I am currently looking for some best practices installing a SharePoint 2013 farm (two WFEs, one App Server, one OWA, two SQL Server in failover cluster) in a DMZ.
Both farms (internal and the one in the DMZ) shall be completely seperate from each other with one exception: Internal users should access both farms with the same user account.
Am I right that I only need to install an ADFS proxy in the DMZ Or do I need more to achieve this?
DMZ is poor placement practice for a SharePoint farm. The reason is in a typical deployment you need to authenticate to Active Directory which is most often kept internal. This means there are numerous ports you must open to each DC within the internal network.
The best practice would be to use a pre-auth reverse proxy, such as WAP + ADFS. WAP is the only service that needs to reside in the DMZ.
You should also consider using Azure AD Application Proxy instead of the OnPrem ADFS + WebApplicationProxy combination.
AAD-Proxy completely eliminates the need of any inbound ports. It also enables Kerberos-Authentication, which does not bring the bunch of drawbacks that come with ADFS&WAP&SAML.
