Endpoint Protection

  • 1.  SEP 12.1 - Moved Servers Behind Internal Firewall, vDefs Not Updating

    Posted May 16, 2016 02:07 PM

    In order to comply with some PCI-DSS requirements, we moved a pair of servers behind a hardware firewall. We used fairly identical configuration settings to our DMZ configuration but the two servers for whatever reason have stopped receiving vDef updates. They are 100% connected to the SEPM. We are currently allowing the servers to communicate with the SEPM on the following ports:

    • 8014
    • 80
    • 443
    • 2967

    Again, this configuration appears to work for our DMZ, but it doesn't appear to be working for this other zone. I have reviewed the following documentation (https://support.symantec.com/en_US/article.TECH163787.html) and everything seems to be in order. 

     

    Any ideas?



  • 2.  RE: SEP 12.1 - Moved Servers Behind Internal Firewall, vDefs Not Updating

    Posted May 16, 2016 03:15 PM

    As long as 8014 is open that's what they need for updates. Same for 2967 with GUPs:

    About the communication ports that Symantec Endpoint Protection uses

    What does your log show on the firewall for blocks?



  • 3.  RE: SEP 12.1 - Moved Servers Behind Internal Firewall, vDefs Not Updating

    Posted May 16, 2016 03:42 PM

    I am actually not seeing any active blocks across the firewall. I do see successful TCP connection setups.



  • 4.  RE: SEP 12.1 - Moved Servers Behind Internal Firewall, vDefs Not Updating

    Posted May 16, 2016 03:44 PM

    Run the symdiag tool on it to see if anything shows up:

    Download SymDiag to detect Symantec product issues



  • 5.  RE: SEP 12.1 - Moved Servers Behind Internal Firewall, vDefs Not Updating

    Posted May 16, 2016 07:40 PM

    Also, did the SEPM server names or IP change after the move?



  • 6.  RE: SEP 12.1 - Moved Servers Behind Internal Firewall, vDefs Not Updating

    Posted May 17, 2016 04:09 AM

    What's the result of this?

    Testing Communication from an Endpoint Protection client to the Endpoint Protection Manager

     


  • 7.  RE: SEP 12.1 - Moved Servers Behind Internal Firewall, vDefs Not Updating

    Posted May 17, 2016 09:17 AM

    Okay, so after some research here's the situation. I am using Group Update Providers. The new subnet that I placed the servers on is outside of the SEPM subnet. All the other servers don't receive their updates from the defined GUPs, they receive their definitions from the SEPM because the SEPM is on the same subnet as the other servers. The few servers that I transferred over to the new protected networks are still technically on the "inside" of the network, but are not on the same subnet as the servers managed by the SEPM. The default behavior then is for the 2 servers behind the firewall to get their updates from the GUPs, which are currently blocked from communicating with the 2 servers behind the new PCI-DSS related network. So the current options are as follows:

    • Unblock communication from the GUPs to the new subnets in the firewall.
      • Not optimal
      • Creates security issues
      • GUPs are located across remote WAN links and not a great use of bandwidth
    • Designate one of the servers as a GUP
      • New GUP would get vDefs from SEPM which is allowed firewall communication
      • New GUP would have to make sure C: drive has enough space
      • High priority server so C: drive space is very important - Not optimal
    • Create new group and new LiveUpdate Policy
      • New group would be created
      • Place new servers in new group
      • Remove option to use GUPs
      • Bandwidth isn't an issue as servers are in the same facility.
      • Optimum option I think

    What are your opinions?



  • 8.  RE: SEP 12.1 - Moved Servers Behind Internal Firewall, vDefs Not Updating
    Best Answer

    Posted May 17, 2016 09:34 AM

    Based on what you have there, the last option is probably the easiest way to go.



  • 9.  RE: SEP 12.1 - Moved Servers Behind Internal Firewall, vDefs Not Updating

    Posted May 17, 2016 11:21 AM

    Thanks Brian. Appreciate your assistance.