How to Install and Configure Tomcat on Windows Server 2025
Apache Tomcat is the industry-standard Java Servlet container used to deploy Java web applications packaged as WAR (Web Application Archive) files. Many enterprise line-of-business applications — particularly those built on Spring Boot, JSF, or legacy Java EE stacks — are deployed to Tomcat. Running Tomcat on Windows Server 2025 requires a Java runtime, correct configuration of environment variables, tuning of server.xml for production workloads, and a mechanism to keep Tomcat running as a Windows service. This guide walks through the complete setup: installing OpenJDK, downloading and extracting Tomcat, installing it as a Windows service, deploying a WAR file, securing the Tomcat Manager application, and optionally fronting Tomcat with IIS using ARR as a reverse proxy.
Prerequisites
- Windows Server 2025 with administrative privileges
- At least 2 GB of RAM dedicated to the JVM (more for production workloads)
- A Java web application packaged as a
.warfile, or the sample application for testing - IIS with ARR installed if you want to proxy from port 80/443 to Tomcat’s port 8080
- Familiarity with XML configuration files and the Windows command line
Step 1: Install OpenJDK
Tomcat requires a Java Development Kit or Java Runtime Environment. Use Eclipse Temurin (formerly AdoptOpenJDK), the most widely used OpenJDK distribution for production deployments:
# Install via Chocolatey (recommended)
choco install temurin21 -y
# Verify installation
java -version
# Expected output:
# openjdk version "21.0.x" ...
# OpenJDK Runtime Environment Temurin-21.x.x
Alternatively, download the MSI installer from https://adoptium.net/temurin/releases/ and choose Windows x64 JDK for Tomcat 10.x or later. During installation, select Set JAVA_HOME variable to automatically configure the environment variable.
Verify that JAVA_HOME is set correctly:
# Check JAVA_HOME
[System.Environment]::GetEnvironmentVariable("JAVA_HOME", "Machine")
# Should return: C:Program FilesEclipse Adoptiumjdk-21.x.x.x-hotspot
# If not set, configure it manually
[System.Environment]::SetEnvironmentVariable("JAVA_HOME", "C:Program FilesEclipse Adoptiumjdk-21.0.5.11-hotspot", "Machine")
Step 2: Download and Extract Apache Tomcat
Download the latest stable Tomcat release from https://tomcat.apache.org/download-10.cgi. Choose the 64-bit Windows zip under the Core section. Do not use the Windows Service Installer for production — the ZIP gives you full control over configuration and upgrades.
# Extract to a dedicated directory
Expand-Archive -Path "$env:USERPROFILEDownloadsapache-tomcat-10.1.34-windows-x64.zip" -DestinationPath "C:Tomcat"
# Rename for a clean, version-independent path
Rename-Item "C:Tomcatapache-tomcat-10.1.34" "C:Tomcattomcat10"
# Set CATALINA_HOME
[System.Environment]::SetEnvironmentVariable("CATALINA_HOME", "C:Tomcattomcat10", "Machine")
Verify the directory structure:
C:Tomcattomcat10
├── bin (startup.bat, shutdown.bat, service.bat, catalina.bat)
├── conf (server.xml, web.xml, context.xml, tomcat-users.xml)
├── lib (core Tomcat JARs)
├── logs (catalina.out, access logs)
├── webapps (ROOT, manager, host-manager, deployed WARs)
└── work (compiled JSPs)
Step 3: Install Tomcat as a Windows Service
Tomcat’s binservice.bat registers it as a Windows service using the tomcat10.exe wrapper included in the distribution:
# Open an elevated Command Prompt (not PowerShell)
cd C:Tomcattomcat10bin
# Install the service with a named service identifier
service.bat install Tomcat10
# Verify service registration
sc query Tomcat10
Configure the service to start automatically and set JVM memory options:
# Set service startup type to automatic
sc config Tomcat10 start= auto
# Configure JVM heap settings via the Tomcat Service Monitor
# Or set via registry using tomcat10w.exe (the service configuration GUI)
tomcat10w.exe //ES//Tomcat10
# Alternatively, set JVM options via command line
C:Tomcattomcat10bintomcat10.exe //US//Tomcat10 ^
--JvmMs=512 ^
--JvmMx=1024 ^
--JvmOptions=-Djava.awt.headless=true
# Start and stop the service
net start Tomcat10
net stop Tomcat10
# Check service status
sc query Tomcat10
Step 4: Configure server.xml for Production
Open C:Tomcattomcat10confserver.xml. The main items to tune for a production deployment are the HTTP connector settings:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Service name="Catalina">
<!-- Main HTTP connector -->
<Connector port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
maxThreads="200"
minSpareThreads="10"
maxConnections="10000"
acceptCount="100"
URIEncoding="UTF-8"
redirectPort="8443"
compression="on"
compressionMinSize="2048"
compressableMimeType="text/html,text/css,application/javascript,application/json" />
<!-- AJP connector for integration with Apache httpd (disable if using HTTP proxy) -->
<!-- <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" /> -->
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<!-- Access log valve -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
prefix="access_log"
suffix=".txt"
pattern="%h %l %u %t "%r" %s %b %D" />
</Host>
</Engine>
</Service>
</Server>
Key directives explained:
maxThreads: Maximum simultaneous request threads. Default is 200; tune based on application profiling.URIEncoding: Always set toUTF-8to correctly handle international characters in URLs.compression: Enable HTTP-level gzip compression to reduce bandwidth.acceptCount: Queue depth for incoming connections when all threads are busy.
Step 5: Deploy a WAR File
Tomcat’s hot-deployment feature detects WAR files placed in the webapps directory and automatically extracts and deploys them:
# Copy WAR file to webapps directory
Copy-Item "C:releasesmyapp-1.2.0.war" -Destination "C:Tomcattomcat10webappsmyapp.war"
# Tomcat will auto-deploy within a few seconds (watch logscatalina.log)
# The app will be accessible at http://localhost:8080/myapp/
# To deploy as the ROOT application (accessible at /)
Copy-Item "C:releasesmyapp-1.2.0.war" -Destination "C:Tomcattomcat10webappsROOT.war"
# Delete the existing ROOT directory first if it exists
Remove-Item "C:Tomcattomcat10webappsROOT" -Recurse -Force
Monitor the deployment in the log file:
# Tail the Catalina log (PowerShell equivalent of tail -f)
Get-Content "C:Tomcattomcat10logscatalina.$(Get-Date -Format 'yyyy-MM-dd').log" -Wait -Tail 50
Step 6: Configure the Tomcat Manager Application
The Tomcat Manager web application allows you to deploy, undeploy, start, and stop applications without restarting Tomcat. It is disabled by default for security — enable it only after setting a strong password:
Edit C:Tomcattomcat10conftomcat-users.xml:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
version="1.0">
<!-- Grant manager-gui only to the manager web interface -->
<role rolename="manager-gui" />
<role rolename="manager-script" />
<role rolename="admin-gui" />
<user username="tomcatadmin"
password="ChangeMe!2025SecurePass"
roles="manager-gui,admin-gui" />
<!-- Separate user for CI/CD deployments via API -->
<user username="deployer"
password="DeployerPass!2025"
roles="manager-script" />
</tomcat-users>
By default, the Manager application restricts access to localhost only. To allow access from your management network, edit C:Tomcattomcat10webappsmanagerMETA-INFcontext.xml:
<Context antiResourceLocking="false" privileged="true">
<CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127.0.0.1|10.0.1.d+" />
</Context>
Replace 10.0.1.d+ with your actual management subnet regex. Restart Tomcat and access the manager at http://localhost:8080/manager/html.
Step 7: Configure IIS as a Reverse Proxy to Tomcat
With ARR and URL Rewrite installed on IIS, add a web.config to your IIS site to proxy requests to Tomcat’s HTTP port:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Tomcat Reverse Proxy" stopProcessing="true">
<match url="(.*)" />
<serverVariables>
<set name="HTTP_X_FORWARDED_PROTO" value="https" />
<set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
</serverVariables>
<action type="Rewrite"
url="http://localhost:8080/{R:1}"
appendQueryString="true" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
With this configuration, clients connect to IIS on port 443 (HTTPS), IIS terminates SSL, and forwards requests to Tomcat on port 8080 over the local loopback interface. Tomcat never needs to handle SSL directly, simplifying certificate management.
Conclusion
Apache Tomcat is now installed and running on Windows Server 2025 as a managed Windows service, with production-tuned connector settings in server.xml, a secured Manager application with role-based access control, and IIS handling SSL termination and acting as the public-facing reverse proxy. This architecture is reliable, maintainable, and integrates cleanly with the rest of the Windows Server ecosystem. For updates, always test a new Tomcat version in a staging environment first — the upgrade process involves replacing the bin and lib directories while preserving your customized conf, webapps, and logs directories.
