Remove Web Application Proxy Server from Cluster

Temporarily mark the server as down in the upstream block:

```nginx
# Temporarily mark the server as down in the upstream block
upstream backend_wan {
    server 10.0.0.10:80;        # Keep this server
    server 10.0.0.11:80 down;   # Mark removal node as down
}
```

Reload NGINX gracefully with `nginx -s reload`. Existing persistent connections will finish; new ones bypass it.

Edit /etc/nginx/conf.d/upstreams.conf and remove the server line for the target IP.

Remove the node's proxy endpoint on the ADFS side:

```powershell
# View current WAP endpoints
Get-WebApplicationProxyEndpoint
Remove-WebApplicationProxyEndpoint -TargetProxyFQDN "wap-node-01.contoso.com"
```

| Pitfall | Symptom | Solution |
| :--- | :--- | :--- |
| | Clients intermittently fail to reach the site; ping works sometimes. | Clear the neighbor cache: `arp -d <removed_node_ip>` on routers. |
| Orphaned ADFS Proxy Trust | Event ID 102 on internal ADFS: "The proxy was unreachable." | Run `Get-AdfsProxy \| Remove-AdfsProxy` on the ADFS server. |
| SSL Session Resumption | Some browsers connect fine; others (older) hang. | Remaining nodes must share the same SSL session cache (Redis/Memcached). Reconfigure after removal. |
| Sticky Sessions (Persistence) | Users suddenly see "Your session has expired." | The removed node held memory-based session data. Migrate to a distributed cache (Redis) before removal. |

Part 7: Automating the Removal (Ansible Playbook Example)

For enterprises, manual removal is a liability. Here is an Ansible snippet to idempotently remove a WAP node.

```yaml
- name: Clean ADFS trust (run on ADFS server)
  win_shell: |
    Remove-WebApplicationProxyEndpoint -TargetProxyFQDN "{{ ansible_fqdn }}"
  delegate_to: adfs_internal_server
```

Removing a web application proxy server from a cluster is not merely a matter of turning off a switch. It is a process of quiescing, disconnecting, cleaning, and validating. The difference between a professional team and an amateur one is visible in the post-removal state. An amateur leaves orphaned configuration entries, stale DNS records, and broken health checks. A professional leaves a cluster that is smaller, faster, and healthier than before.
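The NGINX drain, remove and verify sequence described on this page, as an added POSIX shell example (not code from the original article): it marks the node `down` idempotently, refuses to drain the last active backend, deletes the server line, and checks the post-removal state. The upstream file contents and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Works on an NGINX upstream file
# with one "server host:port ...;" directive per line; values are placeholders.
# Backends that still receive traffic: server lines not flagged down or backup.
active_backends() {
    grep -E '^[[:space:]]*server[[:space:]]' "$1" \
        | grep -Ev '[[:space:]](down|backup)([[:space:]]|;)' \
        | sed -E 's/^[[:space:]]*server[[:space:]]+([^[:space:];]+).*/\1/'
}
# Escape dots so an address is matched literally inside a regex.
re_escape() { printf '%s' "$1" | sed 's/[.]/\\./g'; }
# Step 1 (drain): append "down" to the target's line. Safe to re-run, and it
# refuses to drain the last active backend so the pool never goes to zero.
mark_down() {
    file=$1; addr=$2; esc=$(re_escape "$addr")
    if [ "$(active_backends "$file" | grep -vx "$addr" | grep -c .)" -lt 1 ]; then
        echo "refusing: $addr is the only active backend in $file" >&2; return 1
    fi
    grep -Eq "^[[:space:]]*server[[:space:]]+$esc[[:space:]]+down[[:space:]]*;" "$file" && return 0
    sed -E "s/^([[:space:]]*server[[:space:]]+$esc)[[:space:]]*;/\1 down;/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Step 2 (remove): delete the target's server line once it has drained.
remove_backend() {
    file=$1; esc=$(re_escape "$2")
    sed -E "/^[[:space:]]*server[[:space:]]+$esc([[:space:]]|;)/d" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Post-removal check: the address must be gone and at least one backend active.
verify_removed() {
    file=$1; addr=$2; esc=$(re_escape "$addr")
    if grep -Eq "^[[:space:]]*server[[:space:]]+$esc([[:space:]]|;)" "$file"; then
        echo "FAIL: $addr still listed in $file" >&2; return 1
    fi
    if [ "$(active_backends "$file" | grep -c .)" -lt 1 ]; then
        echo "FAIL: no active backends left in $file" >&2; return 1
    fi
    return 0
}

# Demo on a constructed upstream file (placeholder addresses); in real use run
# "nginx -s reload" after each edit so the change takes effect.
demo=$(mktemp)
printf 'upstream backend_wan {\n    server 10.0.0.10:80;\n    server 10.0.0.11:80;\n}\n' > "$demo"
mark_down "$demo" 10.0.0.11:80 && remove_backend "$demo" 10.0.0.11:80
verify_removed "$demo" 10.0.0.11:80 && echo "post-removal check passed"
rm -f "$demo"
```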