Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
             DETAILED ACTION
This office action is in response to the communication filed on 11/14/2018. Claims 1-20 are pending in the application. Claims 1-20 have been rejected. 
    Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/25/2019 and 02/26/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
      				 Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.


Claims 1-4, 6-7, 11-14 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over US 2015/0319174 A1 (hereinafter Hayton et al)
Regarding claim 1, Hayton et al teaches a method of authenticating users to a hybrid-cloud service  (note para. [0021], [0053]-[0054], [0060]; authenticating and authorizing a client to in enterprise systems via direct or indirect connections, which may include public and private (enterprise) networks (e.g. "hybrid-cloud services”)) the method comprising:
operating a set of local agents on respective computing machines connected to a private intranet, the private intranet connected to a public network via a gateway, the gateway configured to block incoming connection requests arriving over the public network and directed to any of the set of local agents (note para. [0062]-[0063]: client agent and the gateway services; gateway acts as a firewall sentinel to a virtual private network of an enterprise system ("intranet'); also see para. [0043], [0053], [0060], [0100]-[0102]); and
in response to (i) receipt from a first client device of a first resource request for accessing a cloud resource of the hybrid-cloud service and (ii) a reachable agent of the set of agents then receiving an incoming connection request from the first client device (note para. [0095]-[0101 ], [0107]-[0112]; a client device attempting to access an enterprise system resource using a secured and/or unsecure application, 
transmitting a silent authentication factor to the first client device, the silent authentication factor providing an indication that that first client device that satisfies enterprise authorization requirements  "silent authentication factor" is disclosed by reference to the "authentication information", such as an (access) token or a cookie, transmitted to the client;  According to paragraph [0100], the authorization information, such as the access token, may be required by the enterprise system before access to a requested enterprise resource is granted to the client, and is indicative that the enterprise's authorization requirements are satisfied);
receiving a first authentication request from the first client device, the first authentication request specifying a first set of authentication factors which includes the silent authentication factor (note para. [0099]-[0100]: Disclosed by reference to the  client device submitting the token along with the request, thereby satisfying, by proving that the client already has to the token, that it satisfied the enterprise's authorization requirement for access to an enterprise resource); and 
performing a first authentication operation on the first authentication request (note para. [0099]-[0102])
Hayton et al , and is submitted by the client seeking access to an enterprise resource is indicative of the requesting client satisfying enterprise authorization requirements, rather than being indicative that the client device "is connected to the private intranet".
However, examiner takes an official notice on that at the time of effective filing data of the claimed invention, features such as selectively allowing particular client device connected to a private intranet to access resources upon authentication was well-known in the art. Only allowing certain client devices but not others to access enterprise services (through utilization of a private  intranet access policy), constitutes a variant in authorization policy that can easily substitute Hayton et al’s enterprise authentication system to selectively authorize its private/ sensitive resources to only particular clients.
Regarding claim 2, Hayton et al teaches the method of claim 1, further comprising, in response to (i) receipt from a second client device of a second resource request for accessing the cloud resource (note para.  [0100]-[0107]) and (ii) no agent of the set of agents then receiving any incoming connection request from the second client device (note para. [0100]-[0102], [0128]: in some embodiments, client request sent directly  to gateway without any agent intervention; In these situations, if client device 302 request services corresponding to a token that gateway 360 previously obtained, then gateway 360 may not need to perform some or all of the negotiation steps described above),

performing a second authentication operation on the second authentication request using the second set of authentication factors.
Hayton et al fails to teach expressly the second set of authentication factors including no silent authentication factor that indicates that the second client device is connected to the private intranet.
However, examiner takes an official notice on that at the time of effective filing data of the claimed invention, features such as the second set of authentication factors including no silent authentication factor that indicates that the second client device is connected to the private intranet was well-known in the art.  Therefore, at the time of filing of the claimed invention, it would have been obvious to ordinary skill in the art to modify Hayton et al’s enterprise authentication system to utilize other types of authentication factors/ requests parameters not including any silent authenticator or credentials (especially in the case, where client is already/ previously authenticated or failed to be authenticated) for accessing/ connecting to a private intranet.
Regarding claim 3, Hayton et al teaches the method of claim 2, further comprising blocking, by the gateway, an inbound connection request issued by the 
Regarding claim 4, Hayton et al teaches the method of claim 2, further comprising generating the silent authentication factor by a cloud-based server, wherein transmitting the silent authentication factor to the first client device includes sending the silent authentication factor over the public network (note para. [0052]-[0053], [0056], [0100])
Regarding claim 6, Hayton et al  teaches the method of claim 4, wherein the second set of authentication factors includes an additional authentication factor that is not one of the first set of authentication factors (note para. [0100]-[0107]: a client being denied access to an enterprise resource for failing to present the token or authorization information along with the request to access an enterprise resource, may be asked to obtain and provide other credentials)
Regarding claim 7, Hayton et al  teaches the method of claim 6, wherein the additional authentication factor requires a user of the second client device to perform a manual operation that is not required of a user of the first client device when providing the first authentication request (note para. [0100]-[0107]: a client being denied access to an enterprise resource for failing to present the token or authorization information along with the request to access an enterprise resource, may be asked to obtain and provide other credentials; also see para. [0113]: client might be asked for additional information before authentication)
Regarding claim 11, Hayton et al teaches an electronic system configured to operate as part of a hybrid-cloud service (note para. [0021], [0053]: authenticating and authorizing a client to in enterprise systems via direct or indirect connections, which may include public and private (enterprise) networks (e.g. "hybrid-cloud services”)) and comprising control circuitry that includes a set of processors coupled to memory (note figure 1.103: memory, 1.111: processor), the control circuitry constructed and arranged to:
("intranet'); also see para. [0043], [0053], [0060], [0100]-[0102]); and
in response to (i) receipt from a first client device of a first resource request for accessing a cloud resource of the hybrid-cloud service and (ii) a reachable agent of the set of agents then receiving an incoming connection request from the first client device (note para. [0095]-[0101 ], [0107]-[0112]; a client device attempting to access an enterprise system resource using a secured and/or unsecure application, via a gateway; also see para. [0060]-[0063]: an enrolled client device (e.g., mobile device) with a client agent, which interacts with gateway server (which includes Access  Gateway and application controller functionality) to access various enterprise resources),
transmit a silent authentication factor to the first client device, the silent authentication factor providing an indication that that first client device is "silent authentication factor" is disclosed by reference to the "authentication information", such as an (access) token or a cookie, transmitted to the client;  According to paragraph [0100], 
receive a first authentication request from the first client device, the first authentication request specifying a first set of authentication factors which includes the silent authentication factor (note para. [0099]-[0100]: Disclosed by reference to the  client device submitting the token along with the request, thereby satisfying, by proving that the client already has to the token, that it satisfied the enterprise's authorization requirement for access to an enterprise resource), and
perform a first authentication operation on the first authentication request (note para. [0099]-[0102])
Although "authorization information" or "token" taught by Hayton et al , and is submitted by the client seeking access to an enterprise resource is indicative of the requesting client satisfying enterprise authorization requirements, rather than being indicative that the client device "is connected to the private intranet".
However, examiner takes an official notice on that at the time of effective filing data of the claimed invention, features such as selectively allowing particular client device connected to a private intranet to access resources upon authentication was well-known in the art. Only allowing certain client devices but not others to access enterprise services (through utilization of a private  intranet access policy), constitutes a variant in authorization policy that can easily substitute Hayton et al’s enterprise authentication system to selectively authorize its private/ sensitive resources to only particular clients.
Regarding claim 12, Hayton et al teaches a  computer program product including a set of non-transitory, computer-readable media having instructions (note para. [0030], [0094]) which, when executed by control circuitry of an electronic system, cause the electronic system to perform a method of authenticating users to a hybrid-cloud service (note para. [0021], [0053]: authenticating and authorizing a client to in enterprise systems via direct or indirect connections, which may include public and private (enterprise) networks (e.g. "hybrid-cloud services”)), the method comprising:
operate a set of local agents on respective computing machines connected to a private intranet, the private intranet connected to a public network via a gateway, the gateway configured to block incoming connection requests arriving over the public network and directed to any of the set of local agents (note para. [0062]-[0063]: client agent and the gateway services; gateway acts as a firewall sentinel to a virtual private network of an enterprise system ("intranet'); also see para. [0043], [0053], [0060], [0100]-[0102]); and
in response to (i) receipt from a first client device of a first resource request for accessing a cloud resource of the hybrid-cloud service and (ii) a reachable agent of the set of agents then receiving an incoming connection request from the first client device (note para. [0095]-[0101 ], [0107]-[0112]; a client device attempting to access an enterprise system resource using a secured and/or unsecure application, 
transmit a silent authentication factor to the first client device, the silent authentication factor providing an indication that that first client device is "silent authentication factor" is disclosed by reference to the "authentication information", such as an (access) token or a cookie, transmitted to the client;  According to paragraph [0100], the authorization information, such as the access token, may be required by the enterprise system before access to a requested enterprise resource is granted to the client, and is indicative that the enterprise's authorization requirements are satisfied),
receive a first authentication request from the first client device, the first authentication request specifying a first set of authentication factors which includes the silent authentication factor (note para. [0099]-[0100]: Disclosed by reference to the  client device submitting the token along with the request, thereby satisfying, by proving that the client already has to the token, that it satisfied the enterprise's authorization requirement for access to an enterprise resource), and
perform a first authentication operation on the first authentication request (note para. [0099]-[0102])
Hayton et al , and is submitted by the client seeking access to an enterprise resource is indicative of the requesting client satisfying enterprise authorization requirements, rather than being indicative that the client device "is connected to the private intranet".
However, examiner takes an official notice on that at the time of effective filing data of the claimed invention, features such as selectively allowing particular client device connected to a private intranet to access resources upon authentication was well-known in the art. Only allowing certain client devices but not others to access enterprise services (through utilization of a private  intranet access policy), constitutes a variant in authorization policy that can easily substitute Hayton et al’s enterprise authentication system to selectively authorize its private/ sensitive resources to only particular clients.
Regarding claim 13, Hayton et al teaches the computer program product of claim 12, wherein the method further comprises, in response to (i)  receipt from a second client device of a second resource request for accessing the cloud resource (note para.  [0100]-[0107]) and (ii) no agent of the set of agents then receiving any incoming connection request from the second client device (note para. [0100]-[0102], [0128]: in some embodiments, client request sent directly  to gateway without any agent intervention; In these situations, if client device 302 request services corresponding to a token that gateway 360 previously obtained, then gateway 360 may not need to perform some or all of the negotiation steps described above),

performing a second authentication operation on the second authentication request using the second set of authentication factors.
Hayton et al fails to teach expressly the second set of authentication factors including no silent authentication factor that indicates that the second client device is connected to the private intranet.
However, examiner takes an official notice on that at the time of effective filing data of the claimed invention, features such as the second set of authentication factors including no silent authentication factor that indicates that the second client device is connected to the private intranet was well-known in the art.  Therefore, at the time of filing of the claimed invention, it would have been obvious to ordinary skill in the art to modify Hayton et al’s enterprise authentication system to utilize other types of authentication factors/ requests parameters not including any silent authenticator or credentials (especially in the case, where client is already/ previously authenticated or failed to be authenticated) for accessing/ connecting to a private intranet.
Regarding claim 14, Hayton et al teaches the computer program product of claim 13, wherein the method further comprises generating the silent 
Regarding claim 16, Hayton et al  teaches the computer program product of claim 14, wherein the second set of authentication factors includes an additional authentication factor that is not one of the first set of authentication factors (note para. [0100]-[0107]: a client being denied access to an enterprise resource for failing to present the token or authorization information along with the request to access an enterprise resource, may be asked to obtain and provide other credentials)
Regarding claim 17, Hayton et al  teaches the computer program product of claim 16, wherein the additional authentication factor requires a user of the second client device to perform a manual operation that is not required of a user of the first client device when providing the first authentication request (note para. [0100]-[0107]: a client being denied access to an enterprise resource for failing to present the token or authorization information along with the request to access an enterprise resource, may be asked to obtain and provide other credentials; also see para. [0113]: client might be asked for additional information before authentication)


Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over US 2015/0319174 A1 (hereinafter Hayton et al) in view of US 2015/0180868 A1 (hereinafter Sng)
Regarding claims 5 and 15, Hayton et al teaches the method/ computer program product of claim 4, wherein generating the silent authentication factor includes creating a "silent authentication factor" is disclosed by Hayton et al reference to the "authentication information", such as an (access) token or a cookie; also note expiration of cookie/ credential after session ends)
Hayton et al  fails to teach expressly teaches creating a one-time token (OTT), the OTT expiring after being used in a single authentication request.
 However, Sng teaches creating a one-time token (OTT), the OTT expiring after being used in a single authentication request (note para. [0022], [0032]-[0033]: single use token, and associated expiration time)
Sng and  Hayton et al are analogous art because they are from the same field of endeavor of   authenticating client devices for preventing unauthorized access to resources in distributed network. Therefore, at the time of effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Hayton et al method to further include the features of creating a one-time token (OTT), the OTT expiring after being used in a single authentication request Sng since such arrangement is well-known in the art and would ensure further security of the authentication credential data.

Claims 8-10 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2015/0319174 A1 (hereinafter Hayton et al) in view of US 2014/0208393 A1 (hereinafter Yasukawa et al)
Regarding claims 8 and 18, Hayton et al fails to teach expressly the method/ computer program product, further comprising: registering each of the set of local agents with the cloud-based server, the cloud-based server storing network addresses for each of the set of local agents; and in response to receiving a discovery request from the first client device, providing an agent list of the set of local agents and their respective network addresses to the first client device.
However, Yasukawa et al teaches registering each of the set of local agents with the cloud-based server, the cloud-based server storing network addresses for each of the set of local agents (note para. [0107]); and in response to receiving a discovery request from the first client device, providing an agent list of the set of local agents and their respective network addresses to the first client device (note para. [0107]: one or more session anchor(s) in clouds which are available for a proxy agent and list of available session anchors are given to the proxy agent)
Yasukawa et al and  Hayton et al are analogous art because they are from the same field of endeavor of   dynamically authenticating client devices for accessing to resources in distributed network. Therefore, at the time of effective Hayton et al method to further include the features of in response to receiving a discovery request from the first client device, providing an agent list of the set of local agents and their respective network addresses to the first client device taught by Yasukawa et al since such arrangement would be desirable to the users  for dynamically and efficiently obtain and manage proxy/ local authentication agents information.
Regarding claims 9 and 19, Hayton et al fails to teach expressly wherein, when receiving the inbound connection request by the reachable agent, the inbound connection request is directed to one of the network addresses on the agent list.
However, Yasukawa et al teaches wherein, when receiving the inbound connection request by the reachable agent, the inbound connection request is directed to one of the network addresses on the agent list (note para. [0107]: one or more session anchor(s) in clouds which are available for a proxy agent and list of available session anchors are given to the proxy agent)
Yasukawa et al and  Hayton et al are analogous art because they are from the same field of endeavor of   dynamically authenticating client devices for accessing to resources in distributed network. Therefore, at the time of effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Hayton et al method to further include the features of wherein, when receiving the inbound connection request by the reachable agent, the inbound connection request is directed to one of the network addresses on the agent Yasukawa et al since such arrangement would be desirable to the users  for dynamically and efficiently obtain and manage proxy/ local authentication agents information.
Regarding claims 10 and 20, Hayton et al fails to teach expressly the method further comprising, in response to receiving a discovery request from the second client device, providing the agent list to the second client device.
However, Yasukawa et al teaches the method further comprising, in response to receiving a discovery request from the second client device, providing the agent list to the second client device (note para. [0032] The proxy agent  comprises an input/output section configured to receive a request to instantiate the proxy agent with address information of the identified session anchor, to send a session request to the session anchor, and to receive a session URL from the session anchor; and para. [0107]: one or more session anchor(s) in clouds which are available for a proxy agent and list of available session anchors are given to the proxy agent)
Yasukawa et al and  Hayton et al are analogous art because they are from the same field of endeavor of   dynamically authenticating client devices for accessing to resources in distributed network. Therefore, at the time of effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Hayton et al method to further include the features of in response to receiving a discovery request from the second client device, providing the agent list to the second client device taught by Yasukawa et al in order to 
            Conclusion
A shortened statutory period for response to this action is set to expire in 3 (Three) months and 0 (Zero) days from the mailing date of this letter. Failure to respond within the period for response will result in ABANDOMENT of the application (see 35 U.S.C 133, M.P.E.P 710.02(b)). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHANTO ABEDIN whose telephone number is 571-272-3551.  The examiner can normally be reached on M-F from 8:30 AM to 6:30 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jung (Jay) Kim, can be reached on 571-272-3804. The RightFax number for faxing directly to the examiner is 571-273-3551. 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http:// www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/SHANTO ABEDIN/Primary Examiner, Art Unit 2494