Well, I've looked into this more. One of the servers was missing a gateway, which has been corrected. This one doesn't seem to be reporting any issues any longer. The other is a restricted (aging) RDP server with a whitelist. I've whitelisted the following:
ent-shasta-rrs.symantec.com
ent-shasta-mr-clean.symantec.com
This one is still reporting the occasional error. Is it possible that these are not the only two sites the reputation service needs? If anyone knows of others needed for the symantec services I can whitelist these at our proxy.