Think about the destinations from the clients. You don't need to explicitly allow access to the gateway or the firewall unless those are the intended destinations. The clients will use DNS to resolve a URL name and then build a packet to that destination. Say www.google.com will go to 74.125.226.18. It will hit the gateway, but in the packet the destination IP will be 74.125.226.18 and therefore be allowed by the role in the IAP.
Something else may be blocking this. Try SSH'ing to the VC and then issue a "show datapath session" and look for the client's traffic. Pay particular attention to the last column for any D flags which indicate denied packets because of the rules.
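As an added illustration (not from the original post or from Aruba): a small parser over constructed "show datapath session" output that lists the sessions whose last-column flags include D, so a client's denied traffic can be picked out without reading the table by eye. The column layout of the sample and the `parse_sessions`/`denied_sessions` names are assumptions; the only thing taken from the post is that the flags are the last column and D marks a denied session.

```python
import ipaddress

# Constructed sample of "show datapath session" output from an Instant VC
# (not captured from a real device; the column layout is an assumption).
# The check relies only on the flags being the last column, with "D"
# marking a session denied by the role's rules.  The last row has an
# empty flags column, the edge case the parser has to handle.
SAMPLE_OUTPUT = """\
Source IP       Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets Bytes   Flags
--------------- --------------- ---- ----- -----  ---- ---- --- --- ----------- ---- ------- ------- -----
10.1.10.25      74.125.226.18   6    51234 443    0/0  0    0   1   dev1        2    12      4820    FC
10.1.10.25      10.1.10.1       17   50001 53     0/0  0    0   0   local       1    1       64      FC
10.1.10.25      192.168.50.9    6    51300 445    0/0  0    0   1   dev1        3    0       0       FCD
10.1.10.25      192.168.50.9    6    51301 3389   0/0  0    0   1   dev1        3    0       0
"""


def parse_sessions(text):
    """Yield (src, dst, proto, dport, flags) for each session row.

    Header, separator and blank lines are skipped because their first
    token is not an IP address.  When the flags column is empty the last
    token is the Bytes count, so a purely numeric last token is treated
    as "no flags" instead of being misread as flags.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            src = str(ipaddress.ip_address(parts[0]))
            dst = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # header or separator line
        flags = parts[-1] if parts[-1].isalpha() else ""
        yield (src, dst, parts[2], parts[4], flags)


def denied_sessions(text, client_ip=None):
    """Return sessions carrying the D (deny) flag, optionally for one client."""
    return [s for s in parse_sessions(text)
            if "D" in s[4] and (client_ip is None or s[0] == client_ip)]


if __name__ == "__main__":
    for src, dst, proto, dport, flags in denied_sessions(SAMPLE_OUTPUT):
        print(f"denied: {src} -> {dst} proto {proto} dport {dport} flags {flags}")
```

Paste the real "show datapath session" output in place of the constructed sample and pass the client's IP to `denied_sessions` to narrow the listing to that client.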