Tomcat's socket handling abilities are not quite as robust as Apache httpd's socket handling, especially when it comes to system error handling. Tomcat performs all its socket handling through the Java VM. Since Java is designed to be cross-platform, it lacks some system-specific optimizations, such as socket optimization. In situations where the Pentaho Server is hit with a large number of dropped connections, invalid packets, or invalid requests from invalid IP addresses, httpd would do a much better job of dropping these error conditions than Tomcat. Therefore, you can improve Pentaho Server security by fronting Tomcat with httpd.
A side-effect of this configuration is increased performance when delivering static content from the Pentaho Server. For this reason, the same procedure below is covered in the section called Tuning Guide Overview. If you have already followed the Apache httpd procedure in that guide, you do not need to perform it again.