Here's the scenario:
I'm thinking this could be achieved by placing a reverse proxy in front of ArcGIS Server. Only non-secured services would be available externally, so my assumption is ArcGIS server would never need to delegate authentication to Portal.
Anyone see any problems with this?