
Deployment Overview

The diagram below illustrates a private cloud deployment of Mattermost, with optional configurations for scaling from small teams to large organizations.

[Diagram: Mattermost network deployment. View Mattermost Network Diagram]

Notes:

Requirements and Installation Guides

Mattermost supports workplace messaging for teams using one to three servers with instructions available in the Install Guides section of this documentation. See Software and Hardware Requirements documentation for server sizing estimates.

User Experience

PC Web Experience

End users can securely share messages and files using a web-based Mattermost experience in IE, Chrome and Firefox. Please see Software and Hardware Requirements documentation for full details.

Mobile App Experience

Native applications for iOS and Android are available for interacting with the Mattermost server and receiving encrypted push notifications from your private cloud. Organizations can use a Hosted Push Notification Service with encrypted communications to mobile apps on iTunes and Google Play, or deploy to an Enterprise App Store on your organization's private network. A Test Push Notification Service is available for use while evaluating options.

Mobile Web Experience

End users can securely share messages and files using a mobile web-based Mattermost experience on iOS and Android devices. Please see Software and Hardware Requirements documentation for full details.

Email Client

Receive emails on desktop and mobile from the Mattermost server.

Communication Protocols

HTTPS Connection (Hypertext Transfer Protocol Secure)

The HTTPS connection to the Mattermost server renders pages and provides core functionality. It does not include real-time interactivity, which is enabled by the WSS connection.

If the HTTPS connection is not available, the Mattermost service will not work. HTTPS is a secure, encrypted protocol and is highly recommended for production. An unencrypted HTTP connection may be used in initial testing and configuration but it is not recommended for production.

WSS Connection (Secure WebSocket Protocol)

The WSS connection to the Mattermost server enables real-time updates and notifications. If the WSS connection is not available but HTTPS is, the system will appear to work, but real-time updates and notifications will not; updates will only appear on a page refresh. WSS is a persistent connection to the Mattermost server for as long as you are connected, while HTTPS requests are intermittent, made whenever you load a page or a file.

Typically a "Mattermost unreachable" error message will be displayed warning users that the Mattermost server is either unreachable or the WebSocket connection is not properly configured.

WSS is a secure, encrypted connection and is highly recommended. An unencrypted WS connection may be used in initial testing and configuration but it is not recommended for production.
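The "HTTPS works but WSS does not" condition described above is easy to verify from the outside, and is usually caused by the proxy in front of the server not passing the WebSocket upgrade through. The following script is an added example, not code from the Mattermost documentation or server: it sends an RFC 6455 upgrade request over verified TLS and classifies the reply, so a proxy that drops the Upgrade and Connection headers is caught before users see "Mattermost unreachable". The websocket path /api/v4/websocket, the host names and the sample replies are assumptions constructed for this example.

```python
"""Check that the WSS path through a proxy really upgrades to WebSocket.

Added example; not code from the Mattermost documentation or server.
A proxy that strips the Upgrade/Connection headers leaves HTTPS working
while WSS silently fails, which is the failure mode the overview describes.
The websocket path /api/v4/websocket and the host names are assumptions.
"""
import base64
import hashlib
import os
import socket
import ssl
from typing import Optional, Tuple

WS_PATH = "/api/v4/websocket"  # assumed Mattermost websocket endpoint
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake constant


def build_upgrade_request(host: str, path: str = WS_PATH,
                          key: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Return (raw HTTP/1.1 upgrade request, Sec-WebSocket-Key) per RFC 6455."""
    ws_key = base64.b64encode(key or os.urandom(16)).decode()
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {ws_key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        f"Origin: https://{host}\r\n"
        "\r\n"
    ).encode()
    return request, ws_key


def expected_accept(ws_key: str) -> str:
    """Sec-WebSocket-Accept value a genuine WebSocket server must return."""
    digest = hashlib.sha1((ws_key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


def classify_response(raw: bytes, ws_key: str) -> str:
    """Map the first HTTP response to a deployment diagnosis."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if status == 101:
        # Only a real WebSocket endpoint can compute the matching accept key.
        if headers.get("sec-websocket-accept") == expected_accept(ws_key):
            return "ok"
        return "bad-accept"
    if status in (200, 400, 426):
        # The request reached a plain HTTP handler: the proxy dropped the
        # Upgrade/Connection headers, so HTTPS works but WSS does not.
        return "proxy-strips-upgrade"
    if 300 <= status < 400:
        return "redirect"  # e.g. an HTTP->HTTPS redirect answered instead of the app
    if status in (502, 503, 504):
        return "backend-unreachable"  # proxy is up, Mattermost server behind it is not
    return f"unexpected-{status}"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Run the check against a live server over verified TLS (needs network access)."""
    request, ws_key = build_upgrade_request(host)
    ctx = ssl.create_default_context()  # verifies the proxy's certificate chain
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(request)
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return classify_response(raw, ws_key)


# Constructed sample replies (not captured from a real deployment).
def sample_good_reply(ws_key: str) -> bytes:
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {expected_accept(ws_key)}\r\n\r\n"
    ).encode()


SAMPLE_STRIPPED_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nBad Request\n"

if __name__ == "__main__":
    _, key = build_upgrade_request("mattermost.example.com")
    print(classify_response(sample_good_reply(key), key))  # ok
    print(classify_response(SAMPLE_STRIPPED_REPLY, key))   # proxy-strips-upgrade
```

Running probe("chat.example.com") against a deployment gives one word to act on: "proxy-strips-upgrade" points at the proxy configuration (the Upgrade and Connection headers must be forwarded to the Mattermost server), "backend-unreachable" at the server behind the proxy, and "bad-accept" at something other than a WebSocket endpoint answering on the path.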

Network Access and Multi-Factor Authentication

Behind a VPN

Mattermost is intended to be installed within a private network which can offer multiple factors of authentication, including secure access to computing devices and physical locations.

If outside access is required, a virtual private network (VPN) client, such as OpenVPN, with additional authentication, is recommended for connecting to Mattermost from web, desktop and mobile experiences.

Non-VPN Setup

If Mattermost is accessible from the open internet, the following is recommended:

  1. An IT admin should be assigned to set up appropriate network security, subscribe to the Mattermost security bulletin and apply new security updates.
  2. The organization upgrades to Mattermost Enterprise Edition to enable SAML single sign-on or enable MFA using Google Authenticator. For non-enterprise deployments, VPN is recommended.

If Mattermost is accessible from the open internet with no VPN or MFA set up, we recommend using it only for non-confidential, unimportant conversations, where the impact of a compromised system would be limited.

Note: Not-for-profit and academic institutions are eligible for special not-for-profit and academic pricing for Mattermost Enterprise Edition.

Data Center Infrastructure

Push Notification Service

The Mattermost Push Notification Service (MPNS) routes push notifications to:

  1. Apple Push Notification Service to send notifications to the Mattermost iOS app.
  2. Google Push Notification Service to send notifications to the Mattermost Android app.

If you're deploying mobile applications to an Enterprise App Store, your MPNS should be behind your firewall on your private network. If you're using mobile apps in iTunes and Google Play, you can relay notifications to mobile apps using the Hosted Push Notification Service (HPNS) included with Mattermost Enterprise Edition.

HPNS does not connect to your mobile apps directly. It sends messages over an encrypted channel to Apple or Google, which relay them to the app that users downloaded from iTunes or Google Play.

Proxy

The proxy manages Secure Sockets Layer (SSL/TLS) encryption and sets the policy on how network traffic is routed to the Mattermost server.

Mattermost install guides include setup instructions for the NGINX software proxy by default. For large-scale deployments, a hardware proxy with dedicated devices for SSL encryption and decryption may improve efficiency.

In a high availability configuration (Enterprise Edition only) the proxy would also balance network load across multiple Mattermost servers.

Microsoft Active Directory Single Sign-On (Enterprise Edition)

Mattermost Enterprise Edition supports Microsoft Active Directory and LDAP single sign-on with secure transport over TLS or stunnel.

Private Cloud Integrations

Mattermost offers complete access to its Web Service APIs, along with incoming and outgoing webhooks and slash command options, for integrating with your on-premises systems.

Visit our app directory for dozens of open source integrations to common tools like Jira, Jenkins, GitLab, Trac, Redmine and SVN, along with interactive bot applications (Hubot, mattermost-bot), and other communication tools (Email, IRC, XMPP, Threema) that are freely available for use and customization.

Email Service

For notifications and account verification, Mattermost connects to your existing email service over SMTP, including Microsoft Exchange, Amazon SES, SendGrid and self-hosted email solutions.

Mattermost Server

The Mattermost server installs as a single compiled binary file. All server settings are stored in a configuration file, config/config.json, which can be updated directly or via a web-based System Console user interface.
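Several of the recommendations in this overview (an encrypted HTTPS and WSS connection, SAML single sign-on or MFA when the server is reachable without a VPN, encrypted transport to the push notification service, the email service and AD/LDAP) correspond to settings in config/config.json. The following audit script is an added example, not part of the Mattermost documentation or code base. The key names are assumed from the Mattermost 5.x config.json schema (ServiceSettings, EmailSettings, LdapSettings, SamlSettings) and are not shown on this page; both sample configurations are constructed for the example.

```python
"""Audit a Mattermost config/config.json against the exposure model in this overview.

Added example, not Mattermost's own code. Key names are assumed from the
Mattermost 5.x config.json schema; the sample configurations are constructed.
"""
import json
from typing import List

LOOPBACK_PREFIXES = ("127.0.0.1:", "localhost:", "[::1]:")


def audit(config: dict, internet_facing: bool, behind_proxy: bool) -> List[str]:
    """Return finding codes for the settings the overview's recommendations touch.

    internet_facing: the server is reachable without a VPN (Non-VPN Setup).
    behind_proxy:    TLS terminates at a proxy in front of the Mattermost server.
    """
    findings = []
    svc = config.get("ServiceSettings", {})
    email = config.get("EmailSettings", {})
    ldap = config.get("LdapSettings", {})
    saml = config.get("SamlSettings", {})

    # HTTPS/WSS: clients derive wss:// from the site URL, so it must be https://.
    if not str(svc.get("SiteURL", "")).startswith("https://"):
        findings.append("SITEURL_NOT_HTTPS")

    if behind_proxy:
        # TLS ends at the proxy, so the plaintext listener must not be reachable around it.
        if not str(svc.get("ListenAddress", "")).startswith(LOOPBACK_PREFIXES):
            findings.append("LISTEN_ADDRESS_BYPASSES_PROXY")
    elif svc.get("ConnectionSecurity", "") != "TLS":
        findings.append("SERVER_TLS_DISABLED")

    # Internet exposure without a VPN: SAML SSO or enforced MFA.
    if internet_facing:
        mfa_enforced = bool(svc.get("EnableMultifactorAuthentication")) and \
            bool(svc.get("EnforceMultifactorAuthentication"))
        if not (mfa_enforced or bool(saml.get("Enable"))):
            findings.append("NO_SSO_OR_ENFORCED_MFA")

    # Email service: verification links and notifications must not travel in the clear.
    if email.get("SMTPServer") and email.get("ConnectionSecurity", "") not in ("TLS", "STARTTLS"):
        findings.append("SMTP_UNENCRYPTED")

    # Push notifications: the MPNS/HPNS relay must be reached over TLS.
    if email.get("SendPushNotifications") and \
            not str(email.get("PushNotificationServer", "")).startswith("https://"):
        findings.append("PUSH_SERVER_NOT_HTTPS")

    # AD/LDAP: TLS or STARTTLS. A plain bind is only acceptable to a local stunnel,
    # which this check cannot see; treat the finding as something to confirm by hand.
    if ldap.get("Enable") and ldap.get("ConnectionSecurity", "") not in ("TLS", "STARTTLS"):
        findings.append("LDAP_UNENCRYPTED")
    return findings


def audit_file(path: str, internet_facing: bool, behind_proxy: bool) -> List[str]:
    """Load config.json from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit(json.load(fh), internet_facing, behind_proxy)


# Constructed sample configurations (only the keys the audit looks at).
WEAK_CONFIG = {
    "ServiceSettings": {
        "SiteURL": "http://chat.example.internal",
        "ListenAddress": ":8065",
        "ConnectionSecurity": "",
        "EnableMultifactorAuthentication": False,
        "EnforceMultifactorAuthentication": False,
    },
    "EmailSettings": {
        "SMTPServer": "smtp.example.internal",
        "SMTPPort": "25",
        "ConnectionSecurity": "",
        "SendPushNotifications": True,
        "PushNotificationServer": "http://push.example.internal",
    },
    "LdapSettings": {"Enable": True, "ConnectionSecurity": ""},
    "SamlSettings": {"Enable": False},
}

HARDENED_CONFIG = {
    "ServiceSettings": {
        "SiteURL": "https://chat.example.com",
        "ListenAddress": "127.0.0.1:8065",   # only the proxy on this host can reach it
        "ConnectionSecurity": "",            # TLS terminates at the proxy
        "EnableMultifactorAuthentication": True,
        "EnforceMultifactorAuthentication": True,
    },
    "EmailSettings": {
        "SMTPServer": "smtp.example.com",
        "SMTPPort": "587",
        "ConnectionSecurity": "STARTTLS",
        "SendPushNotifications": True,
        "PushNotificationServer": "https://push.example.com",
    },
    "LdapSettings": {"Enable": True, "ConnectionSecurity": "TLS"},
    "SamlSettings": {"Enable": True},
}

if __name__ == "__main__":
    print(audit(WEAK_CONFIG, internet_facing=True, behind_proxy=False))
    print(audit(HARDENED_CONFIG, internet_facing=True, behind_proxy=True))  # []
```

The behind_proxy flag matters: when TLS terminates at the proxy, an empty ConnectionSecurity on the server is legitimate, but the ListenAddress must then be bound to loopback so the unencrypted listener cannot be reached around the proxy; without a proxy, the server itself must be set to TLS.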

RESTful JSON Web Service

The entirety of the Mattermost server is accessible through a RESTful Web Service API. Developers creating custom applications for Mattermost can access the API either directly or via the JavaScript and Golang drivers.

Authentication Client

Authenticates users by email or username plus password.

For customers of Enterprise Edition, single sign-on via Microsoft Active Directory and LDAP is also available.

Authentication Provider

Lets other services authenticate against the Mattermost server through its Authentication Client interface, using OAuth2.

Notification Service

Sends notifications via SMTP email and mobile push notifications via the Mattermost Push Notification Service.

Data Management Service

Connects to and manages supported databases.

High Availability (Enterprise Edition)

Large organizations needing sophisticated, high scale, high availability configurations can set up a highly available, horizontally scalable deployment. Contact the enterprise team for guidance on configuring and sizing Mattermost Enterprise Edition to support your specific needs.

Data Stores

Databases

Mattermost uses a MySQL or Postgres database to store and retrieve system data and to execute full-text search. Solid-state drives can be used for faster read times to increase performance.

See Database requirements for full details.

Multiple Read Replicas (Enterprise Edition)

For enterprise deployments, the Mattermost database can be configured with a master and multiple read replicas. The read replicas can be configured as a redundant backup to the active server, so that during hardware failures operation can be diverted to a read replica without interrupting service. The safest configuration is to size the disk space on the read replica used for failover two to three times larger than the storage available on the master, so that if the master fails because it runs out of disk space, it fails over to a read replica with enough extra space to run smoothly until the master is corrected.

Search Replicas (Enterprise Edition)

You can configure one or more search replicas to isolate search queries. A search replica is similar to a read replica, but is used only for handling search queries.

Global Deployments (Enterprise Edition)

Enterprise customers with deployments spanning many time zones can contact the Enterprise Team for advanced configurations to minimize latency by:

  1. Storing static assets over a global CDN.
  2. Deploying multiple Mattermost servers to host API communication closer to the location of end users.
  3. Deploying multiple database read replicas closer to the location of end users.

File Store

Images and files shared by users are stored and retrieved from one of three locations.

  1. For teams sharing only modest amounts of file data, local storage on the same physical machine as the Mattermost server may be sufficient.
  2. For enterprises sharing very large amounts of data, a Network-Attached Storage server may be used, which can scale to petabytes if necessary.
  3. For both ease of use and scale, Amazon's S3 file storage service is a third option.

Deployment Options

Mattermost Enterprise Edition customers can contact Mattermost, Inc. for advisory on deployment options for their specific environments. The following section describes common deployment configurations.

Mobile devices with VPN clients (recommended)

Mattermost can be deployed behind your company firewall on a private network with access from the outside via a Virtual Private Network (VPN). This means running a VPN client on the mobile devices and desktop computers that need to access Mattermost.

The Mattermost Push Notification Service (MPNS) should be behind your firewall on your private network. MPNS does not connect with mobile apps directly; it forwards push notifications from the Mattermost server to a relay service for iTunes or Google Play, or to mobile apps within an Enterprise App Store.

Mobile devices without VPN clients

If Mattermost is available on the internet, we recommend Mattermost Enterprise Edition featuring SAML-based single sign-on and multi-factor authentication (MFA) using Google Authenticator.

The Mattermost Push Notification Service (MPNS) should be behind your firewall inside your private network. MPNS does not connect with mobile apps directly; it forwards push notifications from the Mattermost server to a relay service for the iOS App Store or Google Play, or directly to mobile apps within an Enterprise App Store behind your firewall.

For certificate-based authentication on mobile devices, contact the Enterprise Sales Team for more information.

Mobile devices with an EMM provider

Mattermost mobile applications can also be deployed via EMM providers that support AppConfig, such as BlackBerry UEM, MobileIron and AirWatch. EMM solutions typically offer "App Tunnel" or per-app VPN capabilities that can be used to connect the mobile apps to a Mattermost server behind a VPN.