You are correct. When the VLAN feature is enabled, your scanner should act as if it's sitting in the same subnet as the hosts you're scanning.
A couple of things we need to make sure of are:
1. The scanner is on Version 2.1 or higher.
2. The VLAN option has been turned on for your account.
3. Your scanner must be using a Static IP (you stated this was done).
If the above are all true, I have a couple of questions:
1. You said the DMZ VLAN was not configured on the appliance. Does this mean it was configured in the QualysGuard Web Portal?
2. You said that all the appliances were configured for VLAN Trunking, but are the ports they are attached to on the switch set to Trunking mode?
3. Does the appliance you're scanning with have a Trunked path to the VLAN where the hosts are?
I would not suggest opening a hole in the firewall as this should not be necessary.
Something I forgot to mention is that you can look for QID 45006 (Traceroute) in your report. If you show a Traceroute, you're not using the VLAN; if there's no Traceroute, that means you should be set up correctly and local to the segment you're scanning.
Thank you for your responses. It seems the network admin thought there was a path to the DMZ hosts but there was not. It was fixed from a network change standpoint. It is working now. Thanks for your help.
No problem at all. Glad to have been able to help.