Welcome to the Ranch, Justin!
There are 2 reasons for using IIS - or Apache, Nginx, or any of probably dozens of other webservers as "intermediaries" to Tomcat. Or, as they are technically known: "reverse proxy servers".
First, there's flexibility. Tomcat can host J2EE webapps, but that's about it. Something like Apache or IIS can host webapps written in a variety of languages - PHP, .Net, Python, C, Perl and much more. But not, as it happens, J2EE, since J2EE requires a JVM and those webapp servers don't run in JVMs. So by proxying to Tomcat, you get J2EE plus all those other language options. Not that you'd write a single webapp in multiple languages, but one webapp server often hosts many webapps.
Secondly, and equally importantly, there's security. For reasons that undoubtedly seemed good at the time, TCP/IP systems are usually set up so that only administrative users can open ports under 4096 for listening. The default port for HTTP is port 80 and the default port for HTTPS is 443, so in order for Tomcat to use those ports instead of its own defaults of 8080 and 8443, it would have to be run as an administrator/root user account. And since that means that the entire JVM would be running as a privileged user, anything that broke through the Java security would then own the entire OS.
The port security problem for Apache and IIS is dealt with in a different way. Those servers start up as an administrative user while they grab the TCP/IP listening ports, but then switch to a "normal" user account. So if something breaks loose, it can only meddle with OS resources that the IIS or Apache user can meddle with instead of virtually anything in the entire system.
So why doesn't Tomcat do that? Because Tomcat is written in Java and Java is "write once/run anywhere". There's no Java API function for switching user IDs - it's something that can only be done using OS-native system functions. So by using a proxy, you can have a webapp server listening on ports 80 and 8443 and the proxy channel then forwards the request to Tomcat using the AJP port (8009), or as a redirect to 8080/8443 (depending on how you set things up). Thus security is maintained and everyone's happy.
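As an added example (not part of the post above), here is a minimal Apache httpd configuration for the arrangement it describes: httpd binds ports 80 and 443 while still root, its worker processes switch to an unprivileged account, and every request is forwarded to Tomcat's AJP connector on 8009. The module paths, the `www-data` account and the hostname are assumptions.

```apache
# Added example: Apache httpd as a reverse proxy in front of Tomcat.
# Assumed: module file names, the "www-data" account, and a Tomcat
# instance on the same host with its AJP connector on 8009.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule ssl_module modules/mod_ssl.so

# The parent process binds the privileged ports while still running as
# root; Tomcat itself never has to listen below 1024.
Listen 80
Listen 443

# The worker processes that actually handle requests then switch to this
# unprivileged account, so a compromised worker can only touch what
# www-data can touch, not the whole OS.
User www-data
Group www-data

# Act only as a reverse proxy for our own back end, never as an open
# forward proxy for arbitrary destinations.
ProxyRequests Off

<VirtualHost *:80>
    ServerName www.example.com
    # Hand the request to Tomcat over AJP on the loopback interface.
    ProxyPass / ajp://127.0.0.1:8009/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # Assumed certificate and key locations.
    SSLCertificateFile /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # TLS terminates here; the AJP hop to Tomcat stays on localhost.
    ProxyPass / ajp://127.0.0.1:8009/
</VirtualHost>
```

On the Tomcat side, keep the AJP connector off the network by binding it to loopback, e.g. `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"/>` in server.xml, so the only path to 8009 is through the proxy. Recent Tomcat releases also require a shared AJP secret (the connector's `secretRequired`/`secret` attributes, matched by a `secret=` parameter on the `ProxyPass` line) before they will accept proxied requests.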