Zscaler Internet Access MCP server
Zscaler Internet Access (ZIA) is a cloud-native security service edge that protects internet traffic with web filtering, malware protection, and data controls. An MCP server for ZIA allows AI agents to manage security policies, user access, threat protection, and compliance across your organization without needing direct portal access.
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, you'll need to add it to the AI client your team uses.
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Authentication
Zscaler ZIA uses API key authentication combined with basic auth (username and password). Your ZIA tenant determines the base URL pattern: https://<cloudname>.api.zscaler.net/api/v1 for production or https://<cloudname>.api.zscalerbeta.net for beta environments. Generate an API key from Administration > API Key Management in the ZIA admin portal, then note your cloud name, the API key itself, and your admin credentials to complete authentication setup.
Available tools
The tools enable management of security policies, user access, data protection, network controls, and monitoring across ZIA. They let you configure URL filtering, malware protection, SSL inspection, DLP rules, location policies, and more.
| Tool | Description |
|---|---|
| URL Filtering | Create and manage URL categories, allow/block lists, and custom categorization rules |
| Malware Protection | Configure malware policies, advanced threat settings, file policies, and AV scanning |
| SSL Inspection | Enable SSL inspection, exclude specific sites, manage certificate policies, and configure bypass lists |
| User Management | Create users, assign departments, manage groups, and perform bulk imports |
| Authentication | Configure SAML, LDAP, MFA requirements, and manage auth exemptions |
| Location Management | Add and manage branch locations, set policies per location, control IP addresses |
| DLP Policies | Create DLP rules for sensitive data, configure incident management and EDM settings |
| Cloud App Control | Block unsanctioned apps, allow specific cloud applications, monitor shadow IT |
| Firewall Rules | Create outbound rules, manage NAT policies, set port blocking and application control |
| Bandwidth Management | Set QoS policies, prioritize applications, configure traffic throttling |
| DNS Security | Block malicious domains, set sinkhole addresses, monitor DNS queries |
| Policy Activation | Activate pending changes, schedule deployments, rollback policies if needed |
| Admin Accounts | Create admin users, set role permissions, configure audit settings |
| Audit Logs | Review admin actions, track changes, export audit trails |
Tips
- Start with broad policies and use rule order to control precedence.
- Test policy changes before activation to avoid unintended blocking.
- Minimize SSL inspection bypass to maintain security.
- Use location-based policies to improve performance while maintaining security.
- Review admin actions regularly to track changes.
- Monitor policy violations for security anomalies.
- Enable MFA for admin accounts to maintain security posture over time.
Cequence AI Gateway