DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 16-32 are pending in this application.
Claims 16, 22, 25, 30 and 32 are currently amended.
Claims 1-15 were previously cancelled.
No new IDS was submitted by the Applicant.

Claim Objections
The amendments and/or arguments filed on 10/06/2020 have been considered and are persuasive; thus the previous claim objection(s) have been withdrawn.

Claim Rejections – 35 USC 112 
The amendments and/or arguments filed on 10/06/2020 have been considered and are persuasive; thus the previous claim rejection(s) have been withdrawn.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

Claims 16-18, 22-23, 27, 30 and 32 are rejected under 35 U.S.C. 103 as being unpatentable over Dustin Doloff,  (U.S. Patent US 10505925 B1, hereinafter Doloff), (the following publication is used for Doloff which has similar content, Dustin Doloff,  (U.S. Application US 20200092278 A1, hereinafter Doloff)), and in view of Yuhua Wu,  (U.S. Patent US 8132242 B1, hereinafter Wu)
claim 16, Doloff teaches a method for identification, the method comprising the steps of: (a) receiving via a shared virtual private network (VPN) a first request, said first request from a user on a first side of said shared VPN, said receiving at a second side of said shared VPN, and said first request including a reference to a resource to be accessed by said user; (See Doloff: Abstract, receiving, from a requestor, a request for access to one or more resources).
(See also Doloff: Paragraph 0027 and FIG. 3: element 302 “Receive request for access resources (VPN)”, FIG. 3 illustrates an example process 300 for authenticating a request that can be used in accordance with various embodiments. It should be understood that for this and other processes discussed herein that additional, fewer, or alternative steps can be performed in similar or alternative steps, or in parallel, within the scope of the various embodiments unless otherwise stated. In this example, a request for access to a set of resources is received 302). 
(See also Doloff: Paragraph 0015 and FIG. 1, In the case of a VPN request, the resource manager can allocate and configure a VPN connection such that VPN software 122 executing on the client device 102 (equivalent to user on a first side) can access the resources (equivalent to reference to a resource to be accessed by said user) in the provider environment 106 (equivalent to second side) as if the client were directly connected to those resources inside the provider environment. 
(See also Doloff: Paragraph 0013 and FIG. 1, The sharing of these multi-tenant resources from a provider environment is often referred to as resource sharing, Web services, or “cloud computing,” among other such terms and depending 114 of one or more types). 

Doloff also teaches (b) evaluating said first request to determine whether said first request includes a first token, said first token authenticating said user, and if said first request lacks said first token: (See Doloff: FIG. 4: Element 402 “Receive information for request to be authenticated”, 404 “Determine first set of authentication information for request” and 406 “Analyze authentication information to determine whether request is invalid per denial criterion”).
(See also Doloff: Paragraph 0015 and FIG. 1, The token or ticket can be passed with requests on the VPN session in order to indicate authentication (i.e., first token) and obtain permitted access to the resources).
(See also Doloff: Paragraph 0027 and FIG. 3, for example, with the information being contained in the request, associated with a source of the request, or otherwise determined. In some embodiments, the request may include a credential or user identifier that can be used to obtain other authentication information relevant for the request. In this example process, a first set of authentication checks is performed 306 with respect to the request information).
(See also Doloff: Paragraph 0027 and FIG. 4: Element 408 “Invalid?” and 410 “Deny request”, Based at least in part upon any or all of these criteria, a determination can be made 408 whether the request is invalid, or at least unable to be authenticated. If so, the request can be denied 410 or other actions can be taken, such as to notify a user of an issue with the request that a valid user could remedy).

Doloff also teaches (i) generating said first token authenticating said user, (See Doloff: Paragraph 0029 and FIG. 4, a first authentication token or ticket can be generated 412).
Doloff also teaches (ii) registering said user, said registration including associating said user with said first token, (See Doloff: Paragraph 0014 and FIG. 1,The identity provider can provide the credentials to the resource provider environment 106 and/or to the client device 102, whereby the client device can utilize those credentials to obtain access or use of various resources in the provider environment, where the type and/or scope of access can depend upon factors such as a type of user, a type of user account, a role associated with the credentials, or a policy associated with the user and/or credentials, among other such factors).
(See also Doloff: Paragraph 0019 and FIG. 1, As mentioned, the authentication for internal services, as may provide websites or other content access, can involve an authentication mechanism that provides tokens that identifies the users associated with requests, where those tokens can only be obtained from a specific service, such as a corporate token granting service).

Doloff  does not teach (ii) issuing said first request further including said first token, said registration identifying, at said second side of said shared VPN, said user based on said first token.  
issuing said first request further including said first token, said registration identifying, at said second side of said shared VPN, said user based on said first token, 
(See Wu: Column 2, lines 1-14 and FIG. 1, For example, a web browser may establish a secure sockets layer virtual private network (SSL VPN) session with a SSL VPN gateway by providing one or more authentication credentials to the SSL VPN gateway. When the user of the web browser sends a request to access one of the resources (i.e., issuing said first request) provided by a resource server protected by the SSL VPN gateway, the request is intercepted, either by specialized software executing on the client device or by the SSL VPN gateway. In either case, the SSL VPN gateway issues a temporary token to the client device when the requested resource is associated with a software application that is external to the web browser. This temporary token includes temporary credential information that can subsequently be used by the SSL VPN gateway to authenticate the external application (i.e., second side)).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu to issuing said first request further including said first token, said registration identifying, at said second side of said shared VPN, said user based on said first token. The motivation for doing so would be to have a virtual private network (VPN) in enterprise environment to protect one or more network resource. The motivation for doing so would be to access these VPN-protected resources through a web browser, a 

As per claim 17, Doloff in view of Wu teaches the method of claim 16.
Doloff does not teach evaluating said first request to determine whether said first request includes a second token, said second token authenticating said user to said resource, and if said first request lacks said second token: 	 (i) generating said second token authenticating said user to said resource, and (ii) issuing said first request further including said second token.  
However, in the same field of endeavor, Wu teaches evaluating said first request to determine whether said first request includes a second token, said second token authenticating said user to said resource, and if said first request lacks said second token: (See Wu: Column 8, lines 12-16 and FIG. 2, token verification module 40 determines that the temporary token is valid (“YES” of 69), SSL VPN manager 38 creates an application-specific cookie, i.e., a session cookie that cannot be accessed by other applications, and stores the actual credentials of user 4 within the cookie (72)).
(See also Wu: Column 7, lines 52-57 and FIG. 3 and FIG. 4, If the resource request does not include a user credentials (“NO” of 52), (i.e., determine whether said first request includes a second token) SSL VPN manager 38 determines whether the intercepted request includes a temporary token (68). If the request does not include a temporary token (“NO” of 68), (i.e., first request lacks said second token) SSL VPN manager 38 requests that user 17 supply a username and password for the requesting application (70). … 
(See also Wu: Column 8, lines 1-3 and FIG. 3 and FIG. 4, If the temporary token is not valid (“NO” of 69), token verification module 40 alerts SSL VPN manager 38 to this fact. 
Wu also teaches (i) generating said second token authenticating said user to said resource, 
(See also Wu: Column 10, lines 12-19, FIG. 3 and FIG. 4, When token creation module 44 (i.e., generating said second token) receives a resource request from SSL VPN manager 38, token creation module 44 extracts the URL and hostname portions of the resource request. For example, the URL portion of the resource request may be “/docs/myDoc.doc” and the hostname portion may be “www.ex.com”. The combination of the URL portion and the hostname portion of the resource request identifies which resource is requested.
Wu also teaches (ii) issuing said first request further including said second token, (See Wu: Column 5, lines 63-67, FIG. 3 and FIG. 4, On the other hand, if SSL VPN manager 38 determines that the intercepted resource request will result in the launch of an application 8, SSL VPN manager 38 requests that token creation module 44 issue a temporary token).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of 

As per claim 18, Doloff in view of Wu teaches the method of claim 17.
Doloff also teaches evaluating said first request to determine whether said first request includes a second token, and if said first request includes said second token then allowing said user access to said resource, (See Doloff: Paragraph 0030 and FIG. 4,  If is determined 422 that the request is not authenticated, then the request can be denied 424 or otherwise processed. If the request is authenticated, a second token (or ticket, credential, etc.) can be generated 426 that can enable subsequent requests or actions for that user, device, or account to be granted without additional authentication, at least during a current session or active lifetime of the second token. An authentication response, as well as the second token, can then be provided 428 to a source of the request, or other destination, enabling the requested access to be obtained using the second credential).

As per claim 19, Doloff in view of Wu teaches the method of claim 16.
Doloff in view of Wu does not teach wherein said user is selected from the group consisting of: (a) a person;(b) a person using an application on a client computer;(c) a person using a web browser on a client computer; and (d) a software process.  
However, in the same field of endeavor, Drozd teaches wherein said user is selected from the group consisting of:(a) a person;(b) a person using an application on a client computer;(c) a person using a web browser on a client computer; and (d) a software process.  
Referring to FIG. 1B, of Drozd, system 100 includes, but is not limited to, one or more client systems 101-102 (equivalent to person) communicatively coupled to cloud storage server 160, identity provider server 170, and authentication/authorization (AUTH) server 180 (equivalent to software process) over network 103. Clients 101-102 may be any type of clients (equivalent to person using an application on a client computer) such as a host or server, a personal computer (e.g., desktops, laptops, and tablets), a “thin” client, a personal digital assistant (PDA), a Web enabled appliance (equivalent to person using a web browser on a client computer), or a mobile phone (e.g., Smartphone), etc. As used herein, a client may also refer to a user/principal, a principal tenant, a child tenant, and/or a component in a multi-tenant environment, see [Drozd: Column 6: lines 4-15; 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu and also with the teaching of Drozd wherein said user is selected from the group consisting of: a person; a person using an application on a client computer; a person using a web browser on a client computer; and 	a software process. The motivation for doing so would be to have authentication, authorization, and managing access control of users in a multi-tenant environment via a command line interface, (See Drozd: Column 1, lines 11-13).

As per claim 22, Doloff in view of Wu teaches the method of claim 16.
Doloff does not teach wherein said first token authenticates said user to a domain other than a domain of said resource.   
However, in the same field of endeavor, Wu teaches wherein said first token authenticates said user to a domain other than a domain of said resource, (See Wu: Column 1, lines 22-24, In some instances, a resource may be associated with a network-enabled software application other than the web browser).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu wherein said first token authenticates said user to a domain other than a domain of said resource. The motivation for doing so would be to access these VPN-protected 

As per claim 23, Doloff in view of Wu teaches the method of claim 16.
Doloff does not teach wherein said issuing is implemented by redirecting said first request.  
However, in the same field of endeavor, Wu teaches wherein said issuing is implemented by redirecting said first request, (See Wu: Column 8, lines 19-20 and FIG. 3, After creating the session cookie, SSL VPN manager 38 forwards the request to resource server 14 (73)).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu wherein said issuing is implemented by redirecting said first request.  The motivation for doing so would be to access these VPN-protected resources through a web browser, a VPN gateway or other security device requires a remote user to supply credentials, e.g., a username and password. After the user supplies the credentials, the VPN gateway authenticates the user and establishes a secure session between the web browser and the VPN gateway, (See Wu: Column 1, lines 12-20).

claim 27, Doloff teaches a system comprising: a processing system containing one or more processors, said processing system being configured to: (a) receive via a shared virtual private network (VPN) a first request, said first request from a user on a first side of said shared VPN, said receiving at a second side of said shared VPN, and said first request including a reference to a resource to be accessed by said user; (See Doloff: Abstract, receiving, from a requestor, a request for access to one or more resources).
(See also Doloff: Paragraph 0027 and FIG. 3: element 302 “Receive request for access resources (VPN)”, FIG. 3 illustrates an example process 300 for authenticating a request that can be used in accordance with various embodiments. It should be understood that for this and other processes discussed herein that additional, fewer, or alternative steps can be performed in similar or alternative steps, or in parallel, within the scope of the various embodiments unless otherwise stated. In this example, a request for access to a set of resources is received 302). 
(See also Doloff: Paragraph 0015 and FIG. 1, In the case of a VPN request, the resource manager can allocate and configure a VPN connection such that VPN software 122 executing on the client device 102 (equivalent to user on a first side) can access the resources (equivalent to reference to a resource to be accessed by said user) in the provider environment 106 (equivalent to second side) as if the client were directly connected to those resources inside the provider environment. 
(See also Doloff: Paragraph 0013 and FIG. 1, The sharing of these multi-tenant resources from a provider environment is often referred to as resource sharing, Web services, or “cloud computing,” among other such terms and depending 114 of one or more types). 
Doloff also teaches  (b) evaluate said first request to determine whether said first request includes a first token, said first token authenticating said user, and if said first request lacks said first token: (See Doloff: FIG. 4: Element 402 “Receive information for request to be authenticated”, 404 “Determine first set of authentication information for request” and 406 “Analyze authentication information to determine whether request is invalid per denial criterion”).
(See also Doloff: Paragraph 0015 and FIG. 1, The token or ticket can be passed with requests on the VPN session in order to indicate authentication (i.e., first token) and obtain permitted access to the resources).
(See also Doloff: Paragraph 0027 and FIG. 3, for example, with the information being contained in the request, associated with a source of the request, or otherwise determined. In some embodiments, the request may include a credential or user identifier that can be used to obtain other authentication information relevant for the request. In this example process, a first set of authentication checks is performed 306 with respect to the request information).
(See also Doloff: Paragraph 0027 and FIG. 4: Element 408 “Invalid?” and 410 “Deny request”, Based at least in part upon any or all of these criteria, a determination can be made 408 whether the request is invalid, or at least unable to be authenticated. If so, the request can be denied 410 or other actions can be taken, such as to notify a user of an issue with the request that a valid user could remedy).
 teaches (i) generate said first token authenticating said user, (See Doloff: Paragraph 0029 and FIG. 4, a first authentication token or ticket can be generated 412).
Doloff also teaches (ii) register said user, said registration including associating said user with said first token, (See Doloff: Paragraph 0014 and FIG. 1,The identity provider can provide the credentials to the resource provider environment 106 and/or to the client device 102, whereby the client device can utilize those credentials to obtain access or use of various resources in the provider environment, where the type and/or scope of access can depend upon factors such as a type of user, a type of user account, a role associated with the credentials, or a policy associated with the user and/or credentials, among other such factors).
(See also Doloff: Paragraph 0019 and FIG. 1, As mentioned, the authentication for internal services, as may provide websites or other content access, can involve an authentication mechanism that provides tokens that identifies the users associated with requests, where those tokens can only be obtained from a specific service, such as a corporate token granting service).
Doloff also teaches (d) evaluate said first request to determine whether said first request includes a second token, and if said first request includes said second token then allowing said user access to said resource, (See Doloff: Paragraph 0030 and FIG. 4,  If is determined 422 that the request is not authenticated, then the request can be denied 424 or otherwise processed. If the request is authenticated, a second token (or ticket, credential, etc.) can be generated 426 that can enable subsequent requests or actions for that user, device, or account to be granted without additional authentication, at least during a current session or active lifetime of the second token. An authentication response, as well as the second token, can then be provided 428 to a source of the request, or other destination, enabling the requested access to be obtained using the second credential).

Doloff  does not teach (ii) issue said first request further including said first token, said registration identifying, at said second side of said shared VPN, said user based on said first token, (c) evaluate said first request to determine whether said first request includes a second token, said second token authenticating said user to said resource, and if said first request lacks said second token: 	 (i) generate said second token authenticating said user to said resource, and (ii) issue said first request further including said second token.  
However, in the same field of endeavor, Wu teaches issuing said first request further including said first token, said registration identifying, at said second side of said shared VPN, said user based on said first token, (See Wu: Column 2, lines 1-14 and FIG. 1, For example, a web browser may establish a secure sockets layer virtual private network (SSL VPN) session with a SSL VPN gateway by providing one or more authentication credentials to the SSL VPN gateway. When the user of the web browser sends a request to access one of the resources (i.e., issuing said first request) provided by a resource server protected by the SSL VPN gateway, the request is intercepted, either by specialized software executing on the client device or by the SSL VPN gateway. In either case, the SSL VPN gateway issues a temporary token to the client device when the requested resource is associated with a software application external application (i.e., second side)).
Wu also teaches evaluating said first request to determine whether said first request includes a second token, said second token authenticating said user to said resource, and if said first request lacks said second token: (See Wu: Column 8, lines 12-16 and FIG. 2, token verification module 40 determines that the temporary token is valid (“YES” of 69), SSL VPN manager 38 creates an application-specific cookie, i.e., a session cookie that cannot be accessed by other applications, and stores the actual credentials of user 4 within the cookie (72)).
(See also Wu: Column 7, lines 52-57 and FIG. 3 and FIG. 4, If the resource request does not include a user credentials (“NO” of 52), (i.e., determine whether said first request includes a second token) SSL VPN manager 38 determines whether the intercepted request includes a temporary token (68). If the request does not include a temporary token (“NO” of 68), (i.e., first request lacks said second token) SSL VPN manager 38 requests that user 17 supply a username and password for the requesting application (70). … 
(See also Wu: Column 8, lines 1-3 and FIG. 3 and FIG. 4, If the temporary token is not valid (“NO” of 69), token verification module 40 alerts SSL VPN manager 38 to this fact. 
Wu also teaches (i) generating said second token authenticating said user to said resource, (See Wu: Column 10, lines 12-19, FIG. 3 and FIG. 4, When token creation module 44 (i.e., generating said second token) receives a resource request from SSL 38, token creation module 44 extracts the URL and hostname portions of the resource request. For example, the URL portion of the resource request may be “/docs/myDoc.doc” and the hostname portion may be “www.ex.com”. The combination of the URL portion and the hostname portion of the resource request identifies which resource is requested.
Wu also teaches (ii) issuing said first request further including said second token, (See Wu: Column 5, lines 63-67, FIG. 3 and FIG. 4, On the other hand, if SSL VPN manager 38 determines that the intercepted resource request will result in the launch of an application 8, SSL VPN manager 38 requests that token creation module 44 issue a temporary token).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu to issue said first request further including said first token, said registration identifying, at said second side of said shared VPN, said user based on said first token, (c) evaluate said first request to determine whether said first request includes a second token, said second token authenticating said user to said resource, and if said first request lacks said second token: (i) generate said second token authenticating said user to said resource, and (ii) issue said first request further including said second token. The motivation for doing so would be to have a virtual private network (VPN) in enterprise environment to protect one or more network resource. The motivation for doing so would be to access these VPN-protected resources through a web browser, a VPN gateway or other security device requires a remote user to supply credentials, e.g., 

As per claim 30, Doloff teaches a method for identification, the method comprising the steps of: (a) sending via a shared virtual private network (VPN) a first request, said first request from a user on a first side of said shared VPN, said sending at a first side of said shared VPN, and said first request including a reference to a resource to be accessed by said user; (See Doloff: Abstract, receiving, from a requestor, a request for access to one or more resources).
(See also Doloff: Paragraph 0027 and FIG. 3: element 302 “Receive request for access resources (VPN)”, FIG. 3 illustrates an example process 300 for authenticating a request that can be used in accordance with various embodiments. It should be understood that for this and other processes discussed herein that additional, fewer, or alternative steps can be performed in similar or alternative steps, or in parallel, within the scope of the various embodiments unless otherwise stated. In this example, a request for access to a set of resources is received 302). 
(See also Doloff: Paragraph 0015 and FIG. 1, In the case of a VPN request, the resource manager can allocate and configure a VPN connection such that VPN software 122 executing on the client device 102 (equivalent to user on a first side) can access the resources (equivalent to reference to a resource to be accessed by said user) in the provider environment 106 (equivalent to second side) as if the client were directly connected to those resources inside the provider environment. 
sharing of these multi-tenant resources from a provider environment is often referred to as resource sharing, Web services, or “cloud computing,” among other such terms and depending upon the specific environment and/or implementation. In this example the provider environment includes a plurality of electronic resources 114 of one or more types). 

Doloff also teaches (b) evaluating said first request to determine whether said first request includes a first token, said first token authenticating said user, and if said first request lacks said first token: (See Doloff: FIG. 4: Element 402 “Receive information for request to be authenticated”, 404 “Determine first set of authentication information for request” and 406 “Analyze authentication information to determine whether request is invalid per denial criterion”).
(See also Doloff: Paragraph 0015 and FIG. 1, The token or ticket can be passed with requests on the VPN session in order to indicate authentication (i.e., first token) and obtain permitted access to the resources).
(See also Doloff: Paragraph 0027 and FIG. 3, for example, with the information being contained in the request, associated with a source of the request, or otherwise determined. In some embodiments, the request may include a credential or user identifier that can be used to obtain other authentication information relevant for the request. In this example process, a first set of authentication checks is performed 306 with respect to the request information).
(See also Doloff: Paragraph 0027 and FIG. 4: Element 408 “Invalid?” and 410 “Deny request”, Based at least in part upon any or all of these criteria, a determination 408 whether the request is invalid, or at least unable to be authenticated. If so, the request can be denied 410 or other actions can be taken, such as to notify a user of an issue with the request that a valid user could remedy).

Doloff also teaches (i) generating said first token authenticating said user, (See Doloff: Paragraph 0029 and FIG. 4, a first authentication token or ticket can be generated 412).

Doloff also teaches (ii) registering said user, said registration including associating said user with said first token, (See Doloff: Paragraph 0014 and FIG. 1,The identity provider can provide the credentials to the resource provider environment 106 and/or to the client device 102, whereby the client device can utilize those credentials to obtain access or use of various resources in the provider environment, where the type and/or scope of access can depend upon factors such as a type of user, a type of user account, a role associated with the credentials, or a policy associated with the user and/or credentials, among other such factors).
(See also Doloff: Paragraph 0019 and FIG. 1, As mentioned, the authentication for internal services, as may provide websites or other content access, can involve an authentication mechanism that provides tokens that identifies the users associated with requests, where those tokens can only be obtained from a specific service, such as a corporate token granting service).

(ii) issuing said first request further including said first token, said registration identifying, at said second side of said shared VPN, said user based on said first token, (c) evaluating said first request to determine whether said first request includes a second token, said second token authenticating said user to said resource, and if said first request lacks said second token: 	 (i) generating said second token authenticating said user to said resource, and (ii) issuing said first request further including said second token, and 
(d) evaluating said first request to determine whether said first request includes a second token, and if said first request includes said second token then allowing said user access to said resource.  
However, in the same field of endeavor, Wu teaches (ii) issuing said first request further including said first token, said registration identifying, at said second side of said shared VPN, said user based on said first token,
(See Wu: Column 2, lines 1-14 and FIG. 1, For example, a web browser may establish a secure sockets layer virtual private network (SSL VPN) session with a SSL VPN gateway by providing one or more authentication credentials to the SSL VPN gateway. When the user of the web browser sends a request to access one of the resources (i.e., issuing said first request) provided by a resource server protected by the SSL VPN gateway, the request is intercepted, either by specialized software executing on the client device or by the SSL VPN gateway. In either case, the SSL VPN gateway issues a temporary token to the client device when the requested resource is associated with a software application that is external to the web browser. This temporary token includes temporary credential information that can subsequently be external application (i.e., second side)).
Wu also teaches evaluating said first request to determine whether said first request includes a second token, said second token authenticating said user to said resource, and if said first request lacks said second token: (See Wu: Column 8, lines 12-16 and FIG. 2, token verification module 40 determines that the temporary token is valid (“YES” of 69), SSL VPN manager 38 creates an application-specific cookie, i.e., a session cookie that cannot be accessed by other applications, and stores the actual credentials of user 4 within the cookie (72)).
(See also Wu: Column 7, lines 52-57 and FIG. 3 and FIG. 4, If the resource request does not include a user credentials (“NO” of 52), (i.e., determine whether said first request includes a second token) SSL VPN manager 38 determines whether the intercepted request includes a temporary token (68). If the request does not include a temporary token (“NO” of 68), (i.e., first request lacks said second token) SSL VPN manager 38 requests that user 17 supply a username and password for the requesting application (70). … 
(See also Wu: Column 8, lines 1-3 and FIG. 3 and FIG. 4, If the temporary token is not valid (“NO” of 69), token verification module 40 alerts SSL VPN manager 38 to this fact. 
Wu also teaches (i) generating said second token authenticating said user to said resource, 
(See also Wu: Column 10, lines 12-19, FIG. 3 and FIG. 4, When token creation module 44 (i.e., generating said second token) receives a resource request from SSL 38, token creation module 44 extracts the URL and hostname portions of the resource request. For example, the URL portion of the resource request may be “/docs/myDoc.doc” and the hostname portion may be “www.ex.com”. The combination of the URL portion and the hostname portion of the resource request identifies which resource is requested.
Wu also teaches (ii) issuing said first request further including said second token, (See Wu: Column 5, lines 63-67, FIG. 3 and FIG. 4, On the other hand, if SSL VPN manager 38 determines that the intercepted resource request will result in the launch of an application 8, SSL VPN manager 38 requests that token creation module 44 issue a temporary token).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu to issuing said first request further including said first token, said registration identifying, at said second side of said shared VPN, said user based on said first token, (c) evaluating said first request to determine whether said first request includes a second token, said second token authenticating said user to said resource, and if said first request lacks said second token: (i) generating said second token authenticating said user to said resource, and (ii) issuing said first request further including said second token, and 
(d) evaluating said first request to determine whether said first request includes a second token, and if said first request includes said second token then allowing said user access to said resource.  . The motivation for doing so would be to access these 


Claim 32 is a medium claim similar to the method of claim 30 and is analyzed and rejected accordingly.

11. 	Claims 19-21, 25-26 and 28-29 are rejected under 35 U.S.C. 103 as being unpatentable over Doloff in view of Wu and in view of Drozd; Michal J. et al.  (U.S. Patent US 10057246 B1, hereinafter Drozd).
As per claim 19, Doloff in view of Wu teaches the method of claim 16.
Doloff in view of Wu does not teach wherein said user is selected from the group consisting of:(a) a person;(b) a person using an application on a client computer;(c) a person using a web browser on a client computer; and (d) a software process.  
However, in the same field of endeavor, Drozd teaches wherein said user is selected from the group consisting of:(a) a person;(b) a person using an application on a client computer;(c) a person using a web browser on a client computer; and (d) a software process.  
100 includes, but is not limited to, one or more client systems 101-102 (equivalent to person) communicatively coupled to cloud storage server 160, identity provider server 170, and authentication/authorization (AUTH) server 180 (equivalent to software process) over network 103. Clients 101-102 may be any type of clients (equivalent to person using an application on a client computer) such as a host or server, a personal computer (e.g., desktops, laptops, and tablets), a “thin” client, a personal digital assistant (PDA), a Web enabled appliance (equivalent to person using a web browser on a client computer), or a mobile phone (e.g., Smartphone), etc. As used herein, a client may also refer to a user/principal, a principal tenant, a child tenant, and/or a component in a multi-tenant environment, see [Drozd: Column 6: lines 4-15; FIG. 1B: 100 ‘System’, 101-102 ‘Client’, 160 ‘Cloud Server’, 170 ‘Identity Provider Server’, and 180 ‘AUTH server’].

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu and also with the teaching of Drozd wherein said user is selected from the group consisting of: a person; a person using an application on a client computer; a person using a web browser on a client computer; and 	a software process. The motivation for doing so would be to have authentication, authorization, and managing access control of users in a multi-tenant environment via a command line interface, (See Drozd: Column 1, lines 11-13).


Doloff in view of Wu does not teach wherein said first request includes a uniform resource locator (URL)
	However, in the same field of endeavor, Drozd teaches wherein said first request includes a uniform resource locator (URL)
In one embodiment, of Drozd, AUTH server 180 includes user interface 410configured to receive one or more access requests from one or more clients using the Remote Procedure Call (RPC), Hypertext Transfer Protocol Source (HTTPS), (equivalent to first request includes a uniform resource locator (URL)). Representational State Transfer (REST) protocol, or any combination thereof, see [Drozd: Column 15: lines 37-42; FIG. 1B: 180 ‘AUTH Server’, FIG. 4: 410 ‘User Interface, Web’].

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu and also with the teaching of Drozd wherein said first request includes a uniform resource locator (URL). The motivation for doing so would be to have authentication, authorization, and managing access control of users in a multi-tenant environment via a command line interface, (See Drozd: Column 1, lines 11-13).

As per claim 21, Doloff in view of Wu teaches the method of claim 16.
Doloff in view of Wu does not teach wherein said resource is a website)
wherein said resource is a website
Drozd teaches that when client accesses resources of cloud servers 160, cloud servers 160 communicates with AUTH server 180to verify token 194, similar to the authentication and authorization process received through the GUI or Web interface (equivalent to resource is a website), see [Drozd: Column 5: lines 20-23; FIG. 1A: 160 ‘Cloud Server’, 180 ‘AUTH Server’, and 194 ‘Token’].

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu and also with the teaching of Drozd wherein said resource is a website. The motivation for doing so would be to have authentication, authorization, and managing access control of users in a multi-tenant environment via a command line interface, (See Drozd: Column 1, lines 11-13).

As per claim 25, Doloff in view of Wu teaches the method of claim 17.
Doloff in view of Wu does not teach wherein said second token is selected from the group consisting of:  (a) a cookie; and (b) a domain identification (ID) cookie.  
	However, in the same field of endeavor, Drozd teaches wherein said second token is selected from the group consisting of: (a) a cookie; and (b) a domain identification (ID) cookie.  
In one embodiment, of Drozd, AUTH server 180 includes user interface 410configured to receive one or more access requests from one or more clients using the Remote Procedure Call (RPC), Hypertext Transfer Protocol Source (HTTPS), (equivalent to first request includes a uniform resource locator (URL)). Representational State Transfer (REST) protocol, or any combination thereof, see [Drozd: Column 15: lines 37-42; FIG. 1B: 180 ‘AUTH Server’, FIG. 4: 410 ‘User Interface, Web’].
(b) said resource is a website;
Drozd teaches that when client accesses resources of cloud servers 160, cloud servers 160 communicates with AUTH server 180to verify token 194, similar to the authentication and authorization process received through the GUI or Web interface (equivalent to resource is a website), see [Drozd: Column 5: lines 20-23; FIG. 1A: 160 ‘Cloud Server’, 180 ‘AUTH Server’, and 194 ‘Token’].

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu and also with the teaching of Drozd wherein said second token is selected from the group consisting of: (a) a cookie; and.: (b) a domain identification (ID) cookie. The motivation for doing so would be to have authentication, authorization, and managing access control of users in a multi-tenant environment via a command line interface, (See Drozd: Column 1, lines 11-13).

As per claim 26, Doloff in view of Wu teaches the method of claim 17.
Doloff in view of Wu does not teach wherein said second token is based on a unique user identification (userid) data for a domain of said resource.  
wherein said second token is based on a unique user identification (userid) data for a domain of said resource.  
For example, AUTH server 180, of Drozd, uses the specified credentials of the user to lookup the associated credentials in the AUTH server store. As used herein, "specified credentials" refer to a combination of one or more of the user ID (equivalent to userid), password, tenant ID, and domain ID (equivalent to second token is based on a unique user identification (userid) data for a domain of said resource), which are provided by the user (e.g., as part of a login process or as part of the authentication request itself), see [Drozd: Column 12: lines 48-54; FIG. 1A: 180 ‘Authentication Server’].
 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu and also with the teaching of Drozd wherein said second token is based on a unique user identification (userid) data for a domain of said resource. The motivation for doing so would be to have authentication, authorization, and managing access control of users in a multi-tenant environment via a command line interface, (See Drozd: Column 1, lines 11-13).

As per claim 28, Doloff in view of Wu teaches the method of claim 27.
Doloff in view of Wu does not teach wherein:	 (a) said processing system is a cloud gateway deployed on the Internet;	 (b) said user is a person using an application on a client computer deployed on a company intranet;	 and (c) said first request is sent by said person using said application, via an internal company router on said company intranet, via said VPN, to said cloud gateway.  
	However, in the same field of endeavor, Drozd teaches wherein:	 (a) said processing system is a cloud gateway deployed on the Internet;	 (b) said user is a person using an application on a client computer deployed on a company intranet;	 and (c) said first request is sent by said person using said application, via an internal company router on said company intranet, via said VPN, to said cloud gateway
Referring to FIG. 1A, of Drozd, system 190 includes client 101 communicatively coupled to authentication and authorization (authentication/authorization or AUTH) server 180 and one or more cloud servers 160 over network 103 (equivalent to cloud gateway), see [Drozd: Column 3: lines 33-36; FIG. 1A: 190 ‘System, 101 ‘Client Device’, 180 ‘Authentication Server’, 160 ‘AUT’, and 103 ‘Network’].
Drozd discloses that network 103 may be any type of networks such as a local area network (LAN), a wide area network (WAN) such as the Internet (equivalent to deployed on the Internet),, a fiber network, a storage network, or a combination thereof, wired or wireless, see [Drozd: Column 6: lines 20-24; FIG. 1A: 103 ‘Network’].
160 may be a storage server used for various different purposes, such as to provide multiple users or client systems with access to shared data and/or to back up (or restore) data (e.g., mission critical data), which may be hosted via a variety of applications or programs (equivalent to user is a person using an application on a client computer deployed on a company intranet), see [Drozd: Column 6: lines 30-35; FIG. 1A: 160 ‘Cloud Server’].
FIG. 1A, of Drozd, is a block diagram illustrating an authentication/authorization system according to one embodiment of the invention. Referring to FIG. 1A, system 190 includes client 101 communicatively coupled to authentication and authorization (authentication/authorization or AUTH) (equivalent to first request is sent by said person using said application) server 180 and one or more cloud servers 160 (e.g., VPN) over network 103 (equivalent to company intranet). Cloud servers 160 (equivalent to cloud gateway) provide cloud services over network 103 such as cloud storage services or content services. The resources provided by cloud servers 160 may be accessed by a variety of client devices, such as client device 101. Although only one client 101 is shown, it will be appreciated that multiple clients having the same or similar configuration may also be coupled to network 103 and accessing resources or services provided by AUTH server 180 and cloud servers 160, see [Drozd: Column 3: lines 31-44; FIG. 1A: 190 ‘System’, 101 ‘Client Device’, 103 ‘Network’, 180 ‘AUTH’, and 160 ‘Cloud Server’160 ‘Cloud Server’]. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu and also with the teaching of Drozd wherein:(a) said processing system is a cloud 

As per claim 29, Doloff in view of Wu teaches the method of claim 27.
Doloff in view of Wu does not teach wherein: (a) said first request includes a uniform resource locator (URL); (b) said resource is a website;	 (c) said second token authenticating the user to said resource is selected from the group consisting of:(i) a cookie; and (ii) a domain identification (ID) cookie; and (d) said second token is based on a unique user identification (userid) data for a domain of said resource.  
	However, in the same field of endeavor, Drozd teaches wherein: (a) said first request includes a uniform resource locator (URL); (b) said resource is a website;	 (c) said second token authenticating the user to said resource is selected from the group consisting of:(i) a cookie; and (ii) a domain identification (ID) cookie; and (d) said second token is based on a unique user identification (userid) data for a domain of said resource.  In one embodiment, of Drozd, AUTH server 180 includes user interface 410configured to receive one or more access requests from one or more clients using the Remote Procedure Call (RPC), Hypertext Transfer Protocol Source (HTTPS), (equivalent to first request includes a uniform resource locator (URL)). Representational State Transfer (REST) protocol, or any combination thereof, see [Drozd: Column 15: lines 37-42; FIG. 1B: 180 ‘AUTH Server’, FIG. 4: 410 ‘User Interface, Web’].
(b) said resource is a website;
Drozd teaches that when client accesses resources of cloud servers 160, cloud servers 160 communicates with AUTH server 180to verify token 194, similar to the authentication and authorization process received through the GUI or Web interface (equivalent to resource is a website), see [Drozd: Column 5: lines 20-23; FIG. 1A: 160 ‘Cloud Server’, 180 ‘AUTH Server’, and 194 ‘Token’].
c) said second token authenticating the user to said resource is selected from the group consisting of:(i) a cookie; and (ii) a domain identification (ID) cookie;
For example, AUTH server 180, of Drozd, uses the specified credentials of the user to lookup the associated credentials in the AUTH server store. As used herein, "specified credentials" refer to a combination of one or more of the user ID, password, tenant (i.e., group) ID, and domain ID, which are provided by the user (e.g., as part of a login process or as part of the authentication request itself), (equivalent to a cookie and a domain identification (ID) cookie), see [Drozd: Column 12: lines 48-54; FIG. 1A: 180 ‘Authentication Server’].
(d) said second token is based on a unique user identification (userid) data for a domain of said resource;
For example, AUTH server 180, of Drozd, uses the specified credentials of the user to lookup the associated credentials in the AUTH server store. As used herein, combination of one or more of the user ID (equivalent to userid), password, tenant ID, and domain ID (equivalent to second token is based on a unique user identification (userid) data for a domain of said resource), which are provided by the user (e.g., as part of a login process or as part of the authentication request itself), see [Drozd: Column 12: lines 48-54; FIG. 1A: 180 ‘Authentication Server’].

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu and also with the teaching of Drozd wherein: (a) said first request includes a uniform resource locator (URL); (b) said resource is a website; (c) said second token authenticating the user to said resource is selected from the group consisting of:(i) a cookie; and (ii) a domain identification (ID) cookie; and (d) said second token is based on a unique user identification (userid) data for a domain of said resource. The motivation for doing so would be to have authentication, authorization, and managing access control of users in a multi-tenant environment via a command line interface, (See Drozd: Column 1, lines 11-13).

12. 	Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Doloff in view of Wu and in view of Teo; Wee Tuck  (U.S. Application US 20070234061 A1, hereinafter Teo).
As per claim 24, Doloff in view of Wu teaches the method of claim 16.
wherein said registering includes generating a virtual internet protocol (VIP) address and associating said user with said VIP address.    
However, in the same field of endeavor, Teo teaches wherein said registering includes generating a virtual internet protocol (VIP) address and associating said user with said VIP address.  
Teo discloses that to provide access to authenticated resources (equivalent to authenticating the user) and to prevent access to all other remote resources, a bi-directional or unidirectional tunnel may be used, a virtual IP may be allocated to the end-user device 105 (equivalent to assigning a virtual internet protocol (IP) address to the user and using said virtual IP instead of said userid), and/or ingress or egress filtering may be used, see [Teo: Paragraph 0106: lines 6-9; FIG. 1: 105 ‘End User Device’].

It would have been obvious to one of ordinary skill in the art at the time of effective filing date to modify the invention of Doloff with the teaching of Wu and further with the teaching of Teo wherein said registering includes generating a virtual internet protocol (VIP) address and associating said user with said VIP address.23 The motivation for doing so would be to create a system and method for providing transactional security to an end-user device, see [Teo: Paragraph 0003: lines 2-3].

13. 	Claim 31 is rejected under 35 U.S.C. 103 as being unpatentable over Doloff in view of Wu and in view of Drozd and in view of Teo.

As per claim 31, Doloff in view of Wu teaches the method of claim 30.
Doloff does not teach (e) said issuing is implemented by redirecting said first request.
However, in the same field of endeavor, Wu teaches (e) said issuing is implemented by redirecting said first request; (See Wu: Column 2, lines 1-14 and FIG. 1, For example, a web browser may establish a secure sockets layer virtual private network (SSL VPN) session with a SSL VPN gateway by providing one or more authentication credentials to the SSL VPN gateway. When the user of the web browser sends a request to access one of the resources (i.e., issuing said first request) provided by a resource server protected by the SSL VPN gateway, the request is intercepted, either by specialized software executing on the client device or by the SSL VPN gateway. In either case, the SSL VPN gateway issues a temporary token to the client device when the requested resource is associated with a software application that is external to the web browser. This temporary token includes temporary credential information that can subsequently be used by the SSL VPN gateway to authenticate the external application (i.e., second side)).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu to issuing is implemented by redirecting said first request. The motivation for doing so would be to access these VPN-protected resources through a web browser, a VPN gateway or other security device requires a remote user to supply credentials, e.g., a 

Doloff in view of Wu does not teach wherein: (a) said user is selected from the group consisting of:(i) a person; (ii) a person using an application on a client computer; (iii) a person using a web browser on a client computer; and (iv) a software process;	 (b) said first request includes a uniform resource locator (URL); (c) said resource is a website; (d) said second token authenticating the user to said resource is selected from the group consisting of:	(i) a cookie;	 and (ii) a domain identification (ID) cookie; (e) said issuing is implemented by redirecting said first request; (f) said registering includes associating said userid with an IP address associated with the user,	 (g) subsequent to said uthenticating the user: assigning a virtual internet protocol (IP) address to the user and using said virtual IP instead of said userid; and (i) said second token is based on a unique user identification (userid) data for a domain of said resource; (a) said user is selected from the group consisting of:(i) a person; (ii) a person using an application on a client computer; (iii) a person using a web browser on a client computer; and (iv) a software process;
  However, in the same field of endeavor, Drozd teaches  (a) said user is selected from the group consisting of:(i) a person;	 (ii) a person using an application on a client computer; (iii) a person using a web browser on a client computer; and (iv) a software process; (b) said first request includes a uniform resource locator (URL); (c) said resource is a website; (d) said second token authenticating the user to said resource is selected from the group consisting of:
In one embodiment, of Drozd, AUTH server 180 includes user interface 410 configured to receive one or more access requests from one or more clients using the Remote Procedure Call (RPC), Hypertext Transfer Protocol Source (HTTPS), (equivalent to first request includes a uniform resource locator (URL)). Representational State Transfer (REST) protocol, or any combination thereof, see [Drozd: Column 15: lines 37-42; FIG. 1B: 180 ‘AUTH Server’, FIG. 4: 410 ‘User Interface, Web’].

(b) said first request includes a uniform resource locator (URL);
In one embodiment, of Drozd, AUTH server 180 includes user interface 410configured to receive one or more access requests from one or more clients using the Remote Procedure Call (RPC), Hypertext Transfer Protocol Source (HTTPS), (equivalent to first request includes a uniform resource locator (URL)). Representational State Transfer (REST) protocol, or any combination thereof, see [Drozd: Column 15: lines 37-42; FIG. 1B: 180 ‘AUTH Server’, FIG. 4: 410 ‘User Interface, Web’].

(c) said resource is a website;
Drozd teaches that when client accesses resources of cloud servers 160, cloud servers 160 communicates with AUTH server 180to verify token 194, similar to the authentication and authorization process received through the GUI or Web interface (equivalent to resource is a website), see [Drozd: Column 5: lines 20-23; FIG. 1A: 160 ‘Cloud Server’, 180 ‘AUTH Server’, and 194 ‘Token’].

(d) said second token authenticating the user to said resource is selected from the group consisting of:	(i) a cookie;	 and (ii) a domain identification (ID) cookie;
For example, AUTH server 180, of Drozd, uses the specified credentials of the user to lookup the associated credentials in the AUTH server store. As used herein, "specified credentials" refer to a combination of one or more of the user ID, password, tenant (i.e., group) ID, and domain ID, which are provided by the user (e.g., as part of a login process or as part of the authentication request itself), (equivalent to a cookie and a domain identification (ID) cookie), see [Drozd: Column 12: lines 48-54; FIG. 1A: 180 ‘Authentication Server’].

Drozd also teaches (h) said second token is based on a unique user identification (userid) data for a domain of said resource;
For example, AUTH server 180, of Drozd, uses the specified credentials of the user to lookup the associated credentials in the AUTH server store. As used herein, "specified credentials" refer to a combination of one or more of the user ID (equivalent to userid), password, tenant ID, and domain ID (equivalent to second token is based on a unique user identification (userid) data for a domain of said resource), which are provided by the user (e.g., as part of a login process or as part of the authentication request itself), see [Drozd: Column 12: lines 48-54; FIG. 1A: 180 ‘Authentication Server’].

Referring to FIG. 1B, of Drozd, system 100 includes, but is not limited to, one or more client systems 101-102 (equivalent to person) communicatively coupled to cloud storage server 160, identity provider server 170, and authentication/authorization (AUTH) server 180 (equivalent to software process) over network 103. Clients 101-102 may be any type of clients (equivalent to person using an application on a client computer) such as a host or server, a personal computer (e.g., desktops, laptops, and tablets), a “thin” client, a personal digital assistant (PDA), a Web enabled appliance (equivalent to person using a web browser on a client computer), or a mobile phone (e.g., Smartphone), etc. As used herein, a client may also refer to a user/principal, a principal tenant, a child tenant, and/or a component in a multi-tenant environment, see [Drozd: Column 6: lines 4-15; FIG. 1B: 100 ‘System’, 101-102 ‘Client’, 160 ‘Cloud Server’, 170 ‘Identity Provider Server’, and 180 ‘AUTH server’].

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Doloff with the teaching of Wu and also with the teaching of Drozd wherein: (a) said user is selected from the group consisting of:	(i) a person; (ii) a person using an application on a client computer; (iii) a person using a web browser on a client computer; and (iv) a software process; (b) said first request includes a uniform resource locator (URL); (c) said resource is a 

Doloff in view of Wu and in view of Drozd does not teach (f) said registering includes associating said userid with an IP address associated with said user, (g) subsequent to said authenticating said user: assigning a virtual internet protocol (IP) address to said user and using said virtual IP instead of said userid;
However, in the same field of endeavor, Teo teaches (f) said registering includes associating said userid with an IP address associated with said user, (g) subsequent to said authenticating said user: assigning a virtual internet protocol (IP) address to said user and using said virtual IP instead of said userid;
Teo discloses that to provide access to authenticated resources (equivalent to authenticating the user) and to prevent access to all other remote resources, a bi-directional or unidirectional tunnel may be used, a virtual IP may be allocated to the end-user device 105 (equivalent to assigning a virtual internet protocol (IP) address to the user and using said virtual IP instead of said userid), and/or ingress or egress filtering may be used, see [Teo: Paragraph 0106: lines 6-9; FIG. 1: 105 ‘End User Device’].

It would have been obvious to one of ordinary skill in the art at the time of effective filing date to modify the invention of Doloff with the teaching of Wu and with the .

Response to Arguments
Applicant's arguments filed on 10/06/2020 have been fully considered but they are not persuasive. 

Applicant argues regarding independent claims on pages 11-12 that: “A careful review of Doloff fails to find any mention of using a "shared VPN". In contrast, the current claims solve a problem that arises when using a shared VPN, as recited in the current claim "receiving via a shared VPN a first request". See, for example, page 1 lines 21-24 and page 6 line 16 to page 7 line 2. As Doloff does not use a shared VPN, Doloff does not have the problems created by using a shared VPN, and thus Doloff does not address the feature of "identify" recited in the current claim.” 
Examiner respectfully disagrees with the Applicant’s argument and would like to point out that Doloff discloses “shared VPN” wherein Doloff discloses client devices directly connected to the resources inside a provider environment; herein, “directly connected” is referred to internal network connection through VPN which can be interpreted as “shared VPN” (e.g. Doloff: [0015]). Multiple clients uses direct VPN request to access resources; herein tokens can be passed with VPN requests on the 

Applicant argues on pages 13-14 of the remark that: “A careful review of Wu fails to find any mention of using a "shared VPN". As Wu does not use a shared VPN, Wu does not have the problems created by using a shared VPN, and thus Wu does not address the feature of "identifying" recited in the current claim.”
Examiner respectfully disagrees with the Applicant’s argument and would like to point out that primary reference teaches “shared VPN” (e.g. see Doloff: [0015] and the response above). Furthermore, Doloff further discloses “identifying” by passing a token with the VPN request to access resources. WU further discloses token verification which determines if a token related to the client is valid (e.g. see, Wu: Column 8, lines 12-16). Thus, reads on the claimed limitation. 


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the 




Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256.  The examiner can normally be reached on Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  


SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495          

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495