DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
RCE was filed on 10/20/2021.
Claims 1-14 are pending.
Claim 15 is canceled.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-10 and 12-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rao et al., (US 2013/0128892 A1, herein after Rao) in view of Johnson et al., (US 20150381567 A1, herein after Johnson), Gondo et al., (US 2008/0077789 A1, herein after Gondo) and Merchant et al., (US 2015/0326503 A1, herein after Merchant).
Claims 1 and 14,
	Rao discloses a method comprising: receiving, at a gateway device, via a public network, a request from a client device to access a service provided by a host device in a private network, wherein the gateway device is in communication with the public network and the private network (Figure 1, Claim 37: "a device intermediary to a client on a public network and a server on a private network", Paragraph 40: "Client computing devices 110 communicate with the gateway computing device 120 over a first network 150. The network can be ... the Internet", ¶ [0041]: "The gateway computing device 120 communicates with the target computing devices 140 via a second network 180.", Paragraph 58: "... a private secured network 180 behind a gateway 120", ¶ [0078]: "the client computing device may request that a connection be set up to a specific machine on the private network behind the gateway computing device". Interpreted: the feature "gateway device" of the claim may correspond to the "device intermediary", "gateway computing device" or "gateway". The feature "host device" of the claim may correspond to the "target computing device" or "a specific machine on the private network". The "first network" is a public network, such as the Internet, while the "second network" is a private, secured network.);
receiving, at the gateway device, credential information transmitted by the client device (¶ [0044]: The gateway computing device 120 authenticates the user of the client computing device 110… Once [the gateway device 120] credentials are received from the user, authentication may occur using LDAP);
transmitting, from the gateway device to the client device, a port number corresponding to the first port and an associated address of the gateway device for communicating with the service (¶ [0047]: "The gateway computing device 120 transmits remote process to the client computing device 110 . . . the remote process comprises a client application". ¶ [0048]: "a filter table received from the client application". ¶ [0062]: "the filtering table indicates that an outbound packet should be transmitted to the client application if the outbound packet is addressed to a particular", ¶ [0055]: The gateway computing device 120 may maintain a port-mapped Network Address Translation (NAT) table, enabling the gateway computing device 120 to transmit response packets from the target computing device 140 to the port monitored by the application that originally generated the IP packet on the client computing device 110);
creating, at the gateway device, a port binding between: a first port opened to enable communications between the client device and the gateway device to transmit data for the host device service, and a second port opened to enable (¶ [0055]: The gateway computing device 120 may maintain a port-mapped Network Address Translation (NAT) table, enabling the gateway computing device 120 to transmit response packets from the target computing device 140 to the port monitored by the application that originally generated the IP packet on the client computing device 110. Interpreted "port binding" as a port-mapped Network Address Translation (NAT) table at the gateway device that maps a gateway port for the target device to a gateway port for the client device);
receiving, at the gateway device on the first port via the public network, data to be transmitted to the host device, the data including an address of a device having sent the data (Figure 1, Paragraph 50: "the remote process is a client application ... the client application establishes the secure communication tunnel to the gateway computing device ... the secure communication tunnel is established over an HTTPS port, such as port 442, or any other configured port on the gateway computing device", Paragraph 53: "the remote process captures all network traffic destined for a private, secured network, such as the network 180 . . . the remote process redirects captured network… traffic over the established secure communications tunnel to the gateway computing device". ¶ [0076]: the gateway-computing device 540 transforms the IP address of the packet to the IP address associated with the client-computing device 520)
wherein, when the address of the device having sent the data corresponds to the address of the client device for which the first port is opened (¶ [0056]: the client computing device 110 communicates only with a public network address of the gateway computing device 120…communication tunnel is established over an HTTPS port, such as port 442, or any other configured port on the gateway computing device 120, ¶ [0050]):
Serial No.: 16/801,041
replacing, by the gateway device, the address of the client device contained in the data with an address of the gateway device on the private network to produce transcoded data, (¶ [0055]: upon receipt of the captured IP packets, the gateway computing device 120 may create a third TCP connection between the gateway computing device 120 to the target computing device 140… The gateway computing device 120 may maintain a port-mapped Network Address translation (NAT) table. ¶ [0056]: the client computing device 110 communicates only with a public network address of the gateway computing device 120, the client computing device 110 is unaware of the network address of the target computing device 140… the target computing device 140 does not receive the address information of the client computing device 110, protecting the client computing device and the network on which it resides. It is interpreted that the gateway uses the NAT table to replace the address as needed to correctly send the updated data to the destination. Transcoded data is interpreted as the packet received from the client side at the gateway device on the public network, which is updated using the NAT table for the target device on the private network) and (¶ [0091]: replaces address information on the outbound packet with a destination address and destination port associated with the client application (step 808). The peripheral device transmits the modified outbound packet to the client application).
by  the gateway device, a request to authenticate the client device including the client device credential information to an authentication service; receiving, at the gateway device, a transmitted an indication that the client device has been authenticated by the authentication service; storing, by the gateway device, a record comprising: an address of the client device, and an indication that the address of the client device has been authenticated; wherein communications received at the first port from a device other than the client device are ignored by the gateway device.
Johnson discloses transmitting, by the gateway device, a request to authenticate the client device including the client device credential information to an authentication service (Fig. 1 Authentication service 133; The authentication service 133 maintains and distributes community of interest keys in response to receipt of credentials in a request (as have previously been retrieved by a hardware or virtualized system from the credentialing service 122). The authentication service 133 corresponds to a Stealth authentication service that can be used to authorize each Stealth-based (secured) endpoint within an enterprise, as well as via cloud-based VMs 110, cleartext endpoints such as endpoint 140 connected via the cloud domain 102, and VDRs 118 used to communicate with such cloud-based VMs and other devices in the cloud domain 102, ¶ [0053]. The authentication service 133, cloud-based VMs 110, as well as other external endpoints (e.g., endpoint 140), are authenticated and authorized, ¶ [0054]); receiving, at the gateway device, a transmitted an indication that the client device has been authenticated by the authentication service ([0112] An authentication completion indication (AUTH_COMPLETE_IND), corresponding to a message from the authentication manager that a Stealth user has been authenticated by the authentication service 133, includes a username, gateway, and COI response from the authentication server, ¶ [0112]…).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao by using the features, as taught by Johnson, in order to efficiently improve the flexibility by which devices can connect to and communicate with other devices within a Stealth-based network, ¶ [0019].
Gondo discloses storing, by the gateway device, a record comprising: an address of the client device, and an indication that the address of the client device has been authenticated (Figure 5, Paragraph 34: "The authentication server 200 performs authentication of the SIP client 400. The authentication server 200 receives the authentication information from the SIP client 400 through the data channel established between the authentication server 200 and the SIP client 400 via the SIP proxy 100 according to an INVITE request and performs authentication processing". Paragraph 43: "The SIP proxy 100 is an intermediate server that mediates communication between the authentication server 200 and the SIP client 400. . . The SIP proxy 100 includes a storing unit 120", Paragraph 44: "the storing unit 120 includes ... an authentication state table 123", Paragraph 49: "The authentication state table 123 stores a state of authentication by the authentication server 200 for each SIP client 400 registered", Paragraph 50: "the authentication state table 123 stores an SIP URL and an authentication state in association with each other. "Valid" representing a state in which an SIP client is authenticated by the authentication server 200 or "invalid" representing a state in which an SIP client is not authenticated by the authentication server 200 is set in the authentication state").
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao and Johnson by using the features, as taught by Gondo, in order to efficiently improve security without spoiling processing and scalability peculiar to the communication mediating server, ¶ [0096].
Merchant discloses wherein communications received at the first port from a device other than the client device are ignored by the gateway device (Create different connections that take traffic from network ports to instrument ports; View connection(s) that are using certain port(s) (e.g., network port(s), instrument port(s)); Share connection(s) with other users; Add, edit, or remove connection(s); Add, edit, or remove filter(s) that is associated with certain port(s); Add, edit, or remove filter(s) that is associated with certain connection(s); Lock one or more ports to prevent one or more other users from changing a configuration parameter (e.g., a parameter of a filter) that involves the port(s), such as network port(s) and/or instrument port(s); Add one or more other users to a share list, wherein the share list identifies user(s) who has access to certain port(s), such as network port(s) and/or instrument port(s), ¶ [0083]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao, Johnson and 
Claim 14 encompasses limitations that are similar to limitations of claim 1, except “an apparatus comprising: at least one processor; and a memory device comprising executable instructions, which, when executed by the at least one processor”, discussed by Rao in (Figs. 1, 2A, 2B: computing device 120; each computer 200 includes a central processing unit 202, and a main memory unit 204, ¶ [0027]). Thus, it is rejected with the same rationale applied against claim 1 above.

Claim 2,
	Rao, Johnson and Merchant do not disclose revoking, after a predetermined amount of time the client device's authentication.
Gondo discloses revoking, after a predetermined amount of time the client device's authentication (Success or failure of the authentication may be directly returned from the authentication server 200 to the SIP client 400 every time the authentication is performed or at a predetermined or arbitrary time interval or may be notified from the authentication server 200 to the SIP client 400 via the SIP proxy 100, ¶ [0041]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao, Johnson and Merchant by using the features, as taught by Gondo, in order to efficiently improve security without spoiling processing and scalability peculiar to the communication mediating server, ¶ [0096].
Claim 3,

Gondo discloses wherein revoking the client device's authentication comprises removing the address of the client device from a list of authorized addresses (when the authentication fails, the communication disconnecting unit 106 deletes connection information concerning the SIP client 400, for which the authentication fails, from the connection information table 122 to discard the dialog, ¶ [0074]).  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao, Johnson and Merchant by using the features, as taught by Gondo, in order to efficiently improve security without spoiling processing and scalability peculiar to the communication mediating server, ¶ [0096].

Claim 4,
Rao discloses receiving further data from the host device, that includes an address of the host device; and before transmitting the further data to the client device, replacing the address of the host device with an address of the gateway device on the public network (¶ [0055]: The gateway computing device 120 may maintain a port-mapped Network Address translation (NAT) table, enabling the gateway computing device 120 to transmit response packets from the target computing device 140 to the port monitored by the application that originally generated the IP packet on the client computing device 110…¶ [0057]  a remote process execution on the gateway computing device 120 maintains a reverse NAT table).  
Claim 5,

	Gondo discloses wherein the address of the host device comprises a hostname (FIG. 3, the registration information table 121 stores registration information in which an SIP uniform resource identifier (URI) of the SIP client 400 registered, a host name as a name of the SIP client 400 registered, and a port number to be used are associated with one another ¶ [0046]).  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao, Johnson and Merchant by using the features, as taught by Gondo, in order to efficiently improve security without spoiling processing and scalability peculiar to the communication mediating server, ¶ [0096].
Claim 6,
	Rao discloses the requested host device service comprises a virtual network administration tool (The application space 532 includes a client application 526…The application 538 can be any type and/or form of application such as any type and/or form of web browser, web-based client, client-server application, a thin-client computing client, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on client computing device 110 or communicating via a network. The application 538 can use any type of protocol and it can be, for example, an HTTP client, an FTP client, an Oscar client, or a Telnet client ¶ [0071]).

Claim 7,
(¶ [0041] The second network 180 may use any of protocols and transport mechanisms described above in connection with the first network 150. ¶ [0003]: between a gateway and an endpoint implement architectures such as Internet Protocol Security (IPSec) and Point-to-Point Tunneling Protocol (PPTP) virtual private network (VPN) architectures).
Claim 8,
	Rao discloses wherein communications between the client device and the gateway device are encrypted using secure sockets layer (SSL) encryption (¶ [0072] the client application 526 provides functionality for managing an SSL tunnel to the gateway computing device 540. In yet other embodiments, the client application 526 provides functionality for encrypting and transmitting a packet 528 to the gateway computing device 540…¶ [0083]: a packet/frame forwarding and SSL tunnel management API 610 on the client application 326 transmits the packet to a gateway computing device 540.).  
Claim 9,
Rao discloses wherein the client device requests access to the requested host device service by communicating with the host device via a third port (the client application establishes the secure communication tunnel to the gateway computing device 120. In one embodiment, the secure communication tunnel is established over an HTTPS port, such as port 442, or any other configured port on the gateway-computing device 120, using TLS or SSL encryption ¶ [0050]).  
Claim 10,
	Rao discloses wherein the request, from the client device, to authenticate with the gateway device is received via the third port (the client application establishes the secure communication tunnel to the gateway computing device 120. In one embodiment, the secure communication tunnel is established over an HTTPS port, such as port 442, or any other configured port on the gateway-computing device 120, using TLS or SSL encryption ¶ [0050]… ¶ [0078]: "the client computing device may request that a connection be set up to a specific machine on the private network behind the gateway computing device").

Claim 12,
	Rao, Johnson and Merchant do not disclose wherein the record further comprises a timestamp corresponding to the authentication of the client device.  
	Gondo discloses wherein the record further comprises a timestamp corresponding to the authentication of the client device (¶ [0008]…the authentication state continues until the authentication state is released according to an explicit request or a term of validity expires. Validity of the processing requested in the message is equivalent to validity of the authentication state. For example, in the case of registration processing, the authentication state is valid while a certain registration is valid. The connection information table 122 stores an SIP URI1 and an SIP URI2 that are SIP URIs of the each SIP client 400, a port number 1 and a port number 2, and a term of validity of the communication established in association with one another ¶ [0048]. Fig. 4).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao, Johnson and Merchant by using the features, as taught by Gondo, in order to efficiently improve security without spoiling processing and scalability peculiar to the communication mediating server, ¶ [0096].

Claim 13,
	Rao discloses wherein the associated address of the gateway device for communicating with the requested host device service comprises an address of the gateway device on the public network (the client-computing device 110 communicates only with a public network address of the gateway computing device 120 ¶ [0056]).  


Claim 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rao in view of Johnson, Gondo, Merchant and Nadig et al., (US 2018/0121260 A1, Nadig).
Claim 11,
	Rao, Johnson, Gondo and Merchant do not disclose the client device requests to access the requested host device service using an application program interface (API).  
	Nadig discloses the client device requests to access the service using an application program interface (API) (Application server 130 generally includes an API service 132, a request processor 134, and a configuration service 136. API service 132 receives a query from a client device 120 and parses the request to identify one or more systems that should process different parts of the request ¶ [0024]).  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Rao, Johnson, Gondo and Merchant by using the features, as taught by Nadig, in order to efficiently reduce the amount of code duplication, ¶ [0063].
Response to Arguments
Applicant’s arguments with respect to claim(s) 1 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Brugger et al., (US 20140195798 A1), ¶ [0075].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARDIKKUMAR D PATEL whose telephone number is (571)270-7886.  The examiner can normally be reached on 9AM-5PM Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kwang B Yao can be reached on 571-272-3182.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on 






/HARDIKKUMAR D PATEL/Examiner, Art Unit 2473