Remove Web Application Proxy Server From Cluster

To remove a Web Application Proxy (WAP) server from a cluster, you must first update the cluster's configuration list via PowerShell and then decommission the specific server by uninstalling its roles.

1. Remove the Server from the Cluster List
Even if you shut down or uninstall a server, it may still appear in the Remote Access Management Console of the remaining nodes. Use PowerShell on a remaining "healthy" WAP server to remove the old node from the list of connected servers.
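One way to script this list update with guard rails, as an added example that is not from the original page: it wraps the two commands shown below so that a mistyped name, or a run on the wrong node, fails loudly instead of silently changing nothing. The function names and the `<old-node-fqdn>` placeholder are hypothetical; only `Get-`/`Set-WebApplicationProxyConfiguration` and `ConnectedServersName` come from the page.

```powershell
#Requires -Modules WebApplicationProxy
# Added example. Run on a remaining healthy WAP node, not on the node being removed.
function Select-RemainingWapNode {
    # Pure helper (hypothetical name): returns the server list without $NodeToRemove.
    param(
        [Parameter(Mandatory)][string[]]$ConnectedServers,
        [Parameter(Mandatory)][string]$NodeToRemove,
        [string]$LocalNode = $env:COMPUTERNAME
    )
    $target = $NodeToRemove.Trim()
    # Refuse to drop the node this runs on (short name or FQDN form).
    if ($target -eq $LocalNode -or $target -like "$LocalNode.*") {
        throw "Refusing to remove the local node '$LocalNode'; run this from a node that stays."
    }
    # Require an exact (case-insensitive) match so a typo cannot turn the
    # update into a no-op that leaves the old node listed.
    if ($ConnectedServers -notcontains $target) {
        throw "'$target' is not in ConnectedServersName: $($ConnectedServers -join ', ')"
    }
    $remaining = @($ConnectedServers | Where-Object { $_ -ne $target })
    if ($remaining.Count -eq 0) {
        throw "Removing '$target' would leave an empty server list."
    }
    return $remaining
}

function Remove-WapNodeFromList {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$NodeToRemove)

    $before = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
    $after  = @(Select-RemainingWapNode -ConnectedServers $before -NodeToRemove $NodeToRemove)

    if ($PSCmdlet.ShouldProcess($NodeToRemove, 'Remove from ConnectedServersName')) {
        Set-WebApplicationProxyConfiguration -ConnectedServersName $after
        # Read the list back; the change only counts once the node is gone.
        $now = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
        if ($now -contains $NodeToRemove.Trim()) {
            throw "'$NodeToRemove' is still listed after the update."
        }
        [pscustomobject]@{ Removed = $NodeToRemove; Before = $before; After = $now }
    }
}

# Preview first, then apply. Use the entry exactly as it appears in the list:
# Remove-WapNodeFromList -NodeToRemove '<old-node-fqdn>' -WhatIf
# Remove-WapNodeFromList -NodeToRemove '<old-node-fqdn>'
```

The returned object records the list before and after the change, which is worth keeping in the change ticket for the decommission.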
View current servers:

    Get-WebApplicationProxyConfiguration | Select-Object -ExpandProperty ConnectedServersName

Remove the specific server:

    Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne '://domain.com')

2. Uninstall the WAP Role from the Target Server
On the server you are removing, follow these steps to clean up the roles and features:
Remove Published Applications: Open the Remote Access Management Console, go to Web Application Proxy, and delete any published applications that were specifically tied to this node.
Uninstall the Role: Use Server Manager to "Remove Roles and Features" or run the following PowerShell command:

    Uninstall-WindowsFeature Web-Application-Proxy, CMAK, RSAT-RemoteAccess

Restart: A reboot is required to complete the uninstallation process.

3. Final Cleanup
To ensure the cluster continues to function smoothly without the removed node:

WAP – How to remove a WAP Server from WAP clusters
Step 1: Remove from AD FS
On an internal AD FS server, use PowerShell to forcibly remove the orphaned entry:
    # List all proxies to find the ID of the dead server
    Get-AdfsWebApplicationProxy

Registry keys (if present)

    reg delete "HKLM\SOFTWARE\Microsoft\Web Application Proxy" /f
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WAPAdminService" /f
🔐 Security note: These certificates, if compromised, cannot be used without the AD FS trust – but removing them is still a defense-in-depth best practice.
Update DNS TTL to 60 seconds, then remove A record for node
How to Safely Remove a Web Application Proxy Server from a Cluster: A Step-by-Step Guide
Introduction: The Art of Surgical Infrastructure Removal
In the lifecycle of any production environment, change is inevitable. Scaling down, hardware retirement, traffic pattern shifts, or security overhauls often necessitate the removal of a node from a cluster. While adding resources is exciting, removing a Web Application Proxy (WAP) server from a cluster is a delicate surgical procedure. Done incorrectly, it can orphan authentication requests, break Single Sign-On (SSO), and leave your external users staring at a cryptic 503 error.
WAP, particularly in Microsoft-centric environments (acting as a reverse proxy for Active Directory Federation Services - ADFS), is not a stateless load balancer. It holds specific configuration ties, certificate dependencies, and publishing rules. This guide provides a comprehensive, vendor-agnostic approach with specific emphasis on ADFS/WAP, NGINX, and HAProxy clusters.
By the end of this article, you will understand the prerequisites, the dismantling process, and the post-removal validation steps required to keep your cluster healthy.
1.1 Identify the Node’s Role
Not all proxies are equal. Determine:
- Is it the primary configuration master? (Some WAP clusters have a primary node that syncs config to secondary nodes).
- What is its current connection count? Use netstat or ss to see active tunnels.
- What applications does it publish? Is it the only node publishing a legacy app?
Functional test:
From an external client (outside your network), browse to a published application:
https://passive.contoso.com/adfs/ls/idpinitiatedsignon
- Authenticate using a test account.
- Verify the token issuance and redirect.
If successful, the removal had no negative effect on the remaining cluster.