Remove Web Application Proxy Server From Cluster
Ensure that all published applications remain visible and accessible from an external network connection.
Open Server Manager and click Manage > Remove Roles and Features. Select the target server and uncheck Remote Access.
If the server name persists in the Remote Access Management console after uninstalling the role, it is because the "primary" node still has it in its configuration list. Re-running the Set-WebApplicationProxyConfiguration command from a healthy node usually fixes this.
Web Application Proxy (WAP) servers are commonly deployed in pairs or larger clusters to provide reverse proxy functionality, pre-authentication, and published application access (e.g., Active Directory Federation Services (AD FS), Exchange, or internal web apps). Removing a node from such a cluster is a critical maintenance operation that, if performed incorrectly, can lead to authentication failures, session interruptions, or a complete outage of published applications.
If your cluster sits behind a hardware or software load balancer (F5, AWS NLB, HAProxy), verify the health probe settings. Does the balancer use a simple TCP handshake, or does it probe a specific URL (/wap/health)? Removing the node before updating the LB will cause traffic to route to a black hole.
Export the current WAP configuration via PowerShell.
AD FS removes the OAuth2 client configuration for that proxy. The WAP server will no longer receive valid proxy trust certificates. Any future connection attempts from that server will be rejected with HTTP 401 or 503 errors.
Remove the decommissioned server's IP address from any external or internal load balancer pools.
DNS Records: Delete any DNS A or AAAA records that point to the removed server.
Certificates: If the server is being permanently decommissioned, delete the SSL certificates from its local store to ensure security.
Removing the role from the server does not automatically delete its trust certificate from the AD FS configuration. You must remove it manually. Log into your primary or a remaining WAP node. Open PowerShell as an Administrator.
Once the server is no longer recognized as part of the cluster, you should uninstall the WAP services from the physical or virtual machine.
If the server is being permanently decommissioned, it is best practice to remove the WAP configuration from the server itself. This unregisters the server from the AD Application Proxy Connector Group, as detailed in documentation for managing connectors, such as this Microsoft Entra PowerShell guide. Open PowerShell as Administrator. Run the command:

    Uninstall-WebApplicationProxy
How to Remove a Web Application Proxy (WAP) Server from a Cluster

Removing a Web Application Proxy (WAP)
Before you issue a single command, you must understand the current state. Blindly pulling a node out of a load balancer pool is easy; removing its configuration from the federation trust is not.
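The state capture, configuration export, and stale-entry cleanup described above can be combined into one guarded script run from a node that stays in the cluster. This is an added example, not code from the original page; the node name and backup path are placeholder assumptions.

```powershell
#Requires -RunAsAdministrator
# Run on a healthy WAP node that remains in the cluster.
# $NodeToRemove and $BackupDir are placeholder values (assumptions).
param(
    [string]$NodeToRemove = 'wap02.example.internal',
    [string]$BackupDir    = 'C:\WapBackup'
)
Import-Module WebApplicationProxy -ErrorAction Stop

# 1. Record the current state before changing anything.
$config = Get-WebApplicationProxyConfiguration
$apps   = @(Get-WebApplicationProxyApplication)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$config | Export-Clixml -Path (Join-Path $BackupDir "wap-config-$stamp.xml")
$apps   | Export-Clixml -Path (Join-Path $BackupDir "wap-apps-$stamp.xml")

$current = @($config.ConnectedServersName)
Write-Host "Connected servers before: $($current -join ', ')"
Write-Host "Published applications:   $($apps.Count)"

# 2. Refuse to act on an unknown name or to empty the cluster.
#    (-contains / -ne compare case-insensitively.)
if ($current -notcontains $NodeToRemove) {
    throw "$NodeToRemove is not in ConnectedServersName; nothing to remove."
}
$remaining = @($current | Where-Object { $_ -ne $NodeToRemove })
if ($remaining.Count -eq 0) {
    throw 'Refusing to remove the last node from the cluster configuration.'
}

# 3. Rewrite the server list without the decommissioned node.
Set-WebApplicationProxyConfiguration -ConnectedServersName $remaining

# 4. Verify the stale entry is gone and the published apps are unchanged.
$after = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
if ($after -contains $NodeToRemove) {
    throw "$NodeToRemove is still listed; check AD FS connectivity and retry."
}
$appsAfter = @(Get-WebApplicationProxyApplication)
if ($appsAfter.Count -ne $apps.Count) {
    Write-Warning "Application count changed: $($apps.Count) -> $($appsAfter.Count)"
}
Write-Host "Connected servers after:  $($after -join ', ')"
```

The exported XML files can be reloaded with Import-Clixml to compare against the live configuration if a published application goes missing later.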