Receiving http 502 BadGateway Response Error when testing Lync 2013 using iis arr

  • Question

  • I'm currently getting this error when I use

    Testing HTTP authentication methods for URL

    HTTP authentication test failed.

    Additional Details
    A web exception occurred because an HTTP 502 - BadGateway response was received from IIS7.
    Content-Length: 1477
    Content-Type: text/html
    Date: Tue, 23 Jul 2013 16:15:57 GMT
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET

    What I've tried/works so far:

    lyncdiscover resolves, the port opens, and the ssl cert validates.

    When I try and get to from an iPad (externally) I get another 502 error. It says:

    502 - Web server received an invalid response while acting as a gateway or proxy server. 

    There is a problem with the page you are looking for, and it cannot be displayed. When the Web Server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

    I think it might be something on the external web site on the front end, but it's already certed with the appropriate SANs and I don't know what else it could be regarding that.

    Another possibility which I found was to check the enable proxy box under the Application Request Routing module in IIS Manager. This seems like it could be my problem, but I found no mention of it in any of the guides I've looked at.

    I mainly used the NextHop guide by Koen Wagenveld

    Tuesday, July 23, 2013 5:00 PM


  • Issue has been resolved. My was entered for the front end in internal DNS and not the proxy.  And the server in the server farm was misspelled.
    • Marked as answer by lhenrickson Tuesday, August 6, 2013 1:20 PM
    Tuesday, August 6, 2013 1:19 PM

All replies

  • Is your IIS ARR server able to resolve your Lync Pool? (either using DNS or host file entries)? and can you browse to it from your IIS ARR server using Internet explorer?

    Blog | Twitter @georgathomas

    Tuesday, July 23, 2013 5:38 PM
  • I can ping and it resolves when I nslookup, but when I browse to it I get 403 - Forbidden: Access is denied.

    • Edited by lhenrickson Tuesday, July 23, 2013 7:40 PM grammar
    Tuesday, July 23, 2013 7:38 PM
  • Also, I'm using Standard Edition so my front end FQDN is the same as my internal web services.
    Tuesday, July 23, 2013 7:43 PM
  • Have you created all the relevant DNS entries externally too? The one I am mainly thinking of is the external pool FQDN in your public/external DNS.

    Blog | Twitter @georgathomas

    Tuesday, July 23, 2013 7:48 PM
  • I have the following external DNS entries. They're all listed under one external IP address and NATed to the server's external NIC at our firewall. Should they be on more than one IP?

    Type of Record






    Tuesday, July 23, 2013 7:55 PM
  • One IP address is fine.

    When you browse to from the IIS box you don't receive any errors?

    Blog | Twitter @georgathomas

    Tuesday, July 23, 2013 8:01 PM
  • Also if you try your pool URL externally does it return data?

    Blog | Twitter @georgathomas

    Tuesday, July 23, 2013 8:07 PM
  • It says this page cannot be displayed for the
    • Edited by lhenrickson Tuesday, July 23, 2013 8:25 PM correction
    Tuesday, July 23, 2013 8:19 PM
  • Is that error what you get externally or from the IIS box (using the 4443 url)? 

    Where is the enable proxy checkbox?

    Blog | Twitter @georgathomas

    Tuesday, July 23, 2013 8:23 PM
  • I was trying to hit lyncdiscover from the IIS box, and the enable proxy checkbox is under the IIS Manager. From the server module, click Application Request Routing under IIS and then on the right under Proxy click Server Proxy Settings.
    Tuesday, July 23, 2013 8:31 PM
  • Ah ok, that's not on in my environment and mine is working fine so I'd say that isn't required.

    Did you create an internal LyncDiscover DNS entry?

    I realised I should have had you try to go to not Lyncdiscover.

    Blog | Twitter @georgathomas

    Tuesday, July 23, 2013 8:45 PM
  • Yes, I have a entry and if I browse to it, I get the XML file. I cannot browse to I don't have an entry for it internally. My understanding is that internally it shouldn't be reachable and the front end FQDN should be the internal web services URL.
    Wednesday, July 24, 2013 12:16 PM
  • Run Get-CsMcxConfiguration - you should have ExposedWebURL as external.

    In my configuration through topology builder you can see the Web Services URL and ports as below (4443 is the default for external webservices)

    Basically my IIS ARR box accepts (443) and routes it to (4443) on my Lync Front End servers

    Blog | Twitter @georgathomas

    Wednesday, July 24, 2013 1:00 PM

  • I have the Standard Edition so mine doesn't have the Override FQDN option but it's the same besides that. And my exposed web url is external as well.

    Wednesday, July 24, 2013 1:37 PM
  • I'm getting 2 types of errors depending on what I am doing. If I go to internalwebFQDN:4443 from the proxy I get a 403 error. If I try and access anything externally I get a 502 bad gateway response. So I think I need to resolve the 403 error before I can solve the 502.
    Wednesday, July 24, 2013 3:42 PM
  • The 403 is fine because there's no page (or directory tree to display on the destination IIS) but this will mean that you are getting a response back from the server. (try this instead

    In your IIS ARR are you routing to 4443 when you add the servers to the farm? 

    Blog | Twitter @georgathomas

    Wednesday, July 24, 2013 5:28 PM
  • If I go to I get page not found as it is not resolvable internally, but if I go to https://internalwebFQDN:4443/GroupExpansion/Service.svc/mex?wsdl the internal site I get the xml file, and yes I have the ports set to 8080 and 4443.

    I was confused when initially using the guide. It doesn't explicitly say to have a separate server farm for each address, but in order for my URL rewrite page to match up to his, that's how I did it. Is that correct?

    Wednesday, July 24, 2013 6:42 PM
  • That's correct, you end up with a separate server farm for each URL.

    Blog | Twitter @georgathomas

    Wednesday, July 24, 2013 7:08 PM
  • I'm confused as to how the proxy knows to route traffic to the FE server. I didn't have to enter the FE fqdn or ip anywhere as I went through the guide. Does it get it from DNS?
    Wednesday, July 24, 2013 7:30 PM
  • It does it in the rewrite rules.

    When you select "Server" in IIS Manager, URL Rewrite and double click the rule, there's a section down the bottom that says "Action" it allows you to pick where to route it there

    Blog | Twitter @georgathomas

    Thursday, July 25, 2013 3:11 PM
  • Check the similar thread at

    Check the required SANs in the certificate for Reverse Proxy Server are added.

    For the needed SANs for Reverse Proxy Server, see

    Friday, July 26, 2013 4:43 AM
  • Hi,

    Maybe an unneeded reply, but did you add your internal certificate's (of the front-end server) trusted root certification authority to the trusted root certification authorities on your IIS ARR server?

    You can find this certificate on \\CAFQDN\CertEnroll.

    You'll need to add this certificate to the local computer store in order to verify the certificate. The proxy server reroutes your request to your internal Front-End server (pool) and verifies the certificate published on this server.

    If you don't add the certificate of your internal CA to the trusted root certification authorities store you will get a 502.


    Technical Consultant Exchange | MCP, MCSA, MCSE, MCTS, MCITP | Blog: | Follow me on twitter: correinhard | Please, feel free to nominate me for MVP @

    Monday, July 29, 2013 10:27 AM
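
The checks raised in this thread (whether the ARR server resolves the farm member's name, whether port 4443 answers, and whether the front end's certificate chains to a root the ARR server trusts), gathered into one PowerShell function as an added example that is not from any poster. `Test-ArrUpstream` is a hypothetical helper name and `fe01.contoso.local` is a placeholder for the name typed into the server farm.

```powershell
# Added example, not from the thread. Run it on the IIS ARR server.
# Uses only .NET classes. 'fe01.contoso.local' is a placeholder server name.
function Test-ArrUpstream {
    param(
        [Parameter(Mandatory = $true)][string]$FarmServer,  # exactly as typed in the ARR server farm
        [int]$Port = 4443                                   # external web services port from the thread
    )
    $result = @{
        Server = $FarmServer; Port = $Port; Addresses = $null; TcpOpen = $false
        CertSubject = $null; CertIssuer = $null; TlsPolicyErrors = $null
        ChainStatus = $null; Error = $null
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # 1. Name resolution: a misspelled farm entry or a missing DNS record fails here
        $result.Addresses = ([System.Net.Dns]::GetHostAddresses($FarmServer) |
            ForEach-Object { $_.IPAddressToString }) -join ','

        # 2. TCP reachability of the upstream port
        $tcp.Connect($FarmServer, $Port)
        $result.TcpOpen = $true

        # 3. TLS handshake. The callback records the validation result as evaluated
        #    against this machine's certificate stores, then returns $true so the
        #    certificate can still be inspected. Diagnostic use only.
        $script:tlsErrors = $null
        $script:chainStatus = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($origin, $certificate, $chain, $sslPolicyErrors)
            $script:tlsErrors   = $sslPolicyErrors
            $script:chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $true
        }
        $ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($FarmServer)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject     = $cert.Subject
        $result.CertIssuer      = $cert.Issuer
        $result.TlsPolicyErrors = [string]$script:tlsErrors  # 'None' = name and chain both validated
        $result.ChainStatus     = $script:chainStatus        # UntrustedRoot = issuing CA root not trusted here
    }
    catch   { $result.Error = $_.Exception.Message }
    finally { $tcp.Close() }
    New-Object PSObject -Property $result
}

Test-ArrUpstream -FarmServer 'fe01.contoso.local' -Port 4443 | Format-List
```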
  • If you are using Windows 2012 Server for IIS ARR, then kindly use ARR 3.0. I have faced a URL rewrite issue when I use Windows 2012 with ARR 2.6.

    Check below guide,

    Wednesday, November 20, 2013 11:35 AM
  • This did the trick.

    I had the same error and was running ARR 2.5 on Win 2016. I did all the configuration in 2.5. Everything worked except sign-in from outside with an iPhone or Mac.

    I then installed ARR 3.0, rebooted, and all devices could connect from external. Nothing more to do.

    Thank you

    Friday, February 1, 2019 7:29 AM