Web Application Proxy servers rely on a certificate-based trust relationship with your backend AD FS servers. Log into your primary AD FS server. Open as an Administrator. Run Get-AdfsWebApplicationProxy to view registered proxies.
In modern, high-availability IT infrastructures, Web Application Proxy (WAP) servers are critical components that bridge internal applications with external users, offering pre-authentication, load balancing, and security. However, situations arise where a proxy server needs to be removed from a cluster—due to server decommission, maintenance, or infrastructure reconfiguration.
Ensure external/internal records no longer point to the removed IP.

Certificate Authority
Change the status of the target WAP node to or Disabled. Monitor active connections until they drop to zero.
Note: This command clears the local proxy settings and stops the Web Application Proxy service (WAPCS), removing its relationship with the AD FS federation service.

4. Step 3: Remove the Remote Access Role
When working with Active Directory Federation Services (ADFS), removing a Web Application Proxy (WAP) server can be done in several ways, often with a focus on zero downtime.
Update your hardware load balancer or DNS round-robin configuration. Stop directing client traffic to the target node.
Note: You will be prompted to confirm the action. Press and hit Enter.

Step 3: Verify Removal Success
Step 1: assess impact. Priya checked active sessions and recent authentications. Only a small percentage of traffic had routed to node 03 in the last 10 minutes. No ongoing sign-ins were mid-flight. Good—she could safely drain it.
If the server is still running and accessible, follow these steps to cleanly uninstall the role:

Remove Published Applications: Open the Remote Access Management Console and remove any web applications assigned to this server.

Uninstall Features
On the server you are removing, follow these steps to clean up the roles and features:
Locate the or Pool Members section matching your WAP cluster.
```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName $updatedServers
```

2. Decommission the Target Server

Perform these steps on the server being removed to fully clean up its configuration.

Remove Remote Access settings: Remote Access Management console DirectAccess and VPN, and click Remove Configuration Settings in the Tasks pane.

Uninstall the WAP role:
Click in the top right corner and select Remove Roles and Features. Click Next until you reach the Server Roles page.
From an external client (not internal corporate network), test your primary application URLs:
Before running any commands, understand how WAP clustering operates. WAP servers do not hold a local primary configuration database. Instead, they use a local visual proxy configuration that synchronizes periodically with the AD FS primary federation server.

Verify Farm Health
Never assume removal worked. You must prove that the cluster is fully functional without the node.