Currently the DPI web classification seems to go out from the individual APs ip address and not from the VC address. Is there a trigger somewhere that would make it use the VC address? Might be helpfull allowing it through firewall settings.
Furthermore it seems to use an unencrypted http connection to verify the websites. Is there a way to switch this to https so not everyone in the APs subnet can see the addresses being requested?