DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination under 37 CFR 1.114
	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this Application after Final Rejection. Since this Application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 11/08/2021 has been entered. 
	Claims 5, 12 and 18 have been canceled and claims 1, 7, 8, 14, 15 and 20 are amended. Claims 1-4, 6-11, 13-17 and 19-20 remain pending.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-4, 6-11, 13-17 and 19-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Objections
In response to corrective amendments, the objection of record to claim 15 is withdrawn. 

Double Patenting Rejection
Per applicant’s request in Remarks dated 05/05/2021 and as previously indicated in the final action dated 08/25/2021, DP rejection of record is maintained until such time when all formal and informal issues have been resolved and claims are otherwise in condition for allowance.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 1, 2, 4, 6-9, 11, 13-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Buruganahalli, US9419942B1 in view of Barbson, US2007/0245401A1.
 
Per claim 1, Buruganahalli discloses a method comprising: 
identifying, by a device intermediary to a plurality of clients and a plurality of servers responsive to a request to access a server of the plurality of servers, a policy from a plurality of policies to control the device's server certificate validation of server certificates of the plurality of servers (FIG. 7 is a flow diagram for providing destination domain extraction for secure protocols in accordance with some embodiments.  At 702, monitoring network communications between a client and a remote server is performed.  At 704, determining if the client sends a request to create a secure connection with the remote server is performed (e.g., in which the network communications are initiating a setup for a secure protocol-based connection).  At 706, extracting a destination domain from the request to create the secure connection with the remote server is performed.  In some embodiments, the secure protocol is a secure sockets layer (SSL) protocol or transport layer security (TLS) protocol, and the destination domain is extracted from the server name indication (SNI) of a client hello message sent from the client to the remote server.  In some embodiments, destination domain extraction for secure protocols further includes applying a policy (e.g., a security policy) based on the destination domain to filter traffic using a security device – Buruganahalli: col. 14, lines 44-61 – Note: applying a policy based on destination domain inherently/necessarily anticipates identifying the policy from plurality of policies because multiple domain names/servers are disclosed – see Fig. 2, 216, 218 and 220), 
Buruganahalli is not relied on to disclose but Barbson discloses the plurality of policies restricting server certificate validation to one or more specific servers or domain names specified in one or more policies of the plurality of policies, each policy of the plurality of policies specifying whether to perform server certificate validation of a respective server or domain name (Rule 320 is a "Block" rule that specifies conditions under which certificates will be blocked (i.e., treated as if they are invalid)….policy rules are evaluated and enforced in order of most-specific to least-specific…multiple rules might be evaluated before encountering a matching rule (that is, a rule for which the specified conditions are met).  Policy rules may be written such that more than one matching rule is evaluated to determine whether a particular server certificate is permitted or blocked, if desired, where each matching rule that is evaluated preferably operates to further filter the certificate – Barbson: par. 0034-0035 – Note: applicable for modifying blacklisted and/or unknown domains in Buruganahalli), or to forego the server certificate validation of the respective server or domain name (rule 310 is a "Permit" rule and specifies a set of conditions under which server certificates will be permitted (i.e., treated as if they have been validated) even though the root CA certificate is not available… Thus, if the conditions in rule 310 are met, the server certificate is permitted (and rule 320 is preferably not evaluated) – Barbson: par. 0034-0035 – Note: applicable for modifying whitelisted domains in Buruganahalli). 
Note: Barbson further discloses “it will be obvious to one of skill in the art, given the teachings provided herein, that a policy repository may contain a large number of policy rules.  And, although the sample rules 310, 320 are relatively simple and use a "permit" and "block" syntax, this is by way of illustration only: rules used in an actual implementation may vary in complexity and alternative syntax may be used” – Barbson: par. 0044.
Buruganahalli in view of Barbson further discloses determining, by the device based at least on the policy, to perform the server certificate validation of the server or a corresponding domain name using a subset of one or more certificate authority (CA) certificates of a plurality of CA certificates available to the device (SNI is an extension to the TLS protocol that indicates what hostname (e.g., destination domain) that the client is attempting to connect to at the start of the handshaking process for setting a secure TLS communication channel/session between a client and a remote server.  This standard extension for SNI was developed to allow a server to present multiple certificates on the same IP address and port number and, as a result, allows multiple secure (HTTPS) websites (e.g., and/or any other service over TLS) to be served using the same IP address without requiring all those sites to use the same certificate…Therefore, with clients and servers that support SNI, a single IP address can be used to serve a group of domain names for which it is impractical to get a common certificate – Buruganahalli: col. 4, lines 63-67 and col. 5, lines 1-13); 
performing, by the device, the server certificate validation of the server or the corresponding domain name using the one or more CA certificates identified by the policy (if a flow is initially determined to be permissible based on a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be allowed, and a policy may require that the session be decrypted for further analysis and further potential filtering based on the policy– Buruganahalli: col. 6, lines 6-20 – Note: as disclosed in col. 4, lines 63-67 and col. 5, lines 1-13, with clients and servers that support SNI, multiple secure (HTTPS) websites (e.g., and/or any other service over TLS) are served using the same IP address without requiring all those sites to use the same certificate…Therefore, a single IP address can be used to serve a group of domain names); and 
establishing, by the device, access to the server responsive to validation of the one or more CA certificates identified by the policy (If the firewall policy of ACME Company has white listed the domain associated with the Banking Corporation as a trusted domain, then Bob's connection (e.g., an SSL/TLS session) with the web site for the Banking Corporation can be allowed…[if] the remote server is determined to be associated with an unknown site (e.g., a domain that is not on a white list of the firewall policy and also not on a black list of the firewall policy)…, the firewall can be configured to allow the connection and can also be configured to further monitor the encrypted data communications of that session between Alice's laptop and the remote server in order to determine whether or not further action(s) should be performed based on the firewall policy – Buruganahalli: col. 5, lines 63-66 and col. 6, lines 21-26).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Buruganahalli in view of Barbson to include [identifying] the plurality of policies restricting server certificate validation to one or more specific servers or domain names specified in one or more policies of the plurality of policies, each policy of the plurality of policies specifying whether to perform server certificate validation of a respective server or domain name, or to forego the server certificate validation of the respective server or domain name.
One of ordinary skill in the art would have been motivated because it would allow to include “Policy filtering services [that] are built into security processing of an execution environment for resolving how to handle a digital security certificate of a communicating entity without requiring a local copy of a root certificate that is associated with the entity through a certificate authority ("CA") chain” – Barbson: Abstract.

Per claim 8, it recites a system comprising: 
a device comprising one or more processors, coupled to memory and intermediary to a plurality of clients and a plurality of servers (FIG. 5 is a functional diagram of hardware components of a security device for providing destination domain extraction for secure protocols in accordance with some embodiments… Specifically, security device 402 includes a high performance multi-core CPU 502 and RAM 504.  Security device 402 also includes a storage 510 (e.g., one or more hard disks or solid state storage units), which is used to store policy and other configuration information as well as signatures.  In some embodiments, storage 510 stores tables that include host names/identifiers (e.g., destination domains) and associated IP addresses and possibly other information for clients and/or remote servers identified as external sites that are monitored for implementing policies using destination domain extraction for secure protocols – Buruganahalli: col. 13, lines 29-44), wherein the device is configured to perform the method steps as recited in claim 1.
Therefore, claim 8 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 15, it recites a non-transitory computer readable medium storing program instructions for causing one or more processors intermediary to a plurality of clients and a plurality of servers (FIG. 5 is a functional diagram of hardware components of a security device for providing destination domain extraction for secure protocols in accordance with some embodiments… Specifically, security device 402 includes a high performance multi-core CPU 502 and RAM 504 – Buruganahalli: col. 13, lines 29-44 – Note: the term `processor` refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions) to perform the method steps as recited in claim 1.
Therefore, claim 15 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 2, 9 and 16, Buruganahalli in view of Barbson discloses features of claims 1, 8 and 15, further comprising receiving, by the device, the request to access the server via a secure socket layer (SSL) connection (the secure protocol is a secure sockets layer (SSL) protocol or transport layer security (TLS) protocol, and the destination domain is extracted from the server name indication (SNI) of a client hello message sent from the client to the remote server – Buruganahalli: Abstract).

Per claims 4 and 11, Buruganahalli in view of Barbson discloses features of claims 2 and 9, wherein the SSL connection comprises a clientless SSL connection (SSL handshaking flows 250-270 are then exchanged, and comprise a client hello 250 and a server hello 260… FTP client 210 realizes, upon receiving the server certificate at 270, that the root CA certificate is not available on the client's key ring.  As has been discussed, an end user is generally responsible for resolving this problem when using prior art techniques.  According to preferred embodiments, however, policy rules are consulted to determine how to resolve the problem – Barbson: par. 0031-0032).
The same motivation to modify Buruganahalli in view of Barbson applied to claim 1 above applies here.

Per claims 6, 13 and 19, Buruganahalli in view of Barbson discloses features of claims 1, 8 and 15, further comprising identifying, by the device, the policy from the plurality of policies using one or more parameters identified via the request (destination domain extraction for secure protocols further includes applying a policy (e.g., a security policy) based on the destination domain to filter traffic using a security device – Buruganahalli: col. 14, lines 44-61 – Note: applying a policy based on destination domain inherently/necessarily anticipates identifying the policy from plurality of policies because multiple domain names/servers are disclosed – see Fig. 2, 216, 218 and 220).

Per claims 7, 14 and 20, Buruganahalli in view of Barbson discloses features of claims 1, 8 and 15, further comprising foregoing, by the device, server certificate validation of a second server or second domain name responsive to a second policy of the plurality of policies identified by the device responsive to a second request to access the second server (rule 310 is a "Permit" rule and specifies a set of conditions under which server certificates will be permitted (i.e., treated as if they have been validated) even though the root CA certificate is not available – Barbson: par. 0031-0032 and 0034).
 The same motivation to modify Buruganahalli in view of Barbson applied to claim 1 above applies here.

2.	Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Buruganahalli, US9419942B1 in view of Barbson, US2007/0245401A1, as applied to claims 2, 9 and 16 above, and further in view of Brinskelle, US8683052B1.

Per claims 3, 10 and 17, Buruganahalli in view of Barbson discloses features of claims 2, 9 and 16.
Buruganahalli or Barbson is not relied on to disclose but Brinskelle discloses wherein the SSL connection comprises a virtual private network (The security agent may be integrated with an application proxy, web proxy, or the like.  One or more users may make use of the security agent.  For example, a virtual private network (VPN) is setup from the user to the enterprise, network traffic is routed through the VPN to a web proxy containing a security agent within the enterprise – Brinskelle: col. 33, lines 38-44).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Buruganahalli-Barbson further in view of Brinskelle to include wherein the SSL connection comprises a virtual private network.
One of ordinary skill in the art would have been motivated because it would allow to include a security agent that “monitors communications and provides guidance to the user regarding the risk of their online communications” – Brinskelle: col. 33, lines 45-46, to “protect against attacks… by being situated or operating externally to a web browser Wildcard certificates: … by assessing the destination communication elements and using risk decisions to determine whether the communications are acceptable” – Brinskelle: col. 9, lines 30-51.
Examiner’s Note
To expedite prosecution, applicant is welcome to initiate an interview to discuss the prior art references, including those cited but currently not relied on, after they have a chance to review this action.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Das (US10193698B1) discloses a device (intermediary between a client and a server) receiving a message, associated with establishing a secure session, including a first certificate chain associated with a server device. The device generates a first certificate fingerprint associated with the first certificate chain and determines a policy identifier associated with a security policy on which the first certificate chain is to be validated.  

Himawan (US2013/0159703A1) discloses relying party 105 and subject 115 that can represent a variety of electronic devices, comprised of hardware and/or software elements, configured to utilize server-based certificate validation protocol (SCVP) to validate the certificate used for establishing the communication. The relying party 105 sends the client PKI certificate 125 (or other type of subject certificate) along with a list of trusted PKI certificates 130 (or other type of trusted certificate) to a SCVP responder 110.  The SCVP responder 110 determines and validates a certificate path 135 between the client PKI certificate 125 and one of the trusted PKI certificates 130 of the relying party 105.  The result of the certificate path validation can be sent to the relying party 105, which can then proceed to authenticate the subject 115.

Nigriny (US2015/0326399A1) discloses Delegated Path Validation (DPV) that comprises offloading to a trusted server the work involved in validating a public key certificate, and a DPV type response typically only includes a "valid" or "not valid" indicator, thereby saving on transaction bandwidth.  An SCVP server operating in DPV mode combines certificate information supplied by the client with certificate path and revocation status information obtained by the DPV server.  In this manner, the DPV server is able to apply complex validation policies that are prohibitive for each client to perform.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/Examiner, Art Unit 2494