This deployment was set up with a IIS ARR for reverse proxy. I searched for the 502 (502.3 to be exact) on forums and internet in general, but could not find any answer to my exact issue.
I verified firewall ports and connectivity was ok. I also checked the web sites on port 4443 and 8080 from a client inside, and saw no apparent errors.
I went through the deployment guide one more time (step by step), and discovered I had forgotten to import the internal CA ROOT to the Reverse Proxy machine. Once this was installed, it all worked just fine.
The reason I decided to write this post, is because the root cause was not very obvious to me (only after reading tracing logs and checking the step by step guide again, was I able to figure out the problem). And I wanted to write a reminder to myself, and maybe help somebody else if they happened to forget to import the ROOT CA.
The 502 "invalid response" can be a lot of things. Certificate error being one of them. Now I know.
For those looking for a guide to set this up, I have two links for you:
This is the one I used: http://uclobby.wordpress.com/2013/08/02/configuring-arr-for-lync-server/
And here is one from nexthop: http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
I preferred the first one, as it was a more "general" rule to catch all. But it might not suit all scenarios. The one from nexthop is much more detailed, and will have you set up a rule for each URL.
