Remove Web Application Proxy Server From Cluster
To remove a Web Application Proxy (WAP) server from a cluster, you must update the ConnectedServersName property on the remaining active node(s) and then decommission the target server.
Simply uninstalling the role from the server does not automatically remove it from the cluster's configuration list, which often leads to orphaned entries in the management console.

🛠️ Removal Process

1. Identify Current Nodes

Run this command on an active WAP server to see the current list of cluster members:

```powershell
(Get-WebApplicationProxyConfiguration).ConnectedServersName
```

2. Remove Server from Configuration
To remove a specific server (e.g., ://domain.com), run the following command. It filters the target out of the current list and saves the list back without it:

```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne '://domain.com')
```

3. Decommission the Physical Server
Once the cluster no longer recognizes the node, you can safely decommission the machine:
Remove Role: Use the Remove Roles and Features Wizard in Server Manager to uninstall Remote Access and the Web Application Proxy feature.
Load Balancer: Remove the server's IP address from any external or internal load balancers (e.g., Azure Traffic Manager or F5).
Active Directory: Unjoin the server from the domain and delete its computer account from AD and DNS.

⚠️ Important Considerations
Verify Traffic: Ensure no active authentication requests are hitting the host before removal by monitoring traffic.
Impact: Removing a node reduces your high-availability (HA) capacity. If this is your last proxy, external users will lose access to all published applications.
Metadata Access: Removing all proxies prevents relying parties from accessing IDP metadata externally unless your federation servers are configured to publish it directly.
To remove a Windows Web Application Proxy (WAP) server from a cluster, you must update the configuration on the remaining active node. Because WAP is not a standard Failover Cluster role, you cannot simply use the Failover Cluster Manager; you must use PowerShell to redefine the list of connected servers.

Quick PowerShell Removal
If you have a server named server2 that you want to remove, run these commands from an elevated PowerShell prompt on a different active WAP server in the cluster:

```powershell
# 1. Get the current list and filter out the server to be removed
$newServerList = (Get-WebApplicationProxyConfiguration).ConnectedServersName -ne "server2.domain.local"
# 2. Update the configuration with the new list
Set-WebApplicationProxyConfiguration -ConnectedServersName $newServerList
```

Step-by-Step Decommissioning
If you are completely retiring the server, follow these steps to ensure a clean removal:
Remove from Load Balancer: Before taking the server offline, remove it as an endpoint from your Azure Traffic Manager or local load balancer pool.
Update Cluster Configuration: Use the PowerShell commands above to tell the remaining nodes to stop looking for the old server.
Uninstall the Role: On the server being removed, open Server Manager, go to Manage > Remove Roles and Features, and uncheck the Remote Access role.
Alternatively, use PowerShell: Uninstall-WindowsFeature Web-Application-Proxy,CMAK,RSAT-RemoteAccess.
Clean up DNS: Remove any host (A) records or service (SRV) records in your private and public DNS that point to the decommissioned server.

Common Issues
Server still appears in console: If the server name persists in the Remote Access Management console after uninstalling the role, it is because the "primary" node still has it in its configuration list. Re-running the Set-WebApplicationProxyConfiguration command from a healthy node usually fixes this.
Synchronization Errors: Ensure the clocks on all remaining WAP servers and the AD FS server are synchronized to avoid trust relationship failures.
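The Get/Set pattern shown in the sections above works, but a plain `-ne` filter silently does nothing on a typo and will happily empty the list. As an added example that is not part of the original page (nor Microsoft's own tooling), the following wraps that pattern in a guarded function: it checks that the target is actually listed, refuses to remove the last node or the node it is run from, saves the old list for rollback, and reads the configuration back to verify. The name wap02.corp.example and the backup path are placeholders; it assumes the WebApplicationProxy module on an elevated prompt of a node that stays in the cluster.

```powershell
# Added example: guarded removal of one node from ConnectedServersName.
function Remove-WapClusterNode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ServerFqdn,                                   # node to drop (placeholder FQDN in the usage below)
        [string]$BackupPath = "$env:TEMP\wap-connectedservers.json"  # rollback copy of the old list
    )

    $current = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)

    # The updated list must live on a node that stays; never edit from the node being retired.
    $local = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($ServerFqdn -ieq $local) {
        throw "Run this from a node that stays in the cluster, not from $ServerFqdn itself."
    }

    # Exact, case-insensitive match: a bare -ne filter would do nothing on a typo.
    if (-not ($current -icontains $ServerFqdn)) {
        throw "$ServerFqdn is not in ConnectedServersName: $($current -join ', ')"
    }

    $remaining = @($current | Where-Object { $_ -ine $ServerFqdn })
    if ($remaining.Count -eq 0) {
        throw "Refusing to remove the last proxy; all published applications would go offline."
    }

    # Keep the old list so a mistake can be reverted with the same Set cmdlet.
    $current | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8

    if ($PSCmdlet.ShouldProcess("WAP cluster", "Set ConnectedServersName to: $($remaining -join ', ')")) {
        Set-WebApplicationProxyConfiguration -ConnectedServersName $remaining

        # Verify by reading the configuration back; the primary node must no longer list the server.
        $after = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
        if ($after -icontains $ServerFqdn) {
            throw "$ServerFqdn is still listed after the update; check the primary node and re-run."
        }
        Write-Verbose "Removed $ServerFqdn. Remaining: $($after -join ', '). Backup: $BackupPath"
        $after
    }
}

# Dry run first (prints the intended change, touches nothing), then the real change:
# Remove-WapClusterNode -ServerFqdn 'wap02.corp.example' -WhatIf
# Remove-WapClusterNode -ServerFqdn 'wap02.corp.example' -Verbose
```

To roll back, read the JSON backup with `Get-Content | ConvertFrom-Json` and pass the array to `Set-WebApplicationProxyConfiguration -ConnectedServersName`.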
To remove a Web Application Proxy (WAP) server from a cluster, you must first update the cluster's configuration list via PowerShell and then decommission the specific server by uninstalling its roles.

1. Remove the Server from the Cluster List
Even if you shut down or uninstall a server, it may still appear in the Remote Access Management Console of the remaining nodes. Use PowerShell on a remaining "healthy" WAP server to remove the old node from the list of connected servers.
View current servers:

```powershell
Get-WebApplicationProxyConfiguration | Select-Object -ExpandProperty ConnectedServersName
```

Remove the specific server:

```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne '://domain.com')
```

2. Uninstall the WAP Role from the Target Server
On the server you are removing, follow these steps to clean up the roles and features:
Remove Published Applications: Open the Remote Access Management Console, go to Web Application Proxy, and delete any published applications that were specifically tied to this node.

Uninstall the Role: Use Server Manager to "Remove Roles and Features" or run the following PowerShell command:

```powershell
Uninstall-WindowsFeature Web-Application-Proxy, CMAK, RSAT-RemoteAccess
```

Restart: A reboot is required to complete the uninstallation process.

3. Final Cleanup
To ensure the cluster continues to function smoothly without the removed node:

Confirm removal

```powershell
# Expect no result for the retired proxy once its trust is gone.
Get-AdfsEndpoint -Proxy $true | Where-Object { $_.ProxyTrust -eq "WAP-SRV-02.contoso.com" }
```

What this does:
AD FS removes the OAuth2 client configuration for that proxy. The WAP server will no longer receive valid proxy trust certificates, and any further connection attempts from that server are rejected with HTTP 401 or 503 errors.
1. Executive Summary
Web Application Proxy (WAP) servers are commonly deployed in pairs or larger clusters to provide reverse proxy functionality, pre-authentication, and published application access (e.g., Active Directory Federation Services (AD FS), Exchange, or internal web apps). Removing a node from such a cluster is a critical maintenance operation that, if performed incorrectly, can lead to authentication failures, session interruptions, or a complete outage of published applications.
This paper provides a comprehensive, vendor-agnostic methodology for safely removing a WAP server from a cluster, with specific attention to Microsoft Web Application Proxy (commonly used with AD FS) as the primary use case. The document covers pre-removal assessment, traffic draining, configuration backup, node removal, post-removal validation, and decommissioning.
Conclusion: Cluster Hygiene is Production Health
Removing a web application proxy server from a cluster is not merely a matter of turning off a switch. It is a process of quiescing, disconnecting, cleaning, and validating. The difference between a professional team and an amateur one is visible in the post-removal state.
An amateur leaves orphaned configuration entries, stale DNS records, and broken health checks. A professional leaves a cluster that is smaller, faster, and healthier than before.
Before you remove that node, write a runbook. Quiesce the traffic. Clean the control plane. Verify the certificates. And always, always test the authentication flow afterward. Your users—and your on-call pager—will thank you.