If the app supports RADIUS or LDAP authentication and can still contact the Authentication proxy it should be OK. It is hard to give an authoritative answer without knowing your applicaton’s network architecture.
client > intranet > app > intranet Duo Authentication Proxy RADIUS or LDAP > your primary auth server wherever it is (optional depending on the app) > internet > Duo’s cloud service for 2FA
and
client > internetv> app > intranet Duo Authentication Proxy RADIUS or LDAP > your primary auth server wherever it is (optional depending on the app) > internet > Duo’s cloud service for 2FA
are both possible (you would need to create your firewall egress rules accordingly).