Citrix 1Y0-350

download Citrix 1Y0-350

of 44

Transcript of Citrix 1Y0-350

  • 8/10/2019 Citrix 1Y0-350


    QUESTION: 1A network engineer needs to upgrade both appliances of a High Availability (HA)

    pair. In which order should the network engineer upgrade the appliances?

    A. Disable high availability and upgrade one node at a time.B. Upgrade the primary node first without disabling high availability.C. Upgrade the secondary node first without disabling high availability.D. Perform the upgrade simultaneously without disabling high availability.

    Answer: C

    QUESTION: 2Scenario: A network engineer is managing a NetScaler environment that has two

    NetScaler devices running as a high availability pair. The engineer must upgradethe current version from NetScaler 9 to NetScaler 10. Which action must theengineer take?

    A. Upgrade the primary node and perform HA sync.B. Upgrade the secondary node and then upgrade the primary node.C. Upgrade the primary node and then upgrade the secondary node.D. Break the high availability pair, upgrade each NetScaler device, and then

    reconfigure high availability.

    Answer: B

    QUESTION: 3An engineer has two NetScaler devices in two different datacenters and wants tocreate a high availability (HA) pair with the two devices, even though they are ontwo different subnets. How can the engineer configure the HA Pair between thetwo NetScaler devices?

    A. Configure StaySecondary on the second datacenter appliance.B. Ensure that INC mode is enabled during the creation of the HA Pair.C. Enable the HAMonitors on all interfaces after the HA Pair has been created.D. Change the NSIP of the second appliance to be on the same subnet as the firstappliance.

    Answer: B

  • 8/10/2019 Citrix 1Y0-350


    QUESTION: 4When a network engineer logs onto a new NetScaler device in the Londondatacenter, data output indicates that the device is NOT configured for the local

    time. How can the network engineer synchronize the correct time with an NTPserver in the local data center?

    A. Configure the correct time from the GUI and restart.B. Modify the ntp.conf and rc.netscaler files and restart.C. Logon using the nsrecover/nsroot credentials and restart.D. Configure the NetScaler as a secondary NTP server and restart.

    Answer: B

    QUESTION: 5Scenario: The NetScaler has connections to a large number of VPNs. The networkengineer wants to minimize the number of ARP requests. Which feature should thenetwork engineer enable to minimize ARP requests?

    A. TCP BufferingB. Use Source IP

    C. Edge ConfigurationD. MAC based forwarding

    Answer: D

    QUESTION: 6A network engineer has configured two NetScaler MPX appliances as a highavailability (HA) pair. What can the engineer configure to prevent failover if only asingle interface fails?


    Answer: A

  • 8/10/2019 Citrix 1Y0-350


    QUESTION: 7Scenario: A NetScaler appliance currently has a manually configured channelcontaining four interfaces; however, the engineer has been told that the NetScalermust now only use a single interface for this network. The engineer removes the

    channel and immediately notices a decrease in network performance. How couldthe engineer resolve this issue?

    A. Reset the unused interfacesB. Disable the unused interfacesC. Enable flow control on all interfacesD. Disable HA monitoring on the three interfaces that are no longer required

    Answer: B

    QUESTION: 8Scenario: A NetScaler engineer needs to enable access to some web serversrunning on an IPv6-only network. The clients connecting the services are on anIPv4 network. The engineer has already enabled IPv6 on the NetScaler. What doesthe engineer need to do in order to provide access to the services on the IPv6network?

    A. Create an IPv6 tunnel and a IPv4 virtual server.B. Configure an IPv6 VLAN and bind the required interface. C.Create a IPv4 virtual server and bind the service group to it.D. Create an IPv6 ACL and a IPv4 virtual server and bind the ACL to the virtualserver.

    Answer: C


    Scenario: A network engineer created an IPv6 virtual server on the NetScaler. Thevirtual server is using a service group with two IPv4 servers bound to it. Whentesting access to the virtual server from a client configured with an IPv6 address,he is unable to connect. What could be the reason for this issue?

    A. The NetScaler is disabled for NAT.B. IPv6 protocol translation is disabled.C. An IPv6 address on the NetScaler is not bound to the correct VLAN.D. The NetScaler does not have an INAT rule to convert IPv4 to IPv6 from the

    back-end servers.

  • 8/10/2019 Citrix 1Y0-350


    Answer: B

    QUESTION: 10Scenario: An engineer executes the following commands:add vlan 2

    bind vlan 2 -ifnum 1/2add ns ip

    bind vlan 2 -IPAddress type of IP address has been added to the NetScaler?

    A. VIP addressB. NSIP addressC. SNIP addressD. GSLB Site IP address

    Answer: C

    QUESTION: 11Scenario: For security reasons, the NSIP needs to be configured to only be

    accessible on interface 0/1, which is VLAN 300.The NSIP address is and the subnet mask is would the network engineer achieve this configuration?

    A. set ns config -nsvlan 300 -ifnum 0/1B. set ns ip -gui ENABLED -vrID 300C. add vlan 300 set ns ip -mgmtAccess ENABLEDD. set ns config -IPAddress -netmask

    Answer: A

    QUESTION: 12Why would an engineer want to specify a TCP Profile for a specific service group?

    A. To enable use of features like SSL over TCP for that specific service group.B. To adjust the TCP settings for traffic to and from that specific service group.C. To use a specific SNIP for traffic to the back-end servers in that service group.

  • 8/10/2019 Citrix 1Y0-350


    D. To enable features like use source IP, TCP keep alive and TCP buffering for aspecific service group.

    Answer: B

    QUESTION: 13A network engineer wants to optimize a published load balanced SSL virtual serverfor WAN connection with long delay, high bandwidth with minimal packet drops.What would the network engineer use to do this type of optimization for the SSLvirtual server?

    A. SSL policyB. TCP profileC. Compression policyD. Priority queuing policy

    Answer: B

    QUESTION: 14Scenario: The NetScaler is connected to two subnets. The NSIP is The

    external SNIP is The MIP for internal access is Web servers,authentication servers and time servers are on the network which isavailable through the router. The external firewall has the Traffic bound for Internet clients should flow through the externalfirewall. Which command should be used to set the default route?

    A. add route add route add route add route

    Answer: A

    QUESTION: 15Some SSL certificate files may be missing from a NetScaler appliance. Whichdirectory should an engineer check to determine which files are missing?

    A. /nsconfig/ssl

  • 8/10/2019 Citrix 1Y0-350


    B. /nsconfig/sshC. flash/nsconfig/D. /var/netscaler/ssl/

    Answer: A

    QUESTION: 16Scenario: An engineer has been hired to manage the content-switchingconfigurations on the NetScaler. The user account for this engineer must have thestandard rules that apply to the other administrators. What should the engineer doto allow for the extra privileges?

    A. Modify the current Command Policy and then save the changes.B. Unbind the current Command Policy of the user account and then save thechanges.C. Remove the custom Command Policy and then create one with the newrequirements.D. Create a custom Command Policy and bind it to the user account with thehighest priority.

    Answer: D

    QUESTION: 17A network engineer needs to configure smart card-based authentication on

    NetScaler Access Gateway. Which type of authentication policy could the engineerconfigure in order to accomplish this task?

    A. LocalB. RADIUSC. Certificate

    D. Secure LDAP

    Answer: C

    QUESTION: 18A company wants to implement a policy where all passwords should be encryptedwhile transiting the network. Where in the GUI would the network engineer

    prevent access to unsecured management protocols?

  • 8/10/2019 Citrix 1Y0-350


    A. Network -> IPsB. System -> AuditingC. AppExpert -> Pattern Sets

    D. Protection Features -> Filter

    Answer: A

    QUESTION: 19Scenario: The NetScaler is configured with a NSIP of Managementaccess is NOT enabled on any other IP address. Which command should anengineer execute to prevent access to the NetScaler using HTTP and only allowHTTPS access?

    A. set ns ip -gui disabled -telnet disabledB. set ip -gui secureonly -mgmtaccess enabled C.set ip -mgmtaccess disabled -gui secureonly D.set ns ip -gui enabled -restrictAccess enabled

    Answer: B

    QUESTION: 20Company policy states that SNMP management should only be allowed fromspecific hosts. What should the network engineer do to prevent unauthorized accessto SNMP?

    A. Add an SNMP manager.B. Add an SNMP trap destination.C. Check secure access only on the NSIP.D. Add an SNMP community name that is difficult to guess.

    Answer: A

    QUESTION: 21Scenario: The IT department in an organization manages servers and networkdevices from an internal management subnet. A NetScaler device has recently beeninstalled into the DMZ network. The intranet firewall allows TCP 443 from themanagement subnet to the NetScaler device. How could the engineer ensure that

  • 8/10/2019 Citrix 1Y0-350


    only workstations in the management network are permitted to manage theNetScaler?

    A. Create an Extended ACL based on the source IP address.B. Create a restricted route from the internal network to the DMZ.C. Enable the management access control option on the NSIP address.D. Enable the management access control on the internal SNIP address.

    Answer: A

    QUESTION: 22Scenario: An engineer has three subnets configured on a NetScaler appliance. Theengineer must only allow a certain group of users to access a virtual server on theappliance. The IT Manager requires that all rules are flexible and can be easilymodified for ease of administration. How could the engineer allow certain groupsto access the virtual server while still being able to modify the setting in the future?

    A. Add a Simple ACL.B. Disable USNIP Mode.C. Create an Extended ACL.D. Add a Host Route to the virtual server.

    Answer: C

    QUESTION: 23Scenario: An engineer created a new test Web Interface site for the newXenDesktop farm that the IT Department is developing. Several weeks later theengineer finds out that several people across the company have been accessing thenew test site. The engineer needs to ensure that only the IT Department subnets canaccess the test site. How could the engineer restrict access to the site so that only

    certain subnets can access this resource?

    A. Add an Extended ACL to only allow specific subnets to the Web Interface Site.B. Modify an existing simple ACL to allow specific subnets to the Web InterfaceSite.C. Enable USNIP Mode on the appliance to allow specific subnets to the WebInterface Site.D. Change the Access Method on the Web Interface Site to allow specific subnetsto the Web Interface Site.

  • 8/10/2019 Citrix 1Y0-350


    Answer: A

    QUESTION: 24A network engineer needs to configure load balancing for an FTP site. Which typeof session persistence method can the engineer select for this scenario?

    A. RuleB. Source IPC. Cookie InsertD. Custom Server ID

    Answer: B

    QUESTION: 25Scenario: runs a dating service site that provides a service withvideos of candidates. They want to use RTSP load balancing to stream the videosmore effectively. Which load balancing method should the engineer select?

    A. Least packet

    B. Round RobinC. Least bandwidthD. Least connection

    Answer: C

    QUESTION: 26A network engineer needs to configure load balancing for secured web traffic thatdoes NOT terminate at the NetScaler device. Which type of session persistence

    method can the engineer select for this scenario?

    A. Source IPB. Cookie InsertC. URL PassiveD. SRCIPDESTIP

    Answer: A

  • 8/10/2019 Citrix 1Y0-350


    QUESTION: 27A company has two sites that host six cache web servers that are used to promotesales information. Which feature on the NetScaler should an engineer enable to

    provide faster application performance and also provide additional capacity if thedemand increases for one site?

    A. Load balancing B.Integrated Cache C.Responder Policy D.Content switching

    Answer: A

    QUESTION: 28Scenario: A network engineer has configured a load balancing virtual server for anHTTP application. Due to the application architecture, it is imperative that a userssession remains on a single server during the session. The session has an idletimeout of 60 minutes. Some devices are getting inconsistent application accesswhile most are working fine. The problematic devices all have tighter securitycontrols in place. Which step should the engineer take to resolve this issue?

    A. Set the cookie timeout to 60 minutes.B. Configure a backup persistence of SourceIP.C. Change the HTTP parameters to Cookie Version 1.D. Utilize SSL offload to enable the application to use SSL.

    Answer: B

    QUESTION: 29

    Scenario: The network engineer has created a monitor and bound it to a servicegroup containing four web servers to verify that the web application responds.During routine maintenance one of the web servers is shut down; however, theserver state remains UP and user requests are still attempting to communicate withthe server. What could be causing this problem?

    A. The server has been disabled.B. The monitor is not bound at the correct bind point.C. Health monitoring is disabled for the service group.

  • 8/10/2019 Citrix 1Y0-350


    D. The NetScaler configuration has not been saved since before the monitor wasbound.

    Answer: C

    QUESTION: 30Scenario: An engineer is configuring services to allow load balancing of backendweb servers on the internal network. The engineer bound multiple monitors to thefirst service, but notices that the service is reporting as DOWN. The monitorthreshold default has NOT been changed. What could be causing this issue?

    A. The service type is HTTP.B. One of the monitors' tests is failing.C. Some of the monitors have a higher weight.D. The monitors are both reporting an UP status.

    Answer: B

    QUESTION: 31What should a network engineer configure to set high availability for a load

    balanced virtual server?

    A. Session persistenceB. A backup virtual serverC. Load balancing policiesD. Load balancing services

    Answer: B

    QUESTION: 32Scenario: A NetScaler engineer is adding a new SSL certificate to a NetScalerdevice. During the process the engineer receives an error message:"Certificate with key size greater than RSA512 or DSA512 bits not supported."The same process has been followed previously on the same model of NetScalersuccessfully. What is the likely cause of this error?

    A. The certificate hostname is invalid.B. RSA authentication has been added to the VIP.

  • 8/10/2019 Citrix 1Y0-350


    C. The NetScaler has not been licensed correctly.D. The CSR has not been submitted to the certificate authority.

    Answer: C

    QUESTION: 33Scenario: A network engineer needs to generate a certificate on the NetScalerappliance. The environment requires a private key with 4096-bit encryption. Togenerate a new SSL certificate from a NetScaler Appliance, the engineer must firstcreate . (Choose the correct option to complete the sentence.)

    A. CSRB. DSA keyC. RSA keyD. Diffie-Hellman key

    Answer: C

    QUESTION: 34Scenario: An engineer has configured an SSL virtual server and has bound a

    service group of type HTTP containing several servers. The service group is UPbut the virtual server is in a DOWN state. The engineer has verified that the SSLfeature is enabled. What should the engineer do to ensure that the virtual servershows as UP?

    A. Add a monitor that checks for HTTP.B. Change the service group to type SSL.C. Bind an SSL certificate to the virtual server.D. Configure the service group to use port 443.E. Change the monitor for a larger time out period.

    Answer: C

    QUESTION: 35Users have reported that they are receiving a confusing error message related toSSL sessions when connecting from older browsers. How could the networkengineer present this error to users in a customized format?

  • 8/10/2019 Citrix 1Y0-350


    A. Enable the SSL v2 protocol.B. Set a URL on the backup virtual server.C. Add a redirect URL to the virtual server.D. Configure SSL v2 Redirection for the virtual server.

    Answer: D

    QUESTION: 36A network engineer must determine which SSL protocols are enabled on a virtualserver named SSL01. Which command could the engineer run to see thisinformation?

    A. Show ssl statsB. Show server SSL01C. Show vServer SSL01D. Show ssl vServer SSL01

    Answer: D

    QUESTION: 37

    The security department just conducted a penetration test on the published virtualservers and all of the SSL virtual servers returned the result Allowed changing toweak certificate standard in the report. The reason for this result could be that thenetwork engineer who configured the virtual servers forgot to .(Choose the correct option to complete the sentence.)

    A. block TLSv1B. apply the SSL policyC. configure the HIGH Cipher group onlyD. configure the DEFAULT Cipher group only

    Answer: C

    QUESTION: 38Which policy expression must an engineer use to enable compression for javascriptfiles?

    A. HTTP.RES.BODY(0).CONTAINS("javascript")

  • 8/10/2019 Citrix 1Y0-350


    B. HTTP.REQ.BODY(0).CONTAINS("javascript")C. HTTP.RES.HEADER("Content-Type").CONTAINS("javascript")D. HTTP.REQ.HEADER("Content-Type").CONTAINS("javascript")

    Answer: C

    QUESTION: 39Which expression must an engineer use to prevent compression of Cascading StyleSheets?

    A. HTTP.RES.BODY(0).CONTAINS("text/css")B. HTTP.REQ.BODY(0).CONTAINS("text/css")C. HTTP.RES.HEADER("Content-Type").CONTAINS("text/css")D. HTTP.REQ.HEADER("Content-Type").CONTAINS("text/css")

    Answer: C

    QUESTION: 40The purpose of pre-fetch in integrated caching is to automatically .(Choose the correct option to complete the sentence.)

    A. refresh a cached object before expiringB. fetch objects from the forwarding cache before expiringC. retrieve all objects on a published website after a policy is appliedD. retrieve an object in the expression from a website after a policy is applied

    Answer: A

    QUESTION: 41What is the purpose of the flash cache option in integrated caching?

    A. To completely wipe a cache group when the targeted selector is hit in the cacheB. To use the flash memory for storage for a specific cache group to improve

    performanceC. To queue simultaneous requests of an object and answer all with the sameresponse from the serverD. To answer the client request without checking if the object has expired, objectsare checked periodically instead

  • 8/10/2019 Citrix 1Y0-350


    Answer: C

    QUESTION: 42Scenario: A network engineer has created two selectors to use to populate a cachegroup in integrated caching. One selector, "Hit," will determine what to add to thegroup. The other, "Inval", will select what should be invalidated. Which commandshould the engineer run to create the cache group?

    A. add cache contentgroup CacheGroup1 -hitParams Hit -invalParam InvalB. add cache contentgroup CacheGroup1 -hitSelector Hit -invalSelector InvalC. set cache contentgroup CacheGroup1 - hitParams Hit -invalParam Inval -typeHTTPD. set cache contentgroup CacheGroup1 -hitSelector Hit - invalSelector Inval -typeHTTP

    Answer: B

    QUESTION: 43Scenario: An organization has recently been penetration-tested by a security

    company. The findings have indicated that the NetScaler device is responding torequests revealing web server information within the HTTP response headers.Which NetScaler feature can a network engineer use to prevent this informationfrom being leaked to a potential malicious user?

    A. RewriteB. ResponderC. Web LoggingD. URL Transformation

    Answer: A

    QUESTION: 44Scenario: Company Inc. wants to tag incoming requests with a header thatindicates which browser is being used on the connection. This helps the server keeptrack of the browsers after the NetScaler has delivered the connections to the backend. The engineer should create actions to . (Choose thecorrect set of options to complete the sentence.)

  • 8/10/2019 Citrix 1Y0-350


    A. rewrite; insert tags on the client headerB. responder; separate the client requestsC. rewrite; insert tags on the server response

    D. responder; filter the browser type on the client header

    Answer: A

    QUESTION: 45Which step could a network engineer take to prevent brute force logon attacks?

    A. Enable the Rate Limiting feature.B. Enable the AAA Application feature.C. Configure the Access Gateway policies.D. Configure the Cache redirection policies.

    Answer: A

    QUESTION: 46

    A network engineer should enable the Rate Limiting feature of a NetScaler system

    to mitigate the threat ofthe sentence.)

    A. reverse proxyingB. Java decompilationC. source code disclosureD. brute force logon attacks

    Answer: D

    attack. (Choose the correct option to complete

    QUESTION: 47Which NetScaler feature could be used to stall policy processing to retrieveinformation from an external server?

    A. ResponderB. HTTP calloutC. AppExpert templateD. EdgeSight monitoring

  • 8/10/2019 Citrix 1Y0-350


    Answer: B

    QUESTION: 48An engineer has bound three monitors to a service group and configured each ofthe monitors with a weight of 10. How should the engineer ensure that themembers of the service group are marked as DOWN when at least two monitors fail?

    A. Re-configure the weight of each monitor to 0.B. Configure the service group with a threshold of 21.C. Configure the service group with a threshold of 20.D. Re-configure the weight of each monitor to 5, and configure the service groupthreshold to 15.

    Answer: C

    QUESTION: 49A network engineer has noted that the primary node in an HA pair has beenalternating as many as three times a day due to intermittent issues. What should theengineer configure to ensure that HA failures are alerted?

    A. LACPB. SNMPC. Route monitorsD. Failover Interface Set

    Answer: B

    QUESTION: 50The disk is full on a NetScaler appliance but NO alerts were generated by theSNMP traps. What is the likely cause of this failed alert?

    A. Auditing is not enabled.B. EdgeSight monitoring is not configured.C. The threshold was not set for the alarm.D. Health monitoring has not been enabled.

  • 8/10/2019 Citrix 1Y0-350


    Answer: C

    QUESTION: 51What type of protocol does AppFlow use for reporting?


    Answer: B

    QUESTION: 52Scenario: A network engineer monitoring an HTTP service-related issue needs toview only the relevant data pertaining to the service being monitored. The IPaddress of the back-end service being monitored is The NSIP address is10.10.1.230. Which command should the engineer execute to monitor data relevantto this issue only in realtime?

    A. telnetB. tracerouteC. nsconmsgD. nstcpdump

    Answer: D

    QUESTION: 53Scenario: A NetScaler environment uses two-factor authentication and the second

    authentication method is AD. A user logs in to the environment but does NOTreceive access to the resources that the user should have access to. How can anengineer determine the AD authentication issue on the NetScaler?

    A. Check NSlogs.B. Use nsconmsg.C. Use the cat aaad.debug command.D. Check the authorization configuration.

  • 8/10/2019 Citrix 1Y0-350


    Answer: C

    QUESTION: 54

    A NetScaler is configured with two-factor authentication. A user reported thatauthentication failed. How can an engineer determine which factor of theauthentication method failed?

    A. Check NSlog.B. Use nsconmsg.C. Check the dashboard.D. Use cat aaad.debug command.

    Answer: D

    QUESTION: 55Scenario: A NetScaler high availability (HA) pair has the following interfacesconnected:1/1 - Test network1/2 - Production networkThe network engineer needs to re-cable the test network and wants to ensure that,when the cable is removed, HA fail over does NOT occur unless the production

    network also goes down.Which step should the engineer take to meet these requirements?

    A. Configure LACP for interface 1/1.B. Disable HA monitoring on interface 1/1.C. Set the throughput to 0 for interface 1/1.D. Bind interfaces 1/1 and 1/2 into a channel, then disable HA monitoring.

    Answer: B

    QUESTION: 56Scenario: A NetScaler engineer is on the phone with Technical Support totroubleshoot an issue. The NetScaler engineer generated a support archive andneeds to send the file to the Technical Support Specialist to help resolve the

    problem with the appliance. In which directory could the engineer retrieve theinformation?

    A. /nsconfig

  • 8/10/2019 Citrix 1Y0-350


    B. /var/crashC. /var/nstraceD. /var/tmp/support

    Answer: D

    QUESTION: 57Scenario: A network engineer has bound a service group containing four webservers to a virtual server. The virtual server is UP but users report that they areunable to access the virtual server. In order to troubleshoot this issue, the engineershould use telnet fromsentence.)

    . (Choose the correct option to complete the

    A. a PC to the virtual IP addressB. a PC to the subnet IP addressC. a PC to the mapped IP addressD. the NetScaler shell to one of the web servers

    Answer: A

    QUESTION: 58How could a network engineer gather detailed network information?

    A. System node -> Diagnostics -> Call homeB. System node -> Diagnostics -> Start new traceC. System node -> Diagnostics -> Show techsupportD. System node -> Diagnostics -> Show running vs saved config

    Answer: B

    QUESTION: 59Scenario: A security test has shown that the NetScaler is forwarding IP packets.Company standard operating procedure is that the routers should be the onlydevices forwarding packets. Which step should the network engineer take to

    prevent forwarding packets?

    A. Enable Layer 2 mode.B. Disable Layer 3 mode.

  • 8/10/2019 Citrix 1Y0-350


    C. Disable Path MTU Discovery. D.Enable MAC based forwarding.

    Answer: B

    QUESTION: 60An engineer has bound a policy to a test virtual server. How could the engineerverify that the policy is being applied?

    A. Monitor the number of hits for the policy.B. Monitor the number of hits for the virtual server.C. Enable the AppFlow logging option for the virtual server.D. Ensure the policy has a greater priority value than other policies bound to thetest virtual server.

    Answer: A

    QUESTION: 61Scenario: An engineer implementing a NetScaler is tasked with creating a newVLAN, named VLAN 2, and adding it to the current interfaces. A new IP address

    of with a network mask of must be configured forVLAN 2. Which commands could the engineer use to achieve this configuration inthe command-line interface prior to binding VLAN 2?

    A. add ns ip add vlan 2B. set vlan 2 -aliasName VLAN2 add ns ip add ns ip -vrID 2D. add ns ip -type SNIP set ns ip -vrID 2

    Answer: A

    QUESTION: 62Scenario: A network engineer has configured GSLB for a multisite environment.All GSLB services show as UP with an UP MEP status. The engineer has observedthat DNS queries are directed to the SNIP of the NetScaler; however, no DNSresponse is being received. How can the engineer resolve this issue?

  • 8/10/2019 Citrix 1Y0-350


    A. Add an ADNS service on the SNIP.B. Change the DNS delegation to the NSIP.C. Create a load balancing virtual server for DNS.D. Select the Send all active service IPs in response (MIR) option.

    Answer: A

    QUESTION: 63Scenario: GSLB has been configured for use within a multisite environment. TheMEP status is reported as down on all GSLB appliances. The appliances have beenconfigured for unsecured MEP exchange. Which port must the network engineerensure is open between the NetScaler appliances?

    A. TCP 3011B. UDP 3011C. TCP 3012D. UDP 3012

    Answer: A

    QUESTION: 64Scenario: The network engineer is unable to access a specific SSL site through theNetScaler. While reviewing traces on the NetScaler, the network engineer noticed"Handshake" failures from the server. These handshake failures could be the resultof the virtual serversentence.)

    . (Choose the correct option to complete the

    A. only allowing TLSB. not allowing SSLv3C. not allowing correct ciphers

    D. configured to demand client authentication

    Answer: C

    QUESTION: 65Scenario: A virtual server named New_Server has been disabled to perform anemergency upgrade; however requests from clients are NOT being redirected to themaintenance page. The redirected URL configuration is:

  • 8/10/2019 Citrix 1Y0-350


    >set cs vserver Website_main -lbvserver New_Server -backupVserverBackup_Server - redirectURL -soMethodConnection -soThreshold 1000 -soPersistence enabledWhy are requests from clients NOT being redirected to the maintenance page?

    A. The backup virtual server is unavailable.B. The spillover persistence has been activated.C. It has not been linked to content switching policies.D. The backup virtual server takes precedence over the redirect URL.

    Answer: D

    QUESTION: 66Scenario: A network engineer gets an error message when using the configurationutility to import a PKCS#12 certificate that contains a dollar sign ($), a backquote(`), or an escape (\) character password. In order to address this error, the networkengineer could prefix it withthe sentence.)

    A. an escape character (\)B. a backquote character (`)

    C. a dollar sign character ($)D. a double quotation character (")

    Answer: A

    . (Choose the correct option to complete

    QUESTION: 67Scenario: A network engineer has modified the configuration of a content-switching virtual server, Website_main, because a second content-switching serverthat is capable of handling more connections has been added to the NetScaler

    implementation. Both servers will remain in operation. The engineer made thefollowing configuration changes:>set cs vserver Website_main -lbvserver New_Server -backupVserver Old_Server- redirectURL -soMethod Connection -soThreshold 1000 Why did the engineer enable the spillover option?

    A. To handle incoming connections in case the new server is unavailableB. To handle the extra connections using the old server without dropping themC. To redirect the extra connections to the Maintenance website when it is needed

  • 8/10/2019 Citrix 1Y0-350


    D. To handle incoming connections while the server reaches its limit ofconnections

    Answer: B

    QUESTION: 68Scenario: A company is using Citrix NetScaler VPX for publishing internalresources using Citrix Access Gateway with Smart Access. Since the number ofusers has increased the company wants to migrate from Citrix NetScaler VPX toCitrix NetScaler MPX. The engineer is running a parallel installation of the Citrix

    NetScaler MPX and now needs to transfer the Citrix Access Gateway UniversalLicenses from a Citrix NetScaler VPX to a Citrix NetScaler MPX platform. Howshould the engineer transfer the Citrix Access Gateway Universal License filesfrom the VPX to the MPX?

    A. Backup the /nsconfig directory from the Citrix NetScaler VPX using SCP,restore the /nsconfig directory to the Citrix NetScaler MPX using SCP.B. Download the Access Gateway Universal License file(s) from the Citrix

    NetScaler VPX using SCP. Upload the Access Gateway Universal License file(s)to the Citrix NetScaler MPX using SCP.C. Logon to, return the Citrix Access Gateway UniversalLicense file(s), reallocate the Citrix Access Gateway Universal License file using

    the hostname of the Citrix NetScaler MPX.D. Logon to, return the Citrix Access Gateway UniversalLicense file(s), reallocate the Citrix Access Gateway Universal License file usingthe MAC Address of the Citrix NetScaler MPX.

    Answer: C

    QUESTION: 69Scenario: A network engineer needs to add an NTP server to a NetScaler appliance.

    The NTP service is configured on Which command should the networkengineer use within the command-line interface to add in an NTP server for timesynchronization?

    A. add ntp server add server NTP add service NTP TCP 123D. add service NTP UDP 123

  • 8/10/2019 Citrix 1Y0-350


    Answer: A

    QUESTION: 70

    A network engineer has enabled USIP and USNIP and set a unique IP address asthe source IP using the proxyIP parameter on an INAT policy. Which is the correctorder of precedence for the IP addresses?

    A. Unique IP-USIP-MIP-ErrorB. USIP-unique IP-USNIP-MIP-ErrorC. USIP-Unique IP-MIP-USNIP-ErrorD. USIP-USNIP-MIP-Unique IP-Error

    Answer: B

    QUESTION: 71Scenario: An engineer configures two NetScaler appliances in a high availability(HA) pair. As part of a monthly health check, the engineer attempts to log on to thesecond node of the HA pair and is unable to access the management IP Address.The engineer logs on to the first NetScaler node and verifies that HA is workingand operational. What does the engineer need to do to resolve this problem?

    A. Create an ACL to allow access to the NSIP of the second node.B. Add a SNIP for the Management IP Address of the second node.C. Ensure that HA Route Monitors have been configured for the second node.D. Change the NSRoot password back to default then log on to the second node.

    Answer: A

    QUESTION: 72

    A public SSL certificate on a virtual server is about to expire and the NetScalerengineer needs to renew the certificate before it expires. Which step must theengineer take to renew the SSL Certificate?

    A. Generate a new CSRB. Recreate the Private KeysC. Execute CRL ManagementD. Update the existing certificate

  • 8/10/2019 Citrix 1Y0-350


    Answer: D

    QUESTION: 73

    An environment network has:High bandwidthLow packet lossHigh Round-Trip Time (RTT)Which TCP profile should an engineer configure for the environment described?

    A. Nstcp_default_profileB. Nstcp_default_tcp_lfpC. Nstcp_default_tcp_lnpD. Nstcp_default_tcp_lan

    Answer: B

    QUESTION: 74Scenario: A network engineer needs to provide web server administrators withaccess to monitoring and reporting after changing the default root password duringthe initial setup of the NetScaler. The engineer needs to ensure that the web serveradministrators can perform this task. What should the engineer do in order to

    ensure that the administrators are able to log on to the NetScaler?

    A. Create a group.B. Create user accounts.C. Create an authorization policy.D. Create an authentication policy.

    Answer: B

    QUESTION: 75Scenario: An engineer has configured a virtual server that users access using HTTP

    port 80. The web application also uses TCP port 81 and 8080 for non-user access.The engineer would like to prevent users from connecting to web servers if any ofthe ports go down. How should the engineer set this configuration to ensure serviceavailability?

    A. Increase the monitor threshold.B. Lower the server timeout value.

  • 8/10/2019 Citrix 1Y0-350


  • 8/10/2019 Citrix 1Y0-350


  • 8/10/2019 Citrix 1Y0-350


    D. Disable the Health monitoring option for the service group

    Answer: B

    QUESTION: 82Scenario: A network engineer suspects that there is a duplex mismatch in thenetwork configuration. The NSIP address is How can theadministrator verify the configuration in this scenario?

    A. Run the 'netstat -r' command.B. Run the show IP command.C. Run the start nstrace -level 10 command.D. Check for the interface configuration in the GUI.

    Answer: D

    QUESTION: 83Scenario: Primary NetScaler (NS1) is licensed for 10000 Maximum ICA users and305 Access Gateway users. Secondary NetScaler (NS2) is licensed for 10000Maximum ICA users and five Access Gateway users. From where and which

    command should a network engineer run to display diagnostics on the licenses?

    A. From the shell, run 'view license'.B. From the shell, run 'more /var/log/license.log'.C. From the command-line interface, run 'show license'.D. From the command-line interface, run 'cat /var/log/license.log'.

    Answer: B

    QUESTION: 84NSROOT is the only account configured with super user rights. In order to initiatethe password recovery procedure, the engineer mustcorrect option to complete the sentence.)

    A. logon using SCP and modify ns.confB. connect to the physical NetScaler deviceC. connect using SSH to the NetScaler deviceD. logon using nsrecover/nsroot and reallocate licenses

    . (Choose the

  • 8/10/2019 Citrix 1Y0-350


    Answer: B

    QUESTION: 85

    A network engineer should use a HTTP-ECV monitor type to control the status of aload balanced web server resource whento complete the sentence.)

    . (Choose the correct option

    A. checking for multiple HTTP response codesB. wanting to use a customized HTTP RequestC. checking for a specific pattern in the HTTP Response bodyD. checking for a specific pattern in the HTTP Response header

    Answer: C

    QUESTION: 86Scenario: A network engineer has installed a NetScaler system into their corporateDMZ and would like to provide access to a web server on the internal LAN. Theweb server will be accessed by external users through the NetScaler. The firewalladministrator has opened the relevant ports required on the external and the internal

    firewall. The engineer notices that the virtual server and services representing theweb server are down and the internal web server does NOT appear accessible fromthe NetScaler. What could be the cause of this?

    A. USIP is not enabled.B. Client IP Insertion is not enabled.C. A URL rewrite policy is not created.D. A SNIP address has not been added.

    Answer: C

    QUESTION: 87Scenario: A network engineer has configured an HTTP application to be load

    balanced using a virtual server named Svr1. Users have reported intermittent errorsand the engineer has been given the client IP address of an affected user and askedto determine which back end service they are connected to. Using the command-line interface, how could the engineer find this information?

  • 8/10/2019 Citrix 1Y0-350


    A. Show lb vServer Svr1B. Show system sessionC. Show lb vServer Svr1 -SummaryD. Show lb persistentSessions Svr1

    Answer: D

    QUESTION: 88A network engineer is troubleshooting a situation where ARP requests for IPs inother subnets (for example are appearing in the Which command could the engineer run on the NetScaler to verify IP toVLAN bindings?

    A. show ip B.netstat -r arp vlan

    Answer: D

    QUESTION: 89Scenario: An engineer needs to configure a monitor to ensure that each server istested every 10 seconds and requires that the server pass the test four consecutivetimes before marking a server as UP. If the test fails, the server should be markedas down for 60 seconds. To configure the monitor, the engineer should configurean interval of 10 seconds, down- time of 60 seconds; as 4; and retries

    as . (Choose the correct set of options to complete the sentence.)

    A. failure retries; 1B. failure retries; 4

    C. success retries; 1D. success retries; 4

    Answer: C

    QUESTION: 90An engineer has configured a DNS virtual server on a NetScaler appliance but themonitors are showing DOWN and DNS resolution is failing. Which of thefollowing should the engineer check?

  • 8/10/2019 Citrix 1Y0-350


    A. Port 53 between the VIP address and the DNS servers is allowedB. That a ADNS_TCP service has been configured on the NetScaler

    C. That the load balancing feature has been enabled on the NetScalerD. Port 53 between the NSIP address and the DNS servers is allowedE. Port 53 between the SNIP address and the DNS servers is allowed

    Answer: E

    QUESTION: 91A network engineer should use the Advanced tab when configuring load balancingto enable . (Choose the correct option to answer the question.)

    A. SSL offloadingB. Integrated cachingC. EdgeSight MonitoringD. Direct Server Return Mode

    Answer: D

    QUESTION: 92Scenario: A network engineer has created and bound an UDP-ECV monitor toidentify the status of a UDP service. However, no matter what the response is, theservice is always marked as UP. A possible cause of this behavior is that thenetwork engineersentence.)

    . (Choose the correct option to complete the

    A. forgot to add a receive stringB. added the string ns_true as receive string

    C. added a string that is invalid and thus skippedD. added a string that is always part of the UDP handshake

    Answer: A

    QUESTION: 93A network engineer wants to collect performance statistics regarding the traffic

    between different points in the connection, specifically from client-to-NetScaler

  • 8/10/2019 Citrix 1Y0-350


    and from NetScaler to back-end server, and be able to present this to differentanalysis tools. Which feature on the NetScaler could the engineer use for this?

    A. SyslogB. nstraceC. AppFlowD. nsconmsg

    Answer: C

    QUESTION: 94A network engineer has been tasked with identifying the cause of intermittentnetwork connectivity issues. Which command should the engineer use to generatethe necessary network information required to diagnose the connectivity issues?

    A. nslog B.nstrace C.nsumonD. nsconmsg

    Answer: B

    QUESTION: 95A network engineer is testing a new load balancing virtual server "test" that has theservice group "test-grp" bound to it. Which command could the engineer run toshow connection details for the new virtual server?

    A. show serverB. show services

    C. show servicegroupsD. show connectiontable

    Answer: D

    QUESTION: 96An network engineer is asked to perform an export of the captured trace outputfiles as requested by Citrix Tech support. In which directory could the engineerretrieve the captured log files in the NetScaler system?

  • 8/10/2019 Citrix 1Y0-350


    A. /var/logB. /var/nstrace C.

    /netscaler/log D./nsconfig/trace

    Answer: B

    QUESTION: 97A network engineer is trying to read a nstrace from the NetScaler but can only seeencrypted traffic. Which file is required to decrypt the network trace?

    A. The server certificateB. The servers root certificateC. The private key for the server certificateD. The private key for the server root certificate

    Answer: C

    QUESTION: 98Scenario: A network engineer has bound four policies to a virtual server as follows:PolicyA has a priority of 10PolicyB has a priority of 20PolicyC has a priority of 30PolicyD has a priority of 0Which policy will be evaluated first?

    A. PolicyAB. PolicyB

    C. PolicyCD. PolicyD

    Answer: D

    QUESTION: 99A client is trying to reach a back-end server with an IP address of the following routing table: Which route would the NetScaler use for thisclient?

  • 8/10/2019 Citrix 1Y0-350


  • 8/10/2019 Citrix 1Y0-350


    B. 302 Found pagesC. 401 UnauthorizedD. 404 Not found pagesE. 500 Internal server error

    Answer: B, D

    QUESTION: 103What are two ways in which the NetScaler TCP buffering feature improvesapplication performance? (Choose two.)

    A. Buffers the client requestB. Buffers the server responseC. Forwards the response to the client at the speed of the client networkD. Forwards the request to the server at the speed of the server network

    Answer: B, C

    QUESTION: 104Scenario: A network engineer deployed a new NetScaler MPX appliance on the

    network and all interfaces are connected to the core switch. The network engineernotices the CPU utilization has become very high on the switch since the NetScalerdeployment. Which two actions could the engineer perform on the NetScaler toresolve this issue? (Choose two.)

    A. Configure VMACB. Utilize static routingC. Configure a channelD. Connect a single interface only

    Answer: C, D

    QUESTION: 105Scenario: A network engineer has created an SSL offload virtual server. The virtualserver shows as a DOWN state. Which two scenarios could cause the virtual servershowing as DOWN? (Choose two.)

    A. Persistence is set to NONE.

  • 8/10/2019 Citrix 1Y0-350


  • 8/10/2019 Citrix 1Y0-350


    B. Run telnet using the -srcip option.C. Bind a DNS monitor to a service group containing the web server.D. Bind a HTTP monitor to a service group containing the web server.E. Run the ping command between the NetScaler and the web server.

    Answer: B, D

    QUESTION: 109A network engineer wants to hide the IP address of the outgoing packets bychanging it to the IP of the VIP. Which feature should the administrator use?

    A. ACLB. PBRC. RNATD. Rewrite

    Answer: C

    QUESTION: 110During a recent security penetration test, several ports on the management address

    were identified as providing unsecured services. Which two methods could thenetwork engineer use to restrict these services? (Choose two.)

    A. Configure Auditing policies.B. Create Content Filtering policies.C. Create Access Control Lists (ACLs).D. Configure options on the Management IP addresses.

    Answer: C, D

    QUESTION: 111An engineer should use the filter (content filtering) feature to prevent

    and . (Choose the two correct options to complete the sentence.)

    A. the use of unauthorized HTTP methodsB. a client from accessing a specific IP on the back-endC. inappropriate HTTP headers from being sent to your Web serverD. inappropriate MSSQL commands from being sent to your SQL server

  • 8/10/2019 Citrix 1Y0-350


    E. a client from a specific VLAN ID to access resources on the NetScaler

    Answer: A, C

    QUESTION: 112Scenario: A network engineer needs to implement high availability (HA) for a pairof NetScaler appliances. The existing appliance was recently restarted and the newappliance has been rack mounted and turned on for several weeks waiting to beconfigured. The engineer needs to create an HA pair, but is concerned that hisoriginal appliance will get erased when the HA pair is created. Which two taskscould the engineer do before the creation of the HA pair to ensure that the exitingunit stays the main appliance? (Choose two.)

    A. Set StayPrimary on the existing node.B. Configure StaySecondary on the new node.C. Enable HA Sync before adding the second node.D. Create a Route Monitor to ensure proper synchronization.E. Ensure that INC mode is enabled during creation of HA Pair.

    Answer: A, B

    QUESTION: 113Scenario: A network engineer plans to configure an Active Directory Server as thedefault authentication for a NetScaler deployment and provide users with theoption to change their password if it is expired. Which two actions should theengineer take to configure this authentication requirement on the NetScalersystem? (Choose two.)

    A. Configure a pre-authentication policy.B. Select security type as SSL on Authentication policy.

    C. Configure Authentication server with SSO name attribute.D. Configure Authentication server with allow password change option.

    Answer: B, D

    QUESTION: 114Which two parameters in the TCP buffering settings can be controlled by anetwork engineer? (Choose two.)

  • 8/10/2019 Citrix 1Y0-350


    A. buffering sizeB. source IP rangeC. destination IP range

    D. memory size for buffering

    Answer: A, D

    QUESTION: 115Scenario: A NetScaler engineer has received an SSL certificate and bound it to thevServer. However, users are unable to browse to the website using HTTPS. Whenthe NetScaler engineer browses to the site using HTTPS, the engineer notices thatthe certificate chain is incomplete. Which two steps should the administrator taketo fix the virtual server? (Choose two.)

    A. Generate a new CSR.B. Install a new Certificate Authority (CA).C. Install the Intermediate Certificate from the CA.D. Link the Intermediate Certificate to the virtual server.E. Link the SSL Certificate to the Intermediate Certificate.

    Answer: C, E

    QUESTION: 116The network engineer is investigating issues and suspects that one of theadministrators recently changed the NetScaler configuration. Which commandcould the engineer run to check the logs that will contain such details?

    A. nsconmsg -K newnslog -d statsB. nsconmsg -K newnslog -d stats -d current

    C. nsconmsg -K /var/nslog/newnslog -d eventD. nsconmsg -K /var/nslog/newnslog -d consmsg

    Answer: C

    QUESTION: 117A network engineer has enabled BGP routing. Which two additional featuresshould the network engineer enable for BGP routing to function? (Choose two.)

  • 8/10/2019 Citrix 1Y0-350


    A. Layer 2 modeB. Layer 3 modeC. Dynamic routing

    D. MAC based forwarding

    Answer: B, C

    QUESTION: 118Which two compression actions could a NetScaler engineer use? (Choose two.)

    A. bzip2B. deflateC. compressD. pack200-gzip

    Answer: B, C

    QUESTION: 119Scenario: The NetScaler has been connected to two external networks provided by

    different Internet Service Providers (ISPs). Dynamic routing is not enabled. Trafficis expected to use the first ISP (through the router) if possible and thesecond, slower ISP (through the router) only if the Primary ISP fails.Which two commands could the network engineer execute to configure the routes?(Choose two.)

    A. add route -cost 10 -monitor arpB. add route -cost 5 -monitor PINGC. add route -cost 15 -msr ENABLEDD. add route -cost 3 -monitor PING-DEFAULT

    Answer: A, B

    QUESTION: 120When configuring an advanced HTTP callout based on attributes, what are twovalid parameters? (Choose two.)

    A. SSL cipher type

  • 8/10/2019 Citrix 1Y0-350


    B. Down state flushC. Gateway addressD. IP address and portE. URL stem expression

    Answer: D, E

    QUESTION: 121Scenario: A network engineer configured a new NetScaler MPX appliance withoutany VLANs and with a single interface connected to the network. The engineer hasnot completed any other configurations. The interface is then accidentally disabledand contact is lost with the appliance. Which two actions can the network engineertake to restore communications to the appliance? (Choose two.)

    A. Connect to the SNIP instead of the NSIP.B. Connect another of the unused interfaces.C. Use the serial port to connect and then bring the disabled interface online.D. Connect a crossover cable to the port that has been disabled and connect to the


    Answer: B, C

    QUESTION: 122A security test has been completed on an SSL offload implementation and it has

    been determined that the certificate key length is too short and must be increased.Which two steps must the network engineer complete to resolve this? (Choosetwo.)

    A. Bind the certificate to an SSL service group.B. Bind the certificate to an SSL Offload virtual server.

    C. Add a new SSL policy to the SSL offload virtual server.D. Use the Client certificate wizard to generate a CSR, request a certificate andimport.E. Use the Server certificate wizard to generate a CSR, request a certificate andimport.

    Answer: B, E

    QUESTION: 123

  • 8/10/2019 Citrix 1Y0-350


    When binding a certificate to a virtual server, which two certificate formats aresupported by NetScaler? (Choose two.)


    Answer: C, D

    QUESTION: 124When configuring NetScaler authentication to access a web site, which two thingsshould a network engineer verify in the environment? (Choose two.)

    A. AAA is enabled.B. One DNS server exists.C. A Keytab file is available.D. An authentication virtual server exists.E. A traffic management virtual server exists.

    Answer: A, D

    QUESTION: 125A NetScaler engineer generates a techsupport archive to be sent to TechnicalSupport. Which three of the following pieces of information will be included in thearchive file? (Choose three.)

    A. Model NumberB. SSL Private Keys

    C. Old Configuration Files D.Hardware Boot sequence E.Webpage Customizations F.Certificate Revocation List

    Answer: A, C, D

    QUESTION: 126

  • 8/10/2019 Citrix 1Y0-350