Thanks for the response Alberto. I know the VPN needs to terminate at the UC, but I have to pass it
through the SA. But the UC would seem to require a public IP address on the WAN in order for the wizard
to configure the phone. As you run the wizard it lists the remote IP address that the phone needs to connect to, which is the WAN address. If this is a non-routable address, how is this going to work? The wizard does not allow you to change the IP address.
We struggled with this same issue. We had a client with an SA520 single static WAN IP address in front of the UC540 with SSL being used for email traffic forwarding to the mail server. As you have experienced you can't pass SSL VPN traffic to the SA and the UC540. Setup and configure the SSL traffic on the WAN port for your remote client for VPN configuration. Configure the second WAN port with another static IP on the SA. Create a firewall rule on the SA520 to forward SSL traffic to the UC540. Essentially WAN interface one is handling remote VPN the secondary WAN interface is handling the VPN configuration needed for remote SPA525G connectivity.