diff --git a/content/en/docs/2023.3/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md b/content/en/docs/2023.3/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
index 079c1ea1a..6360eae43 100644
--- a/content/en/docs/2023.3/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
+++ b/content/en/docs/2023.3/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
@@ -54,7 +54,7 @@ To get a licence file and feature identifier take the following steps:
Please also include a suitable {{% ctx %}} Innovation feature identifier.
```
-1. Extract `Cortex Innovation 2022.9 - Licence Fingerprint Generator.zip`.
+1. Extract `Cortex Innovation {{< version >}} - Licence Fingerprint Generator.zip`.
1. From that folder, copy `Cortex.Licensing.FingerprintGeneration.exe` to the server.
1. Double-click `Cortex.Licensing.FingerprintGeneration.exe` to run it. A command line window will appear, containing a machine identifier and fingerprint, e.g:
diff --git a/content/en/docs/2023.5/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md b/content/en/docs/2023.5/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
index 079c1ea1a..6360eae43 100644
--- a/content/en/docs/2023.5/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
+++ b/content/en/docs/2023.5/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
@@ -54,7 +54,7 @@ To get a licence file and feature identifier take the following steps:
Please also include a suitable {{% ctx %}} Innovation feature identifier.
```
-1. Extract `Cortex Innovation 2022.9 - Licence Fingerprint Generator.zip`.
+1. Extract `Cortex Innovation {{< version >}} - Licence Fingerprint Generator.zip`.
1. From that folder, copy `Cortex.Licensing.FingerprintGeneration.exe` to the server.
1. Double-click `Cortex.Licensing.FingerprintGeneration.exe` to run it. A command line window will appear, containing a machine identifier and fingerprint, e.g:
diff --git a/content/en/docs/2023.7/Reference/troubleshooting/installation.md b/content/en/docs/2023.7/Reference/troubleshooting/installation.md
index 6f07e3ce7..52dcf393b 100644
--- a/content/en/docs/2023.7/Reference/troubleshooting/installation.md
+++ b/content/en/docs/2023.7/Reference/troubleshooting/installation.md
@@ -159,6 +159,87 @@ To work around this error, either uninstall the platform and reinstall it using
Check that the `Feature Flags` Guid in the `CortexGateway.SetParameters.xml` file used for installing {{% ctx %}} Gateway is correct. If it is not, update it and reinstall {{% ctx %}} Gateway or update the value in the `web.config` file and restart the website. If the value is correct, please contact [{{% ctx %}} Service Portal][CORTEX Service Portal] for assistance.
+### {{% ctx %}} Innovation blocks not visible in {{% ctx %}} Studio {#ts-no-blocks}
+
+#### Application Pool user does not have Modify rights to the Roaming folder
+
+The following folders require `Modify` permission to allow creating the `NuGet` folders and its `NuGet.Config` file within:
+
+* `C:\Windows\System32\config\systemprofile\AppData\Roaming`
+* `C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming`
+
+For each folder, perform the following steps:
+
+1. Navigate to the `AppData` folder.
+1. Right-click on the `Roaming` folder and click `Properties`.
+1. In the dialog, click the `Security` tab.
+1. Check the `Application Pool` user for Gateway is listed in the `Group or user names` and has `Modify` permissions.
+1. If the `Application Pool` user for Gateway is not listed:
+ 1. Click the `Edit...` button.
+ 1. Click the `Add...` button.
+ 1. Enter the username of the application pool user and click `OK`.
+ 1. In the `Permissions` section at the bottom, check `Modify`.
+ 1. Click `OK`.
+ 1. Click `Yes` to change the permission to the folder.
+1. If the `Application Pool` user for Gateway is listed but does not have permissions:
+ 1. Click the `Edit...` button.
+ 1. Select the `Application Pool` user.
+ 1. Check `Modify`.
+ 1. Click `OK`.
+ 1. Click `Yes` to change the permission to the folder.
+
+#### Application Pool user does not have rights to the Cortex Blocks Provider Host folder
+
+Perform the following steps:
+
+1. Navigate to `C:\ProgramData\Cortex`
+1. Right-click on the `Cortex Blocks Provider Host` folder and click `Properties`.
+1. In the dialog, click the `Security` tab.
+1. Check the `Application Pool` user for Gateway is listed in the `Group or user names` and has `Modify` permissions.
+1. If the `Application Pool` user for Gateway is not listed:
+ 1. Click the `Edit...` button.
+ 1. Click the `Add...` button.
+ 1. Enter the username of the application pool user and click `OK`.
+ 1. In the `Permissions` section at the bottom, check `Modify`.
+ 1. Click `OK`.
+1. If the `Application Pool` user for Gateway is listed but does not have permissions:
+ 1. Click the `Edit...` button.
+ 1. Select the `Application Pool` user.
+ 1. Check `Modify`.
+ 1. Click `OK`.
+
+#### Perform an IIS reset
+
+1. Open a Windows PowerShell (x64) window as administrator.
+1. Run the following command: `iisreset`.
+1. Wait for the action to complete.
+
+### Flow not starting in {{< ctx >}} Gateway {#ts-flow-not-starting}
+
+#### Application Pool user does not have rights to the Repo folder
+
+Check that the `Application Pool` user has rights to the `Repo` folder using the following steps:
+
+1. Check where the `Repo` folder is located
+ 1. Navigate to the `gateway` IIS folder (usually `%SystemDrive%\inetpub\wwwroot\Cortex\gateway`, e.g. `C:\inetpub\wwwroot\Cortex\gateway`)
+ 1. Open the `web.config` file.
+ 1. Find the value of the `connectionString` named `CortexRepositories`
+1. Navigate to the `Repo` folder, not opening it.
+1. Right-click on the `Repo` folder and click `Properties`.
+1. In the dialog, click the `Security` tab.
+1. Check the `Application Pool` user for Gateway is listed in the `Group or user names` and has `Modify` permissions.
+1. If the `Application Pool` user for Gateway is not listed:
+ 1. Click the `Edit...` button.
+ 1. Click the `Add...` button.
+ 1. Enter the username of the application pool user and click `OK`.
+ 1. In the `Permissions` section at the bottom, check `Modify`.
+ 1. Click `OK`.
+1. If the `Application Pool` user for Gateway is listed but does not have permissions:
+ 1. Click the `Edit...` button.
+ 1. Select the `Application Pool` user.
+ 1. Check `Modify`.
+ 1. Click `OK`.
+
### Cannot publish a package {#ts-no-publish}
Check that the `Service Fabric Api Gateway Endpoint`, `Service Fabric Using Self Signed Certificates`, `Service Fabric ApiGateway Basic Auth Username` and `Service Fabric ApiGateway Basic Auth Password` in the `CortexGateway.SetParameters.xml` file used for installing {{% ctx %}} Gateway are correct. If any of them are not, update them and reinstall {{% ctx %}} Gateway or update the value in the "web.config" file and restart the website. If the value is correct, please contact [{{% ctx %}} Service Portal][CORTEX Service Portal] for assistance.
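Review bot: the first procedure grants `Modify` on the whole `systemprofile\AppData\Roaming` folder (both the `System32` and `SysWOW64` copies), although the stated need is only to create the `NuGet` folder and its `NuGet.Config` file. Please say whether a grant scoped to a pre-created `NuGet` subfolder is sufficient, and if not, say so explicitly so that operators know the broader grant is deliberate. The three permission procedures are also inconsistent: only the first ends its sub-lists with "Click `Yes` to change the permission to the folder." In the `Repo` section, step 1 stops at finding the `CortexRepositories` connection string without saying how its value gives the folder path, and "Navigate to the `Repo` folder, not opening it." would read better as "Navigate to the parent of the `Repo` folder". The second new heading uses `{{< ctx >}}` where the rest of the file uses `{{% ctx %}}`.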
@@ -254,3 +335,4 @@ If this occurs on your server it is important to update your certificates as soo
[CORTEX Service Portal]: {{< url path="Cortex.ServicePortal.MainDoc" >}}
[Rollover Certificates]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.RolloverCertificates" >}}
+[add rights to nuget folder]: {{< ref "#ts-add-rights-to-nuget-folder" >}}
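Review bot: the added reference definition targets `#ts-add-rights-to-nuget-folder`, but no heading added to this file in this patch declares that id (the new ones are `#ts-no-blocks` and `#ts-flow-not-starting`), and no visible line uses the `[add rights to nuget folder]` label. Either add `{#ts-add-rights-to-nuget-folder}` to the "Application Pool user does not have Modify rights to the Roaming folder" heading and link to it where needed, or drop the definition.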
diff --git a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/architecture.md b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/architecture.md
index 698ebd2ba..d78d3397b 100644
--- a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/architecture.md
+++ b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/architecture.md
@@ -25,10 +25,10 @@ The installation process is the same, regardless of which architecture is used;
The recommended architecture for adding Innovation to a v7.2 Dual Site, Dual Server system requires 8 servers in total; the 4 existing servers, plus 4 new servers:
-* 2x Existing Application Servers for v7.2, one of these will also act as the Web Application Server for Innovation. For Innovation, the existing Gateway will be upgraded.
-* 2x Existing Database Servers, used for v7.2 and Gateway databases.
-* 1x New Load Balancer Server for Innovation.
-* 3x New Application Servers for Innovation.
+* 2x Existing Application Servers for v7.2, one of these will also act as the Web Application Server for Innovation. For Innovation, the existing Gateway will be upgraded and a new Debug Node will be added
+* 2x Existing Database Servers, used for v7.2 and Gateway databases
+* 1x New Load Balancer Server for Innovation
+* 3x New Application Servers for Innovation
{{< figure src="/images/editable/Cortex Innovation and v7.2 Best Architecture.png" class="centre" title="8 Server, Recommended Architecture Diagram" >}}
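Review bot: the first bullet introduces the term "Debug Node", while the install guide changed in this same patch calls the same component the "Debugger" and a "single-node Service Fabric instance"; pick one name and use it in both files. The bullet also does not say which of the two existing Application Servers receives it; from the preceding sentence it is presumably the one acting as the Web Application Server, so say that directly. The trailing full stops were removed from the bullets, but this bullet still contains two sentences and now ends without one.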
@@ -36,11 +36,12 @@ The recommended architecture for adding Innovation to a v7.2 Dual Site, Dual Ser
### Minimum Architecture
-The minimum architecture requires only the 4 existing servers:
+The minimum architecture requires 5 servers:
-* 2x Application Servers for v7.2, each of these will also host one of the three Application Servers for Innovation.
-* 1x Database Server for v7.2, which will also host the remaining Application Server for Innovation.
-* 1x Database Server for v7.2, which will also host the Load Balancer for Innovation.
+* 1x Web Application Server, which contains Gateway. For Innovation, the existing Gateway will be upgraded and a new Debug Node will be added
+* 2x Application Servers for v7.2, each of these will also host one of the three Application Servers for Innovation
+* 1x Database Server for v7.2, which will also host the remaining Application Server for Innovation
+* 1x Database Server for v7.2, which will also host the Load Balancer for Innovation
{{< figure src="/images/editable/Cortex Innovation and v7.2 Min Architecture.png" class="centre" title="4 Server, Minimum Architecture Diagram" >}}
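Review bot: the text now says the minimum architecture requires 5 servers, but the figure on the unchanged line directly below the list is still titled "4 Server, Minimum Architecture Diagram". Update the title, and the image itself if it still shows four servers, so that the diagram matches the new list.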
diff --git a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server.md b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server.md
index e29eb1603..e9da93e16 100644
--- a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server.md
+++ b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server.md
@@ -11,10 +11,15 @@ This guide describes how to upgrade Gateway on v7.2 to include Innovation. Pleas
The steps to add Innovation functionality to 7.2 are:
+1. Install local instance of the Application Server components
1. Upgrade {{% ctx %}} Gateway
## Make Installation Artefacts Available
+{{% alert title="Note" %}}
+We recommend that the single-node Service Fabric instance, used by {{% ctx %}} Gateway as a Debugger instance, and {{% ctx %}} Gateway are installed on the same Web Application Server.
+{{% /alert %}}
+
1. Copy the following artefacts to a folder on the machine:
* Cortex Innovation {{< version >}} - Block Packages.zip
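Review bot: the added note words co-locating the Debugger instance with Gateway as a recommendation ("We recommend that ..."), while the "Important" alert added further down in this file says Gateway requires a local instance of the Application Server components. Decide which it is and use the same strength in both places. The note is also placed under "Make Installation Artefacts Available" although it is about topology; it fits better next to the new step 1 in the list above. Since step 1 now installs Application Server components on this machine, check that the artefact list that follows includes the files that installation needs.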
@@ -45,7 +50,17 @@ A Friendly Name should be assigned to the certificate being used for the Cortex
1. On the `General` tab in the `Friendly Name` text box, enter a name to be used for the certificate.
1. Click `OK`.
-## Perform Installation
+## Perform Debugger Installation
+
+{{% alert title="Important" color="warning" %}}
+{{< ctx >}} Gateway requires a local instance of the Application Server components to enable the debugging of flows.
+{{% /alert %}}
+
+### Install Debugger
+
+To install the components required for debugging, perform the steps detailed in [Install Application Server][] on the Web Application Server.
+
+## Perform Gateway Installation
### Configure {{% ctx %}} Gateway Installation Script
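Review bot: the "Install Debugger" step sends the reader to [Install Application Server][] without saying what to carry back from it. The parameter table later in this file expects the `ApiGatewayBasicAuthUsername` and `ApiGatewayBasicAuthPassword` chosen during that installation, so add a sentence telling the reader to record them before continuing. The alert here uses `{{< ctx >}}` where the rest of the file uses `{{% ctx %}}`.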
@@ -86,9 +101,9 @@ A Friendly Name should be assigned to the certificate being used for the Cortex
|`ServiceFabricApiGatewayBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Application Servers][Configure Installation Script]; if so, this value must be configured to the one used.
This will overwrite the `ServiceFabricApiGatewayBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
|`ServiceFabricApiGatewayBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Application Servers][Configure Installation Script]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `ServiceFabricApiGatewayBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
|`DotNetFlowDebuggerEndpoint` | Replace `server.domain.com` with the fully qualified domain name of the Web Application Server.
This will overwrite the `DotNetFlowDebuggerEndpoint` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `FlowDebuggerBasicAuthUsername`; if so, this value must be configured to the one used.
This will overwrite the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `FlowDebuggerBasicAuthPassword`; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the site containing {{% ctx %}} Gateway, `$true` if using self-signed certificates.
This will overwrite the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used.
This will overwrite the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the communication between {{% ctx %}} Gateway and the Debugger, `$true` if using self-signed certificates.
This will overwrite the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
|`GatewayApplicationPoolUsername` | Replace `Domain\Username` with the user that is used to run the {{% ctx %}} Gateway application pool currently.|
|`WebRootFolder` | Replace this with the correct path for the Web Root Folder on the server. Typically this will be `C:\inetpub\wwwroot`.|
|`WebsitePort` | Replace this with the port that you wish the website to use. Typically this will be `443`.|
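Review bot: the `DotNetFlowDebuggerBasicAuthUsername` and `DotNetFlowDebuggerBasicAuthPassword` rows now refer to `ApiGatewayBasicAuthUsername` and `ApiGatewayBasicAuthPassword`, the same parameter names that the `ServiceFabricApiGatewayBasicAuth*` rows refer to for the Application Servers. State in each row that the value comes from the Debugger installation on the Web Application Server and may differ from the one used for the Application Servers, otherwise the two pairs are easy to confuse. As the password is written to the Gateway web.config, consider changing "It can be [{{% ctx %}} Encrypted]" to a recommendation. For `DotNetFlowDebuggerUsingSelfSignedCertificates`, the row should say what `$true` changes in how Gateway validates the Debugger's certificate.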
@@ -153,3 +168,4 @@ Ensure that the installation files are backed up or kept on the server, especial
[Licensing Requirements]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.LicensingRequirements" >}}
[Security Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}}
[Try it out]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.TryItOut" >}}
+[Install Application Server]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.SingleServerWithoutHA.InstallApplicationServer" >}}
\ No newline at end of file
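Review bot: the new `[Install Application Server]` definition resolves to `Cortex.GettingStarted.OnPremise.AddInnovationTo72.SingleServerWithoutHA.InstallApplicationServer`, although this page belongs to the multiple-server-with-ha guide. Following the link takes the reader into a different guide with no cue to come back; either say in the calling text that only that page's steps apply and the reader should then return here, or link to a page within the HA guide. The file also now ends without a trailing newline; please add one.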
diff --git a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md
index 0f0eb74f7..9052fc9b2 100644
--- a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md
+++ b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md
@@ -25,7 +25,7 @@ Use these hardware requirements if using the [Recommended Architecture][].
|------------------|-----------------------|-----------------------------------|---------------|----------------------|
| New Innovation Load Balancer | 1[^1] | 4+ *Recommended*
2 *Minimum* | 8+ *Recommended*
4 *Minimum* | 50+ *Recommended*
30 *Minimum*
5+ free on installation drive |
| New Innovation Application Server | 3 *Bronze availability*[^2]
5 *Silver availability*
7 *Gold availability*
9 *Platinum availability* | 4+ *Recommended*
2 *Minimum* | 16+ *Recommended*
8 *Minimum* | 75+ *Recommended*
60 *Minimum*
40+ free on %ProgramData% drive |
-| Existing V7.2 Application Server with Gateway
+ Upgrade to Innovation Web Application Server | 1 | 4+ *Recommended*
2 *Minimum* | 8+ *Recommended*
4 *Minimum* | 75+ *Recommended*
50 *Minimum*
30+ free on installation drive |
+| Existing V7.2 Application Server with Gateway
+ Upgrade to Innovation Web Application Server | 1 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 160+ *Recommended*
135 *Minimum*
30+ free on installation drive
40+ free on %ProgramData% drive |
### Minimum Architecture
@@ -35,8 +35,8 @@ Use these hardware requirements if using the [Minimum Architecture][] and instal
|------------------|-----------------------|-----------------------------------|---------------|----------------------|
| Existing V7.2 Database Server
+ Innovation Load Balancer| 1[^1] | 4+ *Recommended*
4 *Minimum* | 8+ *Recommended*
4 *Minimum* | 300+ *Recommended*
70 *Minimum*
5+ free on installation drive |
| Existing V7.2 Database Server
+ Innovation Application Server | 1 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 300+ *Recommended*
100 *Minimum*
40+ free on %ProgramData% drive|
-| Existing V7.2 Application Server
+ Innovation Application Server | 1 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 120+ *Recommended*
100 *Minimum*
40+ free on %ProgramData% drive|
-| Existing V7.2 Application Server with Gateway
+ Innovation Application Server
+ Upgrade to Innovation Web Application Server | 1 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 120+ *Recommended*
100 *Minimum*
30+ free on installation drive
40+ free on %ProgramData% drive |
+| Existing V7.2 Application Server
+ Innovation Application Server | 2 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 120+ *Recommended*
100 *Minimum*
40+ free on %ProgramData% drive|
+| Existing V7.2 Web Application Server
+ Innovation Application Server
+ Upgrade to Innovation Web Application Server | 1 | 4+ *Recommended*
2 *Minimum* | 16+ *Recommended*
12 *Minimum* | 150+ *Recommended*
100 *Minimum*
30+ free on installation drive
40+ free on %ProgramData% drive |
[^1]: A software-based load balancer called [gobetween][] is provided with the platform. This must be installed on its own server as it doesn't support routing traffic to itself. It also doesn't currently support HA, but it may be possible to use multiple gobetween load balancers with Anycast network addressing and routing to provide high availability, as described in [https://en.wikipedia.org/wiki/Anycast][Anycast]; however, this has not been verified yet. It is possible to use an [alternative load balancer][] to the one provided.
[^2]: Application Servers support HA via clustering. A cluster must consist of a minimum of 3 nodes, and the number of nodes must be an odd number to ensure a quorum. Currently only the Bronze availability (3 nodes) is supported. Silver, Gold and Platinum support will be added in future.
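Review bot: the new Web Application Server row gives `2 *Minimum*` in its first resource column, lower than the `4 *Minimum*` on every other row of this table and on the equivalent row changed in the Recommended Architecture table above, even though this server now also hosts the debugger components. Confirm that 2 is intended or raise it to 4. The row label also lists "+ Innovation Application Server", while architecture.md in this patch places the three Innovation Application Servers on the two Application Servers and one Database Server; if the label means the local debugger instance, name it as such.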
@@ -70,6 +70,24 @@ This table displays the additional resources required when adding an Innovation
All servers must be on the same domain and cannot be domain controllers.
+## Active Directory Requirements
+
+For Gateway, only Windows domains with an Active Directory domain controller running Active Directory Domain Services are supported.
+
+Supported versions of Active Directory are listed below:
+
+| Version | Verified? | Supported From | Supported Until |
+|----------------------------|----------------|----------------|------------------|
+| Windows Server 2003 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2003 R2 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2008 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2008 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2012 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2012 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2016 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2019 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2022 | | {{% ctx %}} v2022.9 | To be evaluated |
+
## DNS Requirements
The installation requires IP to hostname resolution to be available. Please ensure that you have the appropriate pointer (PTR) records configured on the DNS server for all of your servers (Web, Application and Load Balancer).
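Review bot: in the Active Directory table, five versions have an empty `Verified?` cell yet still carry a `Supported From` value, and nothing on the page says what support means for a version that has not been verified. Add a sentence under the table explaining the empty cells. Every row also has "To be evaluated" under `Supported Until`; if no end date is known for any version, a single sentence would say that more clearly than a column.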
@@ -133,35 +151,14 @@ Gateway supports the latest versions of the following browsers:
* Edge
* Firefox
-## Additional Load Balancer Server Requirements
-
-### Filesystem Requirements
-If using the included [gobetween][] load balancer, Network Discovery and File Sharing must be enabled on the Load Balancer Server:
-
-1. Open File Explorer.
-1. Click `Network` on the left.
-1. A banner similar to the following will appear if Network Discovery and File Sharing is turned off:
- {{< figure src="/images/Network Discovery 1.png" title="Network and File Discovery Disabled" >}}
-1. Click the banner.
-1. Click `Turn on network discovery and file sharing`:
- {{< figure src="/images/Network Discovery 2.png" title="Enable Network and File Discovery" >}}
+## Filesystem Requirements
-### Alternative Load Balancer Requirements
+The Web Application Server, each Application Server and [gobetween][] Load Balancer Server (if used) must:
-Innovation has a [gobetween][] load balancer included that isn't highly available; It is possible to use an alternative. The requirements for installing an alternative load balancer are as follows:
+* use an NTFS filesystem.
+* enable Network Discovery and File Sharing
-* Must support a round robin (or similar) method of load balancing to specified ports on 3 nodes.
-* Must be able to health check each node by running a predefined batch script (`ApiGatewayTypeHealthcheck.bat`, which resides in the `gobetween` folder of the `Cortex Innovation {{< version >}} - App Server Install Scripts`) that returns 1 for healthy and 0 for unhealthy.
-* Must be able to access each of the Application Servers via HTTPS.
-* Ideally it should be highly available to avoid a single point of failure in the system.
-
-## Additional Application Server Requirements
-
-### Filesystem Requirements
-
-All Application Servers must use an NTFS filesystem.
-
-Network Discovery and File Sharing should be enabled on each Application Server:
+To enable Network Discovery and File Sharing:
1. Open File Explorer.
1. Click `Network` on the left.
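Review bot: the merged "Filesystem Requirements" list changes the strength and scope of two requirements without saying so. Network Discovery and File Sharing was "should be enabled on each Application Server" and is now a "must" that also covers the Web Application Server, and the NTFS requirement, previously stated for Application Servers only, now also applies to the Load Balancer Server. If both changes are intended, state what depends on Network Discovery and File Sharing, since this turns it on for more hosts and operators will want to scope it. The two bullets are also punctuated differently: "use an NTFS filesystem." ends with a full stop and "enable Network Discovery and File Sharing" does not.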
@@ -171,23 +168,23 @@ Network Discovery and File Sharing should be enabled on each Application Server:
1. Click `Turn on network discovery and file sharing`:
{{< figure src="/images/Network Discovery 2.png" title="Enable Network and File Discovery" >}}
-### Service Requirements
+## Service Requirements
-The following Windows Services must be running on all Application Servers:
+On the Web Application Server and each Application Server, the following Windows Services must be running:
* Remote Registry
* Windows Event Log
* Performance Logs & Alerts
-### Security Requirements
+## Security Requirements
-#### Installation User
+### Installation User
-A domain user which is a member of the Local Administrators group on all Application Servers and Load Balancer Server must be available to run the installation scripts. This is a prerequisite of Microsoft Service Fabric, which is the HA platform that {{% ctx %}} Innovation is built upon.
+On all Application Servers, Web Application Server and Load Balancer Server, a domain user, which is a member of the Local Administrators group, must be available to run the installation scripts. This is a prerequisite of Microsoft Service Fabric, which is the HA platform that {{% ctx %}} Innovation is built upon.
-#### Antivirus Exclusions
+### Antivirus Exclusions
-It is advised (by Microsoft Service Fabric) that the following antivirus exclusions are created on each Application Server to reduce antivirus processing on Service Fabric artefacts:
+It is advised (by Microsoft Service Fabric) that the following antivirus exclusions are created on the Web Application Server and each Application Server to reduce antivirus processing on Service Fabric artefacts:
Folder Exclusions:
@@ -214,15 +211,19 @@ A script is provided during installation to add these exclusions for Windows Def
If adding the exclusions manually, the Process Exclusions should be done before installation occurs, as the processes will be used during installation of the application and antivirus software can cause the installation to fail or timeout. Folder Exclusions may need to be added after installation has occurred as some antivirus software needs the folders to exist.
-#### Port Requirements
+### Port Requirements
{{% ctx %}} Innovation and Microsoft Service Fabric require a range of [firewall ports to be opened][Port Requirements] between the servers and specific services.
If you are using Windows Firewall, some ports are opened during installation and others are opened dynamically as needed. If any other firewall is used, it will be necessary to add the rules described in [Port Requirements][] to open the correct ports.
-The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installation to test the ports on each Application Server and make sure they do not overlap with any other programs; most ports may be altered if this is the case, the description will say if this is not possible.
+The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installation to test the ports on the Web Application Server and each Application Server and make sure they do not overlap with any other programs; most ports may be altered if this is the case, the description will say if this is not possible.
+
+### Certificate Requirements
-#### Certificate Requirements
+{{< alert title="Important" color="warning" >}}It is critical to set a reminder to {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.RolloverCertificates" title="update certificates" >}} in good time before they expire. If they expire then the platform will cease to function and {{< ahref path="Cortex.ServicePortal.MainDoc" title="CORTEX Service Portal" >}} must be contacted for support.{{< /alert >}}
+
+#### Application Servers
{{% alert title="Note" %}}
For production systems it is recommended that X.509 SSL wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service.
@@ -250,42 +251,7 @@ This file should be placed in a known location on the Application Server where t
If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=machine-name.domain.com`).
-#### TLS Requirements
-
-There is a set of non-compulsory security measures, recommended to be applied to the Application Servers, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2. And disabling all cipher suites apart from the following:
-
-* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-
-See [SSL Best Practices][] for a full list of the security changes which will be applied. The `Cortex.Innovation.Install.Multiple.SSLBestPractices.ps1` script is provided during installation to apply these security changes to the Application Servers.
-
-## Additional Web Application Server Requirements
-
-### Security Requirements
-
-#### Installation User
-
-A domain user must be available to run the Application Pools for Gateway. This user must be given `Log on as a service` and `Log on as a batch job` permissions otherwise the Application Pools will not be able to run. Information about how to do this will be given during installation.
-
-#### Domain Requirements
-
-For Gateway, only Windows domains with an Active Directory domain controller running Active Directory Domain Services are supported.
-
-Supported versions of Active Directory are listed below:
-
-| Version | Verified? | Supported From | Supported Until |
-|----------------------------|----------------|----------------|------------------|
-| Windows Server 2003 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2003 R2 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2008 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2008 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2012 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2012 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2016 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2019 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2022 | | {{% ctx %}} v2022.9 | To be evaluated |
-
-#### Certificate Requirements
+#### Web Application Server
{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. The certificate must have the following properties:
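Review bot: this hunk deletes the Web Application Server "Installation User" paragraph, which said that a domain user must be available to run the Gateway Application Pools and must be given `Log on as a service` and `Log on as a batch job`, and no added line in this patch restores it. The new top-level "Installation User" section covers only the Local Administrators account that runs the installation scripts. Re-add the Application Pool user requirement, for example as a second subsection under "Security Requirements", otherwise the prerequisite for those two user rights is lost.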
@@ -294,24 +260,42 @@ Supported versions of Active Directory are listed below:
If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error.
-Wildcard certificates and self-signed certificates can also be used. However, self-signed certificates are not recommended for production instances. Details on how to create a self-signed certificate can be found at [Create Self-Signed Certificates][].
-
-The certificate may be the same one used for the Application Server installation.
+{{% alert title="Important" color="warning" %}}
+Do not reuse any auto-generated self-signed certificates as they do not meet the requirements for Gateway.
+
+Certificates, wildcard certificates and manually created self-signed certificates can be used. However, the latter are not recommended for production instances.
+Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}.
+{{% /alert %}}
More information about importing the certificate is given during installation.
-#### TLS Requirements
+### TLS Requirements
-There is a set of non-compulsory security measures, recommended to be applied to the Web Application Server, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2. And disabling all cipher suites apart from the following:
+There is a set of non-compulsory security measures, recommended to be applied to the Web Application Server and each Application Server, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2. And disabling all cipher suites apart from the following:
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-See [SSL Best Practices][] for a full list of the security changes which will be applied. The `Cortex.Innovation.Install.SSLBestPractices.ps1` script is provided during installation to apply these security changes to the Web Application Server.
+See [SSL Best Practices][] for a full list of the security changes which will be applied.
+
+A script is provided during installation to apply these security changes:
+
+* For the Application servers: `Cortex.Innovation.Install.Multiple.SSLBestPractices.ps1`
+* For the Web Application Server: `Cortex.Innovation.Install.SSLBestPractices.ps1`
+
+## Alternative Load Balancer Requirements
+
+Innovation has a [gobetween][] load balancer included that isn't highly available; It is possible to use an alternative. The requirements for installing an alternative load balancer are as follows:
+
+* Must support a round robin (or similar) method of load balancing to specified ports on 3 nodes.
+* Must be able to health check each node by running a predefined batch script (`ApiGatewayTypeHealthcheck.bat`, which resides in the `gobetween` folder of the `Cortex Innovation {{< version >}} - App Server Install Scripts`) that returns 1 for healthy and 0 for unhealthy.
+* Must be able to access each of the Application Servers via HTTPS.
+* Ideally it should be highly available to avoid a single point of failure in the system.
## Next Steps?
Application Servers and Load Balancer server are installed in the same way regardless of whether new or existing hardware is being used:
+
1. [Install Application Servers and Load Balancer][]
[Port Requirements]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.PortRequirements" >}}
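Review bot: In the new Alternative Load Balancer Requirements list, the health-check bullet says `ApiGatewayTypeHealthcheck.bat` "returns 1 for healthy and 0 for unhealthy" without saying whether that value is the process exit code or text written to standard output. An exit code of 0 conventionally means success, so someone wiring this script into a third-party load balancer can invert the check and keep routing traffic to a failed node; please state the channel explicitly. Smaller points in the same hunk: in the new alert, "Certificates, wildcard certificates and manually created self-signed certificates can be used. However, the latter are not recommended" leaves both "Certificates" and "the latter" ambiguous. The deleted sentence "The certificate may be the same one used for the Application Server installation." has no replacement, so the page no longer says whether a certificate may be shared between servers. "TLS 1.2. And disabling" should be one sentence, as the single-server page has it ("TLS 1.2, and disabling").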
@@ -321,7 +305,6 @@ Application Servers and Load Balancer server are installed in the same way regar
[Recommended Architecture]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.RecommendedArchitecture" >}}
[Minimum Architecture]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.MinimumArchitecture" >}}
[Alternative Architectures]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.AlternativeArchitectures" >}}
-[Create Self-Signed Certificates]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" >}}
[SSL Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}}
[gobetween]: {{< url path="GoBetween.MainDoc" >}}
[CORTEX Service Portal]: {{< url path="Cortex.ServicePortal.MainDoc" >}}
@@ -336,7 +319,6 @@ Application Servers and Load Balancer server are installed in the same way regar
[IIS Url Rewrite]: {{< url path="IIS.Downloads.UrlRewrite-2_1" >}}
[Web Deploy]: {{< url path="MSDownload.WebDeploy" >}}
[C++ Redistributable]: {{< url path="MSDownload.CPlusPlusRedistributable.2013" >}}
-[Requirements For Minimum Architecture]: {{< ref "#minimum-architecture" >}}
[Requirements For Recommended Architecture]: {{< ref "#recommended-architecture" >}}
[Requirements For Alternative Architectures]: {{< ref "#alternative-architectures" >}}
[Transparent Data Encryption]: {{< url path="MSDocs.SqlServer.TransparentDataEncryption" >}}
diff --git a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/install-web-application-server.md b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/install-web-application-server.md
index cdd6b50be..cb36dc6ab 100644
--- a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/install-web-application-server.md
+++ b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/install-web-application-server.md
@@ -87,9 +87,9 @@ A Friendly Name should be assigned to the certificate being used for the Cortex
|`ServiceFabricApiGatewayBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Application Server][Configure Installation Script]; if so, this value must be configured to the one used.
This will overwrite the `ServiceFabricApiGatewayBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
|`ServiceFabricApiGatewayBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Application Server][Configure Installation Script]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `ServiceFabricApiGatewayBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
|`DotNetFlowDebuggerEndpoint` | Replace `server.domain.com` with the fully qualified domain name of the server.
This will overwrite the `DotNetFlowDebuggerEndpoint` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `FlowDebuggerBasicAuthUsername`; if so, this value must be configured to the one used.
This will overwrite the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `FlowDebuggerBasicAuthPassword`; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the site containing {{% ctx %}} Gateway, `$true` if using self-signed certificates.
This will overwrite the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used.
This will overwrite the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the communication between {{% ctx %}} Gateway and the Debugger, `$true` if using self-signed certificates.
This will overwrite the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
|`GatewayApplicationPoolUsername` | Replace `Domain\Username` with the user that is used to run the {{% ctx %}} Gateway application pool currently.|
|`WebRootFolder` | Replace this with the correct path for the Web Root Folder on the server. Typically this will be `C:\inetpub\wwwroot`.|
|`WebsitePort` | Replace this with the port that you wish the website to use. Typically this will be `443`.|
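Review bot: The new `DotNetFlowDebuggerBasicAuthUsername` and `DotNetFlowDebuggerBasicAuthPassword` rows now name `ApiGatewayBasicAuthUsername` and `ApiGatewayBasicAuthPassword`, the same parameter names that the two `ServiceFabricApiGatewayBasicAuth...` rows above refer to, so the table no longer makes clear which installation's value each row must match. The rows are told apart only by the link text, and that text ("installing the Debugger on the Web Application Server") points at a reference named `[Install Application Server]`. Please confirm that the target is the Debugger install step and that the reference is defined in this file, and consider naming the script in which the Debugger's parameter is set so a reader does not copy the Application Server credentials into the Debugger settings by mistake.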
diff --git a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
index 6371ef0fa..c743c4d43 100644
--- a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
+++ b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
@@ -34,6 +34,24 @@ The prerequisites required for a single server (as described in [Architecture][]
The server must be on a domain and cannot be a domain controller.
+## Active Directory Requirements
+
+For Gateway, only Windows domains with an Active Directory domain controller running Active Directory Domain Services are supported.
+
+Supported versions of Active Directory are listed below:
+
+| Version | Verified? | Supported From | Supported Until |
+|----------------------------|----------------|----------------|------------------|
+| Windows Server 2003 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2003 R2 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2008 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2008 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2012 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2012 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2016 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2019 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2022 | | {{% ctx %}} v2022.9 | To be evaluated |
+
## DNS Requirements
The installation requires IP to hostname resolution to be available. Please ensure that you have the appropriate pointer (PTR) records configured on the DNS server for the server.
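Review bot: In the added Active Directory table, `Supported Until` is "To be evaluated" on every row, including Windows Server 2003 and Windows Server 2008, and the `Verified?` column is empty for five of the nine versions (among them Windows Server 2019 and 2022) with nothing explaining what a listed but unverified version means. Please add a sentence after "Supported versions of Active Directory are listed below:" that defines `Verified?`, and either give an end date for the oldest versions or say when the evaluation is due, so that an administrator can tell whether running Gateway against one of those domain controllers is actually covered.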
@@ -54,7 +72,7 @@ To get a licence file and feature identifier take the following steps:
Please also include a suitable {{% ctx %}} Innovation feature identifier.
```
-1. Extract `Cortex Innovation 2022.9 - Licence Fingerprint Generator.zip`.
+1. Extract `Cortex Innovation {{< version >}} - Licence Fingerprint Generator.zip`.
1. From that folder, copy `Cortex.Licensing.FingerprintGeneration.exe` to the server.
1. Double-click `Cortex.Licensing.FingerprintGeneration.exe` to run it. A command line window will appear, containing a machine identifier and fingerprint, e.g:
@@ -75,52 +93,11 @@ Gateway supports the latest versions of the following browsers:
* Edge
* Firefox
-## Certificate Requirements
-
-{{% alert title="Note" %}}
-For production systems it is recommended that an X.509 SSL certificate is obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service.
-{{% / alert %}}
-
-An X.509 SSL certificate (standard or wildcard) should be used to:
-
-* Allow Application Services to identify themselves to clients such as Gateway.
-* Prevent unauthorised nodes from joining the single node cluster.
-* Connect to Service Fabric Explorer from the Application Server.
-* Connect to Gateway.
-
-The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements:
-
-* Subject field must be in one of the following formats, depending on the certificate type:
- * Standard certificates must use the standard format (e.g. `CN=host.domain.com`).
- * Wildcard certificates must use the wildcard format, pertaining to the domain of the server (e.g. `CN=*.domain.com`).
-* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service.
-* Subject Alternative Names (SAN): At minimum the FQDN of the server. It can also include NetBIOS Name, IP address, localhost, 127.0.0.1. It must include any additional host names that should be able to be used to access the API Gateway Service.
-* Certificate file must be in a .PFX file format, with a known password.
-* Certificate file must contain the full chain of certificates.
-* Certificate file must include the private key.
-* Key Usage extension must have a value of `Digital Signature, Key Encipherment (a0)`.
-* Enhanced Key Usage must include `Server Authentication` and `Client Authentication`.
-
-This file should be placed in a known location on the server. This location will be required when running the Application Server installation script.
-
-{{< alert type="warning" title="Warning" >}}It is critical to set a reminder to {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.RolloverCertificates" title="update certificates" >}} in good time before they expire. If they expire then the platform will cease to function and {{< ahref path="Cortex.ServicePortal.MainDoc" title="CORTEX Service Portal" >}} must be contacted for support.{{< /alert >}}
-
-## TLS Requirements
-
-There is a set of non-compulsory security measures, recommended to be applied to the server, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2, and disabling all cipher suites apart from the following:
-
-* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-
-See [SSL Best Practices][] for a full list of the security changes which will be applied. The `Cortex.Innovation.Install.SSLBestPractices.ps1` script is provided during installation to apply these security changes to the server.
-
-## Additional Application Server Requirements
-
-### Filesystem Requirements
+## Filesystem Requirements
The server must use an NTFS filesystem.
-### Service Requirements
+## Service Requirements
The following Windows Services must be running on the server:
@@ -128,13 +105,13 @@ The following Windows Services must be running on the server:
* Windows Event Log
* Performance Logs & Alerts
-### Security Requirements
+## Security Requirements
-#### Installation User
+### Installation User
A domain user which is a member of the Local Administrators group on the server must be available to run the installation scripts. This is a prerequisite of Microsoft Service Fabric, which is the platform that {{% ctx %}} Innovation is built upon.
-#### Antivirus Exclusions
+### Antivirus Exclusions
It is advised (by Microsoft Service Fabric) that the following antivirus exclusions are created on the server to reduce antivirus processing on Service Fabric artefacts:
@@ -163,7 +140,7 @@ A script is provided during installation to add these exclusions for Windows Def
If adding the exclusions manually, the Process Exclusions should be done before installation occurs, as the processes will be used during installation of the application and antivirus software can cause the installation to fail or timeout. Folder Exclusions may need to be added after installation has occurred as some antivirus software needs the folders to exist.
-#### Port Requirements
+### Port Requirements
{{% ctx %}} Innovation and Microsoft Service Fabric require a range of [firewall ports to be opened][Port Requirements] between the server and specific services.
@@ -171,31 +148,44 @@ If you are using Windows Firewall, some ports are opened during installation and
The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installation to test the ports on the server and make sure they do not overlap with any other programs; most ports may be altered if this is the case, the description will say if this is not possible.
-## Additional Web Application Server Requirements
+### Certificate Requirements
-### Security Requirements
+{{< alert title="Important" color="warning" >}}It is critical to set a reminder to {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.RolloverCertificates" title="update certificates" >}} in good time before they expire. If they expire then the platform will cease to function and {{< ahref path="Cortex.ServicePortal.MainDoc" title="CORTEX Service Portal" >}} must be contacted for support.{{< /alert >}}
-#### Installation User
+{{% alert title="Note" %}}
+For production systems it is recommended that an X.509 SSL certificate is obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service.
+{{% / alert %}}
-A domain user must be available to run the Application Pools for Gateway. This user must be given `Log on as a service` and `Log on as a batch job` permissions otherwise the Application Pools will not be able to run. Information about how to do this will be given during installation.
+An X.509 SSL certificate (standard or wildcard) should be used to:
-#### Domain Requirements
+* Allow Application Services to identify themselves to clients such as Gateway.
+* Prevent unauthorised nodes from joining the single node cluster.
+* Connect to Service Fabric Explorer from the Application Server.
+* Connect to Gateway.
-For Gateway, only Windows domains with an Active Directory domain controller running Active Directory Domain Services are supported.
+The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements:
-Supported versions of Active Directory are listed below:
+* Subject field must be in one of the following formats, depending on the certificate type:
+ * Standard certificates must use the standard format (e.g. `CN=host.domain.com`).
+ * Wildcard certificates must use the wildcard format, pertaining to the domain of the server (e.g. `CN=*.domain.com`).
+* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service.
+* Subject Alternative Names (SAN): At minimum the FQDN of the server. It can also include NetBIOS Name, IP address, localhost, 127.0.0.1. It must include any additional host names that should be able to be used to access the API Gateway Service.
+* Certificate file must be in a .PFX file format, with a known password.
+* Certificate file must contain the full chain of certificates.
+* Certificate file must include the private key.
+* Key Usage extension must have a value of `Digital Signature, Key Encipherment (a0)`.
+* Enhanced Key Usage must include `Server Authentication` and `Client Authentication`.
-| Version | Verified? | Supported From | Supported Until |
-|----------------------------|----------------|----------------|------------------|
-| Windows Server 2003 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2003 R2 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2008 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2008 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2012 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2012 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2016 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2019 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2022 | | {{% ctx %}} v2022.9 | To be evaluated |
+This file should be placed in a known location on the server. This location will be required when running the Application Server installation script.
+
+## TLS Requirements
+
+There is a set of non-compulsory security measures, recommended to be applied to the server, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2, and disabling all cipher suites apart from the following:
+
+* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+
+See [SSL Best Practices][] for a full list of the security changes which will be applied. The `Cortex.Innovation.Install.SSLBestPractices.ps1` script is provided during installation to apply these security changes to the server.
## Next Steps?
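Review bot: The removed `#### Installation User` paragraph under "Additional Web Application Server Requirements" (the domain user for the Gateway Application Pools, which needs `Log on as a service` and `Log on as a batch job`) is not re-added in any hunk of this file, unlike the Active Directory table, which moves to the top of the page. If the requirement still applies on a single server, please keep it under the existing `### Installation User` heading; if it does not, say so in the commit message. In the re-added certificate list, the two consecutive Subject Alternative Names bullets overlap and should be merged into one, `[Let’s Encrypt]()` has an empty link target, and the alert is closed with `{{% / alert %}}` here but `{{% /alert %}}` in the multi-server page. The Note also still says that installation "will create and use self-signed certificates" when none are supplied, while the multi-server alert in this diff says auto-generated self-signed certificates "do not meet the requirements for Gateway"; one of the two pages needs a sentence reconciling them.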
@@ -204,7 +194,6 @@ Supported versions of Active Directory are listed below:
[Architecture]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.SingleServerWithoutHA.Architecture" >}}
[Install Application Server]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.SingleServerWithoutHA.InstallApplicationServer" >}}
[Upgrading Gateway]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.SingleServerWithoutHA.ConfigureCortexGatewayInstallationScript" >}}
-[Create Self-Signed Certificates]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" >}}
[Port Requirements]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.PortRequirements" >}}
[SSL Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}}
[CORTEX Service Portal]: {{< url path="Cortex.ServicePortal.MainDoc" >}}
diff --git a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/try-it-out.md b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/try-it-out.md
index eab0c08c4..fac624592 100644
--- a/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/try-it-out.md
+++ b/content/en/docs/2023.7/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/try-it-out.md
@@ -16,16 +16,16 @@ Test the platform by creating a new flow and executing it using the following st
1. Click on the `Flows` charm, then the `+` button and click `Group` to open a dialog.
1. Enter a name for the group, configure the `Permission Groups` and click `OK` to create the group.
1. Click on the group to open it (refresh the page if it does not appear).
-1. Inside the group, click the `+` button again and click on Flow(Innovation)
to open a dialog. If the menu item is not present, it means that the `FeatureFlags` in the `CortexGateway.SetParameters.xml` file was not set properly when installing Gateway. See [Troubleshooting][Troubleshooting No Innovation] for more information.
+1. Inside the group, click the `+` button again and click on Flow(Innovation)
to open a dialog. If the menu item is not present, it means that the `FeatureFlags` in the `CortexGateway.SetParameters.xml` file was not set properly when updating Gateway. See [Troubleshooting][Troubleshooting No Innovation] for more information.
1. Enter a name for the flow, configure the `Permission Groups` and click `OK` to create the flow.
-1. The flow should be displayed with a start flow block and end flow block. A list of block palettes should be displayed down the left hand side:
+1. The flow should be displayed with a start flow block and end flow block, if those blocks are not displayed see [Troubleshooting][Troubleshooting Flow No Blocks]. A list of block palettes should be displayed down the left hand side:
{{< figure src="/images/New Innovation Flow View.PNG" title="New Flow - Number of palettes may differ" >}}
1. Add a `Set Variable` block and connect it between the start and end blocks.
1. Click the `Set Variable` block to open the Property Editor.
1. Set the `Value` property to the expression `DateTimeOffset.Now`.
1. Type `Result` into the `Variable` property and click `Create Result`.
1. In the Variable Editor, set `Is Output Variable?` to `true` for the new `Result` variable.
-1. Set a breakpoint on the end block and start the flow. An execution token should appear, the `Result` variable should show the current time. If the token does not appear, try refreshing the page.
+1. Set a breakpoint on the end block and start the flow. An execution token should appear, the `Result` variable should show the current time. If the token does not appear, try refreshing the page. Failing that, see [Troubleshooting][Troubleshooting Flow Not Starting].
1. Continue or stop the execution.
1. Commit the flow.
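Review bot: In the changed "The flow should be displayed" step, "with a start flow block and end flow block, if those blocks are not displayed see [Troubleshooting][Troubleshooting Flow No Blocks]." is a comma splice. Split it into two sentences ("... and end flow block. If those blocks are not displayed, see ..."), which also matches the form used in the breakpoint step ("Failing that, see ..."). In the re-added "click on Flow(Innovation)" step, `Flow(Innovation)` is the only UI label in the list that is not in backticks; since that line is being touched anyway, it could be fixed in the same change.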
@@ -55,6 +55,8 @@ Test the platform by creating a new flow and executing it using the following st
1. {{% ctx %}} Innovation has now been verified and is ready to use.
[Troubleshooting During Installation]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingDuringInstallation" >}}
+[Troubleshooting Flow Not Starting]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingFlowNotStarting" >}}
+[Troubleshooting Flow No Blocks]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingFlowNoBlocks" >}}
[Troubleshooting No Innovation]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoInnovation" >}}
[Troubleshooting No Publish]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoPublish" >}}
[Troubleshooting Root Certificate Error]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoRootCertificate" >}}
diff --git a/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server.md b/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server.md
index c65c60c6c..496903b93 100644
--- a/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server.md
+++ b/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server.md
@@ -182,9 +182,9 @@ To install the components required for debugging, perform the steps detailed in
|`ServiceFabricApiGatewayBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Application Servers][Configure Installation Script]; if so, this value must be configured to the one used.
This will set the `ServiceFabricApiGatewayBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
|`ServiceFabricApiGatewayBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Application Servers][Configure Installation Script]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `ServiceFabricApiGatewayBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
|`DotNetFlowDebuggerEndpoint` | Replace `server.domain.com` with the fully qualified domain name of the Web Application Server.
This will set the `DotNetFlowDebuggerEndpoint` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `FlowDebuggerBasicAuthUsername`; if so, this value must be configured to the one used.
This will set the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `FlowDebuggerBasicAuthPassword`; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the site containing {{% ctx %}} Gateway, `$true` if using self-signed certificates.
This will set the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used.
This will set the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the communication between {{% ctx %}} Gateway and the Debugger, `$true` if using self-signed certificates.
This will set the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
|`GatewayApplicationPoolUsername` | Replace `Domain\Username` with the user that should be used to run the {{% ctx %}} Gateway application pool as configured in [Get {{% ctx %}} Gateway Application Pool User][Get CORTEX Gateway Application Pool User].|
|`WebRootFolder` | Replace this with the correct path for the Web Root Folder on the server. Typically this will be `C:\inetpub\wwwroot`.|
|`WebsitePort` | Replace this with the port that you wish the website to use. Typically this will be `443`.|
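Review bot: The reworded `DotNetFlowDebuggerUsingSelfSignedCertificates` row says which connection the flag concerns ("the communication between Gateway and the Debugger") but not which installed certificate decides the value, nor what Gateway does differently when it is `$true`. A prerequisites page changed in this same diff warns "Do not reuse any auto-generated self-signed certificates as they do not meet the requirements for Gateway" and calls manually created self-signed certificates "not recommended for production instances"; please name the certificate this flag refers to and carry the same production caveat into this row, so `$true` is not left in place on a production server by default.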
diff --git a/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md b/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md
index 89877e15d..0f8eae029 100644
--- a/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md
+++ b/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md
@@ -170,9 +170,9 @@ Once the certificate has been imported, a `Friendly Name` should be assigned whi
|`ServiceFabricApiGatewayBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Application Server][Configure Installation Script]; if so, this value must be configured to the one used.
This will set the `ServiceFabricApiGatewayBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
|`ServiceFabricApiGatewayBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Application Server][Configure Installation Script]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `ServiceFabricApiGatewayBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
|`DotNetFlowDebuggerEndpoint` | Replace `server.domain.com` with the fully qualified domain name of the Web Application Server.
This will set the `DotNetFlowDebuggerEndpoint` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `FlowDebuggerBasicAuthUsername`; if so, this value must be configured to the one used.
This will set the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `FlowDebuggerBasicAuthPassword`; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the site containing {{% ctx %}} Gateway, `$true` if using self-signed certificates.
This will set the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used.
This will set the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the communication between {{% ctx %}} Gateway and the Debugger, `$true` if using self-signed certificates.
This will set the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
|`GatewayApplicationPoolUsername` | Replace `Domain\Username` with the user that should be used to run the {{% ctx %}} Gateway application pool as configured in [Get {{% ctx %}} Gateway Application Pool User][Get CORTEX Gateway Application Pool User].|
|`WebRootFolder` | Replace this with the correct path for the Web Root Folder on the server. Typically this will be `C:\inetpub\wwwroot`.|
|`WebsitePort` | Replace this with the port that you wish the website to use. Typically this will be `443`.|
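Review bot: The rewritten `DotNetFlowDebuggerBasicAuthUsername` and `DotNetFlowDebuggerBasicAuthPassword` rows use the reference-style link `[Install Application Server]`, but this is the only hunk for this file and it adds no `[Install Application Server]:` definition. Unless that definition already exists further down the page, the link will render as literal bracketed text. Add it with the other link definitions, as the 2023.9 multiple-server version of this page does.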
diff --git a/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/try-it-out.md b/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/try-it-out.md
index e2ce3a111..5bec699f1 100644
--- a/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/try-it-out.md
+++ b/content/en/docs/2023.7/getting-started/on-premise/install-innovation-only/single-server-without-ha/try-it-out.md
@@ -18,14 +18,14 @@ Test the platform by creating a new flow and executing it using the following st
1. Click on the group to open it (refresh the page if it does not appear).
1. Inside the group, click the `+` button again and click on `Flow` to open a dialog. If the menu item is not present, it means that the `FeatureFlags` in the `CortexGateway.SetParameters.xml` file was not set properly when installing Gateway. See [Troubleshooting][Troubleshooting No Innovation] for more information.
1. Enter a name for the flow, configure the `Permission Groups` and click `OK` to create the flow.
-1. The flow should be displayed with a start flow block and end flow block. A list of block palettes should be displayed down the left hand side:
+1. The flow should be displayed with a start flow block and end flow block, if those blocks are not displayed see [Troubleshooting][Troubleshooting Flow No Blocks]. A list of block palettes should be displayed down the left hand side:
{{< figure src="/images/New Innovation Flow View.PNG" title="New Flow - Number of palettes may differ" >}}
1. Add a `Set Variable` block and connect it between the start and end blocks.
1. Click the `Set Variable` block to open the Property Editor.
1. Set the `Value` property to the expression `DateTimeOffset.Now`.
1. Type `Result` into the `Variable` property and click `Create Result`.
1. In the Variable Editor, set `Is Output Variable?` to `true` for the new `Result` variable.
-1. Set a breakpoint on the end block and start the flow. An execution token should appear, the `Result` variable should show the current time. If the token does not appear, try refreshing the page.
+1. Set a breakpoint on the end block and start the flow. An execution token should appear, the `Result` variable should show the current time. If the token does not appear, try refreshing the page. Failing that, see [Troubleshooting][Troubleshooting Flow Not Starting].
1. Continue or stop the execution.
1. Commit the flow.
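Review bot: In the start/end block step the added clause is attached with a comma splice ("...end flow block, if those blocks are not displayed see..."). Make it its own sentence, for example "If those blocks are not displayed, see [Troubleshooting][Troubleshooting Flow No Blocks].", which also matches the "Failing that, see ..." sentence added to the breakpoint step.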
@@ -55,6 +55,8 @@ Test the platform by creating a new flow and executing it using the following st
1. {{% ctx %}} Innovation has now been verified and is ready to use.
[Troubleshooting During Installation]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingDuringInstallation" >}}
+[Troubleshooting Flow Not Starting]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingFlowNotStarting" >}}
+[Troubleshooting Flow No Blocks]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingFlowNoBlocks" >}}
[Troubleshooting No Innovation]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoInnovation" >}}
[Troubleshooting No Publish]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoPublish" >}}
[Troubleshooting Root Certificate Error]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoRootCertificate" >}}
diff --git a/content/en/docs/2023.9/Reference/troubleshooting/installation.md b/content/en/docs/2023.9/Reference/troubleshooting/installation.md
index 6f07e3ce7..52dcf393b 100644
--- a/content/en/docs/2023.9/Reference/troubleshooting/installation.md
+++ b/content/en/docs/2023.9/Reference/troubleshooting/installation.md
@@ -159,6 +159,87 @@ To work around this error, either uninstall the platform and reinstall it using
Check that the `Feature Flags` Guid in the `CortexGateway.SetParameters.xml` file used for installing {{% ctx %}} Gateway is correct. If it is not, update it and reinstall {{% ctx %}} Gateway or update the value in the `web.config` file and restart the website. If the value is correct, please contact [{{% ctx %}} Service Portal][CORTEX Service Portal] for assistance.
+### {{% ctx %}} Innovation blocks not visible in {{% ctx %}} Studio {#ts-no-blocks}
+
+#### Application Pool user does not have Modify rights to the Roaming folder
+
+The following folders require `Modify` permission to allow creating the `NuGet` folders and its `NuGet.Config` file within:
+
+* `C:\Windows\System32\config\systemprofile\AppData\Roaming`
+* `C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming`
+
+For each folder, perform the following steps:
+
+1. Navigate to the `AppData` folder.
+1. Right-click on the `Roaming` folder and click `Properties`.
+1. In the dialog, click the `Security` tab.
+1. Check the `Application Pool` user for Gateway is listed in the `Group or user names` and has `Modify` permissions.
+1. If the `Application Pool` user for Gateway is not listed:
+ 1. Click the `Edit...` button.
+ 1. Click the `Add...` button.
+ 1. Enter the username of the application pool user and click `OK`.
+ 1. In the `Permissions` section at the bottom, check `Modify`.
+ 1. Click `OK`.
+ 1. Click `Yes` to change the permission to the folder.
+1. If the `Application Pool` user for Gateway is listed but does not have permissions:
+ 1. Click the `Edit...` button.
+ 1. Select the `Application Pool` user.
+ 1. Check `Modify`.
+ 1. Click `OK`.
+ 1. Click `Yes` to change the permission to the folder.
+
+#### Application Pool user does not have rights to the Cortex Blocks Provider Host folder
+
+Perform the following steps:
+
+1. Navigate to `C:\ProgramData\Cortex`
+1. Right-click on the `Cortex Blocks Provider Host` folder and click `Properties`.
+1. In the dialog, click the `Security` tab.
+1. Check the `Application Pool` user for Gateway is listed in the `Group or user names` and has `Modify` permissions.
+1. If the `Application Pool` user for Gateway is not listed:
+ 1. Click the `Edit...` button.
+ 1. Click the `Add...` button.
+ 1. Enter the username of the application pool user and click `OK`.
+ 1. In the `Permissions` section at the bottom, check `Modify`.
+ 1. Click `OK`.
+1. If the `Application Pool` user for Gateway is listed but does not have permissions:
+ 1. Click the `Edit...` button.
+ 1. Select the `Application Pool` user.
+ 1. Check `Modify`.
+ 1. Click `OK`.
+
+#### Perform an IIS reset
+
+1. Open a Windows PowerShell (x64) window as administrator.
+1. Run the following command: `iisreset`.
+1. Wait for the action to complete.
+
+### Flow not starting in {{< ctx >}} Gateway {#ts-flow-not-starting}
+
+#### Application Pool user does not have rights to the Repo folder
+
+Check that the `Application Pool` user has rights to the `Repo` folder using the following steps:
+
+1. Check where the `Repo` folder is located
+ 1. Navigate to the `gateway` IIS folder (usually `%SystemDrive%\inetpub\wwwroot\Cortex\gateway`, e.g. `C:\inetpub\wwwroot\Cortex\gateway`)
+ 1. Open the `web.config` file.
+ 1. Find the value of the `connectionString` named `CortexRepositories`
+1. Navigate to the `Repo` folder, not opening it.
+1. Right-click on the `Repo` folder and click `Properties`.
+1. In the dialog, click the `Security` tab.
+1. Check the `Application Pool` user for Gateway is listed in the `Group or user names` and has `Modify` permissions.
+1. If the `Application Pool` user for Gateway is not listed:
+ 1. Click the `Edit...` button.
+ 1. Click the `Add...` button.
+ 1. Enter the username of the application pool user and click `OK`.
+ 1. In the `Permissions` section at the bottom, check `Modify`.
+ 1. Click `OK`.
+1. If the `Application Pool` user for Gateway is listed but does not have permissions:
+ 1. Click the `Edit...` button.
+ 1. Select the `Application Pool` user.
+ 1. Check `Modify`.
+ 1. Click `OK`.
+
### Cannot publish a package {#ts-no-publish}
Check that the `Service Fabric Api Gateway Endpoint`, `Service Fabric Using Self Signed Certificates`, `Service Fabric ApiGateway Basic Auth Username` and `Service Fabric ApiGateway Basic Auth Password` in the `CortexGateway.SetParameters.xml` file used for installing {{% ctx %}} Gateway are correct. If any of them are not, update them and reinstall {{% ctx %}} Gateway or update the value in the "web.config" file and restart the website. If the value is correct, please contact [{{% ctx %}} Service Portal][CORTEX Service Portal] for assistance.
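Review bot: `#### Perform an IIS reset` is a sibling of the two "Application Pool user does not have..." headings under `ts-no-blocks`, so it reads as a third possible cause rather than the step to run once the permissions are corrected, and the `ts-flow-not-starting` section has no equivalent instruction. Say when the reset is needed and whether it also applies after the `Repo` fix. The Roaming section grants `Modify` on the whole `systemprofile\AppData\Roaming` folder although the stated need is only the `NuGet` folder and its `NuGet.Config`, so either scope the grant to that or say why the wider one is required. Minor: the second new heading uses `{{< ctx >}}` where the first uses `{{% ctx %}}`, and the sub-steps for locating the `Repo` folder are missing their full stops.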
@@ -254,3 +335,4 @@ If this occurs on your server it is important to update your certificates as soo
[CORTEX Service Portal]: {{< url path="Cortex.ServicePortal.MainDoc" >}}
[Rollover Certificates]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.RolloverCertificates" >}}
+[add rights to nuget folder]: {{< ref "#ts-add-rights-to-nuget-folder" >}}
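Review bot: The new `[add rights to nuget folder]` definition targets `#ts-add-rights-to-nuget-folder`, but the headings added to this file only declare `{#ts-no-blocks}` and `{#ts-flow-not-starting}`, and nothing in the added text uses this reference. Either give the "Application Pool user does not have Modify rights to the Roaming folder" heading that id and link to it where needed, or drop the definition, since a `ref` to a missing anchor can fail the Hugo build.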
diff --git a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/architecture.md b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/architecture.md
index 698ebd2ba..d78d3397b 100644
--- a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/architecture.md
+++ b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/architecture.md
@@ -25,10 +25,10 @@ The installation process is the same, regardless of which architecture is used;
The recommended architecture for adding Innovation to a v7.2 Dual Site, Dual Server system requires 8 servers in total; the 4 existing servers, plus 4 new servers:
-* 2x Existing Application Servers for v7.2, one of these will also act as the Web Application Server for Innovation. For Innovation, the existing Gateway will be upgraded.
-* 2x Existing Database Servers, used for v7.2 and Gateway databases.
-* 1x New Load Balancer Server for Innovation.
-* 3x New Application Servers for Innovation.
+* 2x Existing Application Servers for v7.2, one of these will also act as the Web Application Server for Innovation. For Innovation, the existing Gateway will be upgraded and a new Debug Node will be added
+* 2x Existing Database Servers, used for v7.2 and Gateway databases
+* 1x New Load Balancer Server for Innovation
+* 3x New Application Servers for Innovation
{{< figure src="/images/editable/Cortex Innovation and v7.2 Best Architecture.png" class="centre" title="8 Server, Recommended Architecture Diagram" >}}
@@ -36,11 +36,12 @@ The recommended architecture for adding Innovation to a v7.2 Dual Site, Dual Ser
### Minimum Architecture
-The minimum architecture requires only the 4 existing servers:
+The minimum architecture requires 5 servers:
-* 2x Application Servers for v7.2, each of these will also host one of the three Application Servers for Innovation.
-* 1x Database Server for v7.2, which will also host the remaining Application Server for Innovation.
-* 1x Database Server for v7.2, which will also host the Load Balancer for Innovation.
+* 1x Web Application Server, which contains Gateway. For Innovation, the existing Gateway will be upgraded and a new Debug Node will be added
+* 2x Application Servers for v7.2, each of these will also host one of the three Application Servers for Innovation
+* 1x Database Server for v7.2, which will also host the remaining Application Server for Innovation
+* 1x Database Server for v7.2, which will also host the Load Balancer for Innovation
{{< figure src="/images/editable/Cortex Innovation and v7.2 Min Architecture.png" class="centre" title="4 Server, Minimum Architecture Diagram" >}}
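Review bot: The text now says the minimum architecture requires 5 servers and the list adds a separate Web Application Server, but the figure title on the unchanged line below still reads `4 Server, Minimum Architecture Diagram`. Update the title, and check that the image itself shows the fifth server.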
diff --git a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server.md b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server.md
index e29eb1603..e9da93e16 100644
--- a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server.md
+++ b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/install-web-application-server.md
@@ -11,10 +11,15 @@ This guide describes how to upgrade Gateway on v7.2 to include Innovation. Pleas
The steps to add Innovation functionality to 7.2 are:
+1. Install local instance of the Application Server components
1. Upgrade {{% ctx %}} Gateway
## Make Installation Artefacts Available
+{{% alert title="Note" %}}
+We recommend that the single-node Service Fabric instance, used by {{% ctx %}} Gateway as a Debugger instance, and {{% ctx %}} Gateway are installed on the same Web Application Server.
+{{% /alert %}}
+
1. Copy the following artefacts to a folder on the machine:
* Cortex Innovation {{< version >}} - Block Packages.zip
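Review bot: The co-location note sits under `## Make Installation Artefacts Available`, directly above the artefact list, where it has no bearing on copying files. It belongs with the Debugger installation section, next to the instruction it qualifies. Minor: the new step 1 should read "Install a local instance of the Application Server components".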
@@ -45,7 +50,17 @@ A Friendly Name should be assigned to the certificate being used for the Cortex
1. On the `General` tab in the `Friendly Name` text box, enter a name to be used for the certificate.
1. Click `OK`.
-## Perform Installation
+## Perform Debugger Installation
+
+{{% alert title="Important" color="warning" %}}
+{{< ctx >}} Gateway requires a local instance of the Application Server components to enable the debugging of flows.
+{{% /alert %}}
+
+### Install Debugger
+
+To install the components required for debugging, perform the steps detailed in [Install Application Server][] on the Web Application Server.
+
+## Perform Gateway Installation
### Configure {{% ctx %}} Gateway Installation Script
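Review bot: The "Important" alert states that Gateway requires a local instance of the Application Server components, while the note added earlier in this page only says "We recommend" installing the Debugger instance and Gateway on the same Web Application Server. Decide whether co-location is mandatory and word both the same way. The alert also uses `{{< ctx >}}` where the surrounding headings use `{{% ctx %}}`.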
@@ -86,9 +101,9 @@ A Friendly Name should be assigned to the certificate being used for the Cortex
|`ServiceFabricApiGatewayBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Application Servers][Configure Installation Script]; if so, this value must be configured to the one used.
This will overwrite the `ServiceFabricApiGatewayBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
|`ServiceFabricApiGatewayBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Application Servers][Configure Installation Script]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `ServiceFabricApiGatewayBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
|`DotNetFlowDebuggerEndpoint` | Replace `server.domain.com` with the fully qualified domain name of the Web Application Server.
This will overwrite the `DotNetFlowDebuggerEndpoint` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `FlowDebuggerBasicAuthUsername`; if so, this value must be configured to the one used.
This will overwrite the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `FlowDebuggerBasicAuthPassword`; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the site containing {{% ctx %}} Gateway, `$true` if using self-signed certificates.
This will overwrite the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used.
This will overwrite the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the communication between {{% ctx %}} Gateway and the Debugger, `$true` if using self-signed certificates.
This will overwrite the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
|`GatewayApplicationPoolUsername` | Replace `Domain\Username` with the user that is used to run the {{% ctx %}} Gateway application pool currently.|
|`WebRootFolder` | Replace this with the correct path for the Web Root Folder on the server. Typically this will be `C:\inetpub\wwwroot`.|
|`WebsitePort` | Replace this with the port that you wish the website to use. Typically this will be `443`.|
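Review bot: The `DotNetFlowDebuggerBasicAuthUsername` and `DotNetFlowDebuggerBasicAuthPassword` rows now name the same installer parameters (`ApiGatewayBasicAuthUsername`, `ApiGatewayBasicAuthPassword`) as the `ServiceFabricApiGateway*` rows directly above, distinguished only by the link text. State explicitly that these are the values chosen for the Debugger install on the Web Application Server and may differ from the Application Servers' credentials, so that the wrong pair is not copied across.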
@@ -153,3 +168,4 @@ Ensure that the installation files are backed up or kept on the server, especial
[Licensing Requirements]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.LicensingRequirements" >}}
[Security Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}}
[Try it out]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.TryItOut" >}}
+[Install Application Server]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.SingleServerWithoutHA.InstallApplicationServer" >}}
\ No newline at end of file
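Review bot: The `[Install Application Server]` definition added to this multiple-server-with-HA page resolves to `...AddInnovationTo72.SingleServerWithoutHA.InstallApplicationServer`. If the single-server page is the intended target because the Debugger is a single-node install, say so where the link is used, since readers will land in a different guide. The file also now ends without a trailing newline.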
diff --git a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md
index 0f0eb74f7..9052fc9b2 100644
--- a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md
+++ b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/multiple-server-with-ha/prerequisites.md
@@ -25,7 +25,7 @@ Use these hardware requirements if using the [Recommended Architecture][].
|------------------|-----------------------|-----------------------------------|---------------|----------------------|
| New Innovation Load Balancer | 1[^1] | 4+ *Recommended*
2 *Minimum* | 8+ *Recommended*
4 *Minimum* | 50+ *Recommended*
30 *Minimum*
5+ free on installation drive |
| New Innovation Application Server | 3 *Bronze availability*[^2]
5 *Silver availability*
7 *Gold availability*
9 *Platinum availability* | 4+ *Recommended*
2 *Minimum* | 16+ *Recommended*
8 *Minimum* | 75+ *Recommended*
60 *Minimum*
40+ free on %ProgramData% drive |
-| Existing V7.2 Application Server with Gateway
+ Upgrade to Innovation Web Application Server | 1 | 4+ *Recommended*
2 *Minimum* | 8+ *Recommended*
4 *Minimum* | 75+ *Recommended*
50 *Minimum*
30+ free on installation drive |
+| Existing V7.2 Application Server with Gateway
+ Upgrade to Innovation Web Application Server | 1 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 160+ *Recommended*
135 *Minimum*
30+ free on installation drive
40+ free on %ProgramData% drive |
### Minimum Architecture
@@ -35,8 +35,8 @@ Use these hardware requirements if using the [Minimum Architecture][] and instal
|------------------|-----------------------|-----------------------------------|---------------|----------------------|
| Existing V7.2 Database Server
+ Innovation Load Balancer| 1[^1] | 4+ *Recommended*
4 *Minimum* | 8+ *Recommended*
4 *Minimum* | 300+ *Recommended*
70 *Minimum*
5+ free on installation drive |
| Existing V7.2 Database Server
+ Innovation Application Server | 1 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 300+ *Recommended*
100 *Minimum*
40+ free on %ProgramData% drive|
-| Existing V7.2 Application Server
+ Innovation Application Server | 1 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 120+ *Recommended*
100 *Minimum*
40+ free on %ProgramData% drive|
-| Existing V7.2 Application Server with Gateway
+ Innovation Application Server
+ Upgrade to Innovation Web Application Server | 1 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 120+ *Recommended*
100 *Minimum*
30+ free on installation drive
40+ free on %ProgramData% drive |
+| Existing V7.2 Application Server
+ Innovation Application Server | 2 | 4+ *Recommended*
4 *Minimum* | 16+ *Recommended*
12 *Minimum* | 120+ *Recommended*
100 *Minimum*
40+ free on %ProgramData% drive|
+| Existing V7.2 Web Application Server
+ Innovation Application Server
+ Upgrade to Innovation Web Application Server | 1 | 4+ *Recommended*
2 *Minimum* | 16+ *Recommended*
12 *Minimum* | 150+ *Recommended*
100 *Minimum*
30+ free on installation drive
40+ free on %ProgramData% drive |
[^1]: A software-based load balancer called [gobetween][] is provided with the platform. This must be installed on its own server as it doesn't support routing traffic to itself. It also doesn't currently support HA, but it may be possible to use multiple gobetween load balancers with Anycast network addressing and routing to provide high availability, as described in [https://en.wikipedia.org/wiki/Anycast][Anycast]; however, this has not been verified yet. It is possible to use an [alternative load balancer][] to the one provided.
[^2]: Application Servers support HA via clustering. A cluster must consist of a minimum of 3 nodes, and the number of nodes must be an odd number to ensure a quorum. Currently only the Bronze availability (3 nodes) is supported. Silver, Gold and Platinum support will be added in future.
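Review bot: The new "Existing V7.2 Web Application Server" row gives `2 *Minimum*` for the first resource column, while every other row in this Minimum Architecture table gives 4 and the corresponding Web Application Server row in the Recommended Architecture table was raised from 2 to 4 in this same change. Confirm whether 2 is intended. The row also still lists "+ Innovation Application Server" although the Application Server row count is now 2; if that entry means the local Debugger components, name them as such.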
@@ -70,6 +70,24 @@ This table displays the additional resources required when adding an Innovation
All servers must be on the same domain and cannot be domain controllers.
+## Active Directory Requirements
+
+For Gateway, only Windows domains with an Active Directory domain controller running Active Directory Domain Services are supported.
+
+Supported versions of Active Directory are listed below:
+
+| Version | Verified? | Supported From | Supported Until |
+|----------------------------|----------------|----------------|------------------|
+| Windows Server 2003 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2003 R2 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2008 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2008 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2012 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2012 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2016 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2019 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2022 | | {{% ctx %}} v2022.9 | To be evaluated |
+
## DNS Requirements
The installation requires IP to hostname resolution to be available. Please ensure that you have the appropriate pointer (PTR) records configured on the DNS server for all of your servers (Web, Application and Load Balancer).
@@ -133,35 +151,14 @@ Gateway supports the latest versions of the following browsers:
* Edge
* Firefox
-## Additional Load Balancer Server Requirements
-
-### Filesystem Requirements
-If using the included [gobetween][] load balancer, Network Discovery and File Sharing must be enabled on the Load Balancer Server:
-
-1. Open File Explorer.
-1. Click `Network` on the left.
-1. A banner similar to the following will appear if Network Discovery and File Sharing is turned off:
- {{< figure src="/images/Network Discovery 1.png" title="Network and File Discovery Disabled" >}}
-1. Click the banner.
-1. Click `Turn on network discovery and file sharing`:
- {{< figure src="/images/Network Discovery 2.png" title="Enable Network and File Discovery" >}}
+## Filesystem Requirements
-### Alternative Load Balancer Requirements
+The Web Application Server, each Application Server and [gobetween][] Load Balancer Server (if used) must:
-Innovation has a [gobetween][] load balancer included that isn't highly available; It is possible to use an alternative. The requirements for installing an alternative load balancer are as follows:
+* use an NTFS filesystem.
+* enable Network Discovery and File Sharing
-* Must support a round robin (or similar) method of load balancing to specified ports on 3 nodes.
-* Must be able to health check each node by running a predefined batch script (`ApiGatewayTypeHealthcheck.bat`, which resides in the `gobetween` folder of the `Cortex Innovation {{< version >}} - App Server Install Scripts`) that returns 1 for healthy and 0 for unhealthy.
-* Must be able to access each of the Application Servers via HTTPS.
-* Ideally it should be highly available to avoid a single point of failure in the system.
-
-## Additional Application Server Requirements
-
-### Filesystem Requirements
-
-All Application Servers must use an NTFS filesystem.
-
-Network Discovery and File Sharing should be enabled on each Application Server:
+To enable Network Discovery and File Sharing:
1. Open File Explorer.
1. Click `Network` on the left.
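Review bot: This hunk deletes the `### Alternative Load Balancer Requirements` section, but footnote `[^1]` on this page still links to `[alternative load balancer][]`. Confirm that the section has been moved rather than dropped and that the link target still resolves. Minor: in the new two-item list, "use an NTFS filesystem." ends with a full stop and "enable Network Discovery and File Sharing" does not.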
@@ -171,23 +168,23 @@ Network Discovery and File Sharing should be enabled on each Application Server:
1. Click `Turn on network discovery and file sharing`:
{{< figure src="/images/Network Discovery 2.png" title="Enable Network and File Discovery" >}}
-### Service Requirements
+## Service Requirements
-The following Windows Services must be running on all Application Servers:
+On the Web Application Server and each Application Server, the following Windows Services must be running:
* Remote Registry
* Windows Event Log
* Performance Logs & Alerts
-### Security Requirements
+## Security Requirements
-#### Installation User
+### Installation User
-A domain user which is a member of the Local Administrators group on all Application Servers and Load Balancer Server must be available to run the installation scripts. This is a prerequisite of Microsoft Service Fabric, which is the HA platform that {{% ctx %}} Innovation is built upon.
+On all Application Servers, Web Application Server and Load Balancer Server, a domain user, which is a member of the Local Administrators group, must be available to run the installation scripts. This is a prerequisite of Microsoft Service Fabric, which is the HA platform that {{% ctx %}} Innovation is built upon.
-#### Antivirus Exclusions
+### Antivirus Exclusions
-It is advised (by Microsoft Service Fabric) that the following antivirus exclusions are created on each Application Server to reduce antivirus processing on Service Fabric artefacts:
+It is advised (by Microsoft Service Fabric) that the following antivirus exclusions are created on the Web Application Server and each Application Server to reduce antivirus processing on Service Fabric artefacts:
Folder Exclusions:
@@ -214,15 +211,19 @@ A script is provided during installation to add these exclusions for Windows Def
If adding the exclusions manually, the Process Exclusions should be done before installation occurs, as the processes will be used during installation of the application and antivirus software can cause the installation to fail or timeout. Folder Exclusions may need to be added after installation has occurred as some antivirus software needs the folders to exist.
-#### Port Requirements
+### Port Requirements
{{% ctx %}} Innovation and Microsoft Service Fabric require a range of [firewall ports to be opened][Port Requirements] between the servers and specific services.
If you are using Windows Firewall, some ports are opened during installation and others are opened dynamically as needed. If any other firewall is used, it will be necessary to add the rules described in [Port Requirements][] to open the correct ports.
-The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installation to test the ports on each Application Server and make sure they do not overlap with any other programs; most ports may be altered if this is the case, the description will say if this is not possible.
+The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installation to test the ports on the Web Application Server and each Application Server and make sure they do not overlap with any other programs; most ports may be altered if this is the case, the description will say if this is not possible.
+
+### Certificate Requirements
-#### Certificate Requirements
+{{< alert title="Important" color="warning" >}}It is critical to set a reminder to {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.RolloverCertificates" title="update certificates" >}} in good time before they expire. If they expire then the platform will cease to function and {{< ahref path="Cortex.ServicePortal.MainDoc" title="CORTEX Service Portal" >}} must be contacted for support.{{< /alert >}}
+
+#### Application Servers
{{% alert title="Note" %}}
For production systems it is recommended that X.509 SSL wildcard certificates are obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service.
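Review bot: The rewritten `Cortex.Innovation.Test.PortUsage.ps1` sentence is still a run-on ("...any other programs; most ports may be altered if this is the case, the description will say if this is not possible"). Split it after "programs" and make the last clause its own sentence. In the Installation User paragraph, "On all Application Servers, Web Application Server and Load Balancer Server" needs "the" before the last two server names.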
@@ -250,42 +251,7 @@ This file should be placed in a known location on the Application Server where t
If required, a separate X.509 SSL certificate can be obtained to be used by the load balancer to communicate with the Application Services. It must meet all of the other requirements laid out above, except the subject field can also be the FQDN of the load balancer (e.g. `CN=machine-name.domain.com`).
-#### TLS Requirements
-
-There is a set of non-compulsory security measures, recommended to be applied to the Application Servers, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2. And disabling all cipher suites apart from the following:
-
-* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-
-See [SSL Best Practices][] for a full list of the security changes which will be applied. The `Cortex.Innovation.Install.Multiple.SSLBestPractices.ps1` script is provided during installation to apply these security changes to the Application Servers.
-
-## Additional Web Application Server Requirements
-
-### Security Requirements
-
-#### Installation User
-
-A domain user must be available to run the Application Pools for Gateway. This user must be given `Log on as a service` and `Log on as a batch job` permissions otherwise the Application Pools will not be able to run. Information about how to do this will be given during installation.
-
-#### Domain Requirements
-
-For Gateway, only Windows domains with an Active Directory domain controller running Active Directory Domain Services are supported.
-
-Supported versions of Active Directory are listed below:
-
-| Version | Verified? | Supported From | Supported Until |
-|----------------------------|----------------|----------------|------------------|
-| Windows Server 2003 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2003 R2 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2008 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2008 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2012 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2012 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2016 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2019 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2022 | | {{% ctx %}} v2022.9 | To be evaluated |
-
-#### Certificate Requirements
+#### Web Application Server
{{% ctx %}} Gateway requires an X.509 SSL certificate to be installed on the Web Application Server. The certificate must have the following properties:
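Review bot: the `Log on as a service` / `Log on as a batch job` requirement for the Gateway application pool user and the Active Directory support table are deleted here, and none of the added lines shown for this file put them back. If they were moved to an earlier section that is fine; otherwise keep them, because the removed text itself states that the Application Pools will not run without those rights.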
@@ -294,24 +260,42 @@ Supported versions of Active Directory are listed below:
If the user tries to navigate to an address not in the SAN list, then they will receive a certificate error.
-Wildcard certificates and self-signed certificates can also be used. However, self-signed certificates are not recommended for production instances. Details on how to create a self-signed certificate can be found at [Create Self-Signed Certificates][].
-
-The certificate may be the same one used for the Application Server installation.
+{{% alert title="Important" color="warning" %}}
+Do not reuse any auto-generated self-signed certificates as they do not meet the requirements for Gateway.
+
+Certificates, wildcard certificates and manually created self-signed certificates can be used. However, the latter are not recommended for production instances.
+Details on how to create a self-signed certificate can be found at {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" title="Create Self-Signed Certificates" >}}.
+{{% /alert %}}
More information about importing the certificate is given during installation.
-#### TLS Requirements
+### TLS Requirements
-There is a set of non-compulsory security measures, recommended to be applied to the Web Application Server, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2. And disabling all cipher suites apart from the following:
+There is a set of non-compulsory security measures, recommended to be applied to the Web Application Server and each Application Server, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2. And disabling all cipher suites apart from the following:
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-See [SSL Best Practices][] for a full list of the security changes which will be applied. The `Cortex.Innovation.Install.SSLBestPractices.ps1` script is provided during installation to apply these security changes to the Web Application Server.
+See [SSL Best Practices][] for a full list of the security changes which will be applied.
+
+A script is provided during installation to apply these security changes:
+
+* For the Application servers: `Cortex.Innovation.Install.Multiple.SSLBestPractices.ps1`
+* For the Web Application Server: `Cortex.Innovation.Install.SSLBestPractices.ps1`
+
+## Alternative Load Balancer Requirements
+
+Innovation has a [gobetween][] load balancer included that isn't highly available; It is possible to use an alternative. The requirements for installing an alternative load balancer are as follows:
+
+* Must support a round robin (or similar) method of load balancing to specified ports on 3 nodes.
+* Must be able to health check each node by running a predefined batch script (`ApiGatewayTypeHealthcheck.bat`, which resides in the `gobetween` folder of the `Cortex Innovation {{< version >}} - App Server Install Scripts`) that returns 1 for healthy and 0 for unhealthy.
+* Must be able to access each of the Application Servers via HTTPS.
+* Ideally it should be highly available to avoid a single point of failure in the system.
## Next Steps?
Application Servers and Load Balancer server are installed in the same way regardless of whether new or existing hardware is being used:
+
1. [Install Application Servers and Load Balancer][]
[Port Requirements]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.PortRequirements" >}}
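Review bot: the deleted sentence "The certificate may be the same one used for the Application Server installation" has no replacement. The new alert only rules out auto-generated self-signed certificates, so state whether a CA-issued Application Server certificate may still be reused for Gateway. In the load balancer list, "returns 1 for healthy and 0 for unhealthy" should say whether that is the exit code of `ApiGatewayTypeHealthcheck.bat` or text it writes to output, since an exit code of 0 conventionally means success. Minor: "TLS 1.2. And disabling" is a fragment (join with a comma, as the single-server page does) and "isn't highly available; It is possible" needs a lowercase "it".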
@@ -321,7 +305,6 @@ Application Servers and Load Balancer server are installed in the same way regar
[Recommended Architecture]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.RecommendedArchitecture" >}}
[Minimum Architecture]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.MinimumArchitecture" >}}
[Alternative Architectures]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.MultipleServerWithHA.AlternativeArchitectures" >}}
-[Create Self-Signed Certificates]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" >}}
[SSL Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}}
[gobetween]: {{< url path="GoBetween.MainDoc" >}}
[CORTEX Service Portal]: {{< url path="Cortex.ServicePortal.MainDoc" >}}
@@ -336,7 +319,6 @@ Application Servers and Load Balancer server are installed in the same way regar
[IIS Url Rewrite]: {{< url path="IIS.Downloads.UrlRewrite-2_1" >}}
[Web Deploy]: {{< url path="MSDownload.WebDeploy" >}}
[C++ Redistributable]: {{< url path="MSDownload.CPlusPlusRedistributable.2013" >}}
-[Requirements For Minimum Architecture]: {{< ref "#minimum-architecture" >}}
[Requirements For Recommended Architecture]: {{< ref "#recommended-architecture" >}}
[Requirements For Alternative Architectures]: {{< ref "#alternative-architectures" >}}
[Transparent Data Encryption]: {{< url path="MSDocs.SqlServer.TransparentDataEncryption" >}}
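Review bot: `[Requirements For Minimum Architecture]` is dropped from the reference list while the sibling Recommended and Alternative definitions stay. Check that no `[Requirements For Minimum Architecture][]` usage remains in the body, because an undefined reference link renders as literal bracketed text.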
diff --git a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/install-web-application-server.md b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/install-web-application-server.md
index cdd6b50be..cb36dc6ab 100644
--- a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/install-web-application-server.md
+++ b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/install-web-application-server.md
@@ -87,9 +87,9 @@ A Friendly Name should be assigned to the certificate being used for the Cortex
|`ServiceFabricApiGatewayBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Application Server][Configure Installation Script]; if so, this value must be configured to the one used.
This will overwrite the `ServiceFabricApiGatewayBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
|`ServiceFabricApiGatewayBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Application Server][Configure Installation Script]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `ServiceFabricApiGatewayBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
|`DotNetFlowDebuggerEndpoint` | Replace `server.domain.com` with the fully qualified domain name of the server.
This will overwrite the `DotNetFlowDebuggerEndpoint` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `FlowDebuggerBasicAuthUsername`; if so, this value must be configured to the one used.
This will overwrite the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `FlowDebuggerBasicAuthPassword`; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the site containing {{% ctx %}} Gateway, `$true` if using self-signed certificates.
This will overwrite the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used.
This will overwrite the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will overwrite the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the communication between {{% ctx %}} Gateway and the Debugger, `$true` if using self-signed certificates.
This will overwrite the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
|`GatewayApplicationPoolUsername` | Replace `Domain\Username` with the user that is used to run the {{% ctx %}} Gateway application pool currently.|
|`WebRootFolder` | Replace this with the correct path for the Web Root Folder on the server. Typically this will be `C:\inetpub\wwwroot`.|
|`WebsitePort` | Replace this with the port that you wish the website to use. Typically this will be `443`.|
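Review bot: the `DotNetFlowDebuggerBasicAuthUsername` and `DotNetFlowDebuggerBasicAuthPassword` rows now name `ApiGatewayBasicAuthUsername` and `ApiGatewayBasicAuthPassword`, the same parameter names the `ServiceFabricApiGateway...` rows above use for the Application Server install. If the Debugger install really reuses those names, say explicitly that the value meant is the one set during the Debugger install and that it may differ from the Application Server one. The link label `[Install Application Server]` behind "installing the Debugger on the Web Application Server" adds to the ambiguity and should be checked against the reference definitions.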
diff --git a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
index 6371ef0fa..c743c4d43 100644
--- a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
+++ b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/prerequisites.md
@@ -34,6 +34,24 @@ The prerequisites required for a single server (as described in [Architecture][]
The server must be on a domain and cannot be a domain controller.
+## Active Directory Requirements
+
+For Gateway, only Windows domains with an Active Directory domain controller running Active Directory Domain Services are supported.
+
+Supported versions of Active Directory are listed below:
+
+| Version | Verified? | Supported From | Supported Until |
+|----------------------------|----------------|----------------|------------------|
+| Windows Server 2003 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2003 R2 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2008 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2008 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2012 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2012 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2016 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2019 | | {{% ctx %}} v2022.9 | To be evaluated |
+| Windows Server 2022 | | {{% ctx %}} v2022.9 | To be evaluated |
+
## DNS Requirements
The installation requires IP to hostname resolution to be available. Please ensure that you have the appropriate pointer (PTR) records configured on the DNS server for the server.
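Review bot: every row of the added Active Directory table has `Supported Until` set to "To be evaluated" and `Supported From` set to v2022.9, so those two columns carry no per-version information, and Windows Server 2019 and 2022 are listed with an empty `Verified?` cell. As the table is being promoted to its own top-level section, either fill in the end dates and verification status or reduce it to the version and verified columns.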
@@ -54,7 +72,7 @@ To get a licence file and feature identifier take the following steps:
Please also include a suitable {{% ctx %}} Innovation feature identifier.
```
-1. Extract `Cortex Innovation 2022.9 - Licence Fingerprint Generator.zip`.
+1. Extract `Cortex Innovation {{< version >}} - Licence Fingerprint Generator.zip`.
1. From that folder, copy `Cortex.Licensing.FingerprintGeneration.exe` to the server.
1. Double-click `Cortex.Licensing.FingerprintGeneration.exe` to run it. A command line window will appear, containing a machine identifier and fingerprint, e.g:
@@ -75,52 +93,11 @@ Gateway supports the latest versions of the following browsers:
* Edge
* Firefox
-## Certificate Requirements
-
-{{% alert title="Note" %}}
-For production systems it is recommended that an X.509 SSL certificate is obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service.
-{{% / alert %}}
-
-An X.509 SSL certificate (standard or wildcard) should be used to:
-
-* Allow Application Services to identify themselves to clients such as Gateway.
-* Prevent unauthorised nodes from joining the single node cluster.
-* Connect to Service Fabric Explorer from the Application Server.
-* Connect to Gateway.
-
-The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements:
-
-* Subject field must be in one of the following formats, depending on the certificate type:
- * Standard certificates must use the standard format (e.g. `CN=host.domain.com`).
- * Wildcard certificates must use the wildcard format, pertaining to the domain of the server (e.g. `CN=*.domain.com`).
-* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service.
-* Subject Alternative Names (SAN): At minimum the FQDN of the server. It can also include NetBIOS Name, IP address, localhost, 127.0.0.1. It must include any additional host names that should be able to be used to access the API Gateway Service.
-* Certificate file must be in a .PFX file format, with a known password.
-* Certificate file must contain the full chain of certificates.
-* Certificate file must include the private key.
-* Key Usage extension must have a value of `Digital Signature, Key Encipherment (a0)`.
-* Enhanced Key Usage must include `Server Authentication` and `Client Authentication`.
-
-This file should be placed in a known location on the server. This location will be required when running the Application Server installation script.
-
-{{< alert type="warning" title="Warning" >}}It is critical to set a reminder to {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.RolloverCertificates" title="update certificates" >}} in good time before they expire. If they expire then the platform will cease to function and {{< ahref path="Cortex.ServicePortal.MainDoc" title="CORTEX Service Portal" >}} must be contacted for support.{{< /alert >}}
-
-## TLS Requirements
-
-There is a set of non-compulsory security measures, recommended to be applied to the server, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2, and disabling all cipher suites apart from the following:
-
-* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-
-See [SSL Best Practices][] for a full list of the security changes which will be applied. The `Cortex.Innovation.Install.SSLBestPractices.ps1` script is provided during installation to apply these security changes to the server.
-
-## Additional Application Server Requirements
-
-### Filesystem Requirements
+## Filesystem Requirements
The server must use an NTFS filesystem.
-### Service Requirements
+## Service Requirements
The following Windows Services must be running on the server:
@@ -128,13 +105,13 @@ The following Windows Services must be running on the server:
* Windows Event Log
* Performance Logs & Alerts
-### Security Requirements
+## Security Requirements
-#### Installation User
+### Installation User
A domain user which is a member of the Local Administrators group on the server must be available to run the installation scripts. This is a prerequisite of Microsoft Service Fabric, which is the platform that {{% ctx %}} Innovation is built upon.
-#### Antivirus Exclusions
+### Antivirus Exclusions
It is advised (by Microsoft Service Fabric) that the following antivirus exclusions are created on the server to reduce antivirus processing on Service Fabric artefacts:
@@ -163,7 +140,7 @@ A script is provided during installation to add these exclusions for Windows Def
If adding the exclusions manually, the Process Exclusions should be done before installation occurs, as the processes will be used during installation of the application and antivirus software can cause the installation to fail or timeout. Folder Exclusions may need to be added after installation has occurred as some antivirus software needs the folders to exist.
-#### Port Requirements
+### Port Requirements
{{% ctx %}} Innovation and Microsoft Service Fabric require a range of [firewall ports to be opened][Port Requirements] between the server and specific services.
@@ -171,31 +148,44 @@ If you are using Windows Firewall, some ports are opened during installation and
The `Cortex.Innovation.Test.PortUsage.ps1` script is provided during installation to test the ports on the server and make sure they do not overlap with any other programs; most ports may be altered if this is the case, the description will say if this is not possible.
-## Additional Web Application Server Requirements
+### Certificate Requirements
-### Security Requirements
+{{< alert title="Important" color="warning" >}}It is critical to set a reminder to {{< ahref path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.RolloverCertificates" title="update certificates" >}} in good time before they expire. If they expire then the platform will cease to function and {{< ahref path="Cortex.ServicePortal.MainDoc" title="CORTEX Service Portal" >}} must be contacted for support.{{< /alert >}}
-#### Installation User
+{{% alert title="Note" %}}
+For production systems it is recommended that an X.509 SSL certificate is obtained from a Certificate Authority and used for installation. For non-production systems, certificates can be omitted from installation and it will create and use self-signed certificates. This may prevent 3rd parties that require valid certificate verification to access the API Gateway Service.
+{{% / alert %}}
-A domain user must be available to run the Application Pools for Gateway. This user must be given `Log on as a service` and `Log on as a batch job` permissions otherwise the Application Pools will not be able to run. Information about how to do this will be given during installation.
+An X.509 SSL certificate (standard or wildcard) should be used to:
-#### Domain Requirements
+* Allow Application Services to identify themselves to clients such as Gateway.
+* Prevent unauthorised nodes from joining the single node cluster.
+* Connect to Service Fabric Explorer from the Application Server.
+* Connect to Gateway.
-For Gateway, only Windows domains with an Active Directory domain controller running Active Directory Domain Services are supported.
+The certificate can be obtained from a Certificate Authority, such as [Let’s Encrypt](), and must meet the following requirements:
-Supported versions of Active Directory are listed below:
+* Subject field must be in one of the following formats, depending on the certificate type:
+ * Standard certificates must use the standard format (e.g. `CN=host.domain.com`).
+ * Wildcard certificates must use the wildcard format, pertaining to the domain of the server (e.g. `CN=*.domain.com`).
+* Subject alternative names must include any additional host names that should be able to be used to access the API Gateway Service.
+* Subject Alternative Names (SAN): At minimum the FQDN of the server. It can also include NetBIOS Name, IP address, localhost, 127.0.0.1. It must include any additional host names that should be able to be used to access the API Gateway Service.
+* Certificate file must be in a .PFX file format, with a known password.
+* Certificate file must contain the full chain of certificates.
+* Certificate file must include the private key.
+* Key Usage extension must have a value of `Digital Signature, Key Encipherment (a0)`.
+* Enhanced Key Usage must include `Server Authentication` and `Client Authentication`.
-| Version | Verified? | Supported From | Supported Until |
-|----------------------------|----------------|----------------|------------------|
-| Windows Server 2003 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2003 R2 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2008 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2008 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2012 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2012 R2 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2016 | ✓ | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2019 | | {{% ctx %}} v2022.9 | To be evaluated |
-| Windows Server 2022 | | {{% ctx %}} v2022.9 | To be evaluated |
+This file should be placed in a known location on the server. This location will be required when running the Application Server installation script.
+
+## TLS Requirements
+
+There is a set of non-compulsory security measures, recommended to be applied to the server, in order to prevent potential attacks that exploit known industry security vulnerabilities. This includes disabling all versions of SSL and TLS apart from TLS 1.2, and disabling all cipher suites apart from the following:
+
+* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+
+See [SSL Best Practices][] for a full list of the security changes which will be applied. The `Cortex.Innovation.Install.SSLBestPractices.ps1` script is provided during installation to apply these security changes to the server.
## Next Steps?
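Review bot: the relocated certificate block carries over defects that are worth fixing while the lines are being touched: `[Let’s Encrypt]()` has an empty link target, the two consecutive subject alternative name bullets overlap (the second restates the first and adds the FQDN minimum), and `{{% / alert %}}` has a stray space that differs from the `{{% /alert %}}` form used elsewhere in this patch. Separately, the Gateway application pool `Installation User` paragraph is removed with the old Web Application Server section and is not among the lines added in this hunk; confirm it is still documented somewhere in the file.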
@@ -204,7 +194,6 @@ Supported versions of Active Directory are listed below:
[Architecture]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.SingleServerWithoutHA.Architecture" >}}
[Install Application Server]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.SingleServerWithoutHA.InstallApplicationServer" >}}
[Upgrading Gateway]: {{< url path="Cortex.GettingStarted.OnPremise.AddInnovationTo72.SingleServerWithoutHA.ConfigureCortexGatewayInstallationScript" >}}
-[Create Self-Signed Certificates]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.CreateSelfSignedCertificates" >}}
[Port Requirements]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.PortRequirements" >}}
[SSL Best Practices]: {{< url path="Cortex.GettingStarted.OnPremise.InstallInnovationOnly.Advanced.SSLBestPractices" >}}
[CORTEX Service Portal]: {{< url path="Cortex.ServicePortal.MainDoc" >}}
diff --git a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/try-it-out.md b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/try-it-out.md
index eab0c08c4..fac624592 100644
--- a/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/try-it-out.md
+++ b/content/en/docs/2023.9/getting-started/on-premise/add-innovation-to-72/single-server-without-ha/try-it-out.md
@@ -16,16 +16,16 @@ Test the platform by creating a new flow and executing it using the following st
1. Click on the `Flows` charm, then the `+` button and click `Group` to open a dialog.
1. Enter a name for the group, configure the `Permission Groups` and click `OK` to create the group.
1. Click on the group to open it (refresh the page if it does not appear).
-1. Inside the group, click the `+` button again and click on Flow(Innovation)
to open a dialog. If the menu item is not present, it means that the `FeatureFlags` in the `CortexGateway.SetParameters.xml` file was not set properly when installing Gateway. See [Troubleshooting][Troubleshooting No Innovation] for more information.
+1. Inside the group, click the `+` button again and click on Flow(Innovation)
to open a dialog. If the menu item is not present, it means that the `FeatureFlags` in the `CortexGateway.SetParameters.xml` file was not set properly when updating Gateway. See [Troubleshooting][Troubleshooting No Innovation] for more information.
1. Enter a name for the flow, configure the `Permission Groups` and click `OK` to create the flow.
-1. The flow should be displayed with a start flow block and end flow block. A list of block palettes should be displayed down the left hand side:
+1. The flow should be displayed with a start flow block and end flow block, if those blocks are not displayed see [Troubleshooting][Troubleshooting Flow No Blocks]. A list of block palettes should be displayed down the left hand side:
{{< figure src="/images/New Innovation Flow View.PNG" title="New Flow - Number of palettes may differ" >}}
1. Add a `Set Variable` block and connect it between the start and end blocks.
1. Click the `Set Variable` block to open the Property Editor.
1. Set the `Value` property to the expression `DateTimeOffset.Now`.
1. Type `Result` into the `Variable` property and click `Create Result`.
1. In the Variable Editor, set `Is Output Variable?` to `true` for the new `Result` variable.
-1. Set a breakpoint on the end block and start the flow. An execution token should appear, the `Result` variable should show the current time. If the token does not appear, try refreshing the page.
+1. Set a breakpoint on the end block and start the flow. An execution token should appear, the `Result` variable should show the current time. If the token does not appear, try refreshing the page. Failing that, see [Troubleshooting][Troubleshooting Flow Not Starting].
1. Continue or stop the execution.
1. Commit the flow.
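Review bot: the reworded step "The flow should be displayed with a start flow block and end flow block, if those blocks are not displayed see [Troubleshooting][Troubleshooting Flow No Blocks]" is a comma splice. End the sentence after "end flow block" and start a new one with "If those blocks are not displayed, see ...", matching the "Failing that, see ..." sentence added to the breakpoint step.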
@@ -55,6 +55,8 @@ Test the platform by creating a new flow and executing it using the following st
1. {{% ctx %}} Innovation has now been verified and is ready to use.
[Troubleshooting During Installation]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingDuringInstallation" >}}
+[Troubleshooting Flow Not Starting]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingFlowNotStarting" >}}
+[Troubleshooting Flow No Blocks]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingFlowNoBlocks" >}}
[Troubleshooting No Innovation]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoInnovation" >}}
[Troubleshooting No Publish]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoPublish" >}}
[Troubleshooting Root Certificate Error]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoRootCertificate" >}}
diff --git a/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server.md b/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server.md
index c65c60c6c..496903b93 100644
--- a/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server.md
+++ b/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/multiple-server-with-ha/install-web-application-server.md
@@ -182,9 +182,9 @@ To install the components required for debugging, perform the steps detailed in
|`ServiceFabricApiGatewayBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Application Servers][Configure Installation Script]; if so, this value must be configured to the one used.
This will set the `ServiceFabricApiGatewayBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
|`ServiceFabricApiGatewayBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Application Servers][Configure Installation Script]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `ServiceFabricApiGatewayBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
|`DotNetFlowDebuggerEndpoint` | Replace `server.domain.com` with the fully qualified domain name of the Web Application Server.
This will set the `DotNetFlowDebuggerEndpoint` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `FlowDebuggerBasicAuthUsername`; if so, this value must be configured to the one used.
This will set the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `FlowDebuggerBasicAuthPassword`; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the site containing {{% ctx %}} Gateway, `$true` if using self-signed certificates.
This will set the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used.
This will set the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the communication between {{% ctx %}} Gateway and the Debugger, `$true` if using self-signed certificates.
This will set the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
|`GatewayApplicationPoolUsername` | Replace `Domain\Username` with the user that should be used to run the {{% ctx %}} Gateway application pool as configured in [Get {{% ctx %}} Gateway Application Pool User][Get CORTEX Gateway Application Pool User].|
|`WebRootFolder` | Replace this with the correct path for the Web Root Folder on the server. Typically this will be `C:\inetpub\wwwroot`.|
|`WebsitePort` | Replace this with the port that you wish the website to use. Typically this will be `443`.|
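Review bot: The added `DotNetFlowDebuggerUsingSelfSignedCertificates` row says when to choose `$true` but not what that choice changes in how {{% ctx %}} Gateway validates the Debugger's certificate, so an operator cannot judge what is being relaxed. Add one sentence stating the effect of `$true` on the Gateway-to-Debugger connection. In the added `DotNetFlowDebuggerBasicAuthPassword` row, the value is written to the Gateway web.config, yet encryption is only offered as "It can be"; consider wording it as the recommended form.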
diff --git a/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md b/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md
index 89877e15d..0f8eae029 100644
--- a/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md
+++ b/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/install-web-application-server.md
@@ -170,9 +170,9 @@ Once the certificate has been imported, a `Friendly Name` should be assigned whi
|`ServiceFabricApiGatewayBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Application Server][Configure Installation Script]; if so, this value must be configured to the one used.
This will set the `ServiceFabricApiGatewayBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
|`ServiceFabricApiGatewayBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Application Server][Configure Installation Script]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `ServiceFabricApiGatewayBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
|`DotNetFlowDebuggerEndpoint` | Replace `server.domain.com` with the fully qualified domain name of the Web Application Server.
This will set the `DotNetFlowDebuggerEndpoint` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `FlowDebuggerBasicAuthUsername`; if so, this value must be configured to the one used.
This will set the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `FlowDebuggerBasicAuthPassword`; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
- |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the site containing {{% ctx %}} Gateway, `$true` if using self-signed certificates.
This will set the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthUsername` | This must be changed if you used a non-default `ApiGatewayBasicAuthUsername` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used.
This will set the `DotNetFlowDebuggerBasicAuthUsername` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerBasicAuthPassword` | This must be changed if you used a non-default `ApiGatewayBasicAuthPassword` when [installing the Debugger on the Web Application Server][Install Application Server]; if so, this value must be configured to the one used. It can be [{{% ctx %}} Encrypted][CORTEX Encrypted].
This will set the `DotNetFlowDebuggerBasicAuthPassword` value in the {{% ctx %}} Gateway web.config.|
+ |`DotNetFlowDebuggerUsingSelfSignedCertificates` | Configure the value as `$false` if you are using valid CA certificates to secure the communication between {{% ctx %}} Gateway and the Debugger, `$true` if using self-signed certificates.
This will set the `DotNetFlowDebuggerUsingSelfSignedCertificates` value in the {{% ctx %}} Gateway web.config.|
|`GatewayApplicationPoolUsername` | Replace `Domain\Username` with the user that should be used to run the {{% ctx %}} Gateway application pool as configured in [Get {{% ctx %}} Gateway Application Pool User][Get CORTEX Gateway Application Pool User].|
|`WebRootFolder` | Replace this with the correct path for the Web Root Folder on the server. Typically this will be `C:\inetpub\wwwroot`.|
|`WebsitePort` | Replace this with the port that you wish the website to use. Typically this will be `443`.|
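Review bot: The added `DotNetFlowDebuggerBasicAuthUsername` and `DotNetFlowDebuggerBasicAuthPassword` rows now name `ApiGatewayBasicAuthUsername` and `ApiGatewayBasicAuthPassword`, the same parameter names the unchanged `ServiceFabricApiGateway...` rows above attribute to the Application Server install. The only thing distinguishing the two sources is the link target, so a reader can easily copy the Application Server credentials into the Debugger settings. Please confirm the Debugger install really uses those parameter names (the removed lines called them `FlowDebuggerBasicAuthUsername` and `FlowDebuggerBasicAuthPassword`) and, if it does, say explicitly that these are the Debugger's values and not the Application Server's. Also check that the `[Install Application Server]` reference is defined in this file, as no definition is added in this hunk.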
diff --git a/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/try-it-out.md b/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/try-it-out.md
index e2ce3a111..5bec699f1 100644
--- a/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/try-it-out.md
+++ b/content/en/docs/2023.9/getting-started/on-premise/install-innovation-only/single-server-without-ha/try-it-out.md
@@ -18,14 +18,14 @@ Test the platform by creating a new flow and executing it using the following st
1. Click on the group to open it (refresh the page if it does not appear).
1. Inside the group, click the `+` button again and click on `Flow` to open a dialog. If the menu item is not present, it means that the `FeatureFlags` in the `CortexGateway.SetParameters.xml` file was not set properly when installing Gateway. See [Troubleshooting][Troubleshooting No Innovation] for more information.
1. Enter a name for the flow, configure the `Permission Groups` and click `OK` to create the flow.
-1. The flow should be displayed with a start flow block and end flow block. A list of block palettes should be displayed down the left hand side:
+1. The flow should be displayed with a start flow block and end flow block, if those blocks are not displayed see [Troubleshooting][Troubleshooting Flow No Blocks]. A list of block palettes should be displayed down the left hand side:
{{< figure src="/images/New Innovation Flow View.PNG" title="New Flow - Number of palettes may differ" >}}
1. Add a `Set Variable` block and connect it between the start and end blocks.
1. Click the `Set Variable` block to open the Property Editor.
1. Set the `Value` property to the expression `DateTimeOffset.Now`.
1. Type `Result` into the `Variable` property and click `Create Result`.
1. In the Variable Editor, set `Is Output Variable?` to `true` for the new `Result` variable.
-1. Set a breakpoint on the end block and start the flow. An execution token should appear, the `Result` variable should show the current time. If the token does not appear, try refreshing the page.
+1. Set a breakpoint on the end block and start the flow. An execution token should appear, the `Result` variable should show the current time. If the token does not appear, try refreshing the page. Failing that, see [Troubleshooting][Troubleshooting Flow Not Starting].
1. Continue or stop the execution.
1. Commit the flow.
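Review bot: The added text in the fourth step joins two sentences with a comma ("...end flow block, if those blocks are not displayed see ..."); split it into its own sentence, e.g. "If those blocks are not displayed, see ...". With this change the step list carries three links that all render as "Troubleshooting" (No Innovation, Flow No Blocks, Flow Not Starting), so the link text no longer tells the reader which section they will land on; consider link text that names the symptom.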
@@ -55,6 +55,8 @@ Test the platform by creating a new flow and executing it using the following st
1. {{% ctx %}} Innovation has now been verified and is ready to use.
[Troubleshooting During Installation]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingDuringInstallation" >}}
+[Troubleshooting Flow Not Starting]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingFlowNotStarting" >}}
+[Troubleshooting Flow No Blocks]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingFlowNoBlocks" >}}
[Troubleshooting No Innovation]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoInnovation" >}}
[Troubleshooting No Publish]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoPublish" >}}
[Troubleshooting Root Certificate Error]: {{< url path="Cortex.Reference.Troubleshooting.Installation.TroubleshootingNoRootCertificate" >}}
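Review bot: The two added reference definitions break the alphabetical order the surrounding list follows: `[Troubleshooting Flow Not Starting]` is placed before `[Troubleshooting Flow No Blocks]`. Swap them so the block stays sorted.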
diff --git a/data/urls.toml b/data/urls.toml
index 274997460..f935e00ed 100644
--- a/data/urls.toml
+++ b/data/urls.toml
@@ -1911,6 +1911,8 @@
[Cortex.Reference.Troubleshooting.Installation]
TroubleshootingDuringInstallation= "/docs/reference/troubleshooting/installation#ts-during-installation"
TroubleshootingNoInnovation = "/docs/reference/troubleshooting/installation#ts-no-innovation"
+ TroubleshootingFlowNotStarting = "/docs/reference/troubleshooting/installation#ts-flow-not-starting"
+ TroubleshootingFlowNoBlocks = "/docs/reference/troubleshooting/installation#ts-no-blocks"
TroubleshootingAfterInstallation= "/docs/reference/troubleshooting/installation#ts-after-installation"
TroubleshootingNoBlocks = "/docs/reference/troubleshooting/installation#ts-no-blocks"
TroubleshootingNoPublish = "/docs/reference/troubleshooting/installation#ts-no-publish"