If you are completely dismantling the WAP infrastructure rather than just removing one node, you may need to remove the proxy trust on the AD FS side. Remove-AdfsWebApplicationProxyRelyingPartyTrust .
Here is a quick-reference table for common environments. These commands are a great starting point but should always be adjusted based on your specific setup and documentation.
Remove the target WAP server from your hardware load balancer (HLB) or Windows Network Load Balancing (NLB) cluster. Allow existing sessions to drain naturally.
Regardless of the reason, improperly removing a WAP server can lead to authentication failures, orphaned endpoints, and security blind spots. This guide walks you through a meticulous, step-by-step removal process.
Note: If you want to remove a server from the cluster without logging into it, you would typically use the management console or a remote PowerShell session to run the uninstall command on that specific target. Post-Removal Best Practices remove web application proxy server from cluster
Get-EventLog -LogName "AD FS/Admin" -EntryType Error | Select-Object -First 20
: Update your load balancer to stop sending traffic to the target WAP node.
This removal was performed to [Reason, e.g., decommission outdated hardware / address performance issues / re-provision the server].
To remove a specific server (e.g., ://domain.com ), run the following command. This filters the current list and re-saves it without the target server: powershell If you are completely dismantling the WAP infrastructure
Run a full suite of authentication flows:
: Log in with local administrative rights on the WAP server. You also need local administrator rights on the AD FS servers.
Ensure your PowerShell console is running under elevated privileges (Run as Administrator) and that your account belongs to the local Administrators group on both the WAP and AD FS systems.
Ensure remaining nodes hold valid SSL certificates to handle redirected traffic. Step 1: Drain Traffic from the Server These commands are a great starting point but
It stops the relevant services and removes the configuration held in the local web.config and registry.
Run the following deployment command to remove the remote access routing service: powershell
Set-WebApplicationProxyConfiguration -ConnectedServersName "://domain.com" Use code with caution. Copied to clipboard