502_3 bad gateway IIS AAR RP for Lync

I encountered a "new" error message this week, as I was finalizing a Lync 2013 deployment for a customer. When I say new, it was new to me, as I had not seen this before. Everything was set up for remote access and federations, but certain features, such as mobility did not work right away. I decided to test the URL's from the outside, and was surprised to find the following error message:

This deployment was set up with a IIS ARR for reverse proxy. I searched for the 502 (502.3 to be exact) on forums and internet in general, but could not find any answer to my exact issue.

I verified firewall ports and connectivity was ok. I also checked the web sites on port 4443 and 8080 from a client inside, and saw no apparent errors.

I went through the deployment guide one more time (step by step), and discovered I had forgotten to import the internal CA ROOT to the Reverse Proxy machine. Once this was installed, it all worked just fine.

The reason I decided to write this post, is because the root cause was not very obvious to me (only after reading tracing logs and checking the step by step guide again, was I able to figure out the problem). And I wanted to write a reminder to myself, and maybe help somebody else if they happened to forget to import the ROOT CA.

The 502 "invalid response" can be a lot of things. Certificate error being one of them. Now I know.

For those looking for a guide to set this up, I have two links for you:
This is the one I used: http://uclobby.wordpress.com/2013/08/02/configuring-arr-for-lync-server/

And here is one from nexthop: http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx

I preferred the first one, as it was a more "general" rule to catch all. But it might not suit all scenarios. The one from nexthop is much more detailed, and will have you set up a rule for each URL.