Konrado.AIdocs
IntegrationsServer Integrations

Remote Agent

Connect Konrado.AI to private MCP servers through a routed remote proxy agent

Remote Agent
Server integration
Private-network MCP pass-through proxy

Remote Agent installs an MCP-aware proxy on a server you control. Konrado.AI connects to the proxy with the Remote Agent API key, and each proxied request can include the target host and target token for the private MCP server behind it.

Use it when the real MCP endpoint is inside a private network, behind a firewall, reachable only from a jump host, or should be exposed through one stable Remote Agent URL.

Install method
Remote proxy agent
Run the generated SSH installer as root.
Default port
8001
Used for dashboard and proxy access unless changed.
Data scope
Pass-through MCP
Target data comes from the selected MCP server; the proxy adds routing and log context.
Estimated time
15 minutes
After target host/token details are ready.

What Is It?

Remote Agent is a network bridge for MCP servers that Konrado.AI cannot reach directly. It runs on a server you control, authenticates inbound MCP traffic, validates the requested target host when an allowlist is configured, optionally translates that target to an internal host:port, and forwards the request to the target server.

When a request does not include target headers, Remote Agent answers as its own local MCP service for basic agent status and maintenance context. When target headers are present, it acts as a pass-through proxy and does not reshape or merge the target server's data.

What It Can Do

CapabilityHow it helps support
Reach private MCP serversConnect Konrado.AI to internal MCP endpoints without exposing each target directly
Route target hostsAccept a public target name from Konrado.AI and optionally translate it to an internal host:port
Enforce target allowlistingUse HOSTS to restrict which target hosts can be reached through the proxy
Preserve MCP sessionsForward target authentication, cookies, MCP session headers, and JSON or event-stream responses
Inspect proxy activityReview recent request status, blocked requests, durations, target hosts, and blocked reasons in the dashboard
Support custom data sourcesUse Remote Agent together with private or generic MCP servers for internal APIs and systems

Data Available To AI And Operators

Data areaWhat can be used
Target MCP dataThe capabilities, context, and responses returned by the selected private MCP server
Routing contextRequested target host, optional internal host mapping, operator label, and whether the target is allowed
Request diagnosticsRecent request timestamp, client IP, method, path, target host, status code, duration, pass/block state, and blocked reason
Proxy healthBasic service health, Remote Agent version context, and maintenance log context
Session behaviorForwarded target token, MCP session header, cookies, and response type so stateful MCP sessions keep working

What It Cannot Do

Not supported by defaultWhy this matters
Make an unsafe MCP server read-onlyYour target MCP server controls its own permissions
Bypass target authenticationRequests still need valid target host and token details
Store target credentials for every requestThe target host and target token are sent with the request instead of being configured as static target secrets in Remote Agent
Automatically discover internal MCP serversTargets must be provided by Konrado.AI and, in production, explicitly listed in HOSTS
Proxy arbitrary HTTP applications or pathsRemote Agent is built for MCP traffic on its MCP endpoints and forwards target traffic to the target MCP endpoint
Replace firewall or reverse-proxy designYou still control which networks can reach the Remote Agent dashboard and proxy
Guarantee or normalize data shapeData depends on the MCP server behind the proxy

Security Model

Security model

Use HOSTS as an allowlist whenever possible. Empty HOSTS=[] accepts any requested target host, which is useful for testing but too broad for most production setups. Treat API_KEY and target MCP tokens as secrets, expose the dashboard only to trusted networks or behind your own access control, and keep target MCP servers scoped to the data support actually needs.

Ticket Examples

Example ticket questions
  • "Konrado can reach Remote Agent, but the private MCP target is blocked. Is the requested target host allowed?"
  • "We moved an internal MCP server to a new private IP. Can we update the route without changing the public Remote Agent URL?"
  • "Requests to the private hosting MCP server are slow. Do proxy durations show whether the delay is at the target?"
  • "The integration is returning Remote Agent context instead of the private server data. Are the target host and target token being sent?"
  • "A request fails before it reaches the target. Is the issue authentication, missing target headers, or the host allowlist?"
  • "Can we route multiple private MCP servers through one Remote Agent using labels and internal host mappings?"

Prerequisites

  • Access to Konrado.AI Integrations.
  • Root SSH access to the server where Konrado AI Remote Agent will run.
  • The target MCP server host and token that Konrado.AI will send in request headers.
  • Outbound network access from the remote server to the target MCP server.
  • An available TCP port on the remote server. The default dashboard and proxy port is 8001.

Installation

In Konrado.AI, open Integrations > Applications, click Add Integration, and choose Remote Agent.

Remote Agent installation instructions
  1. Log in to the Remote Agent server via SSH as the root user.
  2. Copy the installation command from the Remote Agent modal.
  3. Run the command in the SSH session.
  4. Wait for automatic connection detection in Konrado.AI.

The generated command will look like this:

bash <(curl -s https://raw.githubusercontent.com/konradoai/proxy-downloader/main/init.sh) --api-key=YOUR_API_KEY --callback-url=https://app.konrado.ai/api/integrations/servers/install
Run the command as root. The script installs Konrado AI Remote Agent on the selected server and registers it with Konrado.AI.

Remote Agent uses the proxy-downloader installer and does not include a --platform argument.

The installer creates /opt/KonradoAiRemoteAgent, installs the KonradoAiRemoteAgent Python package, starts konrado-mcp-remote-agent.service, generates API_KEY, and registers the server callback with Konrado.AI.

Configure host routing after installation in the Remote Agent dashboard.

Open the Dashboard

The dashboard is available at:

http://<SERVER_IP>:8001/dashboard

If port 8001 is already in use, change SERVER_PORT in the Remote Agent configuration and restart the service. Make sure your firewall allows the selected port from the networks that need dashboard or proxy access.

The Logs tab shows recent requests, status codes, durations, whether requests passed or were blocked, target hosts, and the reason for blocked requests.

Remote Agent dashboard logs tab

The Configuration tab edits the HOSTS runtime configuration saved in .env.

Remote Agent dashboard configuration tab

Configuration Fields

Remote Agent uses these .env fields:

FieldDescription
API_KEYBearer token used by Konrado.AI to authenticate to the Remote Agent
SERVER_BIND_IP_ADDRESSAddress the Remote Agent listens on, usually 0.0.0.0
SERVER_PORTPort the Remote Agent listens on, usually 8001
HOSTSJSON array managed from the dashboard. Empty HOSTS=[] allows any Target-Host; non-empty HOSTS acts as an allowlist and optional routing map

Remote Agent no longer uses static target host or target token fields in .env. The target host and token must come from request headers when Konrado.AI wants to reach a private MCP server.

Each HOSTS entry can contain:

FieldDescription
hostRequired host value accepted from the Target-Host request header
internalHostOptional internal host:port that Remote Agent connects to when Target-Host matches host
labelOptional operator label, for example DirectAdminResellers or cPanel EU clients

Example:

HOSTS='[
  {"host":"65.21.54.1:8000","label":"Direct target"},
  {"host":"konrado-test:8000","internalHost":"65.21.54.1:8000","label":"Alias through internalHost"}
]'

Request Headers

Konrado.AI authenticates to Remote Agent with:

Authorization: Bearer <API_KEY>

If a request does not include target headers, Remote Agent handles it locally. To proxy a request to a private MCP server, send both target headers:

Target-Host: <target-host>
Target-Token: <target-token>

Remote Agent forwards the request to:

http://<translated-target-host>/mcp

If the matching HOSTS entry has internalHost, Remote Agent connects to internalHost. Otherwise it connects directly to Target-Host. Sending only one target header is treated as an invalid proxied request.

Verify Success / Failure

The Konrado.AI dashboard will update from Waiting for connection... to Connected after the agent reports back.

You can also open the Remote Agent dashboard on the server and check that Konrado AI Remote Agent is running.

Remote Agent installation modal showing a successful connection

You can also verify the proxy directly:

curl -i -X POST http://<SERVER_IP>:8001/mcp \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Target-Host: <target-host>" \
  -H "Target-Token: <target-token>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"curl","version":"1.0"}}}'

Troubleshooting

IssueWhat to check
Dashboard does not openConfirm konrado-mcp-remote-agent.service is running and the selected port is reachable from your network
Proxy returns 400Confirm proxied requests include both Target-Host and Target-Token headers
Proxy returns 403 before reaching a targetConfirm the Authorization header uses the Remote Agent API key
Target request returns 403Review HOSTS in the dashboard. If HOSTS is non-empty, the requested Target-Host must be listed exactly
Proxy returns local Remote Agent contextConfirm the request includes both target headers when you expect private target data
Private target is not reachedVerify the matching HOSTS entry uses the correct internalHost and that the target is reachable from the Remote Agent server
Target returns 502 or connection errorsConfirm the target MCP server is online and reachable at its MCP endpoint from the Remote Agent host
MCP client tries /registerDisable OAuth in the MCP client or use custom headers/manual auth. Remote Agent expects direct MCP requests to /mcp or /sse

Installation Failure Commands

If Konrado.AI shows the integration as failed, first confirm the Remote Agent service is running and listening on the configured port.

Remote Agent installation modal showing a connection error
systemctl status   konrado-mcp-remote-agent.service
journalctl         -u konrado-mcp-remote-agent.service --since "15 minutes ago" --no-pager
systemctl restart  konrado-mcp-remote-agent.service
ss -ltnp | grep ':8001'

After the service restarts, open the Remote Agent dashboard and run Test Connection again in Konrado.AI.

Remove

Delete the Remote Agent integration in Konrado.AI, then uninstall the service from the remote server if it is no longer used.

On this page