Remove Web Application Proxy Server From Cluster Instant
Before removing any node, complete the following assessment to understand the impact.
| Check | Action | Tool/Command |
|-----------|------------|------------------|
| Current cluster size | Identify how many active WAP nodes exist | WAP PowerShell: Get-WebApplicationProxyConfiguration |
| Active sessions per node | Determine if node has long-lived sessions | Load balancer logs or netstat -an |
| Backend application health | Ensure target apps have alternate proxy routes | Health check via curl/browser |
| AD FS/WAP synchronization | Verify config sync between WAP and AD FS | Event Viewer: AD FS Admin events |
| SSL certificate status | Ensure remaining nodes have valid bound certs | Get-WebApplicationProxySslCertificate |
For native WAP clustering without external LB, use Windows Network Load Balancing (NLB) or DNS round-robin:
```powershell
# Suspend the NLB node
Suspend-NlbNode -HostName "<WAP_node_name>"
# Snapshot the current WAP configuration to a file
Get-WebApplicationProxyConfiguration | ConvertTo-Json | Set-Content -Path C:\Backup\wap-config-backup.json
```
To remove a Windows Web Application Proxy (WAP) server from a cluster, you must update the configuration on the remaining active node. Because WAP is not a standard Failover Cluster role, you cannot simply use the Failover Cluster Manager; you must use PowerShell to redefine the list of connected servers.
Quick PowerShell Removal
If you have a server named server2 that you want to remove, run these commands from an elevated PowerShell prompt on a different active WAP server in the cluster:
```powershell
# 1. Get the current list and filter out the server to be removed
$newServerList = (Get-WebApplicationProxyConfiguration).ConnectedServersName -ne "server2.domain.local"
# 2. Update the configuration with the new list
Set-WebApplicationProxyConfiguration -ConnectedServersName $newServerList
```
Step-by-Step Decommissioning
If you are completely retiring the server, follow these steps to ensure a clean removal:
Remove from Load Balancer: Before taking the server offline, remove it as an endpoint from your Azure Traffic Manager or local load balancer pool.
Update Cluster Configuration: Use the PowerShell commands above to tell the remaining nodes to stop looking for the old server.
Uninstall the Role: On the server being removed, open Server Manager, go to Manage > Remove Roles and Features, and uncheck the Remote Access role.
Alternatively, use PowerShell: `Uninstall-WindowsFeature Web-Application-Proxy,CMAK,RSAT-RemoteAccess`.
Clean up DNS: Remove any host (A) records or service (SRV) records in your private and public DNS that point to the decommissioned server.
Common Issues
Server still appears in console: If the server name persists in the Remote Access Management console after uninstalling the role, it is because the "primary" node still has it in its configuration list. Re-running the Set-WebApplicationProxyConfiguration command from a healthy node usually fixes this.
Synchronization Errors: Ensure the clocks on all remaining WAP servers and the AD FS server are synchronized to avoid trust relationship failures.
To remove a Web Application Proxy (WAP) server from a cluster, you must first update the cluster's configuration list via PowerShell and then decommission the specific server by uninstalling its roles.
1. Remove the Server from the Cluster List
Even if you shut down or uninstall a server, it may still appear in the Remote Access Management Console of the remaining nodes. Use PowerShell on a remaining "healthy" WAP server to remove the old node from the list of connected servers.
View current servers:
```powershell
Get-WebApplicationProxyConfiguration | Select-Object -ExpandProperty ConnectedServersName
```
Remove the specific server:
```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne '://domain.com')
```
2. Uninstall the WAP Role from the Target Server
On the server you are removing, follow these steps to clean up the roles and features:
Remove Published Applications: Open the Remote Access Management Console, go to Web Application Proxy, and delete any published applications that were specifically tied to this node.
Uninstall the Role: Use Server Manager to "Remove Roles and Features" or run the following PowerShell command: `Uninstall-WindowsFeature Web-Application-Proxy, CMAK, RSAT-RemoteAccess`
Restart: A reboot is required to complete the uninstallation process.
3. Final Cleanup
To ensure the cluster continues to function smoothly without the removed node:
To remove a Web Application Proxy (WAP) server from a cluster (or "farm"), you must update the cluster configuration to exclude the decommissioned server and then uninstall the Remote Access role from the server itself.
1. Update the Cluster Configuration
When a server is decommissioned or fails, it often still appears in the WAP cluster list. You must manually update the ConnectedServersName property to remove the stale entry.
View current servers: Open PowerShell as an Administrator and run:
```powershell
(Get-WebApplicationProxyConfiguration).ConnectedServersName
```
Remove the specific server: Execute the following command, replacing 'ServerToRemove.domain.local' with the FQDN of the server you want to remove:
```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne 'ServerToRemove.domain.local')
```
*Note: `Swpc` and `gwpc` are common aliases for `Set-WebApplicationProxyConfiguration` and `Get-WebApplicationProxyConfiguration` respectively.*
2. Decommission the Server Role
Once the server is no longer recognized as part of the cluster, you should uninstall the WAP services from the physical or virtual machine.
Via PowerShell
```powershell
Uninstall-WindowsFeature Web-Application-Proxy, CMAK, RSAT-RemoteAccess
```
Via Server Manager (GUI)
Open Server Manager and select Remove Roles and Features
Select the server and uncheck the Remote Access role
Confirm the removal of features and click
3. Post-Removal Cleanup
Load Balancers: Remove the decommissioned server's IP address from any external or internal Load Balancer pools.
DNS Records: Delete any DNS A or AAAA records that point to the removed server.
Certificates: If the server is being permanently decommissioned, delete the SSL certificates from its local store to ensure security.
To remove a Web Application Proxy (WAP) server from a cluster, you can use either PowerShell to clean up the configuration or the Server Manager wizard to decommission the server role entirely.
Option 1: Using PowerShell (Quickest for Configuration Cleanup)
If the server has already been decommissioned or if you just want to remove its entry from the management console's cluster list, use the following commands on a remaining healthy WAP server:
List existing servers: Identify the exact name of the server you wish to remove.
```powershell
(Get-WebApplicationProxyConfiguration).ConnectedServersName
```
Update the cluster list: Run this command to keep only the servers you want. Replace the names in the list with your actual healthy servers.
```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName "HealthyServer1.domain.com", "HealthyServer2.domain.com"
```
Note: In some scenarios, you can also filter out the unwanted server dynamically:
```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne 'ServerToRemove.domain.local')
```
Option 2: Using Server Manager (Full Role Uninstallation)
To properly decommission a server and remove the WAP role from the machine itself, follow these steps:
Remove Published Applications: Open the Remote Access Management Console and delete any web applications published specifically through this node.
Uninstall the Role:
Open Server Manager and select Manage > Remove Roles and Features.
Follow the wizard to the Server Roles page.
Uncheck Remote Access (or specifically the Web Application Proxy sub-role).
Restart the server when prompted to complete the removal.
Clean up AD FS Trust (Optional): If you are retiring the server permanently, you can also remove its proxy trust certificate from the local store.
Important Considerations
Permissions: You must have Local Administrator permissions on the WAP server and sufficient privileges on the AD FS server to modify the configuration.
Version Compatibility: Configuration changes must generally be made from a WAP server running the oldest version if you are in a mixed-version cluster environment.
External Access: Removing a node might impact external access if your Network Load Balancer (NLB) is not updated to stop sending traffic to the removed IP.
Abstract
Web Application Proxy (WAP) servers play a crucial role in providing secure and reliable access to web applications. In a clustered environment, multiple WAP servers work together to ensure high availability and scalability. However, there may be situations where a WAP server needs to be removed from the cluster, such as when a server is decommissioned or replaced. This paper provides a detailed guide on how to remove a Web Application Proxy server from a cluster, including the necessary steps, considerations, and best practices.
Introduction
Web Application Proxy (WAP) servers are used to provide an additional layer of security and functionality to web applications. In a clustered environment, multiple WAP servers are configured to work together, ensuring that if one server becomes unavailable, the other servers can continue to provide access to the web application. This ensures high availability and scalability. However, there may be situations where a WAP server needs to be removed from the cluster, such as:
Pre-Removal Considerations
Before removing a WAP server from a cluster, consider the following:
Step-by-Step Removal Process
The following steps outline the process to remove a WAP server from a cluster:
Step 1: Prepare the WAP Server for Removal
Step 2: Remove the WAP Server from the Cluster
Step 3: Update the Remaining WAP Servers
Step 4: Verify Cluster Functionality
Best Practices
When removing a WAP server from a cluster, follow these best practices:
Conclusion
Removing a Web Application Proxy server from a cluster requires careful planning and execution. By following the steps outlined in this paper, you can ensure a smooth and successful removal process. Remember to consider the impact on availability, session persistence, and configuration settings, and to follow best practices to minimize downtime and ensure cluster functionality.
How to Remove a Web Application Proxy Server from a Cluster
Managing a Remote Access deployment often requires scaling your infrastructure down or replacing aging nodes. When using Web Application Proxy (WAP) in a cluster, simply shutting down a server isn't enough; you must gracefully remove it to maintain the integrity of your AD FS (Active Directory Federation Services) publishing environment.
This guide provides a step-by-step walkthrough on how to properly remove a Web Application Proxy server from a cluster using both the graphical interface and PowerShell.
Prerequisites
Before you begin, ensure you have:
Administrator privileges on the WAP server you intend to remove.
Connectivity to the other nodes in the cluster to ensure the configuration update propagates.
Updated Load Balancer settings: If you are using a hardware load balancer (HLB), remember to drain connections and remove the node from the rotation before proceeding with the software removal.
Method 1: Using the Remote Access Management Console (GUI)
For those who prefer a visual interface, the Remote Access Management Console is the standard tool for managing WAP clusters.
Open the Console: Log on to any server in the WAP cluster and open the Remote Access Management Console.
Select the Server: In the left-hand navigation pane, click on Configuration and then select Web Application Proxy.
Locate the Node: In the center pane, you will see a list of the servers currently participating in the cluster.
Remove the Server: Right-click the name of the server you wish to remove. Select Remove.
Confirm: A warning dialog will appear asking you to confirm the action. Click Yes.
Verify: The console will update, and the server should no longer appear in the list of cluster nodes.
Method 2: Using PowerShell (Recommended)
PowerShell is often the most reliable method, especially if the GUI is unresponsive or if you are automating your infrastructure management.
To remove the local server from a cluster, run the following command in an elevated PowerShell window:
```powershell
Uninstall-WebApplicationProxy
```
Why use this command?
Clean Departure: It unconfigures the Web Application Proxy role on the local machine.
Service Cleanup: It stops the relevant services and removes the configuration held in the local web.config and registry.
Cluster Awareness: It informs the remaining nodes that this specific server is no longer part of the deployment.
Note: If you want to remove a remote server from the cluster without logging into it, you would typically use the management console or a remote PowerShell session to run the uninstall command on that specific target.
Post-Removal Best Practices
Removing the server from the WAP logic is only half the battle. To ensure your network remains clean, follow these post-removal steps:
1. Update DNS Records
If you are using DNS Round Robin instead of a dedicated Load Balancer, ensure you remove the A-record associated with the decommissioned server’s IP address. Failure to do this will result in intermittent "Page Cannot Be Displayed" errors for users.
2. Decommission the Virtual Machine/Hardware
Once the role is uninstalled, you can safely:
Disjoin the server from the domain (if it was joined).
Power down and delete the virtual machine or re-purpose the physical hardware.
3. Monitor the Remaining Nodes
After removal, check the Event Viewer on the remaining WAP nodes (under Applications and Services Logs > Microsoft > Windows > Web Application Proxy). Ensure there are no synchronization errors or warnings indicating that the cluster is looking for the missing member.
Removing a Web Application Proxy server from a cluster is a straightforward process, but it requires precision to avoid service interruptions. Whether you use the Remote Access Management Console or the Uninstall-WebApplicationProxy PowerShell cmdlet, always remember to update your external networking components (Load Balancers and DNS) to reflect the change.
By following these steps, you ensure that your AD FS traffic continues to flow smoothly through your remaining healthy nodes.
For enterprises, manual removal is a liability. Here is an Ansible snippet to idempotently remove a WAP node.
```yaml
- name: Gracefully remove WAP node from cluster
  hosts: wap_removal_target
  become: yes
  tasks:
    # W3SVC is a Windows service, so the Windows service module is used here
    - name: Stop web application proxy service
      win_service:
        name: W3SVC
        state: stopped
      ignore_errors: yes
    - name: Remove server from load balancer pool via API (F5 example)
      uri:
        url: "https://lb-manager/mgmt/tm/ltm/pool/wap_pool/members"
        method: DELETE
        body: '{"name":"{{ ansible_default_ipv4.address }}:443"}'
        headers:
          Authorization: "Bearer {{ f5_token }}"
      delegate_to: localhost
    - name: Uninstall WAP feature
      win_feature:
        name: Web-Application-Proxy
        state: absent
    - name: Clean ADFS trust (run on ADFS server)
      win_shell: |
        Remove-WebApplicationProxyEndpoint -TargetProxyFQDN "{{ ansible_fqdn }}"
      delegate_to: adfs_internal_server
```
Error ID: Event ID 374, 381
Cause: A load balancer or DNS still points to the removed WAP IP.
Fix: Remove A/PTR records from DNS. Flush ARP cache on the load balancer. Use netsh int ipv4 show neighbors to verify ARP entries.
"To remove a Web Application Proxy server from the cluster, log in to the specific server and open PowerShell as an Administrator. Run the command Remove-WebApplicationProxyServer and confirm the prompt. Once complete, verify the removal by running Get-WebApplicationProxyServer on a remaining node to ensure the list no longer includes the decommissioned server. Finally, update the external load balancer to stop forwarding traffic to that IP address."
To remove a Web Application Proxy (WAP) server from a cluster, you must perform two primary tasks: update the WAP configuration to remove the server's record and then decommission the server itself by uninstalling its roles.
Operational Report: WAP Server Decommissioning
1. Update Cluster Configuration
The first step is to remove the specific server name from the cluster's list of connected servers. This ensures the primary management console no longer attempts to sync with the decommissioned node.
Command: Run the following PowerShell on an active node:
```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne 'ServerToRemove.domain.local')
```
Verification: Use (Get-WebApplicationProxyConfiguration).ConnectedServersName to confirm the list is updated.
2. Remove from Network Load Balancer (NLB)
Before making hardware or software changes, you must stop traffic from reaching the node.
Remove the server as an endpoint from your Azure Traffic Manager profile or the backend pool of your internal load balancer.
Monitor traffic to ensure no new authentication requests are being sent to the host.
3. Uninstall Published Applications
If you are decommissioning the server entirely, you should first remove all published web applications via the Remote Access Management Console.
Manual Removal: Right-click each application in the console and select Remove.
PowerShell: Use Remove-WebApplicationProxyApplication to drop current connections and remove configurations.
4. Role Deinstallation
Once applications are cleared, uninstall the WAP role and its dependencies.
Server Manager: Navigate to Manage > Remove Roles and Features, then uncheck Web Application Proxy and RAS Connection Manager Administration Kit (CMAK).
PowerShell:
```powershell
Uninstall-WindowsFeature Web-Application-Proxy, CMAK, RSAT-RemoteAccess
```
Post-Removal: Restart the server to complete the uninstallation.
5. Clean Up AD FS Trust (Optional)
If this was the last proxy or if you need to refresh the trust, you may need to manage the trust object in Active Directory Federation Services (AD FS).
Use Remove-AdfsWebApplicationProxyRelyingPartyTrust to delete the trust object entirely if the proxy is no longer needed.
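The `ConnectedServersName` filter that the guides above repeat, wrapped in guards, as an added example that is not part of the original page: it fails when the name is not in the list (the bare `-ne` filter would write the same list back without any error), refuses to write an empty list, supports `-WhatIf`, and reads the list back afterwards. The function names `Get-WapServerListWithout` and `Remove-WapNodeFromList` are hypothetical, and the server name is the page's placeholder.

```powershell
# Added example (not from the original page). Function names are hypothetical.
# Assumes an elevated session on a remaining WAP node with the WebApplicationProxy module.

function Get-WapServerListWithout {
    # Pure list logic, so it can be exercised without touching a live farm.
    param(
        [Parameter(Mandatory)] [string[]] $Current,
        [Parameter(Mandatory)] [string]   $NodeToRemove
    )
    # A short name or a typo never matches, and the bare -ne filter would then
    # write the unchanged list back without any error. Fail loudly instead.
    if ($Current -notcontains $NodeToRemove) {
        throw "'$NodeToRemove' is not in the list: $($Current -join ', ')"
    }
    # @() keeps an array even when a single server is left.
    $remaining = @($Current -ne $NodeToRemove)
    if ($remaining.Count -eq 0) {
        throw 'Refusing to write an empty ConnectedServersName list.'
    }
    return $remaining
}

function Remove-WapNodeFromList {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string] $NodeToRemove)

    # The page says to run this from a different active node, so refuse to run on the target.
    if (($NodeToRemove -split '\.')[0] -eq $env:COMPUTERNAME) {
        throw 'Run this from a remaining WAP node, not from the node being removed.'
    }

    $before = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
    $after  = @(Get-WapServerListWithout -Current $before -NodeToRemove $NodeToRemove)

    if ($PSCmdlet.ShouldProcess(($after -join ', '), 'Set ConnectedServersName')) {
        Set-WebApplicationProxyConfiguration -ConnectedServersName $after

        # Read the list back rather than trusting the write.
        $now = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
        if ($now -contains $NodeToRemove) {
            throw "'$NodeToRemove' is still listed after the update."
        }
        [pscustomobject]@{ Removed = $NodeToRemove; Before = $before; After = $now }
    }
}

# Dry run first, then repeat without -WhatIf:
# Remove-WapNodeFromList -NodeToRemove 'ServerToRemove.domain.local' -WhatIf
```

Keep the returned `Before` list with the change record so the previous membership can be restored with a single `Set-WebApplicationProxyConfiguration` call.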
After removal, perform exhaustive testing.
| Test | Expected Result | Command/Method |
|----------|---------------------|--------------------|
| Published app access | Successful login and page load | Browser access from external network |
| Health check of remaining nodes | All return 200 OK | curl -I https://remaining-node.fqdn/health |
| Load distribution | Traffic only to remaining nodes | Check LB logs |
| AD FS endpoint response | Returns proper metadata | https://adfs.fqdn/FederationMetadata/2007-06/FederationMetadata.xml |
| Event logs (no errors) | No 130, 131, or 249 errors in AD FS Admin log | Get-WinEvent -LogName "AD FS/Admin" |
| SSL/TLS handshake | Valid cert chain presented | openssl s_client -connect remaining-node:443 |