I have a RMS on the internal network, a Gateway Server in the DMZ with the RootCA, SubCA, and an IPSec certificate issued as per Microsoft documentation for configuring a SCOM Gateway Server. The Gateway server is showing as Healthy in the SCOM console.
For DMZ agents I've imported the RootCA, SubCA, and issued the IPSec certificate to them as well. During the SCOM Agent installation I put in the Management Group name (there is only one) and used the DMZ Gateway server as the Management Server and left the port default (5723).
Port 5723 is open inbound and outbound on Windows Firewall on all servers and the firewall between the RMS and the Gateway Server. Certificates are loaded successfully on agents and on the DMZ.
The Health Service event logs on the client agents show eventids 21016 and 20071. They are in a "Not Monitored" state in the SCOM Console.
I just can't figure out what I might have missed. Any assistance would be appreciated.