Finished migrating all portals from the existing IIS 6/Win2003 to IIS 7.5/Win2008 and all looked to be functioning correctly, but started to notice the occasional 404 error. Further investigation revealed that this was URL's with one or more "+" characters, which had been used to replace spaces in parameters (which are used to form the URL in DotNetNuke). As well as the server move, the existing DotNetNuke sites had been upgraded to 4.9.5 from 4.3.7 to resolve other issues encountered during the upgrade.
So where to start, first thoughts was something in the DNN URL rewriter creating an invalid real URL, and as we also upgraded DNN this was quite possible. First step was to recode the URL generation to use "-" not "+" as this worked OK. This resolved the issue with the live site, but there were still some 404 errors. These were being caused by cached links in the search engines and which we need to work as a lot of effort had gone into SEO. Further reserach uncovered a change in IIS 7:
Request URLs containing unencoded “+” characters in the path (not querystring) is rejected by default
Some confusion here as the change note implies this applies only to sites in Integrated Pipeline mode, not Classic Mode as these sites are running. But the workaround seems to work, which is to add the following extra section to web.config.
1) Applications that require the use of the “+” character in the URL path can disable this validation by setting the allowDoubleEscaping attribute in the system.webServer/security/requestFiltering configuration section in the application’s web.config. However, this may make your application more vulnerable to malicious URLs:
<requestFiltering allowDoubleEscaping="true" />
At least all now works and we can manage the migration away from "+" in the parameter strings without creating duplicate pages for the search engines.