From an SSL point of view the MAG and the SA boxes are pretty much the same. There are some older features that ran on the SA platform that are not continued on the MAG platform but for a new customer that should not matter and they run the same code.
You license the total number of concurrent users, regardless of the end user platform - IE PC or I@ or Android. You mentioned AV - there is no facility in the SSL code to handle AV on mobile devices. If you want to do that you would need to look into the Mobile Security Suite to add those features - they are supported on a device by device basis - IE there is not AV for IOS at this point in time.
NOTE - this is NOT Pulse. Pulse is free and is the replacement for Network Connect (long term).
As for box licensing. Somebody could write a book on that one 🙂
If you want all the in-depth details I would recommend going to www.kevpeterson.com - he is the Product Manager and has a wealth of details on licensing. But the short answer is:
You would buy licenses for each box. Say 25 each. You would then have a total of 50 "usable" licenses (sum of the 25x2) - if a box fails you would still have 50 licenses for a preset time period (5 days) during which you need to replace the broken box. NOW - it does get funky if you were to buy 10 licenses for box "A" and 50 for box "B" - if box "B" failed you would only have 20 licenses.
Again, this is just a summary - due to all the ways these guys can be deployed licensing can be very complex.
Hope this answers some of your questions - Also - SSL stuff is best posted in the SSL Forum.