Hello,
Could you please check the Location Liveupdate Policy is properly configured.
Secondly, check if the policy serial number on SEPM group is same as the one applied to the SEP client.
There are several ways you could perform this depending on what the end results are that you desire.
When users VPN into the network clients should be able to communicate with the SEPM server. This means they should be able to download updates from the SEPM. The drawback here is that as you have seen if they are not connected to the SEPM at all they won't update. Once they do connect if it has been several days since they last updated they will need to download a full definitions package. Full definitions packages can be quite large and thus have a negative impact on your network.
The following document will provide you with the simplest location switching configuration to allow users to run LiveUpdate when they are not connected to the SEPM server, however this may not completely meet your desires. As such I would recommend to review the other documentation that I have provided below related to location awareness. There is also a good amount of information in the Administrator Guide included with the downloaded installation files.
Check these Articles:
How to configure mobile computers to automatically download virus definitions when disconnected from the Symantec Endpoint Protection Management console
http://www.symantec.com/business/support/index?pag...
Understanding the Default location setting and creating unambiguous location switching criteria
http://www.symantec.com/business/support/index?pag...
Best Practices for Symantec Endpoint Protection Location Awareness
http://www.symantec.com/docs/TECH98211
Location Awareness Logic
http://www.symantec.com/docs/TECH97097
More about Location Awareness in Symantec Endpoint Protection (SEP)
http://www.symantec.com/docs/TECH97369
Hope this helps!!!