AFAIK, the GW Enforcer will still operate as normal even after the maintenance subscription has expired. That said, you may want to contact Symantec about renewing it (if possible) so that you can still get access to support in case anything goes wrong between now and the End of Support Life.
HI works fine without an enforcer, and can be used in conjunction with normal SEP policies (usually the FW policy) to perform self-enforcement if required.
Self-enforcement only applies to managed SEP Client however, so you may still need an alternative form of NAC to protect your network from unmanaged devices (guest machines, etc).