We want our domain users to authenticate to third-party websites that we will create an ADFS federation with.
When they launch the website from our own domain, SSO should be used; when they launch the site from the internet, MFA should be included as well.
Now ALL best-practice topologies I find on the internet include a Web Application Proxy in the DMZ, like this one over here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/media/best-practices-securing-ad-fs/adfssec1.png
Am I missing something here? I don't think we need WAP for our scenario; we will use our own load balancer (Netscaler) just as a reverse proxy to hide the ADFS address.
In short, I leave ADFS in our INTRANET close to the domain controller, and our LB has a virtual IP which points to the ADFS server. Is this correct?