Local MCP servers over SSH tunnels: are your controls keeping up?

TL;DR: Hosted clusters in Pomerium Zero let local MCP servers expose a public HTTPS endpoint over an SSH reverse tunnel, removing the need for manual tunnelling, TLS setup, or brittle ephemeral URLs so frontier models can call tools directly, according to Pomerium. The broader issue is that MCP access now depends on identity and policy decisions at runtime, not just network reachability.

NHIMG editorial — based on content published by Pomerium: Hosted Clusters in Pomerium Zero and MCP hacking endpoints from localhost via SSH

Questions worth separating out

Q: How should security teams govern local MCP servers that become publicly reachable?

A: They should treat public reachability as a governed access decision, not a networking shortcut.

Q: Why do reverse tunnels change MCP security risk?

A: Reverse tunnels change the risk because they convert a private local service into an externally reachable endpoint without forcing the same deployment controls as production.

Q: What breaks when MCP tool access is not scoped tightly enough?

A: Unscoped MCP access turns a narrow integration into a general-purpose execution surface.

Practitioner guidance

• Classify MCP endpoints by actor type Decide whether each endpoint is serving a human developer, an NHI workload, or an autonomous agent.
• Require policy before public exposure Do not treat an SSH reverse tunnel or hosted cluster as harmless because it is easy to create.
• Inventory all local-to-public MCP paths Track every workflow that turns localhost into a reachable service, including ad hoc tunnels used for testing.

What's in the full article

Pomerium's full post covers the operational detail this post intentionally leaves for the source:

• Step-by-step SSH reverse tunnel setup for hosted MCP exposure
• Local MCP development flow using ChatGPT's Apps SDK template
• Guidance on how the hosted cluster forwards to localhost over pom.run
• Practical notes on using the beta workflow for remote MCP servers

👉 Read Pomerium's post on hosted clusters for local MCP server access →

Local MCP servers over SSH tunnels: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →