladgo
4 years, 5 months ago
"The default self-signed certificates are installed on both servers." So internal names already exist, and the client uses mail.contoso.com; I think you have to add this name.
upvoted 1 times
RakRocky
Most Recent 4 years, 6 months ago
LB1.contoso.local mail.contoso.com mail.contoso.com
upvoted 2 times
paperA4
4 years, 5 months ago
This is the only correct answer. The only way you access the load balancer is via internal IP or internal FQDN for administrative purposes, thus LB1.contoso.local. External DNS points to the external IP of the LB, which redirects you to the internal nodes. And all local nodes should be mail.contoso.com. Have worked with load balancers and multiple Exchange nodes. Trust me.
upvoted 1 times
potpal
4 years, 8 months ago
mail.contoso.com ex01.contoso.local ex02.contoso.local
upvoted 4 times
resmail
4 years, 11 months ago
Load balancer: mail.certbase.de ex1.certbase.local: ex1.certbase.local ex2.certbase.local: ex2.certbase.local Explanation: When SSL bridging is enabled, incoming HTTPS traffic is decrypted on the load balancer for deeper analysis. The data is then re-encrypted and forwarded to the target server. The clients communicate with the load balancer using the name mail.certbase.de. This name must therefore be included in the load balancer's certificate. The load balancer communicates with the Exchange servers using their internal names.
upvoted 1 times
riccardo
4 years, 11 months ago
An SSL certificate cannot have an internal domain name such as .local, so the right answer for me is: mail.contoso.com ex1.contoso.com ex2.contoso.com
upvoted 2 times
Harry83
4 years, 6 months ago
The question does not specify where we buy the certificate. Therefore we can assume that we may use a public and/or private certificate. With a public CA you cannot buy a .local cert, but with an internal CA you can generate a .local certificate.
upvoted 1 times