Host Integrity Checking
Updated: 21 May 2010 | 2 comments
I've been trying to get this relatively simple question answered using support for a while but it seems no-one knows the definitive answer!
Am I right in believing that if I create a new Host Integrity check, then set it to "Only do Host Integrity checking through the Gateway or DHCP enforcer", this means:
1. The SEPM sends the host integrity policy to the DHCP Enforcer (this is what I'm currently using)
2. The host integrity checks are carried out solely by the DHCP Enforcer with no interaction from the SEPM.
3. The client will only check its host integrity status against the DHCP Enforcer?
We are trying to keep network traffic to an absolute minimum between every client and the SEPM.
Thanks
Comments
The answer is in 2 parts and depends.
You are right in assuming what the policy states will happen with the HI check, BUT, if the client is outside the intranet and trying to connect to your internal network through the Gateway Enforcer, then the Gateway Enforcer will be the sole authority to determine the HI check.
If the clients are already on the intranet, then they will have the HI check done by the DHCP Enforcer only. In case the DHCP Enforcer is not reachable, the clients MAY fail over for the HI check to the Gateway Enforcer if you have it configured.
Hope this answers the query.
Abhishek Pradhan, PMP, MCT
Consultant | Microsoft Corp.
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org
You are right
The Symantec Integrated Enforcer for Microsoft DHCP Servers ensures that endpoints attempting to connect to the enterprise network comply with the security policies set on the Symantec Policy Manager. Before the Integrated Enforcer allows an endpoint to access the network, it authenticates the endpoint by verifying the following conditions:
■ The Symantec Agent is running on the endpoint
■ The Symantec Agent has the correct Globally Unique Identifier (GUID)
■ The endpoint is in compliance with the latest Host Integrity policies
■ The security policy is up to date
If the Integrated Enforcer does not authenticate the endpoint, the endpoint is given access to a quarantined area with limited network resources.
That means once the policy is applied by the Policy Manager it gets stored in the DHCP Enforcer.
However, the DHCP Enforcer will keep communicating with the Policy Manager for regular policy updates. But since it uses UDP packets to communicate between the NAC Enforcer and the Policy Manager, or even the clients, the traffic used is very small, almost negligible.