Strange URL / link issue with TFS / DevOps server

Hi,

A colleague reported a strange issue with our internal DevOps (old TFS) server. One of the links appears to malfunction. My testing indicates that this link only malfunctions when the UTM is used as the middle-man for accessing the server (i.e. if I create a HOSTS file entry and attempt to connect to the target server directly using the same URL the issue is gone).

The link in question looks similar to this (note that the example has been "anonymized"; I've also replaced https with hxxps to prevent this community forum from formatting the text as links):

hxxps://devops.local/ARP/ProjectXYZ/_build%2Fresults?buildId=1160&_a=summary

Note the %2F in the link, which is a URL-encoded dash symbol. Why it's encoded in this way, I have no idea. Perhaps unsurprisingly the same page can be accessed via:

hxxps://devops.local/ARP/ProjectXYZ/_build/results?buildId=1160&_a=summary

So in other words, DevOps IIS can handle both version of the dash - unencoded as well as encoded.

Unfortunately, this seems to be UTM-related since the target server itself can handle its own weird link fine, and I have no idea how to potentially tackle this one (outside of not using the Webserver Protection feature at all, and just giving direct access to the server via a NAT rule).

EDIT:
I've managed to resolve the issue using URL Rewrite on the DevOps IIS server. But I would still like to know if there's a potential fix on UTM-side of things...?

EDIT 2:

Note that the error message when attempting to access the link without URL Rewrite seems to be from UTM (I think?) and already formats the %2F into a dash. In other words, accessing the initial link would result in a "The requested URL /ARP/ProjectXYZ/_build/results was not found on this server." error message.

Also, I found that any dash after the host name can be replaced with %2F and IIS will treat it correctly, while UTM's proxy will fail.

EDIT 3:
Apparently I'm not the first person to discover this issue, and the above is likely similar to the following:

https://community.sophos.com/products/unified-threat-management/f/web-server-security/94853/encoded-uri-being-broken-by-waf

Unfortunately I'm not 100% sold on the suggested "fix" described in that thread. I would feel a lot better if the setting was available from the UI itself.