"Error on DNS mismatch" Access Gateway setting fails to work as expected in NAM 4.3 when disabled

  • 7020722
  • 07-Jun-2017
  • 09-Jun-2017


NetIQ Access Manager 4.3
NetIQ Access Gateway


Access Gateway (AG) Administrator wants multiple DNS names to resolve to the IP address of a proxy service. To avoid any errors sent back to users, the option for Web server configuration under the AG proxy has an option 'Error on DNS mismatch' which is enabled by default. Whenever a HTTP request comes into this proxy server where the HTTP host header does not match the published DNS name of the proxy service, an error will be returned by default.

To avoid this in the above use case, the 'Error on DNS mismatch' flag was disabled, enabling users with different Host HTTP headers resolving to this proxy service to be handled without error. Making these changes however always triggers the 403 error on browser eg.

- create an RP with valid name eg. www.novell.com
- under web server config, disable the 'error on DNS mismatch' flag
- under web server config, select to forward web server hostname
- modify /etc/hosts so that www2.novell.com resolves to IP address of above RP
- access the www2.novell.com hostname and confirm you see 403 mismatch error


Apply NAM 4.3 SP2.


Host header check for DNS mismatch was done even though error on DNS mismatch option was disabled at proxy service level during request for pr and LAGBroker request.

Additional Information

here’s what I see in the error_log, where DNS mismatch error is reported.

Apr  7 06:43:18 agsvc01 httpd[18670]: [debug] ../prerror.cpp(637): AM#604600000 AMDEVICEID#ag-517EA0B600EA9C47: A
MAUTHID#e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855: AMEVENTID#2370: Requ: GET http://jp.am3
.com:8080/path01/IDMProv/iisstart.htm  service:gd_path01 (>
Apr  7 06:43:18 agsvc01 httpd[18670]: [info] AM#504600100 AMDEVICEID#ag-517EA0B600EA9C47: AMAUTHID#e3b0c44298fc1c
149afbf4c8996fb92427ae41e4649b934ca495991b7852b855: AMEVENTID#2370: Restricted URL
Apr  7 06:43:18 agsvc01 httpd[18670]: [info] AM#504600000 AMDEVICEID#ag-517EA0B600EA9C47: AMAUTHID#e3b0c44298fc1c
149afbf4c8996fb92427ae41e4649b934ca495991b7852b855: AMEVENTID#2370: matched PR:IDMProv
Apr  7 06:43:18 agsvc01 httpd[18670]: [warn] AM#304600404 AMDEVICEID#ag-517EA0B600EA9C47: AMAUTHID#e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855: AMEVENTID#2370: url http://jp.am3.com:8080/path01/IDMProv/iisstart.htm requires login, but, having DNS mismatch. So, returning 403.
Apr  7 06:43:18 agsvc01 httpd[18670]: [debug] ../mod_auth_liberty.c(739): AMEVENTID#2371: Host Header is jp.am3.com:8080
Apr  7 06:43:18 agsvc01 httpd[18670]: [debug] ../prerror.cpp(637): AM#604600001 AMDEVICEID#ag-517EA0B600EA9C47: AMAUTHID#e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855: AMEVENTID#2370: status:403 GET http://jp.am3.com:8080/path01/IDMProv/iisstart.htm <e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855> X-Mag: <517EA0B600EA9C47;3f228bc8;2370;usrLkup->0;usrBase->0;getPRBefFind->0;getPRBefFind->0;PRAfterFind->0;IDMProv;publicUser->0;DNS_MisMatch;FP4->0;FP4->1;FP4->1;> [>]service:gd_path01 (362:0) –

If I look at the config for this proxy service, I clearly see that the flag is set

                                                            <HTTP_PathSubservice SubserviceID="sspath_14913912550
27" Name="gd_path01" Enable="1" EnableBrowserCaching="0" EnableRemovePathOnFill="1" Description="" EnableRemoveSu
bpathInCookie="1" UserInterfaceID="sspath_1491391255027" LastModified="1491538992654" LastModifiedBy="cn=admin,o=
novell" MultiHomeType="path" MultiHomeMasterSubserviceIDRef="sshost_1491391229398" DisableSessionAssurance="0">
                                                              <HTTPOptions EnableXForwarded="1">
                                                              <Webserver WebserverHostName="userapp.am3.com" FillHostHeaderType="webserver-hostname" EnableForceHTTP10ToOrigin="0" EnableEncodingHeaderForwarding="0" ErrorOnDNSMismatch="0" EnableSessionStickiness="1" EnableWebserverOrder="1" IsWebserverGroupSpecific="1">
                                                                  <ServerAddress UserInterfaceID="" Order="1" isAddressAddedByGroupConfig="1">
                                                                    <IPv4Address IPv4Address="" />
                                                                <Port Port="8080" />

This happens with parent proxy as well as path based child.