I use Tomcat behind IIS, and HTTP and HTTPS are only served on :80 and :443. Tomcat can only be accessed directly on :8888 via SSH tunneling. IIS serves static and cached files directly; .cfm files or dynamic .html files (with CFML) are connected to Tomcat.
I would delete the Tomcat admin JSPs in Tomcat's webroot and harden everything manually in the config files. I wouldn't leave any other port open.
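
One way to audit the setup described in this post, as an added example that is not part of the original post: it flags Tomcat connectors that are not bound to loopback and admin webapps still present in the webroot. It assumes the :8888 connector is bound to 127.0.0.1 for the SSH tunnel and that "admin JSPs" means Tomcat's stock `manager` and `host-manager` webapps; the sample `server.xml` and directory listing are constructed.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Assumption: the admin JSPs are Tomcat's stock manager and host-manager webapps.
ADMIN_APPS = {"manager", "host-manager"}

# Constructed sample server.xml: one tunnel-only connector, one left unbound.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample listing of the webapps directory.
SAMPLE_WEBAPPS = ["ROOT", "manager", "docs"]


def exposed_connectors(server_xml):
    """Return (port, address) for every Connector not pinned to loopback.

    A missing address attribute is reported as "unspecified" so that the
    bind address gets set explicitly instead of relying on a default.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        addr = conn.get("address")
        if addr not in LOOPBACK:
            findings.append((int(conn.get("port")), addr or "unspecified"))
    return sorted(findings)


def leftover_admin_apps(webapp_names):
    """Return admin webapps that still exist under the webroot."""
    return sorted(ADMIN_APPS & {name.lower() for name in webapp_names})


if __name__ == "__main__":
    for port, addr in exposed_connectors(SAMPLE_SERVER_XML):
        print(f"connector :{port} bound to {addr}, not loopback-only")
    for app in leftover_admin_apps(SAMPLE_WEBAPPS):
        print(f"admin webapp still deployed: {app}")
```
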