It has been confirmed that the Auth Connector is working correctly but users show up as an "unauthenticated user" when going through an IPSEC tunnel.
The exception page for blocked websites show the client IP address as the router or firewalls address
In Sept 2011 the Cloud Security Service was upgraded with an end result of providing the possibility of more firewalls/routers to connect IPSEC to the Cloud Security Service. Part of this change now allows for internal IP addresses to be NAT'ed before placed into the IPSEC tunnel (if the device allows it).
If traffic is NAT'ed before being placed into the tunnel it will break the ability for the Cloud service to identify the user. It is required for the Cloud service to see the real IP address of the workstation making the HTTP or HTTPS request.