Detailed Action
This office action is a response to an application filed on 12/01/2019 in which claims 17 – 30 are pending and ready for examination.

This application claims priority and is a continuation of U.S. Application Provisional No. 15097282 filed on April 12, 2016, U.S. Patent Application No. 15097282 claims priority from U.S. Provisional Patent Application No. 62146786 filed 13-April-2015.

Information Disclosure Statement
The Examiner has considered the reference(s) listed on the Information Disclosure Statement submitted on 3/8/2021. 7/03/2020, 4/10/2020, 12/14/2020 and 10/26/2020.
Drawings
The Examiner contends that the drawings submitted on 12/01/2019 are acceptable for examination proceedings. 
	
Pre-AIA  
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

First inventor to File Provisions of the AIA 
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA 

Graham v Deere Test for Obviousness 
The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:

2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 17 - 30 are rejected under 35 U.S.C. 103 as being unpatentable over Sajassi United States Patent 9559951 in view of Herle United States Patent Application 20150372982.
With regards to Claim 17, Sajassi teaches where of a method comprising of deploying a gateway in at least one public cloud; Column 08 Row 11 E-VPN endpoints and IP-VPN endpoints may generally include a suitable network element, e.g., device which communicates on a network. Typically, an E -VPN endpoint may be configured to interoperate with an IP -VPN provider edge device In one embodiment, an E -VPN provider edge device may interoperate with an IP -VPN provider edge device that may be, but is not limited to being, an IP -VPN client site that accesses cloud services, an IP -VPN Top-of-Rack (ToR) switch, and/or an IP -VPN gateway. 
deploying an edge device that automatically connects to the gateway to establish the VPN for the enterprise; Column 02 Row 35   In one embodiment, an IRB solution that is based on E-VPN may interoperate substantially seamlessly with IP-VPN network elements over Multiprotocol Label Switching (MPLS) and IP networks. A data center network (DCN) that includes an E-VPN that supports E-VPN endpoints and IP-VPN endpoints allows efficient forwarding for intra-subnet switching and efficient forwarding for inter-subnet switching within the DCN as well as across different DCNs. By allowing an E-VPN provider edge device to effectively communicate using E-VPN to E-VPN speakers, e.g., endpoints, and to effectively communicate using IP-VPN with IP-VPN speakers, e.g., endpoints, the E-VPN provider edge device may be used to effectively support interoperation of E-VPN speakers and IP-VPN speakers.
and from each deployed edge device , providing to the gate way a set of local subnets of the edge device that is readable over the VPN; Column 02 Row 45 (16)   Substantially seamless operation between E-VPN and IP-VPN may generally be such that an IP-VPN speaker, e.g, an IP-VPN provider edge device, in communication with an E-VPN provider edge device is effectively unaware that it is in communication with the E-VPN provider edge device and not an IP-VPN provider edge device. An E-VPN provider edge device that supports both E-VPN and IP-VPN efficiently forwards intra-subnet traffic, and efficiently forwards inter-subnet traffic by allowing an E-VPN media access control (MAC) advertisement route to carry an IP address and a MAC address.
Sajassi discloses the invention substantially as recited above. It may be obvious to a person skilled in the art at the time of the invention disclosure to further amend Sajassi deploying a gateway in at least one public cloud to connect a plurality of premises of an enterprise;  Herle in the same field of endeavor teaches in ¶ [0004] ¶ [0004] The method can further include utilizing the DNS to determine a destination of the requests; and for the requests for the enterprise, contacting the topology controller to pre-fetch the topology of the enterprise. The method can further include operating an on-premises redirection proxy within the enterprise, wherein the on-premises redirection proxy is configured to establish the tunnel from the enterprise to the VPN device. Secure tunnels to the enterprise are dialed out from the enterprise by the on-premises redirection proxy. The on-premises redirection proxy is a virtual machine operating behind a firewall associated with the enterprise. The on-premises redirection proxy is configured as a bridge between the client and applications inside the enterprise. The VPN device operates on a cloud node in the cloud system, and wherein the cloud system includes a distributed security cloud. The VPN device can include one of a software instance on a cloud node or a virtual machine on the cloud node. The topology controller includes a network topology of the enterprise including internal domain names and subnets
 It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Sajassi.
One would have been motivated to modify Sajassi in this manner so that an Enterprise in a clientless manner can receive a request to access resources from a Web browser on a user device in a cloud system. 		

With regards to Claim 18, Sajassi teaches where before the VPN is established between the gateway and each deployed edge device, negotiating a secure connection link between the gateway and each deployed edge device in preparation for transmission of secure traffic between the gateway and edge device once the VPN is established; Column 03 Row 09  As mentioned above, substantially seamless interoperability with respect to E-VPN and IP-VPN[i.e.gateway] may be achieved by an E-VPN provider edge device.  In general, an E-VPN provider edge device that supports routing of E-VPN traffic and routing of IP-VPN traffic may establish a many-to-one mapping between MAC-VRFs and an IP-VPN VRF instance.

With regards to Claim 19, Sajassi teaches of establishing a VPN between the gateway and a particular edge device after the particular edge device receives a message from an orchestrator that the VPN should be established; Column 03 Row 253 E-VPN provider edge device 104 generally includes functionality which allows E-VPN provider edge device 104 to support both E-VPN and IP-VPN, as mentioned above. FIG. 2 is a diagrammatic representation of an E-VPN provider edge device, e.g., E-VPN provider edge device 104 of FIG. 1, in accordance with an embodiment. 

With regards to Claim 20, Sajassi discloses the invention substantially as recited above. It may be obvious to a person skilled in the art at the time of the invention disclosure to further amend Sajassi where at each edge device, establishing an unsecure tunnel with the gateway before negotiating the secure connection link between the edge device and the gateway, said establishing comprising sending, as part of a handshake message exchange, information needed to identify the edge device and a logical identifier for the enterprise. Herle in the same field of endeavor teaches in ¶[0005]  0005] In another exemplary embodiment, a cloud system includes one or more Virtual Private Network (VPN) servers, wherein one or more clients connect securely to the one or more VPN servers; a topology controller communicatively coupled to the one or more VPN servers; a Domain Name Server (DNS) communicatively coupled to the topology controller and the one or more VPN servers; and a redirection proxy located in a private network and communicatively coupled to the one or more VPN servers and the topology controller; wherein requests from the one or more clients to the private network cause on demand secure connections being established by the redirection proxy to associated VPN servers. Requests from the one or more clients outside of the private network are forwarded without traversing the private network. The redirection proxy maintains a persistent connection to the topology controller and establishes secure tunnels to the one or more VPN servers based on direction from the topology controller. The topology controller includes a network topology of the private network including internal domain names and subnets. The VPN servers operate on cloud nodes in a distributed security cloud.
 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Sajassi.

One would have been motivated to modify Sajassi in this manner so that each edge device can establish a secure link by first establishing an unsecure tunnel with the gateway before negotiating the secure connection link between the edge device and the gateway.

With regards to Claim 21, Sajassi teaches where as part of the handshake message exchange between the gateway and the edge device, the edge device provides to the gateway the set of local subnets of the edge device; Column 06 Row 12 In one embodiment, for a given tenant, a IP-VPN provider edge device may share substantially only IP-VPN routes for some of its associated subnets with an E-VPN provider edge device.  When substantially only IP-VPN routes from some associated subnets are effectively provided to an E-VPN provider edge device by a IP-VPN provider edge device, then one route may be selected for use as a common route between the IP-VPN provider edge device and the E-VPN provider edge device for common subnets [i.e. local subnets].


With regards to Claim 22, Sajassi discloses the invention substantially as recited above. It may be obvious to a person skilled in the art at the time of the invention disclosure to further amend Sajassi where the edge device automatically contacts the gateway and provides data as part of the handshake message exchange because each individual gateway is a self-contained autonomous entity that can be configured through the edge devices rather than being configured by an external orchestrator; Herle in the same field of endeavor teaches in ¶[0013]  In various exemplary embodiments, systems and methods for an intelligent, cloud-based global VPN are described. At a high level, the systems and methods dynamically creates a connection through a secure tunnel between three entities: an end-point, a cloud, and an on-premises redirection proxy. The connection between the cloud and on-premises proxy is dynamic, on-demand and orchestrated by the cloud. A key feature of the systems and methods is its security at the edge--there is no need to punch any holes in the existing on-premises firewall. The redirection proxy inside the enterprise (on premises) "dials out" and connects to the cloud as if too were an end-point..

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Sajassi.

One would have been motivated to modify Sajassi in this manner so that each edge device can independently connect to the gateway.

With regards to Claim 23, Sajassi teaches where at the gateway, a new virtual routing and forwarding (VRF) table for the enterprise after being contacted by an initial edge device of the entity; Column 06 Row 58  Returning to step 709, if it is determined that a multi-destination frame has been received, then a copy of the multi-destination frame is sent in step 713 on each P2MP multicast tree associated with a given EVI and/or VRF to E-VPN endpoints.  It should be appreciated that each copy sent on an E-VPN tree associated with a given EVI and/or VRF to E-VPN endpoints is generally sent with a split-horizon label.

With regards to Claim 24, Sajassi teaches of inserting, at the gateway, each edge devices set of reachable local subnets in the VRF table of the edge device's enterprise; Column 05 Row 07  After the lookup is performed, it is determined in step 517 whether the destination MAC address corresponds to a BVI.  If the destination MAC address corresponds to a BVI, then an IP address lookup is performed in step 521.  The IP address lookup may be performed by using, for example, a bridge-domain identifier to index into an associated VRF table, i.e., a VRF table associated with an appropriate VRF instance.  Once the IP address lookup is performed, the E-VPN packet is forwarded in step 525 using inter-subnet routing.  The method of processing an E-VPN packet is completed upon the E-VPN packet being forwarded using inter-subnet routing

With regards to Claim 25, Sajassi teaches where providing the set of local subnets comprises: receiving, at each deployed particular edge device, a message from an orchestrator that the VPN has been enabled; Column 03 Row 25  E-VPN provider edge device 104 generally includes functionality which allows E-VPN provider edge device 104 to support both E-VPN and IP-VPN, as mentioned above. 

after receiving the message, sending the gateway a message to indicate that the set of local subnets of the particular edge device are reachable over the VPN; Column 03 Row 28  E-VPN provider edge device 104 also includes at least one VRF instance 244 and at least one MAC-VRF or EVI 248.  In general, a one-to-many-mapping is established between each VRF instance 244 and an MAC-VRF, as will be discussed below with reference to FIG. 3.  MAC-VRF may have multiple associated bridge domains that use a VLAN-aware bundling service interface.  In one embodiment, a bridge domain may map to a unique IP subnet within a VRF context.

With regards to Claim 26, Sajassi teaches where providing the set of local subnets further comprises in preparation for establishing the VPN, providing the set of local subnets before receiving the message from the orchestrator that the VPN has been enabled; Column 03 Row 65 As mentioned above, substantially seamless interoperability with respect to E-VPN and IP-VPN may be achieved by an E-VPN provider edge device.  In general, an E-VPN provider edge device that supports routing of E-VPN traffic and routing of IP-VPN traffic may establish a many-to-one mapping between MAC-VRFs and an IP-VPN VRF instance.  Each MAC-VRF may have any number of associated bridge domains that may each map to a substantially unique IP subnet within a VRF context.  That is, each MAC-VRF may have multiple associated bridge domains that each map to a substantially unique IP subnet.  

With regards to Claim 27, Sajassi teaches of implementing a routing protocol between each edge device and the gateway; Column 03 Row 65 As mentioned above, substantially seamless interoperability with respect to E-VPN and IP-VPN may be achieved by an E-VPN provider edge device. In general, an E-VPN provider edge device that supports routing of E-VPN traffic and routing of IP-VPN traffic may establish a many-to-one mapping between MAC-VRFs and an IP-VPN VRF instance.
With regards to Claim 28, Sajassi teaches where the routing protocol relays state information of each particular edge device that connects to the gateway to each other edge device that connects to the gateway and thus is one hop away.  Column 02 Row 12 According to one aspect, a method includes obtaining traffic, determining a host Media Access Control (MAC) address, and determining a host Internet Protocol (IP) address using the traffic. The method also includes generating an Ethernet virtual private network (E-VPN) MAC route advertisement that includes both the host MAC address and the host IP address and generating an IP virtual private network (IP-VPN) route advertisement that includes the host IP address. 
 
With regards to Claim 29, Sajassi teaches of defining a virtual routing and forwarding (VRF) table for the enterprise; Column 03 Row 56 E-VPN provider edge device 104 also includes at least one VRF instance 244 and at least one MAC-VRF or EVI 248. In general, a one-to-many-mapping is established between each VRF instance 244 and an MAC-VRF, as will be discussed below with reference to FIG. 3. MAC-VRF may have multiple associated bridge domains that use a VLAN-aware bundling service interface. In one embodiment, a bridge domain may map to a unique IP subnet within a VRF context..

and identifying in the VRF table each edge device that is one hop away from a particular edge device;
Column 03 Row 65  As mentioned above, substantially seamless interoperability with respect to E-VPN and IP-VPN may be achieved by an E-VPN provider edge device. In general, an E-VPN provider edge device that supports routing of E-VPN traffic and routing of IP-VPN traffic may establish a many-to-one mapping between MAC-VRFs and an IP-VPN VRF instance

With regards to Claim 30, Sajassi teaches where the state information includes the local subnets reachable over the VPN.
Column 03 Row That is, each MAC-VRF may have multiple associated bridge domains that each map to a substantially unique IP subnet.

Conclusion;
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY BARON whose telephone number is (571)270-1748.  The examiner can normally be reached on 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yemane Mesfin can be reached on 571 272 3927.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/HENRY BARON/Examiner, Art Unit 2462                                                                                                                                                                                                        


	/YEMANE MESFIN/             Supervisory Patent Examiner, Art Unit 2462                                                                                                                                                                                           
	
	
	
	.