Q: I'm trying to use Certificate Authentication or Device Registration with Active Directory Federation Services on Windows Server 2012 R2, but it fails when connecting externally from the network. Why?

A: A change was made to Active Directory Federation Services (AD FS) in Windows Server 2012 R2 related to device registration, and that change also affects certificate authentication. When a client initiates a TCP connection for certificate authentication to the AD FS server or the Web Application Proxy (WAP) server, the connection goes to port 49443 rather than 443. This means you need firewall exceptions, and WAP publishing if WAP is used, for TCP port 49443 in addition to 443 on the AD FS or WAP server. Microsoft documents this change in "Preparing to Migrate the AD FS Federation Server."
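The following PowerShell is an added example, not part of the original answer or of Microsoft's documentation. It checks from an external client that both TCP 443 and TCP 49443 are reachable on the published AD FS or WAP name, and shows the inbound Windows Firewall rule that opens 49443 on the server itself. The host name `sts.example.com` and the rule display name are placeholders; any firewall or load balancer in front of the server still needs its own exception for 49443.

```powershell
# Added example: verify external reachability of the AD FS / WAP ports.
# 443   - normal AD FS and WAP traffic
# 49443 - certificate authentication endpoint introduced in AD FS on Server 2012 R2
$FederationHost = 'sts.example.com'   # placeholder: your published AD FS/WAP name
$Ports = 443, 49443

# Run this from a client outside the network (or from the WAP when checking
# its path to the internal AD FS server).
$Results = foreach ($Port in $Ports) {
    $Test = Test-NetConnection -ComputerName $FederationHost -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $FederationHost
        Port      = $Port
        Reachable = $Test.TcpTestSucceeded
    }
}
$Results | Format-Table -AutoSize

# Typical failure pattern for the problem in the question: 443 succeeds and
# 49443 does not. That points at a missing firewall exception or WAP/load
# balancer publishing rule for 49443, not at the certificates themselves.
$Blocked = $Results | Where-Object { -not $_.Reachable }
if ($Blocked) {
    Write-Warning ("TCP port(s) not reachable on {0}: {1}" -f $FederationHost, ($Blocked.Port -join ', '))
}

# On the AD FS or WAP server itself, allow inbound 49443 in Windows Firewall.
# Run elevated; the display name is a placeholder of your choosing.
$RuleName = 'AD FS Certificate Authentication (TCP 49443)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
                        -Direction Inbound `
                        -Protocol TCP `
                        -LocalPort 49443 `
                        -Action Allow `
                        -Profile Domain, Private, Public | Out-Null
}
```

Run the reachability check from the same kind of client that fails, because a test from inside the network will usually pass on both ports and hide the external block. Keep the rule scoped to TCP 49443 only; it is not a reason to open a broader port range toward the federation servers.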