diff --git a/docker-compose.yml b/docker-compose.yml index 74ddb9e..afcc7ec 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -44,6 +44,10 @@ services: - "traefik.enable=true" - "traefik.docker.network=principal" + # ====================================================================== + # HTTP Services & Routers - Para Web UI de usuarios + # ====================================================================== + # Service - Conexión HTTP interna (Traefik maneja HTTPS hacia el exterior) - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=81" @@ -70,6 +74,21 @@ services: - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Host=${APP_DOMAIN}" - "traefik.http.middlewares.${APP_NAME}-headers.headers.sslredirect=true" + # ====================================================================== + # TCP Router & Service - Para agentes con TCP Passthrough + # ====================================================================== + # Los agentes se conectarán a mesh-agents.nucleoriofrio.com + # y verán el certificado SSL de MeshCentral (no el de Traefik) + + # TCP Router - SNI routing para subdominio de agentes + - "traefik.tcp.routers.${APP_NAME}-agents-tcp.rule=HostSNI(`mesh-agents.${APP_DOMAIN#*.}`)" + - "traefik.tcp.routers.${APP_NAME}-agents-tcp.entrypoints=websecure" + - "traefik.tcp.routers.${APP_NAME}-agents-tcp.tls.passthrough=true" + - "traefik.tcp.routers.${APP_NAME}-agents-tcp.service=${APP_NAME}-tcp" + + # TCP Service - Conexión directa al puerto HTTPS de MeshCentral + - "traefik.tcp.services.${APP_NAME}-tcp.loadbalancer.server.port=443" + networks: principal: external: true
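Review bot: The `HostSNI` rule of the new `${APP_NAME}-agents-tcp` router relies on `${APP_DOMAIN#*.}`, and Compose variable interpolation does not, as far as I know, implement the shell prefix-strip form (only the default, required and alternative-value forms), so this label is likely to be rejected when the file is loaded instead of yielding the parent domain. I would pass the agent hostname in through its own variable, for example `MESH_AGENTS_DOMAIN`, and use that inside `HostSNI(...)`; the comment's hard-coded mesh-agents.nucleoriofrio.com only holds if APP_DOMAIN sits directly under that domain. Separately, with `tls.passthrough=true` none of the HTTP middlewares applies to this hostname (the `${APP_NAME}-headers` chain above, or anything else attached to the HTTP router outside this hunk), and the whole MeshCentral TLS listener on 443 becomes reachable through it, not only the agent channel. That deserves a comment next to the router, a TCP-level IP allow-list if the agents' source ranges are known, and a check that MeshCentral enforces its own login protections on that port. The labels list these lines belong to starts outside the hunk.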