Providing Service Segment when deploying an Endpoint protection service in NSX-T
Article ID: 321147

Products

VMware NSX

Issue/Introduction

While deploying an Endpoint Protection (EPP) service on NSX-T, you are required to provide a Service Segment, even if you do not intend to use any functionality beyond EPP, such as the IDS/IPS Service Insertion capabilities.

Environment

VMware NSX-T Data Center 3.x
VMware NSX

Cause

This issue occurs because the service registered by the EPP partner is a combined service, for example EPP + IDS, and a combined service always requires a Service Segment.

Resolution

To resolve this issue, create an 'empty' Service Segment and select it in the Service Deployment when only the Endpoint Protection (Guest Introspection) functionality is required.
This Service Segment does not affect Endpoint Protection functionality, and it allows you to add Service Insertion capabilities later without redeploying the service.

Notes:

  1. Creating this empty Service Segment for Endpoint Protection-only use cases does NOT require Overlay networking or TEP configuration on the ESXi host(s). If Service Insertion capabilities are needed in the future, Overlay networking and TEP configuration must be enabled on the ESXi hosts.
  2. Ensure that the Transport Zone selected when creating the segment is the same one used in the Transport Node Profile attached to the respective vCenter cluster.

    Example configuration for how to create an empty Service Segment:
    • Access the NSX-T Manager.
    • Navigate to Security > Network Introspection Settings > Add Service Segment.
    • Name – EPP-SRV-SEG
    • Transport Zone – nsx-overlay-transportzone
    • Connected To – leave blank.

This new Service Segment can now be selected when performing a new Service Deployment for Endpoint Protection.
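The same configuration expressed as an API request, with the check from note 2 applied before the request is built. This is an added example, not code from the KB article or from VMware. It assumes the NSX-T Policy API layout (service segments under /policy/api/v1/infra/segments/service-segments/<id>, transport zones referenced by their policy path under /infra/sites/<site>/enforcement-points/<point>/transport-zones/<id>) and a transport node profile shaped like the NSX-T TransportNodeProfile object; the transport zone IDs and the profile itself are constructed sample data. Verify the paths against the API guide for your NSX version before use.

```python
"""Build and sanity-check an 'empty' NSX-T Service Segment request.

Added example, not code from the KB article. API paths are assumed from the
NSX-T Policy API layout; confirm them for your NSX version.
"""
import json
import re

# Constructed sample transport node profile (the one attached to the vCenter
# cluster). Only the fields this check needs are present; IDs are made up.
SAMPLE_TN_PROFILE = {
    "display_name": "tnp-compute-cluster",
    "host_switch_spec": {
        "host_switches": [
            {
                "host_switch_name": "nvds-compute",
                "transport_zone_endpoints": [
                    {"transport_zone_id": "11111111-1111-1111-1111-111111111111"},
                ],
            }
        ]
    },
}

# Constructed name -> ID map; the overlay zone is the one named in the KB example.
SAMPLE_TRANSPORT_ZONES = {
    "nsx-overlay-transportzone": "11111111-1111-1111-1111-111111111111",
    "nsx-vlan-transportzone": "22222222-2222-2222-2222-222222222222",
}


def profile_transport_zone_ids(profile: dict) -> set:
    """Collect every transport zone ID referenced by a transport node profile."""
    ids = set()
    for hs in profile.get("host_switch_spec", {}).get("host_switches", []):
        for ep in hs.get("transport_zone_endpoints", []):
            ids.add(ep["transport_zone_id"])
    return ids


def profile_uses_transport_zone(profile: dict, tz_id: str) -> bool:
    """KB note 2: the segment's transport zone must be one the profile uses."""
    return tz_id in profile_transport_zone_ids(profile)


def transport_zone_policy_path(tz_id: str, site: str = "default",
                               enforcement_point: str = "default") -> str:
    """Policy path of a transport zone (assumed layout, see module docstring)."""
    return (f"/infra/sites/{site}/enforcement-points/{enforcement_point}"
            f"/transport-zones/{tz_id}")


def build_service_segment_request(name: str, tz_id: str) -> tuple:
    """Return (url_path, body) for a PUT that creates an empty Service Segment.

    'Empty' means no connectivity is configured (the KB's 'Connected To – leave
    blank'), so the body carries only the transport zone reference.
    """
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("segment id must be URL-safe: letters, digits, . _ -")
    url_path = f"/policy/api/v1/infra/segments/service-segments/{name}"
    body = {
        "display_name": name,
        "transport_zone_path": transport_zone_policy_path(tz_id),
    }
    return url_path, body


def plan_empty_service_segment(name: str, tz_name: str,
                               transport_zones: dict, profile: dict) -> tuple:
    """Resolve the zone by name, enforce KB note 2, then build the request."""
    if tz_name not in transport_zones:
        raise ValueError(f"unknown transport zone: {tz_name}")
    tz_id = transport_zones[tz_name]
    if not profile_uses_transport_zone(profile, tz_id):
        raise ValueError(
            f"transport zone '{tz_name}' ({tz_id}) is not used by transport "
            f"node profile '{profile.get('display_name')}' (KB note 2)")
    return build_service_segment_request(name, tz_id)


if __name__ == "__main__":
    path, body = plan_empty_service_segment(
        "EPP-SRV-SEG", "nsx-overlay-transportzone",
        SAMPLE_TRANSPORT_ZONES, SAMPLE_TN_PROFILE)
    print("PUT", path)
    print(json.dumps(body, indent=2))
```

The returned path and body are what you would send as a PUT to the NSX Manager with an API-capable account; the script deliberately stops short of the network call so the zone check can be run against exported objects first. Choosing the VLAN zone in the sample raises a ValueError, which is the mismatch note 2 warns about.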