Introduction to ESS Pro
What is the difference between ESS Pro and ESS Classic?
Currently there are two generations of the Element Server Suite, ESS Pro and ESS Classic. ESS Pro refers to the new stack that is fully based on Helm charts while ESS Classic refers to the operator-based stack that is delivered with an installer tool and a web-based installer GUI.
At this point, both stacks are supported and receive regular updates. It is recommended to base new deployments on ESS Pro.
Find more detailed information about each generation in their dedicated documentation sections.
Element Server Suite Pro (ESS Pro) is the commercial Matrix distribution from Element for professional use. It is based on ESS Community and includes additional features and services tailored to professional environments, from more than 100 users up to massive scale in the millions.
ESS Pro is designed to support enterprise requirements in terms of advanced IAM, compliance, scalability, high availability and multi-tenancy. ESS Pro makes use of Synapse Pro to provide infrastructure cost savings with unmatched stability and user experience under high load. It uses Element’s Secure Border Gateway (SBG) as an application-layer firewall to manage federation and to ensure that deployments stay compliant at all times. ESS Pro includes L3 support, Long-term Support (LTS), Advanced Security Advisory and prepares customers for the Cyber Resilience Act (CRA).
Additional capabilities with ESS Pro
Find below an overview of the most important additional product capabilities for professional use with ESS Pro.
- Synapse Pro
  - Resource and operational cost savings (up to 90% compared to Community, depending on usage patterns)
  - Multi-tenancy (for running many small hosts)
  - More efficient and cloud-native Synapse subsystems (for running individual large hosts)
  - Dynamic and automatic scaling with adaptation to actual load (horizontal and vertical)
  - In-cluster high availability (HA)
  - Improved end-user experience due to better stability under load
- Application-level firewall with federation controls and more (Secure Border Gateway)
- User lifecycle management and group access control via LDAP/SCIM (Advanced Identity Management)
- Malware scanning of media attachments (Content Scanner)
- Room auditing capabilities (AuditBot)
- Room moderation and central control (AdminBot)
- LDAP and SSO support for user authentication
- S3 support for media storage
- Distroless/minimal images of all relevant core components
A full comparison between the editions can be found here. See below for more details.
This documentation provides all the information needed for Element customers to get started and run ESS Pro professionally.
Editions
There are three editions of Element Server Suite:
- ESS Community is a cutting-edge Matrix distribution including all the latest features of the Matrix server Synapse and other components. It is freely available under the AGPLv3 license and tailored to small-/mid-scale, non-commercial community use cases. It's designed to easily and quickly set up a Matrix deployment. It comprises the basic components needed to get you running and is a great way to get started.
- ESS Pro is the commercial Matrix distribution from Element for professional use (see above) which is described in this documentation.
- ESS TI-M is a special version of ESS Pro focused on the requirements of TI-Messenger Pro and ePA as specified by the German National Digital Health Agency Gematik. It complies with a specific Matrix version and does not make use of experimental features.
Deploying
ESS Pro comes as a Helm chart and can be deployed using any Kubernetes distribution. It requires an existing Kubernetes cluster and can be operated on the public internet as well as in air-gapped scenarios.
See the full step-by-step deployment guide for ESS Pro using K3s.
Architecture
The diagram below provides an overview of the ESS Pro deployment architecture and the interplay of the individual components.
Components
Most of the components in ESS Pro are deployed by default, but some require additional configuration first. Any component can be enabled or disabled as desired.
- Synapse Pro
- Matrix Authentication Service (MAS)
- Element Admin
- Dex (for LDAP support)
- Element Web
- Element Call / Matrix RTC
- Advanced Identity and Access Management (Advanced IAM, formerly Group Sync)
- Secure Border Gateway (SBG)
- Sygnal (Push Gateway)
- PostgreSQL database
- .well-known delegation
Synapse Pro
Purpose
- The Matrix server that provides client-to-server and server-to-server APIs
- Consists of Synapse and additional Pro components that improve performance, scalability and stability
Deployment recommendations
- Enabled and deployed by default
- Should only be disabled if there is an external Synapse deployment to be used instead
- Works out-of-the-box with default configuration. For advanced configuration, see the guide below
- Deployment and configuration guide
- Documentation
Matrix Authentication Service (MAS)
Purpose
- Authentication server for Matrix using the OpenID Connect / OAuth 2.0 standard
- Provides local user management capabilities
- Allows integration of external IDM systems
Deployment recommendations
- Enabled and deployed by default
- Should only be disabled on initial installation if Matrix legacy authentication is required
- Can’t be disabled after being enabled
- Migration from Synapse legacy authentication is possible using the chart
- Works out-of-the-box with default configuration. For advanced configuration, see the guides below
- Deployment and configuration guide
- Authentication configuration guide (LDAP / OIDC)
- Documentation
Element Admin
Purpose
- Admin console for ESS deployments
- Can be used to manage local users (if no LDAP or OIDC IdP is in use), rooms and more
Deployment Recommendations
- Enabled and deployed by default
- Should only be disabled if a browser-based admin console is not desired
Dex (for LDAP support)
Purpose
- Lightweight Identity Provider supporting various protocols
- Only used for LDAP support with MAS
Deployment Recommendations
- Automatically enabled if LDAP authentication is configured in an installation with Matrix Authentication Service enabled
- Authentication configuration guide (LDAP / OIDC)
Element Web
Purpose
- The browser-based Matrix client from Element
Deployment Recommendations
- Enabled and deployed by default
- Should only be disabled if a browser-based client is not desired
- Deployment and configuration guide
Element Call / Matrix RTC
Purpose
- Backend to support Element Call in-app calling
- Includes an SFU (selective forwarding unit)
Deployment Recommendations
- Enabled and deployed by default
- Should only be disabled if in-app calling functionality is not desired
- Deployment and configuration guide
- Documentation
Advanced Identity and Access Management (Advanced IAM, formerly Group Sync)
Purpose
- Integration and automation between external Identity and Access Management (IAM) systems and the Matrix backend
- Supports LDAP and SCIM
- Features
  - Synchronize user attributes (e.g., display name, email address, etc.) with external IDM systems
  - User lifecycle management (automated user deprovisioning)
  - Group Access Control (ability to control room memberships based on LDAP/IdP attributes)
  - Mirror organizational structures to Matrix rooms and Spaces
  - Automated room memberships based on user attributes in external IDM systems (e.g., group memberships)
  - Automated room permission management based on user attributes in external IDM systems
Deployment Recommendations
- Disabled by default as enabling it requires additional configuration
- For organizations with external IDM (LDAP or OIDC IdP), it is highly recommended to configure and enable AIM
- Deployment and configuration guide
- Documentation
Secure Border Gateway (SBG)
Purpose
- SBG is an application-level firewall to inspect incoming and outgoing traffic to/from the Matrix server
- SBG can be applied to both the Client-Server API (Matrix clients) and the Server-Server API (federated Matrix servers)
- Features
  - Closed federation enforcement by using an allow-/deny-list of Matrix server domains
  - Messenger Proxy feature set for TI-Messenger in German healthcare
Deployment Recommendations
- Disabled by default as enabling it requires additional configuration
- Should be configured and enabled if federation controls or other features are desired
- Deployment and configuration guide upcoming
Sygnal (Push Gateway)
Purpose
- Push Gateway for mobile apps
- Sends push notifications triggered by the Matrix server to Apple / Google push infrastructure
- Supports the Apple Push Notification Service (APNS) and Google/Firebase Cloud Messaging (GCM/FCM)
- Requires an Element Sovereign subscription
Deployment Recommendations
- Disabled by default as enabling it requires additional configuration
- Element mobile apps rely by default on a cloud-hosted push gateway from Element, which can be used as-is
- Should only be configured and enabled if
  - a customer has their own/custom apps
  - a customer's networking configuration doesn't allow access to the cloud-hosted push gateway from Element
  - full sovereignty over push notifications is required
- Deployment and configuration guide upcoming
PostgreSQL database
Purpose
- Default database for the Matrix server (Synapse) and other components
- Provided for quick and easy deployment
- Not supported by Element
Deployment Recommendations
- Enabled and deployed by default
- Should be replaced by an external database cluster for production environments, as the integrated database is not optimized for production use and is not supported by Element
- Deployment and configuration guide for using Synapse with an external database
.well-known delegation
Purpose
- A simple web server hosting .well-known files for service discovery
- This is required for enabling federation and is needed for certain client features like Element Call
Deployment Recommendations
- Enabled and deployed by default
- Should not be changed unless the well-known files are hosted externally
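As an added example (not part of the ESS Pro documentation or chart), the following Python checker validates the two Matrix well-known documents before federation is enabled: it parses /.well-known/matrix/server and /.well-known/matrix/client according to the Matrix specification's formats and reports when either one delegates to a host other than the one you intended. The example.org host names used in the usage below are constructed.

```python
import json
import re
from urllib.parse import urlparse
# Server name grammar from the Matrix spec: dns-name, IPv4 or [IPv6] literal, optional :port
_SERVER_RE = re.compile(r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+)(?::(?P<port>\d{1,5}))?$")

def _load_object(text: str) -> dict:
    # json.loads raises a ValueError subclass on non-JSON; we also insist on a top-level object
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("well-known document must be a JSON object")
    return doc

def parse_server_wellknown(text: str) -> tuple[str, int]:
    """Parse /.well-known/matrix/server and return (host, port); port defaults to 8448."""
    value = _load_object(text).get("m.server")
    if not isinstance(value, str):
        raise ValueError("m.server missing or not a string")
    m = _SERVER_RE.match(value)
    if not m:
        raise ValueError(f"malformed m.server value: {value!r}")
    port = int(m.group("port")) if m.group("port") else 8448
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return m.group("host"), port

def parse_client_wellknown(text: str) -> str:
    """Parse /.well-known/matrix/client and return the homeserver base URL without a trailing slash."""
    hs = _load_object(text).get("m.homeserver")
    if not isinstance(hs, dict) or not isinstance(hs.get("base_url"), str):
        raise ValueError("m.homeserver.base_url missing")
    url = urlparse(hs["base_url"])
    if url.scheme != "https" or not url.netloc:
        raise ValueError(f"base_url must be an absolute https URL: {hs['base_url']!r}")
    return hs["base_url"].rstrip("/")

def check_delegation(server_json: str, client_json: str, expected_host: str) -> list[str]:
    """Return findings; an empty list means both documents delegate to expected_host."""
    findings = []
    try:
        host, port = parse_server_wellknown(server_json)
        if host != expected_host:
            findings.append(f"m.server points at {host}:{port}, expected {expected_host}")
    except ValueError as e:
        findings.append(f"server well-known: {e}")
    try:
        base = parse_client_wellknown(client_json)
        if urlparse(base).hostname != expected_host:
            findings.append(f"m.homeserver.base_url points at {base}, expected {expected_host}")
    except ValueError as e:
        findings.append(f"client well-known: {e}")
    return findings
```

Run `check_delegation` against the two documents served at your base domain (for example fetched with curl) and treat any non-empty result as a misconfiguration to fix before opening federation.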