Aug 12 2020

There have been some recent changes to the LTSR article around Local Host Cache upgrades:

  • When upgrading Delivery Controllers to Citrix Virtual Apps and Desktops version 1912 or 2003: Upgrading SQL Server Express LocalDB is optional. Local Host Cache works properly, with no loss of functionality, regardless of whether you upgrade SQL Server Express LocalDB. We added the option to move to a newer version of SQL Server Express LocalDB in case there are concerns about end of support from Microsoft for SQL Server Express LocalDB 2014.
  • When upgrading Delivery Controllers to Citrix Virtual Apps and Desktops versions newer than 2003: The minimum supported version is SQL Server Express 2017 LocalDB Cumulative Update (CU) 16. If you originally installed a Delivery Controller earlier than version 1912, and have not replaced SQL Server Express LocalDB with a newer version since then, you must replace that database software now. Otherwise, Local Host Cache will not work.

As you can see here, at one time it stated you needed to upgrade, or it would not work. However, that doesn’t seem to be 100% the case anymore. I think that’s why Citrix updated the doc.

As you can see here, some had the same concerns or questions around it. I most certainly did.

  1. So, let’s get started. I always do a snapshot first. Which is completed. 
  1. Complete the upgrade of your Citrix Virtual Apps and Desktops components, databases, and site. (Those database upgrades affect the site, monitoring, and configuration logging databases. They do not affect the Local Host Cache database that uses SQL Server Express LocalDB.)
  1. As you can see, I am on 1912 CU1 and have MSQL Express 2014
  1. On the Delivery Controller, download PsExec from Microsoft. See the Microsoft document PsExec v2.2.
  1. Stop the Citrix High Availability Service
  1. Open CMD as Admin and open PsExec.exe


  1. Move to the folder containing SqlLocalDB.

cd "C:\Program Files\Microsoft SQL Server\120\Tools\Binn"

  1. Stop and delete CitrixHA (LocalDB).

If you don’t stop it, you will get this error (me not paying attention).

SqlLocalDB stop CitrixHA

SqlLocalDB delete CitrixHA

  1. Remove the related files in C:\Windows\ServiceProfiles\NetworkService
  1. Uninstall SQL Server Express LocalDB 2014 from the server, using the Windows feature for removing programs
  1. Install SQL Server Express LocalDB 2017. In the Support > SQLLocalDB folder on the Citrix Virtual Apps and Desktops installation media, double-click sqllocaldb.msi
  1. Reboot the server and make sure the “Citrix High Availability Service” is started.
  1. Logged on and it took about 15 seconds to show up
  1. Then 60 seconds or so on this

11. Check if the CitrixHA Db is created.

 CitrixHA is re-created the next time a configuration sync occurs. After a minute or two, use the SqlLocalDB utility to confirm that CitrixHA has been re-created.

SqlLocalDB i




While still in the PsExec session run this

C:\Program Files\Microsoft SQL Server\120\Tools\Binn>SqlLocalDB i



  1. You will see this until you do the second broker
  1. After I did my second Broker this was in the logs
  1. But then I see this almost every 2 minutes. I remember reading about this. But I thought it was fixed many versions ago.

Did some googling on the errors and came up with the 2 links below.

  1. LHC DB upgrade reference

  1. Turns out some AD accounts were deleted over time, and it had some bad SIDs.
  2. So, I ran the quick script, to get the output.

Get-BrokerApplication | foreach {if ($_.AssociatedUserNames -match "S-1-5-21") {$_.Name; $_.AssociatedUserNames -match "S-1-5-21"; ""}}

  1. Went into Studio and deleted them from the location it displayed above. Which was in a Published application visibility.
  1. Then, based on CTX230775, I needed to redo the LHC DB. So I quickly ran through the process and it fixed the error.

So, in summary, this is how I upgraded the LHC DB and did some minor troubleshooting. Hope it helps someone.

Aug 10 2020

I recently tried to figure out how to block non-USA countries from accessing my NetScaler Gateway page on my ADC. I tried to follow some old documentation. This Citrix Article, this, this, etc, all have old, outdated information. I will put together this quick post on how I got this accomplished.

First, I had to sign up for a MaxMind account. I used this link to sign up for GeoLite2.

Then, I downloaded the database file in CSV format.

Next, I downloaded the script from GitHub here. I have added this file to my website just in case that GitHub repo disappears on us. Download here if previous link doesn’t work.

SSH into your ADC and go to shell

# mkdir /var/geoip

Unzip the files. I then used WinSCP to copy all of them up to the ADC into /var/geoip

Go back to the SSH shell.
# chmod +x

Then convert the files. I’m from USA, so I used the -en file.

# perl -b GeoLite2-Country-Blocks-IPv4.csv -i GeoLite2-Country-Blocks-IPv6.csv -l GeoLite2-Country-Locations-en.csv

This spits out two .gz files.  Unzip them to .csv files.
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv4.csv.gz
# gunzip Netscaler_Maxmind_GeoIP_DB_IPv6.csv.gz

Exit Shell and go back to the NSShell (Notice I’m not using -format GeoIP-Country)

> add locationfile /var/geoip/Netscaler_Maxmind_GeoIP_DB_IPv4.csv

Then check it and make sure there are no Errors

> show locationparameter

Lines: 307344 Warnings: 0 Errors: 0

Next, create a responder policy. In my example I’m just using .US.

> add responder policy Drop_non_US "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.US.*.*.*.*\").NOT" DROP
> set locationParameter -matchWildcardtoany YES

Lastly, bind it to your vServer. My example is for a Citrix Gateway vServer

> bind vpn vserver LAB_AG -policy Drop_non_US -priority 100 -gotoPriorityExpression END -type REQUEST
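
A pre-bind check for the Drop_non_US policy above, as an added example that is not part of the original post: it looks up which country the GeoLite2 CSV data assigns to the addresses you care about (your own admin IP, monitoring probes, internal ranges) before a DROP policy goes live. The sample rows are constructed, the function names are hypothetical, and two things are assumptions of this example: the fallback to the registered country when a block has no geoname_id, and treating an address with no entry as dropped because it cannot match the US pattern.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the GeoLite2 country CSV layout (not real MaxMind data).
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/24,6252001,6252001,,0,0
198.51.100.0/24,2921044,2921044,,0,0
203.0.113.0/25,,6252001,,0,0
"""
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
6252001,en,NA,"North America",US,"United States",0
2921044,en,EU,Europe,DE,Germany,1
"""

def load_networks(blocks_file, locations_file):
    """Return [(network, iso_code)] from the Blocks and Locations CSVs."""
    iso = {r["geoname_id"]: r["country_iso_code"]
           for r in csv.DictReader(locations_file)}
    nets = []
    for r in csv.DictReader(blocks_file):
        # Assumption: blocks without a geoname_id fall back to the registered country.
        gid = r["geoname_id"] or r["registered_country_geoname_id"]
        nets.append((ipaddress.ip_network(r["network"]), iso.get(gid, "")))
    return nets

def country_of(ip, nets):
    """ISO code of the most specific block containing ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, code) for n, code in nets
            if n.version == addr.version and addr in n]
    return max(hits)[1] if hits else None

def would_drop(ip, nets, allowed="US"):
    """Mirror Drop_non_US: anything not located in `allowed` is dropped,
    including addresses with no entry at all (e.g. RFC 1918 ranges)."""
    return country_of(ip, nets) != allowed

def load_sample():
    """Parse the constructed sample data embedded above."""
    return load_networks(io.StringIO(BLOCKS_CSV), io.StringIO(LOCATIONS_CSV))

if __name__ == "__main__":
    nets = load_sample()
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "10.1.2.3"):
        print(ip, country_of(ip, nets), "DROP" if would_drop(ip, nets) else "allow")
```

To run it against the real download, pass open file handles for GeoLite2-Country-Blocks-IPv4.csv and GeoLite2-Country-Locations-en.csv to `load_networks` instead of the embedded sample.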