Skip to content

Introduction to ESS Pro

What is the difference between ESS Pro and ESS Classic?

Currently there are two generations of the Element Server Suite, ESS Pro and ESS Classic. ESS Pro refers to the new stack that is fully based on Helm charts while ESS Classic refers to the operator-based stack that is delivered with an installer tool and a web-based installer GUI.

At this point, both stacks are supported and receive regular updates. It is recommended to base new deployments off ESS Pro.

Find more detailed information about each generation in their dedicated documentation sections.

Element Server Suite Pro (ESS Pro) is the commercial Matrix distribution from Element for professional use. It is based on ESS Community and includes additional features and services that are tailored to professional environments with more than 100 users up to massive scale in the millions.

ESS Pro is designed to support enterprise requirements in terms of advanced IAM, compliance, scalability, high availability and multi-tenancy. ESS Pro makes use of Synapse Pro to provide infrastructure cost savings with unmatched stability and user experience under high load. It uses Element’s Secure Border Gateway (SBG) as an application layer firewall to manage federation and to ensure that deployments stay compliant at any time. ESS Pro includes L3 support, Long-term Support (LTS), Advanced Security Advisory and prepares customers for the Cyber Resilience Act (CRA).

This documentation provides all the information needed for Element customers to get started and run ESS Pro professionally.

Editions

There are three editions of Element Server Suite:

  • ESS Community is a cutting-edge Matrix distribution including all the latest features of the Matrix server Synapse and other components. It is freely available under the AGPLv3 license and tailored to small-/mid-scale, non-commercial community use cases. It's designed to easily and quickly set up a Matrix deployment. It comprises the basic components needed to get you running and is a great way to get started.
  • ESS Pro is the commercial Matrix distribution from Element for professional use (see above) which is described in this documentation.
  • ESS TI-M is a special version of ESS Pro focused on the requirements of TI-Messenger Pro and ePA as specified by the German National Digital Health Agency Gematik. It complies with a specific Matrix version and does not make use of experimental features.

Deploying

ESS Pro comes as a Helm chart and can be deployed using any Kubernetes distribution. It requires an existing Kubernetes cluster and can be operated on the public internet as well as in air-gapped scenarios.

See the full step-by-step deployment guide for ESS Pro using K3s.

Architecture

The diagram below provides an overview of the ESS Pro deployment architecture and the interplay of the individual components.

ESS Pro Architecture diagram

Components

Most of the components in ESS Pro get deployed by default (bolded) but some of them require additional configuration first. Any component can be enabled/disabled as desired.

  • Synapse Pro
  • Matrix Authentication Service (MAS)
  • Dex (for LDAP support)
  • Element Web
  • Element Call / Matrix RTC
  • Advanced Identity Management (AIM, formerly Group Sync)
  • Secure Border Gateway (SBG)
  • Sygnal (Push Gateway)
  • PostgreSQL database
  • .well-known delegation

Synapse Pro

Purpose

  • The Matrix server that provides client-to-server and server-to-server APIs
  • Consists of Synapse and additional Pro components that improve performance, scalability and stability

Deployment recommendations

  • Enabled and deployed by default
  • Should only be disabled if there is an external Synapse deployment to be used instead
  • Works out-of-the-box with default configuration. For advanced configuration, see the below guide
  • Deployment and configuration guide
  • Documentation

Matrix Authentication Service (MAS)

Purpose

  • Authentication server for Matrix using the OpenID Connect / OAuth 2.0 standard
  • Provides local user management capabilities
  • Allows integration of external IDM systems

Deployment recommendations

Dex (for LDAP support)

Purpose

  • Lightweight Identity Provider supporting various protocols
  • Only used for LDAP support with MAS

Deployment Recommendations

Element Web

Purpose

  • The browser-based Matrix client from Element

Deployment Recommendations

Element Call / Matrix RTC

Purpose

  • Backend to support Element Call in-app calling
  • Includes an SFU (selective forwarding unit)

Deployment Recommendations

Advanced Identity Management (AIM, formerly Group Sync)

Purpose

  • Integration and automation between external Identity Management (IDM) systems and the Matrix backend
  • Supports LDAP and SCIM
  • Features
    • Synchronize user attributes (e.g., display name, email address, etc.) with external IDM systems
    • User lifecycle management (automated user deprovisioning)
    • Mirror organizational structures to Matrix rooms and Spaces
      • Automated room memberships based on user attributes in external IDM systems (e.g., group memberships)
      • Automated room permission management based on user attributes in external IDM systems

Deployment Recommendations

Secure Border Gateway (SBG)

Purpose

  • SBG is an application-level firewall to inspect incoming and outgoing traffic to/from the Matrix server
  • SBG can be applied to both the Client-Server API (Matrix clients) and the Server-Server API (federated Matrix servers)
  • Features
    • Closed federation enforcement by using an allow-/deny-list of Matrix server domains
    • Messenger Proxy feature set for TI-Messenger in German healthcare

Deployment Recommendations

  • Disabled by default as enabling it requires additional configuration
  • Should be configured and enabled if federation controls or other features are desired
  • Deployment and configuration guide upcoming

Sygnal (Push Gateway)

Purpose

  • Push Gateway for mobile apps
  • Sends push notifications triggered by the Matrix server to Apple / Google push infrastructure
  • Supports the Apple Push Notification Service (APNS) and Google/Firebase Cloud Messaging (GCM/FCM)

Deployment Recommendations

  • Disabled by default as enabling it requires additional configuration
  • Element mobile apps by default rely on a cloud-hosted push gateway from Element which can just be used
  • Should only be configured and enabled if
    • a customer has their own/custom apps
    • a customer's networking configuration doesn't allow access to the cloud-hosted push gateway from Element
    • full sovereignty over push notifications is required
  • Deployment and configuration guide upcoming

PostgreSQL database

Purpose

  • Default database for the Matrix server (Synapse) and other components
  • Provided for quick and easy deployment

Deployment Recommendations

.well-known delegation

Purpose

  • A simple web server hosting .well-known files for service discovery
  • This is required for enabling federation and is needed for certain client features like Element Call

Deployment Recommendations

  • Enabled and deployed by default
  • Should not be changed unless the well-known files are hosted externally