ADFS needs port 49443
ADFS 2.1 User Certificate Authentication and/or Device Registration Authentication Fails with Server 2012 R2
Problem: Using Certificate Authentication or Device Registration with ADFS on Server 2012 R2 fails when published externally. Internally it works, externally it fails.
Cause: Changes were made in ADFS on Windows Server 2012 R2 to support Device registration. These same changes apply certificate authentication, where the client (machine and / or web browser) initiates a TCP connection to the ADFS or WAP server on destination port 49443. This design change is documented here: https://technet.microsoft.com/en-us/library/dn486819.aspx.
Solution: On your external Firewall, in addition to TCP port 443, publish TCP port 49443 for ADFS or the WAP (preferred method).