I am pretty confident that Liveupdate has nothing to do with ActiveX at all.
It will use http but will then fall back to ftp if it can't connect.
Are you talking about liveupdate administrator?
Or liveupdate on the SEPM server?
Or liveupdate on a SEP client?
I would be going over your firewall rules to work out exactly what is going on.
Liveupdate on the SEPM tries the following:
HOSTS\0\ACCESS2=http://liveupdate.symantecliveupdate.com
HOSTS\0\TYPE=HTTP
HOSTS\1\ACCESS2=http://liveupdate.symantec.com
HOSTS\1\TYPE=HTTP
HOSTS\2\ACCESS2=ftp://update.symantec.com/opt/content/onramp
HOSTS\2\TYPE=FTP