basic newbie question: The default ruleset puts the SSL-Scanner rules in front of the Authentication rules. That doesn't compute in my brain. Why would you do this? Wouldn't authentication be the very first thing you want to do (except for global white/blacklists maybe)?
In case of any transparent method (bridge, router, wccp) you need SSL prior to doeing auth as you need to open up the data to inject authentication elements (cookie, auth server, etc).