– On a remaining WAP server, run:
netstat -an | find ":443" | find /c "ESTABLISHED"
Event ID 374, 381 Cause: A load balancer or DNS still points to the removed WAP IP. Fix: Remove A/PTR records from DNS. Flush ARP cache on the load balancer. Use netsh int ipv4 show neighbors to verify ARP entries.
: Delete any DNS records (like A or CNAME records) pointing to the old server's IP. remove web application proxy server from cluster
Remove the server's IP address from any external or internal load balancers (e.g., Azure Traffic Manager or F5).
Note: You will be prompted to confirm the removal. Type 'Y' to proceed.
Common scenarios include:
Log into one of your remaining Web Application Proxy servers and check the status of the synchronization: powershell Get-WebApplicationProxyConfiguration Use code with caution.
After the node is removed from the cluster configuration, it is safe to uninstall the proxy software from the server. On a Windows server, this is done through the "Remove Roles and Features" wizard in Server Manager. Simply deselect the "Remote Access" role to remove the Web Application Proxy components. For Linux-based proxies, you might need to stop the service, disable it from starting on boot, and remove the relevant packages with your distribution's package manager.
Web Application Proxy (WAP) servers are commonly deployed in pairs or larger clusters to provide reverse proxy functionality, pre-authentication, and published application access (e.g., Active Directory Federation Services (AD FS), Exchange, or internal web apps). Removing a node from such a cluster is a critical maintenance operation that, if performed incorrectly, can lead to authentication failures, session interruptions, or a complete outage of published applications. – On a remaining WAP server, run: netstat
It unconfigures the Web Application Proxy role on the local machine.
Removing a node might impact external access if your Network Load Balancer (NLB) is not updated to stop sending traffic to the removed IP.
| Issue | Solution | |-------|----------| | “Proxy trust cannot be removed because the server is still reachable” | Ensure the WAP server is offline or firewalled from AD FS. Then use Remove-ADFSWebApplicationProxy -Force . | | Event 250: “WAP server failed to unregister” | Manually delete the service connection point in AD using ADSI Edit (CN=Web Application Proxy, CN=Service Connection Point). | | Load balancer still sends traffic | Double-check load balancer configuration and clear any connection persistence/cookies. | Use netsh int ipv4 show neighbors to verify ARP entries
# 1. Remove node from configuration management (Ansible/Puppet) # 2. Delete node definition from load balancer config # Example: Remove upstream server from nginx.conf upstream wap_backend # server 10.0.0.10:443; # Removed node server 10.0.0.11:443; server 10.0.0.12:443;
