Deploying workstation servers is gated by capabilities: Deploy new workstation instances and Create and configure managed and workstation servers. If you don’t see the option to add a workstation server, your role doesn’t have the relevant capability — ask a workspace administrator to grant it. See the capabilities reference.
Why use a workstation server
A workstation server is the right choice when:- The server needs local access — tools like Playwright (browser automation), filesystem servers, or anything that interacts with a user’s machine need to run where that machine is.
- You’re working with on-premises resources — if a server must reach systems available only on your internal network, running it on a workstation inside that network is the simplest approach.
- You want governance for local servers — even though the server runs locally, all traffic still flows through the MCP Manager gateway, so you keep full logging, security guardrails, identity management, and access control.
How a workstation server connects
MCP Manager uses a lightweight tunnel agent to create a secure connection between the workstation and the gateway. A small container runs on the machine and establishes an encrypted tunnel to MCP Manager. The gateway routes requests through that tunnel; on the workstation, a local router validates each request with an access key before forwarding it to your MCP server. The tunnel handles NAT traversal automatically, so workstation servers work even behind firewalls or corporate networks with no special configuration in most environments. The exception is a corporate proxy or secure web gateway that intercepts outbound traffic — see When a network proxy blocks the connection. Because the connection is outbound from the workstation and end-to-end encrypted, the local server is never exposed to the public internet, and only requests carrying the correct access key reach it. Even though the connection is encrypted, MCP Manager can still see every request that flows through it. That’s deliberate: it’s how each call gets checked against your policies and written to the audit log before reaching your server. It’s what keeps a server on a laptop as governed as any other.What makes this safe
- Encrypted with WireGuard. Traffic between the workstation and MCP Manager travels over a tunnel built on WireGuard, a modern, widely trusted encryption standard.
- Nothing exposed to the internet. The workstation dials out to MCP Manager and never opens an inbound port, so your local server stays invisible to the outside world, even behind a corporate firewall.
- Only MCP Manager gets in. Requests reach your server only through the tunnel, and only when they carry the correct access key.
- Every call governed. Each request is checked against your policies and recorded in the audit log, exactly like any other server.
What you need to connect a workstation server
Before you run the generated command, the machine needs:- Docker — the tunnel agent runs as a container on your machine.
- The local MCP server you want to connect, or the command that launches it.
- Outbound network access to MCP Manager’s tunnel endpoint. To bring up the tunnel, the agent dials outbound to
headscale.mcpmanager.aion TCP port 443. It opens no inbound ports, but this outbound connection must be allowed to leave the machine.
headscale.mcpmanager.ai on port 443 without TLS interception, or have it allowlisted. If setup stalls, see When a network proxy blocks the connection.
The setup experience: TUI and CLI
MCP Manager provides an in-product wizard that generates a single Docker command for you to run on the workstation. The command starts the tunnel agent and connects your local MCP server to MCP Manager.1
Run it on the workstation
Run the command in your terminal. It launches an interactive terminal user interface (TUI) — a dashboard right in your command line.
2
Watch the connection establish
The TUI shows the progress of each step as the tunnel is established and the workstation registers with MCP Manager.
- Connection status — the progress of each step as the tunnel comes up and the workstation registers.
- Health monitoring — real-time health information and connection statistics.
- Logs — local workstation logs for troubleshooting.
- Port information — which ports are in use on the machine.
- Server controls — start, stop, or restart the workstation connection.
When a network proxy blocks the connection
If the setup TUI stalls at “Tailscale daemon started” — the step stays yellow and never advances to “Authenticated on tailnet” — the tunnel agent can’t reach MCP Manager’s coordination server. The usual cause is a corporate secure web gateway or TLS-inspection proxy intercepting the outbound connection. The encrypted tunnel is built on WireGuard. To establish it, the agent opens an outbound connection toheadscale.mcpmanager.ai on TCP 443. Products such as Zscaler Internet Access, Netskope, Cisco Umbrella, Cloudflare Gateway, Palo Alto Prisma Access, Forcepoint, Broadcom/Symantec Web Security Service, and Microsoft Entra Internet Access can block that connection or re-sign its certificate, which leaves the daemon waiting and the step stuck.
To fix it:
- Allowlist the endpoint (recommended). Have your network or IT team permit outbound access to
headscale.mcpmanager.aion TCP 443 and exempt it from TLS/SSL inspection — an allow rule alone is not enough if the proxy still re-signs the certificate. Allowlist by hostname, not IP, since the underlying addresses can change. - Temporarily disable the proxy on the machine to confirm it’s the cause, then add the allowlist entry for a lasting fix.
Blocking outbound UDP alone does not cause this stall: the tunnel falls back to a relay over TCP 443. A connection that hangs at “Tailscale daemon started” almost always means TCP 443 to
headscale.mcpmanager.ai is itself blocked or TLS-intercepted.Governance and visibility
Routing local MCP traffic through the MCP Manager gateway is what makes workstation servers safe to use at an organization. The same logging, gateway rules, identity management, and access controls that apply to remote and managed servers apply here — so a server running on a laptop is no longer a blind spot. Every request is recorded and inspected, and a connection that drops is automatically retried by the tunnel agent.Identities for workstation servers
Workstation servers use the same identity model as every other server type: an identity is Private by default or Global to share across your organization, and administrators can require per-user identities or share a single identity across a gateway. See the identities section of the overview for the full model.Pros and cons
- Pros: direct access to the local environment (files, editors, hardware) with no intervening abstraction; never exposed to the public internet; full gateway governance, logging, and policy even though the server runs locally; works behind firewalls without special networking.
- Cons: the server still depends on the machine it runs on being available; large-scale rollouts benefit from configuration-management tooling to distribute the command.
Further reading
Connect a workstation MCP server
The hands-on tutorial — connect a local server and call a tool through a gateway in about ten minutes.
MCP Gateways
How a gateway aggregates servers behind one governed URL.
Managed MCP Servers
Run a server in your own infrastructure from a generated command.
External sources
WireGuard
The encrypted-tunnel protocol that workstation connections are built on.

