Well, there is no direct authentication with AADConnect. You authenticate with Azure. (And no, publishing of the AADConnect server on the internet is not required.)
When you transition from a federated to managed scenario using SSO/PHS, you are setting AADConnect to handle the PHS and SSO configuration, not so you can authenticate to AADConnect.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/plan-migrate-adfs-password-hash-sync