DETAILED ACTION
Claims 1-20 have been amended. Claims 1-20 remain pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted 03/02/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Thomas Franklin on August 12, 2022. The application has been amended as follows: 
In the claims:
1.	(Currently Amended) A system to provide policy-controlled communication over the Internet between a plurality of remote services and a plurality of third party applications executing on a client device, the system comprising one or more processors and one or more memories with code for: 
a client endpoint function that executes on the client device while coupled to a first VPN tunnel, the client endpoint function comprising:
a first policy component, enforcing a plurality of policies on network packet traffic for a plurality of applications, wherein the plurality of policies specify one or more aspects of processing of network sessions from a third party application to a remote service,
a first interceptor component that identifies network packet traffic and network sessions compliant with the plurality of policies, and 
a first VPN endpoint component, which provides a connection to a mid-link server using a first VPN tunnel programmed according to the plurality of policies, 
a service endpoint function that operates a remote service of the plurality of remote services, the service endpoint function at a service location, the service endpoint function comprising:
a second interceptor component that identifies network packet traffic using the plurality of policies, and
a second VPN endpoint component that connects to the mid-link server using a second VPN tunnel programmed according to the plurality of policies, and
a mid-link server, coupled to the first VPN tunnel and the second VPN tunnel, the mid-link server comprising:
a first and second VPN termination point that authenticates and terminates the first and second VPN tunnels at a mid-link server,
a second policy component, wherein the second policy component uses the plurality of policies to specify at least: policy-based routing, packet re-addressing, and content mediation rules on packet traffic arriving from the first VPN tunnel,
a router component interposed between the first and second VPN tunnels, wherein the router component operates to route network packet traffic between the first and second VPN tunnels via a route specified by the plurality of policies,
an inspection component that analyzes network packet traffic in accordance with the plurality of policies, and
a mediation component, effective to mask network addresses of the client device and service devices from each other, wherein the third party application operates with the remote service to provide functionality to the client device, 
wherein the inspection component inspects the network packet traffic for specific content and provides instructions to at least one of the router component or the mediation component, and the instructions are a function of at least one policy of the plurality of policies that applies to the specific content.
2.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the mid-link server comprises an Access Resource Server (ARS) that includes the inspection component.
3.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the inspection component is a data loss prevention (DLP) component. 
4.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the router component routes connection network packet traffic through the inspection component.
5.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the at least one policy of the plurality of policies is selected as a function of at least one of a user, an application, an endpoint, or a session.
6.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the inspection component inspects the network traffic for at least one of packet filtering, threat detection, deep packet inspection, or data loss prevention (DLP).
7.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the inspection component inspects the network traffic for specific blocked content.
8.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 7, wherein upon identifying the specific blocked content, the inspection component blocks the specific blocked content.
9.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the first VPN tunnel comprises a plurality of physical VPN tunnels to differing client gateway components.
10.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the second VPN tunnel comprises a plurality of physical VPN tunnels to differing service VPN concentrators.
11.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the plurality of third party applications have their network traffic redirected to the first VPN tunnel.
12.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein domain name service (DNS) is used to redirect network packet traffic of the third party application to the mid-link server.
13.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the first VPN tunnel is built into an operating system for the client device.
14.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein an address service endpoint is a non-routable IP address.
15.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the first interceptor component traps network packet traffic on the client device.
16.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein a first connection over the first VPN tunnel is encrypted between the client endpoint function and the mid-link server.
17.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein a second connection over the second VPN tunnel is encrypted between the mid-link server and the service endpoint function.
18.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the mid-link server comprises a firewall interposed into network packet flow between the first and second VPN tunnels.
19.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the network packet traffic between client devices and the remote service is dual encrypted, with a first encryption being applied to network data packets for the client device to service session, and a second encryption applied for transport over a VPN tunnel. 
20.	(Currently Amended) The system to provide policy-controlled communication over the Internet between the plurality of remote services and the plurality of third party applications executing on the client device as recited in claim 1, wherein the plurality of policies includes a policy specifying what encryption to use on one or both of the first and second VPN tunnels.
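The mid-link server pipeline of claim 1 (policy selection per application as in claim 5, inspection for blocked content as in claims 7 and 8, policy-based routing to a second tunnel, and mediation that masks the client address from the service), modelled as an added illustration; this is constructed example code, not the applicant's implementation, and all class names, the tunnel labels and the addresses are hypothetical.

```python
from dataclasses import dataclass, replace

# Constructed model of the claim 1 mid-link server. A policy component selects the
# policy for the originating application, the inspection component examines the
# payload, and its instruction drives the router (which second tunnel) and the
# mediation component (re-addressing). Names and addresses are hypothetical.

@dataclass(frozen=True)
class Packet:
    src: str        # client device address as seen on the first VPN tunnel
    dst: str        # service address the third party application targeted
    app: str        # third party application that opened the session
    payload: bytes

@dataclass(frozen=True)
class Policy:
    tunnel: str                 # second VPN tunnel the router must use
    blocked: tuple[bytes, ...]  # specific content the inspection component blocks
    mask: bool = True           # mediation masks the client address from the service

MASK_SRC = "10.255.0.1"   # constructed non-routable address presented to the service

class MidLinkServer:
    def __init__(self, policies: dict[str, Policy], service_endpoints: dict[str, str]):
        self.policies = policies                    # keyed by application (claim 5 selector)
        self.service_endpoints = service_endpoints  # tunnel label -> service endpoint address

    def inspect(self, pkt: Packet, policy: Policy) -> str:
        """Inspection component: returns the instruction the policy implies for this content."""
        return "block" if any(term in pkt.payload for term in policy.blocked) else "forward"

    def process(self, pkt: Packet):
        """Returns (tunnel or verdict, re-addressed packet or None) for one arriving packet."""
        policy = self.policies.get(pkt.app)
        if policy is None:
            return ("drop", None)       # no policy covers this application's traffic
        if self.inspect(pkt, policy) == "block":
            return ("block", None)      # claim 8: identified blocked content is not forwarded
        # Mediation component: re-address so client and service never see each other's addresses
        out = replace(pkt, src=MASK_SRC if policy.mask else pkt.src,
                      dst=self.service_endpoints[policy.tunnel])
        return (policy.tunnel, out)     # router component: forward over the policy's tunnel
```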

Allowable Subject Matter
Claims 1-20 are allowed. No reason for allowance is needed as the record is clear in light of applicant’s arguments and the examiner’s amendment above. See MPEP 1302.14(I).

According to MPEP 1302.14(I): “In most cases, the examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the ‘record as a whole’ proviso of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111(b) and (c) and 37 CFR 1.133(b). Thus, where the examiner’s actions clearly point out the reasons for rejection and the applicant’s reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARIF E ULLAH whose telephone number is (571)272-5453.  The examiner can normally be reached on Mon-Fri 7:00-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHARIF E ULLAH/Primary Examiner, Art Unit 2495