I cannot believe nobody answered your post for almost a year!
That must be laziness, or contempt, or ignorance...
Or you have asked too many questions for a novice.
In case you gave up, here's some from me.
1. SSG-5 is an edge firewall, it is not for "router on the stick" configuration.
2. There's no tagging on its ports. It simply can't - it's a VLAN per port. Hence 1. You have to route on a stick somewhere else; the SSG5 can transparently accept the packets, but it will forward them based on routing, not tagging. And any return packets will not be tagged.
3. Did you mention a VLAN for your REED.LOCAL? Or do you want it isolated, on separate equipment?
4. Joining a Windows AD is a user privilege, nothing to do with your network.
Unfortunately I see no picture attached but...
5. Gateways for VLAN management addresses have to correspond to your routing design and possible manager's network.
6. STP is not needed in your case, IMHO - you do not have loops. (sorry no picture)
And most of all,
7. There are no business objectives defined - what do you want to achieve and why? (not HOW, and just verifying if it's right or not)