DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Application was filed on 02/25/2020. 
Claims 1-14 are pending.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. EP19315009.1 filed on 02/27/2019.
Information Disclosure Statement
As required by M.P.E.P. 609(C), the Applicant's submissions of the Information Disclosure Statements dated 02/25/2020 and 04/05/2020 are acknowledged by the Examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P. 609 C (2), a copy of the PTOL-1449, initialed and dated by the Examiner, is attached to the Office action.
Drawings
The drawings received on 02/25/2020 are acceptable for examination purposes.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-10 and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Rao et al., (US 2013/0128892 A1, hereinafter Rao) in view of Gondo et al., (US 2008/0077789 A1, hereinafter Gondo) and further in view of Merchant et al., (US 2015/0326503 A1, hereinafter Merchant).
Claims 1 and 14,
	Rao discloses a method comprising: receiving, at a gateway device, via a public network, and from a client device, a request to access a service provided by a host device (Figure 1, Claim 37: "a device intermediary to a client on a public network and a server on a private network", Paragraph 40: "Client computing devices 110 communicate with the gateway computing device 120 over a first network 150. The network can be ... the Internet", ¶ [0041]: "The gateway computing device 120 communicates with the target computing devices 140 via a second network 180.", Paragraph 58: "... a private secured network 180 behind a gateway 120", ¶ [0078]: "the client computing device may request that a connection be set up to a specific machine on the private network behind the gateway computing device". It is interpreted that the "gateway device" of the claim may correspond to the "device intermediary", "gateway computing device" or "gateway". The feature "host device" of the claim may correspond to the "target computing device" or "a specific machine on the private network". The "first network" is a public network, such as the Internet, while the "second network" is a private, secured network.);

transmitting, from the gateway device to an authentication service, a request to authenticate the client device (Fig. 1, authentication 140e, ¶ [0052]: the gateway computing device 120 transmits configuration information to the remote process… The information may also comprise authentication information enabling the remote process to validate that the tunnel is established… This information may enable the remote process to test and validate client-side certificates, directly or by configuring the client computing device 110);

transmitting, from the gateway device to the client device, a port number corresponding to the first port and an associated (¶ [0047]: "The gateway computing device 120 transmits remote process to the client computing device 110 ... the remote process comprises a client application". ¶ [0048]: "a filter table received from the client application". ¶ [0062]: "the filtering table indicates that an outbound packet should be transmitted to the client application if the outbound packet is addressed to a particular", ¶ [0055]: The gateway computing device 120 may maintain a port-mapped Network Address Translation (NAT) table, enabling the gateway computing device 120 to transmit response packets from the target computing device 140 to the port monitored by the application that originally generated the IP packet on the client computing device 110);

creating, at the gateway device, a port binding between: a first port for communicating with the service, the first port being opened for the client device to access the gateway device, and a second port for the gateway device to access the host device (¶ [0055]: The gateway computing device 120 may maintain a port-mapped Network Address Translation (NAT) table, enabling the gateway computing device 120 to transmit response packets from the target computing device 140 to the port monitored by the application that originally generated the IP packet on the client computing device 110. "Port binding" is interpreted as a port-mapped Network Address Translation (NAT) table at the gateway device that maps a gateway port for the target device to a gateway port for the client device);

receiving, at the gateway device via the public network, on the first port, data to be transmitted to the host device, the data including an address of a device having sent the data (Figure 1, Paragraph 50: "the remote process is a client application ... the client application establishes the secure communication tunnel to the gateway computing device ... the secure communication tunnel is established over an HTTPS port, such as port 442, or any other configured port on the gateway computing device", Paragraph 53: "the remote process captures all network traffic destined for a private, secured network, such as the network 180 ... the remote process redirects captured network… traffic over the established secure communications tunnel to the gateway computing device". ¶ [0076]: the gateway-computing device 540 transforms the IP address of the packet to the IP address associated with the client-computing device 520)

and if the address of the device having sent the data corresponds to the address of the client device for which the first port is opened (¶ [0056]: the client computing device 110 communicates only with a public network address of the gateway computing device 120… communication tunnel is established over an HTTPS port, such as port 442, or any other configured port on the gateway computing device 120, ¶ [0050]):

Serial No.: 16/801,041

replacing, by the gateway device, the address of the client device contained in the data with an address of the gateway device on the private network to produce transcoded data (¶ [0055]: upon receipt of the captured IP packets, the gateway computing device 120 may create a third TCP connection between the gateway computing device 120 to the target computing device 140… The gateway computing device 120 may maintain a port-mapped Network Address Translation (NAT) table. ¶ [0056]: the client computing device 110 communicates only with a public network address of the gateway computing device 120, the client computing device 110 is unaware of the network address of the target computing device 140… the target computing device 140 does not receive the address information of the client computing device 110, protecting the client computing device and the network on which it resides. It is interpreted that the gateway uses the NAT table to replace the address as needed to correctly send the updated data to the destination. Transcoded data is interpreted as the packet received from the client side at the gateway device on the public network, which is updated using the NAT table for the target device on the private network) and (¶ [0091]: replaces address information on the outbound packet with a destination address and destination port associated with the client application (step 808). The peripheral device transmits the modified outbound packet to the client application).
Rao does not disclose receiving, at the gateway device from the authentication service, an indication that the client device has been authenticated; storing, by the gateway device, a record comprising: an address of the client device, and an indication that the address of the client device has been authenticated; wherein communications received at the first port from a device other than the client device are ignored by the gateway device.
Gondo discloses receiving, at the gateway device from the authentication service, an indication that the client device has been authenticated (Fig. 6 steps 606 and 608… The communication mediating unit 103 of the SIP proxy 100 establishes communication between the SIP client 400 and the authentication server 200 and registers a connection state of the communication established, i.e., connection information concerning a dialog established according to the INVITE request in the connection information table 122 (step S607). The notifying unit 108 notifies the SIP client 400 that the communication has been successfully established (step S608), ¶ [0068, 0069]); storing, by the gateway device, a record comprising: an address of the client device, and an indication that the address of the client device has been authenticated (Figure 5, Paragraph 34: "The authentication server 200 performs authentication of the SIP client 400. The authentication server 200 receives the authentication information from the SIP client 400 through the data channel established between the authentication server 200 and the SIP client 400 via the SIP proxy 100 according to an INVITE request and performs authentication processing". Paragraph 43: "The SIP proxy 100 is an intermediate server that mediates communication between the authentication server 200 and the SIP client 400. ... The SIP proxy 100 includes a storing unit 120", Paragraph 44: "the storing unit 120 includes ... an authentication state table 123", Paragraph 49: "The authentication state table 123 stores a state of authentication by the authentication server 200 for each SIP client 400 registered", Paragraph 50: "the authentication state table 123 stores an SIP URL and an authentication state in association with each other. "Valid" representing a state in which an SIP client is authenticated by the authentication server 200 or "invalid" representing a state in which an SIP client is not authenticated by the authentication server 200 is set in the authentication state").
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao by using the 
Merchant discloses wherein communications received at the first port from a device other than the client device are ignored by the gateway device (Create different connections that take traffic from network ports to instrument ports; View connection(s) that are using certain port(s) (e.g., network port(s), instrument port(s)); Share connection(s) with other users; Add, edit, or remove connection(s); Add, edit, or remove filter(s) that is associated with certain port(s); Add, edit, or remove filter(s) that is associated with certain connection(s); Lock one or more ports to prevent one or more other users from changing a configuration parameter (e.g., a parameter of a filter) that involves the port(s), such as network port(s) and/or instrument port(s); Add one or more other users to a share list, wherein the share list identifies user(s) who has access to certain port(s), such as network port(s) and/or instrument port(s), ¶ [0083]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao and Gondo by using the features, as taught by Merchant in order to efficiently reduce the traffic that is sent to the instrument, ¶ [0002].
Claim 14 encompasses limitations that are similar to limitations of claim 1, except “an apparatus comprising: at least one processor; and a memory device comprising executable instructions, which, when executed by the at least one processor”, discussed by Rao in (Figs. 1, 2A, 2B: computing device 120; each computer 200 includes a central processing unit 202, and a main memory unit 204, ¶ [0027]). Thus, it is rejected with the same rationale applied against claim 1 above.

Claim 2,
	Rao and Merchant do not disclose revoking, after a predetermined amount of time the client device's authentication.
Gondo discloses revoking, after a predetermined amount of time the client device's authentication (Success or failure of the authentication may be directly returned from the authentication server 200 to the SIP client 400 every time the authentication is performed or at a predetermined or arbitrary time interval or may be notified from the authentication server 200 to the SIP client 400 via the SIP proxy 100, ¶ [0041]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao and Merchant by using the features, as taught by Gondo in order to efficiently improve security without spoiling processing and scalability peculiar to the communication mediating server, ¶ [0096].
Claim 3,
Rao and Merchant do not disclose wherein revoking the client device's authentication comprises removing the address of the client device from a list of authorized addresses.
Gondo discloses wherein revoking the client device's authentication comprises removing the address of the client device from a list of authorized addresses (when the authentication fails, the communication disconnecting unit 106 deletes connection information concerning the SIP client 400, for which the authentication fails, from the connection information table 122 to discard the dialog, ¶ [0074]).  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao and Merchant by using the features, as taught by Gondo in order to efficiently improve security without spoiling processing and scalability peculiar to the communication mediating server, ¶ [0096].

Claim 4,
Rao discloses receiving further data from the host device, the further data including an address of the host device; and before transmitting the further data to the client device, replacing the address of the host device with an address of the gateway device on the public network (¶ [0055]: The gateway computing device 120 may maintain a port-mapped Network Address translation (NAT) table, enabling the gateway computing device 120 to transmit response packets from the target computing device 140 to the port monitored by the application that originally generated the IP packet on the client computing device 110…¶ [0057]  a remote process execution on the gateway computing device 120 maintains a reverse NAT table).  
Claim 5,
	Rao and Merchant do not disclose wherein the address of the host device comprises a hostname.  
	Gondo discloses wherein the address of the host device comprises a hostname (FIG. 3, the registration information table 121 stores registration information in which an SIP uniform resource identifier (URI) of the SIP client 400 registered, a host name as a name of the SIP client 400 registered, and a port number to be used are associated with one another ¶ [0046]).  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao and Merchant by using the features, as taught by Gondo in order to efficiently improve security without spoiling processing and scalability peculiar to the communication mediating server, ¶ [0096].
Claim 6,
	Rao discloses the service comprises a virtual network administration tool (The application space 532 includes a client application 526…The application 538 can be any type and/or form of application such as any type and/or form of web browser, web-based client, client-server application, a thin-client computing client, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on client computing device 110 or communicating via a network. The application 538 can use any type of protocol and it can be, for example, an HTTP client, an FTP client, an Oscar client, or a Telnet client ¶ [0071]).

Claim 7,
Rao discloses wherein the private network comprises a virtual network (¶ [0041] The second network 180 may use any of protocols and transport mechanisms described above in connection with the first network 150. ¶ [0003]: between a gateway and an endpoint implement architectures such as Internet Protocol Security (IPSec) and Point-to-Point Tunneling Protocol (PPTP) virtual private network (VPN) architectures).

	Rao discloses wherein communications between the client device and the gateway device are encrypted using secure sockets layer (SSL) encryption (¶ [0072] the client application 526 provides functionality for managing an SSL tunnel to the gateway computing device 540. In yet other embodiments, the client application 526 provides functionality for encrypting and transmitting a packet 528 to the gateway computing device 540…¶ [0083]: a packet/frame forwarding and SSL tunnel management API 610 on the client application 326 transmits the packet to a gateway computing device 540.).  
Claim 9,
Rao discloses wherein the client device requests to access the service by communicating with the host device via a third port (the client application establishes the secure communication tunnel to the gateway computing device 120. In one embodiment, the secure communication tunnel is established over an HTTPS port, such as port 442, or any other configured port on the gateway-computing device 120, using TLS or SSL encryption ¶ [0050]).  
Claim 10,
	Rao discloses wherein the request, from the client device, to authenticate with the gateway device is received via the third port (the client application establishes the secure communication tunnel to the gateway computing device 120. In one embodiment, the secure communication tunnel is established over an HTTPS port, such as port 442, or any other configured port on the gateway-computing device 120, using TLS or SSL encryption ¶ [0050]… ¶ [0078]: "the client computing device may request that a connection be set up to a specific machine on the private network behind the gateway computing device").

Claim 12,
	Rao and Merchant do not disclose wherein the record further comprises a timestamp corresponding to the authentication of the client device.  
	Gondo discloses wherein the record further comprises a timestamp corresponding to the authentication of the client device (¶ [0008]… the authentication state continues until the authentication state is released according to an explicit request or a term of validity expires. Validity of the processing requested in the message is equivalent to validity of the authentication state. For example, in the case of registration processing, the authentication state is valid while a certain registration is valid. The connection information table 122 stores an SIP URI1 and an SIP URI2 that are SIP URIs of each SIP client 400, a port number 1 and a port number 2, and a term of validity of the communication established in association with one another ¶ [0048]. Fig. 4).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao and Merchant by using the features, as taught by Gondo in order to efficiently improve security without spoiling processing and scalability peculiar to the communication mediating server, ¶ [0096].

Claim 13,
	Rao discloses wherein the associated address of the gateway device for communicating with the service comprises an address of the gateway device on the public network (the client-computing device 110 communicates only with a public network address of the gateway computing device 120 ¶ [0056]).  

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Rao in view of Gondo, Merchant and Nadig et al., (US 2018/0121260 A1, Nadig).
Claim 11,
	Rao, Gondo and Merchant do not disclose the client device requests to access the service using an application program interface (API).  
	Nadig discloses the client device requests to access the service using an application program interface (API) (Application server 130 generally includes an API service 132, a request processor 134, and a configuration service 136. API service 132 receives a query from a client device 120 and parses the request to identify one or more systems that should process different parts of the request ¶ [0024]).  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao, Gondo and Merchant by using the features, as taught by Nadig in order to efficiently reduce the amount of code duplication, ¶ [0063].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Mao et al., (US 2018/0295017 A1).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARDIKKUMAR D PATEL whose telephone number is (571)270-7886.  The examiner can normally be reached on 9AM-5PM Monday-Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kwang B Yao can be reached on 571-272-3182.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HARDIKKUMAR D PATEL/Examiner, Art Unit 2473