Good afternoon.
The gateway does not require an agent or library to be installed on the back-end servers. The Gateway is meant to have requests forwarded through to process, validate, etc against. This is normally controlled by isolating the back-end environment from direct traffic both from external or internal sources. If this is not feasible then depending on the back-end technology, you can setup redirect rules or outright denial of access based on the client IP address accessing it, and/or using client mutual authentication that only the Gateway has the private key for and the back-end trusts.
Sincerely,
Stephen Hughes
Director, CA Support