Introduction to ESS Pro

Element Server Suite Pro (ESS Pro) is the commercial Matrix distribution from Element for professional use. It is based off ESS Community and includes additional features and services that are tailored to professional environments with more than 100 users up to massive scale in the millions.

ESS Pro is designed to support enterprise requirements in terms of advanced IAM, compliance, scalability, high availability and multi-tenancy. ESS Pro makes use of Synapse Pro to provide infrastructure cost savings with unmatched stability and user experience under high load. It uses Element’s Secure Border Gateway (SBG) as an application layer firewall to manage federation and to ensure that deployments stay compliant at any time. ESS Pro includes L3 support, Long-term Support (LTS), Advanced Security Advisory and prepares customers for the Cyber Resilience Act (CRA).

This documentation provides all information for Element customers to get started as well as to work with ESS Pro.

Editions

There are three editions of Element Server Suite:

• ESS Community is a cutting-edge Matrix distribution including all the latest features of the Matrix server Synapse and other components. It is freely available under the AGPLv3 license and tailored to small-/mid-scale, non-commercial community use cases. It's designed to easily and quickly set up a Matrix deployment. It comprises the basic components needed to get you running and is a great way to get started.
• ESS Pro is the commercial Matrix distribution from Element for professional use (see above) which is described in this documentation.
• ESS TI-M is a special version of ESS Pro focused on the requirements of TI-Messenger Pro and ePA as specified by the German National Digital Health Agency Gematik. It complies with a specific Matrix version and does not make use of experimental features.

Deploying ESS Pro

ESS Pro comes as a Helm chart and can be deployed using any Kubernetes distribution. It requires an existing Kubernetes cluster and can be operated on the public internet as well as in air-gapped scenarios.

See the full step-by-step deployment guide for ESS Pro using K3s.

Components

Next you find an overview of the components in ESS Pro including their purpose and additional information. Most of the components get deployed by default but some of them require additional configuration first. Any component can be enabled/disabled as desired.

The following components are included in ESS Pro (bolded items get deployed by default):

• Synapse Pro
• Matrix Authentication Service (MAS)
• Dex (for LDAP support)
• Element Web
• Element Call / Matrix RTC
• Advanced Identity Management (AIM, formerly Group Sync)
• Secure Border Gateway (SBG)
• Sygnal (Push Gateway)
• PostgreSQL database
• .well-known delegation

Find below more details on each of the components, information about their capabilities and our recommendations for deployment.

Synapse Pro

Purpose

• The Matrix server that provides client-to-server and server-to-server APIs
• Consists of Synapse and additional Pro components that improve performance, scalability and stability

Deployment recommendations

• Enabled and deployed by default
• Should only be disabled if there is an external Synapse deployment to be used instead
• Works out-of-the-box with default configuration. For advanced configuration, see the below guide
• Deployment and configuration guide
• Documentation

Matrix Authentication Service (MAS)

Purpose

• Authentication server for Matrix using the OpenID Connect / OAuth 2.0 standard
• Provides local user management capabilities
• Allows integration of external IDM systems

Deployment recommendations

• Enabled and deployed by default
• Should only be disabled if Matrix legacy authentication is required
• Works out-of-the-box with default configuration. For advanced configuration, see the below guide
• Deployment and configuration guide
• Authentication configuration guide (LDAP / OIDC)
• Documentation

Dex (for LDAP support)

Purpose

• Lightweight Identity Provider supporting various protocols
• Only used for LDAP support

Deployment Recommendations

• Disabled by default as enabling it requires configuration
• Automatically enabled if LDAP authentication is configured
• Authentication configuration guide (LDAP / OIDC)

Element Web

Purpose

• The browser-based client from Element

Deployment Recommendations

• Enabled and deployed by default
• Should only be disabled if a browser-based client is undesired
• Deployment and configuration guide
• Documentation

Element Call / Matrix RTC

Purpose

• Backend to support Element Call in-app calling
• Includes an SFU (selective forwarding unit)

Deployment Recommendations

• Enabled and deployed by default
• Should only be disabled if in-app calling functionality is undesired
• Deployment and configuration guide
• Documentation

Advanced Identity Management (AIM, formerly Group Sync)

Purpose

• Integration and automation between external Identity Management (IDM) systems and the Matrix backend
• Supports LDAP and SCIM
• Features
  • Synchronize user attributes (e.g., display name, email address, etc.) with external IDM systems
  • User lifecycle management (automated user deprovisioning)
  • Mirror organizational structures to Matrix rooms and Spaces
    • Automated room memberships based on user attributes in external IDM systems (e.g., group memberships)
    • Automated room permission management based on user attributes in external IDM systems

Deployment Recommendations

• Disabled by default as enabling it requires configuration
• For organizations with external IDM (LDAP or OIDC IdP), it is highly recommended to configure and enable AIM
• Deployment and configuration guide
• Documentation

Secure Border Gateway (SBG)

Purpose

• SBG is an application-level firewall to inspect incoming and outgoing traffic to/from the Matrix server
• SBG can be applied to both the Client-Server API (Matrix clients) and the Server-Server API (federated Matrix servers)
• Features
  • Closed federation enforcement by using an allow-/deny-list of Matrix server domains
  • Messenger Proxy feature set for TI-Messenger in German healthcare

Deployment Recommendations

• Disabled by default as enabling it requires configuration
• Should be configured and enabled if federation controls or other features are desired
• Deployment and configuration guide upcoming

Sygnal (Push Gateway)

Purpose

• Push Gateway for mobile apps
• Sends push notifications triggered by the Matrix server to Apple / Google push infrastructure
• Supports the Apple Push Notification Service (APNS) and Google/Firebase Cloud Messaging (GCM/FCM)

Deployment Recommendations

• Disabled by default as enabling it requires configuration
• Element mobile apps by default rely on a cloud-hosted push gateway from Element which can just be used
• Should only be configured and enabled if
  • a customer has their own/custom apps
  • a customer's networking configuration doesn't allow access to the cloud-hosted push gateway from Element
  • full sovereignty over push notifications is required
• Deployment and configuration guide upcoming

PostgreSQL database

Purpose

• Default database for the Matrix server (Synapse) and other components
• Provided for quick and easy deployment

Deployment Recommendations

• Enabled and deployed by default
• Should be replaced by an external database cluster for production environments as the integrated database doesn't come with optimizations for production use
• Deployment and configuration guide for using Synapse with an external database

.well-known delegation

Purpose

• A simple web server hosting .well-known files for service discovery
• This is required for enabling federation and is needed for certain client features like Element Call

Deployment Recommendations

• Enabled and deployed by default
• Should not be changed

Architecture