Live Update for Symantec Endpoint and ISA Firewall 2006
I have trouble downloading updates from live update from Symantec Endpoint Console. We have a Symantec Endpoint Protection v11 0 2000 MR2 set up on one of our servers. We usually get Live update failed when we try to download updates from the Console.
We have ISA 2006 acting as a proxy server and the clients' Internet Explorer is configured with
IP Address: 192.168.0.250 (ISA SERVER)
Port: 8080
The Authentication for Local Host and Internal Network is set to the default (Integrated). We do not have basic authentication. The main rule for letting clients browse the net is as follows
From Internal to External Allow (Http, Https, FTP) for Company Users. Where Company Users is a group of domain users. We have not chosen All Users here.
In the console I have chosen HTTP Proxy and set it correctly
Proxy server : 192.168.0.250
Port: 8080
Requires authentication
Username: domain\username
Password: password
where username is the main administrator.
So everything seems okay but updates fail every time. ISA shows 404 Not Found and 200 OK and sometimes denies access.
Any recommendations?
Comments
Try the following -
Make sure that the option - "Bypass Proxy Server for local addresses" is unchecked on the clients in Internet Explorer.
Also, I'm assuming that you are getting this issue when you try to get updates on a CLIENT, and from the SEPM, so try the following - Create a new Host Rule, and Add the SEPM Server to that, and allow all traffic on Port 80 to & From that server from all clients on the intranet.
Additionally, what's the mode your ISA firewall is running in? Edge, 3-Way, etc.
Abhishek Pradhan, PMP, MCT
Consultant | Microsoft Corp.
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org
As Abhishek says, you need to create a rule in ISA that allows the SEPM server out to the Internet explicitly, as we can't currently work with Integrated/NTLM authentication to ISA, since the process is Java. If you still want to authenticate based on user account, then we need Basic authentication enabled.
Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
"Bypass Proxy Server for local addresses" is unchecked on the clients in Internet Explorer from the very beginning.
I created a new rule in ISA Server and pushed it to the top
From SEPM SERVER to External, all outbound connections, and chose all users. Now under servers in server properties checked the proxy server
Address: 192.168.0.250
Port: 8080
Requires Authentication: (Checked) and entered username and password.
When I run live update from the console, I see a lot of green entries in ISA, however I still get live update failed as it exited with error code 4.
--------------------------------------
Removed the entire settings of proxy and also from internet explorer and tested: Result- Failed
Kept Internet explorer settings and added proxy settings without authentication and tested: Result- Failed
Kept Internet explorer settings and added proxy settings with authentication and tested: Result- Failed
--------------------------------------
Should I enable basic authentication on both internal and local host? Could you give me an example of the rule in ISA?
----------------------------------------
Forgot to mention that when I try to update without using the console, by opening luall.exe from the Symantec folder, it will download catalogs for the first 2 and then fail as there is no connection to the host.
Although from the console I get a bunch of lines telling me that each category is up to date, in the end it fails.
You said -
"Bypass Proxy Server for local addresses" is unchecked on the clients in Internet Explorer from the very beginning.
The box for Bypass Proxy Server for Local Addresses SHOULD BE CHECKED :D
Abhishek Pradhan, PMP, MCT
Consultant | Microsoft Corp.
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org
Checked or unchecked, it does not make any difference, I still can't get live update to work. But in the first place, why should it be checked on the client machines? The clients are getting the updates from the Symantec Endpoint Manager installed on a server.
Bypassing the proxy and downloading the updates works fine and now all the clients are updated. I don't want to do this all the time. There must be something done wrong here; some setting either with the rule or authentication is the problem.
I need to know whether or not I need basic authentication for both local host and internal.
SEPM needs direct access or through Basic authentication to internet. I suggest that you create a rule from IP of your SEPM server to external and for "all users" to avoid authentication problems. If you want to have authentication you need to enable it for internal (I assume your SEPM is not your ISA server).
By the way, when setting the proxy you must set both proxy settings in SEPM (under properties of your server) and in the "Symantec liveupdate" control panel applet. Sometimes setting it only in SEPM does not work. (Maybe a bug... Paul? Where are you?)
In my experience it's best to avoid authentication; sometimes SEPM behind an authenticated ISA does not get updates for no reason.
"create a rule from IP of your SEPM server to external and for "all users" to avoid authentication problems" Well, this is already done. I have allowed all outbound connections. Just to see if other rules are an issue, I disabled all, checked, same crappy result.
When i set the proxy settings for the server in the console, they automatically come for the live update in the control panel.
The only thing is basic authentication is not enabled at all, only the default integrated is set on ISA server and Internal network.
I'm royally fed up, there must be something to be done here; isn't there a guide book or something to deal with ISA server for LiveUpdate? There is a post for LiveUpdate and ISA 2000 (pretty outdated).
Hoping for the best.......
Tried everything and failed; live update will generate logs of what it downloads.
Could someone tell me where the log files are stored for the Symantec manager when connecting to live updates (on the server PC)? I can then post them here and possibly get a response.
In my setup the SEPM server has its gateway set to the ISA server, no proxy stuff entered. So it just goes straight out via the ISA server to external. The rule is a simple from SEPM to External - ftp,http,https. Works fine
Just installed MR3 (fresh install) in order to transfer some clients from SAV 9.0.
I had the same problem with LiveUpdate from SEPM. The problem, as I found out, is that although you set up credentials for communicating, SEPM LiveUpdate needs basic authentication (figured it out looking at the ISA server logs and seeing some requests coming from the user I set up in the options and all other requests for updates as anonymous, the anonymous ones coming from the SEPM service, which runs with a system account and thus is not a user of the domain) in order for the proxy settings to work in its configuration.
Since that is not an option I want to take for security reasons I had only two options to resolve this.
a. install ISA Client software and let it take over all communication and authentication problems, but with unforeseeable other network problems, and
b. (WHICH I WISELY CHOSE) change the account that SEPM starts in services to an administrator account thus solving the authentication problem instantly.
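Added example, not part of the thread and not Symantec or Microsoft code: the mismatch described in the replies above (a proxy offering only Integrated schemes to a client that can only answer Basic) can be confirmed from the proxy's 407 reply. The function names and the sample replies are constructed for illustration; the Basic-only client model follows the statement in the thread that the SEPM process cannot do Integrated/NTLM.

```python
import socket

# Constructed sample replies (not captured from the thread's ISA server).
INTEGRATED_ONLY = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                   b"Proxy-Authenticate: Negotiate\r\n"
                   b"Proxy-Authenticate: NTLM\r\n"
                   b"Content-Length: 0\r\n\r\n")
BASIC_ENABLED = INTEGRATED_ONLY.replace(
    b"Content-Length", b'Proxy-Authenticate: Basic realm="proxy"\r\nContent-Length')
ANONYMOUS_RULE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

def probe_proxy(proxy_host, proxy_port, url="http://example.com/", timeout=5):
    """Send one unauthenticated GET via the proxy; return the raw reply bytes.
    Live use with the thread's settings: probe_proxy("192.168.0.250", 8080)."""
    host = url.split("/")[2]
    req = f"GET {url} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(req.encode("ascii"))
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return reply

def offered_schemes(raw_response):
    """Return (status_code, [auth schemes offered]) from a raw proxy reply.
    Assumes one challenge per Proxy-Authenticate header line."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.strip().split()[0].lower())
    return status, schemes

def diagnose(raw_response, client_supports=("basic",)):
    """Classify a proxy reply for a client limited to the given schemes."""
    status, schemes = offered_schemes(raw_response)
    if status != 407:
        return "no-proxy-auth-required"   # e.g. an "All Users" rule matched
    if any(s in client_supports for s in schemes):
        return "client-can-authenticate"
    return "scheme-mismatch"              # proxy offers nothing the client speaks
```

A `scheme-mismatch` result for the server running SEPM means the proxy credentials entered in the console cannot be used, whatever username and password are configured.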