Scenario 1: For 2000 endpoints (Z3C's), will I be hitting a limit for the MX250 (HA) as the gateway? I don't believe I will have room to grow. Maybe better to go with the MX450?
Well, it depends.
According to the MX Sizing Guide, the MX250 can accept a maximum of 3000 concurrent VPN tunnels. So 2000 endpoints are about 60% of capacity, so it could be OK. But you must consider how much VPN traffic will occur. If 1000 endpoints are generating more than 1 Gbps, the MX250 will max out even if the concurrent VPN tunnels are way below its capacity. Therefore, if 2000 endpoints generate more than the MX250's VPN throughput, you have to consider going to the MX450.
Scenario 2: For 6000 endpoints (Z3C's), should be ok with MX450 (HA) as the gateway?
Might be okay, but I recommend using two MX450 HA sets.
Although you use an HA pair, only the primary MX will do everything. That means all 6000 tunnels will be handled by a single MX450, and that's about 20% more than the MX450's maximum capacity. Therefore, use two MX450s and connect 3000 endpoints per MX. (I'm using this method in one of my organizations, with one MX100 pair and one MX84 pair to split the traffic that the MXs have to deal with.)