Good post. A couple notes I have on this setup that might help some folks as well.
1) If you don't want Tomcat listening on other connectors, and want the AJP connector reachable only from localhost, be sure to update the connector info in server.xml.
For example:
Remove all 8080/8443/other HTTP connectors.
Update the AJP connector to bind only to 127.0.0.1:
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
-----------------
2) On IIS, if you're doing certificate authentication or other larger transactions, you might need to adjust the worker packet size. When it's not adjusted, I have seen certificate auth or SAML (using the Web Agent Option Pack) throw problems because the request is over the current setting, so it's not getting through properly.
For example, to set it to the max I would do something like the following:
Update the connector:
<Connector port="8009" protocol="AJP/1.3" packetSize="65536" address="127.0.0.1" />
Update worker.properties and add the following (replace worker1 with whatever your worker name is):
worker.worker1.max_packet_size=65536
*Note: in server.xml, packetSize seems to be case sensitive. At least on the versions I've tested, it must be exactly packetSize; anything else seems to barf.
And of course tweak this appropriately for your setup in terms of how much you increase them.
---------------
3) On IIS, if you deploy the connector but accessing a URL tries to download the bits instead of rendering, double-check that you have "Execute" enabled in Handler Mappings.
Check by going to the appropriate location, choosing the Handler Mappings feature --> clicking Edit Feature Permissions. Verify "Execute" is enabled.
If it's not enabled, you'll see a section at the top of Handler Mappings that shows "ISAPI-dll" as Disabled. When Execute is set, it will move to the Enabled section.
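As an added check for the server.xml and worker settings discussed in points 1 and 2 (example code, not from the post or from Tomcat): it parses a constructed server.xml and worker properties fragment and flags leftover non-AJP connectors, an AJP connector not bound to loopback, a miscased packetSize attribute, and a packetSize/max_packet_size mismatch. The worker name worker1 and all sample values are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the post): an HTTP connector left in
# place and an AJP connector bound to all interfaces with a miscased packetsize.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" packetsize="65536" />
</Service></Server>"""
# Constructed worker properties fragment; "worker1" is a hypothetical worker name.
WORKERS = """worker.list=worker1
worker.worker1.port=8009
worker.worker1.max_packet_size=65536
"""

def parse_workers(text):
    """Map worker name -> {property: value} from worker.properties lines."""
    workers = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = (s.strip() for s in line.split("=", 1))
            parts = key.split(".")
            if len(parts) == 3 and parts[0] == "worker":
                workers.setdefault(parts[1], {})[parts[2]] = value
    return workers

def is_loopback(addr):
    """True only for an explicit loopback bind; a missing address means all interfaces."""
    try:
        return addr == "localhost" or ipaddress.ip_address(addr).is_loopback
    except (TypeError, ValueError):
        return False

def audit(server_xml, workers_text):
    """Return findings for the server.xml / worker issues the post describes."""
    findings = []
    workers = parse_workers(workers_text)
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port")
        if not c.get("protocol", "HTTP/1.1").startswith("AJP"):  # Tomcat default is HTTP/1.1
            findings.append(f"port {port}: non-AJP connector still enabled")
            continue
        if not is_loopback(c.get("address")):
            findings.append(f"port {port}: AJP connector not bound to loopback")
        for attr in c.attrib:
            if attr.lower() == "packetsize" and attr != "packetSize":
                findings.append(f"port {port}: '{attr}' is miscased, Tomcat wants 'packetSize'")
        size = c.get("packetSize", "8192")  # Tomcat's documented default packetSize
        for name, props in workers.items():
            if props.get("port") == port and props.get("max_packet_size", "8192") != size:
                findings.append(f"port {port}: worker {name} max_packet_size differs from packetSize {size}")
    return findings
```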