Citrix Introduces NetScaler MCP Gateway to Secure Enterprise AI Agents


Citrix has introduced NetScaler MCP Gateway, a centralized security and traffic-management layer for enterprise AI agents that connect to tools and data through the Model Context Protocol.

The gateway routes agent requests to approved MCP servers while enforcing authentication, access policies, rate limits, and server restrictions. It aims to help businesses prevent unmanaged AI agents from reaching unauthorized services or using excessive resources.

Citrix has also expanded NetScaler AI Gateway with policy-based model routing and token-level usage monitoring. The additions give organizations more control over which AI models employees and applications use, how much they consume, and which internal tools they can access.

What is NetScaler MCP Gateway?

NetScaler MCP Gateway acts as a single entry point between AI agents and enterprise MCP servers. Instead of allowing every agent to connect directly to individual servers, organizations can send MCP traffic through one managed gateway.

The design applies familiar API and application-delivery controls to AI agent traffic. Security teams can manage authentication and access centrally rather than creating separate rules for every MCP deployment.

The gateway builds on the broader NetScaler application delivery platform, which already provides traffic routing, application security, authentication, analytics, and health monitoring across cloud and on-premises environments.

CapabilityPurpose
Centralized MCP endpointProvides one managed entry point for AI agents
Dynamic server routingDirects requests to approved backend MCP servers
AuthenticationVerifies users, applications, and agent requests
Tool-level rate limitsControls how frequently agents can call specific tools
Server access policiesAllows or blocks selected MCP servers
Session persistenceKeeps multi-step workflows connected to the correct server
Health monitoringDetects unavailable or unhealthy MCP services

Why enterprises need centralized MCP security

AI agents can perform more actions than traditional chatbots. They may search databases, access documents, call APIs, create support tickets, modify records, or trigger workflows in business applications.

These capabilities create risks when organizations deploy agents without consistent governance. An agent with excessive permissions could access sensitive data, call an unsafe tool, or repeatedly execute an expensive operation.

The Model Context Protocol provides a standard way for AI applications to connect with tools, services, and data sources. However, the protocol does not remove the need for enterprise authentication, authorization, monitoring, and traffic controls.

  • Unapproved MCP servers may connect to sensitive enterprise systems.
  • Agents may receive broader tool permissions than their users require.
  • Different servers may use inconsistent authentication methods.
  • Organizations may lack complete records of agent activity.
  • Automated workflows can generate unpredictable traffic volumes.
  • Compromised agents may repeatedly call sensitive tools.

NetScaler routes agents to approved MCP servers

The MCP Gateway dynamically routes agent requests to authorized backend servers. Developers can connect agents to the gateway instead of hard-coding separate server addresses and security settings.

This approach can simplify changes as organizations add, remove, or replace MCP servers. Infrastructure teams can update routing policies at the gateway without modifying every connected agent.

Central routing also gives security teams a clearer view of which users, applications, and agents access each tool. They can apply consistent controls across development, testing, and production environments.

  1. An AI agent sends an MCP request to NetScaler MCP Gateway.
  2. The gateway authenticates the user, application, or agent.
  3. Security policies determine whether the requested tool is allowed.
  4. NetScaler selects an approved and healthy MCP server.
  5. The gateway routes the request to the selected backend.
  6. The response returns to the agent through the same controlled path.
  7. Usage and traffic information becomes available for monitoring.

Several authentication methods are supported

Citrix says the gateway supports per-user tokens, global tokens, OAuth, and hybrid authentication configurations.

Per-user authentication can help organizations connect agent actions to individual identities. Global tokens may suit controlled service-to-service deployments, while OAuth can provide delegated authorization for supported applications.

Hybrid configurations allow businesses to support different agent frameworks and MCP servers while moving toward a more consistent identity model.

Authentication optionPotential use
Per-user tokensAssociates MCP requests with individual users
Global tokensSupports centrally managed service connections
OAuthProvides delegated access through established identity flows
Hybrid authenticationCombines methods across different servers and deployments

Tool-level limits can control agent activity

NetScaler MCP Gateway allows administrators to set rate limits for individual MCP tools. A business could permit frequent read-only searches while placing stricter limits on tools that modify records or trigger costly processes.

These controls can reduce accidental request loops and limit the effect of a malfunctioning or compromised agent. They can also protect backend services from unexpected traffic spikes.

Administrators can use server allowlists and blocklists to define which MCP systems agents may access. This helps prevent employees or applications from connecting to unapproved servers outside the organizationโ€™s governance process.

  • Limit requests to expensive database tools.
  • Restrict tools that create, update, or delete records.
  • Block unknown or unapproved MCP servers.
  • Allow only reviewed production services.
  • Apply different policies to teams and applications.
  • Reduce damage from automated request loops.

Session persistence supports multi-step workflows

Agent tasks often involve several connected requests. An agent may retrieve information, analyze the result, call another tool, and then update an application.

Session persistence keeps these requests connected to the appropriate backend MCP server. This can prevent workflow interruptions when several servers provide the same service or maintain temporary session state.

NetScaler also adds protocol-aware health monitoring. The gateway can identify an unavailable MCP server and avoid routing new requests to it until it returns to a healthy state.

AI Gateway can route requests between language models

Alongside the MCP Gateway, Citrix has expanded NetScaler AI Gateway with content-switching-based model routing.

Organizations can create policies that send requests to different language models according to the application, team, task, or other request characteristics. Routine prompts could go to a lower-cost model, while complex work could reach a more capable model.

The feature extends the traffic-management approach used by the Citrix Platform, which combines secure access, application delivery, networking, and observability capabilities.

Request typePossible routing policy
Basic summarizationSend to a lower-cost model
Complex code analysisSend to a higher-capability model
Sensitive internal taskRoute to an approved private deployment
High-volume applicationDistribute traffic across available providers
Regulated workloadUse a model approved for the required environment

Token monitoring gives businesses clearer cost data

NetScaler AI Gateway can track input tokens, output tokens, and request volumes by user, team, or application.

This visibility can help businesses identify which services generate the highest AI costs. It can also expose sudden changes that may indicate an application error, automated loop, or unauthorized use.

Organizations can use the information for internal cost allocation and capacity planning. Product teams may also compare usage across models before selecting a provider for a production workload.

  • Input token consumption
  • Output token consumption
  • Total request volume
  • Usage by user
  • Usage by team
  • Usage by application
  • Unexpected consumption spikes

Claude Code support enters a private preview

Citrix says it is testing a private technology preview in which NetScaler AI Gateway serves as a centralized language-model gateway for Claude Code deployments.

Developers can access supported Anthropic models through a service provider while the organization applies authentication, routing, and usage policies at one central point.

The approach may help large development teams avoid distributing separate provider credentials to every user. Administrators could also route requests across available services as capacity, policy, and business needs change.

One gateway can simplify AI governance

Enterprises often begin AI adoption with separate pilot projects. Each team may choose its own model provider, agent framework, authentication method, and MCP servers.

This fragmented approach becomes difficult to govern as projects move into production. Security teams may struggle to identify every agent, track tool access, or determine which system produced an unexpected action.

A centralized gateway can provide a shared policy layer without requiring every agent and backend service to use identical technology.

Without a centralized gatewayWith a centralized gateway
Separate endpoints for each MCP serverOne managed entry point
Different authentication configurationsCentral identity policies
Limited visibility across agentsConsolidated monitoring
Manual server changes in every applicationGateway-based routing updates
Inconsistent rate limitsCentral tool-level controls
Fragmented AI spending dataUsage tracking by user, team, and application

NetScaler uses a one-pass architecture

Citrix says NetScaler performs authentication, routing, security inspection, traffic management, rate limiting, and observability through a single data path.

The company argues that this one-pass design reduces the additional latency and processor overhead that can result from sending AI traffic through several separate security and management products.

The public NetScaler platform overview describes a one-pass architecture designed to reduce latency and improve CPU use while providing application delivery, security, and analytics.

Regulated industries may benefit from stronger controls

Centralized policies may prove especially useful in healthcare, financial services, government, and other regulated environments.

AI agents in these sectors may access patient data, financial information, case records, or operational systems. Organizations need to control which tools agents can call and preserve records of their activity.

An MCP gateway does not automatically make an AI deployment compliant. Businesses still need appropriate data governance, least-privilege access, identity controls, risk assessments, and human approval for sensitive actions.

  • Restrict agents to approved MCP servers.
  • Link requests to verified user identities.
  • Apply least-privilege tool permissions.
  • Record token and request activity.
  • Limit high-risk or high-cost tool calls.
  • Monitor server availability and unusual traffic.
  • Require human approval for sensitive actions.

MCP adoption creates API-style security challenges

MCP gives AI applications a common method for discovering and using external capabilities. That standardization can speed development, but it can also increase the number of tools available to agents.

Each new server creates another connection that organizations must authenticate, monitor, update, and protect. Poorly governed deployments may expose sensitive resources or allow agents to perform actions beyond their intended purpose.

The official MCP documentation describes a client-server architecture that connects AI applications with tools, data, and workflows. Enterprises still need an additional governance layer around those connections.

New capabilities come with selected Citrix licenses

Citrix says the MCP Gateway and expanded AI Gateway capabilities come at no additional charge for customers with a Citrix Platform License or Universal Hybrid Multi-Cloud license.

Availability may still depend on the customerโ€™s NetScaler deployment, supported software version, configuration, and access to preview features.

The Citrix Platform overview positions NetScaler as its application delivery and security component across on-premises, cloud, and hybrid environments.

Citrix uses AI Gateway for its own assistant

Citrix says it has deployed NetScaler AI Gateway internally to govern model interactions and token consumption for Citrix Aidrien, its enterprise AI assistant.

The internal use provides the company with a production example of centralized prompt routing, model access, and consumption monitoring.

Customers will still need to test the gateway against their own agent frameworks, security requirements, traffic patterns, and MCP server implementations before using it for critical workloads.

What enterprises should evaluate before deployment

Organizations should begin by identifying every AI agent, MCP client, MCP server, model provider, and connected data source in their environment.

They should then define which identities can use each tool and whether agents may perform read-only or state-changing actions.

Teams should also test failure scenarios, including unavailable MCP servers, provider outages, request loops, expired tokens, and attempts to access blocked tools.

  1. Inventory AI agents and MCP servers.
  2. Identify the data and tools available through each server.
  3. Define user, team, and application identities.
  4. Apply least-privilege access policies.
  5. Set rate limits for costly or sensitive tools.
  6. Test server health checks and failover behavior.
  7. Monitor token use and unusual request spikes.
  8. Review logs for unauthorized tool calls.
  9. Require approval for actions with significant business impact.

FAQ

What is NetScaler MCP Gateway?

NetScaler MCP Gateway is a centralized entry point that authenticates, routes, monitors, and controls AI agent requests sent to approved Model Context Protocol servers.

Which authentication methods does NetScaler MCP Gateway support?

Citrix says the gateway supports per-user tokens, global tokens, OAuth, and hybrid authentication configurations.

Can NetScaler limit which tools an AI agent uses?

Yes. Administrators can apply tool-level rate limits and use server allowlists or blocklists to control which MCP services agents can reach.

What does NetScaler AI Gateway monitor?

The AI Gateway can track input tokens, output tokens, and request volumes by user, team, or application. This can support cost management and unusual-usage detection.

Is NetScaler MCP Gateway included with Citrix licenses?

Citrix says the new capabilities come at no additional cost for customers with a Citrix Platform License or Universal Hybrid Multi-Cloud license.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages