Support for the Network Service Insertion feature (SI) at NSX-T was implemented from Deep Security 12.0 FR 2020-06-17 (Build 12.5.985) and Deep Security 20.0. This enhancement has enabled the GI and SI to co-exist when Deep Security registers to NSX-T.
Below is the Deep Security 12.5 reference and Deep Security 20.0 release note:
When GI+SI co-exist, the "overlay transport zone" will be required because deploying the Deep Security Virtual Appliance (DSVA) will need to have a service segment, and the service segment requires the "overlay transport zone".
This requirement is for DSVA deployment with NSX-T since GI+SI co-exist during registration. If you will use the Anti-Malware function only, this setting is still required even if you will not use the network feature, the DSVA deployment will need it. For reference, look at this article.
The Service Segment is required to deploy the Trend Micro Deep Security Service in NSX-T:
- Click Action and then click ADD SERVICE SEGMENT.
- Under Name, enter a name e.g. service-segment.
- Under Transport Zone (Overlay), select "transport-zone-overlay" or whichever overlay transport zone you are using.
- Leave "Connected To" empty.
- Click SAVE and then CLOSE.
A service segment should be created.
- From the Service Segments dropdown list, select the service segment you just created.
The service segment needs to have a transport zone.
Below is the LSW limitation: