Duo Access Gateway internal and not DMZ

Looking to enable SSO for our backup platform Cohesity. Their solutions guide say to setup Duo Access Gateway (DAG) and create a Duo SSO application using using the Generic Service Provider. Then add as an SSO Provider in Cohesity. Reading the DAG requirements it says to deploy in DMZ. Can the DAG be on internal network if integration is only being configured for an on-prem application?

Since many customers are setting up DAG for both internal and external access (even of on-premises applications), we recommend putting the DAG in a DMZ to avoid opening up ingress for external users to your internal network.

If your DAG SSO site will only be accessed by users on the internal network then yes, you can install it on the internal network.