I am getting error while accessing url of lyncweb.domain.com, dialin.domain.com and meet.domain.com pointing to RP server.

502 - Web server received an invalid response while acting as a gateway or proxy server.

There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

For this issue, you can refer below link

http://support.microsoft.com/kb/2455129

I tried to apply hotfix, but it shows it is not supported.

Elapsed Time: 669 ms.

Sorry for the delay here, which hotfix did you attempt to load? The one I posted (http://www.microsoft.com/en-us/download/details.aspx?id=30333) definitely works on Windows 2012 (I've had to apply it a few times)

The second one that was posted applies to Windows 2008, so don't use that one.

I am getting error while trying to install the above mentioned hotfix. 

My server configuration is : 

Did you install IIS ARR2.5 or 3.0? If you installed 3, that would explain that.

Can I ask are you able to visit https://yourlyncfrontend.yourdomain.com:4443 from Internet Explorer on your Reverse proxy? Are you receiving any certificate errors? (if so, did you install the root certificate from your CA onto your Reverse Proxy)

When i try with https://lyncfrontend.domain.local:4443 and https://lyncfrontend.domain.com:4443 both opens but when i open the external domain name i get certificate .

ARR version installed is 3.0



To throw more light on the configuration:

Lync 2013 implemented, internal domain name is : domain.local and external domain name is : domain.com

All servers in VMs are with 4 core processor, 24gb ram, 1TB drive.

Frontend : Windows 2012r2 with Lync 2012 Standard Edition - 1 No (192.168.10.100)

Edge : Windows 2012 with Lync 2012 Std - 1 No 
(192.168.11.101 DMZ) in workgroup

ISS ARR Reverse Proxy 3.0 : Windows 2012 with ARR and IIS configured. (192.168.11.102)

Certificate : Internal Domain root CA for internal and External (Digicert).

Internal Network : 192.168.10.x /24

External Network (DMZ) : 192.168.11.x /24

Public Firewall NAT to DMZ ip for firewall and RP server. So having two public IP facing external network.

Edge has : sip.domain.com, webconf.domain.com, av.domain.com

IIS ARR RP server has : lyncdiscover.domain.com, lyncweb.domain.com, meet.domain.com, dialin.domain.com

Have created SRV record in public : _sip.tls.domain.com >5061>sip.domain.com, _sipfederationtls._tcp.domain.com>5061>sip.domain.com, _xmpp-server._tcp.domain.com>5269>sip.domain.com

Installed frontend server using MS Lync server 2013 step by step for anyone by Matt Landis, Lync MVP.

Internal AD Integrated DNS pointing Front-end
Type of Record FQDN IP Description 
A sip.domain.com 192.168.10.100 Address internal Front End  or Director for internal network clients 
A admin.domain.com 192.168.10.100 URL Administration pool
A DialIn.domain.com 192.168.10.100 URL Access to Dial In 
A meet.domain.com 192.168.10.100 URL of Web services meeting
A lyncdiscoverinternal.domain.com 192.168.10.100 Register for Lync AutoDiscover service to internal users
A lyncdiscover.domain.com 192.168.10.100 Register for Lync AutoDiscover service to external users  
SRV Service: _sipinternaltls Protocol: _tcp Port: 5061 sip.domain.com Record pointer services to internal customer connections using TLS 
External DNS pointing Edge & Proxy

Type of Record FQDN IP Endpoint
A sip.domain.com x.x.x.100 Edge
A webconf.domain.com x.x.x.100 Edge
A av.domain.com x.x.x.100 Edge
SRV _sip._tls.domain.com sip.domain.com: 443 Edge
SRV _sipfederationtls._tcp.domain.com sip.domain.com:5061 Edge
A Meet.domain.com x.x.x.110 Reverse Proxy
A Dialin.domain.com x.x.x.110 Reverse Proxy
A lyncdiscover.domain.com x.x.x.110 Reverse Proxy
A lyncweb.domain.com x.x.x.110 Reverse Proxy
In IIS ARR proxy server following server farms are added and configured as per link ttp://y0av.me/2013/07/22/lync2013_iisarr/

In proxy server had setup only following server farm : While running remote connectivity web service test : meet, dialin, lyncdiscover and lyncweb.

The client inside works fine internally and through vpn. Login with external client also working fine. But we are getting error in MRCA as follows.

a) While testing remote connectivity for lync getting error : The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation. Certificate was installed properly.

b) For remote web test under Lync throws error : A Web exception occurred because an HTTP 502 - BadGateway response was received from IIS7.
HTTP Response Headers:
Content-Length: 1477
Content-Type: text/html
Date: Wed, 14 May 2014 10:03:40 GMT
Server: Microsoft-IIS/8.0
Elapsed Time: 1300 ms.

Hello, I'm new to the party but why would you be using both: https://lyncfrontend.domain.local:4443 and https://lyncfrontend.domain.com:4443?

If this is Standard edition https://lyncfrontend.domain.com would not be defined in the topology so will always give you certificate errors and should not be used. Looking at your first post lyncweb.aig.sa seems to be your defined External Web Services URL.

The Reverse Proxy should be receiving: lyncdiscovery.aig.sa, lyncweb.aig.sa, dialin.aig.sa and meet.aig.sa (which looks to be valid on the certificate) and then proxy to the Front End server on 4443. The Reverse Proxy will need host file entries to resolve any of the "Server Address" defined when creating the IIS/AAR farm to the Front End's IP (example meet.aig.sa 192.168.10.100).

Host file entries are already in place on the RP server.  Yes standard edition. 

My issue is this while trying from internet lync client is not connecting with the server but while using vpn it works fine. So when i tried browsing the lyncdiscover  url from internet i am getting this error:

502 - Web server received an invalid response while acting as a gateway or proxy server.

There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

IN IIS ARR WE HAVE CREATED the external domain name instead of creating domain.local. So is this the issue which is not allowing the routing request?

Now I have created for internal domain.local ARR and removed the old server farm in the ARR.  After changing it have rebooted the reverse proxy and checked. I get the same

Yes lyncweb.domain.com is my lync external web services url defined in the lync topology builder.

From Internet : When i tried to browse the webpage from external internet lyncdiscover.domain.com, lyncweb.domain.com and dialin.domain.com and meet.domain.com it throws the same error page.

From LAN network : lyncfrontend.domain.local it opens properly. When i tried to open all the url with same network it opens properly.

when i tried from RP server for the following url :

https://meet.domain.com  or https://meet.domain.local or https://meet.domain.local:4443 or https://meet.domain.com:4443

https://dialin.domain.com or https://dialin.domain.local or https://dialin.domain.local:4443 or https://dialin.domain.com:4443

After accepting certificate it shows Blank page

https://lyncweb.domain.com or https://lyncweb.domain.local or https://lyncweb.domain.local:4443 or https://lyncweb.domain.com:4443

After accepting certificate it shows Blank page

Use logparser: http://www.microsoft.com/download/en/details.aspx?id=24659

And query the IIS logs:

SELECT 
Date, 
STRCAT(TO_STRING(sc-status), STRCAT('.', TO_STRING(sc-substatus))) As Status, 
COUNT(*) AS Hits 
FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log
WHERE (sc-status = 502) 
GROUP BY Date, Status 
ORDER BY Date ASC

Have you run the Health Test in IIS/ARR ? : http://unifiedme.co.uk/2013/07/iis-arr-reverse-proxy-502-error/

Hi Michael,

My apology for the delayed response, Have run the logparser, but couldn't succeed. It throws error on select date. 

Also have gone through the http://unifiedme.co.uk/2013/07/iis-arr-reverse-proxy-502-error/ url and checked all the configurations and seems everything appears fine.

i couldn't get the error log, i am getting error when i execute the command. 

SELECT Date, STRCAT(TO_STRING(sc-status), STRCAT('.', TO_STRING(sc-substatus))) As Status, COUNT(*) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE (sc-status = 502) GROUP BY Date, Status ORDER BY Date ASC

Error: detected extra argument "STRCAT('.'," after query

Clear your IIS logs, access the site again externally, provide the logs here for review.

Also provide the details of the applicationhost.config file in %WINDIR%\system32\inetsrv\config

Have attached the link of applicationhost.config file https://www.hightail.com/download/ZUcwYUord0E0b0E4RmNUQw
IIS Log file
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2014-08-27 00:01:46
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-08-27 00:01:46 10.4.60.166 GET /WebTicket/Issuer/ purpose=cwt 443 - 10.4.60.166 - - 200 0 0 41
2014-08-27 00:06:57 10.4.60.166 POST /locationinformation/liservice.svc/WebTicket_Bearer - 443 - 10.62.0.196 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 246
2014-08-27 00:07:15 10.4.60.166 POST /WebTicket/WebTicketService.svc/cert - 443 - 10.62.0.28 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 88
2014-08-27 00:07:15 10.4.60.166 POST /locationinformation/liservice.svc/WebTicket_Bearer - 443 - 10.62.0.28 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 256
2014-08-27 00:12:56 10.4.60.166 POST /locationinformation/liservice.svc/WebTicket_Bearer - 443 - 10.62.1.4 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 228
2014-08-27 00:25:58 10.4.60.166 POST /WebTicket/WebTicketService.svc/cert - 443 - 10.62.0.243 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 291
2014-08-27 00:26:00 10.4.60.166 POST /locationinformation/liservice.svc/WebTicket_Bearer - 443 - 10.62.0.243 OC/15.0.4420.1017+(Microsoft+Lync) - 200 0 0 258
2014-08-27 00:39:43 10.4.60.166 POST /CertProv/CertProvisioningService.svc/WebTicket_Proof - 443 - 10.62.0.196 OC/15.0.4420.1017+(Microsoft+Lync) - 500 0 64 41
2014-08-27 00:40:56 10.4.60.166 GET /WebTicket/Issuer/ purpose=cwt 443 - 10.4.60.166 - - 200 0 0 50
 
		
		

We were able to resolve it by importing the internal CA's root certificate on the reverse proxy.

Hope this helps others.

Already had tried this one, we imported the internal CA root cert on reverse proxy. There is nothing blocked, pinging, able to reach lync server. Its weird one, i couldn't solve this issue.

a) The only stuff works is lync clients able to connect from internet.

b) Meeting url throws the same error which was mentioned in this thread.

c) Voice calls not working from external.

Hello,

Why do you say if you installed IIS ARR3 this would explain it? I have IIS ARR3 and am running into this issue....

Thanks

Hello,

I have the same issue for Shrepoint, but when I do a refresh page, it works. I think its some kind of timeout?

Regards