diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/config/CloudStackComputeServiceContextModule.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/config/CloudStackComputeServiceContextModule.java
index 18964f9e73..e774d04754 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/config/CloudStackComputeServiceContextModule.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/config/CloudStackComputeServiceContextModule.java
@@ -41,6 +41,7 @@ import org.jclouds.cloudstack.compute.strategy.AdvancedNetworkOptionsConverter;
 import org.jclouds.cloudstack.compute.strategy.BasicNetworkOptionsConverter;
 import org.jclouds.cloudstack.compute.strategy.CloudStackComputeServiceAdapter;
 import org.jclouds.cloudstack.compute.strategy.OptionsConverter;
+import org.jclouds.cloudstack.domain.FirewallRule;
 import org.jclouds.cloudstack.domain.IPForwardingRule;
 import org.jclouds.cloudstack.domain.Network;
 import org.jclouds.cloudstack.domain.NetworkType;
@@ -53,6 +54,7 @@ import org.jclouds.cloudstack.domain.Zone;
 import org.jclouds.cloudstack.features.GuestOSClient;
 import org.jclouds.cloudstack.functions.StaticNATVirtualMachineInNetwork;
 import org.jclouds.cloudstack.functions.ZoneIdToZone;
+import org.jclouds.cloudstack.options.ListFirewallRulesOptions;
 import org.jclouds.cloudstack.predicates.JobComplete;
 import org.jclouds.cloudstack.suppliers.GetCurrentUser;
 import org.jclouds.cloudstack.suppliers.NetworksForCurrentUser;
@@ -108,6 +110,8 @@ public class CloudStackComputeServiceContextModule extends
       install(new FactoryModuleBuilder().build(StaticNATVirtualMachineInNetwork.Factory.class));
       bind(new TypeLiteral<CacheLoader<String, Set<IPForwardingRule>>>() {
       }).to(GetIPForwardingRulesByVirtualMachine.class);
+      bind(new TypeLiteral<CacheLoader<String, Set<FirewallRule>>>() {
+      }).to(GetFirewallRulesByVirtualMachine.class);
       bind(new TypeLiteral<CacheLoader<String, Zone>>() {
       }).to(ZoneIdToZone.class);
       bind(new TypeLiteral<Supplier<LoadingCache<String, Zone>>>() {
@@ -204,6 +208,34 @@ public class CloudStackComputeServiceContextModule extends
       }
    }
 
+   @Provides
+   @Singleton
+   protected LoadingCache<String, Set<FirewallRule>> getFirewallRulesByVirtualMachine(
+      CacheLoader<String, Set<FirewallRule>> getFirewallRules) {
+      return CacheBuilder.newBuilder().build(getFirewallRules);
+   }
+
+   @Singleton
+   public static class GetFirewallRulesByVirtualMachine extends CacheLoader<String, Set<FirewallRule>> {
+      private final CloudStackClient client;
+
+      @Inject
+      public GetFirewallRulesByVirtualMachine(CloudStackClient client) {
+         this.client = checkNotNull(client, "client");
+      }
+
+      /**
+       * @throws ResourceNotFoundException
+       *            when there is no ip forwarding rule available for the VM
+       */
+      @Override
+      public Set<FirewallRule> load(String input) {
+          String publicIPId = client.getVirtualMachineClient().getVirtualMachine(input).getPublicIPId();
+          Set<FirewallRule> rules = client.getFirewallClient().listFirewallRules(ListFirewallRulesOptions.Builder.ipAddressId(publicIPId));
+         return rules != null ? rules : ImmutableSet.<FirewallRule>of();
+      }
+   }
+
    @Provides
    @Singleton
    public Map<NetworkType, ? extends OptionsConverter> optionsConverters(){
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/functions/VirtualMachineToNodeMetadata.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/functions/VirtualMachineToNodeMetadata.java
index 193f3812bd..59a4418385 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/functions/VirtualMachineToNodeMetadata.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/functions/VirtualMachineToNodeMetadata.java
@@ -134,6 +134,9 @@ public class VirtualMachineToNodeMetadata implements Function<VirtualMachine, No
             publicAddresses.add(from.getIPAddress());
          }
       }
+      if (from.getPublicIP() != null) {
+          publicAddresses.add(from.getPublicIP());
+      }
       for (NIC nic : from.getNICs()) {
          if (nic.getIPAddress() != null) {
             if (isPrivateIPAddress(nic.getIPAddress())) {
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/AdvancedNetworkOptionsConverter.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/AdvancedNetworkOptionsConverter.java
index d34cdc0238..524aeb7f48 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/AdvancedNetworkOptionsConverter.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/AdvancedNetworkOptionsConverter.java
@@ -20,9 +20,11 @@ package org.jclouds.cloudstack.compute.strategy;
 
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Predicates.and;
+import static com.google.common.base.Predicates.not;
 import static com.google.common.collect.Iterables.filter;
 import static org.jclouds.cloudstack.predicates.NetworkPredicates.defaultNetworkInZone;
 import static org.jclouds.cloudstack.predicates.NetworkPredicates.supportsStaticNAT;
+import static org.jclouds.cloudstack.predicates.NetworkPredicates.isIsolatedNetwork;
 
 import java.util.Map;
 
@@ -50,9 +52,12 @@ public class AdvancedNetworkOptionsConverter implements OptionsConverter {
          checkArgument(!networks.isEmpty(), "please setup a network for zone: " + zoneId);
          Network defaultNetworkInZone = Iterables.getFirst(filter(networks.values(), and(defaultNetworkInZone(zoneId), supportsStaticNAT())), null);
          if(defaultNetworkInZone == null) {
-            throw new IllegalArgumentException("please choose a specific network in zone " + zoneId + ": " + networks);
+             defaultNetworkInZone = Iterables.getFirst(filter(networks.values(), isIsolatedNetwork()), null);
+         }
+         if (defaultNetworkInZone == null) {
+             throw new IllegalArgumentException("please choose a specific network in zone " + zoneId + ": " + networks);
          } else {
-            options.networkId(defaultNetworkInZone.getId());
+             options.networkId(defaultNetworkInZone.getId());
          }
       }
       return options;
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/CloudStackComputeServiceAdapter.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/CloudStackComputeServiceAdapter.java
index 012d630034..bc0313e240 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/CloudStackComputeServiceAdapter.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/compute/strategy/CloudStackComputeServiceAdapter.java
@@ -40,6 +40,8 @@ import javax.inject.Singleton;
 import org.jclouds.cloudstack.CloudStackClient;
 import org.jclouds.cloudstack.compute.options.CloudStackTemplateOptions;
 import org.jclouds.cloudstack.domain.AsyncCreateResponse;
+import org.jclouds.cloudstack.domain.Capabilities;
+import org.jclouds.cloudstack.domain.FirewallRule;
 import org.jclouds.cloudstack.domain.IPForwardingRule;
 import org.jclouds.cloudstack.domain.Network;
 import org.jclouds.cloudstack.domain.NetworkType;
@@ -48,10 +50,12 @@ import org.jclouds.cloudstack.domain.ServiceOffering;
 import org.jclouds.cloudstack.domain.Template;
 import org.jclouds.cloudstack.domain.VirtualMachine;
 import org.jclouds.cloudstack.domain.Zone;
+import org.jclouds.cloudstack.functions.CreateFirewallRulesForIP;
 import org.jclouds.cloudstack.functions.CreatePortForwardingRulesForIP;
 import org.jclouds.cloudstack.functions.StaticNATVirtualMachineInNetwork;
 import org.jclouds.cloudstack.functions.StaticNATVirtualMachineInNetwork.Factory;
 import org.jclouds.cloudstack.options.DeployVirtualMachineOptions;
+import org.jclouds.cloudstack.options.ListFirewallRulesOptions;
 import org.jclouds.cloudstack.strategy.BlockUntilJobCompletesAndReturnResult;
 import org.jclouds.collect.Memoized;
 import org.jclouds.compute.ComputeService;
@@ -89,6 +93,7 @@ public class CloudStackComputeServiceAdapter implements
    private final BlockUntilJobCompletesAndReturnResult blockUntilJobCompletesAndReturnResult;
    private final Factory staticNATVMInNetwork;
    private final CreatePortForwardingRulesForIP setupPortForwardingRulesForIP;
+   private final CreateFirewallRulesForIP setupFirewallRulesForIP;
    private final LoadingCache<String, Set<IPForwardingRule>> vmToRules;
    private final Map<String, Credentials> credentialStore;
    private final Map<NetworkType, ? extends OptionsConverter> optionsConverters;
@@ -99,7 +104,9 @@ public class CloudStackComputeServiceAdapter implements
          @Memoized Supplier<Map<String, Network>> networkSupplier,
          BlockUntilJobCompletesAndReturnResult blockUntilJobCompletesAndReturnResult,
          StaticNATVirtualMachineInNetwork.Factory staticNATVMInNetwork,
-         CreatePortForwardingRulesForIP setupPortForwardingRulesForIP, LoadingCache<String, Set<IPForwardingRule>> vmToRules,
+         CreatePortForwardingRulesForIP setupPortForwardingRulesForIP,
+                                          CreateFirewallRulesForIP setupFirewallRulesForIP,
+                                          LoadingCache<String, Set<IPForwardingRule>> vmToRules,
          Map<String, Credentials> credentialStore, Map<NetworkType, ? extends OptionsConverter> optionsConverters,
          Supplier<LoadingCache<String, Zone>> zoneIdToZone) {
       this.client = checkNotNull(client, "client");
@@ -109,6 +116,7 @@ public class CloudStackComputeServiceAdapter implements
             "blockUntilJobCompletesAndReturnResult");
       this.staticNATVMInNetwork = checkNotNull(staticNATVMInNetwork, "staticNATVMInNetwork");
       this.setupPortForwardingRulesForIP = checkNotNull(setupPortForwardingRulesForIP, "setupPortForwardingRulesForIP");
+      this.setupFirewallRulesForIP = checkNotNull(setupFirewallRulesForIP, "setupFirewallRulesForIP");
       this.vmToRules = checkNotNull(vmToRules, "vmToRules");
       this.credentialStore = checkNotNull(credentialStore, "credentialStore");
       this.optionsConverters = optionsConverters;
@@ -166,6 +174,7 @@ public class CloudStackComputeServiceAdapter implements
       AsyncCreateResponse job = client.getVirtualMachineClient().deployVirtualMachineInZone(zoneId, serviceOfferingId,
             templateId, options);
       VirtualMachine vm = blockUntilJobCompletesAndReturnResult.<VirtualMachine> apply(job);
+      logger.debug("--- virtualmachine: %s", vm);
       LoginCredentials credentials = null;
       if (vm.isPasswordEnabled()) {
          assert vm.getPassword() != null : vm;
@@ -174,15 +183,23 @@ public class CloudStackComputeServiceAdapter implements
          credentials = LoginCredentials.fromCredentials(credentialStore.get("keypair#" + templateOptions.getKeyPair()));
       }
       if (templateOptions.shouldSetupStaticNat()) {
+          Capabilities capabilities = client.getConfigurationClient().listCapabilities();
          // TODO: possibly not all network ids, do we want to do this
          for (String networkId : options.getNetworkIds()) {
             logger.debug(">> creating static NAT for virtualMachine(%s) in network(%s)", vm.getId(), networkId);
             PublicIPAddress ip = staticNATVMInNetwork.create(networks.get(networkId)).apply(vm);
             logger.trace("<< static NATed IPAddress(%s) to virtualMachine(%s)", ip.getId(), vm.getId());
+            vm = client.getVirtualMachineClient().getVirtualMachine(vm.getId());
             List<Integer> ports = Ints.asList(templateOptions.getInboundPorts());
-            logger.debug(">> setting up IP forwarding for IPAddress(%s) rules(%s)", ip.getId(), ports);
-            Set<IPForwardingRule> rules = setupPortForwardingRulesForIP.apply(ip, ports);
-            logger.trace("<< setup %d IP forwarding rules on IPAddress(%s)", rules.size(), ip.getId());
+            if (capabilities.getCloudStackVersion().startsWith("2")) {
+                logger.debug(">> setting up IP forwarding for IPAddress(%s) rules(%s)", ip.getId(), ports);
+                Set<IPForwardingRule> rules = setupPortForwardingRulesForIP.apply(ip, ports);
+                logger.trace("<< setup %d IP forwarding rules on IPAddress(%s)", rules.size(), ip.getId());
+            } else {
+                logger.debug(">> setting up firewall rules for IPAddress(%s) rules(%s)", ip.getId(), ports);
+                Set<FirewallRule> rules = setupFirewallRulesForIP.apply(ip, ports);
+                logger.trace("<< setup %d firewall rules on IPAddress(%s)", rules.size(), ip.getId());
+            }
          }
       }
       return new NodeAndInitialCredentials<VirtualMachine>(vm, vm.getId() + "", credentials);
@@ -241,10 +258,13 @@ public class CloudStackComputeServiceAdapter implements
       // 1) Delete IP forwarding rules associated with IP.
       Set<String> ipAddresses = deleteIPForwardingRulesForVMAndReturnDistinctIPs(virtualMachineId);
 
-      // 2) Disable static nat rule for the IP.
+      // 2) Delete firewall rules associated with IP.
+      ipAddresses.addAll(deleteFirewallRulesForVMAndReturnDistinctIPs(virtualMachineId));
+
+      // 3) Disable static nat rule for the IP.
       disableStaticNATOnIPAddresses(ipAddresses);
 
-      // 3) Only after 1 and 2 release the IP address.
+      // 4) Only after 1 and 2 release the IP address.
       disassociateIPAddresses(ipAddresses);
 
       destroyVirtualMachine(virtualMachineId);
@@ -305,6 +325,26 @@ public class CloudStackComputeServiceAdapter implements
       return ipAddresses;
    }
 
+   public Set<String> deleteFirewallRulesForVMAndReturnDistinctIPs(String virtualMachineId) {
+      // immutable doesn't permit duplicates
+      Set<String> ipAddresses = Sets.newLinkedHashSet();
+
+      String publicIpId = client.getVirtualMachineClient().getVirtualMachine(virtualMachineId).getPublicIPId();
+      if (publicIpId != null) {
+          Set<FirewallRule> firewallRules = client.getFirewallClient()
+              .listFirewallRules(ListFirewallRulesOptions.Builder.ipAddressId(client.getVirtualMachineClient().getVirtualMachine(virtualMachineId).getPublicIPId()));
+          
+          for (FirewallRule rule : firewallRules) {
+              if (!FirewallRule.State.fromValue("DELETING").equals(rule.getState())) {
+                  ipAddresses.add(rule.getIpAddressId());
+                  client.getFirewallClient().deleteFirewallRule(rule.getId());
+                  logger.debug(">> deleting FirewallRule(%s)", rule.getId());
+              }
+          }
+      }
+      return ipAddresses;
+   }
+
    public void awaitCompletion(Iterable<String> jobs) {
       logger.debug(">> awaiting completion of jobs(%s)", jobs);
       for (String job : jobs)
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/FirewallRule.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/FirewallRule.java
index 9c3a188f49..8b94d6796a 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/FirewallRule.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/FirewallRule.java
@@ -55,7 +55,7 @@ public class FirewallRule implements Comparable<FirewallRule> {
                   // Rules in this state can not be sent to network elements.
       ADD,        // Add means the rule has been created and has gone through network rule conflict detection.
       ACTIVE,     // Rule has been sent to the network elements and reported to be active.
-      DELETEING,  // Revoke means this rule has been revoked. If this rule has been sent to the
+      DELETING,   // Revoke means this rule has been revoked. If this rule has been sent to the
                   // network elements, the rule will be deleted from database.
       UNKNOWN;
 
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/GuestIPType.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/GuestIPType.java
index 40a37186f6..60f378f9ce 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/GuestIPType.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/GuestIPType.java
@@ -34,12 +34,19 @@ public enum GuestIPType {
     * network. Dhcp role is played by domain router.
     */
    VIRTUAL,
+
    /**
     * traffic directly to the network and VMs created here are assigned an IP
     * directly from the network as configured
     */
    DIRECT,
 
+   /**
+    * TODO: add comments to explain the meaning (cs3 only)
+    */
+   SHARED,
+   ISOLATED,
+
    UNRECOGNIZED;
 
    @Override
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/PortForwardingRule.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/PortForwardingRule.java
index 7d0daf2dcf..ee7f10c12d 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/PortForwardingRule.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/PortForwardingRule.java
@@ -55,7 +55,7 @@ public class PortForwardingRule implements Comparable<PortForwardingRule> {
                   // Rules in this state can not be sent to network elements.
       ADD,        // Add means the rule has been created and has gone through network rule conflict detection.
       ACTIVE,     // Rule has been sent to the network elements and reported to be active.
-      DELETEING,  // Revoke means this rule has been revoked. If this rule has been sent to the
+      DELETING,  // Revoke means this rule has been revoked. If this rule has been sent to the
                   // network elements, the rule will be deleted from database.
       UNKNOWN;
 
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/Template.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/Template.java
index 2a455212da..52fc1efcf5 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/Template.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/Template.java
@@ -62,6 +62,7 @@ public class Template implements Comparable<Template> {
       // These states are specifically used for extraction of resources out of CS(ironically shown
       // as download template in the UI, API - extractTemplate ). Some of the generic states (like
       // abandoned, unknown) above are used for the extraction tasks as well.
+
       /**
        * the resource has been uploaded
        */
@@ -80,6 +81,9 @@ public class Template implements Comparable<Template> {
       UPLOAD_IN_PROGRESS, UNRECOGNIZED;
 
       public static Status fromValue(String state) {
+         if (state.equals("Download Complete")) {
+            return DOWNLOADED;
+         }
          try {
             return valueOf(checkNotNull(state, "state"));
          } catch (IllegalArgumentException e) {
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/VirtualMachine.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/VirtualMachine.java
index 4a17085b6f..53be570743 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/VirtualMachine.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/domain/VirtualMachine.java
@@ -71,6 +71,8 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
       private Long networkKbsWrite;
       private String password;
       private boolean passwordEnabled;
+      private String publicIP;
+      private String publicIPId;
       private String rootDeviceId;
       private String rootDeviceType;
       private String serviceOfferingId;
@@ -225,6 +227,16 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
          return this;
       }
 
+      public Builder publicIP(String publicIP) {
+         this.publicIP = publicIP;
+         return this;
+      }
+
+      public Builder publicIPId(String publicIPId) {
+         this.publicIPId = publicIPId;
+         return this;
+      }
+
       public Builder rootDeviceId(String rootDeviceId) {
          this.rootDeviceId = rootDeviceId;
          return this;
@@ -294,7 +306,7 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
          return new VirtualMachine(id, account, cpuCount, cpuSpeed, cpuUsed, displayName, created, domain, domainId,
                usesVirtualNetwork, group, groupId, guestOSId, HAEnabled, hostId, hostname, IPAddress, ISODisplayText,
                ISOId, ISOName, jobId, jobStatus, memory, name, networkKbsRead, networkKbsWrite, password,
-               passwordEnabled, rootDeviceId, rootDeviceType, securityGroups, serviceOfferingId, serviceOfferingName,
+                                   passwordEnabled, publicIP, publicIPId, rootDeviceId, rootDeviceType, securityGroups, serviceOfferingId, serviceOfferingName,
                state, templateDisplayText, templateId, templateName, zoneId, zoneName, nics, hypervisor);
       }
    }
@@ -366,6 +378,10 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
    private String password;
    @SerializedName("passwordenabled")
    private boolean passwordEnabled;
+   @SerializedName("publicip")
+   private String publicIP;
+   @SerializedName("publicipid")
+   private String publicIPId;
    @SerializedName("rootdeviceid")
    private String rootDeviceId;
    @SerializedName("rootdevicetype")
@@ -395,7 +411,7 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
          Date created, String domain, String domainId, boolean usesVirtualNetwork, String group, String groupId,
          String guestOSId, boolean hAEnabled, String hostId, String hostname, String iPAddress, String iSODisplayText,
          String iSOId, String iSOName, String jobId, Integer jobStatus, long memory, String name, Long networkKbsRead,
-         Long networkKbsWrite, String password, boolean passwordEnabled, String rootDeviceId, String rootDeviceType,
+                         Long networkKbsWrite, String password, boolean passwordEnabled, String publicIP, String publicIPId, String rootDeviceId, String rootDeviceType,
          Set<SecurityGroup> securityGroups, String serviceOfferingId, String serviceOfferingName, State state,
          String templateDisplayText, String templateId, String templateName, String zoneId, String zoneName, Set<NIC> nics,
          String hypervisor) {
@@ -428,6 +444,8 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
       this.networkKbsWrite = networkKbsWrite;
       this.password = password;
       this.passwordEnabled = passwordEnabled;
+      this.publicIP = publicIP;
+      this.publicIPId = publicIPId;
       this.rootDeviceId = rootDeviceId;
       this.rootDeviceType = rootDeviceType;
       this.securityGroups = ImmutableSet.copyOf(checkNotNull(securityGroups, "securityGroups"));
@@ -659,6 +677,20 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
       return passwordEnabled;
    }
 
+   /**
+    * @return public IP of this virtual machine
+    */
+   public String getPublicIP() {
+      return publicIP;
+   }
+
+   /**
+    * @return ID of the public IP of this virtual machine
+    */
+   public String getPublicIPId() {
+      return publicIPId;
+   }
+
    /**
     * @return device ID of the root volume
     */
@@ -786,6 +818,8 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
       if (!Objects.equal(networkKbsWrite, that.networkKbsWrite)) return false;
       if (!Objects.equal(password, that.password)) return false;
       if (!Objects.equal(passwordEnabled, that.passwordEnabled)) return false;
+      if (!Objects.equal(publicIP, that.publicIP)) return false;
+      if (!Objects.equal(publicIPId, that.publicIPId)) return false;
       if (!Objects.equal(rootDeviceId, that.rootDeviceId)) return false;
       if (!Objects.equal(rootDeviceType, that.rootDeviceType)) return false;
       if (!Objects.equal(securityGroups, that.securityGroups)) return false;
@@ -809,7 +843,7 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
                                domain, domainId, usesVirtualNetwork, group, groupId, guestOSId,
                                HAEnabled, hostId, hostname, IPAddress, ISODisplayText, ISOId,
                                ISOName, jobId, jobStatus, memory, name, networkKbsRead,
-                               networkKbsWrite, password, passwordEnabled, rootDeviceId,
+                               networkKbsWrite, password, passwordEnabled, publicIP, publicIPId, rootDeviceId,
                                rootDeviceType, securityGroups, serviceOfferingId,
                                serviceOfferingName, state, templateDisplayText, templateId,
                                templateName, zoneId, zoneName, nics, hypervisor);
@@ -846,6 +880,8 @@ public class VirtualMachine implements Comparable<VirtualMachine> {
             ", networkKbsWrite=" + networkKbsWrite +
             ", password='" + password + '\'' +
             ", passwordEnabled=" + passwordEnabled +
+            ", publicIP='" + publicIP + '\'' +
+            ", publicIPId='" + publicIPId + '\'' +
             ", rootDeviceId=" + rootDeviceId +
             ", rootDeviceType='" + rootDeviceType + '\'' +
             ", serviceOfferingId=" + serviceOfferingId +
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/features/FirewallAsyncClient.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/features/FirewallAsyncClient.java
index 8adf8ebc7e..c560b5395b 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/features/FirewallAsyncClient.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/features/FirewallAsyncClient.java
@@ -87,6 +87,19 @@ public interface FirewallAsyncClient {
    ListenableFuture<AsyncCreateResponse> createFirewallRuleForIpAndProtocol(@QueryParam("ipaddressid") String ipAddressId,
          @QueryParam("protocol") FirewallRule.Protocol protocol, CreateFirewallRuleOptions... options);
 
+   /**
+    * @see FirewallClient#createFirewallRuleForIpProtocolAndPort
+    */
+   @GET
+   @QueryParams(keys = "command", values = "createFirewallRule")
+   @Unwrap
+   @Consumes(MediaType.APPLICATION_JSON)
+   ListenableFuture<AsyncCreateResponse> createFirewallRuleForIpProtocolAndPort(@QueryParam("ipaddressid") String ipAddressId,
+                                                                            @QueryParam("protocol") FirewallRule.Protocol protocol,
+                                                                            @QueryParam("startPort") int startPort,
+                                                                                @QueryParam("endPort") int endPort);
+                                                                            
+
    /**
     * @see FirewallClient#deleteFirewallRule
     */
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/features/FirewallClient.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/features/FirewallClient.java
index bc2448de77..e1d25031e8 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/features/FirewallClient.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/features/FirewallClient.java
@@ -74,6 +74,13 @@ public interface FirewallClient {
    AsyncCreateResponse createFirewallRuleForIpAndProtocol(String ipAddressId,
          FirewallRule.Protocol protocol, CreateFirewallRuleOptions... options);
 
+    
+    AsyncCreateResponse createFirewallRuleForIpProtocolAndPort(String ipAddressId,
+                                                           FirewallRule.Protocol protocol,
+                                                           int startPort,
+                                                               int endPort);
+
+
    /**
     * Deletes a firewall rule
     *
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/functions/CreateFirewallRulesForIP.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/functions/CreateFirewallRulesForIP.java
new file mode 100644
index 0000000000..913f7cfa11
--- /dev/null
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/functions/CreateFirewallRulesForIP.java
@@ -0,0 +1,96 @@
+/**
+ * Licensed to jclouds, Inc. (jclouds) under one or more
+ * contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  jclouds licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jclouds.cloudstack.functions;
+
+import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.base.Preconditions.checkState;
+
+import java.util.Set;
+
+import javax.annotation.Resource;
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import org.jclouds.cloudstack.CloudStackClient;
+import org.jclouds.cloudstack.domain.AsyncCreateResponse;
+import org.jclouds.cloudstack.domain.FirewallRule;
+import org.jclouds.cloudstack.domain.PublicIPAddress;
+import org.jclouds.cloudstack.options.CreateFirewallRuleOptions;
+import org.jclouds.cloudstack.strategy.BlockUntilJobCompletesAndReturnResult;
+import org.jclouds.compute.reference.ComputeServiceConstants;
+import org.jclouds.logging.Logger;
+
+import com.google.common.cache.LoadingCache;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
+import com.google.common.collect.ImmutableSet.Builder;
+
+/**
+ * 
+ * @author Adrian Cole
+ */
+@Singleton
+public class CreateFirewallRulesForIP {
+
+   @Resource
+   @Named(ComputeServiceConstants.COMPUTE_LOGGER)
+   protected Logger logger = Logger.NULL;
+
+   private final CloudStackClient client;
+   private final BlockUntilJobCompletesAndReturnResult blockUntilJobCompletesAndReturnResult;
+   private final LoadingCache<String, Set<FirewallRule>> getFirewallRulesByVirtualMachine;
+
+   @Inject
+   public CreateFirewallRulesForIP(CloudStackClient client,
+         BlockUntilJobCompletesAndReturnResult blockUntilJobCompletesAndReturnResult,
+         LoadingCache<String, Set<FirewallRule>> getFirewallRulesByVirtualMachine) {
+      this.client = checkNotNull(client, "client");
+      this.blockUntilJobCompletesAndReturnResult = checkNotNull(blockUntilJobCompletesAndReturnResult,
+            "blockUntilJobCompletesAndReturnResult");
+      this.getFirewallRulesByVirtualMachine = checkNotNull(getFirewallRulesByVirtualMachine,
+            "getFirewallRulesByVirtualMachine");
+   }
+
+   public Set<FirewallRule> apply(PublicIPAddress ip, Iterable<Integer> ports) {
+      return apply(ip, "tcp", ports);
+   }
+    
+   public Set<FirewallRule> apply(PublicIPAddress ip, String protocol, Iterable<Integer> ports) {
+      checkState(ip.getVirtualMachineId() != null,
+            "ip %s should be static NATed to a virtual machine before applying rules", ip);
+      if (Iterables.size(ports) == 0)
+         return ImmutableSet.<FirewallRule> of();
+      Builder<AsyncCreateResponse> responses = ImmutableSet.builder();
+      for (int port : ports) {
+          AsyncCreateResponse response = client.getFirewallClient().createFirewallRuleForIpAndProtocol(ip.getId(), FirewallRule.Protocol.fromValue(protocol),
+                                                                                                       CreateFirewallRuleOptions.Builder.startPort(port).endPort(port));
+         logger.debug(">> creating firewall rule IPAddress(%s) for protocol(%s), port(%s); response(%s)",
+               ip.getId(), protocol, port, response);
+         responses.add(response);
+      }
+      Builder<FirewallRule> rules = ImmutableSet.builder();
+      for (AsyncCreateResponse response : responses.build()) {
+         FirewallRule rule = blockUntilJobCompletesAndReturnResult.<FirewallRule> apply(response);
+         rules.add(rule);
+         getFirewallRulesByVirtualMachine.asMap().put(ip.getVirtualMachineId(), ImmutableSet.of(rule));
+      }
+      return rules.build();
+   }
+}
\ No newline at end of file
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/handlers/CloudStackErrorHandler.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/handlers/CloudStackErrorHandler.java
index d9cfcd64b5..7c051ec7af 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/handlers/CloudStackErrorHandler.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/handlers/CloudStackErrorHandler.java
@@ -71,8 +71,7 @@ public class CloudStackErrorHandler implements HttpErrorHandler {
             break;
          case 409:
          case 431:
-            if (command.getCurrentRequest().getRequestLine().indexOf("delete") != -1
-                  && message.indexOf("does not exist") != -1) {
+            if (message.contains("does not exist")) {
                exception = new ResourceNotFoundException(message, exception);
             } else {
                exception = new IllegalStateException(message, exception);
diff --git a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/predicates/NetworkPredicates.java b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/predicates/NetworkPredicates.java
index c1d1c06668..1241e4f890 100644
--- a/apis/cloudstack/src/main/java/org/jclouds/cloudstack/predicates/NetworkPredicates.java
+++ b/apis/cloudstack/src/main/java/org/jclouds/cloudstack/predicates/NetworkPredicates.java
@@ -92,7 +92,38 @@ public class NetworkPredicates {
          return isVirtualNetwork.toString();
       }
    }
+    
+   public static enum IsSharedNetwork implements Predicate<Network> {
+      INSTANCE;
 
+      @Override
+      public boolean apply(Network arg0) {
+         boolean network = isSharedNetwork.apply(checkNotNull(arg0, "network").getGuestIPType());
+         return network;
+      }
+
+      @Override
+      public String toString() {
+         return isSharedNetwork.toString();
+      }
+   }
+
+   public static enum IsIsolatedNetwork implements Predicate<Network> {
+      INSTANCE;
+
+      @Override
+      public boolean apply(Network arg0) {
+         boolean network = isIsolatedNetwork.apply(checkNotNull(arg0, "network").getGuestIPType());
+         return network;
+      }
+
+      @Override
+      public String toString() {
+         return isIsolatedNetwork.toString();
+      }
+   }
+
+    
    private static class DefaultNetworkInZone implements Predicate<Network> {
       private final String zoneId;
 
@@ -170,6 +201,10 @@ public class NetworkPredicates {
 
    public static Predicate<GuestIPType> isVirtualNetwork = new GuestIPTypeIs(GuestIPType.VIRTUAL);
 
+   public static Predicate<GuestIPType> isIsolatedNetwork = new GuestIPTypeIs(GuestIPType.ISOLATED);
+
+   public static Predicate<GuestIPType> isSharedNetwork = new GuestIPTypeIs(GuestIPType.SHARED);
+
    /**
     * 
     * @return true, if the network supports static NAT.
@@ -202,6 +237,22 @@ public class NetworkPredicates {
       return IsVirtualNetwork.INSTANCE;
    }
 
+   /**
+    *
+    * @return true, if the network is an isolated network.
+    */
+   public static Predicate<Network> isIsolatedNetwork() {
+      return IsIsolatedNetwork.INSTANCE;
+   }
+
+   /**
+    *
+    * @return true, if the network is a shared network.
+    */
+   public static Predicate<Network> isSharedNetwork() {
+      return IsSharedNetwork.INSTANCE;
+   }
+
    /**
     * Filters for default networks in a specific zone.
     *
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/AccountClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/AccountClientLiveTest.java
index 5bf6d2d3c4..3e1ea3009e 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/AccountClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/AccountClientLiveTest.java
@@ -32,6 +32,7 @@ import org.testng.annotations.Test;
 @Test(groups = "live", singleThreaded = true, testName = "AccountClientLiveTest")
 public class AccountClientLiveTest extends BaseCloudStackClientLiveTest {
 
+   @Test
    public void testListAccounts() throws Exception {
       for (Account securityAccount : client.getAccountClient().listAccounts())
          checkAccount(securityAccount);
@@ -49,14 +50,12 @@ public class AccountClientLiveTest extends BaseCloudStackClientLiveTest {
          assert user.getName() != null : user;
          assert user.getAccountType().equals(account.getType()) : user;
          assert user.getDomain().equals(account.getDomain()) : user;
-         assert user.getDomainId() == account.getDomainId() : user;
-         assert user.getApiKey() != null : user;
+         assert user.getDomainId().equals(account.getDomainId()) : user;
          assert user.getCreated() != null : user;
          assert user.getEmail() != null : user;
          assert user.getLastName() != null : user;
          assert user.getFirstName() != null : user;
          assert user.getId() != null : user;
-         assert user.getSecretKey() != null : user;
          assert user.getState() != null : user;
       }
       assert account.getIPsAvailable() == null || account.getIPsAvailable() >= 0 : account;
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/BaseCloudStackClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/BaseCloudStackClientLiveTest.java
index d153c0719d..16218b0617 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/BaseCloudStackClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/BaseCloudStackClientLiveTest.java
@@ -57,6 +57,7 @@ import org.jclouds.predicates.RetryablePredicate;
 import org.jclouds.rest.RestContext;
 import org.jclouds.ssh.SshClient;
 import org.jclouds.sshj.config.SshjSshClientModule;
+import org.testng.SkipException;
 import org.testng.annotations.AfterGroups;
 import org.testng.annotations.BeforeGroups;
 
@@ -270,6 +271,18 @@ public class BaseCloudStackClientLiveTest extends BaseGenericComputeServiceConte
       return currentUser;
    }
 
+   protected void skipIfNotDomainAdmin() {
+      if (!domainAdminEnabled) {
+         throw new SkipException("Test cannot run without domain admin identity and credentials");
+      }
+   }
+
+   protected void skipIfNotGlobalAdmin() {
+      if (!globalAdminEnabled) {
+         throw new SkipException("Test cannot run without global admin identity and credentials");
+      }
+   }
+
    @AfterGroups(groups = "live")
    protected void tearDown() {
       if (cloudStackContext != null)
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainAccountClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainAccountClientLiveTest.java
index 81b954ddf9..7d433392a2 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainAccountClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainAccountClientLiveTest.java
@@ -38,7 +38,7 @@ public class DomainAccountClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testEnableDisableAccount() {
-      assert globalAdminEnabled;
+      skipIfNotGlobalAdmin();
 
       Account testAccount = null;
       try {
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainDomainClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainDomainClientLiveTest.java
index 0d84f24764..cb3ca3681c 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainDomainClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainDomainClientLiveTest.java
@@ -18,9 +18,16 @@
  */
 package org.jclouds.cloudstack.features;
 
+import com.google.common.base.Function;
+import com.google.common.collect.Iterables;
 import static com.google.common.collect.Iterables.find;
+import com.google.common.collect.Sets;
+import static com.google.common.collect.Sets.newHashSet;
+import java.util.NoSuchElementException;
+import static org.jclouds.cloudstack.options.ListDomainChildrenOptions.Builder.name;
 import static org.jclouds.cloudstack.options.ListDomainChildrenOptions.Builder.parentDomainId;
 import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertNotNull;
 import static org.testng.Assert.assertNull;
 import static org.testng.Assert.assertTrue;
 
@@ -43,55 +50,56 @@ public class DomainDomainClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testListDomains() {
-      assert domainAdminEnabled;
+      skipIfNotDomainAdmin();
 
-      Set<Domain> allDomains = domainAdminClient.getDomainClient().listDomains();
-
-      Domain root = find(allDomains, withName("ROOT"));
-      assertEquals(root, domainAdminClient.getDomainClient().getDomainById(root.getId()));
-      assertEquals(root.getLevel(), 0);
-      assertEquals(root.getParentDomainId(), 0);
-      assertNull(root.getParentDomainName());
-      if (allDomains.size() > 1) {
-         assertTrue(root.hasChild());
+      Set<Domain> domains = domainAdminClient.getDomainClient().listDomains();
+      for (Domain candidate : domains) {
+         checkDomain(candidate);
       }
+   }
 
-      for (Domain domain : allDomains) {
-         checkDomain(domain, allDomains);
+   private void checkDomain(Domain domain) {
+      assertNotNull(domain.getId());
+      if (domain.getLevel() == 0 /* global ROOT */) {
+         assertNull(domain.getParentDomainName());
+         assertNull(domain.getParentDomainId());
+      } else {
+         assertNotNull(domain.getParentDomainName());
+         assertNotNull(domain.getParentDomainId());
       }
    }
 
    @Test
    public void testListDomainChildren() {
-      assert domainAdminEnabled;
+      skipIfNotDomainAdmin();
 
-      Set<Domain> allDomains = domainAdminClient.getDomainClient().listDomains();
-      Domain root = find(allDomains, withName("ROOT"));
+      Set<Domain> domains = domainAdminClient.getDomainClient().listDomains();
+      Domain root = findRootOfVisibleTree(domains);
+      if (domains.size() > 1) {
+         assertTrue(root.hasChild());
+      }
 
       Set<Domain> children = domainAdminClient.getDomainClient()
          .listDomainChildren(parentDomainId(root.getId()).isRecursive(true));
-      assertEquals(allDomains.size() - 1, children.size());
-
-      for (Domain domain : children) {
-         checkDomain(domain, allDomains);
-      }
+      assertEquals(domains.size() - 1, children.size());
+      assertTrue(Sets.difference(domains, children).contains(root));
    }
 
-   private Predicate<Domain> withName(final String name) {
-      return new Predicate<Domain>() {
-         @Override
-         public boolean apply(@Nullable Domain domain) {
-            return domain != null && domain.getName().equals(name);
+   private Domain findRootOfVisibleTree(Set<Domain> domains) {
+      final Set<String> names = newHashSet(Iterables.transform(domains,
+         new Function<Domain, String>() {
+            @Override
+            public String apply(Domain domain) {
+               return domain.getName();
+            }
+         }));
+
+      for (Domain candidate : domains) {
+         if (candidate.getParentDomainId() == null ||
+            !names.contains(candidate.getParentDomainName())) {
+            return candidate;
          }
-      };
-   }
-
-   private void checkDomain(Domain domain, Set<Domain> allDomains) {
-      assert domain.getId() != null : domain;
-      if (domain.getParentDomainName() != null) {
-         Domain parent = find(allDomains, withName(domain.getParentDomainName()));
-         assertEquals(parent.getId(), domain.getParentDomainId());
-         assertTrue(parent.hasChild());
       }
+      throw new NoSuchElementException("No root node found in this tree");
    }
 }
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainUserClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainUserClientLiveTest.java
index 42e846565d..aa5dfbd664 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainUserClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/DomainUserClientLiveTest.java
@@ -40,7 +40,7 @@ public class DomainUserClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testListUsers() {
-      assert domainAdminEnabled;
+      skipIfNotDomainAdmin();
 
       Set<User> users = domainAdminClient.getUserClient().listUsers();
 
@@ -60,7 +60,7 @@ public class DomainUserClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testEnableDisableUser() {
-      assert globalAdminEnabled && domainAdminEnabled;
+      skipIfNotGlobalAdmin();
 
       Account testAccount = null;
       User testUser = null;
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalAccountClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalAccountClientLiveTest.java
index 8f1302420f..fca83acc72 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalAccountClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalAccountClientLiveTest.java
@@ -42,7 +42,7 @@ public class GlobalAccountClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testCreateAndRemoveAccount() {
-      assert globalAdminEnabled;
+      skipIfNotGlobalAdmin();
 
       Account account = null;
       try {
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalAlertClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalAlertClientLiveTest.java
index 65c0b94811..a51d98394c 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalAlertClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalAlertClientLiveTest.java
@@ -38,7 +38,7 @@ public class GlobalAlertClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test(groups = "live", enabled = true)
    public void testListAlerts() throws Exception {
-      assertTrue(globalAdminEnabled, "Test cannot run without global admin identity and credentials");
+      skipIfNotGlobalAdmin();
 
       final Set<Alert> response = globalAdminClient.getAlertClient().listAlerts(ListAlertsOptions.Builder.id("20"));
       assert null != response;
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalCapacityClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalCapacityClientLiveTest.java
index 590b5d35aa..3b72681e07 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalCapacityClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalCapacityClientLiveTest.java
@@ -36,7 +36,7 @@ public class GlobalCapacityClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test(groups = "live", enabled = true)
    public void testListCapacity() throws Exception {
-      assertTrue(globalAdminEnabled, "Test cannot run without global admin identity and credentials");
+      skipIfNotGlobalAdmin();
 
       final Set<Capacity> response = globalAdminClient.getCapacityClient().listCapacity();
       assert null != response;
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalConfigurationClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalConfigurationClientLiveTest.java
index eb46e3cfaa..64b578d8fa 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalConfigurationClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalConfigurationClientLiveTest.java
@@ -45,7 +45,7 @@ public class GlobalConfigurationClientLiveTest extends BaseCloudStackClientLiveT
 
    @Test
    public void testListConfigurationEntries() {
-      assert globalAdminEnabled;
+      skipIfNotGlobalAdmin();
 
       Set<ConfigurationEntry> entries = globalAdminClient
          .getConfigurationClient().listConfigurationEntries();
@@ -62,7 +62,7 @@ public class GlobalConfigurationClientLiveTest extends BaseCloudStackClientLiveT
 
    @Test
    public void testUpdateConfigurationEntry() {
-      assert globalAdminEnabled;
+      skipIfNotGlobalAdmin();
 
       Set<ConfigurationEntry> entries = globalAdminClient
          .getConfigurationClient().listConfigurationEntries();
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalDomainClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalDomainClientLiveTest.java
index 7e7558a88e..ae848345c4 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalDomainClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalDomainClientLiveTest.java
@@ -55,7 +55,7 @@ public class GlobalDomainClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testCreateUpdateDeleteDomain() {
-      assert globalAdminEnabled;
+      skipIfNotDomainAdmin();
 
       Domain domain = null;
       try {
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalHostClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalHostClientLiveTest.java
index 937dd80904..6db852473c 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalHostClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalHostClientLiveTest.java
@@ -40,7 +40,7 @@ public class GlobalHostClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test(groups = "live", enabled = true)
    public void testListHosts() throws Exception {
-      assertTrue(globalAdminEnabled, "Test cannot run without global admin identity and credentials");
+      skipIfNotGlobalAdmin();
 
       Set<Host> hosts = globalAdminClient.getHostClient().listHosts();
       assert hosts.size() > 0 : hosts;
@@ -68,7 +68,7 @@ public class GlobalHostClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test(groups = "live", enabled = true)
    public void testListClusters() throws Exception {
-      assertTrue(globalAdminEnabled, "Test cannot run without global admin identity and credentials");
+      skipIfNotGlobalAdmin();
 
       Set<Cluster> clusters = globalAdminClient.getHostClient().listClusters();
       assert clusters.size() > 0 : clusters;
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalOfferingClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalOfferingClientLiveTest.java
index 76c6a25b42..f3eb1b5db2 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalOfferingClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalOfferingClientLiveTest.java
@@ -50,7 +50,7 @@ public class GlobalOfferingClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test(groups = "live", enabled = true)
    public void testCreateServiceOffering() throws Exception {
-      assertTrue(globalAdminEnabled, "Test cannot run without global admin identity and credentials");
+      skipIfNotGlobalAdmin();
 
       String name = prefix + "-test-create-service-offering";
       String displayText = name + "-display";
@@ -90,7 +90,7 @@ public class GlobalOfferingClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test(groups = "live", enabled = true)
    public void testCreateDiskOffering() throws Exception {
-      assertTrue(globalAdminEnabled, "Test cannot run without global admin identity and credentials");
+      skipIfNotGlobalAdmin();
 
       String name = prefix + "-test-create-disk-offering";
       String displayText = name + "-display";
@@ -127,7 +127,7 @@ public class GlobalOfferingClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test(groups = "live", enabled = true)
    public void testUpdateNetworkOffering() throws Exception {
-      assertTrue(globalAdminEnabled, "Test cannot run without global admin identity and credentials");
+      skipIfNotGlobalAdmin();
 
       NetworkOffering offering = getFirst(globalAdminClient.getOfferingClient().listNetworkOfferings(), null);
       assertNotNull(offering, "Unable to test, no network offering found.");
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalPodClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalPodClientLiveTest.java
index 282db7bdad..9cf1cdf425 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalPodClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalPodClientLiveTest.java
@@ -51,10 +51,13 @@ public class GlobalPodClientLiveTest extends BaseCloudStackClientLiveTest {
    private Pod pod;
 
    public void testListPods() throws Exception {
+      skipIfNotGlobalAdmin();
+
       Set<Pod> response = globalAdminClient.getPodClient().listPods();
       assert null != response;
       long podCount = response.size();
       assertTrue(podCount >= 0);
+
       for (Pod pod : response) {
          Pod newDetails = Iterables.getOnlyElement(globalAdminClient.getPodClient().listPods(
             ListPodsOptions.Builder.id(pod.getId())));
@@ -74,7 +77,7 @@ public class GlobalPodClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testCreatePod() {
-      assertTrue(globalAdminEnabled, "Global admin credentials must be given");
+      skipIfNotGlobalAdmin();
 
       zone = globalAdminClient.getZoneClient().createZone(prefix + "-zone", NetworkType.BASIC, "8.8.8.8", "10.10.10.10");
       pod = globalAdminClient.getPodClient().createPod(prefix + "-pod", zone.getId(), "172.20.0.1", "172.20.0.250", "172.20.0.254", "255.255.255.0",
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalStoragePoolClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalStoragePoolClientLiveTest.java
index 35e1baf2b3..c1ba2c0185 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalStoragePoolClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalStoragePoolClientLiveTest.java
@@ -39,7 +39,7 @@ public class GlobalStoragePoolClientLiveTest extends BaseCloudStackClientLiveTes
 
    @Test(groups = "live", enabled = true)
    public void testListStoragePools() throws Exception {
-      assertTrue(globalAdminEnabled, "Test cannot run without global admin identity and credentials");
+      skipIfNotGlobalAdmin();
 
       Set<StoragePool> result = globalAdminClient.getStoragePoolClient().listStoragePools();
       assertNotNull(result);
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalUsageClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalUsageClientLiveTest.java
index 1557fa95f9..c28364628a 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalUsageClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalUsageClientLiveTest.java
@@ -42,6 +42,8 @@ public class GlobalUsageClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test(groups = "live", enabled = true)
    public void testListUsage() {
+      skipIfNotGlobalAdmin();
+
       Calendar c = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
       Date end = c.getTime();
       c.add(Calendar.MONTH, -1);
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalUserClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalUserClientLiveTest.java
index 87f4aab4f1..988d0d18c9 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalUserClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalUserClientLiveTest.java
@@ -50,7 +50,7 @@ public class GlobalUserClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testCreateUser() {
-      assert globalAdminEnabled;
+      skipIfNotGlobalAdmin();
 
       Account testAccount = createTestAccount(globalAdminClient, prefix);
       User testUser = null;
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalVlanClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalVlanClientLiveTest.java
index ee2a4ddc6e..0b2fda76d4 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalVlanClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalVlanClientLiveTest.java
@@ -56,11 +56,15 @@ public class GlobalVlanClientLiveTest extends BaseCloudStackClientLiveTest {
 
    private VlanIPRange range;
 
+   @Test
    public void testListVlanIPRanges() throws Exception {
+      skipIfNotGlobalAdmin();
+
       Set<VlanIPRange> response = globalAdminClient.getVlanClient().listVlanIPRanges();
       assert null != response;
       long rangeCount = response.size();
       assertTrue(rangeCount >= 0);
+
       for (VlanIPRange range : response) {
          VlanIPRange newDetails = Iterables.getOnlyElement(globalAdminClient.getVlanClient().listVlanIPRanges(
             ListVlanIPRangesOptions.Builder.id(range.getId())));
@@ -80,7 +84,10 @@ public class GlobalVlanClientLiveTest extends BaseCloudStackClientLiveTest {
       }
    }
 
+   @Test
    public void testCreateVlanIPRange() {
+      skipIfNotGlobalAdmin();
+
       final Zone zone = Iterables.find(client.getZoneClient().listZones(), ZonePredicates.supportsAdvancedNetworks());
       final NetworkOffering offering = find(client.getOfferingClient().listNetworkOfferings(),
          NetworkOfferingPredicates.supportsGuestVirtualNetworks());
@@ -90,7 +97,7 @@ public class GlobalVlanClientLiveTest extends BaseCloudStackClientLiveTest {
          new Predicate<Network>() {
             @Override
             public boolean apply(Network network) {
-               return network.getNetworkOfferingId() == offering.getId();
+               return network.getNetworkOfferingId().equals(offering.getId());
             }
          });
 
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalZoneClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalZoneClientLiveTest.java
index 9309bb3d14..c5a1438f82 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalZoneClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/GlobalZoneClientLiveTest.java
@@ -38,7 +38,7 @@ public class GlobalZoneClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testCreateUpdateDeleteZone() {
-      assert globalAdminEnabled;
+      skipIfNotGlobalAdmin();
 
       Zone zone = null;
       String zoneName = prefix + "-zone";
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/NetworkClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/NetworkClientLiveTest.java
index b9943420cc..a122ce1bd3 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/NetworkClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/NetworkClientLiveTest.java
@@ -65,6 +65,7 @@ public class NetworkClientLiveTest extends BaseCloudStackClientLiveTest {
       }
    }
 
+   @Test
    public void testCreateGuestVirtualNetwork() {
       if (!networksSupported)
          return;
@@ -94,13 +95,12 @@ public class NetworkClientLiveTest extends BaseCloudStackClientLiveTest {
       }
    }
 
+   @Test
    public void testCreateVLANNetwork() {
+      skipIfNotDomainAdmin();
       if (!networksSupported)
          return;
-      if (!domainAdminEnabled) {
-         Logger.getAnonymousLogger().log(Level.SEVERE, "domainAdmin credentials not present, skipping test");
-         return;
-      }
+
       final NetworkOffering offering;
       try {
          offering = get(
@@ -130,6 +130,7 @@ public class NetworkClientLiveTest extends BaseCloudStackClientLiveTest {
       }
    }
 
+   @Test
    public void testListNetworks() throws Exception {
       if (!networksSupported)
          return;
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientLiveTest.java
index aa703839b8..0ffc155469 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SessionClientLiveTest.java
@@ -44,11 +44,12 @@ public class SessionClientLiveTest extends BaseCloudStackClientLiveTest {
 
    @Test
    public void testCreateContextUsingUserAndPasswordAuthentication() {
-      String endpoint = cloudStackContext.getProviderMetadata().getEndpoint();
-      assert globalAdminEnabled;
+      skipIfNotGlobalAdmin();
 
+      String endpoint = cloudStackContext.getProviderMetadata().getEndpoint();
       Account testAccount = null;
       User testUser = null;
+
       String prefix = this.prefix + "-session";
       try {
          testAccount = createTestAccount(globalAdminClient, prefix);
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SnapshotClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SnapshotClientLiveTest.java
index 7bfde2e5a8..5a3d427a57 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SnapshotClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/SnapshotClientLiveTest.java
@@ -147,7 +147,7 @@ public class SnapshotClientLiveTest extends BaseCloudStackClientLiveTest {
       return find(client.getSnapshotClient().listSnapshots(), new Predicate<Snapshot>() {
          @Override
          public boolean apply(Snapshot arg0) {
-            return arg0.getId() == id;
+            return arg0.getId().equals(id);
          }
       });
    }
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/TemplateClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/TemplateClientLiveTest.java
index b2f327a7ac..2df4cc8544 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/TemplateClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/TemplateClientLiveTest.java
@@ -90,7 +90,7 @@ public class TemplateClientLiveTest extends BaseCloudStackClientLiveTest {
          assert template.getZone() != null : template;
          assert template.getZoneId() != null : template;
          assert (template.getStatus() == null ||
-            template.getStatus().equals("Download Complete")) : template;
+            template.getStatus() == Template.Status.DOWNLOADED) : template;
          assert template.getType() != null && template.getType() != Template.Type.UNRECOGNIZED : template;
          assert template.getHypervisor() != null : template;
          assert template.getDomain() != null : template;
@@ -110,8 +110,8 @@ public class TemplateClientLiveTest extends BaseCloudStackClientLiveTest {
             return network != null && network.getState().equals("Implemented");
          }
       });
-      assertEquals(Iterables.size(networks), 1);
-      Network network = Iterables.getOnlyElement(networks, null);
+      assertTrue(Iterables.size(networks) >= 1);
+      Network network = Iterables.get(networks, 0);
       assertNotNull(network);
 
       // Create a VM and stop it
@@ -160,7 +160,7 @@ public class TemplateClientLiveTest extends BaseCloudStackClientLiveTest {
       networks = Iterables.filter(networks, new Predicate<Network>() {
          @Override
          public boolean apply(@Nullable Network network) {
-            return network != null && network.getState().equals("Implemented");
+            return network != null && network.getName().equals("Virtual Network");
          }
       });
       assertEquals(Iterables.size(networks), 1);
@@ -184,7 +184,7 @@ public class TemplateClientLiveTest extends BaseCloudStackClientLiveTest {
             if (template == null) return false;
             Template t2 = client.getTemplateClient().getTemplateInZone(template.getId(), zoneId);
             Logger.CONSOLE.info("%s", t2.getStatus());
-            return "Download Complete".equals(t2.getStatus());
+            return t2.getStatus() == Template.Status.DOWNLOADED;
          }
       };
       assertTrue(new RetryablePredicate<Template>(templateReadyPredicate, 60000).apply(registeredTemplate));
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/VirtualMachineClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/VirtualMachineClientLiveTest.java
index a2261ed2b4..fd2a37c6b0 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/VirtualMachineClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/VirtualMachineClientLiveTest.java
@@ -91,7 +91,12 @@ public class VirtualMachineClientLiveTest extends BaseCloudStackClientLiveTest {
          RetryablePredicate<String> jobComplete, RetryablePredicate<VirtualMachine> virtualMachineRunning) {
       Set<Network> networks = client.getNetworkClient().listNetworks(isDefault(true));
       if (networks.size() > 0) {
-         Network network = get(networks, 0);
+         Network network = get(filter(networks, new Predicate<Network>() {
+            @Override
+            public boolean apply(@Nullable Network network) {
+               return network != null && network.getState().equals("Implemented");
+            }
+         }), 0);
          return createVirtualMachineInNetwork(network,
                defaultTemplateOrPreferredInZone(defaultTemplate, client, network.getZoneId()), client, jobComplete,
                virtualMachineRunning);
@@ -174,6 +179,7 @@ public class VirtualMachineClientLiveTest extends BaseCloudStackClientLiveTest {
       return vm;
    }
 
+   @Test
    public void testCreateVirtualMachine() throws Exception {
       String templateId = (imageId != null && !"".equals(imageId)) ? imageId : null;
       vm = createVirtualMachine(client, templateId, jobComplete, virtualMachineRunning);
@@ -185,7 +191,10 @@ public class VirtualMachineClientLiveTest extends BaseCloudStackClientLiveTest {
       checkVm(vm);
    }
 
+   @Test
    public void testCreateVirtualMachineWithSpecificIp() throws Exception {
+      skipIfNotGlobalAdmin();
+
       String templateId = (imageId != null && !"".equals(imageId)) ? imageId : null;
       Network network = null;
 
@@ -327,6 +336,7 @@ public class VirtualMachineClientLiveTest extends BaseCloudStackClientLiveTest {
       super.tearDown();
    }
 
+   @Test
    public void testListVirtualMachines() throws Exception {
       Set<VirtualMachine> response = client.getVirtualMachineClient().listVirtualMachines();
       assert null != response;
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/VolumeClientLiveTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/VolumeClientLiveTest.java
index a6e9d42007..1e422618b3 100644
--- a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/VolumeClientLiveTest.java
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/features/VolumeClientLiveTest.java
@@ -246,7 +246,7 @@ public class VolumeClientLiveTest extends BaseCloudStackClientLiveTest {
 
    static Volume findVolumeWithId(final CloudStackClient client, final String id) {
       for (Volume v: client.getVolumeClient().listVolumes())
-         if (v.getId()==id) return v;
+         if (v.getId().equals(id)) return v;
       throw new NoSuchElementException("no volume with id "+id);
    }
 
diff --git a/apis/cloudstack/src/test/java/org/jclouds/cloudstack/parse/ListVirtualMachinesResponse3xTest.java b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/parse/ListVirtualMachinesResponse3xTest.java
new file mode 100644
index 0000000000..d1a8b6bead
--- /dev/null
+++ b/apis/cloudstack/src/test/java/org/jclouds/cloudstack/parse/ListVirtualMachinesResponse3xTest.java
@@ -0,0 +1,82 @@
+/**
+ * Licensed to jclouds, Inc. (jclouds) under one or more
+ * contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  jclouds licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jclouds.cloudstack.parse;
+
+import java.util.Set;
+
+import org.jclouds.cloudstack.domain.GuestIPType;
+import org.jclouds.cloudstack.domain.NIC;
+import org.jclouds.cloudstack.domain.TrafficType;
+import org.jclouds.cloudstack.domain.VirtualMachine;
+import org.jclouds.date.internal.SimpleDateFormatDateService;
+import org.jclouds.json.BaseSetParserTest;
+import org.jclouds.rest.annotations.SelectJson;
+import org.testng.annotations.Test;
+
+import com.google.common.collect.ImmutableSet;
+
+/**
+ * 
+ * @author Adrian Cole
+ */
+@Test(groups = "unit")
+public class ListVirtualMachinesResponse3xTest extends BaseSetParserTest<VirtualMachine> {
+
+   @Override
+   public String resource() {
+      return "/listvirtualmachinesresponse3x.json";
+   }
+
+   @Override
+   @SelectJson("virtualmachine")
+   public Set<VirtualMachine> expected() {
+      return ImmutableSet.of(VirtualMachine
+            .builder()
+            .id("fee2ccb3-c1f2-4e7b-8465-42b390e10dff")
+            .name("cloudstack-r-611")
+            .displayName("cloudstack-r-611")
+            .account("jcloud2")
+            .domainId("ea66e3a5-d007-42e8-a0de-ec5ce778a1d7")
+            .domain("jCloud")
+            .created(new SimpleDateFormatDateService().iso8601SecondsDateParse("2012-05-22T09:18:28-0700"))
+            .state(VirtualMachine.State.RUNNING)
+            .isHAEnabled(false)
+            .zoneId("1")
+            .zoneName("Santa Clara Zone")
+            .templateId("5c65f152-a4bc-4405-a756-fd10841a9aa7")
+                             .templateName("jclouds-6d4bdc29")
+            .templateDisplayText("jclouds live testCreateTemplate")
+            .passwordEnabled(false)
+            .serviceOfferingId("5305750d-df71-4da9-8cd0-e23c2236a6e2")
+            .serviceOfferingName("Micro Instance")
+            .cpuCount(1)
+            .cpuSpeed(500)
+            .memory(256)
+            .guestOSId("6dcd58ce-1ec6-432c-af0b-9ab4ca9207d9")
+            .rootDeviceId("0")
+            .rootDeviceType("IscsiLUN")
+                             .publicIP("72.52.126.110")
+                             .publicIPId("e202aafb-ab41-4dc0-80e9-9fcd64fbf45c")
+            .nics(ImmutableSet.of(NIC.builder().id("48640c5e-90f3-45bd-abd2-a108ca8957ac").
+                                  networkId("c0d5db5b-f7d5-44e1-b854-21ecd1a09dbf").netmask("255.255.255.0").gateway("10.1.1.1")
+                                  .IPAddress("10.1.1.227").trafficType(TrafficType.GUEST).guestIPType(GuestIPType.ISOLATED)
+                                  .isDefault(true).build())).build());
+   }
+
+}
diff --git a/apis/cloudstack/src/test/resources/listvirtualmachinesresponse3x.json b/apis/cloudstack/src/test/resources/listvirtualmachinesresponse3x.json
new file mode 100644
index 0000000000..5a41ac6e8c
--- /dev/null
+++ b/apis/cloudstack/src/test/resources/listvirtualmachinesresponse3x.json
@@ -0,0 +1 @@
+{ "listvirtualmachinesresponse" : { "count":1 ,"virtualmachine" : [  {"id":"fee2ccb3-c1f2-4e7b-8465-42b390e10dff","name":"cloudstack-r-611","displayname":"cloudstack-r-611","account":"jcloud2","domainid":"ea66e3a5-d007-42e8-a0de-ec5ce778a1d7","domain":"jCloud","created":"2012-05-22T09:18:28-0700","state":"Running","haenable":false,"zoneid":"1","zonename":"Santa Clara Zone","templateid":"5c65f152-a4bc-4405-a756-fd10841a9aa7","templatename":"jclouds-6d4bdc29","templatedisplaytext":"jclouds live testCreateTemplate","passwordenabled":false,"serviceofferingid":"5305750d-df71-4da9-8cd0-e23c2236a6e2","serviceofferingname":"Micro Instance","cpunumber":1,"cpuspeed":500,"memory":256,"guestosid":"6dcd58ce-1ec6-432c-af0b-9ab4ca9207d9","rootdeviceid":0,"rootdevicetype":"IscsiLUN","securitygroup":[],"nic":[{"id":"48640c5e-90f3-45bd-abd2-a108ca8957ac","networkid":"c0d5db5b-f7d5-44e1-b854-21ecd1a09dbf","netmask":"255.255.255.0","gateway":"10.1.1.1","ipaddress":"10.1.1.227","traffictype":"Guest","type":"Isolated","isdefault":true}],"publicipid":"e202aafb-ab41-4dc0-80e9-9fcd64fbf45c","publicip":"72.52.126.110"} ] } }"