diff --git a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
index eade195620e..d0ca59ca39c 100644
--- a/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
+++ b/core/src/com/cloud/hypervisor/xen/resource/CitrixResourceBase.java
@@ -1092,13 +1092,23 @@ public abstract class CitrixResourceBase implements ServerResource, HypervisorRe
 if (_canBridgeFirewall) {
 String result = null;
 if (vmSpec.getType() != VirtualMachine.Type.User) {
- result = callHostPlugin(conn, "vmops", "default_network_rules_systemvm", "vmName", vmName);
-
- if (result == null || result.isEmpty() || !Boolean.parseBoolean(result)) {
- s_logger.warn("Failed to program default network rules for " + vmName);
- } else {
- s_logger.info("Programmed default network rules for " + vmName);
+ NicTO[] nics = vmSpec.getNics();
+ boolean secGrpEnabled = false;
+ for (NicTO nic : nics) {
+ if (nic.getIsolationUri() != null && nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString())) {
+ secGrpEnabled = true;
+ break;
+ }
 }
+ if (secGrpEnabled) {
+ result = callHostPlugin(conn, "vmops", "default_network_rules_systemvm", "vmName", vmName);
+ if (result == null || result.isEmpty() || !Boolean.parseBoolean(result)) {
+ s_logger.warn("Failed to program default network rules for " + vmName);
+ } else {
+ s_logger.info("Programmed default network rules for " + vmName);
+ }
+ }
+
 } else {
 //For user vm, program the rules for each nic if the isolation uri scheme is ec2
 NicTO[] nics = vmSpec.getNics();
diff --git a/patches/systemvm/debian/config/root/loadbalancer.sh b/patches/systemvm/debian/config/root/loadbalancer.sh
index 4a7d2c7cd48..adbd764ea8d 100755
--- a/patches/systemvm/debian/config/root/loadbalancer.sh
+++ b/patches/systemvm/debian/config/root/loadbalancer.sh
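Review bot: In the CitrixResourceBase.java hunk, the new loop's `nic.getIsolationUri().getScheme().equalsIgnoreCase(IsolationType.Ec2.toString())` guards the URI against null but not its scheme. If getIsolationUri() returns a java.net.URI (its type is not visible here), getScheme() is null for a scheme-less URI and starting the system VM would throw before any rule is programmed. Putting the constant first avoids that: `IsolationType.Ec2.toString().equalsIgnoreCase(nic.getIsolationUri().getScheme())`. When no nic is Ec2-isolated the default rules are now skipped without any log entry even though `_canBridgeFirewall` is true, so a line such as `s_logger.debug("Skipping default network rules for " + vmName + ", no security-group nic");` would make that decision auditable. The enclosing method starts and ends outside the hunk.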
@@ -164,8 +164,9 @@ iflag= aflag= dflag= fflag= +sflag= -while getopts 'i:a:d:f:' OPTION +while getopts 'i:a:d:f:s:' OPTION do case $OPTION in i) iflag=1 @@ -180,6 +181,8 @@ do f) fflag=1 cfgfile="$OPTARG" ;; + + s) sflag=1;; ?) usage exit 2 ;; diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java index 3bb0b11afdb..83bb612e6df 100755 --- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java +++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java @@ -391,7 +391,6 @@ public class LoadBalancingRulesManagerImpl implements LoadBalancingRulesManager, IPAddressVO ipAddr = _ipAddressDao.findById(lb.getSourceIpAddressId()); Long networkId = ipAddr.getSourceNetworkId(); - NetworkVO network = _networkDao.findById(networkId); // make sure ip address exists if (ipAddr == null || !ipAddr.readyToUse()) { throw new InvalidParameterValueException("Unable to create load balancer rule, invalid IP address id" + ipId); @@ -405,6 +404,7 @@ public class LoadBalancingRulesManagerImpl implements LoadBalancingRulesManager, throw new InvalidParameterValueException("Unable to create load balancer rule ; ip id=" + ipId + " is not associated with any network"); } + NetworkVO network = _networkDao.findById(networkId); _accountMgr.checkAccess(caller.getCaller(), ipAddr);
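Review bot: In loadbalancer.sh, `getopts 'i:a:d:f:s:'` declares `-s` as taking an argument, but the new `s) sflag=1;;` branch never reads `$OPTARG`, so whatever value the caller passes is discarded. If `-s` is meant as a plain switch, the optstring should be `'i:a:d:f:s'`; otherwise the value should be stored the way the `f)` branch does with `cfgfile="$OPTARG"`. Neither loadbalancer.sh hunk shows `sflag` being consumed or the `usage` text being extended for the new option; both may happen outside the visible lines.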
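Review bot: In the first LoadBalancingRulesManagerImpl.java hunk, `Long networkId = ipAddr.getSourceNetworkId();` still dereferences `ipAddr` ahead of the `if (ipAddr == null || !ipAddr.readyToUse())` check, so an unknown IP id produces a NullPointerException instead of the intended InvalidParameterValueException and the null branch of that check can never be taken. The commit moves the `_networkDao.findById(networkId)` lookup below the validation; the `getSourceNetworkId()` call should move with it, placed directly after the closing brace of the null/ready check. The result of `_networkDao.findById(networkId)` is not visibly null-checked either, though that may be handled further down. The enclosing method starts and ends outside the hunk.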