Exchange 2013 using IISARR for all external client connectivity- EAS and OWA Internal error 500

I have set up the IISARR as per recommended documents I have found on the web. It is currently set up for both Lync and Exchange. Lync works beautifully.

The exchange flow is:  external port 443->firewall NAT-> IISARR DMZ IP address (10.10.10.21:443)->both autodiscover and Mail farms setup->HLB VIP 192.168.1.69->(2) Exchange servers.

Internally a user can successfully reach OWA and authenticate by hitting the HLB VIP for the Exchange.

Externally the user gets a 500 internal server error.

Lync has one binding for DMZ 10.10.10.20 port 443 and Exchange has DMZ 10.10.10.21 port 443. Both have separate certificates assigned.

ServerFarms:

Autodiscover.company.com-> server 192.168.1.69
Mail.company.com-> server 192.168.1.69

URL ReWrite for the mail.company.com (matches subject on the certificate):

Requested URL: Matches Pattern
Using: Wildcards
Pattern: *

Conditions:
Local grouping: Match ALL
Input: {HTTPS}   Type:  Matches the Pattern   Pattern: on
Input: {HTTP_HOST}   Type:  Matches the Pattern   Pattern: mail.company.com/*  (have also tried mail.company.com)

Action:
Action type:  Route to Server farm
Action Properties:
Scheme:  https://    Server Farm: mail.company.com   path:  /{R:0}

URL ReWrite for the autodiscover.company.com:

Requested URL: Matches Pattern
Using: Wildcards
Pattern: *

Conditions:
Local grouping: Match ALL
Input: {HTTPS}   Type:  Matches the Pattern   Pattern: on
Input: {HTTP_HOST}   Type:  Matches the Pattern   Pattern: autodiscover.company.com/*  (have also tried autodiscover.company.com)

Action:
Action type:  Route to Server farm
Action Properties:
Scheme:  https://    Server Farm: autodiscover.company.com   path:  /{R:0}

Order of Rules is:(Inbound)
Lync13_LoadBalance_SSL
Mail.company.com_LoadBalance_SSL
Autodiscover.company.com_LoadBalance_SSL

Routing rules for both are set to use URL ReWrite to inspect incoming requests but no SSL Offloading.

I have tried pointing a specific server instead of the HLB as well.

I have the Failed requests logging on, but do not show any errors in the folder for them.

I see the request hitting the IISARR in the IIS logs.

I am at a loss at this point.  Any ideas?