Hi,
It's generally better to place the Gateway Server in the untrusted forest/domain.
By placing the Gateway Server in the untrusted domain, you only need to manage certificates and firewall rules for the Gateway Server and the Management Server, rather than for each individual agent.