We have deployed a CX 10.2.1 environment with the Cognos Express Gateway on a separate IIS server in a DMZ. From the Gateway server, everything works just fine HOWEVER we see after login the browser is simply redirected to the CX application server's URL which of course is not externally accessible. Triple checked the documentation and everything seems to be configured correctly. We have not tested externally yet...pending firewall configuration but seems reasonable it's going to fail. Are we missing something? All other aspects including AD namespace and SSO work great. Thanks!
RESOLVED! The short story is that the Cognos Express Gateway, is not at all a gateway in the traditional sense like in the enterprise version of the product. Its only purpose is to provide Windows Authentication (SSO). While this is not stated in the documentation, it was confirmed by IBM. For external access to CX, you must expose the CX server port 19300 to the Internet.