DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on September 20, 2022.
Status of claims within the present application:
Claims 1 – 34 are pending
Claims 16 and 33 are amended.

Response to Arguments
Regarding objection to the abstract of the disclosure, Applicant’s remarks, see page [7 – 8], filed on September 20, 2022, have been considered and are persuasive. Therefore, the objection is withdrawn.
Regarding claims 1 – 6, 8 – 9, 13 – 23, 25 – 26, and 30 – 34 that were rejected under 35 U.S.C. 103 as being unpatentable over US 20100306816 A1 to McGrew et al., (hereinafter, “ McGrew”) in view of US 20160036778 A1 to Chen at al., (hereinafter, “Chen”), Applicant’s remarks, see page [8 – 12], filed on September 20, 2022, have been considered but they are not persuasive. Therefore, the applicant is directed to response below: 
With respect to independent claim 1, Applicant argues that the prior does not teach “a first certificate that is used to establish a secure network connection, wherein the first certificate comprises a first security attribute associated with a source IP address”. Examiner notes that McGrew discloses “the authentication policy decision determination made at 130 may be based, at least in part, on the identity data. The identity data may include a digital certificate, a message authentication code (MAC), an internet protocol (IP) destination address of the DFWIOI, an IP source address of the DFWIOI, a nonce generated by the first endpoint, a nonce generated by the second endpoint, a validation information for the digital certificate from a digital certificate exchange, and so on.” [Para. 26]. The identity data does map to the first certificate because the identity data encompass multiple component such as a digital certificate, an internet protocol (IP) destination address of the DFWIOI, and an IP source address of the DFWIOI. The element that is described to the applicant’s “first certificate” still within the mapping of the identity data because there is a certificate and IP address of both the source and destination. Secondly, the mapping of identity data is defined by the prior art because it is clearly defined that “the identity data may include a digital certificate, a message authentication code (MAC), an internet protocol (IP) destination address of the DFWIOI, an IP source address of the DFWIOI, a nonce generated by the first endpoint, a nonce generated by the second endpoint, a validation information for the digital certificate from a digital certificate exchange, and so on.” [para. 26]. Finally, there is a IP destination address within the identity data which would be used to send information between the two endpoints with partial encryption. Therefore, the rejection still stands.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 6, 8 – 9, 13 – 23, 25 – 26, and 30 – 34 are rejected under 35 U.S.C. 103 as being unpatentable over US 20100306816 A1 to McGrew et al., (hereinafter, “ McGrew”) in view of US 20160036778 A1 to Chen at al., (hereinafter, “Chen”).
Regarding claim 1, modified McGrew teaches a method for establishing a secure and authenticated network connection, the method comprising: a) receiving, from a requesting entity, a destination IP address and a first certificate that is used to establish a secure network connection, wherein the first certificate comprises a first security attribute associated with a source IP address; [McGrew, para. 26 discloses Method 100 may include, at 110, detecting a data flow. The data flow detected at 110 may be a data flow in which indicia of identity (DFWIOI) travel between a first endpoint and a second endpoint. The DFWIOI may be partially encrypted. While an encrypted DFWIOI is identified, in one embodiment the DFWIOI may not be encrypted but may still include information that can be used to authenticate one or both endpoints. Para. 29 discloses the authentication policy decision determination made at 130 may be based, at least in part, on the identity data. The identity data may include a digital certificate, a message authentication code (MAC), an internet protocol (IP) destination address of the DFWIOI, an IP source address of the DFWIOI, a nonce generated by the first endpoint, a nonce generated by the second endpoint, a validation information for the digital certificate from a digital certificate exchange, and so on.] b) identifying, with aid of one or more processors, a stored second security attribute associated with the destination IP address; [McGrew, para. 27 discloses Method 100 may also include, at 120, collecting an identity data. The identity data collected at 120 may be associated with the DFWIOI, the first endpoint, the second endpoint, and so on. The identity data associated with the DFWIOI may be data associated with the identities of the first endpoint and/or the second endpoint. While identity data is described, one skilled in the art will appreciate that the data may also include attributes, assertions, link layer addresses, TCP ports, UDP ports, and other parameters. para. 34 discloses a first process could detect a data flow at 110, a second process could collect an identity data at 120, a third process could make and authentication policy decision at 130, and a fourth process could control a networking device at 140. While four processes are described, it is to be appreciated that a greater and/or lesser number of processes could be employed and that lightweight processes, regular processes, threads, and other approaches could be employed. As described above, the identity data may be associated with user identity, device identity, location identity, and so on.], but McGrew does not teach c) determining, with aid of the one or more processors, a policy action based at least in part on the first security attribute and the second security attribute.  
However, Chen does teach c) determining, with aid of the one or more processors, a policy action based at least in part on the first security attribute and the second security attribute. [Chen, para. 90 discloses Security gateway 150 queries corporate directory 470 for a security policy, where the query includes user identity 424. User identity 424 may include private user identity 124 or public user identity 127. Corporate directory 470 matches user identity 424 against security policy 402 and determines security policy 402 is applicable to user identity 424. In some embodiments security policy 402 maps network parameters to a user identity and there is a match between user identity 424 and the user identity in the security policy 402. In some embodiments, security policy 402 maps network parameters to a group identity (not shown) and user identity 424 is a member of the group identity. In response to finding the match between the user identity 424 and the user identity in the security policy 402, corporate directory 470 sends security policy 402 to security gateway 150.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Chen’s system with McGrew’s system, with a motivation for A secure network 160 includes a host 130. User 120 uses host 130 to access a public application 180 hosted in application server 190. Application server 190 is outside of secure network 160. The network traffic between host 130 and application server 190 passes through security gateway 150. [Chen, para. 35]

As per claim 2, modified McGrew teaches the method of claim 1, further comprising transmitting, from the requesting entity, a certificate signing request (CSR) to an intermediate certificate authority, wherein the CSR comprises the first security attribute and the associated source IP address. [McGrew, para. 41 discloses Method 100 may include, at 325, verifying an identity. The identity that is verified at 325 may be the identity of the first endpoint, the identity of the second endpoint, and so on. The identity may be verified at 325 by acquiring a collected information from the digital certificate exchange. The collected information may include, for example, the identity of the first endpoint and/or the identity of the second endpoint. The collected information may facilitate validation of the digital certificate retrieved from the DFWIOI. The digital certificate may also be known as a digital signature. Para. 18 discloses verification of digital signatures associated with data flows and their sources and/or receivers may be performed. Verification may include communicating with a digital exchange that verifies the digital signature. AvM authentication may attempt to verify the digital signature with a third party digital exchange. The verification provides the network security device with a cryptographic guarantee that an endpoint that generated the signature is the holder of the private key associated with the public key.]

As per claim 3, modified McGrew teaches the method of claim 2, wherein a mapping relationship between the first security attribute and the source IP address is received from a computing device running the intermediate certificate authority. [McGrew, para. 27 discloses Method 100 may also include, at 120, collecting an identity data. The identity data collected at 120 may be associated with the DFWIOI, the first endpoint, the second endpoint, and so on. The identity data associated with the DFWIOI may be data associated with the identities of the first endpoint and/or the second endpoint. While identity data is described, one skilled in the art will appreciate that the data may also include attributes, assertions, link layer addresses, TCP ports, UDP ports, and other parameters. Para. 18 discloses verification of digital signatures associated with data flows and their sources and/or receivers may be performed. Verification may include communicating with a digital exchange that verifies the digital signature. AvM authentication may attempt to verify the digital signature with a third party digital exchange. The verification provides the network security device with a cryptographic guarantee that an endpoint that generated the signature is the holder of the private key associated with the public key.]

As per claim 4, modified McGrew teaches the method of claim 3, wherein the mapping relationship is at least in part managed by the intermediate certificate authority. [McGrew, para. 18 discloses verification of digital signatures associated with data flows and their sources and/or receivers may be performed. Verification may include communicating with a digital exchange that verifies the digital signature. AvM authentication may attempt to verify the digital signature with a third party digital exchange. The verification provides the network security device with a cryptographic guarantee that an endpoint that generated the signature is the holder of the private key associated with the public key.]

As per claim 5, modified McGrew teaches the method of claim 2, further comprising receiving a certificate from the intermediate certificate authority, wherein the certificate comprises the first security attribute. [McGrew, para. 41 discloses Method 100 may include, at 325, verifying an identity. The identity that is verified at 325 may be the identity of the first endpoint, the identity of the second endpoint, and so on. The identity may be verified at 325 by acquiring a collected information from the digital certificate exchange. The collected information may include, for example, the identity of the first endpoint and/or the identity of the second endpoint. The collected information may facilitate validation of the digital certificate retrieved from the DFWIOI. The digital certificate may also be known as a digital signature.]

Regarding claim 6, modified McGrew teaches the method of claim 2, but McGrew does not teach further comprising storing the certificate in a local database managed by the requesting entity.  
However, Chen does teach further comprising storing the certificate in a local database managed by the requesting entity. [Chen, para. 13 discloses storing the second user identity as a network user identity used for accessing the network in the application session record. para. 62 discloses Security gateway 150 creates application session record 184. Security gateway 150 extracted the source IP address from the IP header of data packet 339, and stores the source IP address as host identity 134. In some embodiments, data packet 339 includes link layer information, such as a source MAC address; security gateway 150 extracts and stores the source MAC address as host identity 134.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Chen’s system with McGrew’s system, with a motivation for A secure network 160 includes a host 130. User 120 uses host 130 to access a public application 180 hosted in application server 190. Application server 190 is outside of secure network 160. The network traffic between host 130 and application server 190 passes through security gateway 150. [Chen, para. 35]

Regarding claim 8, modified McGrew the method of claim 1, but McGrew does not teach further comprising identifying, with aid of the one or more processors, a second certificate associated with the destination IP address.  
However, Chen does teach further comprising identifying, with aid of the one or more processors, a second certificate associated with the destination IP address. [Chen, para. 81 discloses Identity server 570 receives host identity 134 and application session time 186. Identity server 570 matches host identity 134 and application session time 186 against access session record 164. Identity server 570 determines that host identity 134 matches host identity of access session record 164. Identity server 570 further determines that application session time 186 matches access session time 166 of access session record 164 as application session time 186 is between the starting time and the ending time of access session record 164. Identity server 570 sends private user identity 124 of access session record 164 to security gateway 150 as a response to the query. para. 87 discloses security gateway 150 obtains the additional user information from identity server 570. In some embodiments, security gateway 150 obtains the additional user information by querying a different server, such as a corporate directory server, by using the private user identity 124 received from identity server 570.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Chen’s system with McGrew’s system, with a motivation for A secure network 160 includes a host 130. User 120 uses host 130 to access a public application 180 hosted in application server 190. Application server 190 is outside of secure network 160. The network traffic between host 130 and application server 190 passes through security gateway 150. [Chen, para. 35]

Regarding claim 9, modified McGrew teaches the method of claim 8, but McGrew does not teach further comprising transmitting the second certificate to the requesting entity.  
However, Chen does teach further comprising transmitting the second certificate to the requesting entity.  [Chen, para. 13 discloses querying an identity server by sending the host identity and the application session time in the application session record, wherein the identity server comprises an access session record for an access session between a second host and the network, wherein the access session record comprises a second user identity used for accessing the network through the second host, a second host identity for the second host, and an access session time, wherein the identity server compares the host identity in the application session record with the second host identity in the access session record, and comparing the access session time with the application session time, wherein the identity server returns the second user identity in the access session record, if the host identity in the application session record matches the second host identity in the access session record, and if the access session time matches the application session time; and storing the second user identity as a network user identity used for accessing the network in the application session record;]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Chen’s system with McGrew’s system, with a motivation for A secure network 160 includes a host 130. User 120 uses host 130 to access a public application 180 hosted in application server 190. Application server 190 is outside of secure network 160. The network traffic between host 130 and application server 190 passes through security gateway 150. [Chen, para. 35]
As per claim 13, modified McGrew teaches the method of claim 1, further comprising executing the policy action on a base system logic or by the requesting entity. [McGrew, para. 48 discloses a control logic 450 to determine a connection policy 455 for the data flow 420. The connection policy 455 may be based, at least in part, on the identification information. The connection policy 455 may control whether to allow a connection for the data flow 420, a quality of service (QoS) for the data flow 420, and so on. In one embodiment, the QoS may include parameters to facilitate control of a data transfer rate, a memory allocation associated with the data flow, a security monitoring feature, a packet delay, a packet jitter target rate, and so on.] 

As per claim 14, modified McGrew teaches the method of claim 13, wherein the base system logic comprises a bare metal server, a hypervisor or a docker base for controlling one or more virtual machines or containers. [McGrew, para. 33 discloses the networking device may be associated with the DFWIOI. Control of the networking device at 140 may be based, at least in part, on the authentication policy decision made at 130. The network device may be a firewall that the data flow traverses when traveling between the first endpoint and the second endpoint. The firewall may act as a security agent that allows or denies the data flow the ability to traverse the firewall. One skilled in the art will realize that a data flow may or may not actually travel between the first endpoint and the second endpoint. In cases where the data flow is denied the right to traverse the firewall, the data flow is still a data flow except it does not actually flow to its intended destination. For example, the first endpoint may request to send the data flow to the second endpoint, however, the networking device may not allow the connection based on the authentication policy decision made at 130.] 

As per claim 15, modified McGrew teaches the method of claim 1, wherein the policy action comprises at least one of the following: allow, block, rate-limit, mark and alert. [McGrew, para. 17 discloses the network security device may decide whether to allow, block or limit access to a network based on the results of AvM associated with receivers, sources, (e.g., identity networking) and/or the messages associated with those receivers and sources. Different identity authentication or verification approaches may be used with AvM to give network security devices an ability to identify and/or verify sources and receivers of data flows to prevent attacks. In addition to authenticating end-user identity, AvM may also facilitate identifying and validating end-point devices (e.g., anti-counterfeiting certificate) that facilitate enforcing device or location authorizations.]

Regarding claim 16, modified McGrew teaches the method of claim 1, wherein the first certificate is a trusted certificate issued by a certificate authority, [McGrew, para. 41 discloses the identity that is verified at 325 may be the identity of the first endpoint, the identity of the second endpoint, and so on. The identity may be verified at 325 by acquiring a collected information from the digital certificate exchange. The collected information may include, for example, the identity of the first endpoint and/or the identity of the second endpoint. The collected information may facilitate validation of the digital certificate retrieved from the DFWIOI. The digital certificate may also be known as a digital signature.], but McGrew does not teach wherein the first security attribute in the first certificate comprises a security group the source IP address is associated therewith.
However, Chen does teach wherein the first certificate is a trusted certificate issued by a certificate authority, wherein the first security attribute in the first certificate comprises a security group the source IP address is associated therewith. [Chen, para. 90 discloses Security gateway 150 queries corporate directory 470 for a security policy, where the query includes user identity 424. User identity 424 may include private user identity 124 or public user identity 127. Corporate directory 470 matches user identity 424 against security policy 402 and determines security policy 402 is applicable to user identity 424. In some embodiments security policy 402 maps network parameters to a user identity and there is a match between user identity 424 and the user identity in the security policy 402. In some embodiments, security policy 402 maps network parameters to a group identity (not shown) and user identity 424 is a member of the group identity. In response to finding the match between the user identity 424 and the user identity in the security policy 402, corporate directory 470 sends security policy 402 to security gateway 150.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Chen’s system with McGrew’s system, with a motivation for A secure network 160 includes a host 130. User 120 uses host 130 to access a public application 180 hosted in application server 190. Application server 190 is outside of secure network 160. The network traffic between host 130 and application server 190 passes through security gateway 150. [Chen, para. 35]

Regarding claim 17, modified McGrew teaches the method of claim 1, but McGrew does not teach wherein the second security attribute comprises a security group the destination IP address is associated therewith.  
However, Chen does teach wherein the second security attribute comprises a security group the destination IP address is associated therewith. [Chen, para. 90 discloses Security gateway 150 queries corporate directory 470 for a security policy, where the query includes user identity 424. User identity 424 may include private user identity 124 or public user identity 127. Corporate directory 470 matches user identity 424 against security policy 402 and determines security policy 402 is applicable to user identity 424. In some embodiments security policy 402 maps network parameters to a user identity and there is a match between user identity 424 and the user identity in the security policy 402. In some embodiments, security policy 402 maps network parameters to a group identity (not shown) and user identity 424 is a member of the group identity. In response to finding the match between the user identity 424 and the user identity in the security policy 402, corporate directory 470 sends security policy 402 to security gateway 150.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Chen’s system with McGrew’s system, with a motivation for A secure network 160 includes a host 130. User 120 uses host 130 to access a public application 180 hosted in application server 190. Application server 190 is outside of secure network 160. The network traffic between host 130 and application server 190 passes through security gateway 150. [Chen, para. 35]

	Regarding claim 18 – 23, they recite features as similar to feature within claim 1 – 6, therefore, they are rejected in a similar manner.

Regarding claim 25 – 26, they recite features as similar to feature within claim 8 – 9, therefore, they are rejected in a similar manner.

Regarding claim 30 – 34, they recite features as similar to feature within claim 13 – 17, therefore, they are rejected in a similar manner.

Claims 7, 10, 12, 24, 27, and 29 are rejected under 35 U.S.C. 103 as being unpatentable over US 20100306816 A1 to McGrew et al., (hereinafter, “McGrew”) in view of US 20160036778 A1 to Chen at al., (hereinafter, “Chen”) in further view of US 20090198689 A1 to Frazier et al., (hereinafter, “Frazier”).
Regarding claim 7, modified McGrew teaches the method of claim 2, but modified McGrew does not teach wherein the intermediate certificate authority is verified by a root certificate authority.  
However, Frazier does teach wherein the intermediate certificate authority is verified by a root certificate authority. [Frazier, para. 57 discloses (1) creation of a certificate authority, (2) signing of certificates for trust domain entities, (3) maintenance of a revocation list for trust domain entities, and (4) authentication and revocation checking mechanisms in a subscribing entities. Para. 58 discloses a certificate authority must be created to anchor the trust domain. The role of the certificate authority is to issue identities and credentials to trust domain entities by signing certificates for those trust domain entities. In one embodiment of the invention, the X.509 standard is used for certificates, which specifies the format, signing algorithms and standards, and methods for validation of a certificate. The certificate authority is a component of one controller within a trust domain. If there multiple controllers within the same trust domain, one is designated the master and becomes the certificate authority for the entire trust domain. The new certificate authority is called the trust domain certificate authority (TDCA), and is embodied by a public/secret key pair, as well as a certificate representing the certificate authority. ]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Frazier’s system with McGrew’s system, with a motivation to verify whether a certificate presented by a trust domain entity is valid; therefore, all subscribing entities must receive a copy of the TDCA certificate before they can begin to operate with components that are in the trust domain. [Frazier, para. 58]
 
Regarding claim 10, modified McGrew teaches the method of claim 8, but modified McGrew does not teach wherein the first certificate and the second certificate are issued by the same intermediate certificate authority. 
However, Frazier does teach wherein the first certificate and the second certificate are issued by the same intermediate certificate authority. [Frazier, para. 60 discloses The Master Controller 505 bootstraps the signing keypair and master certificate in a step 520. The User 500 is prompted for and sets passphrase to protect the certificate authority secret key, the certificate authority expiration date, and default expiry for subordinate certificates in a step 525. The certificate authority secret key is stored on the master controller disk and protected with a user-set passphrase in a step 530. A certificate revocation list is created, signed, and published in a step 530. The master certificate authority embeds the public key and current certificate revocation list into Agent installation package in a step 535. A User 500 requests that a Controller generate a certificate signing request in a step 540. The Controller 510 creates a keypair and a certificate signing request for use in authentication to Agents 500 in a step 545. The User 500 receives the certificate signing request in a text format from the web-based user interface in a step 550. Para. 61 discloses The TDCA can issue certificates to entities to make them part of the trust domain.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Frazier’s system with McGrew’s system, with a motivation to verify whether a certificate presented by a trust domain entity is valid; therefore, all subscribing entities must receive a copy of the TDCA certificate before they can begin to operate with components that are in the trust domain. [Frazier, para. 58]

Regarding claim 12, modified McGrew teaches the method of claim 11, but modified McGrew does not teach wherein the different intermediate certificate authorities are verified by the same root certificate authority. 
However, Frazier does teach wherein the different intermediate certificate authorities are verified by the same root certificate authority. [Frazier, para. 57 discloses (1) creation of a certificate authority, (2) signing of certificates for trust domain entities, (3) maintenance of a revocation list for trust domain entities, and (4) authentication and revocation checking mechanisms in a subscribing entities. Para. 58 discloses a certificate authority must be created to anchor the trust domain. The role of the certificate authority is to issue identities and credentials to trust domain entities by signing certificates for those trust domain entities. In one embodiment of the invention, the X.509 standard is used for certificates, which specifies the format, signing algorithms and standards, and methods for validation of a certificate. The certificate authority is a component of one controller within a trust domain. If there multiple controllers within the same trust domain, one is designated the master and becomes the certificate authority for the entire trust domain. The new certificate authority is called the trust domain certificate authority (TDCA), and is embodied by a public/secret key pair, as well as a certificate representing the certificate authority.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Frazier’s system with McGrew’s system, with a motivation to verify whether a certificate presented by a trust domain entity is valid; therefore, all subscribing entities must receive a copy of the TDCA certificate before they can begin to operate with components that are in the trust domain. [Frazier, para. 58]

Regarding claim 24, it recites features as similar to feature within claim 7, therefore, it is rejected in a similar manner.

Regarding claim 27 and 29, they recite features as similar to feature within claim 10 and 12, therefore, they are rejected in a similar manner.

Claims 11 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over US 20100306816 A1 to McGrew et al., (hereinafter, “McGrew”) in view of US 20160036778 A1 to Chen at al., (hereinafter, “Chen”) in further view of US 20150326401 A1 to Jin et al., (hereinafter, “Jin”).
Regarding claim 11, modified McGrew teaches the method of claim 8, but modified McGrew does not teach wherein the first certificate and the second certificate are issued by different intermediate certificate authorities.  
However, Jin does teach wherein the first certificate and the second certificate are issued by different intermediate certificate authorities [Jin, para. 19 discloses certificates issued by the different CAs are indicated by issuers of certificates in the certificate information.]
Therefore, it would have been obvious to one of ordinary skill within the art before the effective filling date to combine Frazier’s system with McGrew’s system, with a motivation to implement automatic revocation of a digital certificate for a network element device out of a network environment, thereby ensuring that a device certificate of an operator is used with permission, and increasing network security for the operator. [Jin, para. 8]

Regarding claim 28, it recites features as similar to feature within claim 11, therefore, it is rejected in a similar manner.

Conclusion
Pertinent prior art made of record however not relied upon includes:
US 20160048936 A1 to Perkowski et al. 
“An advanced relational database and user interface system used for the evaluation, analysis and generation of specialized reports in any of a plurality data analysis environments. The database and analysis system can be utilized for many purposes, but particularly and preferably to support the analysis of patent claims and more specifically claim construction, infringement, written description, invalidity and/or patentability, among other matters of intellectual property litigation and analysis.”
US 20130212292 A1 to Jennings et al.
 “The system and method for streaming media to a viewer and managing the media comprises an enhanced service routing processor (ESRP), a real time switch management system (RTSMS), a name routing processor (NRP), and a managed media switch (MMS). The RTSMS has a reservation system. The ESRP receives media from an owner, manages the media according to media rules and order rules defined by the owner, and distributes the media to one or more switches, such as the MMS, according to the media rules and the order rules. The RTSMS is configured to receive the media rules and to receive a viewer's media request via the reservation server. The reservation system of the RTSMS processes the media request according to the media rules and builds a reservation for the requested media. The RTSMS generates the reservation to the viewer and to the NRP. The NRP receives the reservation data from the viewer and from the RTSMS. The NRP processes the reservation data and locates an MMS that can stream the media to the viewer. The NRP transmits the IP address of the MMS to the viewer and transmits the reservation data to the MMS. The viewer initiates a session or connection with the MMS using the reservation number. If the reservation data from the viewer matches the reservation data from the NRP, the MMS streams the media to the viewer.”
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Phuc Pham whose telephone number is (571)272-8893. The examiner can normally be reached Monday - Thursday 7:30 AM - 4:30 PM; Friday 8:00 AM - 12:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/P.P./Patent Examiner, Art Unit 2434                                                                                                                                                                                                        
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434