Remove Web Application Proxy Server From Cluster May 2026
After removal, your cluster is permanently smaller. Validate that the remaining WAP servers can still handle the load.
Before surgery, check the patient’s vitals. Run these commands on any AD FS server in the farm (preferably the primary):
```powershell
# View all registered WAP servers
Get-WebApplicationProxyConfiguration
```
Removing a web application proxy server from a cluster is a high-risk, low-frequency operation that demands careful planning, traffic draining, configuration synchronization, and thorough validation. Following the structured methodology outlined in this paper — from assessment through decommissioning — ensures minimal user impact and maintains the security and availability of published web applications.
For organizations running critical federated services, always test the removal procedure in a staging environment that mirrors production. Automation tools (Ansible, Terraform, or PowerShell DSC) can codify this process, turning a manual, error-prone task into a repeatable, auditable operation.
Appendix A: Sample Pre-Removal Checklist (PDF format available internally)
Appendix B: Emergency Contact List for AD FS/WAP Support
Appendix C: Script to Auto-Drain and Remove WAP Node (Python/PowerShell)
This paper is maintained by the Infrastructure Engineering team. Last reviewed: [Current Date]. Next scheduled review: 6 months.
To remove a Web Application Proxy (WAP) server from a cluster (or "farm"), you must update the cluster configuration to exclude the decommissioned server and then uninstall the Remote Access role from the server itself.

1. Update the Cluster Configuration

When a server is decommissioned or fails, it often still appears in the WAP cluster list. You must manually update the ConnectedServersName property to remove the stale entry.

View current servers: Open PowerShell as an Administrator and run:

```powershell
(Get-WebApplicationProxyConfiguration).ConnectedServersName
```

Remove the specific server: Execute the following command, replacing 'ServerToRemove.domain.local' with the FQDN of the server you want to remove:

```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne 'ServerToRemove.domain.local')
```

*Note: `Swpc` and `gwpc` are common aliases for `Set-WebApplicationProxyConfiguration` and `Get-WebApplicationProxyConfiguration` respectively.*

2. Decommission the Server Role

Once the server is no longer recognized as part of the cluster, you should uninstall the WAP services from the physical or virtual machine.

Via PowerShell:

```powershell
Uninstall-WindowsFeature Web-Application-Proxy, CMAK, RSAT-RemoteAccess
```

Via Server Manager (GUI):

Open Server Manager and select Remove Roles and Features.
Select the server and uncheck the Remote Access role.
Confirm the removal of features and click

3. Post-Removal Cleanup

Load Balancers: Remove the decommissioned server's IP address from any external or internal Load Balancer pools.
DNS Records: Delete any DNS A or AAAA records that point to the removed server.
Certificates: If the server is being permanently decommissioned, delete the SSL certificates from its local store to ensure security.
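The `-ne` filter shown above changes nothing if the name is misspelled and would submit an empty list if the target is the only entry. The following added example (not part of the original page) wraps the same two cmdlets with those checks and re-reads the setting afterwards; the function names and sample FQDNs are hypothetical.

```powershell
# Added example, not from the original page. Function names and FQDNs are hypothetical.
function Get-RemainingWapServers {
    # Pure helper: returns the servers that should remain, or throws on unsafe input.
    param(
        [Parameter(Mandatory)][string[]]$Current,
        [Parameter(Mandatory)][string]$ServerToRemove
    )
    $target = $ServerToRemove.Trim()
    # -contains and -ne compare strings case-insensitively, which suits DNS names.
    if (-not ($Current -contains $target)) {
        throw "'$target' is not in ConnectedServersName: $($Current -join ', ')"
    }
    $remaining = @($Current | Where-Object { $_ -ne $target })
    if ($remaining.Count -eq 0) {
        throw "Refusing to remove '$target': no WAP server would remain."
    }
    return ,$remaining
}

function Remove-StaleWapServer {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$ServerToRemove)

    $ServerToRemove = $ServerToRemove.Trim()
    $current   = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
    $remaining = Get-RemainingWapServers -Current $current -ServerToRemove $ServerToRemove

    $action = "Remove from ConnectedServersName (keeping: $($remaining -join ', '))"
    if ($PSCmdlet.ShouldProcess($ServerToRemove, $action)) {
        Set-WebApplicationProxyConfiguration -ConnectedServersName $remaining
        # Re-read the setting so the change is confirmed, not assumed.
        $after = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
        if ($after -contains $ServerToRemove) {
            throw "'$ServerToRemove' is still listed after the update."
        }
        $after
    }
}

# Offline check of the helper with constructed names (no WAP cmdlets needed):
Get-RemainingWapServers -Current 'WAP-01.domain.local', 'wap-02.domain.local' -ServerToRemove 'WAP-02.domain.local'

# On a remaining WAP node, preview first, then run again without -WhatIf:
# Remove-StaleWapServer -ServerToRemove 'ServerToRemove.domain.local' -WhatIf
```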
Removing a Web Application Proxy (WAP) server from a cluster involves both decommissioning the role on the specific server and ensuring the remaining cluster "forgets" the removed node. If a server is simply shut down or the role is uninstalled without updating the cluster configuration, it may still appear as a "ghost" entry in management consoles.

1. Remove the Server from the Cluster List

The most common issue is that uninstalled servers remain in the WAP connected servers list. You must update this list from a remaining active WAP node using PowerShell.

View Current Servers: Run this command to see which servers the cluster still thinks are active:

```powershell
(Get-WebApplicationProxyConfiguration).ConnectedServersName
```

Remove the Dead Server: Update the configuration to include only the servers that should remain. For example, if you want to keep WAP-01 and remove WAP-02:

```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName "WAP-01.domain.com"
```

Note: You can also use a filter to remove a specific name from the current list automatically:

```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne 'WAP-02.domain.com')
```

2. Uninstall the WAP Role

Once the cluster no longer expects the server, you can safely remove the role from the target server itself.

Via PowerShell:

```powershell
Uninstall-WindowsFeature Web-Application-Proxy, CMAK, RSAT-RemoteAccess
```

Via Server Manager:

Open Server Manager and select Manage > Remove Roles and Features.
Follow the wizard and uncheck the Remote Access role (which includes WAP).
Confirm and restart the server to complete the removal.
How to Remove a Web Application Proxy Server from a Cluster

Managing a Remote Access deployment often requires scaling your infrastructure down or replacing aging nodes. When using Web Application Proxy (WAP) in a cluster, simply shutting down a server isn't enough; you must gracefully remove it to maintain the integrity of your AD FS (Active Directory Federation Services) publishing environment.

This guide provides a step-by-step walkthrough on how to properly remove a Web Application Proxy server from a cluster using both the graphical interface and PowerShell.

Prerequisites

Before you begin, ensure you have:
Administrator privileges on the WAP server you intend to remove.
Connectivity to the other nodes in the cluster to ensure the configuration update propagates.
Updated Load Balancer settings: If you are using a hardware load balancer (HLB), remember to drain connections and remove the node from the rotation before proceeding with the software removal.

Method 1: Using the Remote Access Management Console (GUI)

For those who prefer a visual interface, the Remote Access Management Console is the standard tool for managing WAP clusters.
Open the Console: Log on to any server in the WAP cluster and open the Remote Access Management Console.
Select the Server: In the left-hand navigation pane, click on Configuration and then select Web Application Proxy.
Locate the Node: In the center pane, you will see a list of the servers currently participating in the cluster.
Remove the Server: Right-click the name of the server you wish to remove. Select Remove.
Confirm: A warning dialog will appear asking you to confirm the action. Click Yes.
Verify: The console will update, and the server should no longer appear in the list of cluster nodes.

Method 2: Using PowerShell (Recommended)

PowerShell is often the most reliable method, especially if the GUI is unresponsive or if you are automating your infrastructure management.
To remove the local server from a cluster, run the following command in an elevated PowerShell window:

```powershell
Uninstall-WebApplicationProxy
```

Why use this command?
Clean Departure: It unconfigures the Web Application Proxy role on the local machine.
Service Cleanup: It stops the relevant services and removes the configuration held in the local web.config and registry.
Cluster Awareness: It informs the remaining nodes that this specific server is no longer part of the deployment.
Note: If you want to remove a remote server from the cluster without logging into it, you would typically use the management console or a remote PowerShell session to run the uninstall command on that specific target.

Post-Removal Best Practices

Removing the server from the WAP logic is only half the battle. To ensure your network remains clean, follow these post-removal steps:

1. Update DNS Records

If you are using DNS Round Robin instead of a dedicated Load Balancer, ensure you remove the A-record associated with the decommissioned server’s IP address. Failure to do this will result in intermittent "Page Cannot Be Displayed" errors for users.

2. Decommission the Virtual Machine/Hardware

Once the role is uninstalled, you can safely:
Disjoin the server from the domain (if it was joined).
Power down and delete the virtual machine or re-purpose the physical hardware.

3. Monitor the Remaining Nodes

After removal, check the Event Viewer on the remaining WAP nodes (under Applications and Services Logs > Microsoft > Windows > Web Application Proxy). Ensure there are no synchronization errors or warnings indicating that the cluster is looking for the missing member.
Removing a Web Application Proxy server from a cluster is a straightforward process, but it requires precision to avoid service interruptions. Whether you use the Remote Access Management Console or the Uninstall-WebApplicationProxy PowerShell cmdlet, always remember to update your external networking components (Load Balancers and DNS) to reflect the change.
By following these steps, you ensure that your AD FS traffic continues to flow smoothly through your remaining healthy nodes.
Abstract
Web Application Proxy (WAP) servers play a crucial role in providing secure and reliable access to web applications. In a clustered environment, multiple WAP servers work together to ensure high availability and scalability. However, there may be situations where a WAP server needs to be removed from the cluster, such as when a server is decommissioned or replaced. This paper provides a detailed guide on how to remove a Web Application Proxy server from a cluster, including the necessary steps, considerations, and best practices.
Introduction
Web Application Proxy (WAP) servers are used to provide an additional layer of security and functionality to web applications. In a clustered environment, multiple WAP servers are configured to work together, ensuring that if one server becomes unavailable, the other servers can continue to provide access to the web application. This ensures high availability and scalability. However, there may be situations where a WAP server needs to be removed from the cluster, such as:
Pre-Removal Considerations
Before removing a WAP server from a cluster, consider the following:
Step-by-Step Removal Process
The following steps outline the process to remove a WAP server from a cluster:
Step 1: Prepare the WAP Server for Removal
Step 2: Remove the WAP Server from the Cluster
Step 3: Update the Remaining WAP Servers
Step 4: Verify Cluster Functionality
Best Practices
When removing a WAP server from a cluster, follow these best practices:
Conclusion
Removing a Web Application Proxy server from a cluster requires careful planning and execution. By following the steps outlined in this paper, you can ensure a smooth and successful removal process. Remember to consider the impact on availability, session persistence, and configuration settings, and to follow best practices to minimize downtime and ensure cluster functionality.
Managing a high-availability environment often requires scaling back or replacing aging infrastructure. When you need to remove a Web Application Proxy (WAP) server from a cluster, simply turning off the machine isn't enough; the configuration will still exist in the AD FS database, leading to management errors and synchronization issues.
This guide outlines the standard procedures to gracefully decommission a WAP node using PowerShell and Server Manager.

1. Removing the WAP Node via PowerShell

The most direct way to remove a specific server from the WAP cluster list is through PowerShell. This method updates the ConnectedServersName property across the entire cluster.

Steps:
Log into a different, active WAP server in the cluster.
Open PowerShell as an Administrator.
Use the following command to filter out the decommissioned server (replace 'ServerToRemove.domain.com' with the FQDN of the node you are removing):

```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne 'ServerToRemove.domain.com')
```

Note: Using the aliases swpc (Set) and gwpc (Get) is also common in technical documentation.

Verify the server is gone by running:

```powershell
(Get-WebApplicationProxyConfiguration).ConnectedServersName
```

2. Decommissioning the Server Role

Once the node is removed from the cluster's configuration, you must officially uninstall the role from the server itself to clean up local binaries and services. Using Server Manager:
Open Server Manager and click Manage > Remove Roles and Features.
Select the target server and uncheck Remote Access.
In the sub-features, ensure Web Application Proxy is selected for removal.
Complete the wizard and restart the server if prompted.

3. Cleaning Up AD FS Relying Party Trusts

If you are completely dismantling the WAP infrastructure rather than just removing one node, you may need to remove the proxy trust on the AD FS side. Command: `Remove-AdfsWebApplicationProxyRelyingPartyTrust`.
Warning: Only do this if you intend to block all external access through proxies or are rebuilding the trust from scratch.

Summary Checklist

| Task | Tool | Purpose |
| --- | --- | --- |
| Update Cluster List | PowerShell (Set-WAPConfig) | Prevents "Server Down" errors in the management console. |
| Uninstall Role | Server Manager | Frees up system resources and removes the WAP service. |
| Cleanup DNS | DNS Manager | Ensure external/internal records no longer point to the removed IP. |
| Revoke Certificates | Certificate Authority | Best practice for security if the server is permanently retired. |