Survivable Branch Appliances are pretty common devices in multi-site companies that need local breakout for calls, or need the ability to make calls when the connection to the Front End pool of Skype for Business servers is unavailable (WAN outage, etc).

When patching these, this question comes up at least every 3 months:
“I’ve applied all the Windows Updates that Sonus say my SBA needs, however it’s still showing as needing updates in WSUS”
Or
“We’ve had a vulnerability scan and loads of updates are missing from all of our SBAs”
So what gives?
This comes down to past decisions by Microsoft and Sonus…

In the dim and distant past, Microsoft used to release multiple updates every Patch Tuesday. You could choose whether you wanted to install update X for GDI+ but not update Y for TrueType fonts. That meant that other software companies could say:
“Yeah – we found an issue with Contoso Magic Application and KB938464, so if you want to use our software to do your business critical function, don’t install that update…
…honest – we’ll release an update to fix this in our application at some point”

And you, as an administrator, would be told by the business that you can’t install that update, as they need Contoso Magic Application to just work.
So how does this relate to SBAs?

Each month Sonus looked at the updates available, and then at the profile of the SBA with the Sonus hardened config on it, and said:

“okay, so updates X and Y we need, but update Z is for a part of Windows that is not exposed to the network with our hardening, so there is no need to install it”

Thus inside the PKG file you download from Sonus is a list of updates that are allowed, and only those get installed.
Then things changed
Microsoft got bored of having to support a Swiss cheese deployment of Windows, so in October 2016 they started to release a single monthly update for the OS. I believe that this is in part to do with a statistic I picked up from Henk van Roest, who stated “30% of support calls to Microsoft are fixed by applying updates that are already available”. You could no longer pick and choose which updates to install: you either installed this month’s updates or you didn’t.

Sonus still release a PKG each month that contains that month’s single update. However, they have not gone back and subsequently authorised the updates that came out prior to October 2016.
Where does this leave you as an Administrator?
The reason for applying updates from the Sonus PKG file is to ensure that the SBA stays in Appliance Mode. Appliance Mode means that the SBA call paths are supported by Sonus. However, you will not be able to install all of the Windows Updates that are offered from WSUS, and thus may fall down on an audit. So, you have a choice:
- Stay in Appliance Mode - only apply PKG files from Sonus
- Apply all updates - keep off those audit reports
The choice is yours!
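Whichever option you pick, the audit conversation goes a lot easier if you can show exactly which "missing" updates are ones Sonus never authorised and which ones are simply a PKG you have not applied yet. The PowerShell below is an added example (it is not from the original post, and it is not Sonus tooling): it takes the KB IDs from the Sonus PKG, the KB IDs WSUS or a vulnerability scanner reports as needed, and what is actually installed on the SBA, and sorts every KB into an action. It assumes the allowed KB IDs have already been extracted from the PKG into a one-KB-per-line text file (the PKG's internal format is not covered here), and every KB number in it is a constructed placeholder, not a real update.

```powershell
# Added example (not from the original post or from Sonus): reconcile an SBA's
# installed updates with the Sonus PKG allow-list and with the list WSUS or a
# vulnerability scanner says is missing, so the audit report can separate
# "apply the PKG" from "expected Appliance Mode gap".
#
# ASSUMPTIONS: the allowed KB IDs were pulled out of the Sonus PKG into a
# one-KB-per-line text file beforehand (the PKG's real format is not covered
# here); the WSUS/scanner list was exported to a text file the same way; all
# KB numbers below are constructed placeholders, not real updates.

function ConvertTo-KbId {
    # Normalise "kb 123", "123" and "KB123" to "KB123" so set comparisons are exact
    param([Parameter(Mandatory)][string] $Value)
    'KB' + (($Value -replace '^\s*kb\s*', '').Trim())
}

function Get-SbaPatchReport {
    param(
        [Parameter(Mandatory)] [string[]] $SonusAllowedKBs,   # from the Sonus PKG
        [Parameter(Mandatory)] [string[]] $WsusNeededKBs,     # from WSUS / scanner
        # Default: what this box says is installed (Win32_QuickFixEngineering view)
        [string[]] $InstalledKBs = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )

    $allowed   = @($SonusAllowedKBs | ForEach-Object { ConvertTo-KbId $_ } | Sort-Object -Unique)
    $needed    = @($WsusNeededKBs   | ForEach-Object { ConvertTo-KbId $_ } | Sort-Object -Unique)
    $installed = @($InstalledKBs    | ForEach-Object { ConvertTo-KbId $_ } | Sort-Object -Unique)

    foreach ($kb in ($allowed + $needed + $installed | Sort-Object -Unique)) {
        $isAllowed   = $allowed   -contains $kb
        $isInstalled = $installed -contains $kb
        $isNeeded    = $needed    -contains $kb

        if ($isInstalled -and $isAllowed) {
            $status = 'Installed'; $action = 'None (Sonus authorised)'
        } elseif ($isInstalled) {
            # Applied outside the PKG: this is what takes the SBA out of Appliance Mode
            $status = 'Installed'; $action = 'Review: not in the Sonus PKG, Appliance Mode support at risk'
        } elseif ($isAllowed) {
            $status = 'Missing';   $action = 'Apply the current Sonus PKG'
        } else {
            # Only WSUS/scanner wants it: the expected gap described in the post
            $status = 'Missing';   $action = 'Not authorised by Sonus: expected Appliance Mode gap, record as audit exception'
        }

        [PSCustomObject]@{
            KB           = $kb
            SonusAllowed = $isAllowed
            WsusNeeded   = $isNeeded
            Installed    = $isInstalled
            Status       = $status
            Action       = $action
        }
    }
}

# --- Constructed sample data (placeholder KB numbers) -------------------------
# On a real SBA you would instead use:
#   $sonusAllowed = Get-Content -Path '.\sonus-pkg-allowed-kbs.txt'
#   $wsusNeeded   = Get-Content -Path '.\wsus-needed-kbs.txt'
#   and leave -InstalledKBs at its default so Get-HotFix is queried.
$sonusAllowed = 'KB9000001', 'KB9000002', 'KB9000003'
$wsusNeeded   = 'KB9000003', 'KB9000010', 'KB9000011'
$installed    = 'KB9000001', 'KB9000002', 'KB9000020'

$report = Get-SbaPatchReport -SonusAllowedKBs $sonusAllowed -WsusNeededKBs $wsusNeeded -InstalledKBs $installed
$report | Format-Table -AutoSize

# Hand the "audit exception" rows to whoever owns the scan findings
$report | Where-Object { $_.Action -like 'Not authorised*' } |
    Export-Csv -Path '.\sba-appliance-mode-exceptions.csv' -NoTypeInformation
```

With the sample data, KB9000003 comes out as "Apply the current Sonus PKG", KB9000010 and KB9000011 as audit exceptions, and KB9000020 as an update somebody applied outside the PKG. One caveat: Get-HotFix only shows the Win32_QuickFixEngineering view of installed updates, so treat the Installed column as a starting point and cross-check against the SBA's update history before you put the report in front of an auditor.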