Remove Web Application Proxy Server From Cluster
```powershell
# List all proxy trusts
Get-ADFSWebApplicationProxy
```
Before removing any node, complete the following assessment to understand the impact.
| Check | Action | Tool/Command |
|-----------|------------|------------------|
| Current cluster size | Identify how many active WAP nodes exist | WAP PowerShell: Get-WebApplicationProxyConfiguration |
| Active sessions per node | Determine if node has long-lived sessions | Load balancer logs or netstat -an |
| Backend application health | Ensure target apps have alternate proxy routes | Health check via curl/browser |
| AD FS/WAP synchronization | Verify config sync between WAP and AD FS | Event Viewer: AD FS Admin events |
| SSL certificate status | Ensure remaining nodes have valid bound certs | Get-WebApplicationProxySslCertificate |
✅ Always maintain an odd number of WAP nodes (1, 3, 5) when using default load balancer session persistence. Even-numbered clusters can cause split-brain conditions during AD FS proxy trust certificate renewal.
✅ Document the removal in your CMDB – including dates, who performed the removal, and the reason.
✅ Update your disaster recovery plan – change the recovery order to exclude the removed server.

Perform the following checks:
✅ Monitor remaining node capacity. If total CPU on remaining nodes exceeds 70% sustained, add a replacement node before removing a second one.
✅ Schedule certificate rollover after removal. The AD FS proxy trust certificate (default 1-year) does not need immediate reissue, but after a cluster size change, run:
```powershell
Update-AdfsCertificate -CertificateType Proxy-Trust
```
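The capacity and certificate checks above, as an added PowerShell example (not from the original page): it samples CPU on the nodes that will remain and verifies that each still has a valid bound SSL certificate. It assumes WinRM access to the remaining nodes, constructed node names, and that the object returned by `Get-WebApplicationProxySslCertificate` exposes the bound certificate's thumbprint as `CertificateHash` (an assumption about that cmdlet's output); the 30-day expiry margin is a chosen value, not one the page states.

```powershell
# Added example: pre-removal check of the nodes that stay in the WAP cluster.
# Assumptions: WinRM access to each node; $RemainingNodes are constructed names;
# CertificateHash on the SSL certificate object is the thumbprint (assumed);
# the 70% threshold comes from the page, the 30-day margin is chosen here.
param(
    [string[]] $RemainingNodes = @('wap01.corp.example', 'wap02.corp.example'),
    [int]      $CpuThreshold   = 70,   # page: sustained CPU above 70% means add a node first
    [int]      $Samples        = 12,   # 12 samples x 5 s = one minute of "sustained" load
    [int]      $IntervalSec    = 5
)

$report = foreach ($node in $RemainingNodes) {
    # Average CPU over the sampling window so a single spike does not trip the check.
    $cpu = (Get-Counter -ComputerName $node -Counter '\Processor(_Total)\% Processor Time' `
                -SampleInterval $IntervalSec -MaxSamples $Samples).CounterSamples |
           Measure-Object -Property CookedValue -Average |
           Select-Object -ExpandProperty Average

    # Resolve the bound SSL certificate in the node's machine store and read its expiry.
    $cert = Invoke-Command -ComputerName $node -ScriptBlock {
        $bound = Get-WebApplicationProxySslCertificate | Select-Object -First 1
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object Thumbprint -eq $bound.CertificateHash |
            Select-Object Subject, NotAfter, Thumbprint
    }

    [pscustomobject]@{
        Node        = $node
        AvgCpuPct   = [math]::Round($cpu, 1)
        CpuOk       = $cpu -lt $CpuThreshold
        CertSubject = $cert.Subject
        CertExpires = $cert.NotAfter
        CertOk      = ($null -ne $cert) -and ($cert.NotAfter -gt (Get-Date).AddDays(30))
    }
}

$report | Format-Table -AutoSize

# Stop the removal if any remaining node fails either check.
if ($report | Where-Object { -not $_.CpuOk -or -not $_.CertOk }) {
    Write-Warning 'A remaining node fails the capacity or certificate check; add or fix a node before removing this one.'
    exit 1
}
```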