DETAILED ACTION
This action is in response to the initial claims filed 7/10/2019.  Claims 1-8 are pending.  Independent claims 1, 4 and 7, and corresponding dependent claims are directed towards a method, system and non-transitory computer-readable storage medium for dynamically enforcing context sensitive network access control policies.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings are objected to because:  Fig. 1 shows the “VPN Tunnel” as 110A, however the specification and Fig. 4 uses 110A to refer to a VPN endpoint.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be 
Specification
The disclosure is objected to because of the following informalities: [0039] “computer implemented system 100” is not shown in the drawings; [0043] “the policy controller 200” should read “the policy controller 300”; [0043] l. 11 “When the user device 102 is deemed to be internal” should read “When the user device 102 is deemed to be external”; [0043] “but only as long as until” is grammatically incorrect as “but only as long as” and “until” are contradictory terms, suggest removing “until” as the intent is for the specified type of enforcement to occur as long as the device is determined to be internal, and a different enforcement to occur while the device is determined to be external.	Appropriate correction is required.
Claim Objections
Claims 4 and 7 are objected to because of the following informalities, shown with suggested amendments:  Claim 4 l. 41 “said second device location” for proper antecedent basis; Claim 4 l. 46 “said reconfigured micro-segmentation policy” for proper antecedent basis; Claim 4 l. 47 “said second device location” for proper antecedent basis; and Claim 7 l. 39 “
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-8 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 1 ll. 14-17, Claim 4 ll. 19-22 and Claim 7 ll. 13-16 recite the limitation create/creating “said at least one micro-segmentation policy in-line with said first security context, and configuring said at least one micro-segmentation policy to enforce said first security context on said user computer and said enterprise server, only until said user computer is determined to be located at said first device location” which unclear and indefinite as per the specification and drawing (see. Fig. 2A-2B) the intent of the invention is to enforce security context upon user computers while they are  only as long as  said user computer is determined to be located at said first device location”.
Claim 2 l. 12 recites the limitation “said data transmission” which lacks proper antecedent basis as there is no prior recitation of “data transmission”.  For purposes of applying prior art the limitation has been construed as “said IP datagrams 
Claim 2 ll. 12-15, Claim 5 ll. 11-14 and Claim 8 ll. 12-15 recite the limitation enforce/enforcing “said first security context on said data transmission between said user computer and said enterprise server, via said micro-segmentation policy, until said user computer is determined to be connected to said enterprise server via at least one of said Local Area Network (LAN), Wide Area Network (WAN) and Intranet” which unclear and indefinite as per the specification and drawing (see. Fig. 2A-2B) the intent of the invention is to enforce security context upon user computers while they are determined to be located at a specific location.  For purposes of applying prior art the limitation has been construed as enforce/enforcing “said first security context on said data transmission between said user computer and said enterprise server, via said micro-segmentation policy, as long as
Claims 3 and 6 incorporate the deficiencies of claims 1 and 4, through dependency, and are therefore also rejected.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-8 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Barabash et al. (US 2016/0173535 A1), published Jun. 16, 2016.
As to claim 1, Barabash anticipates a computer-implemented method (Barabash [0004]) for creating and enforcing at least one contextual micro-segmentation policy on a user computer communicably connected to an enterprise server via a pre-established, secured enterprise network (Barabash Fig. 1 items 48, 42 and 20 physical client, local NAS server, network) said method comprising the following computer-implemented steps:	identifying contextual information (Barabash Fig. 2 item 80; [0027] context detection/definition module determines current context of network) corresponding to a network connection (Barabash [0033] context includes data flow information of source and destination) established between said user computer and said enterprise server via said pre-established, secured enterprise network (Barabash Fig. 1 items 48, 42 physical client, local NAS server; [0013] connection of two endpoints on same network), and determining, based on said contextual information, at least a first device location corresponding to said user computer (Barabash [0035] data flow; [0015] context includes current endpoints locations);	determining, based on said contextual information, whether said first device location is a location internal to said enterprise network (Barabash [0033] determine relevant dynamic context of source and destination being on same network (local vs. remote); [0035] dynamic context changing when location of endpoint moves to remote site), and only in an event said first device location is a location internal to said enterprise network, defining a first security context based on said first device location (Barabash [0053]-[0057] context defined by attributes of both network and data including location), and configuring said first security context to be responsive to a change in said first device location (Barabash Fig. 3 item 96 dynamic context change? (Yes/No); [0052] detect change in context);	creating said at least one micro-segmentation policy in-line with said first security context (Barabash [0017] apply current context of network to data forwarding policies, and adjust data forwarding rules), and configuring said at least one micro-segmentation policy to enforce said first security context on said user computer and said enterprise server (Barabash [0051] rules specifying path between endpoints comprising a sequence of multiple network segments; [0052] convey rules to data forwarding devices), only as long as said user computer is determined to be located at said first device location (Barabash [0035] change in context/location invalidates prior rules on effected forwarding devices), and selectively facilitating transmission of IP datagrams filtering rules for firewalls);	continually monitoring said contextual information corresponding to said network connection, to identify at least one change in said contextual information (Barabash Fig. 3 item 96 ‘NO’ path checks for dynamic context change continuously; [0027] context detection/definition module determines current context of network), and determining, based on said at least one change in said contextual information, whether said user computer has migrated to a second device location different from said first device location (Barabash [0035] source of data flow moves to remote network);	only in an event said user computer is determined to have migrated to said second device location, determining whether said second device location is a location external to said enterprise network (Barabash [0035] source of data flow moves to remote network);	only in an event said user computer is determined to be external to said enterprise network, determining whether said user computer is triggering a proxy device from said second device location to connect to said enterprise server (Barabash [0020] security gateways controlling incoming and outgoing traffic via VPN tunnels; [0049] data forwarding devices can include proxy servers; [0035] source of data flow moves to remote network – must go through gateway 44 or 52; [0051] path specification with remote network between endpoints);	in response to determining that said user computer is triggering a proxy device from said second device location to connect to said enterprise server, characterizing said user computer as a remote user computer, and modifying, in real-time, and at least process dynamic context; [0035] processor detects change in dynamic context as source of given data flow moves to remote network); and	dynamically reconfiguring said micro-segmentation policy in-line with said second security context (Barabash [0035] updating rules according to new context), such that reconfigured micro-segmentation policy is enforced on said proxy device and is rendered applicable to said IP datagrams transmitted from said remote user computer to said enterprise server via said proxy device, to facilitate selective transmission of said IP datagrams between said remote user computer and said enterprise server via said proxy device (Barabash [0035] convey updated rules to effected network switches; [0049] data forwarding devices can be proxy servers; [0050] forwarding rules are for data handling, packet filtering, redirection, etc.), notwithstanding translation of IP datagrams transmitted from said remote user computer, by a predetermined network address translation (NAT) unit (Barabash [0049] data forwarding devices can be network address translators).
As to claim 2, Barabash discloses the invention as claimed as described in claim 1, including wherein the step of determining, based on said contextual information, at least a first device location corresponding to said user computer, further includes the LAN), Wide Area Network (WAN) (Barabash [0041] WAN) and Intranet (Barabash [0027] detecting change in context includes detection of connection/disconnection of physical client from network 20; [0018] network 20 as wide area network);	identifying said first device location as a location within said enterprise network, only in an event said user computer is connected to said enterprise server via at least one of said Local Area Network (LAN), Wide Area Network (WAN) and Intranet (Barabash [0027] detecting change in context includes detection of connection/disconnection of physical client from network 20; [0033] detect if source and destination of flow are located on same network);	characterizing said user computer as a trusted device only in an event said user computer is connected to said enterprise server via at least one of said Local Area Network (LAN), Wide Area Network (WAN) and Intranet (Barabash [0033] endpoints on same network then direct forwarding occurs); and	enforcing said first security context on said data transmission between said user computer and said enterprise server, via said micro-segmentation policy, as long as said user computer is determined to be connected to said enterprise server via at least one of said Local Area Network (LAN), Wide Area Network (WAN) and Intranet (Barabash [0035] change in context, and resulting change in forwarding rules, occurring when source of dataflow moves to remote network; Fig. 3 item 96; [0052] processor monitoring for change in context; [0050] forwarding rules are for data handling, packet filtering, redirection, etc.).
As to claim 3, Barabash discloses the invention as claimed as described in claim 1, including wherein the step of characterizing said user computer as a remote user computer, further includes the following steps:	determining whether said user computer is connected to said enterprise server via a virtual private network (Barabash [0035] determine source of data flow has moved to remote network; Fig. 1 items 30 and 32; [0018] local network communicates with remote network via VPN tunnels);	only in an event said user computer is determined to be connected to said enterprise server via said virtual private network, identifying a VPN endpoint on said Virtual Private Network through which said user computer is connected to said enterprise server, and designating said VPN endpoint as said proxy device (Barabash [0020] firewalls 54 and 56 on gateways 44 and 52 control incoming network traffic via VPN tunnels; [0025] identify forwarding device in network and store in data forwarding device list);	enforcing said reconfigured micro-segmentation policy on transmission of said IP datagrams between said remote user computer, said proxy device and said enterprise server, in-line with said second security context (Barabash [0028] convey updated data forwarding rules to data forwarding devices in list), until said remote user computer ceases to communicate with said enterprise computer via said proxy device (Barabash [0035] change in context/location invalidates prior rules on effected forwarding devices);	programming said reconfigured micro-segmentation policy, at least in part, to forwarding rules are for data handling, packet filtering, redirection, etc.).
As to claim 4, Barabash anticipates a computer-implemented system for creating and enforcing at least one contextual micro-segmentation policy (Barabash [Abstract]) on a user computer (Barabash Fig. 1 item 48 local client) communicably connected to an enterprise server via a pre-established, secured enterprise network (Barabash Fig. 1 item 42 local network storage server (NAS)), said system comprising:	at least one processor (Barabash Fig. 2 item 70);	at least one memory module storing computer program code, and communicably coupled to said processor (Barabash Fig. 2 item 72 memory having modules), wherein said memory module and said computer program code stored therein are configured, with said processor, to cause said computer-implemented system to (Barabash [0026] execution of policy management software by processor):	identity contextual information (Barabash Fig. 2 item 80; [0027] context detection/definition module determines current context of network) corresponding to a network connection (Barabash [0033] context includes data flow information of source and destination) established between said user computer and said enterprise server via said pre-established, secured enterprise network (Barabash Fig. 1 items 48, 42 physical client, local NAS server; [0013] connection of two endpoints on same network), and data flow; [0015] context includes current endpoints locations);	determine, based on said contextual information, whether said first device location Is a location internal to said enterprise network (Barabash [0033] determine relevant dynamic context of source and destination being on same network (local vs. remote); [0035] dynamic context changing when location of endpoint moves to remote site), and only in an event said first device location is determined to be a location internal to said enterprise network, define a first security context based on said first device location (Barabash [0053]-[0057] context defined by attributes of both network and data including location), and render said first security context to be responsive to a change in said first device location (Barabash Fig. 3 item 96 dynamic context change? (Yes/No); [0052] detect change in context);	create said at least one micro-segmentation policy in-line with said first security context (Barabash [0017] apply current context of network to data forwarding policies, and adjust data forwarding rules), and configure said micro-segmentation policy to enforce said first security context on said user computer and said enterprise server (Barabash [0051] rules specifying path between endpoints comprising a sequence of multiple network segments; [0052] convey rules to data forwarding devices), only as long as said user computer is determined to be located at said first device location (Barabash [0035] change in context/location invalidates prior rules on effected forwarding devices), and selectively facilitate data transmission between said user computer and said enterprise server, in-line with said first security context (Barabash filtering rules for firewalls);	continually monitor said contextual information corresponding to said network connection, to identify at least one change in said contextual information (Barabash Fig. 3 item 96 ‘NO’ path checks for dynamic context change continuously; [0027] context detection/definition module determines current context of network), and determine, based on said at least one change in said contextual information, whether said user computer has migrated to a second device location different from said first device location (Barabash [0035] source of data flow moves to remote network);	only in an event said user computer is determined to have migrated to said second device location, determine whether said second device location is a location external to said enterprise network (Barabash [0035] source of data flow moves to remote network);	only in an event said user computer is determined to be external to said enterprise network, determine whether said user computer is triggering a proxy device from said second device location to connect to said enterprise server (Barabash [0020] security gateways controlling incoming and outgoing traffic via VPN tunnels; [0049] data forwarding devices can include proxy servers; [0035] source of data flow moves to remote network – must go through gateway 44 or 52; [0051] path specification with remote network between endpoints);	in response to determining that said user computer is triggering a proxy device from said second device location to connect to said enterprise server, characterize said user computer as a remote user computer, and modify, in real- time, and at least in part, said first security context, and dynamically generate a second security context, said process dynamic context; [0035] processor detects change in dynamic context as source of given data flow moves to remote network); and	dynamically reconfigure said micro-segmentation policy in-line with said second security context (Barabash [0035] updating rules according to new context), such that reconfigured micro-segmentation policy is enforced on said proxy device and is rendered applicable to said IP datagrams transmitted from said remote user computer to said enterprise server via said proxy device, for facilitating selective transmission of said IP datagrams between said remote user computer and said enterprise server via said proxy device (Barabash [0035] convey updated rules to effected network switches; [0049] data forwarding devices can be proxy servers; [0050] forwarding rules are for data handling, packet filtering, redirection, etc.), notwithstanding translation of IP datagrams transmitted from said remote user computer, by a predetermined network address translation (NAT) unit (Barabash [0049] data forwarding devices can be network address translators).
Claims 5-6 have subject matter similar to that of claims 2-3, and are rejected in the same matter and under the same grounds.
As to claim 7, Barabash discloses a non-transitory computer-readable storage medium having computer-readable instructions stored thereupon (Barabash [0006]), said computer-readable instructions when read and executed by a computer processor (Barabash [0026] policy management application executed by processor), cause the computer processor to:	identify contextual information (Barabash Fig. 2 item 80; [0027] context detection/definition module determines current context of network) corresponding to a network connection (Barabash [0033] context includes data flow information of source and destination) established between said user computer and said enterprise server via said pre-established, secured enterprise network (Barabash Fig. 1 items 48, 42 physical client, local NAS server; [0013] connection of two endpoints on same network), and determine, based on said contextual information, at least a first device location corresponding to said user computer (Barabash [0035] data flow; [0015] context includes current endpoints locations);	determine, based on said contextual information, whether said first device location is a location internal to said enterprise network (Barabash [0033] determine relevant dynamic context of source and destination being on same network (local vs. remote); [0035] dynamic context changing when location of endpoint moves to remote site), and only in an event said first device location is determined to be a location internal to said enterprise network, define a first security context based on said first device location (Barabash [0053]-[0057] context defined by attributes of both network and data including location), and render said first security context to be responsive to a change in said first device location (Barabash Fig. 3 item 96 dynamic context change? (Yes/No); [0052] detect change in context);	create said micro-segmentation policy in-line with said first security context (Barabash [0017] apply current context of network to data forwarding policies, and adjust data forwarding rules), and configure said micro-segmentation policy to enforce said first security context on said user computer and said enterprise server (Barabash [0051] rules specifying path between endpoints comprising a sequence of multiple network segments; [0052] convey rules to data forwarding devices), only as long as said user computer is determined to be located at said first device location (Barabash [0035] change in context/location invalidates prior rules on effected forwarding devices), and selectively facilitate data transmission between said user computer and said enterprise server, in-line with said first security context (Barabash [0050] filtering rules for firewalls);	continually monitor said contextual information corresponding to said network connection, to identify at least one change in said contextual information (Barabash Fig. 3 item 96 ‘NO’ path checks for dynamic context change continuously; [0027] context detection/definition module determines current context of network), and determine, based on said at least one change in said contextual information, whether said user computer has migrated to a second device location different than said first device location (Barabash [0035] source of data flow moves to remote network);	only in an event said user computer is determined to have migrated to said second device location, determine whether said second device location is a location external to said enterprise network (Barabash [0035] source of data flow moves to remote network);security gateways controlling incoming and outgoing traffic via VPN tunnels; [0049] data forwarding devices can include proxy servers; [0035] source of data flow moves to remote network – must go through gateway 44 or 52; [0051] path specification with remote network between endpoints);	in response to determining that said user computer is triggering a proxy device from said second device location to connect to said enterprise server, characterize said user computer as a remote user computer, and modify, in real-time, and at least in part, said first security context, and dynamically generate a second security context, said second security context consistent with migration of said user computer from said first device location to second device location, and consequentially from within said enterprise network to outside said enterprise network, and with characterization of said user computer as said remote user computer (Barabash [0034] process dynamic context; [0035] processor detects change in dynamic context as source of given data flow moves to remote network); and	dynamically reconfigure said micro-segmentation policy in-line with said second security context (Barabash [0035] updating rules according to new context), such that reconfigured micro-segmentation policy is enforced on said proxy device and is rendered applicable to said IP datagrams transmitted from said remote user computer to said enterprise server via said proxy device, to facilitate selective transmission of said IP datagrams between said remote user computer and said enterprise server via said convey updated rules to effected network switches; [0049] data forwarding devices can be proxy servers; [0050] forwarding rules are for data handling, packet filtering, redirection, etc.), notwithstanding translation of IP datagrams transmitted from said remote user computer, by a predetermined network address translation (NAT) unit (Barabash [0049] data forwarding devices can be network address translators).
As to claim 8, Barabash discloses the invention as claimed as described in claim 7, including wherein said computer-readable instructions are further configured to trigger said computer processor to:	identify whether said user computer is connected to said enterprise server via at least one of a Local Area Network (LAN) (Barabash [0041] LAN), Wide Area Network (WAN) (Barabash [0041] WAN) and Intranet (Barabash [0027] detecting change in context includes detection of connection/disconnection of physical client from network 20; [0018] network 20 as wide area network);	identify said first device location as within said enterprise network, only in an event said user computer is connected to said enterprise server via at least one of said Local Area Network (LAN), Wide Area Network (WAN) and Intranet (Barabash [0027] detecting change in context includes detection of connection/disconnection of physical client from network 20; [0033] detect if source and destination of flow are located on same network);	categorize said user computer as a trusted device only in an event said user computer is connected to said enterprise server via at least one of said Local Area endpoints on same network then direct forwarding occurs);	enforce said first security context on said data transmission between said user computer and said enterprise server, via said micro-segmentation policy, until said user computer is determined to be connected to said enterprise server via at least one of said Local Area Network (LAN), Wide Area Network (WAN) and Intranet (Barabash [0035] change in context, and resulting change in forwarding rules, occurring when source of dataflow moves to remote network; Fig. 3 item 96; [0052] processor monitoring for change in context; [0050] forwarding rules are for data handling, packet filtering, redirection, etc.);	determine whether said user computer is connected to said enterprise server via a virtual private network (Barabash [0035] determine source of data flow has moved to remote network; Fig. 1 items 30 and 32; [0018] local network communicates with remote network via VPN tunnels);	characterize said user computer as said remote user computer, only in an event said user computer is determined to be connected to said enterprise server via said virtual private network, and if a VPN endpoint located on said virtual private network is designated as said proxy device (Barabash [0020] firewalls 54 and 56 on gateways 44 and 52 control incoming network traffic via VPN tunnels; [0025] identify forwarding device in network and store in data forwarding device list);	enforce said reconfigured micro-segmentation policy on transmission of IP datagrams between said remote user computer, said proxy device and said enterprise server, in-line with said second security context (Barabash [0028] convey updated data forwarding rules to data forwarding devices in list), until said user computer ceases to communicate with said enterprise computer via said proxy device (Barabash [0035] change in context/location invalidates prior rules on effected forwarding devices).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Pai et al. (US 2017/0353496 A1) is related to hardware-based virtualized security isolation.
Nicodemus et al. (US 2007/0143851 A1) is related to controlling access to computing resources based on known security vulnerabilities.
Dupont et al. (US 2009/0307753 A1) related to network access control based on location.
Labana et al. (US 8,528,059 B1) is related to corporate network access control using a software shell installed on remote host.
Yada (US 2014/0201808 A1) is related to change of policy based on change of device location.
Manmohan et al. (US 9,565,059 B1) is related to group management changes based on network connection events.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC W SHEPPERD whose telephone number is (571)270-5654.  The examiner can normally be reached on Monday - Thursday, Alt. Friday, 7:30AM - 5:00PM, EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Eric W Shepperd/Primary Examiner, Art Unit 2492