DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a reply to the application filed on 02/28/2019, in which claims 1-20 are pending. Claims 1, 8 and 15 are independent.

Drawings
The drawings filed on 02/28/2019 are accepted by the Examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 1-20 are non-provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over:
          Claims 1-20 of Patent 9,397,892, and claims 1-20 of Patent 10,785,115.

Although the conflicting claims are not identical, they are not patentably distinct from each other because claims 1-20 are anticipated by claims 1-20 of Patent 9,397,892, and claims 1-20 of Patent 10,785,115.


Patent No. 9,397,892
Claim 1. A method for pairing a server, comprising: 
receiving, from an unpaired server, a pairing request that includes a pairing key and a requested value representing one of: a requested label, a requested configured characteristic, or a requested server state; 
determining whether to approve or reject the pairing request, comprising: identifying a pairing profile that includes a pairing key that matches the pairing key in the pairing request; 
determining that the pairing profile includes a locked default value that matches the requested value; 
determining whether the locked default value differs from the requested value; and determining whether to approve or reject the pairing request based on whether the locked default value differs from the requested value; and 
responsive to determining to approve the pairing request: 
notifying the unpaired server that the unpaired server is now a managed server; 
generating a description of the managed server, wherein the managed server description includes a set of one or more labels that describe the managed server, wherein the generated managed server description uses the locked default value responsive to approval of the pairing request; 
sending the management instructions to the managed server. 

Instant Application No. (16/289,125) 
A method for assigning labels to workloads for enforcing a segmentation policy, the method comprising: 
receiving a pairing request from a workload, the pairing request including a pairing key associated with a pairing profile; 
assigning a first label associated with a first label dimension to the workload based on the pairing profile; 
receiving one or more attributes of the workload; 
applying a set of labeling rules to assign a second label associated with a second label dimension to the workload based on the one or more attributes; 
determining, based on a segmentation policy, one or more label-based segmentation rules applicable to the workload based on the first and second labels assigned to the workload; and 


Patent No. 10,785,115 (16/172,630)  
Claim 1. A method for configuring enforcement of a segmentation policy, the method comprising: 
obtaining a segmentation policy comprising a plurality of rules controlling communications between workloads; 
generating, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload; 
obtaining, for the particular workload, a connectivity configuration indicating a network device upstream from the particular workload; 
determining an allocation of the plurality of management instructions between enforcement on a host of a computing device on which the particular workload executes and enforcement on the network device upstream from the workload, comprising: 
detecting that the particular workload is an unmanaged workload that does not have an enforcement module installed 
responsive to detecting that the particular workload is the unmanaged workload, allocating the plurality of management instructions for enforcement by the network device; and 
sending configuration information based on the plurality of management instructions to at least one of the host and the network device in accordance with the allocation to enable enforcement of the plurality of management instructions.

Instant Application No. (16/289,125) 
A method for assigning labels to workloads for enforcing a segmentation policy, the method comprising: 
receiving a pairing request from a workload, the pairing request including a pairing key associated with a pairing profile; 
assigning a first label associated with a first label dimension to the workload based on the pairing profile; 
receiving one or more attributes of the workload; 
applying a set of labeling rules to assign a second label associated with a second label dimension to the workload based on the one or more attributes; 
determining, based on a segmentation policy, one or more label-based segmentation rules applicable to the workload based on the first and second labels assigned to the workload; and 
distributing the one or more label-based segmentation rules to the workload to enable the workload to enforce the segmentation policy.  


Claims 1-20 are provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over:
          Claims 1-20 of application 16/113,706.

Although the conflicting claims are not identical, they are not patentably distinct from each other because claims 1-20 are anticipated by claims 1-20 of application 16/113,706.
Application No. (16/113,706)  
Claim 1. A method for managing a segmentation policy, the method comprising: 
obtaining a segmentation policy by a leader segmentation server; 
distributing, by the leader segmentation server, the segmentation policy to a first member segmentation server paired with a first plurality of paired workloads; 
generating, by the first member segmentation server based on the segmentation policy, first management instructions for controlling communications of the first plurality of paired workloads in accordance with the segmentation policy; 
distributing, by the first member segmentation server, the first management instructions to first operating system instances executing the first plurality of paired workloads to enable the first operating system instances to enforce the segmentation policy with respect to the first plurality of paired workloads.

Instant Application No. (16/289,125) 
Claim 1.  A method for assigning labels to workloads for enforcing a segmentation policy, the method comprising: 
assigning a first label associated with a first label dimension to the workload based on the pairing profile; 
receiving one or more attributes of the workload; 
applying a set of labeling rules to assign a second label associated with a second label dimension to the workload based on the one or more attributes; 
determining, based on a segmentation policy, one or more label-based segmentation rules applicable to the workload based on the first and second labels assigned to the workload; and 
distributing the one or more label-based segmentation rules to the workload to enable the workload to enforce the segmentation policy.  



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-20 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by Kirner et al. (US 2015/0127832 A1).
Regarding Claims 1, 8, and 15, Kirner discloses
receiving a pairing request from a workload, the pairing request including a pairing key associated with a pairing profile ([0006], “receiving, from an unpaired server, a pairing request that includes a pairing key”, [0055], “A pairing request includes 
assigning a first label associated with a first label dimension to the workload based on the pairing profile ([0057], “the request processing module 394 determines that the matching pairing profile includes a "locked" default label and the pairing request includes a requested label for that same dimension”, [0071], “If the pairing request includes a requested label whose value does not conflict with a locked default label, then the MS description creation module 398 populates the label portion with the requested label”, i.e. assigning a first label); 
receiving one or more attributes of the workload ([0034], “configured characteristic-related information”, [0046], “additional information used in an MFA test is present in the server's pairing request”);  
applying a set of labeling rules to assign a second label associated with a second label dimension to the workload based on the one or more attributes ([0006], “a set of one or more labels that describe the managed server”, [0028], “grouped together by specifying (i.e. applying) one or more labels (referred to herein as a "label set") that describe all of the managed servers 130 in the group”, [0038], “A default label can concern any dimension, such as Role, Environment, Application, Line of Business, or Location”, [0043], “If the server state is Unmanaged, then the server is paired, but the global manager 120 must complete an additional workflow ("2-phase pairing") in order to change the server state to one of the managed server states”, i.e. assign a second label);  
determining, based on a segmentation policy, one or more label-based segmentation rules applicable to the workload based on the first and second labels assigned to the workload ([0003], “a logical multi-dimensional label-based policy model”, [0005], “a security policy (e.g. based on first label) might specify access control and/or secure connectivity, while a resource-usage policy (e.g. based on second label) might specify usage of the administrative domain's computing resources”, [0006], “management policy that includes a rule that refers to managed servers using a (assigned) label”, [0029], “segmentation can be used with access control policies to define groups of managed servers 130 that are subject to particular policies”, e. g. “communications among a first group of managed servers 130 (specified by a first label set) can be restricted to a first secure connection setting (e.g., secure connection not required), and communications between the first group of managed servers and a second group of managed servers (specified by a second label set) can be restricted to a second secure connection setting”, i.e. the second label dimension is different than the first label dimension); and 
distributing the one or more label-based segmentation rules to the workload to enable the workload to enforce the segmentation policy ([0006], “sending the management instructions to the managed server”, [0028], “enables multiple managed servers 130 to be grouped together”, “enables the segmentation”, [0029], “segmentation can be used with access control policies to define groups of managed servers 130 that are subject to particular policies”).

Regarding Claims 2, 9, and 16, Kirner discloses
wherein applying the set of labeling rules comprises: receiving a scope of the labeling rules specifying a set of label dimensions ([0006], “a set of one or more labels that describe the managed server”, [0028], “A label set includes either zero values or one value for a dimension”); 
determining that the workload has the set of label dimensions specified by the scope; and applying the set of labeling rules to the workload responsive to determining that the workload has the set of label dimensions specified by the scope of the labeling rule ([0028], “grouped together by specifying (i.e. applying) one or more labels (referred to herein as a "label set") that describe all of the managed servers 130 in the group”, [0038], “A default label can concern any dimension, such as Role, Environment, Application, Line of Business, or Location”, i.e. a second label can be assigned by applying a set of labeling rules).

Regarding Claims 3, 10, and 17, Kirner discloses wherein the second label dimension assigned by the labeling rules is different than the first label dimension assigned based on the pairing profile ([0029], “communications among a first group of managed servers 130 (specified by a first label set) can be restricted to a first secure connection setting (e.g., secure connection not required), and communications between the first group of managed servers and a second group of managed servers (specified by a second label set) can be restricted to a second secure connection setting”, i.e. the second label dimension is different than the first label dimension).  

Regarding Claims 4, 11, and 18, Kirner discloses authenticating the pairing key received from the workload; and assigning the first label responsive to the pairing key being valid ([0008], “validate the pairing key in the pairing request”, “using a label”, i.e. assigning the first label).  

Regarding Claims 5, 12, and 19, Kirner discloses wherein the one or more attributes comprises at least one of: a portion of a hostname of the workload, an IP address of the workload, a running process executing on the workload, and an open port on the workload (Kirner, [0046], “Additional information…include”, [0047], “The server's IP address”, [0049], “service information of server…includes, for example, process information and/or package information. Process information includes, for example, names of processes that the server 160 is running, which network ports and network interfaces those processes are listening on”).  

Regarding Claims 6, 13, and 20, Kirner discloses wherein determining the one or more label-based segmentation rules applicable to the workload comprises identifying that the one or more label-based segmentation rules applicable to the workload reference the first label and the second label (Kirner, [0029], “communications among a first group of managed servers 130 (specified by a first label set) can be restricted to a first secure connection setting (e.g., secure connection not required), and communications between the first group of managed servers and a second group of managed servers (specified by a second label set) can be restricted to 

Regarding Claims 7 and 14, Kirner discloses wherein the first label associated with the first label dimension assigned based on the pairing profile is secured and does not change based on the labeling rules (Kirner, [0038], “If a default label is locked, then the value of that dimension cannot be changed”, [0057], “the request processing module 394 determines that the matching pairing profile includes a "locked" default label and the pairing request includes a requested label for that same dimension”).  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186.  The examiner can normally be reached on Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHENG-FENG HUANG/Examiner, Art Unit 2497