KB Article #178479

Admin Node Manager no longer accessible when put behind a VIP

Problem

An Admin Node Manager that can be accessed directly fails when it is accessed through a VIP, and the Node Manager trace shows errors like the following:


ERROR 01/Jan/2017:00:00:00.000 [0000:000000000000000000000000] CSRF-protection check for referer https://admin-nm-vip.example.com/login/ failed

Resolution

The Node Manager employs CSRF protection that restricts which referers are permitted on incoming requests. When you access the admin NM through a VIP, the Referer header carries the VIP's hostname rather than the NM's own, so the request looks like it comes from an outside origin and is blocked.


The fix is to whitelist the VIP's referer on the servlets in the Node Manager's policy, so that requests arriving through the VIP are recognised as safe. This is done by opening the files in /apigateway/conf/fed/ in Policy Studio and adding a CsrfProtectionFilterFactory.refererWhitelist property to both the api servlet and the App Info Service servlet, as shown in the screenshot below:



Note that the whitelist property is a Java regex, which is why the periods in the hostname are preceded by backslashes: an unescaped period matches any character, so a pattern without the backslashes would also accept lookalike hostnames and weaken the check. The regex must match the referer exactly as it appears in the trace (scheme, host and path). The same property must be added to both servlets, or failures will still occur on whichever one is missing it.
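The following is an added example, not code from the article or from the Node Manager itself. It checks a Referer value against candidate whitelist regexes so you can confirm a pattern before putting it into the property. It uses Python's re module; the constructs involved (escaped dots, ".*", literal text) behave the same way under java.util.regex. The hostnames are constructed sample input, and the example assumes the filter matches the whole Referer string (the equivalent of Java's Matcher.matches()); the page does not state whether the real filter uses a full match or a substring search.

```python
import re

# Referer value from the trace line in the article (sample hostname).
TRACE_REFERER = "https://admin-nm-vip.example.com/login/"

# Candidate values for CsrfProtectionFilterFactory.refererWhitelist.
# ESCAPED is the form the article prescribes; the other two are here to show
# what goes wrong when the dots are not escaped or the pattern is too loose.
ESCAPED = r"https://admin-nm-vip\.example\.com/.*"
UNESCAPED = r"https://admin-nm-vip.example.com/.*"
SLOPPY = r".*example\.com.*"

# Constructed referers an attacker-controlled page could present.
LOOKALIKE = "https://admin-nm-vipxexample.com/login/"          # dot -> any char
SUFFIXED = "https://admin-nm-vip.example.com.attacker.net/login/"
SUBDOMAIN = "https://evil.example.com.attacker.net/"


def referer_allowed(referer: str, whitelist: str) -> bool:
    """True if the whole Referer value matches the whitelist regex.

    Assumption (not stated on the page): the filter does a full-string
    match, like Java's Matcher.matches(), rather than a substring search.
    """
    return re.fullmatch(whitelist, referer) is not None


def audit(whitelist: str) -> dict:
    """Evaluate one whitelist regex against the legitimate referer and the
    constructed hostile ones. A good pattern accepts only the first key."""
    samples = {
        "trace": TRACE_REFERER,
        "lookalike": LOOKALIKE,
        "suffixed": SUFFIXED,
        "subdomain": SUBDOMAIN,
    }
    return {name: referer_allowed(ref, whitelist) for name, ref in samples.items()}


if __name__ == "__main__":
    for label, pattern in (("ESCAPED", ESCAPED), ("UNESCAPED", UNESCAPED), ("SLOPPY", SLOPPY)):
        print(label, pattern)
        for name, ok in audit(pattern).items():
            print(f"  {name:10s} {'allowed' if ok else 'blocked'}")
```

Run it and compare the three patterns: only the escaped form accepts the referer from the trace while rejecting the lookalike and suffixed hosts. Use the pattern that passes this audit for both servlets.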


Once you have edited the NM policies, copy the edited files over the ones in /apigateway/conf/fed and restart the NM. Make a backup of the existing files before overwriting them. If you have multiple NMs, repeat the entire process on each one, because each NM uses its own certificates and there is no way to deploy policy to a Node Manager the way you deploy to a gateway instance.