DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2. This is the initial office action that has been issued in
response to patent application 16/416,452, filed on 05/20/2019.
Claims 1-21 as originally filed, are currently pending and have
been considered below. Claim 1, 9 and 15 are independent claims.

Claim Interpretation
3. The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “configured to” in claims 1-2, 4, 8, 15-16 and 19.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.



Claim Rejections - 35 USC § 112
4. The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 1-2, 4, 8, 15-16 and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1-2, 4, 8, 15-16 and 19 recites phrases “processor cooperating with the memory and configured to receive a connection”, “the processor is further configured to, prior to authorizing the connection”,  “the processor is further configured to validate a signature”, “the processor is further configured to drop the connection with the client device”, “a server configured to generate a connection lease for a client device”,  ‘virtual delivery appliance configured to receive a connection request”,  “virtual delivery appliance is further configured to, prior to authorizing the connection” and “the virtual delivery appliance is further configured to, upon receiving the connection lease”.
Claims 1-2, 4, 8, 15-16 and 19 uses the phrases “configured” term coupled with functional language. It is unclear whether the recited structure, material, or acts are sufficient for performing the claimed function since such structure (which includes an algorithm for performing the claimed function), material or acts is/are not clearly present in the drawings (e.g.  flowcharts, block diagrams) and specification. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claim Rejections - 35 USC § 103
5. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


6. Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Bell(US 20130219468 A1) in view of Saulpaugh(US 8001232 B2).

7. Regarding Claim 1, Bell discloses, a computing device comprising: a memory and a processor cooperating with the memory and configured to receive a connection request from a client device having a public/private encryption key pair associated therewith, the connection request based upon a connection lease and the public key for the client device, and the connection lease being generated based upon an authenticated version of the public key for the client device (Bell, ¶[0010],  another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access. ¶[0009], According to another aspect, a session host apparatus may include a processor controlling operations of the session host apparatus, and memory storing computer readable instructions that, when executed by the processor, cause the session host apparatus to establish a session with a session client using a connection lease.  ¶[0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key); 
Bell does not explicitly disclose the following limitations that Saulpaugh teaches:
verify that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Saulpaugh, Col. 36, lines 6-10, The lease presenter then presents the lease token to one or more session hosts in step 607 as defined by the lease token. The lease presenter may further provide confirmation to the session host that the user has already been authenticated. Alternatively the lease token may be delivered to the session host by a network device, virtual machine (VM) or other server such as an Access Gateway, Web Interface, Delivery Services or the broker itself (any of which can act as the “lease presenter”), after intercepting the initial request from the session client); 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to 
verify authentication of the public key that will generate a match from the connection for the client device to enhance security.
and authorize the connection with the client device and provide the client device with access to a virtual computing session via the connection (Bell, ¶[0078], a lease token (or a separate lease) may include information to authorize a network connection through a security device, such as an access gateway, in which case the lease may be presented to the gateway as part of establishing the connection with the session host.).  

8. Regarding Claim 2, Bell in view of Saulpaugh disclose, 
Bell does not explicitly disclose the following limitations that Saulpaugh teaches:
the computing device of claim 1 wherein the processor is further configured to, prior to authorizing the connection with the client device: initiate a challenge to be signed by the client device with the private key associated with the client device (Saulpaugh, Col. 56, lines 17-20, In one embodiment, the client may access the authentication service using a challenge/response mechanism Such as a logon account with password and thus may be verified as a valid client.); 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include initiating a challenge that will need to be signed with a private key using a client device to enhance security levels.

and validate the signed response with the public key for the client device (Bell, ¶[0066], Each connection lease may be cryptographically signed 511 so that a session host can verify the validity of the lease without needing to communicate with a broker. For example, in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

9. Regarding Claim 3, Bell in view of Saulpaugh disclose, the computing device of claim 2 wherein the processor initiates the challenge and validates the signed response prior to verifying that the authenticated version of Page 31 of 37ID2012US (96122) the public key upon which the connection lease was generated matches the public key for the client device (Bell, ¶[0074],  The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. ¶[0066],  a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

10. Regarding Claim 4, Bell in view of Saulpaugh disclose, the computing device of claim 2 wherein, prior to the challenge and response, the processor is further configured to validate a signature and date associated with the connection lease, and validate that the public key is valid (Bell, Claim 14, the session host validating the lease token based on the cryptographic signature of the lease token ;based on the validating, the session host sending connection information for use by the client device to establish a session with the session host).  

11. Regarding Claim 5, Bell in view of Saulpaugh disclose, the computing device of claim 2 wherein the processor initiates the challenge and validates the signed response after verifying that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, ¶[0074],  The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. ¶[0066],  a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

12. Regarding Claim 6, Bell in view of Saulpaugh disclose, the computing device of claim 1 wherein the connection lease includes a hash of the authenticated version of the public key for the client device (Bell, ¶[0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker. The session host can thereby ensure that the information included in the lease is provided by a trusted broker. The broker may further include a hash value associated with the lease token to ensure that the lease is not improperly altered or changed after issuance by the broker and before use by a user or device).  

13. Regarding Claim 7, Bell in view of Saulpaugh disclose, 
Bell does not explicitly disclose the following limitations that Saulpaugh teaches:
the computing device of claim 1 wherein the public/private key pair is generated at the client device using a hardware-backed key store (Saulpaugh, Col. 52, lines 38-42, In some embodiments, a hardware-based physical identification method may be used to authenticate the client. For example, the user may Supply a physical identification Such as a Smart card for identification and authorization.). 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include a device where the public/private key is generated by using a hardware backed key store to enhance security.

14. Regarding Claim 8, Bell in view of Saulpaugh disclose, the computing device of claim 1 wherein the processor is further configured to drop the connection with the client device based on a failure to verify that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, ¶[0085], Using one or more aspects described above, the use of connection leases and lease tokens provides greater resilience by reducing the dependence of virtualization systems on central infrastructure and single points of failure, and further provides the ability to scale up quickly and easily for managed hosted applications and desktops. The ability to scale up results from a connection broker being queried less often per session client. As a result a single connection broker has the ability to service a much larger number of session clients when using connection leases and lease tokens as described herein, as opposed to prior art inline connection broker architectures.).  

15. Regarding Claim 9, Bell discloses, a method comprising: receiving a connection request at a virtual delivery appliance from a client device having a public/private Page 32 of 37ID2012US (96122) encryption key pair associated therewith, the connection request being based upon a connection lease and the public key for the client device, and the connection lease being generated based upon an authenticated version of the public key for the client device (Bell, ¶[0010],  another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access. ¶[0009], According to another aspect, a session host apparatus may include a processor controlling operations of the session host apparatus, and memory storing computer readable instructions that, when executed by the processor, cause the session host apparatus to establish a session with a session client using a connection lease.  ¶[0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key); verifying at the virtual delivery appliance that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Saulpaugh, Col. 36, lines 6-10, The lease presenter then presents the lease token to one or more session hosts in step 607 as defined by the lease token. The lease presenter may further provide confirmation to the session host that the user has already been authenticated. Alternatively the lease token may be delivered to the session host by a network device, virtual machine (VM) or other server such as an Access Gateway, Web Interface, Delivery Services or the broker itself (any of which can act as the “lease presenter”), after intercepting the initial request from the session client); and authorizing a connection with the client device and providing the client device with access to a virtual computing session via the connection (Bell, ¶[0078], a lease token (or a separate lease) may include information to authorize a network connection through a security device, such as an access gateway, in which case the lease may be presented to the gateway as part of establishing the connection with the session host.).  

16. Regarding Claim 10, Bell in view of Saulpaugh disclose, the method of claim 9 further comprising, prior to authorizing the connection with the client device: initiating a challenge from the virtual delivery appliance to be signed by the client device with the private key associated with the client device (Saulpaugh, Col. 56, lines 17-20, In one embodiment, the client may access the authentication service using a challenge/response mechanism Such as a logon account with password and thus may be verified as a valid client. ); and validating at the virtual delivery appliance the signed response with the public key for the client device (Bell, ¶[0066], Each connection lease may be cryptographically signed 511 so that a session host can verify the validity of the lease without needing to communicate with a broker. For example, in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

17. Regarding Claim 11, Bell in view of Saulpaugh disclose, the method of claim 10 wherein initiating and validating comprise initiating the challenge and validating the signed response prior to verifying that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device Bell, ¶[0074],  The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. ¶[0066],  a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.). 
 
18. Regarding Claim 12, Bell in view of Saulpaugh disclose, the method of claim 10 wherein initiating and validating comprise initiating the challenge and validating the signed response after verifying that the authenticated version Page 33 of 37ID2012US (96122) of the public key upon which the connection lease was generated matches the public key for the client device (Bell, ¶[0074],  The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. ¶[0066],  a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

19. Regarding Claim 13, Bell in view of Saulpaugh disclose, the method of claim 9 wherein the public key for the client device is registered with a broker (Bell, ¶[0010], Yet another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access, and one or more resources the client device is authorized to use on the one or more session hosts. ); and further comprising validating, at the virtual delivery appliance, that the public key for the client device is registered with the broker prior to verifying that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, ¶[0066],  in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker. The session host can thereby ensure that the information included in the lease is provided by a trusted broker. ¶[0005], When a user desires to connect to a virtual desktop, the user's local software client contacts a connection broker to establish a session with a remote desktop or other resource. Conventional connection brokers are said to be “inline” and thus involved in all decisions to determine where to direct a user's session. Stated differently, all connections must be initiated through and established with the assistance of the connection broker).  

20. Regarding Claim 14, Bell in view of Saulpaugh disclose, the method of claim 9 wherein the connection lease includes a hash of the authenticated version of the public key for the client device (Bell, ¶[0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker. The session host can thereby ensure that the information included in the lease is provided by a trusted broker. The broker may further include a hash value associated with the lease token to ensure that the lease is not improperly altered or changed after issuance by the broker and before use by a user or device).
  
21. Regarding Claim 15, Bell in view of Saulpaugh disclose, a computing system comprising: a server configured to generate a connection lease for a client device, the client device having a public/private encryption key pair associated therewith, and the connection lease being generated based upon an authenticated version of the public key for the client device (Bell, ¶[0010],  another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access. ¶[0009], According to another aspect, a session host apparatus may include a processor controlling operations of the session host apparatus, and memory storing computer readable instructions that, when executed by the processor, cause the session host apparatus to establish a session with a session client using a connection lease.  ¶[0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key); and a virtual delivery appliance configured to receive a connection request from the client device based upon the connection lease and the public key for the client device (Bell, ¶[0021], According to one or more aspects, generic computing device 101 may be a server 106 a in a single-server or multi-server desktop virtualization system configured to provide virtual machines for client access devices. ¶[0072], Alternatively the lease token may be delivered to the session host by a network device, virtual machine (VM) or other server such as an Access Gateway, Web Interface, Delivery Services or the broker itself (any of which can act as the “lease presenter”), after intercepting the initial request from the session client ), verify that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Saulpaugh, Col. 36, lines 6-10, The lease presenter then presents the lease token to one or more session hosts in step 607 as defined by the lease token. The lease presenter may further provide confirmation to the session host that the user has already been authenticated. Alternatively the lease token may be delivered to the session host by a network device, virtual machine (VM) or other server such as an Access Gateway, Web Interface, Delivery Services or the broker itself (any of which can act as the “lease presenter”), after intercepting the initial request from the session client), Page 34 of 37ID2012US (96122)authorize a connection with the client device and provide the client device with access to a virtual computing session via the connection (Bell, ¶[0078], a lease token (or a separate lease) may include information to authorize a network connection through a security device, such as an access gateway, in which case the lease may be presented to the gateway as part of establishing the connection with the session host.).  

22. Regarding Claim 16, Bell in view of Saulpaugh disclose, the computing system of claim 15 wherein the virtual delivery appliance is further configured to, prior to authorizing the connection with the client device: initiate a challenge to be signed by the client device with the private key associated with the client device (Saulpaugh, Col. 56, lines 17-20, In one embodiment, the client may access the authentication service using a challenge/response mechanism Such as a logon account with password and thus may be verified as a valid client.); and validate the signed response with the public key for the client device (Bell, ¶[0066], Each connection lease may be cryptographically signed 511 so that a session host can verify the validity of the lease without needing to communicate with a broker. For example, in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

23. Regarding Claim 17, Bell in view of Saulpaugh disclose, the computing system of claim 16 wherein the virtual delivery appliance initiates the challenge and validates the signed response prior to verifying that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, ¶[0074],  The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. ¶[0066], a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

24. Regarding Claim 18, Bell in view of Saulpaugh disclose, the computing system of claim 16 wherein the virtual delivery appliance initiates the challenge and validates the signed response after verifying that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, ¶[0074],  The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. ¶[0066],  a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

25. Regarding Claim 19, Bell in view of Saulpaugh disclose, the computing system of claim 15 wherein the server has a public/private key pair associated therewith (Bell, ¶[0037], a primary network 104 comprised of multiple sub-networks located between the client machines 140 and the servers 106; a primary public network 130 (e.g., the Internet) with a private sub-network;); wherein generated connection lease is signed with the server private key (Bell, ¶[0066], Each connection lease may be cryptographically signed 511 so that a session host can verify the validity of the lease without needing to communicate with a broker. For example, in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 40); wherein the virtual delivery appliance is further configured to, upon receiving the connection lease, verify the connection lease signature and also perform a challenge-response Page 35 of 37ID2012US (96122)with the client device based upon an authenticated version of the server public key.  

26. Regarding Claim 20, Bell in view of Saulpaugh disclose, the computing system of claim 15 wherein the authenticated version of the public key is obtained following authentication from the client device to the server (Bell, [0072], The lease presenter then presents the lease token to one or more session hosts in step 607 as defined by the lease token. The lease presenter may further provide confirmation to the session host that the user has already been authenticated. Alternatively the lease token may be delivered to the session host by a network device, virtual machine (VM) or other server such as an Access Gateway, Web Interface, Delivery Services or the broker itself (any of which can act as the “lease presenter”), after intercepting the initial request from the session client); and wherein the server receives the authenticated version of the public key from the client device and generates the connection lease for the client device responsive thereto (Bell, ¶[0010], Another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access, and one or more resources the client device is authorized to use on the one or more session hosts. The connection broker then generates a lease token based on the client device, the one or more session hosts, and the one or more resources, where the lease token is a self-sustaining package of data from which each of the one or more session hosts can determine whether the client device is authorized to access the one or more resources hosted by that session host.).  

27. Regarding Claim 21, Bell in view of Saulpaugh disclose, the computing system of claim 15 wherein the connection lease comprises an encrypted payload and an unencrypted manifest (Bell, ¶[0080], some information in the connection lease may be encrypted to prevent information disclosure to less-trusted components, such as client (endpoint) devices. In such an example, some information may remain unencrypted); and wherein the authenticated version of the public key is included within the unencrypted manifest (Bell, ¶[0080], some information may remain unencrypted, e.g., information about the validity period of the lease (if any), and the nature and addresses of any services to which the lease may be presented (gateway devices, boot services or session hosts), so that the lease presenter can determine whether the lease token is suitable for its purposes or not.).




Conclusion
28. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939.  The examiner can normally be reached on M-F, 8 AM TO 5 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAYASA SHAAWAT/
Examiner Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433