For Integrated Windows Authentication (i.e. seamless SSO without a login prompt), what is the best practice?
Should internal users hit the ADFS servers instead of the ADFS proxies? And if yes, does the ADFS traffic go through the site-to-site VPN or over the Internet to the public VIP of the ADFS servers?
It seems that in Azure the endpoints for the ADFS servers are a publicly accessible VIP and not an internal one.