For SSO to work, you still need the server in AD
Whilst you can find out the firewall ports needed to make this work, it is a VERY bad idea - if your server is compromised, the fact that it can talk to AD (and NTLM for SSO) means that someone could roam around your network and you may not have a clue.
We had to move our server out of the DMZ to make SSO work internally, on the above security grounds. We then use a Reverse Proxy to publish the site.
Note, when our server was in the DMZ we just had an LDAP lookup to AD - which was deemed acceptable and necessary.
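As an added example (not part of the post above, and not the poster's own tooling), the following PowerShell script makes the distinction the post draws concrete: run from the DMZ web server, it probes a domain controller on the TCP ports a domain-joined member (and NTLM/Kerberos SSO) needs versus the LDAP/LDAPS ports a plain directory lookup needs, and flags anything open beyond LDAP as excess exposure. The domain controller names, the port list and the timeout are assumptions to adjust for your own environment.

```powershell
# Added example, not from the original post. Run on the DMZ host to see which
# AD ports it can actually reach and whether that exceeds an LDAP-only lookup.
# Assumed (hypothetical) values: the DC names and the connect timeout below.

$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')   # assumed names
$TimeoutMs = 2000                                                   # assumed timeout

# TCP ports a domain member commonly needs (per Microsoft's AD port requirements).
# A plain LDAP lookup needs only 389 (LDAP) or 636 (LDAPS).
# Not probed: the dynamic RPC range (49152-65535) and UDP (DNS, Kerberos, NTP).
$Ports = @(
    @{ Port = 53;   Name = 'DNS';                      LdapOnly = $false },
    @{ Port = 88;   Name = 'Kerberos';                 LdapOnly = $false },
    @{ Port = 135;  Name = 'RPC endpoint mapper';      LdapOnly = $false },
    @{ Port = 389;  Name = 'LDAP';                     LdapOnly = $true  },
    @{ Port = 445;  Name = 'SMB (SYSVOL, NTLM auth)';  LdapOnly = $false },
    @{ Port = 464;  Name = 'Kerberos password change'; LdapOnly = $false },
    @{ Port = 636;  Name = 'LDAPS';                    LdapOnly = $true  },
    @{ Port = 3268; Name = 'Global catalog';           LdapOnly = $false },
    @{ Port = 3269; Name = 'Global catalog (TLS)';     LdapOnly = $false }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Target, $Port)
        # Wait returns $false on timeout; a refused connection throws and is caught below.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

$Findings = foreach ($dc in $DomainControllers) {
    foreach ($p in $Ports) {
        $open = Test-TcpPort -Target $dc -Port $p.Port -TimeoutMs $TimeoutMs
        [pscustomobject]@{
            DomainController = $dc
            Port             = $p.Port
            Service          = $p.Name
            Open             = $open
            # Open and not needed for an LDAP lookup: a compromised DMZ host could
            # use it to reach further into the internal network.
            ExcessExposure   = ($open -and -not $p.LdapOnly)
        }
    }
}

$Findings | Format-Table -AutoSize

$excess = @($Findings | Where-Object ExcessExposure)
if ($excess.Count -gt 0) {
    Write-Warning "DMZ host can reach $($excess.Count) AD port(s) beyond LDAP/LDAPS; review the firewall policy."
} else {
    Write-Host 'Only LDAP/LDAPS reachable from this host (TCP probes only).'
}
```

The probe is TCP-only, so a clean result still does not prove that UDP Kerberos or DNS are blocked, and an "Open" on 88, 135 or 445 is exactly the condition the post warns about: enough for a compromised DMZ server to authenticate and roam rather than merely look names up.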