Unattended system updates

Making small updates to projects is inescapable.  

No matter how tight the original scope was, clients will want to make changes after the project is completed.  These may be small functional changes ("I would like to be able to do XYZ") or changes to equipment (I know some end-users who change TVs and even AVRs seemingly annually).

Sometimes we need to make firmware updates.  We're not prone to updating firmware just because there's new firmware (if it ain't broke and all that).  However, if new firmware adds a feature we need, fixes an issue we are having on that specific site or improves security, then we will do so.

Most of these changes do not need us to attend site and I try to insist that my dealers set up a way for me to access the Crestron systems remotely once we've finished.

If we cannot access systems remotely, then we have to attend site, which is problematic in terms of scheduling time and so on. Often small changes take days, if not a week or more, to get a mutually convenient appointment and make the uploads.  

So, in most circumstances, we have remote access to systems.

There are a number of ways to achieve this:

  • Port forwarding - if you are an experienced integrator, you should know why this should not be the approach you use.  

    If you are not familiar with the reasons why not - head to shodan.io and type 'crestron' in the search box.  All those results? Those are Crestron processors that have their ports exposed to the web.  Anyone can go into those systems and cause any amount of mischief.

    Trust me. Port forwarding (alone) is not the right solution to the issue.
  • VPN - this is the most common method I use to get into systems.  It's got a good level of security built-in (if you use the right kind of VPN and security).  Essentially, it becomes as if I were present in the property and I was on the same network (I am on the same network, just from outside the property).  

    VPNs are super useful, but can be subject to any issues with internet speed.  For different reasons, clients in Central London are just as likely to have poor internet speed as those in remote countryside.  

    There are some challenges if the internet speed is not up to scratch and some real-time diagnostics can be a bit hit and miss.  Certain devices that need firmware updating a certain way are not something I would risk over most VPN connections for fear of it dropping out.

    VPNs are cheap and easy to set up (hence, they are the most common access we have).
  • Domotz (and the like) - these sort of network overwatch devices have become increasingly common and more and more dealers are installing them as part of their support package.  

    With them, we can create custom tunnels temporarily to Crestron devices and access them.

    Whilst useful, it can be a little cumbersome especially when dealing with sites with many processors (I have a number of projects out there with 10 or more Crestron processors on).

    They are possibly slightly less secure than other options, though they do what they can very well: the tunnel is only ever opened for 60 minutes (and I always delete it the second I am done) and is only accessible from the LAN it was created from (which most of the time means it is just me on that LAN).
  • Remote PC - larger sites in particular often benefit from having a dedicated PC on-site running TeamViewer or similar (I use TeamViewer; it is worth EVERY penny to buy their license).  

    These PCs are usually something like an Intel NUC or other micro PC.  They don't need a huge amount of power or storage (I would usually specify something like a mid-range i5 and 8GB of memory).  One of the key factors is choosing a PC that will power on automatically in case of power failure etc. (NUCs are good at this.  About to start testing with the slightly cheaper Dell 3050 Micro PC.)

    The PC will have all the usual Crestron software tools loaded on and because that PC is on the network, any real-time diagnostics or flakey firmware uploads are not an issue at all.

    Can be a bit of a pain keeping everything synced up and software up to date once you have a number of PCs out there, but overall, a good solution.

And now there is another option, which we are rolling out on most of our new projects.

Crestron have developed some tools to allow us to configure processors (and touchscreens etc.) to connect to a secure (important!) file-server (that we maintain and manage) on a regular basis (see below) and if we have put any new files on that server for that project, the processor will download the files and install them.

Auto-update allows us to do completely unattended software (and firmware) updates with absolutely minimal disruption to the homeowner.

Systems can be set up to check for new files every hour, every day (usually in the middle of the night) or on demand (so we can minimise any concerns the user might have and make it so they have to press the 'update now' button to action the updates).

Typically, we would see the once a day check as fine.  We can make any changes required, upload them to the secure file-server and let the client know that the updates will be live when they wake up the next day.

We have been testing our server and auto-update for some time now. We have several live client systems now and have been so pleased with the results.

Of course we had our own concerns when we first started testing the unattended updates.  We had lots of 'what if it goes wrong?' questions, particularly when it comes to firmware updates.  However, we've been delighted with it all.  Not a single issue with firmware and software updates.  

It does take some management and diligence to ensure the correct files are uploaded to the server; but that is no different to the diligence required when live updating.
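One way to make that diligence checkable before anything reaches the update server, as an added example (not from the original post and not a Crestron tool): compare a project's staging folder against a signed-off list of SHA-256 digests and refuse to publish on any difference. The `sha256sum`-style manifest, the staging-folder layout and the sample file names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_staging(staging: Path, manifest_text: str) -> dict:
    """Compare a staging folder with 'sha256sum'-style manifest lines."""
    expected = {}
    for line in manifest_text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            expected[name.strip()] = digest.lower()
    present = {p.relative_to(staging).as_posix(): p
               for p in staging.rglob("*") if p.is_file()}
    report = {"ok": [], "mismatch": [], "missing": []}
    for name, digest in expected.items():
        if name not in present:
            report["missing"].append(name)      # signed off but never staged
        elif sha256_file(present[name]) != digest:
            report["mismatch"].append(name)     # staged build is not the tested one
        else:
            report["ok"].append(name)
    # Anything not on the manifest (e.g. another site's file) also blocks publishing.
    report["unexpected"] = sorted(set(present) - set(expected))
    report["publish"] = not (report["mismatch"] or report["missing"]
                             or report["unexpected"])
    return report


def demo() -> dict:
    # Constructed sample: file names and contents are made up for illustration.
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()
    manifest = "\n".join([f"{digest(b'program v2')}  site-a.lpz",
                          f"{digest(b'panel v2')}  panel.vtz",
                          f"{digest(b'firmware')}  firmware.puf"])
    with tempfile.TemporaryDirectory() as d:
        staging = Path(d)
        (staging / "site-a.lpz").write_bytes(b"program v2")
        (staging / "panel.vtz").write_bytes(b"older panel build")
        (staging / "other-site.lpz").write_bytes(b"stray file")
        return check_staging(staging, manifest)


if __name__ == "__main__":
    print(demo())
```

Because processors install whatever they find on their next check, the upload step should only run when `publish` is true.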

The auto-update option does not replace the above methods; it is just another offering in our support and maintenance options.  It cannot, for instance, help us with any live diagnostics; but it does make deployment of updates and firmware updates much more efficient as we're able to deal with just one central repository on our secure server rather than having to deal with dozens of VPNs etc.

We're really excited by this tool and will now be activating it on all of our deployments going forwards.  It sits well with a forthcoming service offering we have for clients (blog post on that coming soon!).