DETAILED ACTION
This Office Action is in response to the communication filed on 02/28/2022. 
Claims 1-20 are pending. 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's Remarks filed on 02/28/2022 have been fully considered.
The objections to claims 7 and 17-19 presented in the previous Office action have been withdrawn in view of Applicant's amendments to the claims. However, the issue in claim 20 remains, and thus the objection to claim 20 has been maintained. See also claim objections presented below.
In response to Applicant's arguments on pages 7-9 of Remarks that the cited references (specifically Hughes) do not teach receiving a digital certificate through a secure connection from a network access server, the secure connection passes through a network address translation device as recited in claim 1, Examiner respectfully disagrees. To further clarify, Hughes fig. 2 teaches the secure connection between the network access server (e.g. a VPN server or a network firewall device) and the authentication server via the authentication broker, and Hughes also teaches the network access server providing the authentication credentials which include a certificate to the authentication server for validation via the authentication broker, the certificate being communicated based on a specified authentication protocol (see e.g. fig. 2, [0001], [0010], [0012]-[0014], [0019]). Thus, Hughes in fact teaches receiving a digital certificate through a secure connection from the NAS, where the secure connection passes through the authentication broker. In addition, Examiner would like to point out that because of the current broad language of the claim, a second interpretation of the teachings of Hughes is also applicable to the claim. It should be noted that the claim only recites "a network access server" and "a network address translation device" without providing any special definitions for the terms. The claim also does not further clarify the structure of the claimed network access server and network address translation device, and the structural relationship between the network access server and the network address translation device. Thus, using the broadest reasonable interpretation, the network address translation device can also be interpreted as describing what the network access server is or comprises. 
In this case, Hughes teaches a Network Access Server (NAS), Hughes also teaches the NAS being, for example, a network firewall device, and the certificate is received through the secure connection from the NAS, where the secure connection passes through a network firewall device (see e.g. fig. 2, [0001], [0010], [0012]-[0014], [0019]). For at least the above reasons, Hughes teaches receiving a digital certificate through a secure connection from a network access server, the secure connection passing through a network address translation device as recited in claim 1. See also rejections presented below. 
Furthermore, in response to Applicant's arguments on pages 10-11 of Remarks that the cited references (specifically Hughes) do not disclose establishing a secure tunnel between the network access server and the policy management system as recited in claim 1, Examiner respectfully disagrees. Note that the claim only recites "a policy management system" without providing any specifics for the term (for example, its structure or its structural relationship with the network access server and the network address translation device). Hughes teaches a secure connection being established between the NAS and an authentication server based on a determined authentication protocol, where the authentication server is specifically associated with the determined authentication protocol (e.g. fig. 2, [0010], [0012], [0022]). Also, in response to Applicant's argument regarding the claimed "digital certificate," Examiner notes that the claim only recites the term "digital certificate" and does not further recite the specifics of the term. Thus, using the broadest reasonable interpretation, a digital certificate has been interpreted as an electronic credential that identifies, confirms the identity, or proves the authenticity of a device, server, or user. In other words, the PKI certificate taught by Hughes can be interpreted as the claimed digital certificate. In addition, Sakura teaches establishing a secure tunnel responsive to validation of a digital certificate (e.g. [0086]-[0088], [0090]). In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Therefore, the combination of Hughes and Sakura teaches establishing a secure tunnel between the network access server and the policy management system responsive to validation of the digital certificate as recited in claim 1. Moreover, in response to Applicant's argument that the remaining dependent claims are patentable because they depend from allowable independent claims, Examiner respectfully disagrees since the base claims from which they depend are not in condition for allowance. See also rejections presented below.
Examiner also would like to point out that the features indicated in Remarks by Applicant have not been fully captured by the claims; further clarification is needed to better capture the invention features.
Claim Objections
Claim 20 is objected to because of the following informalities: 
There is insufficient antecedent basis for the limitations "the instructions to the network access server with the network access server internet protocol address by the computer system" (and "the computer system") as recited in claim 20. 
Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hughes et al. (US 2009/0158392) in view of Sakura et al. (US 2014/0068707).
Claim 1, Hughes teaches: 
A method for client validation, the method comprising:
receiving a digital certificate through a secure connection from a network access server, the secure connection passing through a network address translation device; (e.g. fig. 2, [0001], "The NAS may be in selective communication with an authentication server…an authentication server is a device that receives an authentication request from a NAS and returns a response" [0010], "NAS 110 is generally in selective communication with a dynamic authentication broker 115. NAS 110 is configured to…selectively provide an authentication request to authentication broker 115. Authentication credentials may include, for instance, a user name and an associated network password, hardware token identifier, PKI certificate, etc. The authentication request, which may be transmitted as a single transmission or a series of transmissions, includes at least the authentication credentials and a NAS identifier, such as the IP address of the NAS 110" [0013], "Authentication broker 115 may also be in communication with at least one authentication mechanism, such as authentication server 135" [0014], "the authentication server 135 may validate the supplied credentials against an internal component such as a text file, database, other internal data structure, or may validate the credentials against an external component such as an external database server, a PKI server, a token server, etc. Authentication server 135 may validate the credentials received…and may provide a response to the requesting service on authentication broker 115, indicating whether the credentials have been successfully authenticated" [0019], "NAS 110b is a network firewall device configured to communicate authentication requests to authentication broker 115…NAS 110c is an IP router configured to communicate authentication requests to authentication broker 115")
validating the digital certificate with a policy management system; (e.g. fig. 2, [0022], "Authentication broker 115 may further be in selective communication with a plurality of authentication servers 135…Once the service has determined the appropriate authentication protocol, the service may transmit the authentication request to an authentication server 135 associated with that authentication protocol. The authentication server 135 may then process the authentication request…Authentication server 135 may validate the credentials received…and may provide a response to the requesting service on authentication broker 115, indicating whether the credentials have been successfully authenticated")
establishing a secure tunnel between the network access server and the policy management system; (e.g. fig. 2, [0010], "NAS 110 will generally be configured to communicate the authentication request to authentication broker 115 using a specific authentication protocol. For example, a first NAS 110 may communicate an authentication request to authentication broker 115 using the RADIUS protocol. Another NAS 110 may communicate an authentication request to authentication broker 115 using the LDAP protocol. Still another NAS 110 may communicate an authentication request to authentication broker 115 using another authentication protocol, such as the Kerberos protocol, etc." [0012], "authentication broker 115 may include a first service which may be configured to receive incoming authentication requests in the RADIUS protocol directed to port 1812, a second service which may be configured to receive incoming authentication requests in the Kerberos format directed to port 88, and a third service which may be configured to receive incoming authentication requests in the LDAP protocol directed to port 389" [0022], "Authentication broker 115 may further be in selective communication with a plurality of authentication servers 135…Once the service has determined the appropriate authentication protocol, the service may transmit the authentication request to an authentication server 135 associated with that authentication protocol. The authentication server 135 may then process the authentication request…Authentication server 135 may validate the credentials received…and may provide a response to the requesting service on authentication broker 115, indicating whether the credentials have been successfully authenticated")
receiving, through the secure tunnel and from the network access server, a remote authentication dial-in user service access request having a network access server internet protocol address; (e.g. fig. 2, [0010], "NAS 110 will generally be configured to communicate the authentication request to authentication broker 115 using a specific authentication protocol. For example, a first NAS 110 may communicate an authentication request to authentication broker 115 using the RADIUS protocol" [0012], "authentication broker 115 may include a first service which may be configured to receive incoming authentication requests in the RADIUS protocol directed to port 1812…Upon receipt of an authentication request, the service may determine at least a NAS identifier and a user identifier from the authentication request…the service may attempt to validate the identity of the requesting NAS 110. That is, the service may identify the specific NAS 110 transmitting the authentication request, and determine whether the NAS 110 is a trusted device. To determine the validity of a NAS 110 the service may compare the received NAS identifier to a list including identifiers associated with known trusted NAS devices 110")
validating the network access server with the network access server internet protocol address by the policy management system; and (e.g. fig. 2, [0012], "the service may attempt to validate the identity of the requesting NAS 110. That is, the service may identify the specific NAS 110 transmitting the authentication request, and determine whether the NAS 110 is a trusted device. To determine the validity of a NAS 110 the service may compare the received NAS identifier to a list including identifiers associated with known trusted NAS devices 110. For instance, the service may receive an IP address from a NAS 110, and may compare the IP address to a list of trusted IP addresses. A list of identifiers associated with trusted NAS devices 110 may be stored, for example, on a database selectively accessible by authentication broker 115, such as NAS database 125")
allowing a remote authentication dial-in user service traffic responsive to the internet protocol address of the network access server being validated and closing the secure tunnel responsive to validation of the network access server failing. (e.g. [0021], "Upon receiving an authentication request from a NAS 110, the service bound to the port over which the request was received may analyze the communication to determine relevant data…a service which receives an authentication request in the RADIUS format, such as from network firewall 110b, may first determine the identity of the NAS 110 and compare and validate the identity against a list of trusted identities, such as by accessing a NAS database 125, to ensure the request originated from an approved NAS 110" [0030], "the service determines the identity of the NAS 110 from which the authentication request was received, such as through the received NAS identifier, such as the IP address of the NAS 110, which may be included in the authentication request" [0031], "the service may then attempt to authenticate the NAS 110. The service may authenticate the NAS 110 by, for example, comparing the received identifier, such as the IP address, of the NAS 110 to a list of identifiers associated with NAS devices 110 approved to authenticate user devices 105 over authentication broker 115" [0032], "if the NAS 110 is not successfully validated by the authentication broker 115 the service may end the authentication attempt. If the NAS 110 is validated, the authentication request is allowed to continue")
Hughes teaches establishing a secure tunnel between the network access server and the policy management system, and validation of the digital certificate (see above) and does not appear to explicitly teach but Sakura teaches:
establishing responsive to validation of a digital certificate. (e.g. [0086], "the internetwork authentication proxy can verify the identity of the network device trying to establish a connection" [0087], "transport layer security (TLS) is enforced. TLS is a natural choice for establishing a secure connection between a network device and internetwork authentication proxy. A network device that has the ability to obtain a TLS client certificate identifying its owner can use the certificate to establish a mutually authenticated TLS session with an internetwork authentication proxy that has the capability" [0088], "When establishing the TLS session, each end must authenticate the other…The internetwork authentication proxy, as the TLS server, can perform client verification to obtain the network device's certificate. By verifying the certificate the internetwork authentication proxy can associate the proper customer account with the session being established" [0090], "once the TLS session is established, the network device and the internetwork authentication proxy agree on a purpose for the session")
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Sakura into the invention of Hughes, and the motivation for such an implementation would be for the purpose of establishing a persistent connection securely that avoids problems with other peripheral security equipment and prevents the other peripheral security equipment from interfering with the authorization service (Sakura [0037], [0089]).
Claim 2, Hughes-Sakura combination teaches: 
caching an attribute from the digital certificate in the policy management system. (e.g. Hughes [0016], [0033]-[0035]; Sakura [0104])
Claim 3, Hughes-Sakura combination teaches: 
further comprising a plurality of secure tunnels, wherein each of the plurality of secure tunnels is for a different network access server. (e.g. Hughes [0010], [0019]-[0020])
Claim 4, Hughes-Sakura combination teaches: 
wherein the method occurs for a first remote authentication dial-in user service traffic request for the secure tunnel between the network access server and the policy management system. (e.g. Hughes [0010], [0012], [0019]-[0020])
Claim 5, Hughes-Sakura combination teaches: 
wherein the validating the network access server with the network access server internet protocol address by the policy management system comprises reading a validation level from a configuration database. (e.g. Hughes [0015]-[0016], [0030]-[0032])
Claim 6, Hughes-Sakura combination teaches: 
wherein the secure tunnel is a transport layer security tunnel. (e.g. Sakura [0087]-[0088], [0090]) 
Claim 7, Hughes-Sakura combination teaches: 
wherein the validating the network access server comprises comparing the network access server internet protocol address to a validation configuration of the policy management system. (e.g. Hughes [0012], [0030]-[0032])
Claim 8, Hughes-Sakura combination teaches: 
wherein the validating the network access server with the network access server internet protocol address by the policy management system comprises looking up a device configuration based on the network access server internet protocol address and comparing an attribute of the network access server to the device configuration. (e.g. Hughes [0012], [0030]-[0032])
Claim 9, Hughes-Sakura combination teaches: 
wherein the validating the network access server with the network access server internet protocol address by the policy management system comprises performing a common name or subject alternative name check. (e.g. Hughes [0010], [0012])
Claim 10, Hughes-Sakura combination teaches: 
wherein the secure connection comprises a transport layer security connection. (e.g. Hughes [0019]-[0020]; Sakura [0087]-[0088], [0090]) 
Claim 11, Hughes-Sakura combination teaches: 
wherein the digital certificate comprises at least one of a network access server serial number, an issuer, a common name, and a subject alternative name. (e.g. Hughes [0010]; Sakura [0087]-[0088], [0114])
Claim 12, Hughes-Sakura combination teaches: 
wherein a network address translation device internet protocol address is passed through the secure connection to the policy management system with the digital certificate. (Hughes [0010], [0012], [0019]-[0020])
Claim 13, Hughes-Sakura combination teaches: 
further comprising rejecting the network access server when the validating the digital certificate fails. (e.g. Hughes [0036]-[0037]; Sakura [0087]-[0088])
Claim 14, Hughes-Sakura combination teaches: 
wherein the network address translation device is at least one of a firewall and a load balancer. (e.g. Hughes [0019]-[0020])
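The sequence recited in claim 1 and refined in claims 5-9 and 13 (validate the NAS certificate, open a tunnel only on success, then validate the NAS-IP-Address carried in the RADIUS Access-Request against a device configuration, allowing traffic or closing the tunnel) can be illustrated in code. The following is an added, constructed example for explanation only; it is not code from the application, from Hughes, or from Sakura, and every name in it (CertInfo, NasConfig, CONFIG_DB, TRUSTED_ISSUERS, the certificate values, IP addresses and validation levels) is a made-up assumption. It models the policy-management side as a pure function over already-parsed certificate fields rather than a real TLS or RADIUS stack. The point it shows is the NAT caveat: the tunnel's TCP peer address may be the NAT device, so the NAS is identified from the certificate names and the NAS-IP-Address attribute, never from the socket address alone.

```python
"""Constructed model of a policy management system validating a NAS that
connects over a TLS tunnel and sends RADIUS Access-Requests.  All names,
addresses and configuration entries below are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class CertInfo:
    """Fields extracted from the NAS client certificate (assumed already parsed)."""
    issuer: str
    common_name: str
    subject_alt_names: tuple  # DNS or IP SAN strings
    serial: str


@dataclass
class NasConfig:
    """One device-configuration entry, keyed by NAS IP address."""
    nas_ip: str
    expected_issuer: str
    expected_names: frozenset  # accepted CN / SAN values for this NAS
    validation_level: str      # "cert_only" or "cert_and_ip" (hypothetical levels)


@dataclass
class Tunnel:
    peer_ip: str          # TCP peer seen by the server: may be the NAT device, not the NAS
    cert: CertInfo
    open: bool = True
    log: list = field(default_factory=list)


# Hypothetical trust anchors and configuration database.
TRUSTED_ISSUERS = {"Example Corp Device CA"}
CONFIG_DB = {
    "10.0.0.5": NasConfig("10.0.0.5", "Example Corp Device CA",
                          frozenset({"nas1.example.net"}), "cert_and_ip"),
    "10.0.0.9": NasConfig("10.0.0.9", "Example Corp Device CA",
                          frozenset({"nas2.example.net"}), "cert_only"),
}


def cert_names(cert: CertInfo) -> set:
    return {cert.common_name, *cert.subject_alt_names}


def validate_certificate(cert: CertInfo) -> bool:
    """Certificate check: trusted issuer, and CN or a SAN matches some configured NAS."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return False
    return any(cert_names(cert) & cfg.expected_names for cfg in CONFIG_DB.values())


def establish_tunnel(peer_ip: str, cert: CertInfo) -> Optional[Tunnel]:
    """Open the secure tunnel only in response to successful certificate validation;
    a failed certificate means the NAS is rejected and no tunnel exists."""
    if not validate_certificate(cert):
        return None
    return Tunnel(peer_ip=peer_ip, cert=cert)


def validate_nas(tunnel: Tunnel, nas_ip: str) -> bool:
    """Look up the device configuration by the NAS-IP-Address from the Access-Request
    and compare certificate attributes to it; the validation level comes from config."""
    cfg = CONFIG_DB.get(nas_ip)
    if cfg is None:
        return False
    if cfg.expected_issuer != tunnel.cert.issuer:
        return False
    if cfg.validation_level == "cert_only":
        return True
    # "cert_and_ip": the certificate's CN/SAN must name this specific NAS entry.
    return bool(cert_names(tunnel.cert) & cfg.expected_names)


def handle_access_request(tunnel: Tunnel, access_request: dict) -> str:
    """Allow RADIUS traffic when the NAS validates; otherwise close the tunnel."""
    if not tunnel.open:
        return "rejected: tunnel closed"
    nas_ip = access_request.get("NAS-IP-Address")
    if nas_ip and validate_nas(tunnel, nas_ip):
        tunnel.log.append(f"allow RADIUS from NAS {nas_ip} via peer {tunnel.peer_ip}")
        return "allowed"
    tunnel.open = False
    tunnel.log.append(f"close tunnel: NAS {nas_ip!r} failed validation")
    return "closed"


if __name__ == "__main__":
    nas_cert = CertInfo("Example Corp Device CA", "nas1.example.net",
                        ("nas1.example.net",), "0A1B")
    # 203.0.113.7 stands in for the NAT device's public address.
    t = establish_tunnel("203.0.113.7", nas_cert)
    print(handle_access_request(t, {"NAS-IP-Address": "10.0.0.5"}))
    print(handle_access_request(t, {"NAS-IP-Address": "192.0.2.1"}))
    print(t.log)
```

Run as a script, the first request is allowed because the NAS-IP-Address matches an entry whose expected names agree with the certificate, and the second closes the tunnel because 192.0.2.1 has no configuration. The "cert_only" level is deliberately weaker: it accepts any certificate from the configured issuer for that NAS IP, which is the kind of trade-off a validation level read from a configuration database would encode.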
Claim 15, this claim is directed to a system containing similar limitations as recited in claim 1 and is rejected using the same rationale to combine the references.
Claim 16, this claim is directed to a system containing similar limitations as recited in claim 14 and is rejected using the same rationale to combine the references.
Claim 17, this claim is directed to a system containing similar limitations as recited in claim 7 and is rejected using the same rationale to combine the references.
Claim 18, this claim is directed to a medium containing similar limitations as recited in claim 1 and is rejected using the same rationale to combine the references.
Claim 19, this claim is directed to a medium containing similar limitations as recited in claim 2 and is rejected using the same rationale to combine the references.
Claim 20, this claim is directed to a medium containing similar limitations as recited in claim 7 and is rejected using the same rationale to combine the references.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIE C LIN whose telephone number is (571)272-7752. The examiner can normally be reached M-F 9:00AM -5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AMIE C. LIN/Primary Examiner, Art Unit 2436