Inconsistent Access Gateway proxy selection when Error on DNS mismatch disabled

  • 7021260
  • 30-Aug-2017
  • 06-Sep-2017

Environment

Access Manager 4.3
Access Manager 4.2

Situation

Access Manager setup with multiple proxy services, both domain-based multihomed (dbmh) and path-based multihomed (pbmh), listening on the same TCP port and IP address.
Each proxy service has Error on DNS mismatch set to No.
 
When a user reaches the proxy's IP address and TCP port by IP address (so the Host header does not match any proxy's published DNS name), the user seems to be unexpectedly redirected to one of the path-based proxy services. That proxy service does not have the required authorization policies enabled that we need in order to check for certain conditions.

Because 'Error on DNS mismatch' is disabled, we would expect the request to resolve to the parent proxy service, but it resolves to a different proxy service. In fact, based on testing, it resolves to the proxy service whose logical name is alphabetically the lowest, e.g. one starting with a.
 
To implement the same checks, we need to go into debug mode, identify which proxy service the request resolves to, and add the Authz policy to that proxy service. If another proxy service is added later, it could change which proxy service is selected and break the existing environment.
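The fallback described above can be checked against an inventory of proxy services without going into debug mode. The following is an added example, not Access Manager code and not part of the original article; it models only the behaviour reported in testing. The inventory, the policy name and the case-insensitive ordering are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProxyService:
    name: str                      # logical name of the proxy service
    kind: str                      # "parent", "dbmh" or "pbmh"
    dns_name: str                  # published DNS name (pbmh shares its parent's)
    authz: frozenset = frozenset() # authorization policies enabled on it

def host_matches(services, host):
    """True if the Host header names any published DNS name (hostname/IPv4 only)."""
    name = host.partition(":")[0].lower()   # drop an optional :port
    return any(s.dns_name.lower() == name for s in services)

def observed_fallback(services):
    """Service chosen in testing when no Host matches: lowest logical name."""
    return min(services, key=lambda s: s.name.lower())  # case-insensitive: assumption

def audit(services, host):
    """Return None when Host matches, else what the mismatched request bypasses."""
    if host_matches(services, host):
        return None
    parent = next(s for s in services if s.kind == "parent")
    chosen = observed_fallback(services)
    return {"host": host, "expected": parent.name, "observed": chosen.name,
            "missing_policies": sorted(parent.authz - chosen.authz)}

def addition_changes_fallback(services, new_name):
    """Would adding a service with this logical name become the new fallback?"""
    return new_name.lower() < observed_fallback(services).name.lower()

# Constructed inventory: one IP/port, three proxy services, hypothetical policy name.
SERVICES = [
    ProxyService("portal", "parent", "portal.example.com", frozenset({"internal-only"})),
    ProxyService("hr", "dbmh", "hr.example.com", frozenset({"internal-only"})),
    ProxyService("apps", "pbmh", "portal.example.com"),
]

if __name__ == "__main__":
    for host in ("hr.example.com", "192.0.2.10:443"):
        print(host, "->", audit(SERVICES, host))
    print("adding 'admin' changes fallback:", addition_changes_fallback(SERVICES, "admin"))
```

A non-empty `missing_policies` list names the Authz policies that would have to be copied to the fallback proxy service, and `addition_changes_fallback` shows whether a planned new proxy service would move the fallback again.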

Resolution

Apply NAM 4.4. This now selects the parent proxy when no matching Host HTTP header is found and 'error on DNS mismatch' is enabled.