DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 02/16/2021 has been entered.


Response to Amendments
This communication is in response to the amendments filed on 30 December 2020:
	Claims 1, 7 and 14 are amended.
	Claims 8, 11, 13, 20, 24 and 26 are canceled.
	Claims 1-7, 9-10, 12, 14-19, 21-23 and 25 are pending.


Response to Arguments
In response to Applicant’s remarks filed on 30 December 2020:
a.	Applicant’s arguments that Mont fails to disclose, teach or suggest, “whereby the authentication server reprograms the network node through software-defined networking, SDN, mechanisms so that the communication device is connected with correct virtual instances serving group of customers, wherein the Paragraph [0025], see “The remediation system (110) further deploys, via a SDN controller, a SDN flow rule based on the at least one SDN flow rule template in the network (106) to remediate the security threat by altering a control path of the network (106)…the user may authorize the remediation system (110) to deploy the SDN flow rule based on the at least one SDN flow rule template in the network (106) to remediate the security threat”, where “a SDN flow rule based on the at least one SDN flow rule template in the network to remediate the security threat by altering a control path of the network” is analogous to reprogramming the network node through SDN mechanisms so that the communication device is connected with correct virtual instances. Applicant’s attention is further directed to Mont, Paragraph [0111], see “The security threat identifier (708) represents programmed instructions that, when executed, cause the processing resources (702) to identify, based on the traffic patterns of the network, a security threat to the network”, where “security threat to the network” is analogous to a first identifier as described below. Applicant’s attention is further directed to Mont, Paragraph [0055], see “security threat A (302-1) may be a source device that threatens the network”, where “security threat” is analogous to comprising a first identifier, which identifies the source device. 
Applicant’s attention is also directed to Mont, Paragraph [0057], see “the SDN flow rule templates (304) may be used to create the SDN flow rules…a workflow manager instantiates a workflow template, based on a selected security threat and parameters…the parameters may include an internet protocol (IP) address of a device in the network, an electronic mail (email) address of a user…”, where “internet protocol (IP) address of a device in the network” is also analogous to a first identifier identifying a user or device identifier unique to the device. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 4, 6-7, 10, 14, 17, 19 and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Harris et al. (U.S. PGPub. 2010/0242105), hereinafter Harris, in view of Anton JR., et al. (U.S. PGPub. 2007/0124802), hereinafter Anton, in further view of Mont et al. (U.S. PGPub. 2017/0223039), hereinafter Mont.

	Regarding claim 1, Harris teaches A method for routing traffic originating from a communication device, the method comprising (Harris, Paragraph [0025], see "FIG. 2B is a block diagram of another embodiment of an appliance for optimizing, accelerating, load-balancing and routing communications between a client and a server", where "routing communications between a client and a server" is being read as routing traffic originating from a communication device, where "client" is being read as a communication device):
		receiving, at an authentication server, a first message comprising information indicating that the communication device or a user of the communication device is requesting access to a resource (Harris, Paragraph [0006], see "The authentication virtual server may receive a second request from the client. The second request identifies the first URL. The authentication virtual server may then authenticate credentials received from the client", where a "second request" is being read as a first message comprising information indicating that the communication device or a user of the communication device is requesting access to a resource);
		authenticating, by the authentication server, the communication device or the user of the communication device in accordance with an authentication protocol (Harris, Paragraph [0004], see "Furthermore, in order to determine whether to grant access to a client machine requesting access to the service, authentication may be performed against the user operating the client machine. This authentication process may be provided by an authentication server in the network, such as a RADIUS server, and initiated by the access request", where "This authentication process may be provided by an authentication server in the network" is being read as authenticating, by the authentication server, the communication device or the user of the communication device and where "such as a RADIUS server" is being read as an authentication protocol); and
		after the device or the user is authenticated, establishing a traffic flow rule for traffic transmitted by the device based on a first identifier (Harris, Paragraph [0297], see "In still another embodiment, the method 600 includes...validating the authentication session 567 identified by the identifier 546 (step 627), applying the one or more policies 568 of the authentication session 567 to the request 513 (step 629), and forwarding traffic authorized by the one or more policies 568 from the client 102 to the server identified by the URL 545 via the authentication session 567 (step 631)", where "...applying the one or more policies 568 of the authentication session 567" is being read as after the device or the user is authenticated, establishing a traffic flow rule for traffic transmitted by the device and where "identifier 546" is being read as a first identifier), wherein
		the first identifier is one of a user identifier identifying a user, an application identifier identifying an application, and a device identifier unique to the device (Harris, Paragraph [0111], see "The client 102 has a local network identifier, such as an internet protocol (IP) address and/or host name on the first network 104", where "client 102" is being read as the user and where "local network identifier" is being read as identifying a user), and
	(Harris, Paragraph [0276], see “the authentication virtual server stores the URL 545 and domain of the traffic management virtual server with the authentication session 567. The authentication vServer may store one or both of the URL 545 and domain of the traffic management virtual server in association with the authentication session 567…the authentication vServer can store any type or form of information, from the request 512 or otherwise, in association with the authentication session 567”, where “authentication vServer can store any type or form of information…” is being read as the traffic flow being stored in the network node for routing traffic for the communication device through a virtual infrastructure), wherein the network node is a virtual switch in the virtual network in which multiple operators run separate virtual machines (Harris, Paragraph [0087], see “the appliance 200 may comprise a server, gateway, router, switch, bridge or other type of computing or network device, and have any hardware and/or software elements associated therewith”) (Harris, Paragraph [0105], see “The appliance 200 comprises one or more virtual servers or virtual internet protocol servers, referred to as a vServer, VIP server, or just VIP…the vServer 275 receives, intercepts or otherwise processes communications between a client 102 and a server 106 in accordance with the configuration and operations of the appliance 200”) (Harris, Paragraph [0252], see “this switch can enable or disable the authentication functionality for the traffic management vServer”, where “switch” is being read as comprising a virtual switch in a virtual network, due to the traffic management server being virtual itself).
	Harris does not teach the following limitation(s) as taught by Anton: 
	(Anton, Claim 19, see “said network monitoring device further inserting said second identification code in said message before forwarding said message to said authentication server; said authentication server responding to receipt of said forwarded message from said network monitoring device by decoding said hardware address from said second identification code; generating and transmitting a third identification code based on said hardware address along with an unblock message to said network monitoring device”, where “network monitoring device” is analogous to a network node, where “generating and transmitting a third identification code based on said hardware address along with an unblock message to said network monitoring device” is analogous to the authentication server transmitting to a network node a second message comprising the device identifier, where “hardware address” is analogous to a device identifier).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, by implementing techniques for distributed network authentication and access control, comprising of the authentication server transmitting to a network node a second message comprising the device identifier, disclosed of Anton. 
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising a message sent between the authentication server and the network node that comprises a device identifier. Having the authentication server and network node share information regarding the device identifier allows for a more organized method of routing traffic received from the communication device, by introducing a more simplified process of determining which devices have already been authenticated (based on the first identifier), as well as keeping track of the devices that have previously been authenticated, by utilizing the devices' unique identifier (Anton, Claim 19).
	Harris as modified by Anton does not teach the following limitation(s) as taught by Mont: whereby the authentication server reprograms the network node through software-defined networking, SDN, mechanisms so that the communication device is connected with correct virtual instances serving group of customers, wherein the reprogram of the network node through SDN mechanisms is based on the first identifier received by the authentication server.
	(Mont, Paragraph [0025], see “The remediation system (110) further deploys, via a SDN controller, a SDN flow rule based on the at least one SDN flow rule template in the network (106) to remediate the security threat by altering a control path of the network (106)…the user may authorize the remediation system (110) to deploy the SDN flow rule based on the at least one SDN flow rule template in the network (106) to remediate the security threat”, where “a SDN flow rule based on the at least one SDN flow rule template in the network to remediate the security threat by altering a control path of the network” is analogous to reprogramming the network node through SDN mechanisms so that the communication device is connected with correct virtual instances) (Mont, Paragraph [0055], see “security threat A (302-1) may be a source device that threatens the network”, where “security threat” is analogous to comprising a first identifier, which identifies the source device) (Mont, Paragraph [0057], see “the SDN flow rule templates (304) may be used to create the SDN flow rules…a workflow manager instantiates a workflow template, based on a selected security threat and parameters…the parameters may include an internet protocol (IP) address of a device in the network, an electronic mail (email) address of a user…”, where “internet protocol (IP) address of a device in the network” is also analogous to a first identifier identifying a user or device identifier unique to the device) (Mont, Paragraph [0111], see “The security threat identifier (708) represents programmed instructions that, when executed, cause the processing resources (702) to identify, based on the traffic patterns of the network, a security threat to the network”, where “security threat to the network” is analogous to a first identifier).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris and techniques disclosed of Anton, by implementing techniques for remediating a security threat to a network, comprising of reprogramming the network node through SDN mechanisms so that the communication device is connected with correct virtual instances, disclosed of Mont.  
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising reprogramming the network node through SDN mechanisms so that the communication device is connected with correct virtual instances. This allows for better security management of techniques for routing traffic originating from a communication device, due to SDN mechanisms providing traffic programmability, agility and the ability to create policy-driven network supervision and to implement network automation. Software-defined networking allows for controlling data traffic by having the ability to direct and automate data traffic and make sure the communication device(s) are connected with correct virtual instances (Mont, Paragraph [0025]).

	Regarding claim 4, Harris as modified by Anton and further modified by Mont teaches The method of claim 1, wherein
	the second message further comprises the user identifier and/or the application identifier (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server", where "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client" is being read as the second message comprising the user identifier, where “expressions identifying one or more attributes of the client” is being read as comprising a user identifier); and
	the step of establishing the traffic flow rule further comprises the network node using the user or application identifier to obtain the traffic flow rule (Harris, Paragraph [0014], see "The traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary", where "traffic management virtual server" is being read as the network node) (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server", where "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client" is being read as the second message comprising the first identifier, where "evaluation" is being read as the second message, where "one or more expressions identifying one or more attributes of the client" is being read as comprising the first identifier and where the traffic management virtual server (network node) is using the first identifier (one or more attributes of the client), provided by the authentication virtual server, to obtain the traffic flow rule).

	Regarding claim 6, Harris as modified by Anton and further modified by Mont teaches The method of claim 1, wherein the second message further comprises at least one of a user preference, a priority parameter, a quality of service parameter, a tunneling parameter, a device type parameter, a device identifier and a time-to-live parameter (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server", where "evaluation" is being read as a second message and where "evaluation of one or more expressions identifying one or more attributes of the client" is being read as a second message comprising a quality of service parameter, a user preference and/or a device identifier (due to normal evaluations being capable of comprising a QoS parameter, a user preference and/or a device identifier)).

	Regarding claim 7, Harris as modified by Anton and further modified by Mont teaches The method of claim 1, wherein the first identifier is one of the user identifier and the application identifier (Harris, Paragraph [0111], see "The client 102 has a local network identifier, such as an internet protocol (IP) address and/or host name on the first network 104", where "local network identifier" is being read as a first identifier which identifies the user, based on his network).

	Regarding claim 10, Harris as modified by Anton and further modified by Mont teaches The method of claim 1, further comprising:
	receiving, at the authentication server, a third message providing an indication to terminate a user session of the device (Harris, Paragraph [0288], see "In some embodiments, the traffic management vServer does not validate the authentication session 567. Responsive to a failure to validate the authentication session 567, the traffic management or authentication vServer may reject the client request by sending the client 102 a message of any type and form", where "Responsive to a failure to validate the authentication session 567" is being read as the network node (traffic management vServer) sending a third message providing an indication to terminate a user session of the device, where the authentication vServer may reject the client request subsequent to the indication of failure to validate the authentication session 567); and
	transmitting, by the authentication server, a fourth message to the network node comprising instructions to modify one or more routing rules for the device (Harris, Paragraph [0288], see "The traffic management or authentication vServer may terminate the authentication session 567 ... The traffic management or authentication vServer may also update and/or remove one or more session tables (e.g., from storage device 560), such as the AAA-TM session table", where the "authentication vServer" is being read as terminating the authentication session and notifying the network node via a fourth message that comprises instructions to modify one or more routing rules for the device, where "The traffic management... may also update and/or remove one or more session tables...such as the AAA-TM session table" is being read as the one or more routing rules for the device that is being modified by the network node) (Paragraph [0289], see "For any communication traversing the traffic management vServer, the traffic management vServer may use any information about a client or a session available from the authentication vServer, such as any collected end point information. In some embodiments, the values of any portion of a policy expression may be obtained or derived from any data, values or information available via the authentication vServer, such as via an authenticated session. In some embodiments, the input to a condition, action or rule of a policy may be value from end point collected information stored by the authentication vServer", where "the traffic management vServer may use any information about a client or a session available from the authentication vServer, such as any collected end point information" is being read as the fourth message, comprising instructions to modify one or more routing rules for the device and where "In some embodiments, the input to a condition, action or rule of a policy ..." is being read as comprising the instructions and actions to take, in regards to the modification of the rules and/or policies, provided by the authentication server to the network node, via a subsequent (fourth) message).
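The claim 1 and claim 10 flow discussed above, as an added model that is not code from the application, Harris, Anton or Mont: an authentication server authenticates a device, installs an identifier-keyed flow rule in a virtual switch through a control message, and withdraws it when the session is terminated. All class names, message fields, credentials and tenant mappings are assumptions constructed for this example.

```python
"""Model of the claimed flow: authenticate a device, push an identifier-keyed
flow rule into a virtual switch (the network node) via an SDN-style control
message, and withdraw it when the session ends.

Added illustration only; not code from the application or the cited art.
Class names, message fields and sample data are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed credential store: user -> (salt, sha256(salt + password)).
def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_CREDENTIALS = {
    "alice": (b"s1", _hash(b"s1", "correct horse")),
    "bob": (b"s2", _hash(b"s2", "battery staple")),
}

# Which virtual instance serves each customer group (constructed mapping).
_GROUP_OF_USER = {"alice": "tenant-a", "bob": "tenant-b"}
_INSTANCE_OF_GROUP = {"tenant-a": "vinst-a", "tenant-b": "vinst-b"}
QUARANTINE = "vinst-quarantine"   # default instance for unauthenticated devices


@dataclass
class FlowRule:
    device_id: str       # device identifier unique to the device (MAC here)
    user_id: str         # user identifier carried alongside it (claim 4)
    instance: str        # virtual instance the device is connected to
    expires_at: int      # time-to-live parameter (claim 6), as an absolute tick


@dataclass
class VirtualSwitch:
    """The network node: a virtual switch holding an identifier-keyed flow table."""
    flows: dict = field(default_factory=dict)
    control_log: list = field(default_factory=list)

    def apply(self, message: dict) -> None:
        """Second or fourth message from the authentication server (SDN reprogram)."""
        self.control_log.append(message)
        if message["op"] == "install":
            self.flows[message["rule"].device_id] = message["rule"]
        elif message["op"] == "remove":
            self.flows.pop(message["device_id"], None)

    def route(self, device_id: str, now: int) -> str:
        """Return the virtual instance that traffic from device_id is forwarded to."""
        rule = self.flows.get(device_id)
        if rule is None:
            return QUARANTINE
        if now >= rule.expires_at:          # TTL elapsed: drop the stale rule
            del self.flows[device_id]
            return QUARANTINE
        return rule.instance


class AuthServer:
    def __init__(self, node: VirtualSwitch, session_ttl: int = 3600):
        self.node = node
        self.session_ttl = session_ttl
        self.sessions = {}   # device_id -> user_id

    def _authenticate(self, user: str, password: str) -> bool:
        entry = _CREDENTIALS.get(user)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _hash(salt, password))

    def handle_access_request(self, first_message: dict, now: int) -> bool:
        """First message: the device or user requests access to a resource."""
        user = first_message["user"]
        dev = first_message["device_id"]
        if not self._authenticate(user, first_message["password"]):
            return False                     # no rule installed; stays quarantined
        instance = _INSTANCE_OF_GROUP[_GROUP_OF_USER[user]]
        rule = FlowRule(dev, user, instance, now + self.session_ttl)
        self.sessions[dev] = user
        # Second message: reprogram the network node based on the identifier.
        self.node.apply({"op": "install", "rule": rule})
        return True

    def handle_terminate(self, third_message: dict) -> None:
        """Third message: session teardown; fourth message modifies the routing rule."""
        dev = third_message["device_id"]
        if self.sessions.pop(dev, None) is not None:
            self.node.apply({"op": "remove", "device_id": dev})
```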

	Regarding claim 14, Harris teaches An authentication server comprising:
	a data processing system; and
	a network interface coupled to the data processing system (Harris, Paragraph [0156], see "A traffic management vServer 275tv may include and/or operate a network engine 240...The network engine 240 may include a transceiver for receiving and transmitting network traffic. In some embodiments, the network engine 240 may also incorporate a hardware interface, from the appliance 200 for example, to connect with the network 104 and other network components. In one embodiment, the network engine 240 interfaces with the client 102 and/or the authentication vServer 275av. The network engine 240 can perform any type or form of data processing, such as compression, encryption...redirection, and protocol processing", where the "network engine 240" is being read as a data processing system, where "the network engine 240 interfaces with the client 102 and/or the authentication vServer 275av" is being read as an authentication server comprising a data processing system (network engine 240), and where "the network engine 240 may also incorporate a hardware interface...to connect with the network 104 and other network components" is being read as the data processing system being coupled to a network interface), wherein the data processing system is configured such that, in response to receiving a first message comprising information indicating that a communication device or a user of the communication device is requesting access to a resource, the data processing system (Harris, Paragraph [0006], see "The authentication virtual server may receive a second request from the client. The second request identifies the first URL. The authentication virtual server may then authenticate credentials received from the client", where a "second request" is being read as a first message comprising information indicating that the communication device or a user of the communication device is requesting access to a resource):
	authenticates the communication device or the user of the communication device in accordance with an authentication protocol (Harris, Paragraph [0004], see "Furthermore, in order to determine whether to grant access to a client machine requesting access to the service, authentication may be performed against the user operating the client machine. This authentication process may be provided by an authentication server in the network, such as a RADIUS server, and initiated by the access request", where "This authentication process may be provided by an authentication server in the network" is being read as authenticating, by the authentication server, the communication device or the user of the communication device and where "such as a RADIUS server" is being read as an authentication protocol) (Paragraph [0156], see "In one embodiment, the network engine 240 interfaces with the client 102 and/or the authentication vServer 275av. The network engine 240 can perform any type or form of data processing, such as compression, encryption ... redirection, and protocol processing", where the "network engine 240" is being read as the data processing system, which can perform any type or form of data processing, such as protocol processing (authenticating the communication device or the user of the communication device in accordance with an authentication protocol)); and
	after the communication device or the user is authenticated, establishes a traffic flow rule for traffic transmitted by the communication device based on a first identifier (Harris, Paragraph [0297], see "In still another embodiment, the method 600 includes...validating the authentication session 567 identified by the identifier 546 (step 627), applying the one or more policies 568 of the authentication session 567 to the request 513 (step 629), and forwarding traffic authorized by the one or more policies 568 from the client 102 to the server identified by the URL 545 via the authentication session 567 (step 631)", where "...applying the one or more policies 568 of the authentication session 567" is being read as after the device or the user is authenticated, establishing a traffic flow rule for traffic transmitted by the device and where "identifier 546" is being read as a first identifier) (Paragraph [0156], see "The network engine 240 can include or communicate with a policy engine 236 and access one or more policies. In one embodiment, the network engine 240 can provide and/or apply the one or more policies accessed. In some embodiments, the network engine 240 may provide some or all of the functions of the traffic management vServer 275tv", where "The network engine 240 can include or communicate with a policy engine 236 and access one or more policies..." is being read as the data processing system establishing a traffic flow rule for traffic transmitted by the communication device based on a first identifier),
	wherein the first identifier is one of a user identifier identifying a user, an application identifier identifying an application, and a device identifier unique to the device (Harris, Paragraph [0111], see "The client 102 has a local network identifier, such as an internet protocol (IP) address and/or host name on the first network 104", where "client 102" is being read as the user and where "local network identifier" is being read as identifying a user), (Harris, Paragraph [0276], see “the authentication virtual server stores the URL 545 and domain of the traffic management virtual server with the authentication session 567. The authentication vServer may store one or both of the URL 545 and domain of the traffic management virtual server in association with the authentication session 567…the authentication vServer can store any type or form of information, from the request 512 or otherwise, in association with the authentication session 567”, where “authentication vServer can store any type or form of information…” is being read as the traffic flow being stored in the network node for routing traffic for the communication device through a virtual infrastructure), wherein the network node is a virtual switch in the virtual network in which multiple operators run separate virtual machines (Harris, Paragraph [0087], see “the appliance 200 may comprise a server, gateway, router, switch, bridge or other type of computing or network device, and have any hardware and/or software elements associated therewith”) (Harris, Paragraph [0105], see “The appliance 200 comprises one or more virtual servers or virtual internet protocol servers, referred to as a vServer, VIP server, or just VIP…the vServer 275 receives, intercepts or otherwise processes communications between a client 102 and a server 106 in accordance with the configuration and operations of the appliance 200”) (Harris, Paragraph [0252], see “this switch can enable or disable the authentication functionality for the traffic management vServer”, where “switch” is being read as comprising a virtual switch in a virtual network, due to the traffic management server being virtual itself).
	Harris does not teach the following limitation(s) as taught by Anton: and the establishing a traffic flow rule comprises the data processing system using the network interface to transmit to a network node a second message comprising the device identifier.
	(Anton, Claim 19, see “said network monitoring device further inserting said second identification code in said message before forwarding said message to said authentication server; said authentication server responding to receipt of said forwarded message from said network monitoring device by decoding said hardware address from said second identification code; generating and transmitting a third identification code based on said hardware address along with an unblock message to said network monitoring device”, where “network monitoring device” is analogous to a network node, where “generating and transmitting a third identification code based on said hardware address along with an unblock message to said network monitoring device” is analogous to the authentication server transmitting to a network node a second message comprising the device identifier, where “hardware address” is analogous to a device identifier).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, by implementing techniques for distributed network authentication and access control, comprising of the authentication server transmitting to a network node a second message comprising the device identifier, disclosed of Anton. 
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising of a message sent between the authentication server and network node, comprising of a device identifier. Having the authentication server and network node share information regarding the device identifier allows for a more organized method of routing traffic received from the communication device, by introducing a more simplified process of determining which devices have already been authenticated (based on the 1st identifier), as well as, keeping track of the devices that have previously been authenticated, by utilizing the devices' unique identifier (Anton, Claim 19).
	Harris as modified by Anton does not teach the following limitation(s) as taught by Mont: whereby the authentication server reprograms the network node through software-defined networking, SDN, mechanisms so that the communication device is connected with correct virtual instances serving group of customers, wherein the reprogram of the network node through the SDN mechanisms is based on the first identifier received by the authentication server.
	(Mont, Paragraph [0025], see “The remediation system (110) further deploys, via a SDN controller, a SDN flow rule based on the at least one SDN flow rule template in the network (106) to remediate the security threat by altering a control path of the network (106)…the user may authorize the remediation system (110) to deploy the SDN flow rule based on the at least one SDN flow rule template in the network (106) to remediate the security threat”, where “a SDN flow rule based on the at least one SDN flow rule template in the network to remediate the security threat by altering a control path of the network” is analogous to reprogramming the network node through SDN mechanisms so that the communication device is connected with correct virtual instances) (Mont, Paragraph [0055], see “security threat A (302-1) may be a source device that threatens the network”, where “security threat” is analogous to comprising a first identifier, which identifies the source device) (Mont, Paragraph [0057], see “the SDN flow rule templates (304) may be used to create the SDN flow rules…a workflow manager instantiates a workflow template, based on a selected security threat and parameters…the parameters may include an internet protocol (IP) address of a device in the network, an electronic mail (email) address of a user…”, where “internet protocol (IP) address of a device in the network” is also analogous to a first identifier identifying a user or device identifier unique to the device) (Mont, Paragraph [0111], see “The security threat identifier (708) represents programmed instructions that, when executed, cause the processing resources (702) to identify, based on the traffic patterns of the network, a security threat to the network”, where “security threat to the network” is analogous to a first identifier).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris and techniques disclosed of Anton, by implementing techniques for remediating a security threat to a network, comprising of reprogramming the network node through SDN mechanisms so that the communication device is connected with correct virtual instances, disclosed of Mont.  
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising of reprogramming the network node through SDN mechanisms so that the communication device is connected with correct virtual instances. This allows for better security management for techniques for routing traffic originating from a communication device, due to SDN mechanisms providing traffic programmability, agility and the ability to create policy driven network supervision and implementing network automation. Software defined networking allows for controlling data traffic by having the ability to direct and automate data traffic and make sure the communication device(s) are connected with correct virtual instances (Mont, Paragraph [0025]). 

	Regarding claim 17, Harris as modified by Anton and further modified by Mont teaches The authentication server of claim 14, wherein
	the second message further comprises the user identifier and/or the application identifier (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server", where "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client" is being read as the second message comprising the user identifier, where “expressions identifying one or more attributes of the client” is being read as comprising a user identifier), and
	the step of establishing the traffic flow rule further comprises the network node using the user identifier or application identifier to obtain the traffic flow rule (Harris, Paragraph [0014], see "The traffic management virtual server can obtain the result from the authentication virtual server. Further, the traffic management virtual server may apply the result in one or more traffic management policies to manage network traffic of a connection of the client traversing the intermediary", where "traffic management virtual server" is being read as the network node) (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server", where "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client" is being read as the second message comprising the first identifier, where "evaluation" is being read as the second message, where "one or more expressions identifying one or more attributes of the client" is being read as comprising the first identifier and where the traffic management virtual server (network node) is using the first identifier (one or more attributes of the client), provided by the authentication virtual server, to obtain the traffic flow rule).

	Regarding claim 19, Harris as modified by Anton and further modified by Mont teaches The authentication server of claim 14, wherein the second message further comprises at least one of a user preference, a priority parameter, a quality of service parameter, a tunneling parameter, a device type parameter, a device identifier and a time-to-live parameter (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server", where "evaluation" is being read as a second message and where "evaluation of one or more expressions identifying one or more attributes of the client" is being read as a second message comprising a quality of service parameter, a user preference and/or a device identifier (due to normal evaluations being capable of comprising a QoS parameter, a user preference and/or a device identifier)).

	Regarding claim 21, Harris as further modified by Mont teaches The authentication server of claim 14, wherein
	the authentication server is an Authentication, Authorization, and Accounting (AAA) server (Harris, Paragraph [0004], see "other authorization, authentication and auditing/accounting (AAA) services may also be provided to establish and monitor each client-server connection"),
	the authentication protocol comprises at least one of a RADIUS or Diameter protocol (Harris, Paragraph [0004], see “in order to determine whether to grant access to a client machine requesting access to the service, authentication may be performed against the user operating the client machine. This authentication process may be provided by an authentication server in the network, such as a RADIUS server, and initiated by the access request”), 
	
	Harris as further modified by Mont does not teach the following limitation(s) as taught by Anton: the device identifier is one of an IP address and a MAC address.
	(Anton, Paragraph [0040], see “the sent messages are encapsulated with header information including the hardware and IP address of the source node and the hardware and IP address of the destination, or target, node”, where “hardware and IP address” is analogous to the device identifier being one of an IP address).
 	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, and techniques disclosed of Mont, by implementing techniques for distributed network authentication and access control, comprising of the device identifier being one of an IP address and a MAC address, disclosed of Anton. 
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising of the device identifier being one of an IP address and a MAC address. This allows for a more efficient method for routing traffic originating from a communication device, due to the IP address being a unique identifier for the device, which allows for the communication device to send and receive information to and from specific devices in a given network (Anton, Paragraph [0040]). 

	Regarding claim 22, Harris as modified by Anton and further modified by Mont teaches The authentication server of claim 14, wherein
	the network node is configured to receive traffic transmitted by the communication device, and
	the traffic flow rule identifies a node to which the network node should forward the received traffic (Harris, Paragraph [0105], see "The vServer 275 receives, intercepts or otherwise processes communications between a client 102 and a server 106 in accordance with the configuration and operations of the appliance 200", where the "vServer 275" is being read as the network node and where "The vServer 275 receives, intercepts or otherwise processes communications between a client 102 and a server 106..." is being read as the network node being configured to receive traffic transmitted by the communication device, where "client 102" is being read as the communication device) (Paragraph [0258], see "At step 631, the traffic management virtual server forwards traffic authorized by the one or more policies 568 from the client 102 to the server 106", where "the traffic management virtual server" is being read as the network node and where "forwards traffic authorized by the one or more policies 568" is being read as the network node obtaining a traffic flow rule that identifies a node (destination) to which the network node should forward the received traffic).

	Regarding claim 23, Harris as modified by Anton and further modified by Mont teaches The authentication server of claim 14, the data processing system further configured to:
	receive a third message providing an indication to terminate a user session of the communication device (Harris, Paragraph [0288], see "In some embodiments, the traffic management vServer does not validate the authentication session 567. Responsive to a failure to validate the authentication session 567, the traffic management or authentication vServer may reject the client request by sending the client 102 a message of any type and form", where "Responsive to a failure to validate the authentication session 567" is being read as the network node (traffic management vServer) sending a third message providing an indication to terminate a user session of the device, where the authentication vServer may reject the client request subsequent to the indication of failure to validate the authentication session 567); and
	transmit, via the network interface, a fourth message to the network node comprising instructions to modify one or more routing rules for the communication device (Harris, Paragraph [0288], see "The traffic management or authentication vServer may terminate the authentication session 567...The traffic management or authentication vServer may also update and/or remove one or more session tables (e.g., from storage device 560), such as the AAA-TM session table", where the "authentication vServer" is being read as terminating the authentication session and notifying the network node via a fourth message that comprises instructions to modify one or more routing rules for the device, where "The traffic management... may also update and/or remove one or more session tables...such as the AAA-TM session table" is being read as the one or more routing rules for the device that is being modified by the network node) (Paragraph [0289], see "For any communication traversing the traffic management vServer, the traffic management vServer may use any information about a client or a session available from the authentication vServer, such as any collected end point information. In some embodiments, the values of any portion of a policy expression may be obtained or derived from any data, values or information available via the authentication vServer, such as via an authenticated session. In some embodiments, the input to a condition, action or rule of a policy may be value from end point collected information stored by the authentication vServer", where "the traffic management vServer may use any information about a client or a session available from the authentication vServer, such as any collected end point information" is being read as the fourth message, comprising instructions to modify one or more routing rules for the device and where "In some embodiments, the input to a condition, action or rule of a policy ..." is being read as comprising the instructions and actions to take, in regards to the modification of the rules and/or policies, provided by the authentication server to the network node, via a subsequent (fourth) message).


Claims 2-3 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Harris, in view of Anton, in further view of Mont, in further view of VACHIRAVEL et al. (U.S. PGPub. 2016/0226869), hereinafter Vachiravel. 

	Regarding claim 2, Harris as modified by Anton and further modified by Mont teaches The method of claim 1, wherein
	the step of establishing the traffic flow rule further comprises the authentication server using the first identifier to obtain the traffic flow rule (Harris, Paragraph [0258], see "At step 619, the authentication virtual server authenticates credentials received from the client 102. At step 621, the traffic management virtual server applies one or more policies 568 of an authentication session 567 to the request 511. At step 623, the authentication virtual server transmits a response 522 to the client 102 to redirect the client 102 to the traffic management virtual server. The response 522 identifies the authentication session 567. At step 625, the traffic management virtual server receives a request 513 from the client 102. The request 513 includes an identifier 546 of the authentication session 567. At step 627, the traffic management virtual server validates the authentication session 567 identified by the identifier 546. At step 629, the traffic management virtual server applies the one or more policies 568 of the authentication session 567 to the request 513", where "the authentication virtual server authenticates credentials received from the client 102" is being read as using the first identifier to obtain the traffic flow rule and where "the authentication virtual server transmits a response 522 to the client... The response 522 identifies the authentication session 567 ... the traffic management virtual server applies the one or more policies 568 of the authentication session 567" is being read as the authentication session 567 comprising of the traffic flow rules established by the authentication virtual server, which was generated based off the (first identifier) client's credentials),
	the second message further comprises the obtained traffic flow rule (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server", where the "evaluation" is being read as the second message and where "one or more expressions identifying one or more attributes of the client as the result...can also provide the result as input to the one or more traffic management policies..." is being read as the evaluation (second message) comprising the obtained traffic flow rule), and
	
	Harris as modified by Anton and further modified by Mont does not teach the following limitation(s) as taught by Vachiravel: the obtained traffic flow rule comprises traffic flow information identifying one or more traffic flows and traffic routing information for the identified traffic flows for enabling the network node to route traffic transmitted by the communication device and corresponding to one of the identified traffic flows to an appropriate network entity.
	(Vachiravel, Paragraph [0038], see “The message granting the user device 102 access to the enterprise network system 100 includes an indication of network access associated with the user device. The indication of network access can be an indication of network access classification and/or an indication of a user classification…After the network access node 104 receives the VSA and Filter-Id attributes, the results associated with the VSA and Filter-Id attributes allow the network access node 104 to apply the corresponding classifications and/or policies regarding network access to the user device 102”, where “corresponding classifications and/or policies regarding network access” is analogous to the message comprising traffic flow information and traffic routing information for enabling the network node to route traffic to an appropriate network entity).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, techniques disclosed of Anton, and techniques disclosed of Mont, by implementing a system and method of controlling network access, comprising of transmitting a second message from the authentication server to a network node, where the second message comprises traffic flow information and traffic routing information for enabling the network node to route traffic to an appropriate network entity, disclosed of Vachiravel.  
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising of transmitting a second message from the authentication server to a network node, where the second message comprises traffic flow information and traffic routing information for enabling the network node to route traffic to an appropriate network entity. Having the authentication server transmit a message that indicates the appropriate traffic flow information and traffic routing information to the network node, allows for an improvement in security within the system. This allows for the authentication server to validate the appropriate traffic flow information and traffic routing information to make sure traffic is properly routed in the network (Vachiravel, Paragraph [0038]). 

	Regarding claim 3, Harris as modified by Anton and further modified by Mont and Vachiravel teaches The method of claim 2, wherein using the first identifier to obtain the traffic flow rule comprises:
	the authentication server providing to a rules function the first identifier, wherein the rules function is configured to obtain a rule based on the first identifier and provide the selected rule to the authentication server; and
	the authentication server receiving the traffic flow rule obtained by the rules function based on the first identifier (Harris, Paragraph [0157], see "Further, the authentication vServer 275av can include and/or operate with any embodiment of the policy engine 236 described above in connection with FIG. 2A", where the "policy engine 236" is being read as the rules function; Paragraph [0182], see "The TM vServer and/or the authentication vServer may include or communicate with the one or more policy engines 236") (Harris, Paragraph [0183], see "In other embodiments, the one or more policy engines 236 sends the one or more identified policies to the TM vServer and/or the authentication vServer", where "the one or more policy engines 236 sends the one or more identified policies to ... the authentication vServer" is being read as the rules function (policy engine 236) being configured to obtain a rule and providing the selected rule to the authentication server) (Harris, Paragraph [0263], see "In yet another embodiment, traffic management virtual server identifies the policy based at least in part on the collected information from the client 102. Further, the policy may be identified from the traffic management policies 586, the authentication policies 568, or any other policies. Any policy may be applied through a policy engine, such as any embodiment of the policy engine 236 discussed above in connection with FIG. 2A", where "the policy may be identified from the traffic management policies 586, the authentication policies 568, or any other policies" is being read as the authentication server providing the first identifier to a rules function (policy engine 236), where the policy is identified based at least in part on the collected information from the client 102 (where the "collected information" is being read as comprising the first identifier)).
	On a side note, (Harris, Paragraph [0134], see "The collection agent 304 comprises an application, program, process, service, task or executable instructions for identifying, obtaining and/or collecting information about the client 102 ... In one embodiment, the policy engine 236 of the appliance 200 uses the collected information to determine and provide access, authentication and authorization control of the client's connection to a network 104") (Harris, Paragraph [0135], see "The policy engine 236 may have one or more policies based on any one or more of the attributes or characteristics of the client or client-side attributes", where "one or more of the attributes or characteristics of the client or client-side attributes" are provided by the authentication virtual server) (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server"); therefore, the authentication server is providing the first identifier (contained within the evaluation identifying one or more attributes of the client) to the rules function (policy engine 236), where the rules function is configured to obtain the rule based on the client attributes (first identifier) (Harris, Paragraph [0179], see "a collection agent 304 may obtain information from the client 102 for one or both of the TM vServer and the authentication vServer", where the authentication vServer retrieves the information (first identifier) about the client 102 from the collection agent, forwards the first identifier to the rules function (policy engine 236), where the policy engine uses the collected information to determine and provide access (determine the traffic flow rule), and sends it to the authentication vServer).

	Regarding claim 15, Harris as modified by Anton and further modified by Mont teaches The authentication server of claim 14, wherein
	the data processing system is configured such that the establishing a traffic flow rule further comprises using the first identifier to obtain the traffic flow rule (Harris, Paragraph [0258], see "At step 619, the authentication virtual server authenticates credentials received from the client 102. At step 621, the traffic management virtual server applies one or more policies 568 of an authentication session 567 to the request 511. At step 623, the authentication virtual server transmits a response 522 to the client 102 to redirect the client 102 to the traffic management virtual server. The response 522 identifies the authentication session 567. At step 625, the traffic management virtual server receives a request 513 from the client 102. The request 513 includes an identifier 546 of the authentication session 567. At step 627, the traffic management virtual server validates the authentication session 567 identified by the identifier 546. At step 629, the traffic management virtual server applies the one or more policies 568 of the authentication session 567 to the request 513", where "the authentication virtual server authenticates credentials received from the client 102" is being read as using the first identifier to obtain the traffic flow rule and where "the authentication virtual server transmits a response 522 to the client... The response 522 identifies the authentication session 567 ... the traffic management virtual server applies the one or more policies 568 of the authentication session 567" is being read as the authentication session 567 comprising of the traffic flow rules established by the authentication virtual server, which was generated based off the (first identifier) client's credentials),
	the second message further comprises the obtained traffic flow rule (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server", where the "evaluation" is being read as the second message and where "one or more expressions identifying one or more attributes of the client as the result...can also provide the result as input to the one or more traffic management policies..." is being read as the evaluation (second message) comprising the obtained traffic flow rule), and
	
	Harris as modified by Anton and further modified by Mont does not teach the following limitation(s) as taught by Vachiravel: the obtained traffic flow rule comprises traffic flow information identifying one or more traffic flows and traffic routing information for the identified traffic flows for enabling the network node to route traffic transmitted by the communication device and corresponding to one of the identified traffic flows to an appropriate network entity.
	(Vachiravel, Paragraph [0038], see “The message granting the user device 102 access to the enterprise network system 100 includes an indication of network access associated with the user device. The indication of network access can be an indication of network access classification and/or an indication of a user classification…After the network access node 104 receives the VSA and Filter-Id attributes, the results associated with the VSA and Filter-Id attributes allow the network access node 104 to apply the corresponding classifications and/or policies regarding network access to the user device 102”, where “corresponding classifications and/or policies regarding network access” is analogous to the message comprising traffic flow information and traffic routing information for enabling the network node to route traffic to an appropriate network entity).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, techniques disclosed of Anton, and techniques disclosed of Mont, by implementing a system and method of controlling network access, comprising of transmitting a second message from the authentication server to a network node, where the second message comprises traffic flow information and traffic routing information for enabling the network node to route traffic to an appropriate network entity, disclosed of Vachiravel.  
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising of transmitting a second message from the authentication server to a network node, where the second message comprises traffic flow information and traffic routing information for enabling the network node to route traffic to an appropriate network entity. Having the authentication server transmit a message that indicates the appropriate traffic flow information and traffic routing information to the network node, allows for an improvement in security within the system. This allows for the authentication server to validate the appropriate traffic flow information and traffic routing information to make sure traffic is properly routed in the network (Vachiravel, Paragraph [0038]). 

	Regarding claim 16, Harris as modified by Anton and further modified by Mont and Vachiravel teaches The authentication server of claim 15, wherein the data processing system is configured such that, the using the first identifier to obtain the traffic flow rule further comprises:
	providing to a rules function the first identifier, wherein the rules function is configured to select a rule based on the first identifier and provide the selected rule to the authentication server; and
	receiving the traffic flow rule selected by the rules function based on the first identifier (Harris, Paragraph [0157], see "Further, the authentication vServer 275av can include and/or operate with any embodiment of the policy engine 236 described above in connection with FIG. 2A", where the "policy engine 236" is being read as the rules function; Paragraph [0182], see "The TM vServer and/or the authentication vServer may include or communicate with the one or more policy engines 236") (Harris, Paragraph [0183], see "In other embodiments, the one or more policy engines 236 sends the one or more identified policies to the TM vServer and/or the authentication vServer", where "the one or more policy engines 236 sends the one or more identified policies to ... the authentication vServer" is being read as the rules function (policy engine 236) being configured to obtain a rule and providing the selected rule to the authentication server) (Harris, Paragraph [0263], see "In yet another embodiment, traffic management virtual server identifies the policy based at least in part on the collected information from the client 102. Further, the policy may be identified from the traffic management policies 586, the authentication policies 568, or any other policies. Any policy may be applied through a policy engine, such as any embodiment of the policy engine 236 discussed above in connection with FIG. 2A", where "the policy may be identified from the traffic management policies 586, the authentication policies 568, or any other policies" is being read as the authentication server providing the first identifier to a rules function (policy engine 236), where the policy is identified based at least in part on the collected information from the client 102 (where the "collected information" is being read as comprising the first identifier)).
	On a side note, Harris, Paragraph [0134], see ''The collection agent 304 comprises an application, program, process, service, task or executable instructions for identifying, obtaining and/or collecting information about the client 102 ... In one embodiment, the policy engine 236 of the appliance 200 uses the collected information to determine and provide access, authentication and authorization control of the client's connection to a network 104") (Harris, Paragraph [0135], see "The policy engine 236 may have one or more policies based on any one or more of the attributes or characteristics of the client or client-side attributes", where "one or more of the attributes or characteristics of the client or client-side attributes" are provided by the authentication virtual server) (Harris, Paragraph [0015], see "The authentication virtual server may provide an evaluation of one or more expressions identifying one or more attributes of the client as the result. The authentication virtual server can also provide the result as input to the one or more traffic management policies of the traffic management virtual server"), therefore, the authentication server is providing the first identifier (contained within the evaluation identifying one or more attributes of the client) to the rules function (policy engine 236), where the rules function is configured to obtain the rule based on the client attributes (first identifier)) (Harris, Paragraph [0179], see "a collection agent 304 may obtain information from the client 102 for one or both of the TM vServer and the authentication vServer", where the authentication vServer retrieves the information (first identifier) about the client 102 from the collection agent, forwards the first identifier to the rules function (policy engine 236), where the policy engine uses the collected information to determine and provide access (determine the traffic flow rule), and send it to the authentication vServer).
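	The following is an added illustration, not part of this Office Action or of the Harris reference, of the exchange described above: the authentication server takes the first identifier from the information collected about the client, provides it to a rules function, and receives the rule the rules function selected for that identifier. The identifier values, the rule table, the message shapes and the default-drop behavior for unknown identifiers are assumptions of the illustration, not features of Harris.

```python
"""Added illustration (not from the Office Action or the cited references):
an authentication server handing a client-derived first identifier to a
rules function, which selects a traffic flow rule and returns it.
Identifier values, the rule table and message shapes are assumptions."""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class FlowRule:
    match_src: str    # client address the rule applies to ("*" = any)
    destination: str  # where the network node should forward the traffic
    action: str       # "forward" or "drop"


# Constructed rule table keyed by the first identifier; here the identifier
# is a group name reported by the client-side collection agent (assumption).
RULE_TABLE = {
    "group-finance": FlowRule("*", "10.10.1.0/24", "forward"),
    "group-guest":   FlowRule("*", "10.10.9.0/24", "forward"),
}

# The identifier originates on the client side, so its shape is checked
# before it is used as a lookup key.
IDENT_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")


def rules_function(first_identifier: str) -> FlowRule:
    """Select a rule based on the first identifier. An unknown identifier
    yields an explicit drop rule instead of a permissive fallback."""
    if not IDENT_RE.fullmatch(first_identifier):
        raise ValueError("malformed identifier")
    return RULE_TABLE.get(first_identifier, FlowRule("*", "0.0.0.0/0", "drop"))


def authentication_server(collected: dict) -> FlowRule:
    """Take the first identifier from what the collection agent reported,
    provide it to the rules function, and receive the selected rule."""
    ident = collected.get("group")
    if not isinstance(ident, str):
        raise ValueError("collection agent did not report a group identifier")
    rule = rules_function(ident)
    # Bind the returned rule to the client being authenticated, so a rule
    # template with a wildcard source is not applied to other hosts.
    client_ip = str(ipaddress.ip_address(collected["client_ip"]))
    return FlowRule(client_ip, rule.destination, rule.action)
```

	Two details of the illustration are the ones a practitioner would check in a real deployment: the identifier comes from the client side (the collection agent), so it is validated before it becomes a lookup key, and the rule handed back is bound to the authenticated client's address so that a wildcard rule template cannot be applied beyond that client.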


Claims 5 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Harris, in view of Anton, in further view of Mont, in further view of Guichard et al. (U.S. PGPub. 2005/0083955), hereinafter Guichard.
	Regarding claim 5, Harris as modified by Anton and further modified by Mont do not teach the following limitation(s) as taught by Guichard: The method of claim 4, wherein
	the method further comprises the network node or the authentication server transmitting the traffic flow rule to a second network node,
	wherein the second network node is configured to receive traffic transmitted by the communication device, and
	the traffic flow rule identifies a destination to which the second network node should forward the received traffic.
	(Guichard, Paragraph [0016], see "After the downstream policy information is populated in the first node for a new client, the first node may distribute the network address information populated in the downstream policy information (at the first node) to other nodes via use of a notification message distributed according to a system routing protocol such as BGP (Border Gateway Protocol)...Generally, the network address information sent to the second node...is used to update routing policy information at the second node. The routing policy information at the second node is used in turn to identify a route on which to forward appropriately destined traffic to the clients coupled to the first provider edge node", where "client" is analogous to the communication device and/or the user, where "the first node may distribute the network address information populated in the downstream policy information...to other nodes" is analogous to the network node transmitting the traffic flow rule to a second network node and where "The routing policy information at the second node is used in turn to identify a route on which to forward appropriately destined traffic to the clients..." is analogous to the second node being configured to receive the traffic transmitted by the communication device and identify a destination to which the second network node should forward the received traffic).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, the techniques disclosed of Anton, and the techniques disclosed of Mont, by implementing a system and method to support routing of information, comprising a second network node receiving the traffic flow regulations, in order to help determine the destination to which the second network node should forward the received traffic, disclosed of Guichard.
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising a second network node receiving the traffic flow regulations, in order to help determine the destination to which the second network node should forward the received traffic. Having a method for routing traffic originating from a communication device that comprises a second node benefits the system by introducing an additional connection point that can receive, create, store or send data along distributed network routes. The first network node transmitting the traffic flow rules to a second network node allows the second network node to learn the destinations to which it should forward the received traffic. Implementing the system with an additional node that receives the traffic flow rule and learns where to forward the received traffic could allow for a faster transmission time, based on which network node is closest to the destination, and could also prevent data loss: in cases where one of the network nodes fails to forward the received traffic, the other node is able to receive the traffic communicated by the communication device and forward it to the appropriate destination (Guichard, Paragraph [0016]).

	Regarding claim 18, Harris as modified by Anton and further modified by Mont do not teach the following limitation(s) as taught by Guichard: The authentication server of claim 17, wherein
	the network node or authentication server transmits the traffic flow rule to a second network node,
	the second network node is configured to receive traffic transmitted by the communication device, and
	the traffic flow rule identifies a node to which the second network node should forward the received traffic.
	(Guichard, Paragraph [0016], see "After the downstream policy information is populated in the first node for a new client, the first node may distribute the network address information populated in the downstream policy information (at the first node) to other nodes via use of a notification message distributed according to a system routing protocol such as BGP (Border Gateway Protocol)...Generally, the network address information sent to the second node...is used to update routing policy information at the second node. The routing policy information at the second node is used in turn to identify a route on which to forward appropriately destined traffic to the clients coupled to the first provider edge node", where "client" is analogous to the communication device and/or the user, where "the first node may distribute the network address information populated in the downstream policy information...to other nodes" is analogous to the network node transmitting the traffic flow rule to a second network node and where "The routing policy information at the second node is used in turn to identify a route on which to forward appropriately destined traffic to the clients..." is analogous to the second node being configured to receive the traffic transmitted by the communication device and identify a destination to which the second network node should forward the received traffic).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, the techniques disclosed of Anton, and the techniques disclosed of Mont, by implementing a system and method to support routing of information, comprising a second network node receiving the traffic flow regulations, in order to help determine the destination to which the second network node should forward the received traffic, disclosed of Guichard.
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising a second network node receiving the traffic flow regulations, in order to help determine the destination to which the second network node should forward the received traffic. Having a method for routing traffic originating from a communication device that comprises a second node benefits the system by introducing an additional connection point that can receive, create, store or send data along distributed network routes. The first network node transmitting the traffic flow rules to a second network node allows the second network node to learn the destinations to which it should forward the received traffic. Implementing the system with an additional node that receives the traffic flow rule and learns where to forward the received traffic could allow for a faster transmission time, based on which network node is closest to the destination, and could also prevent data loss: in cases where one of the network nodes fails to forward the received traffic, the other node is able to receive the traffic communicated by the communication device and forward it to the appropriate destination (Guichard, Paragraph [0016]).


Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Harris, in view of Anton, in further view of Mont, in further view of Vachiravel, in further view of Dunbar et al. (U.S. PGPub. 2014/0307744), hereinafter Dunbar. 

	Regarding claim 9, Harris as modified by Anton and further modified by Mont and Vachiravel do not teach the following limitation(s) as taught by Dunbar: The method of claim 2, wherein
	the network node is a gateway,
	the gateway is configured to receive a packet transmitted by the communication device,
	the traffic flow rule identifies a destination to which the gateway should forward the received packet,
	the gateway determines the destination identified by the traffic flow rule, and
	the gateway forwards the received packet to the destination identified by the traffic flow rule.
	(Dunbar, Paragraph [0028], see “a distributed gateway 116 may receive traffic from tenant end point and perform inter-network forwarding to route traffic between the two virtual overlay networks. In instances where the distributed gateway 116 does not store the inter-network forwarding policy, the distributed gateway 116 may forward data traffic to the default gateway 112 for inter-network based forwarding and policy checking”, where “distributed gateway 116” is analogous to the network node being a gateway, where “receive traffic from tenant end point” is analogous to the gateway receiving a packet transmitted by the communication device, where “inter-network forwarding policy” is analogous to the traffic flow rule identifying a destination to which the gateway should forward the received packet and where “the distributed gateway 116 may forward data traffic to the default gateway 112…” is analogous to the gateway determining the destination identified by the traffic flow rule and forwarding the received packet to the destination identified by the traffic flow rule. In this instance, the distributed gateway 116 forwards the data traffic to the default gateway 112 due to the distributed gateway 116 not storing the inter-network forwarding policies, but in other embodiments, the distributed gateway 116 determines the destination and forwards the packet to the destination identified by the traffic flow rule).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, the techniques disclosed of Anton, the techniques disclosed of Mont and the techniques of controlling network access, disclosed of Vachiravel, by implementing a service chain policy for distributed gateways in virtual overlay networks, comprising the network node being a gateway, where the gateway is configured to receive traffic from the communication device, identify a destination to which the gateway should forward the received packet and forward the received packet to the identified destination according to the traffic flow rule, disclosed of Dunbar. 
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising the network node being a gateway, where the gateway is configured to receive traffic from the communication device, identify a destination to which the gateway should forward the received packet and forward the received packet to the identified destination according to the traffic flow rule. The node being a gateway allows the received traffic to be evaluated before it is sent to the destination, which ultimately reduces error within the communication network by having the traffic properly routed. The gateway provides a key stopping point for traffic on its way to or from other nodes and devices. Instead of the network node simply being a redistribution point or a communication endpoint, implementing the network node as a gateway allows the network node to act as a proxy server and/or firewall, which ultimately improves the overall security within the system (Dunbar, Paragraph [0028]). 
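	The following is an added illustration, not part of this Office Action or of the Guichard and Dunbar references, combining the two points discussed above: a first node that installs a traffic flow rule and distributes it to a second node so that either node can forward the communication device's traffic (claims 5 and 18), and a gateway that forwards a received packet to the destination named by its rule or, when it holds no matching rule, hands the packet to a default gateway for policy checking (claim 9). The addresses, the in-memory distribution standing in for a routing-protocol update such as BGP, and the drop behavior at a node with neither a rule nor a default gateway are assumptions of the illustration.

```python
"""Added illustration (not from the Office Action or the cited references):
a gateway forwarding a received packet to the destination named by a traffic
flow rule, a first node distributing that rule to a second node so both can
forward the device's traffic, and a default-gateway fallback for a node that
holds no matching rule. Addresses and the in-memory 'distribution' (in place
of a real control channel such as a BGP update) are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class FlowRule:
    src: str          # communication device address the rule applies to
    destination: str  # node/address the packet must be forwarded to


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes = b""


@dataclass
class Gateway:
    name: str
    default_gateway: Optional["Gateway"] = None
    rules: Dict[str, FlowRule] = field(default_factory=dict)
    log: List[Tuple[str, str]] = field(default_factory=list)

    def install(self, rule: FlowRule) -> None:
        # A malformed source key would never match and the device's traffic
        # would silently take the default path, so reject it up front.
        ipaddress.ip_address(rule.src)
        self.rules[rule.src] = rule

    def distribute(self, rule: FlowRule, *others: "Gateway") -> None:
        """First node installs the rule and transmits it to the other nodes."""
        self.install(rule)
        for node in others:
            node.install(rule)

    def forward(self, pkt: Packet) -> str:
        """Forward the packet; return the destination it was sent to."""
        rule = self.rules.get(pkt.src)
        if rule is not None:
            self.log.append((pkt.src, rule.destination))
            return rule.destination
        if self.default_gateway is not None:
            # No local policy for this source: hand off for policy checking.
            self.log.append((pkt.src, self.default_gateway.name))
            return self.default_gateway.forward(pkt)
        self.log.append((pkt.src, "drop"))
        return "drop"


def demo() -> dict:
    """Constructed topology: two distributed gateways sharing a default gateway."""
    default = Gateway("default-gw")
    first = Gateway("gw-1", default_gateway=default)
    second = Gateway("gw-2", default_gateway=default)
    rule = FlowRule(src="192.0.2.10", destination="10.10.1.5")
    first.distribute(rule, second)  # second node learns where to forward
    default.install(FlowRule(src="198.51.100.7", destination="10.10.2.9"))
    pkt = Packet(src="192.0.2.10", dst="10.10.1.5")
    return {
        "first": first.forward(pkt),
        # first node unavailable: the second node still forwards the device's traffic
        "second": second.forward(pkt),
        # source unknown to gw-1: resolved by the default gateway's policy
        "unknown": first.forward(Packet(src="198.51.100.7", dst="10.10.2.9")),
        # no rule anywhere: dropped rather than forwarded by guesswork
        "dropped": default.forward(Packet(src="203.0.113.3", dst="10.10.2.9")),
    }
```

	The per-node log records which destination each source was handed to, including the hop to the default gateway; that is the record a practitioner would want when verifying that a distributed rule actually reached the second node and that unmatched traffic is not being forwarded by a permissive default.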


Claims 12 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Harris, in view of Anton, in further view of Mont, in further view of Dunbar.

	Regarding claim 12, Harris as modified by Anton and further modified by Mont teaches The method of claim 1, wherein
	the method further comprises the authentication server transmitting a message to an access point for permitting the communication device to access the resource (Harris, Paragraph [0009], see "Further, the authentication virtual server can authenticate credentials received from the client and establish an authentication session for the client. The authentication session may identify one or more policies. In addition, the authentication virtual server may transmit a second response to redirect the client to the traffic management virtual server. The second response identifies the authentication session", where "the authentication virtual server may transmit a second response to redirect the client to the traffic management virtual server" is being read as the authentication server transmitting a message to an access point for permitting the communication device to access the resource, where "traffic management virtual server" is being read as the access point for permitting the communication device to access the resource, due to the traffic management virtual server receiving the identifier of the authentication session, and utilizing the identifier to forward traffic authorized by the one or more policies).
	Harris as modified by Anton and further modified by Mont do not teach the following limitation(s) as taught by Dunbar: the network node is one of: a gateway and a node comprising a rules function,
	the network comprises a virtual switch.
	(Dunbar, Paragraph [0006], see "The service chain policy may identify a sequence of network nodes (e.g. one or more network nodes) that may have the needed service functions attached and/or have the needed treatment policies to properly route the packets", where the "service chain policy" is analogous to a rules function and where "a sequence of network nodes...that may have the needed service functions attached..." is analogous to a node comprising a rules function) (Dunbar, Paragraph [0020], see "The service chain policies may be distributed to the distributed gateways, NVEs, default gateways, and/or other network nodes such that a data packet may be forwarded in a designated sequence of nodes to receive network service function processing prior to forwarding the packet to the destination tenant end point", where "The service chain policies may be distributed to the distributed gateways, NVEs, default gateways, and/or other network nodes..." is analogous to the network node being a gateway comprising a rules function) (Dunbar, Paragraph [0024], see "A virtual switching node, such as a virtual switch and/or router, can be created to route traffic amongst the tenant end points within a single server 108", where a “virtual switching node, such as a virtual switch” is analogous to the network comprising a virtual switch).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, the techniques disclosed of Anton, and the techniques disclosed of Mont, by implementing a service chain policy for distributed gateways in virtual overlay networks, comprising a rules function associated with the routing of traffic and a virtual switch, disclosed of Dunbar. 
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising a rules function associated with the routing of traffic and a virtual switch. Having a method for routing traffic where the network node comprises a rules function allows the network node to learn the policies for properly routing the packets to the designated destination. Implementing this method with a virtual switch allows network administrators to manage a virtual switch deployed through a hypervisor, which ultimately makes it easier to roll out new functionalities within the system, as opposed to a physical switch. Also, implementing a method for routing traffic with a virtual switch, as opposed to a physical switch, creates an active mesh between the server and switches, which helps to increase bandwidth (Dunbar, Paragraph [0006]).

	Regarding claim 25, Harris as modified by Anton and further modified by Mont teaches The authentication server of claim 14, wherein
	the data processing system is further configured to use the network interface to transmit a message to an access point for permitting the communication device to access the resource (Harris, Paragraph [0009], see "Further, the authentication virtual server can authenticate credentials received from the client and establish an authentication session for the client. The authentication session may identify one or more policies. In addition, the authentication virtual server may transmit a second response to redirect the client to the traffic management virtual server. The second response identifies the authentication session", where "the authentication virtual server may transmit a second response to redirect the client to the traffic management virtual server" is being read as the authentication server transmitting a message to an access point for permitting the communication device to access the resource, where "traffic management virtual server" is being read as the access point for permitting the communication device to access the resource, due to the traffic management virtual server receiving the identifier of the authentication session, and utilizing the identifier to forward traffic authorized by the one or more policies).
	Harris as modified by Anton and further modified by Mont do not teach the following limitation(s) as taught by Dunbar: the network node is one of: a gateway and a node comprising a rules function;
	the network comprises a virtual switch.
	(Dunbar, Paragraph [0006], see "The service chain policy may identify a sequence of network nodes (e.g. one or more network nodes) that may have the needed service functions attached and/or have the needed treatment policies to properly route the packets", where the "service chain policy" is analogous to a rules function and where "a sequence of network nodes...that may have the needed service functions attached..." is analogous to a node comprising a rules function) (Dunbar, Paragraph [0020], see "The service chain policies may be distributed to the distributed gateways, NVEs, default gateways, and/or other network nodes such that a data packet may be forwarded in a designated sequence of nodes to receive network service function processing prior to forwarding the packet to the destination tenant end point", where "The service chain policies may be distributed to the distributed gateways, NVEs, default gateways, and/or other network nodes..." is analogous to the network node being a gateway comprising a rules function) (Dunbar, Paragraph [0024], see "A virtual switching node, such as a virtual switch and/or router, can be created to route traffic amongst the tenant end points within a single server 108", where a “virtual switching node, such as a virtual switch” is analogous to the network comprising a virtual switch).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the systems and methods for selective authentication, authorization, and auditing in connection with traffic management, disclosed of Harris, the techniques disclosed of Anton, and the techniques disclosed of Mont, by implementing a service chain policy for distributed gateways in virtual overlay networks, comprising a rules function associated with the routing of traffic and a virtual switch, disclosed of Dunbar. 
	One of ordinary skill in the art would have been motivated to make this modification to implement a system and method for routing traffic originating from a communication device, comprising a rules function associated with the routing of traffic and a virtual switch. Having a method for routing traffic where the network node comprises a rules function allows the network node to learn the policies for properly routing the packets to the designated destination. Implementing this method with a virtual switch allows network administrators to manage a virtual switch deployed through a hypervisor, which ultimately makes it easier to roll out new functionalities within the system, as opposed to a physical switch. Also, implementing a method for routing traffic with a virtual switch, as opposed to a physical switch, creates an active mesh between the server and switches, which helps to increase bandwidth (Dunbar, Paragraph [0006]).
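	The following is an added illustration, not part of this Office Action or of the Harris reference, of the message relied on for claims 12 and 25 above: the authentication server establishes an authentication session, returns a redirect carrying the session identifier, and the access point (the traffic management server) checks that identifier before applying the session's policies to the device's traffic. Harris, as cited, does not specify how the session identifier is protected; the HMAC-based token format, the shared key, the expiry and the field names are assumptions of the illustration.

```python
"""Added illustration (not from the Office Action or the cited references):
the authentication server establishing a session, redirecting the client
to the access point with the session identifier, and the access point
verifying that identifier before permitting the device's traffic. Key,
expiry, field names and the HMAC token format are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets

# Assumed secret shared by the authentication server and the access point.
SHARED_KEY = b"assumed-shared-secret-between-auth-server-and-access-point"
SESSION_TTL = 300  # seconds the session identifier stays valid (assumption)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def establish_session(client_id: str, policies: list, now: float) -> str:
    """Authentication server: create the session and return its identifier.
    The identifier carries the client and the policies the session
    identifies, is unguessable, and is integrity-protected with an HMAC so
    the access point can trust what it says."""
    body = json.dumps(
        {"sid": secrets.token_hex(16), "client": client_id,
         "policies": policies, "exp": int(now) + SESSION_TTL},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def redirect_message(session_identifier: str) -> dict:
    """The 'second response': redirect the client to the access point,
    identifying the authentication session (URL is a constructed example)."""
    return {"status": 302,
            "location": "https://tm.example/?session=" + session_identifier}


def access_point_permit(session_identifier: str, client_id: str, now: float):
    """Access point: verify the identifier the client presents, then return
    the policies that authorize forwarding, or None to refuse access."""
    try:
        body_b64, tag_b64 = session_identifier.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or altered identifier
    claims = json.loads(body)
    if claims["client"] != client_id or claims["exp"] < now:
        return None  # presented by a different client, or stale
    return claims["policies"]
```

	The check at the access point is the security-relevant step: the identifier travels through the client in the redirect, so without an integrity tag and an expiry the client could present a forged or stale session and the access point would forward traffic the policies never authorized.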


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747.  The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571) 272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2433                                                 

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433