I realized that you must have gotten an answer in the meantime, but in the interest of other people looking for a similar solution, here is an answer: it depends :-)
Every customer would have his own view about security, what degree of security is required and where to place the different pieces of equipment. The good news is that we can accommodate all kinds of deployment.
The most common deployment with a Firewall I have seen is to have the following setup:
LAN <-> SH-SD <-> FW <-> Internet.
In that setup, there is nothing tricky about SteelHead configuration, as traffic destined for remote sites will be encrypted by the SteelConnect GW and the firewall will not be able to inspect or filter it. There is no risk of having Auto-discovery probes stripped by the firewall.
We need the firewall to NAT traffic on port UDP 4500 and provide Internet access to the GW.
I would disable NAT on the SteelConnect GW and have the firewall doing it for the LAN -> Internet traffic.
Other customers may consider our solution good enough as a perimeter firewall to deploy it directly on the Internet and that's fine. LAN <-> SH-SD <-> Internet.
Finally, we have customers deploying SteelConnect or SteelHead-SH between two firewalls (or using virtual domains/contexts/firewalls): LAN <-> FW <-> SH-SD <-> FW <-> Internet.
BTW, we have updated the SteelConnect deployment guide and you can download it from the support website:
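As an added illustration (not from the post above or from Riverbed's deployment guide), here is what the firewall in the LAN <-> SH-SD <-> FW <-> Internet layout has to do, written as an nftables ruleset: pass and NAT the gateway's UDP 4500 (IPsec NAT-T) and management traffic, and NAT the LAN traffic that the gateway forwards unchanged because NAT was disabled on it. The interface names, the 198.51.100.2 gateway address and the 192.0.2.0/24 LAN range are assumed placeholders.

```nftables
# Assumed addressing (placeholders, not from the post):
#   eth0 = Internet-facing interface of the firewall
#   eth1 = interface toward the SteelConnect GW (SH-SD)
#   198.51.100.2 = SteelConnect GW address on the FW <-> GW link
#   192.0.2.0/24 = LAN behind the GW; NAT is disabled on the GW, so
#                  these addresses reach the firewall unchanged and the
#                  firewall needs a static route to them via the GW
define wan = eth0
define inside = eth1
define gw = 198.51.100.2
define lan = 192.0.2.0/24

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # GW to Internet: UDP 4500 NAT-T tunnels to remote sites plus
        # the GW's own management sessions
        iifname $inside ip saddr $gw oifname $wan accept
        # LAN to Internet, arriving un-NATed through the GW
        iifname $inside ip saddr $lan oifname $wan accept
        # Tunnel setup initiated by remote sites toward this GW
        # (only needed together with the DNAT rule below)
        iifname $wan oifname $inside ip daddr $gw udp dport 4500 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Assumed: remote sites must be able to reach this GW on UDP 4500
        iifname $wan udp dport 4500 dnat to $gw
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # The firewall, not the GW, performs source NAT toward the Internet
        oifname $wan ip saddr $gw masquerade
        oifname $wan ip saddr $lan masquerade
    }
}
```

Load with `nft -f` on the firewall; if the GW only ever initiates its tunnels outbound, the prerouting DNAT rule and its matching forward rule can be dropped, leaving stateful return traffic to the `established,related` rule.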