Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the instant application 16/826,762 filed on 3/23/2020. Claims 1-20 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 6/24/2021, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Allowable Subject Matter
Claims 9, 16 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3-5, 10, 12, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Pednekar et al. (US 2020/0067878) in view of Koshal et al. (US 2020/0259795) and Barker et al. (US 2012/0216133).

	As per claim 1, Pednekar teaches a method of secure remote troubleshooting of a private cloud from a public cloud via a computer network, the private cloud providing a set of computing services or computing resources to users of the private cloud, wherein the method comprising: upon receiving, from [[an operator]] of the private cloud, a request for a servicing connection with the public cloud; establishing the requested servicing connection between the private cloud and the public cloud upon receiving the list of access authorizations (Pednekar, Paragraph 0064 recites “In Step 520, a second request to establish a VPN between the client, the public cloud server, and the private cloud is sent to the private cloud via an SSL connection. In one or more embodiments of the invention, the SSL connection is a persistent SSL connection that is associated with the client.”).
	But fails to explicitly teach an operator of the private cloud and querying the operator for a list of access authorizations indicating a subset of the computing services or computing resources in the private cloud that are accessible from the public cloud via the requested servicing connection.
	However, in an analogous art Koshal teaches an operator of the private cloud and querying the operator for a list of access authorizations indicating a subset of the computing services or computing resources in the private cloud that are accessible from the public cloud via the requested servicing connection (Koshal, Paragraph 0011 recites “Whenever, the user is outside the network, a virtual private network (VPN) connection is established that allows a user to access the corporate resources. In one embodiment, the user may be allowed access to only limited resources within the corporate network. In order to allow a user access to only allowed resources a configuration that includes the list of accessible domains is provided to the device. The device creates a VPN adapter based on the received configuration that provides the device access to the accessible resources within the corporate network. A domain is a distinct subset of the internet with addresses sharing a common suffix or under the control of a particular organization or individual. For example, .edu is a domain name of resources related to education websites. Allowing a user access to the corporate resources based on auto-generation of the VPN connection, solves the various problems related to remote access of corporate resources.” It is interpreted that the VPN adapter is a part of the private network, and will be used to determine which resources are accessible to the device.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Koshal's automatic VPN establishment with split tunnel for remote resources with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because maintaining a list of the resources available for access helps to protect data that should be kept private.
	And fails to teach subsequently, upon receiving, from the public cloud, data representing a command to be executed by a computing service or to consume a computing resource in the private cloud, identifying that the data representing the command is received via the established servicing connection from the public cloud; determining, based on the list of access authorizations corresponding to the servicing connection, whether access to the computing service or computing resource to which the command is directed is allowed from the public cloud via the servicing connection; and in response to determining that access to the computing service or computing resource is not allowed, preventing the command from being executed in the private cloud, thereby avoiding unauthorized access to the computing service or computing resource in the private cloud.
	However, in an analogous art Barker teaches subsequently, upon receiving, from the public cloud, data representing a command to be executed by a computing service or to consume a computing resource in the private cloud, identifying that the data representing the command is received via the established servicing connection from the (Barker, Paragraph 0018 recites “ As a method for accessing a protected resource, one embodiment includes at least: receiving a login request from a user for access to an authentication intermediary server; authenticating the user at the authentication server and downloading user profile data to a module, such as a browser Plugin, to enable the Plugin to access one or more protected resources and to do at least one of: supervise, deny and control the use of individual functions on the protected resource and/or in the browser's own functions (generally referred to here as "controlled functions"); subsequently the user's browser page loads, and resource requests are matched to data in the Plugin user profile. When the Plugin detects events triggered by the code in pages loaded to the browser or the browser's own functions that correspond to controlled functions, those functions and optionally (in the case of an event triggered by page code loaded), relative surrounding page code, are suppressed or modified according to the profile settings. When the Plugin detects a resource request or a controlled function request in the user's browser for an address at a protected resource or a controlled function of the browser, the Plugin, based on the resource request match against the Plugin user profile, determines whether the response should be to allow, deny, modify or control use of the protected resource and/or controlled function and then, accordingly, allowing, preventing, modifying or controlling operation.”); 
	and in response to determining that access to the computing service or computing resource is not allowed, preventing the command from being executed in the (Barker, Paragraph 0018 recites “For example, the Plugin will block or modify a response to the resource request and/or controlled function request when the information in the stored user profile for the user indicates that the user is not permitted to perform the particular operation with the protected resource related to the resource request and/or the controlled function.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Barker's secure cloud computing system and method with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because the use of access policies for resources helps ensure that only authorized accesses are allowed.

	As per claim 3, Pednekar in combination with Koshal and Barker teaches the method of claim 1, Koshal further teaches in response to determining that access to the computing service or computing resource is allowed from the public cloud via the servicing connection, forwarding the command to the computing service or computing resource in the private cloud to be executed in the private cloud (Koshal, Paragraph 0011 recites “Whenever, the user is outside the network, a virtual private network (VPN) connection is established that allows a user to access the corporate resources. In one embodiment, the user may be allowed access to only limited resources within the corporate network. In order to allow a user access to only allowed resources a configuration that includes the list of accessible domains is provided to the device. The device creates a VPN adapter based on the received configuration that provides the device access to the accessible resources within the corporate network. A domain is a distinct subset of the internet with addresses sharing a common suffix or under the control of a particular organization or individual. For example, .edu is a domain name of resources related to education websites. Allowing a user access to the corporate resources based on auto-generation of the VPN connection, solves the various problems related to remote access of corporate resources.” It is interpreted that the VPN adapter is a part of the private network, and will be used to determine which resources are accessible to the device.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Koshal's automatic VPN establishment with split tunnel for remote resources with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because maintaining a list of the resources available for access helps to protect data that should be kept private.

	As per claim 4, Pednekar in combination with Koshal and Barker teaches the method of claim 1, Koshal further teaches in response to determining that access to the computing service or computing resource is allowed from the public cloud via the servicing connection, forwarding the command to the computing service or computing resource in the private cloud to be executed in the private cloud to generate data representing execution results; and transmitting, from the private cloud to the public cloud, the data representing execution results of executing the command in the private cloud, thereby allowing an entity external to the private cloud to perform diagnostics or repair in the private cloud (Koshal, Paragraph 0011 recites “Whenever, the user is outside the network, a virtual private network (VPN) connection is established that allows a user to access the corporate resources. In one embodiment, the user may be allowed access to only limited resources within the corporate network. In order to allow a user access to only allowed resources a configuration that includes the list of accessible domains is provided to the device. The device creates a VPN adapter based on the received configuration that provides the device access to the accessible resources within the corporate network. A domain is a distinct subset of the internet with addresses sharing a common suffix or under the control of a particular organization or individual. For example, .edu is a domain name of resources related to education websites. Allowing a user access to the corporate resources based on auto-generation of the VPN connection, solves the various problems related to remote access of corporate resources.” The use of the connection for diagnostic or repair of the private cloud, does not add additional function, as it is being seen as merely intended use of the connection to the private cloud.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Koshal's automatic VPN establishment with split tunnel for remote resources with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because maintaining a list of the resources available for access helps to protect data that should be kept private.

	As per claim 5, Pednekar in combination with Koshal and Barker teaches the method of claim 1, Koshal further teaches in response to determining that access to the computing service or computing resource is allowed from the public cloud via the (Koshal, Paragraph 0011 recites “Whenever, the user is outside the network, a virtual private network (VPN) connection is established that allows a user to access the corporate resources. In one embodiment, the user may be allowed access to only limited resources within the corporate network. In order to allow a user access to only allowed resources a configuration that includes the list of accessible domains is provided to the device. The device creates a VPN adapter based on the received configuration that provides the device access to the accessible resources within the corporate network. A domain is a distinct subset of the internet with addresses sharing a common suffix or under the control of a particular organization or individual. For example, .edu is a domain name of resources related to education websites. Allowing a user access to the corporate resources based on auto-generation of the VPN connection, solves the various problems related to remote access of corporate resources.” The use of the connection for diagnostic or repair of the private cloud, does not add additional function, as it is being seen as merely intended use of the connection to the private cloud).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Koshal's automatic VPN establishment with split tunnel for remote resources with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because maintaining a list of the resources available for access helps to protect data that should be kept private.

	Regarding claim 10, claim 10 is directed to a similar device associated with the method of claim 1. Claim 10 is similar in scope to claim 1 and is therefore rejected under similar rationale.

	Regarding claims 12 and 19, claims 12 and 19 are directed to a similar device and method, respectively, associated with the method of claim 4. Claims 12 and 19 are similar in scope to claim 4 and are therefore rejected under similar rationale.


	As per claim 17, Pednekar teaches a method of secure remote troubleshooting of a private cloud from a public cloud via a computer network, the private cloud providing a set of computing services or computing resources to users of the private cloud, wherein the method comprising: upon receiving, at the private cloud, a request for a servicing connection with the public cloud, establishing the requested servicing connection between the private cloud and the public cloud (Pednekar, Paragraph 0064 recites “In Step 520, a second request to establish a VPN between the client, the public cloud server, and the private cloud is sent to the private cloud via an SSL connection. In one or more embodiments of the invention, the SSL connection is a persistent SSL connection that is associated with the client.”),
	but fails to explicitly teach the established servicing connection corresponding to a list of access authorizations indicating a subset of the computing services or computing resources in the private cloud accessible from the public cloud via the servicing connection.
	However, in an analogous art Koshal teaches the established servicing connection corresponding to a list of access authorizations indicating a subset of the computing services or computing resources in the private cloud accessible from the public cloud via the servicing connection (Koshal, Paragraph 0011 recites “Whenever, the user is outside the network, a virtual private network (VPN) connection is established that allows a user to access the corporate resources. In one embodiment, the user may be allowed access to only limited resources within the corporate network. In order to allow a user access to only allowed resources a configuration that includes the list of accessible domains is provided to the device. The device creates a VPN adapter based on the received configuration that provides the device access to the accessible resources within the corporate network. A domain is a distinct subset of the internet with addresses sharing a common suffix or under the control of a particular organization or individual. For example, .edu is a domain name of resources related to education websites. Allowing a user access to the corporate resources based on auto-generation of the VPN connection, solves the various problems related to remote access of corporate resources.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Koshal's automatic VPN establishment with split tunnel for remote resources with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because maintaining a list of the resources available for access helps to protect data that should be kept private.


	And fails to teach subsequently, upon receiving, from the public cloud, data representing a command to be executed by a computing service or to consume a computing resource in the private cloud, identifying that the data representing the command is received via the established servicing connection from the public cloud; determining, based on the list of access authorizations corresponding to the servicing connection, whether access to the computing service or computing resource to which the command is directed is allowed from the public cloud via the servicing connection; and in response to determining that access to the computing service or computing resource is not allowed, preventing the command from being executed in the private cloud, thereby avoiding unauthorized access to the computing service or computing resource in the private cloud.
	However, in an analogous art Barker teaches subsequently, upon receiving, from the public cloud, data representing a command to be executed by a computing service or to consume a computing resource in the private cloud, identifying that the data representing the command is received via the established servicing connection from the public cloud; determining, based on the list of access authorizations corresponding to the servicing connection, whether access to the computing service or computing resource to which the command is directed is allowed from the public cloud via the servicing connection (Barker, Paragraph 0018 recites “ As a method for accessing a protected resource, one embodiment includes at least: receiving a login request from a user for access to an authentication intermediary server; authenticating the user at the authentication server and downloading user profile data to a module, such as a browser Plugin, to enable the Plugin to access one or more protected resources and to do at least one of: supervise, deny and control the use of individual functions on the protected resource and/or in the browser's own functions (generally referred to here as "controlled functions"); subsequently the user's browser page loads, and resource requests are matched to data in the Plugin user profile. When the Plugin detects events triggered by the code in pages loaded to the browser or the browser's own functions that correspond to controlled functions, those functions and optionally (in the case of an event triggered by page code loaded), relative surrounding page code, are suppressed or modified according to the profile settings. 
When the Plugin detects a resource request or a controlled function request in the user's browser for an address at a protected resource or a controlled function of the browser, the Plugin, based on the resource request match against the Plugin user profile, determines whether the response should be to allow, deny, modify or control use of the protected resource and/or controlled function and then, accordingly, allowing, preventing, modifying or controlling operation.”); 
	and in response to determining that access to the computing service or computing resource is not allowed, preventing the command from being executed in the private cloud, thereby avoiding unauthorized access to the computing service or computing resource in the private cloud (Barker, Paragraph 0018 recites “For example, the Plugin will block or modify a response to the resource request and/or controlled function request when the information in the stored user profile for the user indicates that the user is not permitted to perform the particular operation with the protected resource related to the resource request and/or the controlled function.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Barker's secure cloud computing system and method with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because the use of access policies for resources helps ensure that only authorized accesses are allowed.

Claims 2, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Pednekar et al. (US 2020/0067878) in view of Koshal et al. (US 2020/0259795) and Barker et al. (US 2012/0216133), and further in view of Sheu (US 2015/0296377).

	As per claim 2, Pednekar in combination with Koshal and Barker teaches the method of claim 1, but fails to teach in response to determining that access to the computing service or computing resource is not allowed, terminating the servicing connection with the public cloud; and generating and storing, at the private cloud, records indicating the received command and the unauthorized access to the computing service or computing resource in the private cloud.
	However, in an analogous art Sheu teaches in response to determining that access to the computing service or computing resource is not allowed, terminating the servicing connection with the public cloud; and generating and storing, at the private cloud, records indicating the received command and the unauthorized access to the computing service or computing resource in the private cloud (Sheu, Paragraph 0057 recites “In step 330, it has been determined that the user was not successfully authenticated and the request for access to the restricted wireless network 170 is rejected. This may occur where the user is not currently authorized to access the restricted wireless network, the user entered incorrect authenticated information, or the like. Rejection of the access request may include terminating the connection, enforcing various security measures (e.g., identifying the illicit or unauthorized access attempt by date, time, and indicia of the user attempting access), or the like.” It would be obvious to record any unauthorized attempts in a network to ensure security).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Sheu's sharing of security keys with headless devices with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because terminating a connection when an unauthorized attempt is made protects the network in the event that the attempt is a precursor to further malicious activity.

	Regarding claims 11 and 18, claims 11 and 18 are directed to a similar device and method, respectively, associated with the method of claim 2. Claims 11 and 18 are similar in scope to claim 2 and are therefore rejected under similar rationale.

Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Pednekar et al. (US 2020/0067878) in view of Koshal et al. (US 2020/0259795) and Barker et al. (US 2012/0216133), and further in view of Thomas (US 2018/0143961).
	
	As per claim 6, Pednekar in combination with Koshal and Barker teaches the method of claim 1, but fails to teach wherein establishing the requested servicing connection includes transmitting, from the private cloud, an outbound connection 
	However, in an analogous art Thomas teaches wherein establishing the requested servicing connection includes transmitting, from the private cloud, an outbound connection request to the public cloud for establishing the servicing connection, and wherein the private cloud is configured to reject any inbound connection request (Thomas, Paragraph 0233 recites “In another embodiment (not shown), a firewall is not provided in front of the servers, clients or devices on the network, where the servers/clients/devices are configured to reject inbound connection requests.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Thomas' bidirectional networked real-time data exchange using a spreadsheet application with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because rejecting inbound requests helps to control access to a network.

	Regarding claim 13, claim 13 is directed to a similar device associated with the method of claim 6. Claim 13 is similar in scope to claim 6 and is therefore rejected under similar rationale.
	
Claims 7, 8, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Pednekar et al. (US 2020/0067878) in view of Koshal et al. (US 2020/0259795) and Barker et al. (US 2012/0216133), and further in view of Hsu et al. (US 2008/0082658).

	As per claim 7, Pednekar in combination with Koshal and Barker teaches the method of claim 1, but fails to teach wherein identifying that the data representing the 
	However, in an analogous art Hsu teaches wherein identifying that the data representing the command is received from the public cloud via the established servicing connection includes inspecting a header of the received data for a header value indicating an identifier of the servicing connection (Hsu, Paragraph 0024 recites “The spam control module 216 may obtain the IP address using DNS query mechanisms, and/or inspecting a TCP header of a connection request or email message. As explained below, the data repository 220 comprises a data structure referred to herein as a blacklist 222 that lists IP addresses corresponding to one or more spammers. Such a list may be manually populated (e.g., by a network administrator), or populated through the use of various filtering mechanisms implemented by the spam control module 216, among other mechanisms. A connection request from the client server 108 that includes an IP address listed on the blacklist 222 is reset, or in some embodiments, the connection request is granted and the email message blocked. In some embodiments, denial (e.g., reset or blocked) of the connection request may be made based on the presence of the IP address of the connection request on a blacklist or other spam control list of another server device (e.g., which is communicated to the spam control module 216).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Hsu's spam control systems and methods with Pednekar's system and method of obtaining data from a private cloud behind an enterprise firewall, because checking a header controls access in the event that the header is blacklisted from connecting to the network.
	
As per claim 8, Pednekar in combination with Koshal and Barker teaches the method of claim 1, Koshal further teaches retrieving, from a network storage in the private network, the list of access authorizations corresponding to the servicing connection according to the identifier of the servicing connection; and wherein determining whether access to the computing service or computing resource to which the command is directed is allowed includes determining whether access to the computing service or computing resource is indicated as being allowable in the retrieved list of access authorizations (Koshal, Paragraph 0011 recites “Whenever, the user is outside the network, a virtual private network (VPN) connection is established that allows a user to access the corporate resources. In one embodiment, the user may be allowed access to only limited resources within the corporate network. In order to allow a user access to only allowed resources a configuration that includes the list of accessible domains is provided to the device. The device creates a VPN adapter based on the received configuration that provides the device access to the accessible resources within the corporate network. A domain is a distinct subset of the internet with addresses sharing a common suffix or under the control of a particular organization or individual. For example, .edu is a domain name of resources related to education websites. Allowing a user access to the corporate resources based on auto-generation of the VPN connection, solves the various problems related to remote access of corporate resources.” It is interpreted that the VPN adapter is a part of the private network, and will be used to determine which resources are accessible to the device.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Koshal's automatic VPN establishment with split tunnel for 
	But fails to teach wherein: identifying that the data representing the command is received from the public cloud via the established servicing connection includes inspecting a header of the received data for a header value indicating an identifier of the servicing connection. 
	However, in an analogous art Hsu teaches wherein: identifying that the data representing the command is received from the public cloud via the established servicing connection includes inspecting a header of the received data for a header value indicating an identifier of the servicing connection (Hsu, Paragraph 0024 recites “The spam control module 216 may obtain the IP address using DNS query mechanisms, and/or inspecting a TCP header of a connection request or email message. As explained below, the data repository 220 comprises a data structure referred to herein as a blacklist 222 that lists IP addresses corresponding to one or more spammers. Such a list may be manually populated (e.g., by a network administrator), or populated through the use of various filtering mechanisms implemented by the spam control module 216, among other mechanisms. A connection request from the client server 108 that includes an IP address listed on the blacklist 222 is reset, or in some embodiments, the connection request is granted and the email message blocked. In some embodiments, denial (e.g., reset or blocked) of the connection request may be made based on the presence of the IP address of the connection request on a blacklist or other spam control list of another server device (e.g., which is communicated to the spam control module 216).”).
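A worked illustration of the allow-list check as the claims describe it (connection identified from a header value, authorization list retrieved by that identifier, unauthorized commands blocked, recorded and the connection terminated), added here as an example and not taken from the application or any cited reference. The header name, record format, service handlers and sample commands are constructed assumptions.

```python
"""Policy gateway modelled on the claimed servicing-connection mechanism.

Constructed illustration: the header name, audit-record format, service
handlers and sample commands are assumptions, not the application's or the
cited references' own code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed header carrying the servicing-connection identifier (claims 7 and 8).
CONNECTION_HEADER = "x-servicing-connection-id"


@dataclass
class Command:
    headers: Dict[str, str]
    service: str  # computing service or resource the command is directed to
    action: str


@dataclass
class AuditRecord:
    connection_id: Optional[str]
    service: str
    action: str
    outcome: str


@dataclass
class PrivateCloudGateway:
    # connection_id -> services the operator authorized for that connection (claim 1)
    authorizations: Dict[str, List[str]] = field(default_factory=dict)
    # services that can execute commands inside the private cloud
    services: Dict[str, Callable[[str], str]] = field(default_factory=dict)
    audit_log: List[AuditRecord] = field(default_factory=list)

    def establish_connection(self, connection_id: str, operator_allow_list: List[str]) -> bool:
        """Establish the servicing connection only once the operator has supplied
        the access-authorization list; an empty list or a reused id is refused."""
        if not operator_allow_list or connection_id in self.authorizations:
            return False
        self.authorizations[connection_id] = list(operator_allow_list)
        return True

    def handle(self, cmd: Command) -> str:
        """Decide whether a command arriving from the public cloud may execute."""
        # Claim 7: identify the servicing connection from the header value.
        conn_id = {k.lower(): v for k, v in cmd.headers.items()}.get(CONNECTION_HEADER)
        # Claim 8: retrieve the authorization list by the connection identifier.
        allowed = self.authorizations.get(conn_id) if conn_id else None
        if allowed is None:
            self._record(conn_id, cmd, "rejected: no established servicing connection")
            return "rejected"
        if cmd.service not in allowed:
            # Claim 2: record the attempt and terminate the servicing connection.
            self._record(conn_id, cmd, "denied: service not in access authorizations")
            del self.authorizations[conn_id]
            return "denied"
        handler = self.services.get(cmd.service)
        if handler is None:
            self._record(conn_id, cmd, "error: authorized service unavailable")
            return "error"
        # Claim 4: execute in the private cloud and return results to the public cloud.
        result = handler(cmd.action)
        self._record(conn_id, cmd, "executed")
        return result

    def _record(self, conn_id: Optional[str], cmd: Command, outcome: str) -> None:
        self.audit_log.append(AuditRecord(conn_id, cmd.service, cmd.action, outcome))


def demo() -> Dict[str, object]:
    """Constructed scenario: the operator allows diagnostics on 'logs' only."""
    gw = PrivateCloudGateway(services={
        "logs": lambda action: f"logs:{action}:ok",
        "db": lambda action: f"db:{action}:ok",
    })
    gw.establish_connection("conn-42", ["logs"])
    hdr = {"X-Servicing-Connection-Id": "conn-42"}
    r1 = gw.handle(Command(hdr, "logs", "tail"))   # authorized: executed
    r2 = gw.handle(Command({}, "logs", "tail"))    # no header: not via the servicing connection
    r3 = gw.handle(Command(hdr, "db", "dump"))     # not authorized: denied, connection terminated
    r4 = gw.handle(Command(hdr, "logs", "tail"))   # connection no longer exists
    return {
        "allowed": r1, "no_header": r2, "denied": r3, "after_termination": r4,
        "audit": [a.outcome for a in gw.audit_log],
        "open_connections": list(gw.authorizations),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```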


	Regarding claim 14, claim 14 is directed to a similar device associated with the method of claim 7. Claim 14 is similar in scope to claim 7 and is therefore rejected under similar rationale.
	
	Regarding claim 15, claim 15 is directed to a similar device associated with the method of claim 8. Claim 15 is similar in scope to claim 8 and is therefore rejected under similar rationale.
	
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached on Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439