Introduction to ESS Pro

What is the difference between ESS Pro and ESS Classic?

Currently there are two generations of the Element Server Suite, ESS Pro and ESS Classic. ESS Pro refers to the new stack that is fully based on Helm charts while ESS Classic refers to the operator-based stack that is delivered with an installer tool and a web-based installer GUI.

At this point, both stacks are supported and receive regular updates. It is recommended to base new deployments off ESS Pro.

Find more detailed information about each generation in their dedicated documentation sections.

Element Server Suite Pro (ESS Pro) is the commercial Matrix distribution from Element for professional use. It is based on ESS Community and includes additional features and services that are tailored to professional environments with more than 100 users up to massive scale in the millions.

ESS Pro is designed to support enterprise requirements in terms of advanced IAM, compliance, scalability, high availability and multi-tenancy. ESS Pro makes use of Synapse Pro to provide infrastructure cost savings with unmatched stability and user experience under high load. It uses Element’s Secure Border Gateway (SBG) as an application layer firewall to manage federation and to ensure that deployments stay compliant at any time. ESS Pro includes L3 support, Long-term Support (LTS), Advanced Security Advisory and prepares customers for the Cyber Resilience Act (CRA).

Additional capabilities with ESS Pro

Find below an overview of the most important additional product capabilities for professional use with ESS Pro.

Synapse Pro
- Resource and operational cost savings (up to 90% compared to Community, depending on usage patterns)
  - Multi-tenancy (for running many small hosts)
  - More efficient and cloud-native Synapse subsystems (for running individual large hosts)
- Dynamic and automatic scaling with adaptation to actual load (horizontal and vertical)
- In-cluster high availability (HA)
- Improved end-user experience due to better stability under load
Application-level firewall with federation controls and more (Secure Border Gateway)
User lifecycle management and group access control via LDAP/SCIM (Advanced Identity Management)
Malware scanning of media attachments (Content Scanner)
Room auditing capabilities (AuditBot)
Room moderation and central control (AdminBot)
LDAP and SSO support for user authentication
S3 support for media storage
Distroless/minimal images of all relevant core components

A full comparison between the editions can be found here. See below for more details.

This documentation provides all the information needed for Element customers to get started and run ESS Pro professionally.

Editions

There are three editions of Element Server Suite:

ESS Community is a cutting-edge Matrix distribution including all the latest features of the Matrix server Synapse and other components. It is freely available under the AGPLv3 license and tailored to small-/mid-scale, non-commercial community use cases. It's designed to easily and quickly set up a Matrix deployment. It comprises the basic components needed to get you running and is a great way to get started.
ESS Pro is the commercial Matrix distribution from Element for professional use (see above) which is described in this documentation.
ESS TI-M is a special version of ESS Pro focused on the requirements of TI-Messenger Pro and ePA as specified by the German National Digital Health Agency Gematik. It complies with a specific Matrix version and does not make use of experimental features.

Deploying

ESS Pro comes as a Helm chart and can be deployed using any Kubernetes distribution. It requires an existing Kubernetes cluster and can be operated on the public internet as well as in air-gapped scenarios.

See the full step-by-step deployment guide for ESS Pro using K3s.

Architecture

The diagram below provides an overview of the ESS Pro deployment architecture and the interplay of the individual components.

Components

Most of the components in ESS Pro get deployed by default (bolded) but some of them require additional configuration first. Any component can be enabled/disabled as desired.

Synapse Pro
Matrix Authentication Service (MAS)
Element Admin
Dex (for LDAP support)
Element Web
Element Call / Matrix RTC
Advanced Identity and Access Management (Advanced IAM, formerly Group Sync)
Secure Border Gateway (SBG)
Sygnal (Push Gateway)
PostgreSQL database
.well-known delegation

Synapse Pro

Purpose

The Matrix server that provides client-to-server and server-to-server APIs
Consists of Synapse and additional Pro components that improve performance, scalability and stability

Deployment recommendations

Enabled and deployed by default
Should only be disabled if there is an external Synapse deployment to be used instead
Works out-of-the-box with default configuration. For advanced configuration, see the below guide
Deployment and configuration guide
Documentation

Matrix Authentication Service (MAS)

Purpose

Authentication server for Matrix using the OpenID Connect / OAuth 2.0 standard
Provides local user management capabilities
Allows integration of external IDM systems

Deployment recommendations

Enabled and deployed by default
Should only be disabled on initial installation if Matrix legacy authentication is required
- Can’t be disabled after being enabled
- Migration from Synapse legacy authentication is possible using the chart
Works out-of-the-box with default configuration. For advanced configuration, see the below guide
Deployment and configuration guide
Authentication configuration guide (LDAP / OIDC)
Documentation

Element Admin

Purpose

Admin console for ESS deployments
Can be used to manage local users (if no LDAP or OIDC IdP is in use), rooms and more

Deployment Recommendations

Enabled and deployed by default
Should only be disabled if a browser-based admin console is not desired

Dex (for LDAP support)

Purpose

Lightweight Identity Provider supporting various protocols
Only used for LDAP support with MAS

Deployment Recommendations

Automatically enabled if LDAP authentication is configured in a Matrix Authentication Service enabled install
Authentication configuration guide (LDAP / OIDC)

Element Web

Purpose

The browser-based Matrix client from Element

Deployment Recommendations

Enabled and deployed by default
Should only be disabled if a browser-based client is not desired
Deployment and configuration guide

Element Call / Matrix RTC

Purpose

Backend to support Element Call in-app calling
Includes an SFU (selective forwarding unit)

Deployment Recommendations

Enabled and deployed by default
Should only be disabled if in-app calling functionality is not desired
Deployment and configuration guide
Documentation

Advanced Identity and Access Management (Advanced IAM, formerly Group Sync)

Purpose

Integration and automation between external Identity and Access Management (IAM) systems and the Matrix backend
Supports LDAP and SCIM
Features
- Synchronize user attributes (e.g., display name, email address, etc.) with external IDM systems
- User lifecycle management (automated user deprovisioning)
- Group Access Control (ability to control room memberships based on LDAP/IdP attributes)
- Mirror organizational structures to Matrix rooms and Spaces
  - Automated room memberships based on user attributes in external IDM systems (e.g., group memberships)
  - Automated room permission management based on user attributes in external IDM systems

Deployment Recommendations

Disabled by default as enabling it requires additional configuration
For organizations with external IDM (LDAP or OIDC IdP), it is highly recommended to configure and enable AIM
Deployment and configuration guide
Documentation

Secure Border Gateway (SBG)

Purpose

SBG is an application-level firewall to inspect incoming and outgoing traffic to/from the Matrix server
SBG can be applied to both the Client-Server API (Matrix clients) and the Server-Server API (federated Matrix servers)
Features
- Closed federation enforcement by using an allow-/deny-list of Matrix server domains
- Messenger Proxy feature set for TI-Messenger in German healthcare

Deployment Recommendations

Disabled by default as enabling it requires additional configuration
Should be configured and enabled if federation controls or other features are desired
Deployment and configuration guide upcoming

Sygnal (Push Gateway)

Purpose

Push Gateway for mobile apps
Sends push notifications triggered by the Matrix server to Apple / Google push infrastructure
Supports the Apple Push Notification Service (APNS) and Google/Firebase Cloud Messaging (GCM/FCM)
Requires an Element Sovereign subscription

Deployment Recommendations

Disabled by default as enabling it requires additional configuration
Element mobile apps by default rely on a cloud-hosted push gateway from Element which can just be used
Should only be configured and enabled if
- a customer has their own/custom apps
- a customer's networking configuration doesn't allow access to the cloud-hosted push gateway from Element
- full sovereignty over push notifications is required
Deployment and configuration guide upcoming

PostgreSQL database

Purpose

Default database for the Matrix server (Synapse) and other components
Provided for quick and easy deployment
Not supported by Element

Deployment Recommendations

Enabled and deployed by default
Should be replaced by an external database cluster for production environments as the integrated database doesn't come with optimizations for production use and is not supported by Element
Deployment and configuration guide for using Synapse with an external database

.well-known delegation

Purpose

A simple web server hosting .well-known files for service discovery
This is required for enabling federation and is needed for certain client features like Element Call

Deployment Recommendations

Enabled and deployed by default
Should not be changed unless the well-known files are hosted externally