I have made some more tests, resulting in the following:
1. All files in admin-root. No crossdomain.xml needed.
2. All files located on separate Apache server. FirePlay.html edited with the FireFly server address and port. No crossdomain.xml needed.
It’s still the same physical server though, so these test are quite useless for you, jennytoo.
If you can, try running FirePlay in old Flash Player version 6. It is not equipped with the crossdomain security checks: