Fischer I didn't understand at all what you're going for.
However, do you realize how difficult it would be to have the client contact the server without knowing its url? This has nothing to do with securing the server, HTTPS, VB, PHP or REST. It would be like sending something through the mail without knowing the address of your recipient.
That being said, with a clever play of redirection and a few servers acting as middleware between your client and your endpoint, you devise a scheme that would obfuscate enough your target url so that it's practically impossible to know where the end data is ultimately headed. However the client (the VB program) needs to know at least the first address to connect to. How does it connect to the PHP server in the first place?
What I understand it's doing now
+-----------+ +-----------+
| +---+1.request+----------> known URL |
| client <---+2.secretURL+--------+ |
| | | PHP server|
+-----------+ +-----------+
|
|
|
|
| +-----------+
| | unkown URL|
+---+3.request+--------->| |
| secret! |
+-----------+
Why don't you try doing this?
+-----------+ +-----------+ +-----------+
| +---+1.request+----------> known URL +-----+2.getHTML+--->| unkown URL|
| client <---+4.forwardHTML+------+ <-----+3. HTML+------+ |
| | | PHP server| | secret! |
+-----------+ +-----------+ +-----------+
The user will most likely never get access to unkownURL, but it needs to know known URL.
Obviously the schema is a small simplification, and your business case might be more complicated than that. But the point is, you should never implement this sort of obfuscation client-side. It's absolutely useless. (That's the first rule of web security. You would think that by now you won't come across client-side data validation anymore!)