Introduction to ESS Pro
[WORK IN PROGRESS]
Element Server Suite Pro (ESS Pro) is the commercial Matrix distribution from Element for professional use. It is based on ESS Community and adds features and services tailored to professional environments, from more than 100 users up to massive scale in the millions.
ESS Pro is designed to support enterprise requirements in terms of advanced IAM, compliance, scalability, high availability and multi-tenancy. ESS Pro makes use of Synapse Pro to provide infrastructure cost savings with unmatched stability and user experience under high load. It uses Element’s Secure Border Gateway (SBG) as an application-layer firewall to manage federation and to ensure that deployments stay compliant at all times. ESS Pro includes L3 support, Long-term Support (LTS) and Advanced Security Advisory, and prepares customers for the Cyber Resilience Act (CRA).
This documentation provides the information Element customers need to get started with and operate ESS Pro.
Editions
There are three editions of Element Server Suite:
ESS Community
ESS Community is a cutting-edge Matrix distribution including all the latest features of the Matrix server Synapse and other components. It is freely available under the AGPLv3 license and tailored to small- and mid-scale, non-commercial community use cases. It is designed to set up a Matrix deployment easily and quickly. It comprises the basic components needed to get you running and is a great way to get started.
ESS Pro
ESS Pro is the commercial Matrix distribution from Element for professional use (see above) which is described in this documentation.
ESS TI-M
ESS TI-M is a special version of ESS Pro focused on the requirements of TI-Messenger Pro and ePA as specified by the German National Digital Health Agency Gematik. It complies with a specific Matrix version and does not make use of experimental features.
Deploying ESS Pro
ESS Pro comes as a Helm chart and can be deployed on any Kubernetes distribution. It requires an existing Kubernetes cluster and can be operated on the public internet as well as in air-gapped scenarios.
A full step-by-step deployment guide for ESS Pro using K3s can be found here.
Components
Below is an overview of the components in ESS Pro, including their purpose and additional information. Most of the components are deployed by default, but some require additional configuration first. Any component can be enabled or disabled as desired.
The following components are included in ESS Pro (whether a component is deployed by default is stated in its section below):
- Synapse Pro
- Matrix Authentication Service (MAS)
- Dex (for LDAP support)
- Element Web
- Element Call / Matrix RTC
- Advanced Identity Management (AIM, formerly Group Sync)
- Secure Border Gateway (SBG)
- Sygnal (Push Gateway)
- PostgreSQL database
- .well-known delegation
Find below more details on each of the components, information about their capabilities and our recommendations for deployment.
Synapse Pro
Purpose
- The Matrix server that provides client-to-server and server-to-server APIs
- Consists of Synapse and additional Pro components that improve performance, scalability and stability
Deployment recommendations
- Enabled and deployed by default. Should only be disabled if there is an external Synapse deployment to be used instead.
- Works out of the box with the default configuration. For advanced configuration, see the guide linked below.
- Deployment and configuration guide
- Documentation
Matrix Authentication Service (MAS)
Purpose
- Authentication server for Matrix using the OpenID Connect / OAuth 2.0 standard
- Provides local user management capabilities
- Allows integration of external IDM systems
Deployment recommendations
- Enabled and deployed by default. Should only be disabled if Matrix legacy authentication is required.
- Works out of the box with the default configuration. For advanced configuration, see the guide linked below.
- Deployment and configuration guide
- Authentication configuration guide (LDAP / OIDC)
- Documentation
Dex (for LDAP support)
Purpose
- Lightweight Identity Provider supporting various protocols
- Only used for LDAP support with MAS
Deployment recommendations
- Disabled by default as enabling it requires configuration
- Automatically enabled if LDAP authentication is configured
- Authentication configuration guide (LDAP / OIDC)
Element Web
Purpose
- The browser-based client from Element
Deployment recommendations
- Enabled and deployed by default. Should only be disabled if a browser-based client is undesired.
- Deployment and configuration guide
- Documentation
Element Call / Matrix RTC
Purpose
- Backend to support Element Call in-app calling
- Includes an SFU (selective forwarding unit)
Deployment recommendations
- Enabled and deployed by default. Should only be disabled if in-app calling functionality is undesired.
- Deployment and configuration guide
- Documentation
Advanced Identity Management (AIM, formerly Group Sync)
Purpose
- Integration and automation between external Identity Management (IDM) systems and the Matrix backend
- Supports LDAP and SCIM
- Features:
  - Synchronize user attributes (e.g., display name, email address) with external IDM systems
  - User lifecycle management (automated user deprovisioning)
  - Mirror organizational structures to Matrix rooms and Spaces
  - Automated room memberships based on user attributes in external IDM systems (e.g., group memberships)
  - Automated room permission management based on user attributes in external IDM systems
Deployment recommendations
- Disabled by default as enabling it requires configuration
- For organizations with external IDM (LDAP or OIDC IdP), it is highly recommended to configure and enable AIM
- Deployment and configuration guide
- Documentation
Secure Border Gateway (SBG)
Purpose
Deployment recommendations
Sygnal (Push Gateway)
Purpose
Deployment recommendations
PostgreSQL database
Purpose
Deployment recommendations
.well-known delegation
Purpose
Deployment recommendations