diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index ec4d26edf5b..57555a1cc37 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
@@ -1854,6 +1854,7 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
 
         } else if (zone.getNetworkType() == NetworkType.Advanced) {
             if (zone.isSecurityGroupEnabled()) {
+<<<<<<< HEAD
             	if (ipv6) {
             		throw new InvalidParameterValueException("IPv6 is not supported with security group!");
             	}
@@ -1867,6 +1868,15 @@ public class NetworkManagerImpl extends ManagerBase implements NetworkManager, L
                 }
                 if ( ! _networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SecurityGroup)) {
                     throw new InvalidParameterValueException("network must have SecurityGroup provider in security group enabled zone");
+=======
+                // Only Account specific Isolated network with sourceNat service disabled are allowed in security group
+                // enabled zone
+                boolean allowCreation = (ntwkOff.getGuestType() == GuestType.Isolated 
+                        && !_networkModel.areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat));
+                if (!allowCreation) {
+                    throw new InvalidParameterValueException("Only Account specific Isolated network with sourceNat " +
+                            "service disabled are allowed in security group enabled zone");
+>>>>>>> parent of d7201df... CLOUDSTACK-737
                 }
             }
 
diff --git a/server/src/com/cloud/resource/ResourceManagerImpl.java b/server/src/com/cloud/resource/ResourceManagerImpl.java
index 55e377d7906..82013d4380d 100755
--- a/server/src/com/cloud/resource/ResourceManagerImpl.java
+++ b/server/src/com/cloud/resource/ResourceManagerImpl.java
@@ -427,12 +427,6 @@ public class ResourceManagerImpl extends ManagerBase implements ResourceManager,
 					+ cmd.getHypervisor() + " to a supported ");
         }
 
-        if (zone.isSecurityGroupEnabled()) {
-            if( hypervisorType != HypervisorType.KVM && hypervisorType != HypervisorType.XenServer ) {
-                throw new InvalidParameterValueException("Don't support hypervisor type " + hypervisorType + " in advanced security enabled zone");
-            }
-        }
-
         Cluster.ClusterType clusterType = null;
         if (cmd.getClusterType() != null && !cmd.getClusterType().isEmpty()) {
             clusterType = Cluster.ClusterType.valueOf(cmd.getClusterType());
diff --git a/ui/scripts/zoneWizard.js b/ui/scripts/zoneWizard.js
index 141cd6dd24a..26838a173c3 100755
--- a/ui/scripts/zoneWizard.js
+++ b/ui/scripts/zoneWizard.js
@@ -373,6 +373,7 @@
 									var nonSupportedHypervisors = {};									
 									if(args.context.zones[0]['network-model']	== "Advanced" && args.context.zones[0]['zone-advanced-sg-enabled'] ==	"on") {
 									  firstOption = "KVM";
+										nonSupportedHypervisors["XenServer"] = 1;  //to developers: comment this line if you need to test Advanced SG-enabled zone with XenServer hypervisor
 										nonSupportedHypervisors["VMware"] = 1;
 										nonSupportedHypervisors["BareMetal"] = 1;
 										nonSupportedHypervisors["Ovm"] = 1;