Remove Web Application Proxy Server From Cluster

If using a custom proxy cluster with shared configuration:

    # 1. Remove node from configuration management (Ansible/Puppet)
    # 2. Delete node definition from load balancer config
    # Example: Remove upstream server from nginx.conf
    upstream wap_backend {
        # server 10.0.0.10:443;  # Removed node
        server 10.0.0.11:443;
        server 10.0.0.12:443;
    }

On remaining nodes, flush any cached references to the removed node:

Do not proceed without the following:

  • Backups (minimum):
  • Credentials: A domain account with local admin on WAP and admin rights on AD FS.
  • Maintenance window – because you will disrupt traffic to the removed node.
  • ⚠️ Warning: Removing a WAP server is not as simple as shutting it down. Orphaned configuration objects in AD FS can cause certificate validation errors and proxy trust issues for months.


    Once removal is confirmed safe, decommission the physical/virtual server.

    Before surgery, check the patient’s vitals. Run these commands on any AD FS server in the farm (preferably the primary):

    # View all registered WAP servers
    Get-WebApplicationProxyConfiguration
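As an added example (not part of the original article), the following PowerShell script turns the "check the vitals" step into a recorded snapshot: run on the WAP node before removal, it exports the proxy configuration, the published applications and the proxy trust certificates into a timestamped folder and hashes the files so the backup can be trusted if a rollback is needed. The backup path and the issuer match string are assumptions for this example; the cmdlets are the WebApplicationProxy module's own.

```powershell
# Added example, not from the original article: snapshot a WAP node's state
# before removal so the change can be verified afterwards and rolled back.
# Runs on the WAP server itself (the WebApplicationProxy module lives there).
# $BackupRoot and the issuer match string are assumptions for this example.
param(
    [string]$BackupRoot = 'C:\WAPBackup'
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dir   = Join-Path $BackupRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Farm-level proxy configuration and every application this node publishes
$config = Get-WebApplicationProxyConfiguration
$apps   = @(Get-WebApplicationProxyApplication)
$config | Export-Clixml -Path (Join-Path $dir 'ProxyConfiguration.xml')
$apps   | Export-Clixml -Path (Join-Path $dir 'PublishedApplications.xml')

# Proxy trust certificates in the machine store: these are the artifacts the
# article warns will linger after the role is removed
$trustCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*AD FS Proxy Trust*' })
$trustCerts |
    Select-Object Subject, Issuer, Thumbprint, NotAfter |
    Export-Csv -Path (Join-Path $dir 'ProxyTrustCertificates.csv') -NoTypeInformation

# Hash the exported files so the backup can be checked for tampering before use.
# Collect the file list first so the hash file does not hash itself.
$files = Get-ChildItem -Path $dir -File
$files |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $dir 'SHA256SUMS.csv') -NoTypeInformation

# Summary for the change record
[pscustomobject]@{
    Node                   = $env:COMPUTERNAME
    BackupFolder           = $dir
    PublishedApplications  = $apps.Count
    ProxyTrustCertificates = $trustCerts.Count
}
```

Run it from an elevated PowerShell session on the node being removed; the summary object is what goes into the change ticket, and the folder is what you restore from if the removal has to be reversed.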
    

    Even after role removal, some artifacts persist. Delete manually:

    # Certificates used for proxy trust
    certlm.msc → Personal → Certificates → Delete any issued by "AD FS Proxy Trust CA"
    

    For enterprises, manual removal is a liability. Here is an Ansible snippet to idempotently remove a WAP node.

    - name: Gracefully remove WAP node from cluster
      hosts: wap_removal_target
      # Windows targets are managed over WinRM; sudo-style become does not apply
      tasks:
        - name: Stop web application proxy service
          win_service:
            name: W3SVC
            state: stopped
          ignore_errors: yes

        - name: Remove server from load balancer pool via API (F5 example)
          uri:
            url: "https://lb-manager/mgmt/tm/ltm/pool/wap_pool/members"
            method: DELETE
            body: '{"name":"{{ ansible_default_ipv4.address }}:443"}'
            body_format: json
            headers:
              Authorization: "Bearer {{ f5_token }}"
          delegate_to: localhost

        - name: Uninstall WAP feature
          win_feature:
            name: Web-Application-Proxy
            state: absent

        - name: Clean ADFS trust (run on ADFS server)
          win_shell: |
            Remove-WebApplicationProxyEndpoint -TargetProxyFQDN "{{ ansible_fqdn }}"
          delegate_to: adfs_internal_server
    

    | Issue | Solution |
    |-------|----------|
    | “Proxy trust cannot be removed because the server is still reachable” | Ensure the WAP server is offline or firewalled from AD FS. Then use Remove-ADFSWebApplicationProxy -Force. |
    | Event 250: “WAP server failed to unregister” | Manually delete the service connection point in AD using ADSI Edit (CN=Web Application Proxy, CN=Service Connection Point). |
    | Load balancer still sends traffic | Double-check load balancer configuration and clear any connection persistence/cookies. |
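As an added example (not part of the original article), this PowerShell check script covers both the leftover-artifact section above and the troubleshooting table: run on the removed node after the role is uninstalled, it confirms the feature and service are gone, lists (and optionally deletes) proxy trust certificates still in the machine store, checks whether the load balancer VIP still has established connections to port 443, and tests whether the node can still reach AD FS, which is the condition behind the "server is still reachable" error. The AD FS host name, the load balancer VIP and the issuer match string are placeholders for this example.

```powershell
# Added example, not from the original article: verify on a decommissioned
# WAP node that nothing of the proxy role is left before it is powered off.
# $AdfsHost and $LoadBalancerVip are placeholders; the issuer match string
# follows the article's description of the proxy trust certificates.
param(
    [string]$AdfsHost        = 'adfs.example.com',  # placeholder
    [string]$LoadBalancerVip = '10.0.0.1',          # placeholder
    [switch]$RemoveCertificates
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. The role itself must be gone
$feature = Get-WindowsFeature -Name Web-Application-Proxy
if ($feature.Installed) { $findings.Add('Web-Application-Proxy role is still installed') }

# 2. The service the article stops must not be running
$svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { $findings.Add('W3SVC is still running') }

# 3. Proxy trust certificates must be out of the machine store
$leftover = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*AD FS Proxy Trust*' })
foreach ($cert in $leftover) {
    if ($RemoveCertificates) {
        # -Confirm prompts per certificate so a mistyped filter cannot wipe the store
        Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -Confirm
        $findings.Add("Removed proxy trust certificate $($cert.Thumbprint)")
    } else {
        $findings.Add("Proxy trust certificate still present: $($cert.Thumbprint)")
    }
}

# 4. The load balancer must not be delivering traffic any more
$inbound = @(Get-NetTCPConnection -LocalPort 443 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $LoadBalancerVip })
if ($inbound.Count -gt 0) {
    $findings.Add("$($inbound.Count) established connection(s) from $LoadBalancerVip on 443; check LB config and persistence")
}

# 5. Trust removal with -Force expects the node to be offline or firewalled from
#    AD FS; a successful TCP test from here suggests the firewall rule is missing
$reach = Test-NetConnection -ComputerName $AdfsHost -Port 443 -WarningAction SilentlyContinue
if ($reach.TcpTestSucceeded) {
    $findings.Add("Node still reaches $AdfsHost on 443; expect the 'server is still reachable' error")
}

if ($findings.Count -eq 0) {
    'Clean: no WAP leftovers found, safe to decommission'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it elevated; without `-RemoveCertificates` it only reports, which is the mode to use first so the findings can be compared against the pre-removal snapshot before anything is deleted.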