Fully working, with additional configuration (listed below).
Add firewall rules allowing traffic to the following IP addresses:
Puffin Academy makes HTTPS connections which contain an invalid Server Name Indication (*.flashbrowser.com) and the transparent proxy is therefore unable to validate the connections. The invalid connections are blocked, as the system considers them to be an attempt to bypass the usual filtering. Adding the above firewall rules allows Puffin Academy to bypass the transparent proxy. Note that this problem does not affect devices which are configured to use the non-transparent proxy.
Puffin Academy does not utilise the device's trusted certificate store and therefore the standard Disable HTTPS interception override contains rules to disable HTTPS interception.
Some of this information is from the Puffin Academy website: http://www.flashbrowser.com/pconnect/faq.php#202
Vendor Contact Log
The following log summarises discussions with the vendor of Puffin Academy (CloudMosa) regarding the problems listed above.
- 2016-07-06 - Reported to vendor.
- 2016-07-07 - Vendor responded, stating that the problems would not be resolved.