Hello,
I have two AD FS 3.0 servers in the intranet and two AD FS proxies in the DMZ. For the firewall settings on the two AD FS 3.0 servers, I set the default outbound connection to block and created a custom outbound rule allowing connections to the intranet.
When I add a new relying party, AD FS cannot verify the certificate of the RP. The certificate of the relying party is a wildcard cert issued by DigiCert. I have already installed the root CA cert in the Trusted Root Certification Authorities store of both AD FS servers, but AD FS still cannot recognize the certification path. After I change the default outbound connection to allow in the firewall settings, AD FS can verify the certificate. I continued the process and closed internet access after users could log in successfully.
A few days later, users could not log in. The following error appears in the AD FS log:
Event ID 317:
An error occurred during an attempt to build the certificate chain for the relying party trust 'https://xxxx.xxxx.xxx.xx' certificate identified by thumbprint 'xxxxxxxxx'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.You can use Windows PowerShell commands for AD FS to configure the revocation settings for the relying party encryption certificate.
Relying party trust's encryption certificate revocation settings: CheckChainExcludeRoot
The following errors occurred while building the certificate chain:
The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.
User Action:
Ensure that the relying party trust's encryption certificate is valid and has not been revoked.
Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
I reopened the outbound rule in the firewall; then everything ran as normal and users could log in again.
Does AD FS require internet access for certification path checking? If I really want to block internet access, which port do I need to open in order to allow AD FS to check the certificate?
Thank you very much.
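Added example, not part of the original post: the endpoints AD FS must reach for the `CheckChainExcludeRoot` setting are the CRL distribution point and OCSP (Authority Information Access) URLs embedded in each certificate of the RP's chain below the root, normally plain HTTP on port 80. This script, run on an AD FS server, lists those hosts and ports so they can be allowed through the outbound firewall; the relying party trust name is a placeholder.

```powershell
# Added example (not from the original post). Requires the ADFS module on the AD FS server.

function Get-RevocationEndpoint {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # CRL Distribution Points (2.5.29.31) and Authority Information Access (1.3.6.1.5.5.7.1.1)
    # carry the URLs the chain builder downloads; Format() renders them as text with "URL=" entries.
    $oids = @{ '2.5.29.31' = 'CRL'; '1.3.6.1.5.5.7.1.1' = 'AIA/OCSP' }
    foreach ($ext in $Certificate.Extensions) {
        if (-not $oids.ContainsKey($ext.Oid.Value)) { continue }
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            $uri = [uri]$m.Groups[1].Value
            [pscustomobject]@{
                Subject = $Certificate.Subject
                Kind    = $oids[$ext.Oid.Value]
                Host    = $uri.Host
                Port    = $uri.Port        # almost always 80: CRL and OCSP use plain HTTP
                Url     = $uri.AbsoluteUri
            }
        }
    }
}

# Walk the chain of the RP's encryption certificate so intermediate CA endpoints are
# listed too: CheckChainExcludeRoot checks every certificate below the root.
function Get-RpTrustRevocationEndpoint {
    param([Parameter(Mandatory)][string]$TargetName)   # placeholder RP trust name
    $rp = Get-AdfsRelyingPartyTrust -Name $TargetName
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'      # build the chain only, no live revocation lookup here
    [void]$chain.Build($rp.EncryptionCertificate)
    foreach ($el in $chain.ChainElements) { Get-RevocationEndpoint -Certificate $el.Certificate }
}

$name = 'RP-TRUST-NAME-PLACEHOLDER'

# Current revocation settings for the trust (the Event ID 317 text refers to the encryption setting).
Get-AdfsRelyingPartyTrust -Name $name |
    Select-Object Name, EncryptionCertificateRevocationCheck, SigningCertificateRevocationCheck

# Hosts and ports the outbound firewall rule must allow for this trust.
$endpoints = Get-RpTrustRevocationEndpoint -TargetName $name | Sort-Object Host, Port -Unique
$endpoints | Format-Table Kind, Host, Port, Url -AutoSize

# Verify each endpoint is reachable from the AD FS server itself.
$endpoints | Sort-Object Host -Unique | ForEach-Object {
    Test-NetConnection -ComputerName $_.Host -Port $_.Port | Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Re-run the check for each relying party trust, since different RPs may chain to different CAs with different CRL and OCSP hosts.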