Looks like it's time to switch to "tech writer" for a few days. Finally figured out why Moloch (think web version of Wireshark) wasn't accepting the network authentication. Moloch is a very nice tool (especially for teaching environments) but the install docs are a bit short.
The "hidden detail" was in how the reverse proxy mangles specific header variables (what goes into the proxy config isn't what is delivered to Moloch). Had to write a variable dump script before that was noticeable.
In any case, TC4 IDS students now have a very nice way to view captured packets.
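
A header dump of the kind mentioned above can be as small as the following Node.js sketch, which stands in for the application behind the proxy and reports how each configured header name actually arrived. It is an added example, not the author's script; the header names, the `DUMP_PORT` variable and the kinds of renaming it checks for (case, `-` versus `_`) are assumptions chosen for illustration.

```javascript
// Added example: compares header names written in a proxy config with the
// names a backend actually receives. All header names here are constructed.

// Normalise a header name so case and '-'/'_' differences are ignored.
const loose = (name) => name.toLowerCase().replace(/_/g, "-");

// rawHeaders uses Node's req.rawHeaders layout: [name, value, name, value, ...]
function compareHeaders(expectedNames, rawHeaders) {
  const delivered = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    delivered.push({ name: rawHeaders[i], value: rawHeaders[i + 1] });
  }
  return expectedNames.map((expected) => {
    const exact = delivered.find((h) => h.name === expected);
    if (exact) return { expected, status: "exact", delivered: exact.name, value: exact.value };
    const caseOnly = delivered.find((h) => h.name.toLowerCase() === expected.toLowerCase());
    if (caseOnly) return { expected, status: "case-changed", delivered: caseOnly.name, value: caseOnly.value };
    const renamed = delivered.find((h) => loose(h.name) === loose(expected));
    if (renamed) return { expected, status: "separator-changed", delivered: renamed.name, value: renamed.value };
    return { expected, status: "missing", delivered: null, value: null };
  });
}

// Stand-alone backend: point the proxy at it in place of the real application,
// make one authenticated request, and read the JSON report.
// The report echoes every header value, so it binds to loopback only.
function startDumpServer(port, expectedNames) {
  const http = require("node:http"); // loaded here so compareHeaders has no dependencies
  return http.createServer((req, res) => {
    const report = {
      raw: req.rawHeaders,   // names as they arrived on the wire
      parsed: req.headers,   // names as Node exposes them (lowercased)
      comparison: compareHeaders(expectedNames, req.rawHeaders),
    };
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(JSON.stringify(report, null, 2));
  }).listen(port, "127.0.0.1");
}

// Only listens when asked to: DUMP_PORT=8081 node header-dump.js
if (process.env.DUMP_PORT) {
  startDumpServer(Number(process.env.DUMP_PORT), ["X-Remote-User", "X-Auth-Group"]);
}
```

Any entry whose status is not `exact` shows the name the application would have to be configured with, or that the proxy never forwarded the header at all.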