DETAILED ACTION
This Office Action is in response to application 16/479,196 filed on July 18, 2019.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-16 are pending and herein considered.

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 07/18/2019 and 10/09/2020 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-7 and 9-15 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 4-5, 7-8, 10-12, 15-16, 18-19 and 21-22 of U.S. Patent No. 10,798,560 in view of Suhonen et al. (Suhonen) 2005/0060328.


Instant Application 16/479,196 (claims under examination; bracketed [[ ]] limitations are those not recited in the reference claims):

1. A method for determining a path of data traffic based on a destination Internet Protocol (IP) address, the destination IP address being either private or public and belonging to any one of multiple organizations, the method comprising:
[[activating, at a telecommunication endpoint, a VPN;
interconnecting a service device on a private network with a VPN gateway, in response to activating the VPN;]]
receiving, at a managed service platform, a subscriber identifier associated with the telecommunication endpoint and the destination IP address of one of the multiple organizations;
if both the subscriber identifier and the destination IP address of the one of the multiple organizations are not registered in a predetermined policy database: a) at the telecommunication endpoint, prompting a subscriber identified by the subscriber identifier to register the subscriber identifier associated with the telecommunication endpoint, and
if the subscriber identifier and the destination IP address of the one of the multiple organizations are registered in the predetermined policy database, routing, via the service device on the private network, the data traffic to a private network resource of the one of the multiple organizations matching the destination IP address; and
if the subscriber identifier is registered in the predetermined policy database and the destination IP address of the one of the multiple organizations is not registered in the predetermined policy database, routing, via the service device on the private network, the data traffic via an IP transit service to a public internet.

3. The method of claim 2, further comprising interconnecting, via the service device on the private network, directly with the wide-area network.

4. The method of claim 1, wherein the private network resource is a cloud service provider platform of the one of the multiple organizations matching the destination IP address.

5. The method of claim 4, further comprising interconnecting, via the service device on the private network, directly with the cloud service provider platform.

7. The method of claim 1, wherein if the destination IP address is registered, further comprising blocking data traffic from a predetermined type of website or web service, routed to the destination IP address.

9. A system for determining a path of data traffic based on a destination Internet Protocol (IP) address, the destination IP address being either private or public and belonging to any one of multiple organizations, the system comprising:
a telecommunication endpoint;
a managed service platform configured to:
(a) receive a subscriber identifier associated with the telecommunication endpoint and the
(b) if both the subscriber identifier and the destination IP address of the one of the multiple organizations are not registered in a predetermined policy database, perform actions of:
(i) at the telecommunication endpoint, prompting a subscriber identified by the subscriber identifier to register the subscriber identifier associated with the telecommunication endpoint, and
(ii) registering the subscriber identifier in the predetermined policy database, based on information received from the telecommunication endpoint in response to the prompting;
a service device on a private network configured to:
(a) if the subscriber identifier and the destination IP address of the one of the organizations are registered in the predetermined policy database, route the data traffic to a private network
(b) if the subscriber identifier is registered in the predetermined policy database and the destination IP address of the organization is not registered in the predetermined policy database, route the data traffic via an IP transit service to a public internet; and
[[a VPN gateway configured to interconnect with the service device on the private network, in response to activating a VPN at the telecommunication endpoint]].

10. The system of claim 9, wherein the private network resource is a wide-area network of the organization matching the destination IP address.

11. The system of claim 10, wherein the service device on the private network is further configured to interconnect directly with the wide-area network.

13. The system of claim 12, wherein the service device on the private network is further configured to interconnect directly with the cloud service provider platform.

14. The system of claim 9, wherein the service device on the private network is further configured to establish public Internet connectivity via the IP transit service.

15. The system of claim 9, wherein the service device on the private network is further configured to block data traffic from a predetermined type of website or web service, based on the destination IP address.

U.S. Patent No. 10,798,560 (reference claims):

receiving, at a managed service platform, a subscribed device identifier and the destination IP address of one of the multiple organizations; if both the subscribed device identifier and the destination IP address of the one of the multiple organizations are not registered in a predetermined policy database: a) prompting a subscriber or an owner of the subscribed device, at a telecommunications endpoint associated with the subscribed device identifier, to register the endpoint, and b) registering the subscribed device identifier in the predetermined policy
if the subscribed device identifier and the destination IP address of the one of the multiple organizations are registered in the predetermined policy database, routing, via a service device of the managed service platform on a private network, the data traffic to a private network resource of the one of the multiple organizations; and
if the subscribed device identifier is registered in the policy database and the destination IP address of the one of the multiple organizations is not registered in the predetermined policy database, routing, via the service device of the managed service platform on the private network, the data traffic via an IP transit service to a public internet.

5. The method of claim 3, further comprising interconnecting, via the service device of the managed service platform on the private network, directly with the wide-area network.

7. The method of claim 1, wherein the private network resource is a cloud service provider platform of the organization matching the destination IP address.

8. The method of claim 5, further comprising interconnecting, via the service device of the managed service platform on the private network, directly with the cloud service provider platform.

11. The method of claim 1, wherein if the destination IP address is registered, further comprising blocking data traffic from a predetermined type of website or web service, routed to the destination IP address.

12. A system for determining a path of data traffic based on a destination IP address, the destination IP address being either private or public and belonging to any one of multiple organizations, the system comprising: (I) a managed service platform configured to:
(a) receive a subscribed device identifier and the destination IP address of one of the multiple organizations, and (b) if both the subscribed

15. The system of claim 12, wherein the private network resource is a wide-area network of the organization matching the destination IP address.

16. The system of claim 15, wherein the service device on the private network is further configured to interconnect directly with the wide-area network.

19. The system of claim 18, wherein the service device on the private network is further configured to interconnect directly with the cloud service provider platform.

21. The system of claim 12, wherein the service device on the private network is further configured to establish public Internet connectivity via the IP transit service.

22. The system of claim 12, wherein the service device on the private network is further configured to block data traffic from a predetermined type of website or web service routed to the destination IP address if the destination IP address is registered.

Patent 10,798,560 (herein 560) does not disclose, but Suhonen does disclose, activating, at a telecommunication endpoint, a VPN, and interconnecting a service device on a private network with a VPN gateway in response to activating the VPN (para. [0011]: a virtual private network (VPN) gateway server (10) providing rules for wireless access over a secure tunnel connection to a corporate network (20), the method including: configuring a user database (15, 25) of the server to provide user specific rules for the access over the secure tunnel connection, the configuring including associating different specific users with respective sets of allowed TCP server ports; authenticating a user connecting to the secure tunnel connection; and limiting the authenticated user's access to the corporate network (20) by forwarding only user data received in the secure tunnel that has as destination a port that is included in the set of allowed TCP server ports associated with the user in the user database (15, 25); para. [0016]: a user's access to the corporate network involves two separated TCP sessions, one VPN tunnel in the form of an encrypted connection between the user's wireless client terminal and the gateway server, and one session between the gateway server and a back-end server of the corporate network; in the latter TCP session, the gateway server acts as a client against a server socket defined by an allowed TCP server port).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of 560 to provide activating, at a telecommunication endpoint, a VPN, and interconnecting a service device on a private network with a VPN gateway in response to activating the VPN, as taught by Suhonen, in order to control to what extent

Regarding claim 9: claim 9 is rejected with a similar rationale as claim 1, above.
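The three-branch routing decision recited in claim 1 (both identifiers registered, subscriber only, neither registered), as an added Python example that is not code from the application or from the 560 patent; the PolicyDatabase class, the organization name, the subscriber identifiers and the address prefixes are constructed for illustration, and the fail-closed handling of the case claim 1 does not recite is this example's assumption.

```python
"""Added example, not code from the application or the cited patents: a
runnable model of the claim 1 routing decision. All values are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class PolicyDatabase:
    """The claims' 'predetermined policy database': registered subscriber
    identifiers plus the prefixes each organization has registered."""
    subscribers: set = field(default_factory=set)
    org_prefixes: dict = field(default_factory=dict)  # org -> [ip_network]

    def register_subscriber(self, subscriber_id):
        self.subscribers.add(subscriber_id)

    def org_for(self, dest_ip):
        """Longest-prefix match of the (private or public) destination IP
        against registered prefixes; None when no organization owns it."""
        addr, best = ip_address(dest_ip), None
        for org, nets in self.org_prefixes.items():
            for net in nets:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (org, net)
        return best[0] if best else None

def route(policy, subscriber_id, dest_ip, on_prompt=None):
    """Claim 1 decision; returns (action, detail). on_prompt(subscriber_id)
    models prompting the endpoint and returns the identifier to register."""
    sub_ok = subscriber_id in policy.subscribers
    org = policy.org_for(dest_ip)
    if not sub_ok and org is None:                # neither registered
        if on_prompt is not None:
            policy.register_subscriber(on_prompt(subscriber_id))
        return ("prompt_and_register", subscriber_id)
    if sub_ok and org is not None:                # both registered
        return ("private_network_resource", org)  # via the service device
    if sub_ok:                                    # subscriber only
        return ("ip_transit_to_public_internet", None)
    # Subscriber unregistered but destination registered: claim 1 is silent;
    # failing closed here is this example's assumption, not the claim's.
    return ("deny", None)

def build_sample_policy():
    """Constructed sample: one subscriber; one organization with a private
    (RFC 1918) prefix and a public (documentation-range) prefix."""
    db = PolicyDatabase()
    db.register_subscriber("sub-0001")
    db.org_prefixes["org-alpha"] = [ip_network("10.10.0.0/16"),
                                    ip_network("203.0.113.0/24")]
    return db
```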

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10,798,560 in view of Suhonen et al. (Suhonen) U.S. Pub. No. 2005/0060328 and further in view of Wei et al. (Wei) U.S. Patent No. 8,895,766.
Regarding claim 8: the combination of 560 and Suhonen does not disclose, but Wei does disclose, the method of claim 1, further comprising detecting, at the telecommunication endpoint, an untrusted connection with an access network, wherein the activating of the VPN is in response to detecting the untrusted connection (col. 4, lines 12-40: the gateway system 211 may also communicate with the cloud security server 214 through a GRE tunnel or by using some other communication protocol. In one embodiment, the gateway system 211 redirects network traffic to the cloud security server 214 based on the application that originated the network traffic. As a particular example, the gateway system 211 may be configured to redirect network traffic of some applications to the cloud security server 214 by way of the VPN tunnel (see arrow 202). For other applications, the gateway system 211 may be configured to bypass in-the-cloud scanning and send the other applications' network traffic directly to its destination (see arrow 203); col. 6, lines 5-16: a redirection policy stored in the policy repository 320 may indicate that network traffic originated from trusted applications will not be redirected to the cloud security server 214, while network traffic from unknown, suspicious or vulnerable applications will be redirected to the cloud security server 214 for scanning).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of 560, in view of Suhonen, to provide detecting, at the telecommunication endpoint, an untrusted connection with an access network, wherein the activating of the VPN is in response to detecting the untrusted connection, as taught by Wei. The motivation is to decrease demand for bandwidth and computation resources: for example, network traffic originated from trusted applications is not redirected to the cloud security server, while network traffic from unknown, suspicious or vulnerable applications is redirected to the cloud security server for scanning.

Regarding claim 16: claim 16 is rejected with a similar rationale as claim 8, above.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VU V TRAN whose telephone number is (571) 270-1708. The examiner can normally be reached on M-F, 8 AM - 4 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok Patel, can be reached at 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/VU V TRAN/Examiner, Art Unit 2491