Forum Discussion
Setting up MFA for RD Web Access and RD Web Client using ADFS
All servers in our Remote Desktop Gateway (RDG) environment are running Windows Server 2022 (Datacenter and Standard).
The RDG environment is fully operational. Users can successfully authenticate to RD Web Access and the RD Web Client, and all published folders and servers are visible as expected. Most servers are configured for direct access, with a few configured as Session Hosts. Overall, everything is functioning correctly except the MFA.
Based on my research into integrating ADFS MFA with RD Web Access / RD Web Client, it appears that MFA is only triggered when authentication flows through Web Application Proxy (WAP).
Question:
To support MFA for internal users without exposing RD Web externally, I’m considering creating a separate WAP cluster dedicated to internal traffic that would proxy authentication requests to the ADFS servers and trigger MFA.
Since I’m still building familiarity with WAP and ADFS, is it supported for ADFS to work with two WAP clusters, one handling internal traffic and another handling external traffic, against the same ADFS farm?
-Larry