Remove Web Application Proxy Server From Cluster May 2026
Even though you already drained traffic, now remove the server completely from the load balancer configuration:
After removal, test using a curl command forced to the LB’s VIP – you should only see the remaining WAP nodes responding.
After the server is removed, perform these checks to ensure stability:
To remove a Web Application Proxy (WAP) server from a cluster, you must update the cluster's configuration to exclude the target node and then decommission the server's roles.

1. Update the Cluster Configuration

Run these commands from a WAP server to ensure the cluster no longer attempts to communicate with the decommissioned node.

View current cluster members:

```powershell
(Get-WebApplicationProxyConfiguration).ConnectedServersName
```

Remove the specific server: define a new list that excludes the problematic or old server (`://domain.com` in the command below), then write that list back to the configuration:

```powershell
# Build the member list without the server being removed
$updatedServers = (Get-WebApplicationProxyConfiguration).ConnectedServersName | Where-Object { $_ -ne "://domain.com" }
# Apply the reduced list to the cluster configuration
Set-WebApplicationProxyConfiguration -ConnectedServersName $updatedServers
```

2. Decommission the Target Server

Perform these steps on the server being removed to fully clean up its configuration.

Remove Remote Access settings: In the Remote Access Management console, go to DirectAccess and VPN, and click Remove Configuration Settings in the Tasks pane.

Uninstall the WAP role: Use PowerShell for a clean removal of the feature and associated RSAT tools:

```powershell
Uninstall-WindowsFeature Web-Application-Proxy, RSAT-RemoteAccess
```

3. Post-Removal Cleanup

Update Load Balancer: Remove the server's IP address from any external or internal load balancer pools to prevent traffic being routed to a dead node.

DNS Records: Delete any specific A-records or host file entries that point to the decommissioned server.

SSL Certificates: If the server is being fully retired, remove sensitive SSL certificates from the local computer store to prevent theft.
On an internal AD FS server, use PowerShell to forcibly remove the orphaned entry:

```powershell
# List all proxies to find the ID of the dead server
Get-AdfsWebApplicationProxy
```
This method ensures the trust relationship between the WAP server and the internal AD FS farm is cleanly revoked before the server is taken offline.
Never assume removal worked. You must prove that the cluster is fully functional without the node.
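One way to turn that proof into a repeatable check, as an added example that is not part of the original page: it verifies the cluster member list, looks for stale DNS or hosts entries, and confirms the remaining nodes still accept connections. The node name `wap-old.example.internal`, the use of TCP 443 as the published port, and running it from a remaining WAP server are assumptions.

```powershell
# Added example: post-removal checks, run from a remaining WAP server.
# $RemovedNode is a constructed placeholder, not a value from the page.
$RemovedNode = 'wap-old.example.internal'
$results = [ordered]@{}

# 1. Control plane: the retired node must no longer be listed as a cluster member.
#    -notcontains is case-insensitive, which matches how host names are compared.
$members = @((Get-WebApplicationProxyConfiguration).ConnectedServersName | Where-Object { $_ })
$results['Node absent from ConnectedServersName'] = $members -notcontains $RemovedNode
$results['Cluster still lists at least one node'] = $members.Count -gt 0

# 2. Name resolution: Resolve-DnsName also consults the local hosts file by default,
#    so this catches both leftover A-records and leftover hosts entries.
$stale = Resolve-DnsName -Name $RemovedNode -ErrorAction SilentlyContinue |
    Where-Object { "$($_.Type)" -in 'A', 'AAAA' }
$results['No stale DNS record or hosts entry'] = -not $stale

# 3. Data plane: every remaining member should still accept TCP connections
#    on the published HTTPS port (443 is an assumption; adjust if yours differs).
foreach ($m in $members) {
    $ok = Test-NetConnection -ComputerName $m -Port 443 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $results["$m answers on TCP 443"] = [bool]$ok
}

# Report every check, then fail loudly so a runbook or pipeline stops on a miss.
$results.GetEnumerator() | Format-Table Key, Value -AutoSize
$failed = @($results.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    throw "Post-removal checks failed: $($failed.Key -join '; ')"
}
```

A passing run covers configuration and reachability only; the authentication flow through the load balancer still needs its own end-to-end test.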
Removing a web application proxy server from a cluster is not merely a matter of turning off a switch. It is a process of quiescing, disconnecting, cleaning, and validating. The difference between a professional team and an amateur one is visible in the post-removal state.
An amateur leaves orphaned configuration entries, stale DNS records, and broken health checks. A professional leaves a cluster that is smaller, faster, and healthier than before.
Before you remove that node, write a runbook. Quiesce the traffic. Clean the control plane. Verify the certificates. And always, always test the authentication flow afterward. Your users—and your on-call pager—will thank you.