
Is it acceptable to simply deploy ADFS and expose 80/443 to the Internet, as opposed to deploying redundant Front End and Back End servers?

I understand that I'm missing out on Token Replay Attack prevention, but I also notice that different endpoints are available on the internal vs. external proxy... namely Kerberos and "trusttcp" are disabled externally. Should I disable these when exposing the internal ADFS server to the Internet?

makerofthings7

1 Answer


It's certainly not required, but it does change the attack surface significantly. It switches from having a domain-joined server publicly accessible to having a server a DMZ hop away from a domain-joined server.

The proxy explicitly disables Windows Integrated auth because the assumption is that 1) the client machine won't have access to AD to request a ticket, and 2) the proxy is in a DMZ that won't have access to AD to validate the ticket. If WIA were attempted it would fall back to something far less secure.

It is definitely wise to disable those endpoints since they probably won't work from the internet.

Steve
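The endpoint clean-up the answer recommends, as an added example that is not part of the original question or answer. It assumes the AD FS PowerShell cmdlets (`Get-AdfsEndpoint`, `Disable-AdfsEndpoint`, or the ADFS 2.0 snap-in equivalents) are available on the federation server in an elevated shell, and that the endpoint objects expose the `AddressPath`, `Enabled`, `Proxy` and `ClientCredentialType` properties that `Get-AdfsEndpoint` prints. The `$KeepAddressPaths` default list is a placeholder assumption; put whatever your relying parties actually need there.

```powershell
# Added example, not code from the original post. Assumes the AD FS cmdlets
# are present on the federation server and the shell is elevated.
# Run with -WhatIf first; it changes nothing until you drop the switch.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Endpoints that must stay up even if flagged below (assumed defaults;
    # adjust to what your relying parties use).
    [string[]] $KeepAddressPaths = @(
        '/adfs/ls/',
        '/FederationMetadata/2007-06/FederationMetadata.xml'
    )
)

# On ADFS 2.0 the cmdlets live in a snap-in rather than an auto-loaded module.
if (-not (Get-Command Get-AdfsEndpoint -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

# Everything the federation service currently answers on.
$endpoints = Get-AdfsEndpoint

# Candidates: enabled on the internal server, but either not published through
# a proxy (Proxy -eq $false, e.g. the trusttcp endpoints) or relying on Windows
# Integrated auth, which the proxy never forwards and which cannot work for
# Internet clients anyway. Anything in $KeepAddressPaths is left alone.
$candidates = $endpoints | Where-Object {
    $_.Enabled -and
    (($_.Proxy -eq $false) -or ($_.ClientCredentialType -eq 'Integrated')) -and
    ($KeepAddressPaths -notcontains $_.AddressPath)
}

Write-Host 'Enabled internally but not something a proxy would expose:'
$candidates |
    Select-Object AddressPath, Protocol, SecurityMode, ClientCredentialType, Proxy |
    Format-Table -AutoSize

# Disable each candidate; ShouldProcess honours -WhatIf / -Confirm.
foreach ($ep in $candidates) {
    if ($PSCmdlet.ShouldProcess($ep.AddressPath, 'Disable-AdfsEndpoint')) {
        Disable-AdfsEndpoint -TargetAddressPath $ep.AddressPath
    }
}

# Re-read the configuration and report anything the proxy would have hidden
# that is still enabled (ignoring the paths we deliberately kept).
$remaining = Get-AdfsEndpoint | Where-Object {
    $_.Enabled -and ($_.Proxy -eq $false) -and
    ($KeepAddressPaths -notcontains $_.AddressPath)
}
if ($remaining) {
    Write-Warning ("Still enabled and unproxied: " + ($remaining.AddressPath -join ', '))
} else {
    Write-Host 'No enabled endpoints remain that a proxy would not publish.'
}
```

Two caveats before running it without `-WhatIf`: disabling the `windowstransport` / `trusttcp` endpoints also removes Kerberos SSO for domain-joined clients on the LAN, so if internal users hit the same directly exposed server they lose that; and on older AD FS versions endpoint changes are only picked up after restarting the AD FS Windows service (`Restart-Service adfssrv`), so schedule the change accordingly. The script only narrows the endpoint list; it does nothing about the token replay detection and DMZ hop the answer says you give up by skipping the proxy.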