Hi,
It uses the following specific websites, which use dynamic IP addresses:
liveupdate.symantecliveupdate.com, liveupdate.symantec.com, and akamai.net. You need to allow these hostnames on the external firewall.
It depends on where you have placed the primary SEPM that is pulling definitions from the global Symantec server.
If the SEPM in the DMZ is the first of multiple SEPMs in a site, Symantec recommends modifying the Replication Management Server List and nominating a different SEPM to process the replication events.
Best Practices: Configuring a Symantec Endpoint Protection environment in a DMZ
http://www.symantec.com/docs/TECH178325