DETAILED ACTION
Examiner acknowledges receipt of Applicant’s Amendment filed on 01/26/2022. Claim 1 has been canceled and claims 2-22 has been newly added. Claims 2-22 have been examined
Claim Objections
The applicant respectfully cancelled without prejudice. Therefore, the objection to claim 1 has been withdrawn. 
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Langi, 759 F.2d 887, 225N USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937,214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438,164 USPQ 619 (CCPA 1970); and, In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321 (c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application. See 37 CFR 1.130(b).
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 2-22 are provisionally rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims 1-25 of co-pending Application No. 17/135,533. Although the conflicting claims are not identical, they are not patentably distinct from each other because all the limitations, i.e., A computer implemented system for cloaked remote client to server application access, the computer system comprising: a remote client having a client application with client application data, and a client tunnel gateway module; a plurality of servers operating as a server cluster forming an overlay network wherein each server includes one of a plurality of server tunnel gateway modules that each include, one or more UDP communication sockets that mediate connectivity between the client tunnel gateway module and one of the plurality of server tunnel gateway modules, and wherein that server tunnel gateway module forms a list of available tunnels for the client tunnel gateway module; and one or more server applications communicatively coupled with the one of plurality of server tunnel gateway modules wherein responsive to lack of connectivity between the remote client and the one of the plurality of server tunnel gateway modules, the remote client selects a new server reestablishing connectivity to the one or more server applications from the list of available tunnels, are transparently found in application No. 16/903,933 with obvious wording variations as shown in table below. 
This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.
Pending Application No. 17/135,533 of Claim 1.
Instant Application No. 16/903,933 of 
Claim 2.
A computer implemented system for cloaked remote client to server application access, the computer system comprising:
a remote client having a client application with client application data, and a client tunnel gateway module;
a plurality of servers operating as a server cluster forming an overlay network wherein each server includes one of a plurality of server tunnel gateway modules that each include,
one or more UDP communication sockets that mediate connectivity between the client tunnel gateway module and one of the plurality of server tunnel gateway modules, and wherein that server tunnel gateway module forms a list of available tunnels for the client tunnel gateway module; and one or more server applications communicatively coupled with the one of plurality of server tunnel gateway modules wherein responsive to lack of connectivity between the remote client and the one of the plurality of server tunnel gateway modules, the remote client selects a new server reestablishing connectivity to the one or more server applications from the list of available tunnels.

A computer implemented system for TCIP tunneling, the computer system comprising: a remote client having a client application with Ii lien.t application on data, and a client tunnel gateway module; a plurality of servers operating as a server cluster forming an overlay network wherein each server includes one of a plurality of server tunnel gateway modules that each include, one or more UDUP communication sockets wherein each socket mediates connectivity between the client tunnel gateway module and one of th1e plurality of server tunnel gateway modules. and wherein the one of the plurality of server tunnel gateway modules forms a list of available tunnels for the client tunnel gateway module; and one or more server applications communicatively coupled with the one of plurality of server tunnel gateway modules wherein responsive to lack of connectivity between the remote client and the one of the plurality of server tunnel gateway modules, the remote client selects a new server of the plurality of servers reestablishing connectivity to the one or more server applications from the list of available tunnels.



Pending Application No. 17/135,533 of Claim 2.
Instant Application Claim 3
The computer implemented system according to claim 1, wherein the client tunnel gateway module opens one or more TCP ports to connect with one or more of the plurality of servers.
The computer implemented system according to claim 2, wherein the client tunnel gateway module opens one or more TP ports to connect with one or more of the plurality of servers.


Pat No. US10321259B2 Claim 3.
Instant Application Claim 4
The computer implemented system according to claim 1, wherein the client tunnel gateway module includes a client TCP listener open for an application tunnel with the client application.
The computer implemented system according to claim 2, wherein the client tunnel gateway module includes a client TCP listener open for an application tunnel with the client application.


Pat No. US10321259B2 Claim 4.
Instant Application Claim 5
The computer implemented system according to claim 3, wherein the application tunnel is mapped to a client tunnel origin associated with the client tunnel gateway.
The computer implemented system according to claim 4, wherein the application tunnel is mapped to a client tunnel origin associated with the client tunnel gateway.


Pat No. US10321259B2 Claim 5.
Instant Application Claim 6
The computer implemented system according to claim 4, further comprising one or more server pipe listeners wherein one of the one or more server pipe listeners includes an open port to connect the client tunnel gateway with the server tunnel gateway.
The computer implemented system according to claim 5, further comprising one or more server pipe listeners wherein one of the one or more server pipe listeners includes an open port to connect the client tunnel gateway with the server tunnel gateway.


Pat No. US10321259B2 Claim 6.
Instant Application Claim 7
The computer implemented system according to claim 5, further comprising one or more tunnel connections between the client tunnel origin and one or more server tunnel destinations associated with the server tunnel gateway.
The computer implemented system according to claim 6. further comprising one or more tunnel connections between the client tunnel origin and one or more server tunnel destinations associated with the server tunnel gateway.


Pat No. US10321259B2 Claim 7.
Instant Application Claim 8
The computer implemented system according to claim 6, wherein the one or more server tunnel destinations opens a TCP connection with each server application thereby connecting each server application to the client application via one of the one or more tunnel connections
The computer implemented system according to claim 7, wherein the one or more server tunnel destinations opens a TCP connection with each server application thereby connecting each server application to the client application via one of the one or more tunnel connections.


Pat No. US10321259B2 Claim 8.
Instant Application Claim 9
The computer implemented system according to claim 7, wherein the one or more server tunnel destinations may be located on any server within the server cluster or any server communicatively coupled to any other server within the server cluster.
The computer implemented system according to claim 8, wherein the one or more server tunnel destinations may be located on any server within the server cluster or any server communicatively coupled to any other server within the server cluster.


Pat No. US10321259B2 Claim 10.
Instant Application Claim 10
The computer implemented system according to claim 1, wherein each of the one or more server applications includes one or more TCP listening ports to interact with the client application.
The computer implemented system according to claim 2. wherein each of the one or more server applications includes one or more TCP listening ports to interact with the client application.


Pat No. US10321259B2 Claim 11.
Instant Application Claim 11
The computer implemented system according to claim 1, wherein the one or more server applications are each communicatively coupled to the server tunnel gateway module through a direct layer-4 TCP network route.
The computer implemented system according to claim 2, wherein the one or more server applications are each communicatively coupled to the server tunnel gateway module through a direct layer-4 TCP network route.


Pat No. US10321259B2 Claim 12.
Instant Application Claim 12
The computer implemented system according to claim 1, further comprising an intermediary registry communicatively coupled to each of the plurality of servers and the remote client wherein the intermediary registry maintains a list of available servers in the server cluster.
The computer implemented system according to claim 2. further comprising an intermediary registry communicatively coupled to each of the plurality of servers and the remote client wherein the intermediary registry maintains a list of available servers in the server cluster.


Pat No. US10321259B2 Claim 13.
Instant Application Claim 13
The computer implemented system according to claim 1, wherein, responsive to the remote client connecting with the one of the one or more server gateways, the server gateway tunnel module creates a client context for the remote client, the client context including a port remap table having an entry for each available tunnel, forming the list of available tunnels.
The computer implemented system according to claim 2, wherein, responsive to the remote client connecting with the one of the one or more server gateways, the server gateway tunnel module creates a client context for the remote client, the client Context including a port remap table having an entry for each available tunnel, forming the list or available tunnels.


Pat No. US10321259B2 Claim 14.
Instant Application Claim 14
A method for cloaked remote client to server application access, the method comprising:
establishing a control connection between a remote client and one of a plurality of gateway servers using UDP protocols with DTLS secure encapsulation, wherein the plurality of gateway servers form a server cluster;
receiving, by the remote client from the one of the plurality of gateway servers, a list of available tunnels for connectivity to one or more server applications wherein the list includes for each available tunnel, a tunnel name, a tunnel name pipe port, and a default TCP listener address for the tunnel name; and
opening, by the remote client, one or more pipe ports forming one or more UDP channels between the remote client and one or more of the plurality of gateway servers, wherein each pipe port corresponds to one of the available tunnels and wherein responsive to lack of connectivity between the remote client and the one of the plurality of gateway servers, the remote client selects a new server from the server cluster reestablishing connectivity to the one or more server applications from the list of available tunnels

A method for TCP tunneling, the method comprising: establishing a control connection between a remote client and one of a plurality of gateway servers using UDP protocols with DTLS secure encapsulation, wherein the plurality of gateway servers operate as a server cluster forming an overlay network; receiving, by the remote client from the one of the plurality of gateway servers, a list of available tunnels for connectivity to one or more server applications wherein the list includes fur each available tunnel, a tunnel name, a tunnel name pipe port, and a default TCP listener address for the tunnel name; and opening, by the remote client, one or more pipe ports forming one or more UDP channels between the remote client and one or more of the plurality of gateway servers, wherein each pipe port corresponds to one of the available tunnels and wherein responsive to lack of connectivity between the remote client and the one of the plurality of gateway servers, the remote client selects a new server from the server cluster reestablishing connectivity to the one or more server applications from the list of available tunnels.


Pat No. US10321259B2 Claim 15.
Instant Application Claim 15
The method according to claim 14, wherein establishing includes discovering, by the remote client, an undiscovered UDP endpoint for each gateway server.
The method according to claim 14, wherein establishing includes discovering, by the remote client, an undiscovered. UDP endpoint for each gateway server.


Pat No. US10321259B2 Claim 16.
Instant Application Claim 16
The method according to claim 15, further comprising initiating, by the remote client, a DTLS handshake with the discovered endpoint for each gateway server.
The method according to claim 15, further comprising initiating, by the remote client, a. DTLS handshake with the discovered endpoint for each gateway server.


Pat No. US10321259B2 Claim 17 and claim 18.
Instant Application Claim 17
The method according to claim 16, further comprising authenticating, by the remote client, each gateway server based on a public key presented during DTLS handshaking via a datagram message.
The method according to claim 17, responsive to successful authentication of the remote client by each gateway server, further comprising opening, by each gateway server, a pipe port to the remote client.
The method according to claim 16, further comprising authenticating, by the remote client, each gateway server based on a public key presented during DTLS handshake via datagram message and wherein responsive to successful authentication of the remote client by each gateway server, further comprising opening, by each gateway server, a pipe port to the remote client.


Pat No. US10321259B2 Claim 19.
Instant Application Claim 18
The method according to claim 18, further comprising opening, by the remote client, a pipe connection to the pipe port establishing a control connection. Device associated with a second location, second
user information comprising the user preference in 
The method according to claim 17, further comprising opening, by the remote client, a pipe connection to the pipe port establishing the control connection.


Pat No. US10321259B2 Claim 20.
Instant Application Claim 19
The method according to claim 14, wherein ascertaining includes sending, by the remote client through the control connection an authorization request for access to one or more tunnels.
The method according to claim 14, wherein ascertaining includes sending, by the remote client through the control connection an authorization request for access to one or more tunnels.


Pat No. US10321259B2 Claim 21 and claim 22.
Instant Application Claim 20
The method according to claim 20, further comprising confirming tunnel availability by ascertaining current tunnel access session counts by an authenticated user.
The method according to claim 21, responsive to confirming tunnel availability, further comprising mapping each authorized tunnel for the remote client to a unique pipe port.

The method according to claim 19, further comprising confirming tunnel availability by ascertaining current tunnel access session counts by an authenticated user and wherein responsive to confirming tunnel availability. further comprising mapping each authorized tunnel for the remote client to a unique pipe part.



Pat No. US10321259B2 Claim 23.
Instant Application Claim 21
The method according to claim 22, further comprising sending, by the remote client to the gateway server, a tunnel confirmation request through the control connection.
The method according to claim 14, further comprising sending, the remote client to the gateway server, a tunnel confirmation request through the control connection.



Pat No. US10321259B2 Claim 24.
Instant Application Claim 22
The method according to claim 14, wherein, responsive to establishing a control connection the server gateway tunnel module creates a client context for the remote client, the client context including a port remap table having an entry for each available tunnel, forming the list of available tunnels.
The method according to claim 14, wherein. responsive to establishing a control connection the serer gateway tunnel module creates a client context for the remote client, the client context including a port remap table having an entry for each available tunnel, forming the list of available tunnels.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

	Claims 2-3, 10-12, 14, and 20-21 is rejected under 35 U.S.C. 103 as being unpatentable over Glazemakers et al. (US Patent No.: 10412048 B2) in view of Eisenberg et al. (US Pub. No.: 2003/0188001 A1), in further view of Jewell (US Patent No.: 8843639 B2).
Regarding claim 2, Glazemakers teaches a computer implemented system for cloaked remote client to server application access (abstract), the computer system comprising: a remote client having a client application with client application data, and a client tunnel gateway module (column 10, lines 62-67; column 11, lines 1-5; "In step 701 of the process, gateway 600 establishes a first networking tunnel 631 with client device 621 in order to provide the client 621 access to network devices 141-143 in the private network.");
a plurality of servers operating as a server cluster forming an overlay network wherein each server includes one of a plurality of server tunnel gateway modules that each include (column 10, lines 53-61; "Access is controlled by gateways 600, 601 and 602 corresponding to gateway 100 by also implementing tunnel module 101 (not shown), management module 102 (not shown), and one or more tunnel services 150, 151 (not shown) each implementing one or more firewall services. For sake of clarity, only two firewall services 611A and 616A are shown in gateway 600."), one or more UDP communication sockets that mediate connectivity between the client tunnel gateway module and one of the plurality of server tunnel gateway modules (column 9, lines 60-65; "Firewall 420 may be a stateful firewall configured to perform stateful packet inspection, thereby keeping track of the state of networking connections established over the networking tunnel 131 between client 121 and network devices 141-143 in private network 140. Each such connection may relate to TCP or UDP networking connections."), and wherein that server tunnel gateway module forms a list of available tunnels for the client tunnel gateway module (column 9, lines 28-36; "The process starts upon establishment of the second connection in step 305 as set out above with reference to step 205 of FIG. 2. The process then proceeds to step 306 where the tunnel module selects one of the tunnel services 150, 151 to which it will forward the second connection."); and one or more server applications communicatively coupled with the one of plurality of server tunnel gateway modules (column 5, lines 1-6; "In order to control access by the client’s 121-126 to the application servers 141-143, networking tunnels 131-133 are established between the client’s 121-126 and the gateway 100. This way, the private network 140 is extended to the client’s 121-126.") wherein responsive to lack of connectivity between the remote client and the one of the plurality of server tunnel gateway modules (column 11, lines 19-27; "The interruption of the networking tunnel 631 may be caused by several factors such as, for example, by a failure in the networking path between the client 621 and the gateway 600, or by a failure of the gateway 600 itself. When the client detects the failure of the networking tunnel .."), the remote client selects a new server reestablishing connectivity to the one or more server applications from the list of available tunnels (column 11, lines 26-32; "When the client detects the failure of the networking tunnel, it establishes a new networking tunnel 632 with second gateway 601, which also provides access to private network 140. This may, for example, be done by the process as illustrated by FIG. 2 by forwarding the tunnel authentication information 653 and client access list 652 to the second gateway 601."). Glazemakers does not specifically teach specific software architecture such as a client gateway module, server gateway module and tunnel gateway module. However, in the same field of endeavor, Jewell teaches the client gateway module, server gateway module and tunnel gateway module (column 5, lines 4-19; "Client program 122 provides network application 120 an indirect route to communicate to communications network 108. Client program 122 receives messages sent from the network applications 120 and forwards the messages to tunnel server 140 through firewall 110 and communications network 108. Corresponding to the two modules installed on client system 102, target system 104 may also have two software modules installed: target program 132 and target service 130. When messages destined for target service 130 are relayed from tunnel server 140 via communications network 108, they may be received by target program 132 through firewall 110'. Target program 132 then passes the original message sent by network application 120 to target service 130."). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Glazemakers to substitute client gateway, tunnel gateway and server gateway modules from Jewell for the software from Glazemakers to reduce troublesome firewall configuration while maintaining security.
Regarding claim 3, Glazemakers-Jewell teaches the computer implemented system according to claim 2, wherein the client tunnel gateway module opens one or more TCP ports to connect with one or more of the plurality of servers (Glazemakers, column 9, lines 60- 65; " ... the state of networking connections established over the networking tunnel 131 between client 121 and network devices 141-143 in private network 140. Each such connection may relate to TCP or UDP networking connections.").


Regarding dependent claim 10, Glazemakers - Jewell teaches the computer implemented system according to claim 1, wherein each of the one or more server applications includes one or more TCP listening ports to interact with the client application (Jewell, column 8, lines 29-37; "In alternate embodiments, network application 120 may be configured to connect to target services 130 listening on more than one port. In such embodiments, client program 122 may be configured to listen on multiple ports to mimic the listening behavior of the desired target service 130.").
Regarding dependent claim 11, Glazemakers - Jewell teaches the computer implemented system according to claim 1, wherein the one or more server applications are each communicatively coupled to the server tunnel gateway module through a direct layer-4 TCP network route (Glazemakers, column 9, lines 1-16; Through interprocessor communication (IPC) the firewall services and tunnel services are able to communicate. "The gateway 100 then includes a separate tunnel service running on each processor core. This is illustrated by the exemplary embodiment of FIG. 1 where tunnel service 150 and firewall services 111, 112 and 113 are implemented on the first processor core 160 and tunnel service 151 and firewall services 114, 115 and 116 are implemented on a second processor core 161. Tunnel services 150 and 151 may, for example, be implemented as software processes running on the respective processor cores.").
Regarding dependent claim 12, Glazemakers -Jewell teaches the computer implemented system according to claim 1, further comprising an intermediary registry communicatively coupled to each of the plurality of servers (Glazemakers, The tunnel module, column 10, lines 62-67; column 11, lines 1-5; "Access is controlled by gateways 600, 601 and 602 corresponding to gateway 100 by also implementing tunnel module 101 (not shown), management module 102 (not shown), and one or more tunnel services 150, 151 (not shown) each implementing one or more firewall services.") and the remote client wherein the intermediary registry maintains a list of available servers in the server cluster (Glazemakers, column , lines ; "The process then proceeds to step 306 where the tunnel module selects one of the tunnel services 150, 151 to which it will forward the second connection. This may be done in several ways. For example, the tunnel module may distribute the connection in a round robin way by forwarding the connection each time to the next processor core. Alternatively, it may forward the connection to the processor which has the most resources available such as, for example, processing power, memory or any combination thereof.").
Regarding claim 14, recites features similar to claim 1 above. Therefore claim 14 is rejected on the same rationale as claim 1 above. For the limitations not recited Glazemakers teaches establishing a control connection between a remote client and one of a plurality of gateway servers using UDP protocols with DTLS secure encapsulation (Glazemakers, column 4, lines 20-26; "The private network 140 and other components in FIG. 1 may utilize any number and type of communication protocols, also referred to as the Internet Protocol ("IP"), or as the Transmission Control Protocol/Internet Protocol ("TCP/IP"). For example, the private network 140 may have address ranges as set by RFC 1918 for Internet Protocol Version 4 or IPv4 and RFC 4193 for Internet Protocol Version 6 or IPv6." See ... Also see column 5, lines 31-41; "The data travelling over the connections in the tunnels 131-133 may further be protected by encryption, such as according to the Internet Protocol Security (or "IPsec protocol,") transport Layer Security (or "TLS") and/or Datagram Transport Layer Security (or "DTLS"). In an example, the tunnel module 101 operates according to TLS or SSL and sets up the networking connections as TCP network connections."), wherein the list includes for each available tunnel, a tunnel name, a tunnel name pipe port, and a default TCP listener address for the tunnel name, one or more pipe ports forming one or more UDP channels (Glazemakers, Because the tunnel traffic passes through the tunnel. See column 7, lines 27-56; "More specifically, in one embodiment, the access rules are basically descriptive firewall rules, and the management module 102 fills in some of these descriptions." "The management module will contact the API and retrieve a list of IP addresses and ports, and then translate these retrieved addresses and ports into access rules like: Allow TCP traffic to 10.0.0.1 port 22 Allow TCP traffic to 10.0.0.15 port 22."); and wherein each pipe port corresponds to one of the available tunnels.

Regarding claim 20, Glazemakers - Jewell the method according to claim 19, further comprising confirming tunnel availability by ascertaining current tunnel access session counts by an authenticated user (Glazemakers, authentication is inherent to the DTLS handshaking). Glazemakers -Jewell further teaches, responsive to confirming tunnel availability, further comprising mapping each authorized tunnel for the remote client to a unique pipe port (Glazemakers, column 5, lines 56- 67; column 6, lines 1-14; "If the data packet is a control data packet, the tunnel module 101 identifies the network connection as a control connection and will redirect all further packets received over this connection to the management module 102. The control data packet may, for example, be identified by inspecting a specific TSL extension field in the header of the TLS packet.").

Regarding claim 21, Glazemakers -Jewell teaches the method according to further comprising sending, by the remote client to the gateway server, a tunnel confirmation request through the control connection (Glazemakers, column 5, lines 56-67; column 6, lines 1-14; "In order to know that the connection is for control purposes, the tunnel module may inspect the first data packet exchanged over each newly-established network connection. If the data packet is a control data packet, the tunnel module 101 identifies the network connection as a control connection and will redirect all further packets received over this connection to the management module 102. The control data packet may, for example, be identified by inspecting a specific TSL extension field in the header of the TLS packet.").

	Claims 4-9 are rejected under 35 U.S.C. 103 as being unpatentable over Glazemakers and Jewell as applied to claim 1 above, and further in view of Kumar et al., US 8020203 B2 (hereafter referred to as Kumar)
Regarding claim 4, Glazemakers - Jewell teaches the computer implemented system according to claim 3, as cited above. Glazemakers - Jewell does not specifically teach wherein the client tunnel gateway module includes a client TCP listener open for an application tunnel with the client application. However, in the same field of endeavor, Kumar teaches wherein the client tunnel gateway module includes a client TCP listener open for an application tunnel with the client application (column 6, lines 30-39; "Now, a client daemon in the VPN Client and a server daemon in the VPN Gateway D exchange a series of messages; authenticate mutually and exchange symmetric keys and form a secure tunnel. During this process the VPN Gateway D sends the information about its secondary Gateway (A) to the client, i.e. the IP address and the TCP port number on which A listens."). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Glazemakers-Jewel to substitute an open TCP listener for TCP connections from Glazemakers-Jewell to support having highly available virtual private networks (VPNs).
Regarding claim 5, Glazemakers - Jewell - Kumar teaches the computer implemented system according to claim 4, wherein the application tunnel is mapped to a client tunnel origin associated with the client tunnel gateway (Kumar, column 6, lines 30-39; The connection binds to the client TCP port. "During this process the VPN Gateway D sends the information about its secondary Gateway (A) to the client, i.e. the IP address and the TCP port number on which A listens.").
Regarding claim 6, Glazemakers - Jewell - Kumar teaches the computer implemented system according to claim 5, further comprising one or more server pipe listeners wherein one of the one or more server pipe listeners includes an open port to connect the client tunnel gateway with the server tunnel gateway (Kumar, column 3, lines 49-53, 57-62; "Then, the administrator creates a group of Secure Socket Layer (SSL) VPN gateways and assigns the resulting configuration to the group. The public address on which each gateway listens and the virtual subnet pool is different for different gateways in the same group.").
Regarding claim 7, Glazemakers - Jewell - Kumar teaches the computer implemented system according to claim 6, further comprising one or more tunnel connections between the client tunnel origin and one or more server tunnel destinations associated with the server tunnel gateway (Glazemakers, column 10, lines 65-67; column 11, lines 1-5; "In step 701 of the process, gateway 600 establishes a first networking tunnel 631 with client device 621 in order to provide the client 621 access to network devices 141-143 in the private network.").
Regarding claim 8, Glazemakers - Jewell - Kumar teaches the computer implemented system according to claim 7, wherein the one or more server tunnel destinations opens a TCP connection with each server application (Glazemakers, column 6, lines 63-67; "More specifically, in one embodiment, two connections are required for each tunnel (131,132,133) (e.g., two TCP connections in the case of a TLS tunnel). One connection is for uploading the tokens (metadata), and the other connection is for the actual tunnel traffic.") thereby connecting each server application to the client application via one of the one or more tunnel connections (Glazemakers, column 7, lines 57-62; " ... a network tunnel 131 between the client device 121 and the gateway 100 is thus established together with a separate firewall with a separate set of firewall rules for selectively blocking and allowing network traffic between the client device 121 and the network devices 141-143 in the private network 140.").
Regarding claim 9, Glazemakers -Jewell - Kumar teaches the computer implemented system according to claim 7, wherein the one or more server tunnel destinations may be located on any server within the server cluster or any server communicatively coupled to any other server within the server cluster (column 9, lines 1-16; "The gateway 100 then includes a separate tunnel service running on each processor core. This is illustrated by the exemplary embodiment of FIG. 1 where tunnel service 150 and firewall services 111, 112 and 113 are implemented on the first processor core 160 and tunnel service 151 and firewall services 114, 115 and 116 are implemented on a second processor core 161. Tunnel services 150 and 151 may, for example, be implemented as software processes running on the respective processor cores.").

	Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Glazemakers and Jewell as applied to claim 14 above, and further in view of Aldridge et al., US 7992201 B2 (hereafter referred to as Aldridge)
Regarding claim 15, Glazemakers -Jewell teaches the method according to claim 14, as recited above. Glazemakers- Jewell does not specifically teach wherein establishing includes discovering, by the remote client, an undiscovered UDP endpoint for each gateway server. However, in the same field of endeavor, CCC teaches wherein establishing includes discovering, by the remote client, an undiscovered UDP endpoint for each gateway server (column 6, lines 7-28; "According to one embodiment of the present invention, a VPN client at a client device uses a locally-accessible table or similar data structure (referred to herein as a table for ease of reference) that provides LCR information for detecting which VPN gateway should be selected for reaching a particular destination host." "Or, rather than providing the table to the VPN client, the table may be stored in one or more centralized locations accessible to multiple VPN clients, and the VPN clients may receive an address of the table or a pointer to the table. As yet another alternative, a service or function may be provided whereby a VPN client can issue a request for cost metrics as needed."). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Glazemakers-Jewell to substitute unknown gateway with respect to the client from Aldridge for the available tunnels from Glazemakers-Jewell to enable more dynamic selection of tunnels that are chosen based on other network conditions.
Regarding claim 16, Glazemakers -Jewell teaches the method according to claim 15, further comprising initiating, by the remote client, a DTLS handshake with the discovered endpoint for each gateway server (Glazemakers, handshakes are inherent to utilizing a protocol. The client triggers encryption/decryption according to DTLS. See column 5, lines 31-41; "Firewall service 411 may further include an encryption and/or decryption component 423 for respectively encrypting and decrypting data transmitted to or received from the client 121. Encryption and decryption may further be performed according to the Internet Protocol Security (or "IPsec protocol,") Transport Layer Security (or "TLS") and/or Datagram Transport Layer Security (or "DTLS").").

	Claims 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Glazemakers and Jewell and Aldridge as applied to claim 16 above, and further in view of Tribble et al., US 9270449 Bl (hereafter referred to as Tribble).
Regarding claim 17, Glazemakers - Jewell -Aldridge teaches the method according to claim 16, as cited above. Glazemakers- Jewell-Aldridge does not specifically teach further comprising authenticating, by the remote client, each gateway server based on a public key presented during DTLS handshaking via a datagram message. However, in the same field of endeavor, Tribble teaches authenticating, by the remote client, each gateway server based on a public key presented during DTLS handshaking via a datagram message (column 4, lines 36-49; "Typically, before accessing the secure website, the client 202 and the reverse proxy 206 will establish a secure communication channel among themselves. A secure communication channel can be established by performing a handshake 205 using generally known cryptographic protocols, e.g., Transport Layer Security (TLS) or Secure Sockets Layer (SSL), as described above. The client 202 and the reverse proxy 206 can securely communicate data over the secure communication channel by sending data that has been encrypted using the master session key 212 that was generated as a result of the handshake 205." See also column 6, lines 64-67; "Although the protocol stack is described as implementing Transport Layer Security or Secure Sockets Layer, other protocols may be used depending on the implementation including, for example, Datagram TLS (DTLS)."). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Glazemakers-Jewell Aldridge to substitute handshaking details from Tribble because doing so would have an equivalent substitution. Glazemakers -Jewell -Aldridge -Tribble further teaches responsive to successful authentication of the remote client by each gateway server, further comprising opening, by each gateway server, a pipe port to the remote client (Tribble, column 4, lines 36-49; "The client 202 and the reverse proxy 206 can securely communicate data over the secure communication channel by sending data that has been encrypted using the master session key 212 that was generated as a result of the handshake 205.").
Regarding claim 18, Glazemakers -Jewell-Aldridge-Tribble teaches the method according to claim 18, further comprising opening, by the remote client, a pipe connection to the pipe port establishing a control connection (Glazemakers, "Thereupon, the network connection is established under step 202, for example, by a three-way handshake in the case of a TCP network connection. This first network connection is used to exchange control information between the client 121 and the gateway 100, and more particularly with the management module 102 implemented in the gateway 100. In order to know that the connection is for control purposes, the tunnel module may inspect the first data packet exchanged over each newly-established network connection.").
Regarding dependent claim 19, Glazemakers -Jewell teaches the method according to claim 14, wherein ascertaining includes sending, by the remote client through the control connection an authorization request for access to one or more tunnels (Glazemakers, column 5, lines 56-67; column 6, lines 1-14; "In order to know that the connection is for control purposes, the tunnel module may inspect the first data packet exchanged over each newly-established network connection. If the data packet is a control data packet, the tunnel module 101 identifies the network connection as a control connection and will redirect all further packets received over this connection to the management module 102. The control data packet may, for example, be identified by inspecting a specific TSL extension field in the header of the TLS packet.").



Allowable Subject Matter
Claims 13 and 22 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter: the prior art fails to teach or suggest wherein, responsive to the remote client connecting with the one of the one or more server gateways, the server gateway tunnel module creates a client context for the remote client, the client context including a port remap table having an entry for each available tunnel, forming the list of available tunnels. The database/list/table identified as "a port remap table" comprising an entry for every tunnel that is available such as not being used or free from association and thereby forming a list of available tunnels is not taught by the prior art of record.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DHARMESH J PATEL whose telephone number is (571)272-2690.  The examiner can normally be reached on Monday-Friday 8:00AM-5:00PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Marsha D Banks-Harold can be reached on (571) 272-7905.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


DHARMESH J. PATEL
Examiner
Art Unit 2465


/DHARMESH PATEL/
Examiner, Art Unit 2465


/MARSHA D BANKS HAROLD/Supervisory Patent Examiner, Art Unit 2465