Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/12/2022 has been entered.
Claims 1-30 are pending.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 23-26 are rejected under 35 USC 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claims are directed to a gateway device including a processor adapted to perform functionalities. The broadest reasonable interpretation for “processor” is software. Therefore, the claims are not statutory. The examiner recommends to amend the claims to have them recite a piece of hardware such as memory, hardware processor ...

Invitation to Participate in DSMER Pilot Program
The present application satisfies the criteria for participation set forth in the Federal Register Notice entitled “Deferred Subject Matter Eligibility Response (DSMER) Pilot Program.” Therefore, the examiner invites applicant to participate in the DSMER pilot program. 

An applicant who accepts the invitation to participate in this pilot program must still file a reply to every Office action mailed in this application, but may defer presenting arguments or amendments in response to subject matter eligibility (SME) rejection(s) until the earlier of final disposition of the application, or the withdrawal or obviation of all other outstanding non-SME rejections. A final disposition for purposes of this pilot program occurs upon the earliest of: mailing of a notice of allowance; mailing of a final Office action; filing of a notice of appeal; filing of a request for continued examination; or abandonment of the application. Other than applicant’s ability to defer responding to SME rejections, participation in the DSMER pilot program does not alter the normal examination process (e.g., as outlined in MPEP 700), and applicant must still respond to all non-SME rejections when replying to Office actions. 

Further information about the pilot program, including an explanation of the criteria for receiving an invitation, and the conditions of participation, is provided in the Federal Register Notice announcing the program, which is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response.

Applicant has two choices with respect to this invitation:
(1) Applicant may elect to participate in the DSMER pilot program. To effect this choice, applicant MUST accept this invitation by filing a completed request form PTO/SB/456 with a timely response to this Office action. The DSMER Pilot request form must be signed in accordance with 37 CFR § 1.33(b) by a person having authority to prosecute the application, and must be submitted via the USPTO’s patent electronic filing systems (EFS-Web or Patent Center). The form is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response. If the form is properly completed and timely received, the application will be entered into the pilot program.

(2) Applicant may decline to participate in the pilot program. No action is required from applicant to effect this choice, because if applicant does not timely file a properly completed form PTO/SB/456, the application will not be entered into the pilot program.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-6, 8-29 are rejected under 35 U.S.C. 103 as being unpatentable over US 9148408 to Glazemakers et al., hereinafter Glazemakers in view of US 20190036934 to Ptichaimani et al., hereinafter Pitchaimani.
Regarding claim 1, Glazemakers discloses
A method of controlling application-specific access to a secure network arranged within a communication environment, the method comprising: providing access control data that identifies an authorized client application being authorized to access at least one service provided by the secure network and further identifies at least one service provided by the secure network to which service the authorized client application is authorized to access (Fig. 1, col. 5, lines 50-67, col. 6, lines 1-6: firewall included in gateway 100 uses firewall rules that define application servers in private network a given client can access), receiving a first request at a secure gateway device from a requesting client application external to the secure network, the first request being an access request to access to the secure network (Fig. 1, col. 6, lines 21-27: client 121-122 external to private network 140 request access to application server 141-143 in the private network), receiving, at the secure gateway device, the access control data including data related to the requesting client application (col. 5, lines 50-60: firewall rules are provided by configuration module or by another source), in response to at least one of a request from the secure gateway device, reception of the first request, transmission of the first request (col. 10, lines 15-38, Fig. 4, 406: receive client access first in response to client ‘s request (step 401) and activate firewall rules), 
checking, by the secure gateway device, whether the first request includes information trustworthily identifying the requesting client application, wherein when the checking indicates that the first request includes information trustworthily identifying the requesting client application, verifying, by the secure gateway device, on a basis of the access control data and the information trustworthily, whether the requesting client application is the authorized client application being authorized to access the at least one service provided by the secure network; granting, by the secure gateway device, access to the secure network in response to verifying that the requesting client application is the authorized client application (col. 11, lines 4-30: client request to setup network tunnel, client authentication is verified by gateway, obtain from the client access list rules allowing to access services or application servers); receiving, at the secure gateway device, a second request from the requesting client application to access a requested service provided by the secure network; verifying, by the secure gateway device, based on the access control data, whether the requesting client application is the client application authorized to access the requested service; and granting, by the secure gateway device, access to the requested service in response to verifying that the requesting client application is the client application authorized to access the requested service; and denying, by the secure gateway device, access to the requested service, in the case the verifying whether the requesting client application is the client application authorized to access the requested service indicates that the requesting client application is not the client application authorized to access the requested service (Fig. 5, col. 11, lines 65-67, col. 12, lines 1-42: receive request to access application server from applications running on a client, verify request against access list,  verify client authentication, access granted or denied whether requirements are met; access can be denied for instance because of blacklisted IP address (col. 6, lines 39-67)). 
Glazemakers does not explicitly teach but Pitchaimani receiving, at the secure gateway device, the access control data including data related to the requesting client application  in response to an update process, the update process to include at least one of replacing or amending a portion of present access control data ([0031][0039][0041]: upon receiving a request from a client, a gateway  accesses a lookup table stored in memory or a in a remote server associated for instance with a whitelist of approved applications, the lookup table or whitelist is updated to reflect the list of currently accepted users). It would have been obvious to a skilled artisan before the instant application was effectively filed to have the gateway of Glazemakers receive updated control access data as taught by Pitchaimani because it would allow filtering the traffic accurately in response to change in the compliance status of the requestors, increasing security).

Regarding claim 2, Glazemakers in view of Pitchaimani discloses the method of claim 1, wherein the secure network comprises the secure gateway device providing access to the secure network for client applications external to the secure network (Glazemakers Fig. 1: client 121 in network external to private network 140).

Regarding claim 3, Glazemakers in view of Pitchaimani discloses the method of claim 1, further comprising at least one of the following: denying, by the secure gateway device, access to the secure network, when the checking indicates that the first request does not include information trustworthily identifying the requesting client application; denying, by the secure gateway device, access to the secure network in response to verifying that the requesting client application is not the authorized client application (Glazemakers col. 6, lines 53-67: information identifying the client listed in blacklist).

Regarding claim 4, Glazemakers in view of Pitchaimani discloses the method of claim 1, wherein the communication environment includes an access control server, which maintains the access control data, and wherein the access control data is provided from the access control server to the secure gateway device (Glazemakers col. 10, lines 30-33: retrieve client access list from authentication server which maintains the list, and provide it to the gateway).  

Regarding claim 5, Glazemakers in view of Pitchaimani discloses the method of claim 1, wherein an access control server is either integrated into the secure network or external to the secure network (Glazemakers Fig. 1: authentication server is external to private network 140).

Regarding claim 6, Glazemakers in view of Pitchaimani discloses the method of claim 1, wherein the information trustworthily identifying the application is a Transport Layer Security certificate (Glazemakers col. 5, lines 45-50: TLS used to establish tunnel, upon successful authentication of tunnel authentication information, which is known to a person skilled in the art as a certificate for TLS).

Regarding claim 8, Glazemakers in view of Pitchaimani discloses the method of claim 1, wherein the at least one service provided by the secure network is hosted by at least one node in the secure network (Glazemakers Fig. 1, application server 141-143), and wherein the second request includes an indication of the at least one nodes hosting the requested service (Glazemakers col. 18: lines 22-25: URL of application server , or col. 9, lines 44-54: application server address shown in address bar or web browser).

.  Regarding claim 9, Glazemakers in view of Pitchaimani discloses the method of claim 1, wherein the second request includes an indication identifying a connection to the requested service (Glazemakers col. 9, lines 44-54: application server address shown in address bar or web browser).

Regarding claim 10, Glazemakers in view of Pitchaimani discloses the method of claim 1, wherein verifying that the requesting client application is the client application authorized to access the requested service comprises comparing the information trustworthily identifying the requesting client application with the access control data (Glazemakers col. 8, lines 8-35: access control list or client access list includes authorized domains of the client, or authorized client roles that can only access the application servers).  
Regarding claim 11, Glazemakers in view of Pitchaimani discloses the method of claim 1, further comprising: establishing, prior to receiving the first request, a position of trust between the application installed on the client device and the secure network yielding trustworthy identity information of the application and wherein the access control data is obtained from the trustworthy identity information (Glazemakers col. 7, lines 34-47: the client runnel list defines the position of trust that allow to establish a tunnel, including tunnel authentication information to authenticate the client; the client access list is obtained after establishing the tunnel (see Fig. 4) i.e. access control data is obtained from verifying the information on client tunnel list).  

Regarding claims 12-13, 22-23, 27 the claims recite substantially the same content as claim 1 and are rejected substantially using the rationales for rejecting claim 1. 
Regarding claims 14-21, the claims recite substantially the same content as claims 4-11, respectively, and are rejected substantially using the rationales for rejecting claims 4-11, respectively. 
Regarding claim 25, the claim recites substantially the same content as claim 3 and is rejected using the rationales for rejecting claim 3.

Regarding claim 24, Glazemakers in view of Pitchaimani discloses the secure gateway device of claim 23, wherein the communication environment includes an access control server, which maintains the access control data, the secure gateway device being further adapted to: request the access control data from the access control server prior to the receiving of the first request from the client application information (Glazemakers col. 10, lines 15-38: receive client access first and activate firewall rules, see also Fig. 4, 406 ); 
Glazemakers does not explicitly teach, but Pitchaimani, discloses a gateway configured to request the access control data from the access control server upon the receiving of the first request from the client application ([0032]: gateway obtains lookup files from a server or repository); and request the access control data from the access control server in response to an update process to update the access control data ([0051]: gateway accesses updated lookup table from repository or from a server in response to updated token).  See claim 1 for motivation to combine.

Regarding claim 26, the claim recites substantially the same content as claim 24 and is rejected using the rationales for rejecting claim 24. 

Regarding claim 28, Glazemakers in view of Pitchaimani discloses the method of claim 1, further comprising maintaining a communication connection between the requesting client application and the secure gateway device upon the secure gateway device determining, from the access control data, the requesting client application is not authorized to access the requested service (Glazemakers col. 12, lines 42-67: tunnel established and maintained open between the client and the gateway while keep alive messages are received from the client; col.13, lines 21-31: after the client sends the access list to the gateway for accessing selected application servers; col. 5, lines 20-35; col.5, lines 60 to col.6 line 20, col.8, lines 1-20: firewall rules obtained from the access list are activated to allow traffic to specific servers, provided some conditions are satisfied, meaning access to a server can be denied if server not allowed in the rules or conditions not met, the tunnel between the client and the gateway remaining open as long as keep alive messages are received).

Regarding claim 29, Glazemakers in view of Pitchaimani discloses the method of claim 1, wherein the requested service is a first requested service, further comprising receiving, at the secure gateway device, a third request from the requesting client application to access a second requested service provided by secure network, 10U.S. Serial No. 16/354,990 Response to Final Office Action Dated September 13, 2021 verify, based on the access control data whether the requesting client application is the client application authorized to access the second requested service (Glazemakers col.11:65-67, col.12:1-35 : gateway receives another request from the client, to access a second server, verify if access is authorized for the client using the base access list which states a selection of a second server requires an enhanced authentication requirements from the client).  

Claim 7 is rejected under 35 USC 103 as being unpatentable over Glazemakers and Pitchaimani,  in view of US 20070133763 to D’Angelo et al., hereinafter D’Angelo. 
Regarding claim 7, Glazemakers in view of Pitchaimani discloses the method of claim 1, but does not teach the rest of the limitation.
In an analogous art, D’Angelo discloses an access gateway (Fig. 2) receiving requests from an application, a certificate identifier is extracted from the request and a profiling database searched for a match to the certificate identifier of the application ([0123], Fig. 8). D’Angelo discloses wherein verifying that the requesting client application is the client application authorized to access the requested service comprises analyzing a public key included in the information trustworthily identifying the application (D’Angelo [0057]: extract public key from the certificate for verification in database); and further comprising at least one of: verifying that the requesting client application is the client application authorized to access the requested service comprises comparing information derived from the public key with the access control data; and analyzing the public key comprises hashing the public key and verifying that the requesting client application is the client application authorized to access the requested service is based on the hash value of the public key (D’Angelo [0070]: use verified public key to authenticate the request e.g. by comparing a decrypted messages hash value with a calculated message hash value); it would have been obvious to a skilled artisan before the application was filed to use the public key of the certificate to authenticate the application because it is a well-known technique and would not need any testing).

Claim 30 is rejected under 35 USC 103 as being unpatentable over Glazemakers and Pitchaimani,  in view of US 20180041374 to Hasek, hereinafter Hasek.
Regarding claim 30, Glazemakers in view of Pitchaimani discloses the method of claim 1, but does not teach the rest of the claim.
In an analogous art, Hasek discloses a gateway used to allow or restrict acess to content in the content delivery network using a control access list ([0037]). Hasek discloses updating the access control list ),  wherein the update process is to be initiated in response to at least one of a timed control signal or an event at the secure gateway device or an access control server, the access control server to transmit the access control data to the secure gateway device ([0023][0052] Fig. 1C: the update is initiated by an event at an access control server (the provisioning module 150), the access control server sending the updated list to the gateway)/ It would have been obvious to a skilled artisan before the instant application was filed to initiate the updated access list as taught by Hasek before it would allow to keep an updated and accurate list to filter traffic provided automatically instead of manually , improving security (Hasek [0023]).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Nishizawa et al 20130247142 disclose an ID provider device that judges whether to permit the transmission of the service data in accordance with whether environmental conditions of the user for the execution of a service conform to the read policy information.
Satish et al 8353021 disclose a security system that monitors the trustworthiness and firewall configurations of a set of clients, where a firewall configuration comprises a set of firewall rules that control access by an application to network communication functionalities of a client. 
Chickering et al 8001610 disclose agents or software applications installed on a set of endpoints to gather the health information that represents security states of the endpoint devices. The agents send updated health information to the controller. In response to a login attempt, the controller processes the health indicators and identity information through a set of administrator-defined policies to generate a set of access rights. The controller transfers the set of access rights to the protection devices. The protection devices then control user access to network resources according to the set of access rights. The controller sends updated sets of access rights to the protection devices whenever the access rights change.
Platt et al 20090249440 disclose a system comprising a policy engine configured to retrieve attributes from the user store connector corresponding to a user and use the attributes to evaluate access policies, if any, which are defined for protection of resources, to determine whether or not the user should be granted access to the resources; an admin component that is configured to enable the access policies to be defined relative to attributes and the resources; and a policy store configured to store the access policies.
Jothimani et al 20080301801 disclose techniques for policy based virtual private network (VPN) communications; at the remote processing environment, policies are evaluated and are used for modifying permissible VPN routes that the client uses on behalf of the principal during the VPN session. The modified VPN routes are dynamically pushed to the client at the start of the VPN session and dynamically enforced by the client with communications, which are initiated by the principal during the VPN session.
Freund 20050273850 discloses  receiving at server client’s requests, consulting rules, verifying a client has applicable security policy in force, determining whether the client is in compliance with security policy, approving /denying the request to access application if client is compliant or not.
Keane et al 20030131263  disclose a gateway receiving a request from a client, using a firewall module which allows/disallows packets based on rules.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Catherine Thiaw/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        6/10/2022