Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
	- Claims 1-15 are allowed.

Allowable Subject Matter
 	The following is an Examiner's statement of reasons for allowance:
- Following a telephonic interview held on 5/12/2021, Applicant’s representative Mr. Neil Thompson authorized the Examiner’s amendment presented below in order to further differentiate the current invention from the prior art of record (see interview summary).
- The references cited in the filed IDS documents have been considered.
- In view of the Examiner’s amendment presented below, the closest identified prior art of record including Abeele, Johnson, Tableman and Gordon,  alone or in combination, do not teach or suggest all the features of independent 12 and the features of independent claim 1 as amended. 
- In Abeele et al. “Secure Service Proxy: A CoAP Intermediary for a Securer and Smarter Web of Things”, Sensors Journal, July 11, 2017, the authors disclose a reverse proxy as an endpoint that stands in for one or more other server(s) and satisfies requests on behalf of these, doing any necessary translations, and it also teaches that the client may not be aware that it is communicating with a reverse-proxy; a reverse-proxy receives requests as if it were the origin server for the target resource. The reverse proxy approach enables splitting the end-to-end communication between a constrained device and its client at the  by enabling the reverse proxy to be deployed on any system (see design), it is not restricted by the limitations common to constrained IoT devices……… A reverse proxy can improve network access by offering features such as caching, network-edge access control and enforcing congestion control algorithms. Interoperability with other systems can be increased by, e.g., translating between HTTP and CoAP, which is fairly straightforward considering the design goals of CoAP…………..without any additional configuration on either the constrained device or the client; nor does the presented approach require any modifications to the standards compliant protocol stacks (e.g., 6LoWPAN/DTLS/CoAP) running on the constrained device and the client. Indeed, the client discovers the Internet endpoint of the constrained device that is hosted on the proxy, and the proxy takes care of mapping every request to the corresponding constrained device. In the scenario presented here, all configuration is limited to the proxy [Abeele, Sections 4, 4.1, 4.2, 4.3]. However Abeele does not disclose all the features recited in claims 1 and 12.
- Johnson et al. (US Pub.No.2017/0272316), which is an Applicant provided prior art reference, discloses in one embodiment of FIG. 27 a client that sends a GET request to a Firewall.  2.  The firewall checks the GET request against NAT rules. 3. If applicable, the NAT rules instruct the firewall to forward the GET request to a reverse proxy.  4.  The reverse proxy checks the prefix URL against a map or mapping function.  5. If applicable, the reverse proxy determines that the GET request needs to be forwarded to a server (e.g., according to the mapping).  6. The proxy server modifies the GET request according to the mapping (if any) and forwards the modified GET request to the firewall. 7. The firewall checks the modified GET request against the NAT rules. 8. The firewall determines that the modified GET request originates from the reverse proxy.  9. The firewall determines that the reverse proxy is allows to access a server, modify the GET request, and forward it to the server. 10. The firewall forwards the modified GET request to the server, which process the GET request.  11. The server returns to the reverse proxy a response to the GET request.  12.The reverse proxy checks the response against a reverse mapping.  13. The reverse proxy changes the references in the URL and HTTP header (received from the server) according to the reverse mappings.  14. The reverse proxy forwards the modified response to the client [Johnson, Fig.27, para.0429-0443]. However Johnson does not disclose all the features recited in claims 1 and 12.
- Tableman (US.Pub.No.2018/0152418), discloses monitoring of data being communicated between multiple computing entities, application frames, etc., within a geographic residency.  At block 453, any data being communication within a geographic residency is securely tokenized and/or encrypted using one or more tokenization and/or encryption techniques offered by a (reverse) proxy server in communication with a token database offering relevant tokens and/or encryption protocols for facilitating the secured the tokenization and/or encryption of the data.  In one embodiment, at block 455, the (reverse) proxy server and/or the token database in the geographic residency are used to ensure that the communication of the tokenized and/or encrypted data, at least the tokenized and/or encrypted sensitive data, is securely performed between multiple computing entities (e.g., client computer, third-party server computer, etc.) within the geographic residency. the (reverse) proxy server and/or the token database in the geographic residency are used to ensure that the communication of the tokenized and/or encrypted data, at least the tokenized and/or encrypted sensitive data, is securely performed between multiple application frames (e.g., web browser, application screen, etc.) within the geographic residency.  At block 459, the tokenized and/or encrypted data is securely is received, decrypted, and viewed at the client computer using one or more of encryption/decryption techniques via one or more interfaces via one or more display screens/devices associated with or communicatively coupled to the client computer [Tableman, para. 0067-0068]. However Tableman does not disclose all the features recited in claims 1 and 12.
- Gordon et al (US Pub.No.2018/0077121) discloses a secure mechanism for exposing internal network ports through a redundant pathway over Secure Socket Layer (SSL) without requiring firewall changes, local SSL certificates, local hostnames or Network Translation policies.  The reverse proxy mechanism provides redundant pathways for remote clients and local servers to interact over SSL by converting domain host names requests through wild card hostname entries to TCP ports, relaying through a redundant reverse proxy service bus network, with localization and optimization of network traffic flow and automated bandwidth management to remote client network devices [Gordon, para.0005]. All traffic from a client device, the web interface or the native software desktop tool connects to the public Load balancers 110 over 256-bit SSL encryption using Domain Name System (DNS) requests.  The appliances then load balance traffic/requests to the closest MyWorkDrive.RTM, reverse proxy server (112, 114, 116) which converts the original request from port 443 (the default port used by secure http) over Secure Socket Layer (SSL) to a custom port assigned to each client's server and hostname.  Traffic is then routed through the encrypted service bus service bus on that custom port to the nearest network connection of the clients requested server (106, 122, 124)……….. The proxy servers (112, 114, 116) convert communications from the clients (102, 104) on port 843 to an assigned port (static TCP) for the client backend web server (106, 122, 124), using a table stored in relay database 118.  The proxy servers also convert the reverse communication from the client backend web servers, again using a table in relay database 118….. an agent installed on the client web server operates in listen only mode while communicating with the service bus network, while the agent on the reverse proxy server handles two-way communications with the service bus network.  The communication keys for the secure SSL connection are stored with the respective agents [Gordon, para.0014-0021]. However Gordon does not disclose all the features recited in claims 1 and 12.
- In view of the above, the closest prior art references alone or in combination to not teach or suggest the features recited in claims 1 and 12. Therefore independent claims 1 and 12 are deemed allowable. Claims 2-11, and 13-15 depend on one of claims 1 and 12 and are therefore allowable by virtue of their dependency.
 	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.

Examiner’s Amendment
 	The Examiner’s amendment presented below was authorized by Mr. Neil Thompson following a telephonic interview held on 5/12/2021.

Please amend the claims as follows:

1. (Currently Amended)  A method for communicating with sockets proxies comprising:
i.	establishing a secure communications session that allows setting up socket proxies between a Device_A and a Device_B, where Device_A uses a proxy-firewall server and Device_B uses an agent of the proxy-firewall server that initiates the establishment of the session by using a stand-alone proxy client that implements a secure communication protocol employing configuration data and credentials of a user account that is defined by a configuration profile of Device_B that allows connecting to the user account of Device_A;
ii.	establishing direct proxies from application sockets of Device_A;
iii. establishing reverse proxies from application sockets of Device_B; 
iv.	 protecting via the proxy-firewall server of Device_A communications between the application sockets of Device_A and reverse proxies of Device_A by configuring security contexts that are set up through marking and filtering rules for local communications, employing as a context delimiter parameter a user of an operating system of Device_A for each local communication; [[and]]
v.	protecting via the agent of Device_B the communication between the application sockets of Device_B and direct proxies of Device_B by configuring security contexts through filtering and marking rules for local communications, using as the context delimiter parameter a user of an operating system of Device_B for each local communication;
vi. recording the reverse proxies in a database of a connection-broker of Device_A as a record, where information of the reverse proxies is saved and comprises: a id_DispSocket that  stores identification of a device with a socket to make proxy; a id_DispProxy that identifies a device with which a session is maintained; an alias that saves an alias of the socket from the id_DispSocket; a socket that saves a local socket that is reserved by the operating system of Device_A for proxy and that has a network address value belonging to a pool of reserved local network addresses of Device_A;  and a socket_type that determines a socket class to which the record is referenced;
vii. inputting during a booting sequence of the operating system of Device_A a general rule of packet marking through a network framework by the proxy-firewall server, which eliminates any marking of network packets in any communication produced between local sockets of Device_A, with local addresses belonging to the pool of reserved local addresses;
viii. inputting during the booting sequence of the operating system of Device_A a general packet filtering rule by the proxy-firewall server which discards any packet with source or destination information of the local sockets of Device_A lacking marking, provided that such sockets use a local network address belonging to the pool of reserved local addresses;
ix. inputting during the booting sequence of the operating system of Device_B and through the network-framework a general rule of filtering for Socket_B and direct proxy in Device_B which determines discarding of incoming packets with that destination, and a non-local network address as a source; and
x.	inputting during the booting sequence of the operating system of Device_A and through the network-framework a general packet filtering rule by the proxy-firewall server which determines discarding of packets with source or destination a local address of the pool of reserved local addresses that has as source or destination the non-local address.

2. (Currently Amended)  The method of claim 1, wherein security contexts are established for direct and reverse proxies, further comprising:





[[vi]] i. optionally inputting during the booting sequence of the operating system of Device_A an entry into the database of Device_A relative to a Socket_A of Device_A as stated in [[the]] a configuration profile referred to as Profile_A, the entry with information comprising: the id_DispSocket; the id_DispProxy; the alias; the socket; and the socket_type;
[[vii]] ii. optionally inputting during the booting sequence of the operating system of Device_A at least one record called access_record_A into the database of Device_A relative to Socket_A of Device_A as stated in Profile_A, the access_record_A with information comprising: a con_Id that stores an identifier of the access_record_A; a socket that stores Socket_A; and a group_Id that stores a user group identification of the operating system of Device_A;
[[viii]] iii.	 inputting during the booting sequence of the operating system of Device_A, through the connection-broker to the proxy-firewall server and according to a configuration detailed in Profile_A permissions_AG into the database comprising: the group_Id, which stores identification of the user’s group of the operating system of Device_A to which access permission is granted; the alias, which stores the alias of Socket_A; and the socket, which stores a value of Socket_A;
[[ix]] iv. inputting during the booting sequence of a device operating system, through the network-framework and to the proxy-firewall server priority mark rules overriding  general ones mark rules that correspond to the permissions_AG for each Socket_A to grant access permanently to user groups of Device_A relative to the permissions as defined in Profile_A; and
[[x]] v. suppressing during the booting sequence of the operating system of Device_A each access_record, its respective permissions in the database relating to socket_entries of “socket-proxy” type and the socket_entry.
3. The method of claim 2, wherein a secure communication is established between network sockets, in which a network resource that is offered by Socket_B of a process called Process_B of Device_B is requested by a process of the operating system of Device_A and whose resource is accessible through a reverse socket-proxy further comprising:
i.	requesting the proxy-firewall server through a system call for a resolution of a protected socket and the alias Socket_B to obtain a local reverse socket-proxy by which Socket_B can be accessed;
ii.	requesting communication between the connection-broker and the proxy-firewall server for checking for any access permission that enables access to the reverse socket-proxy, the reverse socket-proxy resolution and an access to the reverse socket-proxy called access_record;
iii. checking by the connection-broker in the database the existence of a permission_AU and performing a resolution of the reverse socket-proxy;
iv.	 generating the access_record, if it does not exist in the database, in which it is assigned by the connection-broker a communication access identifier to the reverse socket-proxy called con_Id;
v.	storing or updating in the database by the connection-broker the generated access_record, which comprises: the con_Id related to a granted access; the socket to which the access is granted and which is formed by the local network address and a port; a id_User that stores a user identification of the operating system of Device_A; and a last_activity that saves the time at which the access has been granted that will be updated by an access monitor reflecting its status of activity;
vi. enabling a priority specific rule overriding the general packet marking rules of the operating system of Device_A with the proxy-firewall server, which determines that all local communications packets between a user_A running a process and the reverse socket proxy are given an assigned access identifier con_Id defined in the access_record corresponding to the reverse socket-proxy and the user_A;
vii. communicating by the proxy-firewall server with [[an]] the access monitor which checks whether there is traffic for access to the reverse socket-proxy periodically and updates the last_activity; and
viii. proceeding with the communication between the process and Socket_B which offers a resource through the reverse socket-proxy deployed in Device_A.
4. (Currently Amended)  The method of claim 2, wherein a Process_A of [[the]] a user_A in Device_A requests a direct proxy into Device_A of at least one protected socket of a foreign device called Device_AF, further comprising:
i.	requesting the proxy-firewall server by Process_A direct proxies to be performed;
ii.	requesting that the connection-broker by way of the proxy-firewall server reserve unused local sockets for use as direct socket-proxies, once the protected sockets of Device_AF are resolved, which is required to be direct proxied by means of an Agent_A;
iii. recording into the database, by the connection-broker, permissions_AU and pertinent access_records that allow the user_A to access the direct socket-proxies;
iv. recording into the database each socket_entry generated by each socket allocated to become a direct proxy, which comprises: the id_DispSocket that saves the ID of Device_AF; the id_DispProxy that saves the ID of Device_AF; the alias that saves the alias of the socket which Process_A wants to make proxy; the socket that saves the free local socket that is allocated to perform each direct proxy and has a network address value belonging to the pool of reserved local network addresses of Device_A; and the socket_type, which in this case is socket_proxy;
v.	requesting that Agent_A establishes a communications session with Device_AF using access credentials of Device_AF of the user_A provided by the proxy-firewall server, the session through which resolution of the protected sockets of Device_AF is made to be directly-proxied into Device_A; 
vi. requesting that Device_AF through the session for the resolution and establishment of the accesses for the protected sockets required by Device_AF indicated in the request;
vii. establishing by way of the proxy-firewall server a marking rule corresponding to each permission_AU by means of the network-framework enabling the user_A to access the direct sockets;
viii. requesting the establishment of each direct proxy in Device_A towards each corresponding protected socket of Device_AF, as required by Process_A;
ix. answering the Process_A by the proxy-firewall server with the resolution of the requested sockets; and
x.	communicating [[with]] by the proxy-firewall server with an access monitor that periodically updates the last_activity of each access_record inserted into the database.
[[xi.]]	

5. (Currently Amended) The method of claim 2, wherein a number of protected sockets of Device_A are in turn securely direct-proxied towards Device_AF by an agent of Device_AF referred to as Agent_AF, using configuration data and credentials of a user account called user_AAF, defined by a configuration profile of Device_A called a Profile_UAAF, enabling said agent_AF to be connected to the user’s account user_AAF, further comprising:
i.	establishing a secure session between Agent_AF and the proxy-firewall server of Device_A by the initiative of Agent_AF;
ii.	requesting the establishment of the session with a resolution of each protected socket of Device_A that is required by Agent_AF;
iii. providing a fork of the proxy-firewall server in the user_AAF account referred to as fork_AAF;
iv.	 requesting that the connection-broker by the fork_AAF for a resolution of the protected sockets using the alias and each Socket_A, and the alias of each socket_B is indicated by the Agent_AF;
v.	verifying by the connection-broker of Device_A the existence of sufficient permissions for the user_AAF in the database to be able to access the protected sockets;
vi. requesting the connection-broker by the fork_AAF for communication access to each protected socket for the account of the user_AAF of the operating system of Device_A for the protected sockets required by the Agent_AF to which the user_AAF lacks access;
vii. recording each access_record of each access granted into the connection-broker database;
viii. establishing regarding the fork_AAF [[the]] a marking rule for each access_record through the network-framework of the operating system of Device_A which allows the user_AAF to access each protected socket;
ix. responding to Agent_AF with the value of each protected socket required to allow Agent_AF to perform the direct proxies; and
x.	providing an access monitor by the fork_AAF to periodically update the last_activity value of each access_record inserted into the database.

6. (Currently Amended) The method of claim [[2]] 4, wherein at least one protected socket of Device_A is reverse-proxied into Device_AF by a request of Process_A of the user_A of Device_A through Agent_A, further comprising:
i.	requesting by part of Process_A to the proxy-firewall server [[the]] a realization of a reverse proxy of protected local sockets to which access is feasible;
ii.	requesting the connection-broker the resolution of the local sockets required in the proxy requested by Process_A;
iii. checking by the connection-broker if the user_A is provided with [[the]] necessary permissions to access the protected local sockets required in a proxy request;
iv.	inserting into the database by instances of the connection-broker access registers to the protected sockets for the account of the user_A;
v.	recording communication access in the connection-broker database as registration_accesses;
vi. establishing by instances of the proxy-firewall server [[the]] a marking rule 
vii. requesting Agent_A by the proxy-firewall server to establish a communication session with Device_AF using access credentials to Device_AF of Process_A provided by the proxy-firewall server;
viii. requesting by Agent_A in the establishment of the session a reservation of a socket protected of Device_AF for each socket to be proxified towards that device;
ix. providing by the proxy-firewall server an access monitor for periodically updating the last_activity value of user access_records_A; and
x.	sending to Device_AF by Agent_A a request for the establishment of the reverse proxies.

7. (Currently Amended) The method of claim [[2]] 4, wherein at least one protected socket of Device_AF is made proxy in reverse form towards Device_A by [[the]] an action of an agent Agent_AF using configuration data and credentials of an account user_AAF, defined by a Profile_UAAF, which allows connecting to the account AF of Device_A, further comprising:
i.	establishing a secure session between Agent_AF and the proxy-firewall server of Device_A by Agent_AF;
ii.	requesting during the establishment of the session [[the]] a reservation of local protected sockets of Device_A for the deployment of reverse proxies in Device_A of the sockets of Device_AF;
iii. providing a fork_AAF from the proxy-firewall server in the  user_AAF;
iv.	requesting the connection-broker via the fork_AAF for a reservation of unused local sockets to be used as reverse sockets_proxies indicated in the received request;
v.	recording into the database by the connection-broker the socket_entries and the access_records related to the reserved sockets for each reverse proxy;
vi. adding by the connection-broker a permission_AU into the database for each socket reserved for the User_AAF;
vii. inserting via the fork_AAF a marking rule for each permission_Au through the network framework;
viii. providing via the fork_AAF an access monitor for maintaining active accesses related to the reverse proxy; and
ix. establishing the reverse proxies via the fork_AAF, using the reserved sockets.

8. (Currently Amended) The method of claim [[2]] 3, further comprising updating the last_activity in each access_record involved in the method in different scenarios, wherein the last_activity of the access_record is updated by the proxy-firewall server whenever there is traffic from the account of the user_A to the socket-proxy; and wherein a last_activity of each access_record is updated by the proxy-firewall server whenever the process that requested the proxy that caused [[the]] a creation of [[each]] the access_record in the database is maintained in execution.

9. (Currently Amended) The method of claim 2, wherein a process called Process_C of a device called Device_C addresses a secure request for the resource offered by Socket_B of Device_B through a proxy executed by [[the]] a user_A, further comprising:
i.	using network subdomains of a main domain of a proxy as parameters of a request that requires the proxy to be able to address the resolution of the protected socket with [[the]] support of the connection-broker;
ii.	configuring a wildcard X.509 certificate to provide security to the subdomains of the proxy;
iii. receiving credentials of Process_C as headers of a request enabling the proxy to verify an identity of Process_C and checking whether it has [[the]] a permission_AU required to process the request;
iv.	 establishing a secure communication between Process_C and the proxy by using a secure communication protocol usable by Process_C and the proxy;
v.	deleting the headers of the request; and
vi. establishing a communication between the proxy and the protected socket leading to Socket_B.

10. (Currently Amended) The method of claim 8, wherein access for communication related to the access_record is closed when inactivity exceeds a threshold, further comprising:
i. eliminating [[the]] a marking rule of the operating system of Device_A related to the access_record;
ii.	removing the access_record from the database of the connection-broker of Device_A; and
iii. eliminating the permission_AU related to the access_record if it is related to the direct socket-proxy. 

11. (Currently Amended) The method of claim 3 wherein [[the]] security in communications between a stand-alone proxy client and a stand-alone proxy server is updated, further comprising:
i.	requesting via a communication session established between Agent_B and the proxy-firewall server the initiation of a process of updating the proxy client of Agent_B via the proxy-firewall server;
ii.	receiving by Agent_B a new version of the proxy client and updating Profile_BA; 
iii. testing by Agent_B the new version of the proxy client with the updated Profile_BA to establish a new communication session; and
iv. in the event of correctly setting the new communication session, eliminating a previous version of the proxy client and replacing it with the new version.

12. (Currently Amended) A system for securely communicating with network sockets comprising:
i.	a proxy-firewall server housed in a Device_A, which is configured to: receive session setup requests from other devices via a secure protocol through a stand-alone proxy server, configure strict and wide security contexts through system calls to a network-framework of an operating system of Device_A,  process proxies or socket-proxy requests via established sessions or system calls to local processes, monitor access to local sockets by access monitors, manage security updates of the devices with which a connection is maintained, and establish through the system calls to the network framework a protection of the local sockets used in the proxies of Device_A;
ii.	a type of configuration profile of the proxy-firewall server to define aspects related to operation of the proxy-firewall server and a connection-broker so-called Profile_A;
iii. a software module that functions as a proxy-firewall server, configured to: initiate the session setup requests to the proxy-firewall server through a software module called stand-alone proxy client and implementing a secure protocol; establish direct and reverse socket-proxies; and establish protection of the local sockets; 
iv.	a type of agent configuration profile referred to as Profile_BA if the profile is used to configure [[the]] a session that [[the]] an agent of Device_B establishes on Device_A, or Profile_UAAF if the profile is used to configure [[the]] a session that [[the]] an agent of Device_A is performed with Device_AF via user_A;
v.	an access monitor used to maintain a record and control over the proxies established and access in Device_A;
vi. a socket_entry that comprises: a socket that stores a protected socket [[to]] which the socket_entry comprises at least one of Socket_B if [[the]] a socket to be registered is a socket-proxy offering a resource of Device_B,  Socket_A if [[the]] a socket to be registered offers a resource of a process of Device_A and is not a result of any type of proxy, and a socket-proxy;  an alias that stores [[the]] an alias of the protected socket, which comprises at least one of alias_A and alias_B; a id_DispSocket that stores identification of [[the]] a device having the protected local socket and comprises at least one of id_B, id_AF, and id_A; a id_DisProxy that identifies [[the]] a identification of [[the]] a device to which the protected socket leads; and a socket_type that determines a type of protected socket to which a record refers comprising Socket_A, Socket_B and socket-proxy;
vii. an access_record of a user of the operating system of Device_A generated for each access granted to a direct or reverse socket-proxy type of protected socket, which comprises: a con_Id that stores an access identifier for communicating to the socket-proxy of a user_A, a socket that stores the protected socket formed by a local network address and a port to which access is granted and, a id_User that stores an identifier of the user_A of a process source of a communication request to which it has been granted access, and a last_activity that stores time at which access has been granted and is updated by the access monitor reflecting status of activity;
viii. an access_record_A for a group of users of the operating system of Device_A generated by each access granted to a protected socket of Socket_A type, which comprises: a con_Id that stores an identifier, a socket that stores Socket_A, and an id_Group that stores a user group identification of the operating system of Device_A corresponding to user_A of the process source of the communication request to which the access has been granted;
ix. a permission_AU for defining a strict security context by granting the user_A of Device_A [[the]] a possibility of accessing a protected socket of a direct or reverse socket-proxy type, which comprises: an id_User that stores the user identification of the user_A of the operating system of Device_A, an alias that stores the alias of the protected socket of another device which is provided as the socket-proxy in Device_A, and an id_DispSocket that stores the identification of the device with Socket_B or Socket_A related to the alias of the socket offering the resource through the socket-proxy;
x.	a permission_AG that defines a wide security context by granting access possibility of a group of users of Device_A to the Socket_A comprising: an id_Group that stores the identification of the group of users of the operating system of Device_A, an alias that stores the alias of Socket_A, and a socket that stores a value of the Socket_A;
xi. a connection-broker used to maintain a record and control in Device_A over the proxies made and access to the proxies and being entitled to close such access if considered inactive;
xii. a pool of local addresses of Device_A specifically reserved for this system that is protected during a booting sequence of the operating system of Device_A by the network-framework and the proxy-firewall server, with a general packet marking rule that determines [[the]] a suppression of any a discarding of any packet lacking a marking with origination and destination a local socket of Device_A, provided that any of the involved sockets use a local network address belonging to the pool of reserved local addresses, and a general packet filtering rule that determines [[the]] a discarding of any packet with source or destination a local address of the pool of local addresses reserved for this system that has as a source or destination a non-local address;
xiii.	a strict security context specified by a network framework configuration that performs a marking on traffic packets using the con_Id in the access_record related to a destination protected socket in Device_A, a user source of the communication from Device_A and the permission_AU enabling the access_record;
xiv.	a wide security context specified by the network framework configuration that performs the marking on the traffic packets using the con_Id in the access_record related to the protected socket destination of Device_A, a group of the originating users of the communication from Device_A and the permission_AG enabling such an access; and
xv. a connection-broker database configured to store different types of records comprising: socket_entry, register_record, access_record_A, permission_AU and permission_AG.

13. The system of claim 12, wherein the devices use a POSIX-type operating system, further employing a proxy client and a stand-alone proxy server based on a secure protocol SSH and where the network-framework performs packet marking and filtering using a TOS field of an IP protocol.

14. (Currently Amended)  The system of claim 12, wherein Device_B comprises a proxy-firewall server that extends control provided by Device_A proxy server to Device_B to facilitate development of services involving system calls.

15. (Currently Amended)  The system of claim 12, wherein [[the]] a Socket_B of Device_B offers a resource using a HTTP protocol and Device_A uses an HTTPS-HTTP proxy type software module to accept and process external communication requests towards the protected socket addressed in HTTPS, further comprising:
i.	a configuration of a wildcard SSL certificate for protecting a main domain of the HTTPS HTTP proxy of Device_A with all subdomains;
ii.	a configuration of a web server in Device_A to redirect communication requests for the Socket_B resource 
iii. a 
 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285.  The examiner can normally be reached on Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434