We had similar issues with IIS Reverse Proxy setup.
One of my colleagues enabled “Allow Double Escaping” but then IIS was rejecting ‘dangerous characters’. Then he removed the value from “request Path Invaild Charaters” and things work correctly now.
Our main issue was with Notifications not showing up when using the domain name externally. They work locally using the IP. The notifications dialog would open but show either no entries if there were notifications, or Not show the “There are no notification” message inside it.
This is what he change in IIS
<system.webServer>
<security>
<requestFiltering allowDoubleEscaping="true" />
</security>
</system.webServer>
<system.web>
<httpRuntime requestPathInvalidCharacters="" />
</system.web>
So all dangerous requests are handled by xWiki. I don’t know what handling it does for a dangerous character, but if anyone can shed some light on that would be good.
*Edited code formatting