We had NetWare 5.1 SP8 with TCP587i applied, BM3.7 SP3 with BM37FP4D
applied. And we had the following ACL rules:

Deny HTTP Port:443 Any
Allow URL SpecifiedNDSObjects http://*:443/*

It worked fine before, i.e. noone could connect by IP, but connections
by name were granted. Yesterday evening I've applied BM37FP4E and this
morning problems started to appear - nobody could connect by https at
all. Changing order of the rules fixed it, but now the second rule is

It seems that this patch changed the way how URLs are processed: the
host names are resolved first and then their IP addresses checked
against the rules. Why this is not documented anywhere? And why there is
no switch in proxy.cfg to turn it off? We already had DonotSendIPToACL=1
but it doesn't seem to affect this case.

BTW we have a related problem with another rule: there is a host name
for a server which hosts many different virtual Web servers, now all of
them are denied and not only this particular host name.

This sudden change of behaviour is very unfortunate and we would like to
turn it off, but is it possible without backing out the whole patch?

With best regards,
Victor Shkamerda