# For Windows WAP Get-WebApplicationProxyApplication | Select-Object ExternalURL, BackendServerURL, ExternalCertificateThumbprint If your cluster sits behind a hardware or software load balancer (F5, AWS NLB, HAProxy), verify the health probe settings. Does the balancer use a simple TCP handshake, or does it probe a specific URL ( /wap/health )? Removing the node before updating the LB will cause traffic to route to a black hole. Part 2: Graceful Quiescing – Draining the Traffic A hard shutdown is the enemy of production stability. You must "drain" the node. 2.1 Stop New Sessions (The "Drain" Step) Instruct the load balancer or the proxy itself to stop accepting new connections while finishing existing ones.
If the proxy node had a dedicated Virtual IP (VIP) using keepalived, handle the VRRP: remove web application proxy server from cluster
If you removed the WAP without uninstalling first, the proxy remains in the ADFS configuration. Force remove it: Part 2: Graceful Quiescing – Draining the Traffic
$proxy = Get-AdfsProxy -Name "wap-node-01.contoso.com" Remove-AdfsProxy -TargetProxy $proxy If you skip Step 2, the ADFS server will still attempt to send "relying party trust" updates to the removed proxy, causing event ID 364 and proxy sync timeouts in the event log. Scenario B: NGINX Reverse Proxy Cluster Assuming you have an active-passive or active-active cluster managed via a configuration management tool (Ansible, Puppet) or shared storage. If the proxy node had a dedicated Virtual
Use the socket CLI to set the server state to maint (maintenance):
Edit /etc/nginx/conf.d/upstreams.conf and remove the server line for the target IP.
WAP, particularly in Microsoft-centric environments (acting as a reverse proxy for Active Directory Federation Services - ADFS), is not a stateless load balancer. It holds specific configuration ties, certificate dependencies, and publishing rules. This guide provides a comprehensive, vendor-agnostic approach with specific emphasis on ADFS/WAP, NGINX, and HAProxy clusters.