Since you are keeping two applications normally public and only moving one behind the SA, you must set up a new IP address to point to your SA login page.
You will then delete the secured application DNS entry so this will no longer forward or work without using the SA.
The SA does allow you to create custom host entries.
But the better solution is to use your internal Microsoft AD DNS domain. In most MS networks you have a domain controller with DNS for a non-internet domain such as mycompany.local. Your web server can have a DNS entry created here that can be added to the host header on your web server, and you can remove the old external name. Now both internal clients and the SA use these DNS servers and no host files are needed anymore. These are not visible outside the network, and then the site can only be used by the SA or internal domain computers.
Yes, I think your opinion to set up a new public IP address for this domain, my.abc.com, pointing to the SA login page is the best solution. The SA will then forward to the web app server when the user clicks on bookmarks defined on the SA, and the DNS IP must be configured on the SA so it can resolve this domain.
As you said, "You will then delete the secured application DNS entry so this will no longer forward or work without using the SA". Could you explain in more detail what this means?
Since you have three applications on the web server and two remain public, you must delete the DNS entry for the secured application. If you do not, then the same forwarding rules that allow the two public sites to work will continue to allow access to the third secured site.
Ideally, you also remove the original host header and set up a new one on that internal AD domain name. This way the outside world does not know the host header. They cannot get around the lack of the DNS entry by creating a host file on their private computer to continue to access the site without logging in.
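
The host-header point in the reply above can be checked on a loopback test server. This is an added example, not part of the original thread: the `example.test` names are constructed, `secure.mycompany.local` is a hypothetical name in the internal domain mentioned above, and the toy server stands in for the real web server's host-header bindings.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def make_server(bindings):
    """Start a loopback web server that serves only the host headers in `bindings`."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Name-based virtual hosting: the site is chosen by the Host header,
            # not by how the client resolved the server's IP address.
            host = (self.headers.get("Host") or "").split(":")[0].lower()
            site = bindings.get(host)
            body = (site or "no site bound to this host header").encode()
            self.send_response(200 if site else 404)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(server, host_header):
    """Connect by IP (what a hosts-file entry achieves) and send a chosen Host header."""
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    status = conn.getresponse().status
    conn.close()
    return status

def compare():
    # Constructed names: two public sites plus the secured application.
    public = {"www.example.test": "public site A", "shop.example.test": "public site B"}
    # DNS record deleted only: the old external host header is still bound.
    dns_only = make_server({**public, "secure.example.test": "secured app"})
    # Old header removed and the site rebound to an internal AD name (hypothetical).
    rebound = make_server({**public, "secure.mycompany.local": "secured app"})
    try:
        return {
            "dns_only_old_name": fetch(dns_only, "secure.example.test"),
            "rebound_old_name": fetch(rebound, "secure.example.test"),
            "rebound_internal_name": fetch(rebound, "secure.mycompany.local"),
            "rebound_public_site": fetch(rebound, "www.example.test"),
        }
    finally:
        for s in (dns_only, rebound):
            s.shutdown()
            s.server_close()
```

With only the DNS record deleted, the old external name still returns 200 when the server is reached by IP; after the binding is moved to the internal name it returns 404, while the public sites and the internal name keep working.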