ASA Firewall Rules need to do the following. (Using Cisco ASDM 6.3 console)
1 x ADFS Proxy server (192.168.x.x) needs to see the internal ADFS server (172.x.x.x)
(I can't currently join the ADFS Proxy server to the domain)
1 x Front End Web server (192.168.x.x) needs to see the internal CRM server (172.x.x.x)
(I can't currently join the Front End Web server to the domain)
External end users with AD accounts to enter a CRM URL (crm.domain.co.uk) via browser on tablet
URL points to Front End Web server in the DMZ, then redirects to the ADFS server via the ADFS proxy in the DMZ
ADFS authenticates the user against the internal DC, and then the Front End Web server in the DMZ redirects to the internal CRM SQL boxes rendering CRM to the external users/s.