Citrix Introduces NetScaler MCP Gateway to Secure Enterprise AI Agents
Citrix has introduced NetScaler MCP Gateway, a centralized security and traffic-management layer for enterprise AI agents that connect to tools and data through the Model Context Protocol.
The gateway routes agent requests to approved MCP servers while enforcing authentication, access policies, rate limits, and server restrictions. It aims to help businesses prevent unmanaged AI agents from reaching unauthorized services or using excessive resources.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Citrix has also expanded NetScaler AI Gateway with policy-based model routing and token-level usage monitoring. The additions give organizations more control over which AI models employees and applications use, how much they consume, and which internal tools they can access.
What is NetScaler MCP Gateway?
NetScaler MCP Gateway acts as a single entry point between AI agents and enterprise MCP servers. Instead of allowing every agent to connect directly to individual servers, organizations can send MCP traffic through one managed gateway.
The design applies familiar API and application-delivery controls to AI agent traffic. Security teams can manage authentication and access centrally rather than creating separate rules for every MCP deployment.
The gateway builds on the broader NetScaler application delivery platform, which already provides traffic routing, application security, authentication, analytics, and health monitoring across cloud and on-premises environments.
| Capability | Purpose |
|---|---|
| Centralized MCP endpoint | Provides one managed entry point for AI agents |
| Dynamic server routing | Directs requests to approved backend MCP servers |
| Authentication | Verifies users, applications, and agent requests |
| Tool-level rate limits | Controls how frequently agents can call specific tools |
| Server access policies | Allows or blocks selected MCP servers |
| Session persistence | Keeps multi-step workflows connected to the correct server |
| Health monitoring | Detects unavailable or unhealthy MCP services |
Why enterprises need centralized MCP security
AI agents can perform more actions than traditional chatbots. They may search databases, access documents, call APIs, create support tickets, modify records, or trigger workflows in business applications.
These capabilities create risks when organizations deploy agents without consistent governance. An agent with excessive permissions could access sensitive data, call an unsafe tool, or repeatedly execute an expensive operation.
The Model Context Protocol provides a standard way for AI applications to connect with tools, services, and data sources. However, the protocol does not remove the need for enterprise authentication, authorization, monitoring, and traffic controls.
- Unapproved MCP servers may connect to sensitive enterprise systems.
- Agents may receive broader tool permissions than their users require.
- Different servers may use inconsistent authentication methods.
- Organizations may lack complete records of agent activity.
- Automated workflows can generate unpredictable traffic volumes.
- Compromised agents may repeatedly call sensitive tools.
NetScaler routes agents to approved MCP servers
The MCP Gateway dynamically routes agent requests to authorized backend servers. Developers can connect agents to the gateway instead of hard-coding separate server addresses and security settings.
This approach can simplify changes as organizations add, remove, or replace MCP servers. Infrastructure teams can update routing policies at the gateway without modifying every connected agent.
Central routing also gives security teams a clearer view of which users, applications, and agents access each tool. They can apply consistent controls across development, testing, and production environments.
- An AI agent sends an MCP request to NetScaler MCP Gateway.
- The gateway authenticates the user, application, or agent.
- Security policies determine whether the requested tool is allowed.
- NetScaler selects an approved and healthy MCP server.
- The gateway routes the request to the selected backend.
- The response returns to the agent through the same controlled path.
- Usage and traffic information becomes available for monitoring.
Several authentication methods are supported
Citrix says the gateway supports per-user tokens, global tokens, OAuth, and hybrid authentication configurations.
Per-user authentication can help organizations connect agent actions to individual identities. Global tokens may suit controlled service-to-service deployments, while OAuth can provide delegated authorization for supported applications.
Hybrid configurations allow businesses to support different agent frameworks and MCP servers while moving toward a more consistent identity model.
| Authentication option | Potential use |
|---|---|
| Per-user tokens | Associates MCP requests with individual users |
| Global tokens | Supports centrally managed service connections |
| OAuth | Provides delegated access through established identity flows |
| Hybrid authentication | Combines methods across different servers and deployments |
Tool-level limits can control agent activity
NetScaler MCP Gateway allows administrators to set rate limits for individual MCP tools. A business could permit frequent read-only searches while placing stricter limits on tools that modify records or trigger costly processes.
These controls can reduce accidental request loops and limit the effect of a malfunctioning or compromised agent. They can also protect backend services from unexpected traffic spikes.
Administrators can use server allowlists and blocklists to define which MCP systems agents may access. This helps prevent employees or applications from connecting to unapproved servers outside the organizationโs governance process.
- Limit requests to expensive database tools.
- Restrict tools that create, update, or delete records.
- Block unknown or unapproved MCP servers.
- Allow only reviewed production services.
- Apply different policies to teams and applications.
- Reduce damage from automated request loops.
Session persistence supports multi-step workflows
Agent tasks often involve several connected requests. An agent may retrieve information, analyze the result, call another tool, and then update an application.
Session persistence keeps these requests connected to the appropriate backend MCP server. This can prevent workflow interruptions when several servers provide the same service or maintain temporary session state.
NetScaler also adds protocol-aware health monitoring. The gateway can identify an unavailable MCP server and avoid routing new requests to it until it returns to a healthy state.
AI Gateway can route requests between language models
Alongside the MCP Gateway, Citrix has expanded NetScaler AI Gateway with content-switching-based model routing.
Organizations can create policies that send requests to different language models according to the application, team, task, or other request characteristics. Routine prompts could go to a lower-cost model, while complex work could reach a more capable model.
The feature extends the traffic-management approach used by the Citrix Platform, which combines secure access, application delivery, networking, and observability capabilities.
| Request type | Possible routing policy |
|---|---|
| Basic summarization | Send to a lower-cost model |
| Complex code analysis | Send to a higher-capability model |
| Sensitive internal task | Route to an approved private deployment |
| High-volume application | Distribute traffic across available providers |
| Regulated workload | Use a model approved for the required environment |
Token monitoring gives businesses clearer cost data
NetScaler AI Gateway can track input tokens, output tokens, and request volumes by user, team, or application.
This visibility can help businesses identify which services generate the highest AI costs. It can also expose sudden changes that may indicate an application error, automated loop, or unauthorized use.
Organizations can use the information for internal cost allocation and capacity planning. Product teams may also compare usage across models before selecting a provider for a production workload.
- Input token consumption
- Output token consumption
- Total request volume
- Usage by user
- Usage by team
- Usage by application
- Unexpected consumption spikes
Claude Code support enters a private preview
Citrix says it is testing a private technology preview in which NetScaler AI Gateway serves as a centralized language-model gateway for Claude Code deployments.
Developers can access supported Anthropic models through a service provider while the organization applies authentication, routing, and usage policies at one central point.
The approach may help large development teams avoid distributing separate provider credentials to every user. Administrators could also route requests across available services as capacity, policy, and business needs change.
One gateway can simplify AI governance
Enterprises often begin AI adoption with separate pilot projects. Each team may choose its own model provider, agent framework, authentication method, and MCP servers.
This fragmented approach becomes difficult to govern as projects move into production. Security teams may struggle to identify every agent, track tool access, or determine which system produced an unexpected action.
A centralized gateway can provide a shared policy layer without requiring every agent and backend service to use identical technology.
| Without a centralized gateway | With a centralized gateway |
|---|---|
| Separate endpoints for each MCP server | One managed entry point |
| Different authentication configurations | Central identity policies |
| Limited visibility across agents | Consolidated monitoring |
| Manual server changes in every application | Gateway-based routing updates |
| Inconsistent rate limits | Central tool-level controls |
| Fragmented AI spending data | Usage tracking by user, team, and application |
NetScaler uses a one-pass architecture
Citrix says NetScaler performs authentication, routing, security inspection, traffic management, rate limiting, and observability through a single data path.
The company argues that this one-pass design reduces the additional latency and processor overhead that can result from sending AI traffic through several separate security and management products.
The public NetScaler platform overview describes a one-pass architecture designed to reduce latency and improve CPU use while providing application delivery, security, and analytics.
Regulated industries may benefit from stronger controls
Centralized policies may prove especially useful in healthcare, financial services, government, and other regulated environments.
AI agents in these sectors may access patient data, financial information, case records, or operational systems. Organizations need to control which tools agents can call and preserve records of their activity.
An MCP gateway does not automatically make an AI deployment compliant. Businesses still need appropriate data governance, least-privilege access, identity controls, risk assessments, and human approval for sensitive actions.
- Restrict agents to approved MCP servers.
- Link requests to verified user identities.
- Apply least-privilege tool permissions.
- Record token and request activity.
- Limit high-risk or high-cost tool calls.
- Monitor server availability and unusual traffic.
- Require human approval for sensitive actions.
MCP adoption creates API-style security challenges
MCP gives AI applications a common method for discovering and using external capabilities. That standardization can speed development, but it can also increase the number of tools available to agents.
Each new server creates another connection that organizations must authenticate, monitor, update, and protect. Poorly governed deployments may expose sensitive resources or allow agents to perform actions beyond their intended purpose.
The official MCP documentation describes a client-server architecture that connects AI applications with tools, data, and workflows. Enterprises still need an additional governance layer around those connections.
New capabilities come with selected Citrix licenses
Citrix says the MCP Gateway and expanded AI Gateway capabilities come at no additional charge for customers with a Citrix Platform License or Universal Hybrid Multi-Cloud license.
Availability may still depend on the customerโs NetScaler deployment, supported software version, configuration, and access to preview features.
The Citrix Platform overview positions NetScaler as its application delivery and security component across on-premises, cloud, and hybrid environments.
Citrix uses AI Gateway for its own assistant
Citrix says it has deployed NetScaler AI Gateway internally to govern model interactions and token consumption for Citrix Aidrien, its enterprise AI assistant.
The internal use provides the company with a production example of centralized prompt routing, model access, and consumption monitoring.
Customers will still need to test the gateway against their own agent frameworks, security requirements, traffic patterns, and MCP server implementations before using it for critical workloads.
What enterprises should evaluate before deployment
Organizations should begin by identifying every AI agent, MCP client, MCP server, model provider, and connected data source in their environment.
They should then define which identities can use each tool and whether agents may perform read-only or state-changing actions.
Teams should also test failure scenarios, including unavailable MCP servers, provider outages, request loops, expired tokens, and attempts to access blocked tools.
- Inventory AI agents and MCP servers.
- Identify the data and tools available through each server.
- Define user, team, and application identities.
- Apply least-privilege access policies.
- Set rate limits for costly or sensitive tools.
- Test server health checks and failover behavior.
- Monitor token use and unusual request spikes.
- Review logs for unauthorized tool calls.
- Require approval for actions with significant business impact.
FAQ
NetScaler MCP Gateway is a centralized entry point that authenticates, routes, monitors, and controls AI agent requests sent to approved Model Context Protocol servers.
Citrix says the gateway supports per-user tokens, global tokens, OAuth, and hybrid authentication configurations.
Yes. Administrators can apply tool-level rate limits and use server allowlists or blocklists to control which MCP services agents can reach.
The AI Gateway can track input tokens, output tokens, and request volumes by user, team, or application. This can support cost management and unusual-usage detection.
Citrix says the new capabilities come at no additional cost for customers with a Citrix Platform License or Universal Hybrid Multi-Cloud license.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages