DETAILED ACTION
The Amendment filed on April 26th, 2022 has been entered and made of record.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Mr. Wesley W. Whitmyer Jr., on May 09th, 2022. During the telephone conference, Mr. Whitmyer agreed and authorized the Examiner to amend claims 1, 5-7, 9-10 & 12-13 and to cancel claims 4 & 11.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner’s Amendment
An Examiner’s Amendment to the record appears below. Should the changes and/or additions be unacceptable to the Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Claims
Replacing claims 1, 5-7, 9-10 & 12-13 and canceling claims 4 & 11 as follows:
Claim 1: (Currently Amended) A computer-implemented method comprising:
receiving, by a first gateway, a first connection request from a user device, said first connection request including an access token;
validating the access token in an identity and access management (IAM) service;
after successful validation, establishing a first tunnel between the user device and a target device via a chain of trusted certificate-based point-to-point connections through one or more intermediate gateways, wherein the first tunnel is established by using a reverse connection from the first gateway to the target device, said reverse connection being based on a pre-established connection from the target device to the first gateway via an outbound port in the target device and in each of the one or more intermediate gateways in the chain, said target device having no direct internet protocol connectivity to the user device without the first tunnel;
receiving, by the target device, a second connection request from the user device via the first tunnel, said second connection request including the access token;
establishing a second tunnel between the target device and the IAM service via the chain of trusted certificate-based point-to-point connections through the one or more intermediate gateways, wherein the second tunnel is established by using the reverse connection from the first gateway to the target device, said target device having no direct internet protocol connectivity to the IAM service without the second tunnel;
validating the access token in the IAM service via the second tunnel;
verifying, by the target device, that a user is authorized to access a target service, said target service being included in the target device or in another device directly connected to the target device; and
upon successful authorization, granting the user device access to communicate with the target service via the first tunnel.

Claim 4: (Canceled)

Claim 5: (Currently Amended) The computer-implemented method of claim [[4]]1, further comprising:
receiving, by the target service, a third connection request from the user device via the first tunnel, said third connection request including the access token; and
validating the access token in the IAM service via the second tunnel.

Claim 6: (Currently Amended) The computer-implemented method of claim [[4]]1, wherein the authorization of the user is based at least on one or more roles associated with the user.

Claim 7: (Currently Amended) A non-transitory computer readable medium comprising program instructions which, when run on a computing apparatus, causes the computing apparatus to perform at least the following steps:
receiving a first connection request from a user device, said first connection request including an access token;
validating the access token in an identity and access management (IAM) service;
after successful validation, establishing a first tunnel between the user device and a target device via a chain of trusted certificate-based point-to-point connections through one or more intermediate gateways, wherein the first tunnel is established by using a reverse connection from the computing apparatus to the target device, said reverse connection being based on a pre-established connection from the target device to the computing apparatus via an outbound port in the target device and in each of the one or more intermediate gateways in the chain, said target device having no direct internet protocol connectivity to the user device without the first tunnel;
establishing a second tunnel between the target device and the IAM service via the chain of trusted certificate-based point-to-point connections through the one or more intermediate gateways, wherein the second tunnel is established by using the reverse connection from the computing apparatus to the target device, said target device having no direct internet protocol connectivity to the IAM service without the second tunnel;
validating the access token in the IAM service via the second tunnel;
verifying, by the target device, that a user is authorized to access a target service, said target service being included in the target device or in another device directly connected to the target device; and
upon successful authorization, granting the user device access to communicate with the target service via the first tunnel.

Claim 9: (Currently Amended) Equipment comprising at least one processor and at least one memory including computer program code, wherein the at least one memory and the computer program code are configured to, with the at least one processor, perform the following steps:
receiving a first connection request from a user device, said first connection request including an access token;
validating the access token in an identity and access management (IAM) service;
after successful validation, establishing a first tunnel between the user device and a target device via a chain of trusted certificate-based point-to-point connections through one or more intermediate gateways, wherein the first tunnel is established by using a reverse connection from the equipment to the target device, said reverse connection being based on a pre-established connection from the target device to the equipment via an outbound port in the target device and in each of the one or more intermediate gateways in the chain, said target device having no direct internet protocol connectivity to the user device without the first tunnel;
establishing a second tunnel between the target device and the IAM service via the chain of trusted certificate-based point-to-point connections through the one or more intermediate gateways, wherein the second tunnel is established by using the reverse connection from the equipment to the target device, said target device having no direct internet protocol connectivity to the IAM service without the second tunnel;
validating the access token in the IAM service via the second tunnel;
verifying, by the target device, that a user is authorized to access a target service, said target service being included in the target device or in another device directly connected to the target device; and
upon successful authorization, granting the user device access to communicate with the target service via the first tunnel.

Claim 10: (Currently Amended) A system comprising at least 
a user device,
a target device, and
three or more gateways;
wherein one of the three or more gateways is a first gateway configured to receive a first connection request from the user device, said first connection request including an access token;
wherein one of the three or more gateways is a device gateway directly connected to the target device or included in the target device;
wherein at least one of the three or more gateways is an intermediate gateway between the first gateway and the device gateway;
wherein the first gateway is further configured to have trusted bidirectional communication with the target device via a chain of trusted certificate-based point-to-point connections by using a reverse connection from the first gateway to the target device, said reverse connection being based on a pre-established connection from the target device to the first gateway via an outbound port in the target device and in the intermediate gateway;
wherein the first gateway is further configured to send the access token to an identity and access management (IAM) service for validating the access token;
wherein the three or more gateways are configured to establish a first tunnel between the target device and the user device by using the reverse connection from the first gateway to the target device, said target device having no direct internet protocol connectivity to the user device without the first tunnel;
wherein the target device is further configured to receive a second connection request from the user device via the first tunnel, said second connection request including the access token;
wherein the three or more gateways are further configured to establish a second tunnel between the IAM service and the target device via the chain of trusted certificate-based point-to-point connections by using the reverse connection from the first gateway to the target device, said target device having no direct internet protocol connectivity to the IAM service without the second tunnel;
wherein the target device is further configured to send the access token to the IAM service via the second tunnel for validating the access token;
wherein the target device is further configured to verify that a user associated with the access token is authorized to access a target service, and, upon successful authorization, grant the user device access to communicate with the target service via the first tunnel, said target service being included in the target device or in another device directly connected to the target device.

Claim 11: (Canceled)

Claim 12: (Currently Amended) The system of claim 10, wherein the target service is configured to receive a third connection request from the user device via the first tunnel, said third connection request including the access token, and to send the access token to the IAM service via the second tunnel for validating the access token.

Claim 13: (Currently Amended) The system of claim 10, wherein the authorization of the user is based at least on one or more roles associated with the user.
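As an added illustration that is not part of the office action or the applicant's filing, the following Python model walks the steps of claim 1: the first gateway validates the access token with the IAM service, the target device has only an outbound reverse connection (no direct route to the user device or the IAM service), the second request is re-validated over the second tunnel, and access is granted only after a role check. The class names, the role-per-service mapping, and the collapsing of the intermediate gateways into the first gateway hop are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class IAMService:
    tokens: dict  # token -> {"user": name, "roles": [...]} (constructed sample data)

    def validate(self, token):
        return self.tokens.get(token)  # None for an unknown or revoked token

@dataclass
class TargetDevice:
    """Holds no reference to the user device or the IAM service: its only path out is the
    outbound reverse connection it dialled to the first gateway (assumed model)."""
    service_roles: dict  # target service -> role required to use it
    reverse_connection: "Gateway | None" = None

    def dial_out(self, gateway):
        # Outbound-only: the device initiates, so no inbound port is opened on it.
        self.reverse_connection = gateway
        gateway.register_reverse_connection(self)

    def handle_second_request(self, token, service):
        # Second tunnel: the token goes back to the IAM service over the gateway chain.
        identity = self.reverse_connection.tunnel_to_iam(token)
        if identity is None:
            return "token rejected by IAM via second tunnel"
        required = self.service_roles.get(service)
        if required is None or required not in identity["roles"]:
            return "user not authorized for target service"
        return f"access granted to {service} for {identity['user']}"

@dataclass
class Gateway:
    """First gateway; the intermediate gateways of the chain are collapsed into this hop."""
    iam: IAMService
    devices: dict = field(default_factory=dict)

    def register_reverse_connection(self, device):
        self.devices[id(device)] = device

    def tunnel_to_iam(self, token):
        return self.iam.validate(token)

    def handle_first_request(self, token, device, service):
        # Gateway-side validation happens before any tunnel to the device is built;
        # once the first tunnel is up, the second request is carried through it.
        if self.iam.validate(token) is None:
            return "token rejected at first gateway"
        if id(device) not in self.devices:
            return "no reverse connection to target device"
        return device.handle_second_request(token, service)
```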

Examiner’s Statement of Reasons for Allowance
Claims 4, 8 and 11 were canceled. Claims 1-3, 5-7, 9-10 and 12-16 are allowed.
The following is an examiner’s statement of reasons for allowance:
The present invention is directed to a method, a non-transitory computer-readable medium and a system for secure remote connections in the industrial internet of things. The closest prior arts, as previously recited, Mahaffey (U.S. Pub. Number 2015/0188949) and Kailash (U.S. Patent Number 8,656,154), are generally directed to various aspects of cloud-based network security and cloud-based service logout using cryptographic challenge response. However, neither Mahaffey nor Kailash teaches or suggests, alone or in combination, the particular combinations of steps or elements recited in the independent claims 1, 7, 9 and 10. For example, none of the cited prior arts teaches or suggests the elements of “receiving, by a first gateway, a first connection request from a user device, said first connection request including an access token; validating the access token in an identity and access management (IAM) service; after successful validation, establishing a first tunnel between the user device and a target device via a chain of trusted certificate-based point-to-point connections through one or more intermediate gateways, wherein the first tunnel is established by using a reverse connection from the first gateway to the target device, said reverse connection being based on a pre-established connection from the target device to the first gateway via an outbound port in the target device and in each of the one or more intermediate gateways in the chain, said target device having no direct internet protocol connectivity to the user device without the first tunnel; receiving, by the target device, a second connection request from the user device via the first tunnel, said second connection request including the access token; establishing a second tunnel between the target device and the IAM service via the chain of trusted certificate-based point-to-point connections through the one or more intermediate gateways, wherein the second tunnel is established by using the reverse connection from the first gateway to the target device, said target device having no direct internet protocol connectivity to the IAM service without the second tunnel; validating the access token in the IAM service via the second tunnel; verifying, by the target device, that a user is authorized to access a target service, said target service being included in the target device or in another device directly connected to the target device; and upon successful authorization, granting the user device access to communicate with the target service via the first tunnel.” Therefore, the claims are allowable over the cited prior arts.
Claims 2-3, 5-6 and 12-16 are allowed because of their dependence from independent claims 1, 7, 9 & 10.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHOI V LE, whose telephone number is (571)270-5087. The examiner can normally be reached between 9:00 AM and 5:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay, can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KHOI V LE/
Primary Examiner, Art Unit 2436