I have a stateful firewall rule that allows access to a list of names and networks in order to allow users to access the Google Play store from a captive role. The list seems overly exhaustive compared to suggested names found on other Airhead posts, but nonetheless we're continuing to see access problems from Android devices. If the device switches to cellular data, it connects and downloads Google Play applications with no problem. When connected to the wireless network and in a captive role, the store is inaccessible.
Below is the list of names/networks allowed to no avail:
name android.clients.google.com
name *.gvt1.com
name *.ggpht.com
name *.clients.google.com
name *.play.google.com
name *.googleusercontent.com
name *.cloud.google.com
name mst-ext.amazon.com
name mas-ext.amazon.com
name images-amazon.com
name amzadsi-a.akamaihd.net
name *.l.google.com
name play.google.com
name *.gstatic.com
name *.appengine.google.com
name *.googleapis.com
name *.1e100.net
name *.digicert.com
name *.android.clients.google.com
name *.geotrust.com
name *.settings.crashlytics.com
name *.amazon.com
name *.akamaiedge.net
name *.akamaitechnologies.com
name *.msftncsi.com
name *.msftncsi.com.edgesuite.net
name Dig0kk115kms0.cloudfront.net
name *.akamaihd.net
name *.cloudpath.net
name android.l.google.com
name photos-ugc.l.google.com
name *.android.com
network 172.217.0.0 255.255.0.0
network 74.125.228.0 255.255.255.0
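
One way to narrow down a problem like the one described above, as an added example that is not part of the original post: compare the hostnames and addresses a test device actually resolves against the allowlist and report what no entry covers. The observations are constructed, only a subset of the posted list is embedded, and the wildcard semantics (`*.example.com` covers subdomains but not the bare domain) are an assumption, not the controller's documented behaviour.

```python
import ipaddress

# Subset of the allowlist from the post, in the same "name"/"network" form.
ALLOWLIST = """\
name android.clients.google.com
name *.gvt1.com
name play.google.com
name *.play.google.com
name *.googleapis.com
network 172.217.0.0 255.255.0.0
network 74.125.228.0 255.255.255.0
"""

def parse_allowlist(text):
    """Return (exact_names, wildcard_suffixes, networks)."""
    exact, suffixes, networks = set(), [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "name":
            name = parts[1].lower().rstrip(".")
            if name.startswith("*."):
                suffixes.append(name[1:])  # keep the leading dot: ".gvt1.com"
            else:
                exact.add(name)
        elif len(parts) == 3 and parts[0] == "network":
            networks.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return exact, suffixes, networks

def covered(host, ip, rules):
    """Return the entry covering this (hostname, resolved IP) pair, or None."""
    exact, suffixes, networks = rules
    host = host.lower().rstrip(".")
    if host in exact:
        return "name " + host
    for suffix in suffixes:
        # Assumption: "*.example.com" matches subdomains, not "example.com".
        if host.endswith(suffix):
            return "name *" + suffix
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return "network " + str(net)
    return None

def uncovered(observations, rules):
    """List the observations that no allowlist entry covers."""
    return [(h, ip) for h, ip in observations if covered(h, ip, rules) is None]

# Constructed observations: (hostname the client resolved, address returned).
OBSERVED = [("play.google.com", "172.217.4.14"), ("r3.gvt1.com", "203.0.113.10"),
            ("gvt1.com", "203.0.113.11"), ("cdn.example.net", "198.51.100.7"),
            ("other.example.org", "74.125.228.33")]
```

Feeding it the names from a packet capture or DNS log taken while the device is in the captive role shows which destinations still need an entry.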