Edit /etc/nginx/conf.d/upstreams.conf and remove the server line for the target IP.
- name: Gracefully remove WAP node from cluster hosts: wap_removal_target become: yes tasks: - name: Stop web application proxy service service: name: W3SVC state: stopped ignore_errors: yes - name: Remove server from load balancer pool via API (F5 example) uri: url: "https://lb-manager/mgmt/tm/ltm/pool/wap_pool/members" method: DELETE body: '"name":" ansible_default_ipv4.address :443"' headers: Authorization: "Bearer f5_token " delegate_to: localhost remove web application proxy server from cluster
$proxy = Get-AdfsProxy -Name "wap-node-01.contoso.com" Remove-AdfsProxy -TargetProxy $proxy If you skip Step 2, the ADFS server will still attempt to send "relying party trust" updates to the removed proxy, causing event ID 364 and proxy sync timeouts in the event log. Scenario B: NGINX Reverse Proxy Cluster Assuming you have an active-passive or active-active cluster managed via a configuration management tool (Ansible, Puppet) or shared storage. Edit /etc/nginx/conf
- name: Clean ADFS trust (run on ADFS server) win_shell: | Remove-WebApplicationProxyEndpoint -TargetProxyFQDN " ansible_fqdn " delegate_to: adfs_internal_server Removing a web application proxy server from a cluster is not merely a matter of turning off a switch. It is a process of quiescing, disconnecting, cleaning, and validating . The difference between a professional team and an amateur one is visible in the post-removal state. - name: Clean ADFS trust (run on ADFS
If the proxy node had a dedicated Virtual IP (VIP) using keepalived, handle the VRRP:
Reload NGINX gracefully: nginx -s reload . Existing persistent connections will finish; new ones bypass it.
In the lifecycle of any production environment, change is inevitable. Scaling down, hardware retirement, traffic pattern shifts, or security overhauls often necessitate the removal of a node from a cluster. While adding resources is exciting, removing a Web Application Proxy (WAP) server from a cluster is a delicate surgical procedure. Done incorrectly, it can orphan authentication requests, break Single Sign-On (SSO), and leave your external users staring at a cryptic 503 error.