Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The present Office Action is responsive to communications received 7/6/2021. Claims 1-27 are pending.

Response to Arguments
Applicant’s arguments received on 7/6/2021 are respectfully considered and are addressed as follows:
Regarding the 101 rejection, the amendments overcome the rejection. The rejection is withdrawn.
Regarding the prior art rejection, the amendments overcome the present rejection. A new ground of rejection is presented based on a changed scope of the claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-23, 25 and 27 are rejected under 35 U.S.C. 103 as being unpatentable over US 9148408 to Glazemakers et al., hereinafter Glazemakers.
Regarding claim 1, Glazemakers discloses
A method of controlling application-specific access to a secure network arranged within a communication environment, the method comprising: providing access control data that identifies an authorized client application being authorized to access at least one service provided by the secure network and further identifies at least one service provided by the secure network to which service the authorized client application is authorized to access (col. 5, lines 61-67, col. 6, lines 1-6: firewall rules define application servers in private network the client can access), receiving a first request at a secure gateway device from a requesting client application external to the secure network, the first request being an access request to access to the secure network, checking, by the secure gateway device, whether the first request includes information trustworthily identifying the requesting client application, wherein when the checking indicates that the first request includes information trustworthily identifying the requesting client application, verifying, by the secure gateway device, on a basis of the access control data and the information trustworthily, whether the requesting client application is the authorized client application being authorized to access the at least one service provided by the secure network; granting, by the secure gateway device, access to the secure network in response to verifying that the requesting client application is the authorized client application (col. 11, lines 4-30: client request to setup network tunnel, client authentication is verified by gateway, obtain from the client access list rules allowing to access services or application servers); establishing a communication connection between the requesting client application and the secure gateway device via which the requesting client application informs the secure gateway device on one or more services of the secure network the requesting client application wants to access (col. 11, lines 21-30: obtain list of application servers that can be accessed); receiving, at the secure gateway device, a second request from the requesting client application to access a requested service provided by the secure network; verifying, by the secure gateway device, based on the access control data, whether the requesting client application is the client application authorized to access the requested service; and granting, by the secure gateway device, access to the requested service in response to verifying that the requesting client application is the client application authorized to access the requested service, denying, by the secure gateway device, access to the requested service, in the case the verifying whether the requesting client application is the client application authorized to access the requested service indicates that the requesting client application is not the client application authorized to access the requested service (Fig. 5, col. 11, lines 65-67, col. 12, lines 1-42: receive request to access application server, verify request against access list,  verify client authentication, access granted or denied whether requirements are met; access can be denied for instance because of blacklisted IP address (col. 6, lines 39-67)); and  maintaining the communication connection between the requesting client application and the secure gateway device (col. 12, lines 42-67: tunnel maintained open using keep alive messages and context and state information; col. 5, lines 21-31: a client may potentially access all application servers thru tunnel provided access is allowed).  Because the gateway maintaining the communication connection between the requesting client application and the secure gateway device where the client application is not authorized to access the requested service so that the requesting client application is able to transmit another second request to access another requested service provided by secure network. It would have been obvious to a skilled artisan before the instant application was effectively filed to  maintain the communication connection between the requesting client application and the secure gateway device where the client application is not authorized to access the requested service so that the requesting client application is able to transmit another second request to access another requested service provided by secure network because it would prevent the client from re-establishing connection to the gateway and would prevent computation overhead related to connection establishment, improving computing resource management.
Regarding claim 2, Glazemakers discloses the method of claim 1, wherein the secure network comprises the secure gateway device providing access to the secure network for client applications external to the secure network (Fig. 1: client 121 in network external to private network 140).
Regarding claim 3, Glazemakers discloses the method of claim 1, further comprising at least one of the following: denying, by the secure gateway device, access to the secure network, when the checking indicates that the first request does not include information trustworthily identifying the requesting client application; denying, by the secure gateway device, access to the secure network in response to verifying that 
Regarding claim 4, Glazemakers discloses the method of claim 1, wherein the communication environment includes an access control server, which maintains the access control data, and wherein the access control data is provided from the access control server to the secure gateway device (col. 10, lines 30-33: retrieve client access list from authentication server which maintains the list, and provide it to the gateway).  
Regarding claim 5, Glazemakers discloses the method of claim 1, wherein an access control server is either integrated into the secure network or external to the secure network (Fig. 1: authentication server is external to private network 140).
Regarding claim 6, Glazemakers discloses the method of claim 1, wherein the information trustworthily identifying the application is a Transport Layer Security certificate (col. 5, lines 45-50: TLS used to establish tunnel, upon successful authentication of tunnel authentication information, which is known to a person skilled in the art as a certificate for TLS).
Regarding claim 8, Glazemakers discloses the method of claim 1, wherein the at least one service provided by the secure network is hosted by at least one node in the secure network (Fig. 1, application server 141-143), and wherein the second request includes an indication of the at least one nodes hosting the requested service (col. 18: lines 22-25: URL of application server , or col. 9, lines 44-54: application server address shown in address bar or web browser).
.  Regarding claim 9, Glazemakers discloses the method of claim 1, wherein the second request includes an indication identifying a connection to the requested service (col. 9, lines 44-54: application server address shown in address bar or web browser).
Regarding claim 10, Glazemakers discloses the method of claim 1, wherein verifying that the requesting client application is the client application authorized to access the requested service comprises comparing the information trustworthily identifying the requesting client application with the access control data (col. 8, lines 8-35: access control list or client access list includes authorized domains of the client, or authorized client roles that can only access the application servers).  
Regarding claim 11, Glazemakers discloses the method of claim 1, further comprising: establishing, prior to receiving the first request, a position of trust between the application installed on the client device and the secure network yielding trustworthy identity information of the application and wherein the access control data is obtained from the trustworthy identity information (col. 7, lines 34-47: the client runnel list defines the position of trust that allow to establish a tunnel, including tunnel authentication information to authenticate the client; the client access list is obtained after establishing the tunnel (see Fig. 4) i.e. access control data is obtained from verifying the information on client tunnel list).  
Regarding claims 12-13, 22-23, 27 the claims recite substantially the same content as claim 1 and are rejected substantially using the rationales for rejecting claim 1. 
Regarding claims 14-21, the claims recite substantially the same content as claims 4-11, respectively, and are rejected substantially using the rationales for rejecting claims 4-11, respectively. 
Regarding claim 25, the claim recites substantially the same content as claim 3 and is rejected using the rationales for rejecting claim 3.


Claim 7 is rejected under 35 USC 103 as being unpatentable over Glazemakers,  in view of US 20070133763 to D’Angelo et al., hereinafter D’Angelo. 
Regarding claim 7, Glazemakers discloses the method of claim 1, but does not teach the rest of the limitation.
In an analogous art, D’Angelo discloses an access gateway (Fig. 2) receiving requests from an application, a certificate identifier is extracted from the request and a profiling database searched for a match to the certificate identifier of the application ([0123], Fig. 8). D’Angelo discloses wherein verifying that the requesting client application is the client application authorized to access the requested service comprises analyzing a public key included in the information trustworthily identifying the application (D’Angelo [0057]: extract public key from the certificate for verification in database); and further comprising at least one of: verifying that the requesting client application is the client application authorized to access the requested service comprises comparing information derived from the public key with the access control data; and analyzing the public key comprises hashing the public key and verifying that the requesting client application is the client application authorized to access the  

Claims 24 and 26 are rejected under 35 USC 103 as being unpatentable over Glazemakers, in view of US 20060090196 to Van Bemmel et al., hereinafter Van Bemmel.
Regarding claim 24, Glazemakers discloses the secure gateway device of claim 23, wherein the communication environment includes an access control server, which maintains the access control data, the secure gateway device being further adapted to: request the access control data from the access control server prior to the receiving of the first request from the client application information (col. 10, lines 15-38: receive client access first and activate firewall rules, see also Fig. 4, 406 ); Glazemakers does not explicitly teach, but van Bemmel, in an analogous art,  discloses a gateway configured to request the access control data from the access control server ([0022]: gateway obtains the latest version of security policies from remote server) upon the receiving of the first request from the client application (Fig. 3 step 302 gateway receives a request from a client in a loop, and [0023], periodically downloads the latest policies ); and request the access control data from the access control server in response to an update process to update the access control data ([0023]: the gateway is notified of the updates of policies on the remote server and downloads a copy of the 
Regarding claim 26, the claim recites substantially the same content as claim 24 and is rejected using the rationales for rejecting claim 24. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138.  The examiner can normally be reached on Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.