Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This initial office action is issued in response to patent application 17/033097, filed on 25 September 2020.  Claims 1-28, as originally filed, are currently pending and have been considered below.  


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claims 1, 3, 15, and 17 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 4, 7, 9, and 10 of co-pending application 17/033153.  

Claims 1, 3, 15, 17:
Claims 1, 3, 15, and 17 have similar limitations to claims 1, 3, 4, 7, 9, and 10 of co-pending application 17/033153.  Although the conflicting claims are not identical, they are not patentably distinct from each other because both applications claim a method (or an endpoint device) performed within an agent running on an endpoint device that identifies/determines whether a cloud-based security service is reachable and, when the determination is affirmative, configures the particular security feature/function for operation inside one of the plurality of trusted networks, and, when the determination is negative, configures the particular security feature/function for operation outside of the plurality of trusted networks.  Claims 1, 3, 15, and 17 are rejected for the reasons set forth above.  

This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-28 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Bansal et al. (US 2021/0234860 A1, filing date 05/12/2016).

Claim 1:
With respect to claim 1, Bansal et al. discloses a method performed within an agent running on an endpoint device (mobile user device, agent 1208, Figure 20) by a processing resource of the endpoint device (process 1260 to be executed by a mobile user device (e.g., mobile user device 1202) for securing local network traffic, 0172, Figure 22), the method comprising:
detecting whether the endpoint device has been moved to a new network by monitoring for changes to an Internet Protocol (IP) address associated with the endpoint device (to reconfigure each application depending upon the changes in network conditions such as moving from one subnet to another, where a user must statically configure Internet Protocol (IP) address configuration on a network interface for every network change, 0005) (enabling the mobile user device to determine where the network packets are to be transmitted, as indicated in block 1268. Since the goal of the cloud server 1204 in this embodiment is to secure “local” network traffic, the determination (block 1268) is able to determine if network packets are bound for public address space or private address space, 0174);
when said detecting is affirmative: determining whether a trusted network determination service associated with a cloud-based security service is reachable via the new network (The process 1260 also includes opening a tunnel (e.g., persistent connection 1206) to a cloud server that is coordinated with the mobile user device for ultimately securing the local network traffic. Opening the tunnel (block 1264) may also include other steps that may also be performed during the set-up process 1240 of FIG. 21, such as user authentication steps, 0173) (The process 1240 for setting up the cloud server may also include authenticating users and mobile user devices within the cloud-based system, The agent 1208 authenticates the user and opens a persistent connection 1206 (e.g., keep-alive tunnel, pipeline, or the like) to the cloud server 1204, 0162-0163); 
when said determining is affirmative: identifying whether the new network is among a plurality of trusted networks that have been previously registered with the cloud-based security service by querying the trusted network determination service (receive config, policies, and traffic rules, 0173, Figure 22, 1266) (Based on the set of rules, the mobile application/agent opens tunnels to different host concentrators, The mobile application/agent intercepts packets on the user device and forwards over the tunnels based on the set of rules, 0144-0145) (intercepting traffic on the mobile device 300 based on a set of rules (step 1102); determining whether a connection associated with the traffic is allowed, 0150) (There can be multiple different local maps, such as a firewall map, a domain map, and an HTTP request map. The firewall map can be the first map to consult for every connection. It has rules based on destination IP address, protocol, and port. The domain map, after the firewall map, can be consulted for HTTP and HTTPS connection, After the domain map, the HTTP domain map is consulted for HTTP requests, this map will have different set of rule categories, 0151) ; and
when said identifying is affirmative, configuring a particular security feature implemented by the agent for operation inside one of the plurality of trusted networks; and when said identifying is negative, configuring the particular security feature for operation outside of the plurality of trusted networks (enabling the mobile user device to determine where the network packets are to be transmitted, as indicated in block 1268. Since the goal of the cloud server 1204 in this embodiment is to secure “local” network traffic, the determination (block 1268) is able to determine if network packets are bound for public address space or private address space. If it is determined in block 1268 that packets are bound for public space, the process 1260 proceeds to block 1270, which includes the step of allowing the mobile user device to send the network packets via the cloud server to the Internet 104 or other public networks. However, if it is determined that network packets are bound for private address space, the process 1260 proceeds to block 1272 to continue with the securing the local or private network traffic, 0174) (Figure 22: Public, send network packets via cloud server, 1270, Private, allow packets to flow normally to destination, 1278).

Claims 2, 16:
With respect to claims 2, 16, Bansal et al. discloses wherein the particular security feature comprises a secure Internet tunnel between the agent and a cloud-based security service, wherein configuration of the secure Internet tunnel for operation inside one of the plurality of trusted networks comprises deactivating the secure Internet tunnel (Private: Allow network packets to flow normally to destination, Deny drop packets, if it is determined that network packets are bound for private address space, the process 1260 proceeds to block 1272 to continue with the securing the local or private network traffic, Caution: this step may be postponed until a later time, such as after a further analysis 0174, 0177 Figure 22), and wherein configuration of the secure Internet tunnel for operation outside of the plurality of trusted networks comprises activating the secure Internet tunnel (Public: send network packets via cloud server, allowing the mobile user device to send the network packets via the cloud server to the Internet 104 or other public networks, 0174, Figure 22, 1270).

Claims 3, 17:
With respect to claims 3, 17, Bansal et al. discloses wherein the cloud-based security service comprises a Secure Access Service Edge (SASE) platform (enterprises deployed Secure Sockets Layer (SSL) VPNs/Web Proxies, 0006) (the cloud-based system 100 provides inline monitoring inspecting traffic between the users 102, the Internet 104, and the cloud services 106, including Secure Sockets Layer (SSL) traffic, 0049) (the cloud-based system 100 can dynamically create a connection through a secure tunnel between an endpoint (e.g., users 102A, 102B) that are remote and an on-premises connector 400 that is either located in cloud file shares and applications 402 and/or in an enterprise network 404, connected to enterprise file shares and applications. The connection between the cloud-based system 100 and on-premises connector 400 is dynamic, on-demand, and orchestrated by the cloud-based system 100. A key feature is its security at the edge—there is no need to punch any holes in the existing on-premises firewall, 0078, Figure 6).

Claims 4, 18:
With respect to claims 4, 18, Bansal et al. discloses wherein the secure Internet tunnel comprises a secure Transport Layer Security (TLS) connection between the agent and a firewall associated with the SASE platform (if all traffic, including HTTP and HTTPS, is tunneled via an SSL VPN, 0043) (over secure TLS connections, 0060) (The present disclosure includes a lightweight agent or application that is executed on mobile devices with the agent supporting application firewall, 0042) (The access control can include a cloud-based firewall, 0049).

Claims 5, 19:
With respect to claims 5, 19, Bansal et al. discloses wherein deactivation of the secure Internet tunnel facilitates access by the endpoint device to local resources within the new network (Private: Allow network packets to flow normally to destination, Deny drop packets, if it is determined that network packets are bound for private address space, the process 1260 proceeds to block 1272 to continue with the securing the local or private network traffic, Caution: this step may be postponed until a later time, such as after a further analysis 0174, 0177 Figure 22).

Claims 6, 20:
With respect to claims 6, 20, Bansal et al. discloses wherein activation of the secure Internet tunnel protects communications via the new network to the cloud-based security service (Public: send network packets via cloud server, allowing the mobile user device to send the network packets via the cloud server to the Internet 104 or other public networks, 0174, Figure 22, 1270).

Claims 7, 21:
With respect to claims 7, 21, Bansal et al. discloses further comprising, when said determining is negative, configuring the particular security feature for operation outside of the plurality of trusted networks (opening a tunnel (e.g., persistent connection 1206) to a cloud server, 0173) (Public: send network packets via cloud server, allowing the mobile user device to send the network packets via the cloud server to the Internet 104 or other public networks, 0174, Figure 22, 1270).

Claims 8, 22:
With respect to claims 8, 22, Bansal et al. discloses wherein the IP address associated with the endpoint device comprises an IP address associated with a primary ethernet adapter of the endpoint device (The network interface 206 may include, for example, an Ethernet card or adapter or a Wireless Local Area Network (WLAN) card or adapter, 0068).

Claims 9, 23:
With respect to claims 9, 23, Bansal et al. discloses wherein the agent comprises an endpoint protection platform (mobile user device, agent 1208, Figure 20) (the unified agent application 350, The UI components 710 and UI process components 712 can be platform dependent, 0109).

Claims 10, 24:
With respect to claims 10, 24, Bansal et al. discloses wherein the agent is integrated with an endpoint protection platform (mobile user device, agent 1208, Figure 20) (the unified agent application 350, The UI components 710 and UI process components 712 can be platform dependent, 0109).

Claims 11, 25:
With respect to claims 11, 25, Bansal et al. discloses wherein the agent is independent from an endpoint protection platform running on the endpoint device (mobile user device, agent 1208, Figure 20) (the unified agent application 350, The UI components 710 and UI process components 712 can be platform dependent, 0109).

Claims 12, 26:
With respect to claims 12, 26, Bansal et al. discloses wherein the cloud-based security service includes a plurality of trusted network determination services running in multiple regions throughout the world and wherein the trusted network determination service represents one of the plurality of trusted network determination services that is nearest to the endpoint device (The enforcement nodes 150 can be geographically distributed, and the policy for each user 102 follows that user 102 as he or she connects to the nearest (or other criteria) enforcement node 150, 0058) (The enforcement nodes 150 are deployed around the world and can handle hundreds of thousands of concurrent users with millions of concurrent sessions, 0059) (Figure 2).

Claims 13, 27:
With respect to claims 13, 27, Bansal et al. discloses wherein the plurality of trusted networks represent office networks of a customer of the cloud-based security service that are securely connected to the cloud- based security service (a mobile device 110, a headquarters (HQ) 112 which can include or connect to a data center (DC) 114, Internet of Things (IoT) devices 116, a branch office/remote location 118, etc., and each includes one or more user devices (an example user device 300 is illustrated in FIG. 3), 0053) (trusted network (e.g., office or home network), 0165) (office, Figure 7).

Claims 14, 28:
With respect to claims 14, 28, Bansal et al. discloses wherein the plurality of trusted networks are updated by an orchestration and automation platform associated with the cloud-based security service (The connection between the cloud-based system 100 and on-premises connector 400 is dynamic, on-demand, and orchestrated by the cloud-based system 100, 0078) (auto-update, 0106) (the unified agent application 350 supports automatic updates without impacting the user's Internet experience, 0110).

Claim 15:
With respect to claim 15, Bansal et al. discloses an endpoint device (mobile user device, agent 1208, Figure 20) comprising:
a processing resource (process 1260 to be executed by a mobile user device (e.g., mobile user device 1202) for securing local network traffic, 0172, Figure 22); and 
a non-transitory computer-readable medium (computer-executable instructions stored in a non-transitory computer-readable medium storing, 0149), coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to perform a method comprising: 
detecting, by an agent running on the endpoint device, whether the endpoint device has been moved to a new network by monitoring for changes to an Internet Protocol (IP) address associated with the endpoint device (to reconfigure each application depending upon the changes in network conditions such as moving from one subnet to another, where a user must statically configure Internet Protocol (IP) address configuration on a network interface for every network change, 0005) (enabling the mobile user device to determine where the network packets are to be transmitted, as indicated in block 1268. Since the goal of the cloud server 1204 in this embodiment is to secure “local” network traffic, the determination (block 1268) is able to determine if network packets are bound for public address space or private address space, 0174);
when said detecting is affirmative: determining, by the agent, whether a trusted network determination service associated with a cloud-based security service is reachable via the new network (The process 1260 also includes opening a tunnel (e.g., persistent connection 1206) to a cloud server that is coordinated with the mobile user device for ultimately securing the local network traffic. Opening the tunnel (block 1264) may also include other steps that may also be performed during the set-up process 1240 of FIG. 21, such as user authentication steps, 0173) (The process 1240 for setting up the cloud server may also include authenticating users and mobile user devices within the cloud-based system, The agent 1208 authenticates the user and opens a persistent connection 1206 (e.g., keep-alive tunnel, pipeline, or the like) to the cloud server 1204, 0162-0163); 
when said determining is affirmative: identifying, by the agent, whether the new network is among a plurality of trusted networks that have been previously registered with the cloud-based security service by querying the trusted network determination service (receive config, policies, and traffic rules, 0173, Figure 22, 1266) (Based on the set of rules, the mobile application/agent opens tunnels to different host concentrators, The mobile application/agent intercepts packets on the user device and forwards over the tunnels based on the set of rules, 0144-0145) (intercepting traffic on the mobile device 300 based on a set of rules (step 1102); determining whether a connection associated with the traffic is allowed, 0150) (There can be multiple different local maps, such as a firewall map, a domain map, and an HTTP request map. The firewall map can be the first map to consult for every connection. It has rules based on destination IP address, protocol, and port. The domain map, after the firewall map, can be consulted for HTTP and HTTPS connection, After the domain map, the HTTP domain map is consulted for HTTP requests, this map will have different set of rule categories, 0151); and
when said identifying is affirmative, configuring, by the agent, a particular security feature implemented on the endpoint device for operation inside one of the plurality of trusted networks; and when said identifying is negative, configuring the particular security feature for operation outside of the plurality of trusted networks (enabling the mobile user device to determine where the network packets are to be transmitted, as indicated in block 1268. Since the goal of the cloud server 1204 in this embodiment is to secure “local” network traffic, the determination (block 1268) is able to determine if network packets are bound for public address space or private address space. If it is determined in block 1268 that packets are bound for public space, the process 1260 proceeds to block 1270, which includes the step of allowing the mobile user device to send the network packets via the cloud server to the Internet 104 or other public networks. However, if it is determined that network packets are bound for private address space, the process 1260 proceeds to block 1272 to continue with the securing the local or private network traffic, 0174) (Figure 22: Public, send network packets via cloud server, 1270, Private, allow packets to flow normally to destination, 1278).
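The method mapped above for claims 1 and 15 (detect an IP address change, determine whether a trusted network determination service is reachable, identify whether the new network is registered, then configure the security feature), together with the tunnel activation/deactivation of claims 2 and 16 and the negative-determination branch of claims 7 and 21, as an added Python illustration. This is not code from the application or from Bansal et al.; the class and function names, the use of the public egress address as the key by which the service recognizes a registered network, and the nearest-first failover across regional determination services (claims 12 and 26) are assumptions of this example, not features stated on the page.

```python
"""Trusted-network detection agent modelled on the method of claims 1 and 15.

Added illustration only; not code from the application or from Bansal et al.
Assumptions (not stated on the page): the determination service keys its
registered trusted networks by the public egress address it observes on the
query, and the agent tries regional services nearest-first with failover.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Tunnel(Enum):
    ACTIVE = "active"      # traffic forced through the cloud security service
    INACTIVE = "inactive"  # direct access to local resources (claims 5/19)


class ServiceUnreachable(Exception):
    """Raised when a trusted-network determination service cannot be reached."""


@dataclass
class TrustedNetworkService:
    """Stand-in for one regional trusted-network determination service.

    `registered` holds the customer's registered office networks (claims 13/27),
    keyed by public egress address (an assumption of this example).
    """
    region: str
    registered: Set[str]
    reachable: bool = True

    def is_trusted(self, egress_ip: str) -> bool:
        if not self.reachable:
            raise ServiceUnreachable(self.region)
        return egress_ip in self.registered


@dataclass
class Agent:
    """Endpoint agent: detect -> determine -> identify -> configure."""
    services: List[TrustedNetworkService]   # ordered nearest-first (claims 12/26)
    tunnel: Tunnel = Tunnel.ACTIVE          # fail-closed default before any determination
    last_ip: Optional[str] = None
    events: List[str] = field(default_factory=list)

    def observe_ip(self, adapter_ip: str, egress_ip: str) -> Tunnel:
        """Feed the current address of the primary adapter (claims 8/22).

        A changed address is the 'detecting' step; an unchanged address
        leaves the current configuration alone.
        """
        if adapter_ip == self.last_ip:
            return self.tunnel
        self.last_ip = adapter_ip
        self.events.append(f"ip-change {adapter_ip}")

        # 'determining' and 'identifying': ask the cloud service, nearest first;
        # the trust decision comes from the registered list, not local heuristics
        for service in self.services:
            try:
                trusted = service.is_trusted(egress_ip)
            except ServiceUnreachable:
                continue  # assumption: fail over to the next regional service
            self.events.append(f"{service.region}: {'trusted' if trusted else 'untrusted'}")
            return self._configure(inside=trusted)

        # no service reachable: negative determination (claims 7/21), treat as
        # outside the trusted networks so the tunnel stays up (fail closed)
        self.events.append("service-unreachable -> outside")
        return self._configure(inside=False)

    def _configure(self, inside: bool) -> Tunnel:
        # claims 2/16: inside a trusted network the tunnel is deactivated,
        # outside it is activated
        self.tunnel = Tunnel.INACTIVE if inside else Tunnel.ACTIVE
        return self.tunnel


if __name__ == "__main__":
    # constructed sample data: one registered office egress address
    office = TrustedNetworkService("us-east", registered={"198.51.100.7"})
    agent = Agent(services=[office])
    print(agent.observe_ip("10.0.0.5", "198.51.100.7"))    # office network -> INACTIVE
    print(agent.observe_ip("192.168.1.9", "203.0.113.4"))  # public hotspot -> ACTIVE
```

Two points a practitioner would check in such an agent: the inside/outside decision is taken by the cloud service against the registered list rather than from locally observable signals such as a DHCP-supplied DNS suffix or an SSID, which an attacker-controlled network can imitate; and when no determination service is reachable the agent keeps the tunnel active, matching the negative-determination branch of claims 7 and 21, so an unreachable service never silently downgrades protection.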

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO Form 892).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HELAI SALEHI/           Examiner, Art Unit 2433

/BRANDON HOFFMAN/           Primary Examiner, Art Unit 2433