Click in the top right corner and select Remove Roles and Features. Click Next until you reach the Server Roles page. Uncheck Remote Access.
The you are using (e.g., 2016, 2019, 2022).
On an internal AD FS server, use PowerShell to forcibly remove the orphaned entry:
Note: Using the aliases swpc (Set) and gwpc (Get) is also common in technical documentation. Verify the server is gone by running:

```powershell
(Get-WebApplicationProxyConfiguration).ConnectedServersName
```

2. Decommissioning the Server Role
Ensure external/internal records no longer point to the removed IP.

Certificate Authority
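```powershell
# Save the current HTTP.sys SSL certificate bindings
netsh http show sslcert > C:\Backup\ssl-bindings.txt

# Export WAP configuration (Microsoft-specific)
# Serialize the output of Get-WebApplicationProxyConfiguration to JSON
Get-WebApplicationProxyConfiguration | ConvertTo-Json | Out-File C:\Backup\wap-config-backup.json
```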
Verify that the removed server's hostname no longer appears in the cluster configuration or connected operational statuses.

3. Post-Removal Cleanup Tasks
The process to remove a web application proxy server from a cluster requires careful execution to maintain stability and avoid downtime. While the specific steps differ across platforms like Kubernetes, ADFS, or WebSphere, the underlying principles remain the same. By following this comprehensive guide and adhering to best practices—from planning and validation to cleanup—system administrators can perform this operation with confidence, keeping clusters efficient, secure, and well-maintained.
| Check | Expected Result | Command/Method |
|----------|---------------------|--------------------|
| Published app access | Successful login and page load | Browser access from external network |
| Health check of remaining nodes | All return 200 OK | `curl -I https://remaining-node.fqdn/health` |
| Load distribution | Traffic only to remaining nodes | Check LB logs |
| AD FS endpoint response | Returns proper metadata | `https://adfs.fqdn/FederationMetadata/2007-06/FederationMetadata.xml` |
| Event logs (no errors) | No 130, 131, or 249 errors in AD FS Admin log | `Get-WinEvent -LogName "AD FS/Admin"` |
| SSL/TLS handshake | Valid cert chain presented | `openssl s_client -connect remaining-node:443` |
The next time you see an over-provisioned WAP cluster or a failing node, remember:
Removing a node might impact external access if your Network Load Balancer (NLB) is not updated to stop sending traffic to the removed IP.
Do not disconnect a server while it is actively handling user requests. You must gracefully stop new connections from reaching the node. Log into your external network load balancer.
Tonight, the physician had to become the executioner.
Uncheck (which automatically includes Web Application Proxy).