ADFS 3.0 WAP Publishing Rule in TMG for Certificate Authentication

Having a real issue with TMG publishing ADFS 2012 R2 certificate authentication. I have successfully published NLB WAP servers and everything works fine to the ADFS NLB servers internally. But when I try to publish 49443 (certificate authentication) it hits the WAP servers with no issues, then gets blocked from the WAP servers to the ADFS servers as unidentified TCP traffic. I have created a separate access rule for this as I can see it creates a new connection. Just unsure as to how it sees 49443 as defined traffic in one rule and blocked in the next!

TMG is behind a firewall, so internet traffic is NAT'd to the TMG external interface; a non-web rule allows access to the WAP server NLB address. WAP servers are single NIC and send traffic from TMG DMZ to TMG Internal to hit the internal ADFS servers.

Any help appreciated. I know this is a non-standard install, but I am lacking choices from the client. I have seen this article, but is it applicable to ADFS 3.0 as well, which lacks IIS?

March 18th, 2015 12:34am
