"Thumbs Up" to the posts above
Just to add to the list of useful resources, the below article discusses how to troubleshoot SEP client update issues:
http://www.symantec.com/docs/TECH106034
Also, as you mentioned port 7070, I wanted to add that Symantec recommend against sticking the LUA and the SEPM on the same box:
http://www.symantec.com/docs/TECH93409
The easiest test for either SEPM or LUA connectivity, though, is to just try to telnet to the relevant port from the client. If it fails to connect from the clients in the alternate VLAN but works locally and/or for other networks, then have another little look at the FW rules.