ISA 2004 and Norton LiveUpdate

A problem

I had been getting this error when running Norton LiveUpdate. It just started happening. This page is about the actions I took to stop it.

My setup.

I run a network based on Microsoft's Small Business Server 2003 (SBS 2003). I also run Internet Security and Acceleration (ISA) Server 2004. This problem occurs on all PCs on the network; they run Windows Vista and Windows 7.


The problem

When running Norton LiveUpdate I kept getting the error "Failed to complete"

I then ran "Norton Autofix" and got this:


A Google search for the error code revealed that I was not the only person suffering from this error, although I didn't find anyone else using SBS.

The Norton support web site gave little help and I eventually managed to contact a "real" person. He, and a colleague, remotely took over my machine to try and resolve the issue. After two hours I was bored, needed to eat (and other things), so I called a temporary halt to the matter.

Later that evening, a bit more research led me to believe that the problem could be resolved by creating a rule within ISA. That is what I did. It resolved the immediate issue but has left me with another couple of issues (commented on at the end of this page).


This shows the rule I created in ISA 2004.

Open ISA 2004


Expand the server


Click on Firewall Policy so you can see all the current rules


Clicking on "Create New Access Rule", starts the wizard.

Give the rule a name and click "Next"


In "Rule Action", click on "Allow" and click "Next"


On the Protocols screen in the "This rule applies to" box, click on "This rule applies to"

.. and from the list ..

.. select "Selected protocols"



To select the protocols, click on "Add" to bring up the "Add Protocols" dialog.



Expand "All Protocols"


Select FTP and click "Add", HTTP and click "Add" and HTTPS and click "Add", and click on "Close"


.. and the "Protocols" dialog now looks like this:

Click on "Next"


For "Access Rule Sources" click on "Add"

.. expand "Networks" and click on "Internal"

Click "Next"


In "Access Rule Destinations", click "Add"

From the "Add Network Entries" box, expand "Domain Name Sets"

select the set you want to use (here I've create one called "Norton Live Update Site") and click "Add"



How to create a Domain Name Set

Click on "New"


Click on "Domain Name Set"

In "New Domain" type "*.symantechliveupdate.com"

NOTE (13/2/2013): Oops .. my spelling leaves a lot to be desired; try ... "symantecliveupdate" .. there's no "h"
Also, since this page went live it would seem that "liveupdate.symantec.com" should also be part of the domain name set.


Click on "OK"


Click on "Next"


In "User Sets" you will see "All Users". Click "Next"


Click on "Finish"



Back in ISA, right click on the new rule and ensure it's positioned before the internet access rule.


Click on "Apply" (or "Discard" if you've changed your mind)


Click on "OK"

And you are done.



To amend the settings, right click on the rule, click on Properties


That's it. Now go back to the PC and run Norton LiveUpdate.
When Norton LiveUpdate is run, we get the result we want (well, I did. If you don't you might need to keep searching for a solution elsewhere .. sorry)




This link gave me a clue to the way forward:

1. Create a new domain name set with *.symantecliveupdate.com entry.
2. Create a new firewall policy and allow FTP, HTTP, HTTPS for All Users from internal to the new domain name set above.
3. Move this rule above your standard internet access rule.

Above is how I implemented the suggestion.


This one also helped, but was more orientated to Symantec Enterprise

And a few more:


General Observation

I am somewhat surprised that Symantec, a company that makes a living out of preventing malicious attacks on computers, has so many issues understanding and solving the issue I encountered. My brief search showed me that I'm not the only one who has had this sort of problem.


Oh, by the way, here's my latest problem with Symantec:

Yes, I am connected ...

Here we go, again ;-)


And another one:

I wanted to try "Norton Management"


"Doh" (Homer Simpson, et al, since 1987)




Published: 17-Aug-2012
Last edited: 13-Feb-2013 17:43