DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Response to Arguments
The indicated allowability of dependent claims 13 and 25 is withdrawn in view of the newly discovered reference(s) to Matthews.  Rejections based on the newly cited reference(s) follow below.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-2, 9-12, 14, and 20-23 is/are rejected under 35 U.S.C. 103 as being unpatentable over  Glazemakers et al., US 10412048 B2 (hereafter referred to as Glazemakers) in view of Jewell, US 8843639 B2 (hereafter referred to as Jewell) and in view of Matthews et al., US 10601779 B1 (hereafter referred to as Matthews).
Regarding claim 1, Glazemakers teaches a computer implemented system for cloaked remote client to server application access (abstract), the computer system comprising: 
a remote client having a client application with client application data, and a client tunnel gateway module (column 10, lines 62-67; column 11, lines 1-5; “In step 701 of the process, gateway 600 establishes a first networking tunnel 631 with client device 621 in order to provide the client 621 access to network devices 141-143 in the private network.”); 
a plurality of servers operating as a server cluster forming an overlay network wherein each server includes one of a plurality of server tunnel gateway modules that each include (column 10, lines 53-61; “Access is controlled by gateways 600, 601 and 602 corresponding to gateway 100 by also implementing tunnel module 101 (not shown), management module 102 (not shown), and one or more tunnel services 150, 151 (not shown) each implementing one or more firewall services.  For sake of clarity, only two firewall services 611A and 616A are shown in gateway 600.”), one or more UDP communication sockets that mediate connectivity between the client tunnel gateway module and one of the plurality of server tunnel gateway modules (column 9, lines 60-65; “Firewall 420 may be a stateful firewall configured to perform stateful packet inspection, thereby keeping track of the state of networking connections established over the networking tunnel 131 between client 121 and network devices 141-143 in private network 140.  Each such connection may relate to TCP or UDP networking connections.”), and wherein that server tunnel gateway module forms a list of available tunnels for the client tunnel gateway module (column 9, lines 28-36; “The process starts upon establishment of the second connection in step 305 as set out above with reference to step 205 of FIG. 2.  The process then proceeds to step 306 where the tunnel module selects one of the tunnel services 150, 151 to which it will forward the second connection.”); and one or more server applications communicatively coupled with the one of plurality of server tunnel gateway modules (column 5, lines 1-6; “In order to control access by the clients 121-126 to the application servers 141-143, networking tunnels 131-133 are established between the clients 121-126 and the gateway 100.  This way, the private network 140 is extended to the clients 121-126.”) wherein responsive to lack of connectivity between the remote client and the one of the plurality of server tunnel gateway modules (column 11, lines 19-27; “The interruption of the networking tunnel 631 may be caused by several factors such as, for example, by a failure in the networking path between the client 621 and the gateway 600, or by a failure of the gateway 600 itself.  When the client detects the failure of the networking tunnel…”), the remote client selects a new server reestablishing connectivity to the one or more server applications from the list of available tunnels (column 11, lines 26-32; “When the client detects the failure of the networking tunnel, it establishes a new networking tunnel 632 with second gateway 601, which also provides access to private network 140.  This may, for example, be done by the process as illustrated by FIG. 2 by forwarding the tunnel authentication information 653 and client access list 652 to the second gateway 601.”). Glazemakers does not specifically teach specific software architecture such as a client gateway module, server gateway module and tunnel gateway module. However, in the same field of endeavor, Jewell teaches the client gateway module, server gateway module and tunnel gateway module (column 5, lines 4-19; “Client program 122 provides network application 120 an indirect route to communicate to communications network 108.  Client program 122 receives messages sent from the network applications 120 and forwards the messages to tunnel server 140 through firewall 110 and communications network 108. Corresponding to the two modules installed on client system 102, target system 104 may also have two software modules installed: target program 132 and target service 130.  When messages destined for target service 130 are relayed from tunnel server 140 via communications network 108, they may be received by target program 132 through firewall 110'.  Target program 132 then passes the original message sent by network application 120 to target service 130.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Glazemakers to substitute client gateway, tunnel gateway and server gateway modules from Jewell for the software from Glazemakers to reduce troublesome firewall configuration while maintaining security. 
Glazemakers-Jewells does not specifically teach wherein, responsive to the remote client connecting with the one of the one or more server gateways, the server gateway tunnel module creates a client context for the remote client, the client context including a port remap table having an entry for each available tunnel, forming the list of available tunnels. However, in the same field of endeavor, Matthews teaches wherein, responsive to the remote client connecting with the one of the one or more server gateways, the server gateway tunnel module creates a client context for the remote client, the client context including a port remap table having an entry for each available tunnel, forming the list of available tunnels (See column 3, lines 58-64; “… [T]he VPN client may be configured to access the VPN service to obtain a list of available VPN appliances. “ Also see column 2, lines 53-62; “ … VPN session data typically include … TCP ports, …” And column , lines ; “The distributed VPN client component 320 includes a node list 321, a tunnel monitor 323 and a service interface 325. The node list 321 generally identifies what VPN appliances in the VPN service 300 are being used for an active VPN session or which are available for use in a VPN session. Once established, the tunnel monitor 323 may track a health state of each active VPN session (or VPN appliance).”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Glazemakers-Jewell to substitute client context from Matthews for the available tunnels of Glazemakers-Jewell to  reduce the likelihood of wasting network resources when establishing connections to unavailable tunnels by leveraging associated tunnel session parameters. 
Regarding dependent claim 2, Glazemakers-Jewell-Matthews  teaches the computer implemented system according to claim 1, wherein the client tunnel gateway module opens one or more TCP ports to connect with one or more of the plurality of servers (Glazemakers, column 9, lines 60-65; “…the state of networking connections established over the networking tunnel 131 between client 121 and network devices 141-143 in private network 140.  Each such connection may relate to TCP or UDP networking connections.”).
Regarding dependent claim 9, Glazemakers-Jewell-Matthews teaches the computer implemented system according to claim 1, wherein transport connectivity between the remote client and the server tunnel gateway module is via UDP/IP protocols with DTLS secure encapsulation (Glazemakers, column 4, lines 20-26; “The private network 140 and other components in FIG. 1 may utilize any number and type of communication protocols, also referred to as the Internet Protocol ("IP"), or as the Transmission Control Protocol/Internet Protocol ("TCP/IP"). For example, the private network 140 may have address ranges as set by RFC 1918 for Internet Protocol Version 4 or IPv4 and RFC 4193 for Internet Protocol Version 6 or IPv6.” See  … Also see column 5, lines 31-41; “The data travelling over the connections in the tunnels 131-133 may further be protected by encryption, such as according to the Internet Protocol Security (or "IPsec protocol,") transport Layer Security (or "TLS") and/or Datagram Transport Layer Security (or "DTLS"). In an example, the tunnel module 101 operates according to TLS or SSL and sets up the networking connections as TCP network connections.”).
Regarding dependent claim 10, Glazemakers-Jewell-Matthews teaches the computer implemented system according to claim 1, wherein each of the one or more server applications includes one or more TCP listening ports to interact with the client application (Jewell, column 8, lines 29-37; “In alternate embodiments, network application 120 may be configured to connect to target services 130 listening on more than one port.  In such embodiments, client program 122 may be configured to listen on multiple ports to mimic the listening behavior of the desired target service 130.”).
Regarding dependent claim 11, Glazemakers-Jewell-Matthews teaches the computer implemented system according to claim 1, wherein the one or more server applications are each communicatively coupled to the server tunnel gateway module through a direct layer-4 TCP network route (Glazemakers, column 9, lines 1-16; Through interprocessor communication (IPC) the firewall services and tunnel services are able to communicate. “The gateway 100 then includes a separate tunnel service running on each processor core.  This is illustrated by the exemplary embodiment of FIG. 1 where tunnel service 150 and firewall services 111, 112 and 113 are implemented on the first processor core 160 and tunnel service 151 and firewall services 114, 115 and 116 are implemented on a second processor core 161.  Tunnel services 150 and 151 may, for example, be implemented as software processes running on the respective processor cores.”).
Regarding dependent claim 12, Glazemakers-Jewell-Matthews teaches the computer implemented system according to claim 1, further comprising an intermediary registry communicatively coupled to each of the plurality of servers (Glazemakers, The tunnel module, column 10, lines 62-67; column 11, lines 1-5; “Access is controlled by gateways 600, 601 and 602 corresponding to gateway 100 by also implementing tunnel module 101 (not shown), management module 102 (not shown), and one or more tunnel services 150, 151 (not shown) each implementing one or more firewall services.”) and the remote client wherein the intermediary registry maintains a list of available servers in the server cluster (Glazemakers, column 9, lines 30-39; “The process then proceeds to step 306 where the tunnel module selects one of the tunnel services 150, 151 to which it will forward the second connection.  This may be done in several ways.  For example, the tunnel module may distribute the connection in a round-robin way by forwarding the connection each time to the next processor core.  Alternatively, it may forward the connection to the processor which has the most resources available such as, for example, processing power, memory or any combination thereof.”).
Claim 14 recites features similar to claim 1 above. Therefore claim 14 is rejected on the same rationale as claim 1 above. For the limitations not recited Glazemakers teaches establishing a control connection between a remote client and one of a plurality of gateway servers using UDP protocols with DTLS secure encapsulation (Glazemakers, column 4, lines 20-26; “The private network 140 and other components in FIG. 1 may utilize any number and type of communication protocols, also referred to as the Internet Protocol ("IP"), or as the Transmission Control Protocol/Internet Protocol ("TCP/IP"). For example, the private network 140 may have address ranges as set by RFC 1918 for Internet Protocol Version 4 or IPv4 and RFC 4193 for Internet Protocol Version 6 or IPv6.” Also see column 5, lines 31-41; “The data travelling over the connections in the tunnels 131-133 may further be protected by encryption, such as according to the Internet Protocol Security (or "IPsec protocol,") transport Layer Security (or "TLS") and/or Datagram Transport Layer Security (or "DTLS"). In an example, the tunnel module 101 operates according to TLS or SSL and sets up the networking connections as TCP network connections.”), wherein the list includes for each available tunnel, a tunnel name, a tunnel name pipe port, and a default TCP listener address for the tunnel name, one or more pipe ports forming one or more UDP channels (Glazemakers, Because the tunnel traffic passes through the tunnel. See column 7, lines 27-56; “More specifically, in one embodiment, the access rules are basically descriptive firewall rules, and the management module 102 fills in some of these descriptions.” “The management module will contact the API and retrieve a list of IP addresses and ports, and then translate these retrieved addresses and ports into access rules like: Allow TCP traffic to 10.0.0.1 port 22 Allow TCP traffic to 10.0.0.15 port 22.”); and  wherein each pipe port corresponds to one of the available tunnels (column 7, lines 27-56; “ Correlated to a rule. “The management module will contact the API and retrieve a list of IP addresses and ports, and then translate these retrieved addresses and ports into access rules like: Allow TCP traffic to 10.0.0.1 port 22 Allow TCP traffic to 10.0.0.15 port 22.”) . 
Regarding dependent claim 20, Glazemakers-Jewell-Matthews teaches the method according to claim 14, wherein ascertaining includes sending, by the remote client through the control connection an authorization request for access to one or more tunnels (Glazemakers, column 5, lines 56-67; column 6, lines 1-14; “In order to know that the connection is for control purposes, the tunnel module may inspect the first data packet exchanged over each newly-established network connection.  If the data packet is a control data packet, the tunnel module 101 identifies the network connection as a control connection and will redirect all further packets received over this connection to the management module 102.  The control data packet may, for example, be identified by inspecting a specific TSL extension field in the header of the TLS packet.”).
Regarding dependent claim 21, Glazemakers-Jewell-Matthews teaches the method according to claim 20, further comprising confirming tunnel availability by ascertaining current tunnel access session counts by an authenticated user (Glazemakers, authentication is inherent to the DTLS handshaking).
Regarding dependent claim 22, Glazemakers-Jewell-Matthews teaches the method according to claim 21, responsive to confirming tunnel availability, further comprising mapping each authorized tunnel for the remote client to a unique pipe port (Glazemakers,  column 5, lines 56-67; column 6, lines 1-14; “If the data packet is a control data packet, the tunnel module 101 identifies the network connection as a control connection and will redirect all further packets received over this connection to the management module 102.  The control data packet may, for example, be identified by inspecting a specific TSL extension field in the header of the TLS packet.”).
Regarding dependent claim 23, Glazemakers-Jewell-Matthews teaches the method according to claim 22, further comprising sending, by the remote client to the gateway server, a tunnel confirmation request through the control connection (Glazemakers, column 5, lines 56-67; column 6, lines 1-14; “In order to know that the connection is for control purposes, the tunnel module may inspect the first data packet exchanged over each newly-established network connection.  If the data packet is a control data packet, the tunnel module 101 identifies the network connection as a control connection and will redirect all further packets received over this connection to the management module 102.  The control data packet may, for example, be identified by inspecting a specific TSL extension field in the header of the TLS packet.”).

Claims 3-8 and 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Glazemakers-Jewell-Matthews as applied to claim 1 above, and further in view of  Kumar et al., US 8020203 B2 (hereafter referred to as Kumar)
Regarding dependent claim 3, Glazemakers-Jewell-Matthews teaches the computer implemented system according to claim 1, as cited above. Glazemakers-Jewell-Matthews does not specifically teach wherein the client tunnel gateway module includes a client TCP listener open for an application tunnel with the client application. However, in the same field of endeavor, Kumar teaches wherein the client tunnel gateway module includes a client TCP listener open for an application tunnel with the client application (column 6, lines 30-39; “Now, a client daemon in the VPN Client and a server daemon in the VPN Gateway D exchange a series of messages; authenticate mutually and exchange symmetric keys and form a secure tunnel.  During this process the VPN Gateway D sends the information about its secondary Gateway (A) to the client, i.e. the IP address and the TCP port number on which A listens.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Glazemakers-Jewell-Matthews to substitute an open TCP listener for TCP connections from Kumar for TCP ports management from Glazemakers-Jewell-Matthews  to support having highly available virtual private networks (VPNs).
Dependent claim 24 is rejected on the same rationale. 
Regarding dependent claim 4, Glazemakers-Jewell-Matthews-Kumar teaches the computer implemented system according to claim 3, wherein the application tunnel is mapped to a client tunnel origin associated with the client tunnel gateway (Kumar, column 6, lines 30-39; The connection binds to the client TCP port. “During this process the VPN Gateway D sends the information about its secondary Gateway (A) to the client, i.e. the IP address and the TCP port number on which A listens.”).
Regarding claim 5, Glazemakers-Jewell-Matthews-Kumar teaches the computer implemented system according to claim 4, further comprising one or more server pipe listeners wherein one of the one or more server pipe listeners includes an open port to connect the client tunnel gateway with the server tunnel gateway (Kumar, column 3, lines 49-53, 57-62; “Then, the administrator creates a group of Secure Socket Layer (SSL) VPN gateways and assigns the resulting configuration to the group.  The public address on which each gateway listens and the virtual subnet pool is different for different gateways in the same group.”).
Regarding dependent claim 6, Glazemakers-Jewell-Matthews-Kumar teaches the computer implemented system according to claim 5, further comprising one or more tunnel connections between the client tunnel origin and one or more server tunnel destinations associated with the server tunnel gateway (Glazemakers, column 10, lines 65-67; column 11, lines 1-5; “In step 701 of the process, gateway 600 establishes a first networking tunnel 631 with client device 621 in order to provide the client 621 access to network devices 141-143 in the private network.”).
Regarding dependent claim 7, Glazemakers-Jewell-Matthews-Kumar teaches the computer implemented system according to claim 6, wherein the one or more server tunnel destinations opens a TCP connection with each server application (Glazemakers, column 6, lines 63-67; “More specifically, in one embodiment, two connections are required for each tunnel (131,132,133) (e.g., two TCP connections in the case of a TLS tunnel).  One connection is for uploading the tokens (metadata), and the other connection is for the actual tunnel traffic.”) thereby connecting each server application to the client application via one of the one or more tunnel connections (Glazemakers, column 7, lines 57-62; “… a network tunnel 131 between the client device 121 and the gateway 100 is thus established together with a separate firewall with a separate set of firewall rules for selectively blocking and allowing network traffic between the client device 121 and the network devices 141-143 in the private network 140.”).
Regarding dependent claim 8, Glazemakers-Jewell-Matthews-Kumar teaches the computer implemented system according to claim 7, wherein the one or more server tunnel destinations may be located on any server within the server cluster or any server communicatively coupled to any other server within the server cluster (Glazemakers, column 9, lines 1-16; “The gateway 100 then includes a separate tunnel service running on each processor core.  This is illustrated by the exemplary embodiment of FIG. 1 where tunnel service 150 and firewall services 111, 112 and 113 are implemented on the first processor core 160 and tunnel service 151 and firewall services 114, 115 and 116 are implemented on a second processor core 161.  Tunnel services 150 and 151 may, for example, be implemented as software processes running on the respective processor cores.”).

Claims 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Glazemakers-Jewell-Matthews as applied to claim 14 above, and further in view of  Aldridge et. al., US 7992201 B2 (hereafter referred to as Aldridge)
Regarding dependent claim 15, Glazemakers-Jewell-Matthews teaches the method according to claim 14, as recited above. Glazemakers-Jewell-Matthews does not specifically teach wherein establishing includes discovering, by the remote client, an undiscovered UDP endpoint for each gateway server. However, in the same field of endeavor, Aldridge teaches wherein establishing includes discovering, by the remote client, an undiscovered UDP endpoint for each gateway server (column 6, lines 7-28; “According to one embodiment of the present invention, a VPN client at a client device uses a locally-accessible table or similar data structure (referred to herein as a table for ease of reference) that provides LCR information for detecting which VPN gateway should be selected for reaching a particular destination host.” “Or, rather than providing the table to the VPN client, the table may be stored in one or more centralized locations accessible to multiple VPN clients, and the VPN clients may receive an address of the table or a pointer to the table.  As yet another alternative, a service or function may be provided whereby a VPN client can issue a request for cost metrics as needed.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Glazemakers-Jewell-Matthews to substitute unknown gateway with respect to the client from Aldridge for the available tunnels from Glazemakers-Jewell-Matthews to enable more dynamic selection of tunnels that are chosen based on other network conditions. 
Regarding dependent claim 16, Glazemakers-Jewell-Matthews-Aldridge teaches the method according to claim 15, further comprising initiating, by the remote client, a DTLS handshake with the discovered endpoint for each gateway server (Glazemakers, handshakes are inherent to utilizing a protocol. The client triggers encryption/decryption according to DTLS. See column 5, lines 31-41; “Firewall service 411 may further include an encryption and/or decryption component 423 for respectively encrypting and decrypting data transmitted to or received from the client 121.  Encryption and decryption may further be performed according to the Internet Protocol Security (or "IPsec protocol,") Transport Layer Security (or "TLS") and/or Datagram Transport Layer Security (or "DTLS").”).

Claims 17-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Glazemakers-Jewell-Matthews-Aldridge as applied to claim 16 above, and further in view of  Tribble et al., US 9270449 B1 (hereafter referred to as Tribble).
Regarding dependent claim 17, Glazemakers-Jewell-Matthews -Aldridge teaches the method according to claim 16, as cited above. Glazemakers-Jewell-Matthews -Aldridge does not specifically teach further comprising authenticating, by the remote client, each gateway server based on a public key presented during DTLS handshaking via a datagram message. However, in the same field of endeavor, Tribble teaches authenticating, by the remote client, each gateway server based on a public key presented during DTLS handshaking via a datagram message (column 4, lines 36-49; “Typically, before accessing the secure website, the client 202 and the reverse proxy 206 will establish a secure communication channel among themselves.  A secure communication channel can be established by performing a handshake 205 using generally known cryptographic protocols, e.g., Transport Layer Security (TLS) or Secure Sockets Layer (SSL), as described above. The client 202 and the reverse proxy 206 can securely communicate data over the secure communication channel by sending data that has been encrypted using the master session key 212 that was generated as a result of the handshake 205.” See also column 6, lines 64-67; “Although the protocol stack is described as implementing Transport Layer Security or Secure Sockets Layer, other protocols may be used depending on the implementation including, for example, Datagram TLS (DTLS).”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Glazemakers-Jewell-Matthews-Aldridge to substitute handshaking details from Tribble for the negotiating in Glazemakers-Jewell-Matthews-Aldridge because doing so would have detailed the procedures for security related protocols and thereby include them.
Regarding dependent claim 18, Glazemakers-Jewell-Matthews -Aldridge -Tribble teaches the method according to claim 17, responsive to successful authentication of the remote client by each gateway server, further comprising opening, by each gateway server, a pipe port to the remote client (Tribble, column 4, lines 36-49; “The client 202 and the reverse proxy 206 can securely communicate data over the secure communication channel by sending data that has been encrypted using the master session key 212 that was generated as a result of the handshake 205.”).
Regarding dependent claim 19, Glazemakers-Jewell-Matthews-Aldridge-Tribble teaches the method according to claim 18, further comprising opening, by the remote client, a pipe connection to the pipe port establishing a control connection (Glazemakers, “Thereupon, the network connection is established under step 202, for example, by a three-way handshake in the case of a TCP network connection.  This first network connection is used to exchange control information between the client 121 and the gateway 100, and more particularly with the management module 102 implemented in the gateway 100.  In order to know that the connection is for control purposes, the tunnel module may inspect the first data packet exchanged over each newly-established network connection.”).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PATRICE L WINDER whose telephone number is (571)272-3935. The examiner can normally be reached M-F 10am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Patrice L Winder/             Primary Examiner, Art Unit 2452