top of page

Remove Web Application Proxy Server From Cluster

To remove a Web Application Proxy (WAP) server from a cluster, you can use PowerShell to update the connected servers list or uninstall the feature from the specific node. Method 1: Remove via PowerShell (Recommended)

If you have a multi-server WAP deployment and want to remove a specific node from the management list, run the following command from an active WAP server: Remove a specific server from the list:

Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne 'ServerToRemove.domain.local') Verify the update: Get-WebApplicationProxyConfiguration WordPress.com Method 2: Decommission the Server Node

To completely remove the WAP role from a specific server (e.g., if you are retiring it), follow these steps: Remove Published Applications: Remote Access Management Console , locate any published applications, and remove them. Uninstall the WAP Feature:

Run the following PowerShell command on the server you want to remove:

Uninstall-WindowsFeature Web-Application-Proxy, RSAT-RemoteAccess Clean up DNS: Remove any DNS entries Load Balancer configurations pointing to the retired server. Microsoft Learn

Method 3: Remove from Windows Failover Cluster (If applicable) If your WAP servers are also nodes in a Windows Failover Cluster , you must "evict" the node: Failover Cluster Manager Navigate to Right-click the server name → More Actions Optionally, run Clear-ClusterNode -Force on the removed server to wipe residual metadata. this server permanently, or just troubleshooting a connection issue within the cluster? WAP – How to remove a WAP Server from WAP clusters

Managing a high-availability environment often requires scaling back or replacing aging infrastructure. When you need to remove a Web Application Proxy (WAP) server from a cluster, simply turning off the machine isn't enough; the configuration will still exist in the AD FS database, leading to management errors and synchronization issues.

This guide outlines the standard procedures to gracefully decommission a WAP node using PowerShell and Server Manager. 1. Removing the WAP Node via PowerShell

The most direct way to remove a specific server from the WAP cluster list is through PowerShell. This method updates the ConnectedServersName property across the entire cluster. Steps: Log into a different, active WAP server in the cluster. Open PowerShell as an Administrator.

Use the following command to filter out the decommissioned server (replace 'ServerToRemove' with the FQDN of the node you are removing): powershell

Set-WebApplicationProxyConfiguration –ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne '://domain.com') Use code with caution. remove web application proxy server from cluster

Note: Using the aliases swpc (Set) and gwpc (Get) is also common in technical documentation. Verify the server is gone by running: powershell (Get-WebApplicationProxyConfiguration).ConnectedServersName Use code with caution. 2. Decommissioning the Server Role

Once the node is removed from the cluster's configuration, you must officially uninstall the role from the server itself to clean up local binaries and services. Using Server Manager:

Open Server Manager and click Manage > Remove Roles and Features. Select the target server and uncheck Remote Access.

In the sub-features, ensure Web Application Proxy is selected for removal. Complete the wizard and restart the server if prompted. 3. Cleaning Up AD FS Relying Party Trusts

If you are completely dismantling the WAP infrastructure rather than just removing one node, you may need to remove the proxy trust on the AD FS side. Command: Remove-AdfsWebApplicationProxyRelyingPartyTrust.

Warning: Only do this if you intend to block all external access through proxies or are rebuilding the trust from scratch. Summary Checklist Update Cluster List PowerShell (Set-WAPConfig) Prevents "Server Down" errors in the management console. Uninstall Role Server Manager Frees up system resources and removes the WAP service. Cleanup DNS DNS Manager

Ensure external/internal records no longer point to the removed IP. Revoke Certificates Certificate Authority

Best practice for security if the server is permanently retired. WAP – How to remove a WAP Server from WAP clusters

Removing a Web Application Proxy Server from a Cluster: A Comprehensive Review

Introduction

A Web Application Proxy (WAP) server is a crucial component of a cluster infrastructure, providing secure and reliable access to web applications. However, there may be situations where a WAP server needs to be removed from a cluster, such as planned maintenance, upgrades, or replacement with a new server. In this review, we will discuss the process of removing a WAP server from a cluster, its implications, and best practices to ensure a smooth transition. To remove a Web Application Proxy (WAP) server

Understanding Web Application Proxy Server Clusters

Before diving into the removal process, it's essential to understand the basics of WAP server clustering. A cluster is a group of servers that work together to provide a single, unified service, such as web application proxying. Clustering provides high availability, scalability, and fault tolerance, ensuring that if one server fails, the other servers can take over its responsibilities.

Reasons for Removing a WAP Server from a Cluster

There are several reasons why a WAP server might need to be removed from a cluster:

  1. Hardware upgrades or replacement: The server hardware may be outdated, and it's time to upgrade or replace it with newer, more efficient equipment.
  2. Software updates or patches: The server may require significant software updates or patches that cannot be applied while it's still part of the cluster.
  3. Maintenance or decommissioning: The server may need to be taken offline for maintenance, or it may be decommissioned due to changes in business requirements.
  4. Capacity adjustments: The cluster may need to be adjusted to accommodate changes in traffic or workload, requiring the removal of underutilized servers.

Preparation Steps

Before removing a WAP server from a cluster, it's essential to:

  1. Verify cluster configuration: Review the cluster configuration to ensure that the WAP server is not critical to the cluster's operation.
  2. Check server dependencies: Identify any dependencies on the WAP server, such as downstream servers or applications that rely on it.
  3. Notify stakeholders: Inform stakeholders, including administrators, developers, and end-users, about the planned removal and potential impact on services.
  4. Backup configuration and data: Backup the WAP server's configuration and data to prevent loss during the removal process.

Removing the WAP Server from the Cluster

The steps to remove a WAP server from a cluster vary depending on the specific clustering technology and configuration. However, the general process involves:

  1. Drain the server: Gradually move all connections and traffic away from the WAP server to be removed.
  2. Remove server from cluster: Use the clustering software or management tools to remove the WAP server from the cluster.
  3. Update cluster configuration: Update the cluster configuration to reflect the changes and ensure that the remaining servers can continue to provide services.

Post-Removal Tasks

After removing the WAP server from the cluster:

  1. Verify cluster health: Check the cluster's health and ensure that all servers are functioning correctly.
  2. Test services: Test services and applications to ensure they are still accessible and functioning as expected.
  3. Decommission or repurpose the server: Decommission the removed server or repurpose it for other uses.

Best Practices

To ensure a smooth transition when removing a WAP server from a cluster:

  1. Plan ahead: Schedule the removal during a maintenance window to minimize impact on services.
  2. Communicate with stakeholders: Keep stakeholders informed throughout the process.
  3. Test thoroughly: Verify that services and applications are functioning correctly after the removal.
  4. Document changes: Update documentation to reflect changes to the cluster configuration.

Conclusion

Removing a WAP server from a cluster requires careful planning, preparation, and execution to ensure minimal disruption to services. By following best practices and understanding the implications of removal, administrators can ensure a smooth transition and maintain the high availability and scalability of their web application proxy services.

Identify the one to remove by name or ID

Remove-ADFSWebApplicationProxy -Name "WAP-Server-01"

Alternatively, you can remove it using the AD FS management console under Service > Web Application Proxies.

Prerequisites & Pre-Work

Before initiating the removal, ensure the following steps are taken to mitigate risk:

  1. Verify Cluster Health: Ensure the remaining nodes in the cluster are healthy and online. If you remove the only healthy node, service will be interrupted.
  2. Drain Connections: If possible, configure the load balancer to stop sending new connections to the target server. Allow existing sessions to time out gracefully.
  3. Administrative Privileges: Ensure you have local administrator rights on the WAP server and administrative rights on the AD FS farm.
  4. Backup: Take a snapshot or backup of the server state (registry/configuration) in case a rollback is required.

Phase 2: Graceful Removal – Step by Step

We will execute removal in a specific order: AD FS → Load Balancer → WAP Server.

6. Removing the WAP Server from the Cluster

The removal method depends on the cluster technology.

Using PowerShell

Run as Administrator:

Uninstall-WindowsFeature -Name Web-Application-Proxy

2. Introduction & Background

5.2 External Functional Testing

From an external client (not internal corporate network), test your primary application URLs:

  1. Standard page load: curl -I https://app.contoso.com -> Expect HTTP 200.
  2. Authentication flow: Open a private/incognito browser. Navigate to the app. Complete SSO (SAML/OAuth). Verify redirection works.
  3. WebSocket/API test: If your proxy handles WebSockets, use a tool like wscat to verify upgrade headers.

5. Draining Traffic from the Target Node

Draining prevents new connections while allowing existing sessions to complete. Hardware upgrades or replacement : The server hardware

Copyright 2026, Cameron Vault.

bottom of page