No the STS is not publicly visible. There are two main components of CAM. The STS and the Proxy. The STS component sits in the internal network and communicates with Active Directory. The proxy is hosted in the DMZ and is the only part exposed to the outside world. All traffic between the proxy and the STS happens over HTTPS on port 443.