If you ping the same URL from inside and outside, they resolve to different IPs: internally to an internal IP and externally to an internet-facing relay. This has worked very well.
However, I now know, thanks to you, that the issue is the Last Fallback Relay. Yes, we set it, and that relay is internal; it happens to be the internal relay these systems are sitting at and trying to connect to. It is an IP address, not a URL.
So my last question would be: is there a reg key we can change on the endpoints to remove the Last Fallback Relay without requiring them to check in and get it from the console?
It would be difficult to connect to 300+ machines manually to get them to check in somehow. They can use something like Intune to deploy a key change, though.
Is there some way to get besclient.exe -register to work? When we tried it, the return was that the certificate already existed, so the relay rejected the registration.