Endpoint Protection is unable to connect to LiveUpdate when using an AutoConfigUrl PAC with multiple proxy servers

Article ID: 277218

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) fails to connect to LiveUpdate servers when it is configured to use the Windows Internet proxy settings with a PAC file that lists multiple proxies for failover. The failure occurs when the first proxy server in the list is unreachable.

Here's an example of a simple PAC file configuration with a proxy server list:

function FindProxyForURL(url, host) {
   return "PROXY <proxy_address_1>:<port>; PROXY <proxy_address_2>:<port>";
}

SEP does not attempt a connection to proxy_address_2 if the first proxy in the list is unavailable.

Cause

SEP's LiveUpdate component (LUE) uses WinHTTP to connect and download content, and it supports an AutoConfigUrl PAC. However, WinHTTP has a limitation: it does not support a proxy server list with multiple servers. It attempts to connect only to the first server in the list and does not fall back to the next one.

Additional information about this limitation can be found in the following Microsoft documentation:

https://learn.microsoft.com/en-us/windows/win32/winhttp/autoproxy-issues-in-winhttp
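
To find out whether a PAC file returns a multi-entry proxy list for a given URL, the following added example (not part of the original article, and not vendor code) evaluates a PAC script and reports which entry a first-entry-only client would use and which fallback entries would be ignored. The helper functions, the sample PAC and all host names are constructed placeholders.

```javascript
// Added example: audit a PAC script for proxy lists that depend on failover.
// Helper set, sample PAC and host names are constructed placeholders.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, pattern) => {
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  },
};

// Compile the PAC source with the helpers in scope. This executes the script,
// so only load PAC files from your own environment.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, `${pacSource}\nreturn FindProxyForURL;`);
  return factory(...names.map((n) => pacHelpers[n]));
}

// Split a result such as "PROXY a:8080; PROXY b:8080; DIRECT" into entries.
function parsePacResult(result) {
  return String(result).split(";").map((s) => s.trim()).filter(Boolean)
    .map((entry) => {
      const [type, target = null] = entry.split(/\s+/);
      return { type: type.toUpperCase(), target };
    });
}

// Report what a client that tries only the first entry would use for this URL.
function auditPac(pacSource, url) {
  const host = new URL(url).hostname;
  const entries = parsePacResult(loadPac(pacSource)(url, host));
  return {
    url,
    used: entries[0] || null,
    ignoredFallbacks: entries.slice(1),
    reliesOnFailover: entries.length > 1,
  };
}

const samplePac = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy1.example.test:8080; PROXY proxy2.example.test:8080";
}`;

console.log(auditPac(samplePac, "http://liveupdate.example.test/content"));
```

A result with `reliesOnFailover: true` marks a URL for which the configuration depends on the fallback behaviour that this article describes as unavailable.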

Resolution

Due to this Microsoft limitation, this configuration is unsupported.  Consider using a supported method for configuring a proxy server in the LiveUpdate policy. 

Additional Information

CRE-15931