Remove Web Application Proxy Server From Cluster
To remove a Web Application Proxy (WAP) server from a cluster, you must update the ConnectedServers list in the proxy configuration and then decommission the role from the physical server.

1. Remove the Server from the Cluster List
The primary WAP configuration maintains a list of all servers in the cluster. Simply uninstalling the role does not always clear the server from the management console. You must use PowerShell on an active node to update the ConnectedServersName property.

View current cluster members:
```powershell
(Get-WebApplicationProxyConfiguration).ConnectedServersName
```
Remove a specific server: Execute the following, replacing '://domain.com' with the target FQDN:
```powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName ((Get-WebApplicationProxyConfiguration).ConnectedServersName -ne '://domain.com')
```

2. Uninstall the Remote Access Role
After removing the server from the cluster configuration, log in to the target server to remove the software components.

Using PowerShell: Run this command to remove the WAP role and related management tools:
```powershell
Uninstall-WindowsFeature Web-Application-Proxy, RSAT-RemoteAccess
```
Using Server Manager: Go to Manage > Remove Roles and Features, uncheck Web Application Proxy under the Remote Access role, and follow the wizard to complete the removal.

3. Clean Up External Dependencies
To ensure no traffic is incorrectly routed to the decommissioned server:
- Load Balancer: Remove the server's IP address from any internal or external load balancer pools.
- DNS Entries: Delete any DNS records (like A or CNAME records) pointing to the old server's IP.
- Certificates: If the server is being fully decommissioned, remove its SSL certificates from the local store.
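
A guarded form of the step 1 update, added here as an example and not part of the original answer or of Microsoft's tooling: it fails when the name does not match an entry exactly, refuses to empty the list, and supports -WhatIf. The function name Remove-WapClusterMember, the backup path and the host wap02.contoso.com are assumptions.

```powershell
# Added example: guarded version of the ConnectedServersName update from step 1.
# Remove-WapClusterMember is a hypothetical helper name, not a built-in cmdlet.
function Remove-WapClusterMember {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ServerFqdn,
        # Assumed backup location for the pre-change member list.
        [string]$BackupPath = "$env:TEMP\wap-connected-servers.txt"
    )

    # Read the list once so the check and the write use the same snapshot.
    $current = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)

    # -ne on an array filters by exact, case-insensitive match. If the name is
    # stored differently (short name vs FQDN) nothing is removed and the bare
    # one-liner reports no error, so fail loudly here instead.
    if ($current -notcontains $ServerFqdn) {
        throw "'$ServerFqdn' is not in ConnectedServersName: $($current -join ', ')"
    }

    $remaining = @($current -ne $ServerFqdn)
    if ($remaining.Count -eq 0) {
        throw "Refusing to write an empty ConnectedServersName list."
    }

    # Keep a copy of the old list for rollback and for the change record.
    $current | Set-Content -Path $BackupPath

    if ($PSCmdlet.ShouldProcess($ServerFqdn, 'Remove from WAP ConnectedServersName')) {
        Set-WebApplicationProxyConfiguration -ConnectedServersName $remaining
    }

    # Return what the configuration holds now so the caller can verify it.
    (Get-WebApplicationProxyConfiguration).ConnectedServersName
}

# Preview first, then apply (wap02.contoso.com is a constructed sample name).
Remove-WapClusterMember -ServerFqdn 'wap02.contoso.com' -WhatIf
Remove-WapClusterMember -ServerFqdn 'wap02.contoso.com' -Confirm:$false
```

Run it on an active node, as step 1 requires, and compare the returned list with the backup file before uninstalling the role on the target server.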
6.1 Microsoft AD FS / WAP (Common Scenario)
Step 1: Remove from AD FS Trust Relationship
On the AD FS server (primary):
```powershell
# List all WAP servers
Get-WebApplicationProxyEndpoint
```
Test a sample Relying Party (e.g., Office 365):
```powershell
Test-AdfsWebApplicationProxyConnection -ProxyUrl "https://sts.contoso.com" -RelyingPartyIdentifier "urn:federation:MicrosoftOnline"
```
Alternative: Demoting vs. Forced Removal
What if the WAP server is offline and unrecoverable (e.g., dead disk, ransomware-locked)?
Forced removal from AD FS (without touching the dead server):
```powershell
# On AD FS primary
Remove-AdfsWebApplicationProxyRelyingPartyTrust -TargetName "WAP-DEAD-SRV" -Force
```
Then, manually delete the computer object from the DMZ OU in Active Directory. The WAP role itself is gone forever. No further cleanup on the dead machine is possible; just physically decommission it.
Do NOT simply reinstall Windows on the same hostname and rejoin it to the cluster without first removing the trust. A reused hostname with an orphaned trust will cause a “duplicate proxy” error during reconfiguration.
Step 4: Purge Local WAP Artifacts (Security Measure)
Even after role removal, some artifacts persist. Delete manually:
Certificates used for proxy trust: certlm.msc → Personal → Certificates → delete any issued by "AD FS Proxy Trust CA".
Back up SSL certificate thumbprints and bindings:
```powershell
netsh http show sslcert > C:\Backup\ssl-bindings.txt
```
5.2 External Functional Testing
From an external client (not on the internal corporate network), test your primary application URLs:
- Standard page load: `curl -I https://app.contoso.com` -> Expect HTTP 200.
- Authentication flow: Open a private/incognito browser. Navigate to the app. Complete SSO (SAML/OAuth). Verify redirection works.
- WebSocket/API test: If your proxy handles WebSockets, use a tool like `wscat` to verify upgrade headers.