As a DMZ environment, I'm guessing that there are (or I hope there are) firewalls or routers or other security things in place to most definitely wall your DMZ off from your production environment.
There are possibly some ports which will need to be opened up in those firewalls/routers to allow for communication to the CM Servers from your DMZ to production environment.
Have you, and your network team, reviewed the ports needed? See https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/ports
You might need to engage your network team to use some sort of 'sniffing' tool to see what ports the client is attempting to use to communicate, and failing, so they know which ones to allow traffic over. Make sure you and they document, document, document which ones are needed in YOUR environment... because most likely "one day" you might have to add or replace servers, and different IP addresses would need to be allowed for traffic.
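
One way to check and record the flows discussed in the answer above, run from the DMZ client. This is an added example, not part of the original answer and not a Microsoft tool. The server names are placeholders, `Test-TcpPort` is a hypothetical helper, and the ports are the ConfigMgr defaults for client traffic, which may differ in your site.

```powershell
# Added example. Server names are placeholders; ports are ConfigMgr defaults
# (verify against the linked Microsoft ports article and your site's settings).
$Targets = @(
    @{ Server = 'cm-mp01.corp.example';  Port = 443;   Purpose = 'Management point (HTTPS)' }
    @{ Server = 'cm-mp01.corp.example';  Port = 80;    Purpose = 'Management point (HTTP)' }
    @{ Server = 'cm-mp01.corp.example';  Port = 10123; Purpose = 'Client notification' }
    @{ Server = 'cm-dp01.corp.example';  Port = 443;   Purpose = 'Distribution point (HTTPS)' }
    @{ Server = 'cm-sup01.corp.example'; Port = 8531;  Purpose = 'Software update point (HTTPS)' }
)

function Test-TcpPort {   # hypothetical helper, not a built-in cmdlet
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # No answer within the timeout usually means a device is silently dropping the SYN.
        if (-not $client.ConnectAsync($Server, $Port).Wait($TimeoutMs)) { return 'Timeout' }
        return 'Open'
    }
    catch {
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Net.Sockets.SocketException] -and
            $base.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # A reset came back: the host (or a rejecting firewall) answered,
            # but nothing accepted the connection on that port.
            return 'Refused'
        }
        return "Error: $($base.Message)"
    }
    finally { $client.Close() }
}

# One row per flow: who tested, against what, for which role, and what happened.
$results = foreach ($t in $Targets) {
    [pscustomobject]@{
        CheckedUtc = (Get-Date).ToUniversalTime().ToString('s')
        Source     = $env:COMPUTERNAME
        Server     = $t.Server
        Port       = $t.Port
        Purpose    = $t.Purpose
        Result     = Test-TcpPort -Server $t.Server -Port $t.Port
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path .\cm-port-check.csv -NoTypeInformation
```

The CSV gives the network team a dated record of which source, destination and port combinations are required, which is the list to revisit when servers or IP addresses change.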