When running CA Access Gateway (SPS), what are the best practices for hardening it?

At first glance, set the CA Access Gateway (SPS) in a DMZ, which protects it from the internet and restricts the connection to the internal Policy Servers.

As per documentation:

• Install the CA Access Gateway (SPS) as a non-root user (1);
• Keep the user nobody to run Apache and Tomcat (1);
  
  

1. Install Access Gateway
   https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/installing/install-access-gateway.html