diff --git a/api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java b/api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java
old mode 100644
new mode 100755
index d1e23b2dc5a..c51dc8566ce
--- a/api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java
+++ b/api/src/com/cloud/agent/api/SecStorageFirewallCfgCommand.java
@@ -52,16 +52,24 @@ public class SecStorageFirewallCfgCommand extends Command { } private List portConfigs = new ArrayList(); + private boolean isAppendAIp = false; + public SecStorageFirewallCfgCommand() { - + } + + public SecStorageFirewallCfgCommand(boolean isAppend) { + this.isAppendAIp = isAppend; + } + + public boolean getIsAppendAIp() { + return isAppendAIp; } public void addPortConfig(String sourceIp, String port, boolean add, String intf) { PortConfig pc = new PortConfig(sourceIp, port, add, intf); this.portConfigs.add(pc); - } @Override
diff --git a/console-proxy/scripts/ipfirewall.sh b/console-proxy/scripts/ipfirewall.sh
index b7e545a4bd7..2c421951714 100755
--- a/console-proxy/scripts/ipfirewall.sh
+++ b/console-proxy/scripts/ipfirewall.sh
@@ -38,12 +38,17 @@ config_htaccess() { ips(){ echo "allow from $1" >> $HTACCESS + public_ip=`ip addr show eth2|grep "inet "|sed "s/^ *//"|cut -d "/" -f 1|cut -d " " -f 2` + ip route add $1 via $public_ip result=$? return $result } - -config_htaccess +is_append="$1" +shift +if [ $is_append != "true" ]; then + config_htaccess +fi for i in $@ do ips "$i"
diff --git a/core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java b/core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java
index 336dddb362c..57068b18ecd 100755
--- a/core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java
+++ b/core/src/com/cloud/storage/resource/NfsSecondaryStorageResource.java
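Review bot: The new `isAppendAIp` flag carries no documentation, so a reader of `getIsAppendAIp()` cannot tell that `true` asks the receiving SSVM to add the carried addresses to its existing allow list while `false` makes it rebuild the list (by the look of ipfirewall.sh, which skips `config_htaccess` only in the append case). A Javadoc on the new `SecStorageFirewallCfgCommand(boolean isAppend)` constructor such as `/** @param isAppend true to append the carried port configs to the host's existing allow list; false to rebuild the list from this command alone */` pins that contract down at the API boundary where both sides can see it. Since the field is only assigned in the constructor it can be `private final boolean isAppendAIp;` with the no-arg constructor delegating via `this(false);`, and a boolean accessor is more idiomatically named `isAppendAIp()`. The raw `List portConfigs` predates this change and is out of scope here.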
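Review bot: `result=$?` in `ips()` now reports the exit status of the new `ip route add` rather than the .htaccess append, and `ip route add` fails with "File exists" whenever the route is already present — which is every re-run in append mode — so the function returns non-zero even though the allow entry was written; `ip route replace` is idempotent and avoids that. `$1` and `$public_ip` are unquoted, the `ip addr show eth2` pipeline yields one line per address (or an empty string if eth2 has none, leaving `via` with no argument), and the new top-level test `[ $is_append != "true" ]` is a syntax error when the script is invoked without arguments — it should read `if [ "$is_append" != "true" ]; then`. The address arrives from the management server and is written into both the allow list and the routing table, so rejecting anything other than digits and dots before use keeps a malformed value out of both. `ips()` and the argument handling are fully inside the hunk; `config_htaccess` itself is defined outside it.
```shell
ips(){
  # reject anything that is not digits and dots before it reaches .htaccess or the routing table
  case "$1" in
    ""|*[!0-9.]*) return 1 ;;
  esac
  echo "allow from $1" >> $HTACCESS
  public_ip=`ip addr show eth2|grep "inet "|sed "s/^ *//"|cut -d "/" -f 1|cut -d " " -f 2|head -n 1`
  if [ -z "$public_ip" ]; then
    return 1
  fi
  # replace is idempotent; add fails once the route exists
  ip route replace "$1" via "$public_ip"
  # … unchanged: result=$? / return $result …
}
```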
@@ -301,7 +301,7 @@ public class NfsSecondaryStorageResource extends ServerResourceBase implements S } boolean success = true; String result; - result = configureIpFirewall(ipList); + result = configureIpFirewall(ipList, cmd.getIsAppendAIp()); if (result !=null) success = false;
@@ -658,8 +658,9 @@ public class NfsSecondaryStorageResource extends ServerResourceBase implements S return result; } - private String configureIpFirewall(List ipList){ + private String configureIpFirewall(List ipList, boolean isAppend){ Script command = new Script(_configIpFirewallScr); + command.add(String.valueOf(isAppend)); for (String ip : ipList){ command.add(ip); }
diff --git a/server/src/com/cloud/host/dao/HostDao.java b/server/src/com/cloud/host/dao/HostDao.java
index 17f540c0402..c65f7327b52 100755
--- a/server/src/com/cloud/host/dao/HostDao.java
+++ b/server/src/com/cloud/host/dao/HostDao.java
@@ -180,5 +180,5 @@ public interface HostDao extends GenericDao { List listByClusterStatus(long clusterId, Status status); - List listSecondaryStorageVMInUpAndConnecting(long dcId); + List listSecondaryStorageVMInUpAndConnecting(); }
diff --git a/server/src/com/cloud/host/dao/HostDaoImpl.java b/server/src/com/cloud/host/dao/HostDaoImpl.java
index 00a04864e45..603459dd17b 100755
--- a/server/src/com/cloud/host/dao/HostDaoImpl.java
+++ b/server/src/com/cloud/host/dao/HostDaoImpl.java
@@ -803,11 +803,10 @@ public class HostDaoImpl extends GenericDaoBase implements HostDao } @Override - public List listSecondaryStorageVMInUpAndConnecting(long dcId) { + public List listSecondaryStorageVMInUpAndConnecting() { SearchCriteria sc = SecondaryStorageVMSearch.create(); sc.setParameters("type", Type.SecondaryStorageVM); sc.setParameters("status", Status.Up, Status.Connecting); - sc.setParameters("dc", dcId); return listBy(sc); }
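Review bot: `command.add(String.valueOf(isAppend))` in `configureIpFirewall` establishes a positional contract with ipfirewall.sh — the flag has to be the very first argument because the script does `is_append="$1"` and `shift` before looping over the addresses — and nothing in the method says so. A comment on that line, `// must stay the first argument: ipfirewall.sh reads it as $1 and shifts it off before iterating the IPs`, stops a later reorder from being caught only at runtime on the SSVM. `configureIpFirewall` continues past the hunk, and the raw `List ipList` predates this change.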
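Review bot: Dropping `sc.setParameters("dc", dcId)` in `listSecondaryStorageVMInUpAndConnecting` leaves whatever `dc` condition `SecondaryStorageVMSearch` declares (its builder is outside the hunk) without a value; if GenericDaoBase renders a condition whose parameter was never set instead of skipping it, the query now fails or matches nothing, so the `dc` clause should come out of the search builder in the same commit — please confirm which behaviour applies. The method now returns secondary storage VM hosts from every zone, which is the caller's stated intent, so the interface method in HostDao deserves a Javadoc saying so, e.g. `/** Lists every secondary storage VM host that is Up or Connecting, in all zones. */`.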
diff --git a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
index 1485b9cc324..fd7cd4f7af2 100755
--- a/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
+++ b/server/src/com/cloud/storage/secondary/SecondaryStorageManagerImpl.java
@@ -363,12 +363,21 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V } @Override + /** + * two things: + * 1. generate a IP list of all SSVM across all zones, set this IP list to my .htaccess allowable from. + * so other SSVMs get privilege to access me. + * 2. broadcast my IP to other SSVMs instructing them set me to theirs .htacess allowable from. so I get + * privilege to access others + * + * NOTE: given in basic zone the public IP is in same subnet with private IP, we set both of them to .htaccess + * because traffic may go through either public IP or private IP, for the default route in SSVM is gateway. + */ public boolean generateFirewallConfiguration(Long ssAHostId) { if ( ssAHostId == null ) { return true; } HostVO ssAHost = _hostDao.findById(ssAHostId); - Long zoneId = ssAHost.getDataCenterId(); SecondaryStorageVmVO thisSecStorageVm = _secStorageVmDao.findByInstanceName(ssAHost.getName()); if (thisSecStorageVm == null) {
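Review bot: The new doc comment sits between `@Override` and the `generateFirewallConfiguration` signature, where javadoc does not attach it to the method (a doc comment must precede the declaration's annotations and modifiers); move the `/** ... */` block above `@Override`. Its wording also needs a pass: "a IP list" → "an IP list", ".htacess" → ".htaccess", and "instructing them set me to theirs .htacess allowable from" → "instructing them to add me to their .htaccess allow list". The NOTE states that both the public and the private IP are written to .htaccess, but the following hunks only pass `thisSecStorageVm.getPublicIpAddress()` to `addPortConfig`; if the private address is added elsewhere the comment should say where, otherwise it overstates what is configured. The method body continues in the next hunks.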
@@ -377,12 +386,14 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V } String copyPort = _useSSlCopy? "443" : Integer.toString(TemplateConstants.DEFAULT_TMPLT_COPY_PORT); - SecStorageFirewallCfgCommand cpc = new SecStorageFirewallCfgCommand(); - SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand(); + SecStorageFirewallCfgCommand thiscpc = new SecStorageFirewallCfgCommand(true); thiscpc.addPortConfig(thisSecStorageVm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF); - List ssvms = _hostDao.listSecondaryStorageVMInUpAndConnecting(zoneId); + List ssvms = _hostDao.listSecondaryStorageVMInUpAndConnecting(); for (HostVO ssvm : ssvms) { + if (ssvm.getId() == ssAHostId) { + continue; + } Answer answer = _agentMgr.easySend(ssvm.getId(), thiscpc); if (answer != null && answer.getResult()) { if (s_logger.isDebugEnabled()) {
@@ -395,7 +406,14 @@ public class SecondaryStorageManagerImpl implements SecondaryStorageVmManager, V } } - Answer answer = _agentMgr.easySend(ssAHostId, cpc); + SecStorageFirewallCfgCommand allSSVMIpList = new SecStorageFirewallCfgCommand(false); + for (HostVO ssvm : ssvms) { + if (ssvm.getId() == ssAHostId) { + continue; + } + allSSVMIpList.addPortConfig(ssvm.getPublicIpAddress(), copyPort, true, TemplateConstants.DEFAULT_TMPLT_COPY_INTF); + } + Answer answer = _agentMgr.easySend(ssAHostId, allSSVMIpList); if (answer != null && answer.getResult()) { if (s_logger.isDebugEnabled()) { s_logger.debug("Successfully programmed firewall rules into " + thisSecStorageVm.getHostName());
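Review bot: The broadcast built as `new SecStorageFirewallCfgCommand(true)` only ever adds — ipfirewall.sh skips `config_htaccess` in append mode — so when this SSVM is later destroyed its public IP stays in every peer's .htaccess, and in the route the script installs, until that peer itself runs the non-append path; nothing in this hunk retracts it. A comment on the `thiscpc` line such as `// append-only: peers never drop this address; it is pruned only when they regenerate their own list with isAppend=false` makes that lifecycle explicit, and a retract on SSVM shutdown would close it. `ssvm.getId() == ssAHostId` compares a primitive with a `Long` and is only safe because `ssAHostId` is known non-null from the guard in the previous hunk; if `HostVO.getId()` ever returns `Long` this silently becomes a reference comparison, so `ssvm.getId() == ssAHostId.longValue()` is the explicit form. The same skip is repeated in the following hunk and could be one small predicate. The method continues beyond this hunk.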