We are working on deploying ADFS for SSO with o365.
We have a consulting firm that handles our firewall configuration.
Today, while attempting to get them to set up a DMZ for me to install my ADFS proxy server, the consultant attempted to convince me to just have them open up port 443 directly to the ADFS server, and to not use a proxy at all. He told me that such a configuration was standard practice now.
Because of the nature of our business, we have very stringent security requirements, including that no internal servers be opened up to the outside.
The question I have is, was he just blowing smoke because he was lazy and didn't want to configure the DMZ, or does he have a legitimate point?
Oh hell no!
DO NOT PUT THE PRIMARY ADFS SERVER ON THE INTERNET!
There is a specific reason that the Proxy role was invented, and placing your primary ADFS box on the internet is not a smart idea. Primarily because the primary server by default is configured to only allow for Windows-based authentication, which means anyone can submit requests and attempt to brute force their way in. Worse, if they get a password they now have a valid username and password on your domain, the worst kind of pain.
The proxy, however, uses a web-forms based approach to reduce the threat by forcing users outside of your corporate firewall to log in via a web form. If they pass, it returns either a cookie or a redirect token that the trusted service (see O365) uses.
Either way, this directly violates the recommended setup by Microsoft and certainly would not pass security audit validation. Plus, since you are only exposing port 80 and 443 traffic to the proxy, it would not be very hard to simply port forward only those two ports over a specific IP to your proxy (or load-balanced proxies). Regardless, a DMZ is the smart move, especially if you have other public facing services.
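As an added illustration (not part of any answer in this thread), the following Python policy lint models the two designs being argued about: the consultant's "open 443 straight to the internal ADFS server" versus the DMZ design where only the non-domain-joined proxy is Internet-facing and only the proxy may reach the federation server. Host names, zones and rules are constructed for the example; the check reports any internal, domain-joined host that the Internet zone can reach directly.

```python
"""Policy lint for the ADFS exposure question above (constructed example).

Rules are (src_zone, dst_host, dst_port, action), evaluated first-match with
a default deny. internet_exposed() lists internal, domain-joined hosts that
the Internet zone can reach directly on the web ports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str            # "internal" or "dmz"
    domain_joined: bool  # the proxy role does not need domain membership


@dataclass(frozen=True)
class Rule:
    src_zone: str        # "internet", "dmz", "internal" or "any"
    dst_host: str
    dst_port: int
    action: str          # "allow" or "deny"


def is_allowed(rules, src_zone, host, port):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.src_zone in (src_zone, "any") and r.dst_host == host.name and r.dst_port == port:
            return r.action == "allow"
    return False


def internet_exposed(rules, hosts, ports=(80, 443)):
    """Names of internal, domain-joined hosts reachable straight from the Internet."""
    return sorted(h.name for h in hosts
                  if h.zone == "internal" and h.domain_joined
                  and any(is_allowed(rules, "internet", h, p) for p in ports))


# Constructed hosts: the federation server (domain-joined) and the DMZ proxy (not).
ADFS = Host("adfs01", "internal", True)
PROXY = Host("adfsproxy01", "dmz", False)
HOSTS = [ADFS, PROXY]

# Consultant's proposal: port 443 opened directly to the internal federation server.
DIRECT = [Rule("internet", "adfs01", 443, "allow")]

# DMZ design: only 80/443 to the proxy from outside; only the proxy reaches adfs01.
DMZ = [
    Rule("internet", "adfsproxy01", 443, "allow"),
    Rule("internet", "adfsproxy01", 80, "allow"),
    Rule("dmz", "adfs01", 443, "allow"),
]

if __name__ == "__main__":
    print("direct exposure:", internet_exposed(DIRECT, HOSTS))  # ['adfs01']
    print("dmz design:     ", internet_exposed(DMZ, HOSTS))     # []
```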
Depends on what this consultant is doing though. If they handle the firewall in front of the ADFS server with something like TMG, then it is able to perform the role of the proxy and present a webforms auth to an external client instead of just opening a hole directly to 443 on the internal ADFS 2.0 server.
I'm on the same side with absolutely not directly exposing the internal ADFS server to the Internet. No matter how safe someone tries to tell me that is, you are still talking about directly exposing a domain-joined server to the public Internet.
The proxy servers are not required to be joined to the domain. Another advantage of using them.
-E