A CEM policy was enabled in the console listing the Internet Gateway by external IP rather than external FQDN. The IP address is correct and externally resolvable. However, when a CEM-enabled agent attempts to connect to the gateway, logs show that it fails to resolve the CEM gateway address.
In one instance of this issue, we found that the CEM Gateway policy used an external IP address that had a hidden extra character entered before the start of the IP.
This was validated by selecting the external IP entry in the CEM policy, and then editing the entry. We noticed that when attempting to arrow over from the start of the line to the first character it took two keystrokes when it should have taken one
After removing the entire line and re-entering the external IP address, CEM-enabled agents were then able to successfully resolve and connect through the gateway