Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first-to-invent provisions.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 09/30/2022 has been entered. Claims 15-19, 21-27, 29-35, and 37-38 have been examined. Claims 1-14, 20, 28, and 36 are cancelled.


Response to Arguments
Applicant's arguments, see Remarks filed on 09/30/2022, with respect to the rejection of claims 15, 23, and 31 under 35 U.S.C. 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Palekar.






Priority
Applicant has not complied with one or more conditions for receiving the benefit of the earlier filing date of provisional application No. 61/431,270, filed on 01/10/2011, as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original non-provisional application or provisional application); the disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of the first paragraph of 35 U.S.C. 112. See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994).
In the present application, support for the following limitation is lacking in provisional application 61/431,270, dated 01/10/2011:

For example, the limitation "wherein the first connection comprises a secure and persistent channel directly between the local network and the at least one external server" is not supported by the provisional application. Therefore, the examiner will consider the priority date to be that of continuation application 13/347,352, filed on 01/10/2012.







Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.


Claims 15-19, 23-27, and 31-35 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Klitscher et al., Publication No. WO 2010/043234 A1 (hereinafter Klitscher), in view of Palekar et al., KR 20060047551 A (hereinafter Palekar).

Regarding claim 15,

Klitscher teaches a method, comprising:

initiating, by a hardware resource executing a cloud extension agent on a local network, a first connection to at least one external server, over a wide area network external from the local network and separated by at least one firewall, using a standard internet protocol (Fig. 1, Abstract - Each storage device is equipped with a software storage manager adapted to establish a permanent connection to the web application server. The web application server can then identify the storage device within the network and can access and retrieve data from said storage device on request by a user of the computing device through the device management service. The web application server and the software storage manager may have a keep-alive mechanism to avoid disconnections – Page 4 - the installed software implements a service, referred to herein as a storage manager or storage manager service, that initially establishes the connection to the web application server. The typical configuration of routers, firewalls or other intermediate network nodes can therefore be avoided and the user is not required to make any modifications to the router and/or firewall. For example, when the storage manager service initiates a connection to the web application server from inside a firewall local to the storage device, the firewall need not be configured for the reception of external requests as long as this connection is kept alive);

wherein the first connection comprises a [..] and persistent channel directly between the local network and the at least one external server (Fig. 1, Abstract - Each storage device is equipped with a software storage manager adapted to establish a permanent connection to the web application server. The web application server can then identify the storage device within the network and can access and retrieve data from said storage device on request by a user of the computing device through the device management service. The web application server and the software storage manager may have a keep-alive mechanism to avoid disconnections – Page 4 - the installed software implements a service, referred to herein as a storage manager or storage manager service, that initially establishes the connection to the web application server. The typical configuration of routers, firewalls or other intermediate network nodes can therefore be avoided and the user is not required to make any modifications to the router and/or firewall. For example, when the storage manager service initiates a connection to the web application server from inside a firewall local to the storage device, the firewall need not be configured for the reception of external requests as long as this connection is kept alive – Page 22 - the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490 – Page 9 - once the connection has been opened, the web application service 115 may optionally include a mechanism to maintain the connection according to the proprietary protocol).



receiving, via the first connection, a first set of instructions to manage a configuration of each of a first set of [..] devices by one or more local servers on the local network (Page 22 – the computing device 140 sends the user interaction to the web application service 115. For example, an HTTP-GET or HTTP-POST may be sent to the internet portal 340 provided by web application server 110. The user interaction received is then processed by the web application service 115 and a request is generated at step 460. This request for a particular action or functionality is then sent at step 465 to the storage manager 240. Again, this request may be implemented as HTTP commands or any other suitable protocol command. Thus, using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310 – Page 4 - when the storage manager service initiates a connection to the web application server from inside a firewall local to the storage device, the firewall need not be configured for the reception of external requests as long as this connection is kept alive).



changing a configuration of one or more of the first set of [..] devices in response to the first set of instructions; and transmitting, via the first connection, status and configuration information comprising data indicative of changes to the configuration of the one or more of the first set of [..] devices to the external server made in response to the first set of instructions (Page 22 - using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310. At step 480, the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490).

Klitscher does not explicitly teach that the device of the set of devices is a mobile device of a set of mobile devices, that the channel is a secure channel, or wherein a configuration of each of the first set of mobile devices includes quarantine settings of the mobile device and a security policy of the mobile device.


However, Palekar teaches 

the device of the set of devices is a mobile device of a set of mobile devices (Page 7 - The present invention can be applied to various other general or special purpose computing system environments or configurations. Examples of known computing systems, environments, and configurations suitable for use in the present invention include personal computers, server computers, portable or laptop devices, multiprocessor systems, microprocessor based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, and the like).


the channel is a secure channel (Page 2 - In order to emulate a point-to-point link, data is encapsulated or wrapped with a header that provides routing information allowing it to cross the shared or transit internetwork and reach its final destination. To emulate a private link, the data sent is encrypted for confidentiality. Packets intercepted on a shared or public network cannot be decrypted without the encryption key - After the security association is established, data security processing is applied to the packets sent to the remote receiver, so that data transmission to each computer can proceed. Such processing may simply be to ensure the integrity of the data being transmitted, or may be to encrypt the data being transmitted).


wherein a configuration of each of the first set of mobile devices includes quarantine settings of the mobile device and a security policy of the mobile device (Page 5 - A system for enforcing a network quarantine policy, comprising: at least one enforcement server for communicating with at least one client via a network protocol and receiving at least one statement of health from the client, and a network quarantine server comprising a coordination server for receiving the at least one statement of health from the enforcement server and querying at least one policy server to verify it. If each health statement is verified, the coordination server instructs the at least one enforcement server to authorize the at least one client to access the network resources. If each health statement is not verified, the coordination server instructs the at least one enforcement server to enforce the quarantine policy obtained from the at least one policy server. In keeping with the features of the present invention, the coordination server publishes an interface that allows at least one policy server to communicate with the coordination server. The coordination server communicates with at least one policy server through an interface provided by at least one policy server - Policy server 220 includes an inspection policy that an administrator wishes the client to check, for operating system (OS) versions, anti-virus signature versions, and the like – The policy server also sends the client the information it needs to change to the correct configuration, such as patches, anti-virus updates, and so on. The client connects to policy server 220 to obtain the expected client policy, and returns SoH responses and responses to network resources. The network administrator may configure a quarantine policy on QES 230.
The client can obtain the policy and configuration from a plurality of different policy servers, such as, for example, a WUS server for patches and an anti-virus signature server - The client device may include one or more QPCs, for example, QPC 410a, QPC 410b, and QPC 410c. Each QPC communicates with one or more policy servers 440 and provides policies and configurations to the network).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Palekar. The motivation for doing so is to allow a system to reliably restrict access to network resources by devices that are not validated or have a compromised state (Abstract – Palekar).

Regarding claim 16,

Klitscher further teaches
gathering status and configuration information from the one or more local servers on the local network (Page 22 - using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310. At step 480, the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490).

 
Regarding claim 17,

Klitscher further teaches 
wherein gathering status and configuration information is performed after initiation of the first connection (Page 22 - using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310. At step 480, the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490).

 




Regarding claim 18,

Klitscher further teaches
wherein the first local network is a customer premise network (Fig. 1, Page 14).



Regarding claim 19,

Klitscher does not explicitly teach that the first connection is a secure connection.
However, Palekar teaches
wherein the first connection is a secure connection (Page 2 - In order to emulate a point-to-point link, data is encapsulated or wrapped with a header that provides routing information allowing it to cross the shared or transit internetwork and reach its final destination. To emulate a private link, the data sent is encrypted for confidentiality. Packets intercepted on a shared or public network cannot be decrypted without the encryption key - After the security association is established, data security processing is applied to the packets sent to the remote receiver, so that data transmission to each computer can proceed. Such processing may simply be to ensure the integrity of the data being transmitted, or may be to encrypt the data being transmitted).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Palekar. The motivation for doing so is to allow a system to reliably restrict access to network resources by devices that are not validated or have a compromised state (Abstract – Palekar).

Regarding claim 23,

Klitscher teaches an apparatus, comprising:
a hardware resource to execute a cloud extension agent on a local network to: initiate a first connection to at least one external server, over a wide area network external from the local network and separated by at least one firewall, using a standard internet protocol (Fig. 1, Abstract - Each storage device is equipped with a software storage manager adapted to establish a permanent connection to the web application server. The web application server can then identify the storage device within the network and can access and retrieve data from said storage device on request by a user of the computing device through the device management service. The web application server and the software storage manager may have a keep-alive mechanism to avoid disconnections – Page 4 - the installed software implements a service, referred to herein as a storage manager or storage manager service, that initially establishes the connection to the web application server. The typical configuration of routers, firewalls or other intermediate network nodes can therefore be avoided and the user is not required to make any modifications to the router and/or firewall. For example, when the storage manager service initiates a connection to the web application server from inside a firewall local to the storage device, the firewall need not be configured for the reception of external requests as long as this connection is kept alive);

wherein the first connection comprises a [..] and persistent channel directly between the local network and the at least one external server (Fig. 1, Abstract - Each storage device is equipped with a software storage manager adapted to establish a permanent connection to the web application server. The web application server can then identify the storage device within the network and can access and retrieve data from said storage device on request by a user of the computing device through the device management service. The web application server and the software storage manager may have a keep-alive mechanism to avoid disconnections – Page 4 - the installed software implements a service, referred to herein as a storage manager or storage manager service, that initially establishes the connection to the web application server. The typical configuration of routers, firewalls or other intermediate network nodes can therefore be avoided and the user is not required to make any modifications to the router and/or firewall. For example, when the storage manager service initiates a connection to the web application server from inside a firewall local to the storage device, the firewall need not be configured for the reception of external requests as long as this connection is kept alive – Page 22 - the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490 – Page 9 - once the connection has been opened, the web application service 115 may optionally include a mechanism to maintain the connection according to the proprietary protocol).



receive, via the first connection, a first set of instructions to manage a configuration of each of a first set of [..] devices by one or more local servers on the local network (Page 22 – the computing device 140 sends the user interaction to the web application service 115. For example, an HTTP-GET or HTTP-POST may be sent to the internet portal 340 provided by web application server 110. The user interaction received is then processed by the web application service 115 and a request is generated at step 460. This request for a particular action or functionality is then sent at step 465 to the storage manager 240. Again, this request may be implemented as HTTP commands or any other suitable protocol command. Thus, using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310 – Page 4 - when the storage manager service initiates a connection to the web application server from inside a firewall local to the storage device, the firewall need not be configured for the reception of external requests as long as this connection is kept alive).



change a configuration of one or more of the first set of [..] devices in response to the first set of instructions; and transmit, via the first connection, status and configuration information comprising data indicative of changes to the configuration of the one or more of the first set of [..] devices to the external server made in response to the first set of instructions (Page 22 - using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310. At step 480, the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490).

Klitscher does not explicitly teach that the device of the set of devices is a mobile device of a set of mobile devices, that the channel is a secure channel, or wherein a configuration of each of the first set of mobile devices includes quarantine settings of the mobile device and a security policy of the mobile device.


However, Palekar teaches 

the device of the set of devices is a mobile device of a set of mobile devices (Page 7 - The present invention can be applied to various other general or special purpose computing system environments or configurations. Examples of known computing systems, environments, and configurations suitable for use in the present invention include personal computers, server computers, portable or laptop devices, multiprocessor systems, microprocessor based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, and the like).


the channel is a secure channel (Page 2 - In order to emulate a point-to-point link, data is encapsulated or wrapped with a header that provides routing information allowing it to cross the shared or transit internetwork and reach its final destination. To emulate a private link, the data sent is encrypted for confidentiality. Packets intercepted on a shared or public network cannot be decrypted without the encryption key - After the security association is established, data security processing is applied to the packets sent to the remote receiver, so that data transmission to each computer can proceed. Such processing may simply be to ensure the integrity of the data being transmitted, or may be to encrypt the data being transmitted).


wherein a configuration of each of the first set of mobile devices includes quarantine settings of the mobile device and a security policy of the mobile device (Page 5 - A system for enforcing a network quarantine policy, comprising: at least one enforcement server for communicating with at least one client via a network protocol and receiving at least one statement of health from the client, and a network quarantine server comprising a coordination server for receiving the at least one statement of health from the enforcement server and querying at least one policy server to verify it. If each health statement is verified, the coordination server instructs the at least one enforcement server to authorize the at least one client to access the network resources. If each health statement is not verified, the coordination server instructs the at least one enforcement server to enforce the quarantine policy obtained from the at least one policy server. In keeping with the features of the present invention, the coordination server publishes an interface that allows at least one policy server to communicate with the coordination server. The coordination server communicates with at least one policy server through an interface provided by at least one policy server - Policy server 220 includes an inspection policy that an administrator wishes the client to check, for operating system (OS) versions, anti-virus signature versions, and the like – The policy server also sends the client the information it needs to change to the correct configuration, such as patches, anti-virus updates, and so on. The client connects to policy server 220 to obtain the expected client policy, and returns SoH responses and responses to network resources. The network administrator may configure a quarantine policy on QES 230.
The client can obtain the policy and configuration from a plurality of different policy servers, such as, for example, a WUS server for patches and an anti-virus signature server - The client device may include one or more QPCs, for example, QPC 410a, QPC 410b, and QPC 410c. Each QPC communicates with one or more policy servers 440 and provides policies and configurations to the network).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Palekar. The motivation for doing so is to allow a system to reliably restrict access to network resources by devices that are not validated or have a compromised state (Abstract – Palekar).

Regarding claim 24,
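The combination relied on above for claims 15 and 23 (an agent on the local network that initiates an outbound, kept-alive channel to the external server so that no inbound firewall rule is needed, as in Klitscher, over which a security policy and quarantine settings for the managed devices are received, applied and reported back, with a Palekar-style statement-of-health verification deciding which devices are quarantined) can be traced end to end in the following Python illustration. It is an added example written for this page; it is not code from the application under examination, from Klitscher or from Palekar. The line-delimited JSON messages, the policy fields min_os and min_av_sig, the constructed device inventory and all function names are assumptions made for the illustration, and the "external server" runs in a thread on the loopback interface so that the exchange runs offline.

```python
"""Agent-initiated management channel with statement-of-health quarantine.

Added illustration for this page; not code from the application under
examination, from Klitscher or from Palekar.  The message format, policy
fields, device inventory and function names are assumptions.
"""
import copy
import json
import socket
import threading

# Constructed inventory of the "first set of mobile devices" on the local
# network.  Each record is the device's statement of health (SoH) as gathered
# by the agent from the local servers, plus its current quarantine state.
DEVICES = {
    "phone-01":  {"os": "4.2", "av_sig": 1180, "quarantined": False},
    "phone-02":  {"os": "4.0", "av_sig": 1175, "quarantined": False},
    "tablet-03": {"os": "4.2", "av_sig": 1181, "quarantined": True},
}

# Constructed "first set of instructions": a security policy (minimum OS and
# anti-virus signature versions) plus the quarantine settings to apply to any
# device whose SoH fails the policy.  Field names are assumptions.
POLICY = {
    "min_os": "4.1",
    "min_av_sig": 1180,
    "quarantine": {"allow_hosts": ["remediation.example.invalid"], "block_other": True},
}


def version_tuple(text):
    """'4.10' -> (4, 10) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def soh_verified(device, policy):
    """Palekar-style verification: every element of the SoH must satisfy the policy."""
    return (version_tuple(device["os"]) >= version_tuple(policy["min_os"])
            and device["av_sig"] >= policy["min_av_sig"])


def apply_policy(devices, policy):
    """Agent side: set quarantine state per device and return only what changed."""
    changes = []
    for name, dev in devices.items():
        wanted = not soh_verified(dev, policy)
        if dev["quarantined"] != wanted:
            dev["quarantined"] = wanted
            dev["quarantine_settings"] = policy["quarantine"] if wanted else None
            changes.append({"device": name, "quarantined": wanted})
    return changes


def send(f, msg):
    """One JSON object per line; flush so the peer is never left waiting."""
    f.write(json.dumps(msg) + "\n")
    f.flush()


def external_server(listener, policy, result):
    """External management server.  It never dials into the local network; it
    only answers the agent's outbound connection and pushes instructions down it."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rw") as f:
        result["agent"] = json.loads(f.readline())["agent"]
        send(f, {"type": "ping"})                       # keep-alive probe
        if json.loads(f.readline())["type"] != "pong":
            raise RuntimeError("channel not alive")
        send(f, {"type": "instructions", "policy": policy})
        result["status"] = json.loads(f.readline())     # status and config report


def cloud_extension_agent(port, devices):
    """Agent inside the firewall.  It initiates the single outbound connection
    and services instructions over it, so no inbound firewall rule is needed."""
    with socket.create_connection(("127.0.0.1", port)) as s, s.makefile("rw") as f:
        send(f, {"type": "hello", "agent": "site-a"})
        for line in f:
            msg = json.loads(line)
            if msg["type"] == "ping":
                send(f, {"type": "pong"})
            elif msg["type"] == "instructions":
                changes = apply_policy(devices, msg["policy"])
                send(f, {"type": "status", "changes": changes, "devices": devices})
                return changes
    return []


def run_exchange(devices=None, policy=POLICY):
    """Run server and agent on loopback; return the agent's change list and the
    status report exactly as the server received it."""
    devices = copy.deepcopy(DEVICES) if devices is None else devices
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                     # ephemeral port
    listener.listen(1)
    result = {}
    worker = threading.Thread(target=external_server, args=(listener, policy, result))
    worker.start()
    changes = cloud_extension_agent(listener.getsockname()[1], devices)
    worker.join()
    listener.close()
    return changes, result["status"]


if __name__ == "__main__":
    print(json.dumps(run_exchange()[1], indent=1))
```

With the constructed inventory, phone-02 fails the minimum OS version and is placed in quarantine, tablet-03 now passes and is released, and phone-01 is unchanged; only the two changed records travel back as the status report, which is the "data indicative of changes" the claim recites. The connection direction is the security-relevant point: the listener sits on the server side and the agent only ever connects outward, which is why the local firewall needs no inbound rule.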

Klitscher further teaches
wherein the hardware resource is further to: gather the status and configuration information from the one or more local servers on the local network (Page 22 - using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310. At step 480, the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490).


Regarding claim 25,

Klitscher further teaches 
wherein to gather the status and configuration information after initiation of the first connection (Page 22 - using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310. At step 480, the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490).

Regarding claim 26,

Klitscher further teaches
wherein the first local network is a customer premise network (Fig. 1, Page 14).


Regarding claim 27,

Klitscher does not explicitly teach that the first connection is a secure connection. However, Palekar teaches

wherein the first connection is a secure connection (Page 2 - In order to emulate a point-to-point link, data is encapsulated or wrapped with a header that provides routing information allowing it to cross the shared or transit internetwork and reach its final destination. To emulate a private link, the data sent is encrypted for confidentiality. Packets intercepted on a shared or public network cannot be decrypted without the encryption key - After the security association is established, data security processing is applied to the packets sent to the remote receiver, so that data transmission to each computer can proceed. Such processing may simply be to ensure the integrity of the data being transmitted, or may be to encrypt the data being transmitted).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Palekar. The motivation for doing so is to allow a system to reliably restrict access to network resources by devices that are not validated or have a compromised state (Abstract – Palekar).

Regarding claim 31,

Klitscher teaches a non-transitory computer readable storage media having program instructions to be executed by a hardware resource to:

initiate, by the hardware resource executing a cloud extension agent on a local network, a first connection to at least one external server, over a wide area network external from the local network and separated by at least one firewall, using a standard internet protocol (Fig. 1, Abstract - Each storage device is equipped with a software storage manager adapted to establish a permanent connection to the web application server. The web application server can then identify the storage device within the network and can access and retrieve data from said storage device on request by a user of the computing device through the device management service. The web application server and the software storage manager may have a keep-alive mechanism to avoid disconnections – Page 4 - the installed software implements a service, referred to herein as a storage manager or storage manager service, that initially establishes the connection to the web application server. The typical configuration of routers, firewalls or other intermediate network nodes can therefore be avoided and the user is not required to make any modifications to the router and/or firewall. For example, when the storage manager service initiates a connection to the web application server from inside a firewall local to the storage device, the firewall need not be configured for the reception of external requests as long as this connection is kept alive);

wherein the first connection comprises a [..] and persistent channel directly between the local network and the at least one external server (Fig. 1, Abstract - Each storage device is equipped with a software storage manager adapted to establish a permanent connection to the web application server. The web application server can then identify the storage device within the network and can access and retrieve data from said storage device on request by a user of the computing device through the device management service. The web application server and the software storage manager may have a keep-alive mechanism to avoid disconnections – Page 4 - the installed software implements a service, referred to herein as a storage manager or storage manager service, that initially establishes the connection to the web application server. The typical configuration of routers, firewalls or other intermediate network nodes can therefore be avoided and the user is not required to make any modifications to the router and/or firewall. For example, when the storage manager service initiates a connection to the web application server from inside a firewall local to the storage device, the firewall need not be configured for the reception of external requests as long as this connection is kept alive – Page 22 - the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490 – Page 9 - once the connection has been opened, the web application service 115 may optionally include a mechanism to maintain the connection according to the proprietary protocol).

receiving, via the first connection, a first set of instructions to manage a configuration of each of a first set of [..] devices by one or more local servers on the local network (Page 22 – the computing device 140 sends the user interaction to the web application service 115. For example, an HTTP-GET or HTTP-POST may be sent to the internet portal 340 provided by web application server 110. The user interaction received is then processed by the web application service 115 and a request is generated at step 460. This request for a particular action or functionality is then sent at step 465 to the storage manager 240. Again, this request may be implemented as HTTP commands or any other suitable protocol command. Thus, using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310 – Page 4 - when the storage manager service initiates a connection to the web application server from inside a firewall local to the storage device, the firewall need not be configured for the reception of external requests as long as this connection is kept alive).

changing a configuration of one or more of the first set of [..] devices in response to the first set of instructions; and transmitting, via the first connection, status and configuration information comprising data indicative of changes to the configuration of the one or more of the first set of [..] devices to the external server made in response to the first set of instructions (Page 22 - using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310. At step 480, the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490).

Klitscher does not explicitly teach that the device of a set of devices is a mobile device of a set of mobile devices, that the channel is a secure channel, or wherein a configuration of each of the first set of mobile devices includes quarantine settings of the mobile device and a security policy of the mobile device.

However, Palekar teaches

the device of a set of devices is a mobile device of a set of mobile devices (Page 7 - The present invention can be applied to various other general or special purpose computing system environments or configurations. Examples of known computing systems, environments, and configurations suitable for use in the present invention include personal computers, server computers, portable or laptop devices, multiprocessor systems, microprocessor based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the above systems or devices, and the like).

the channel is a secure channel (Page 2 - In order to emulate a point-to-point link, data is encapsulated or wrapped with a header that provides routing information that allows cross-shared or transit internetwork to reach its final destination. To emulate a private link, the data sent is encrypted for confidentiality. Packets intercepted on a shared or public network cannot be decrypted without an encryption key - After the security alliance is established, data security processing is applied to the packets sent to the remote receiver, so that data transmission to each computer can proceed. Such processing may simply be to ensure the integrity of the data being transmitted, or may be to encrypt the data being transmitted).

wherein a configuration of each of the first set of mobile devices includes quarantine settings of the mobile device and a security policy of the mobile device (Page 5 - enforcing a network quarantine policy, comprising: a health list statement including at least one enforcement server for communicating with at least one client via a network protocol, and at least one health statement from the enforcement server, and a network quarantine server comprising a coordination server for receiving and querying at least one policy server to verify at least one health statement. If each health statement is verified, the coordination server instructs the at least one enforcement server to authorize at least one client access to the network resources. If each health statement is not verified, the coordination server instructs the at least one enforcement server to enforce the quarantine policy obtained from the at least one policy server. In keeping with the features of the present invention, the coordination server publishes an interface that allows at least one policy server to communicate with the coordination server. The coordination server communicates with at least one policy server through an interface provided by at least one policy server - Policy server 220 includes an inspection policy that an administrator wishes the client to check for operating system (OS) versions, anti-virus signature versions, and the like – The Policy Server also changes the information the client needs to change to the client with the correct configuration, such as patches, anti-virus updates, and so on. The client connects to policy server 220 to obtain the expected client policy, and returns SoH responses and responses to network resources. The network administrator may configure a quarantine policy on QES 230. The client can obtain the policy and configuration from a plurality of different policy servers such as, for example, a WUS server for the patch, and an anti-virus signature server - The client device may include one or more QPS, for example, QPC 410a, QPC 410b, and QPC 410c. Each QPC communicates with one or more policy servers 440 and provides policies and configurations to the network).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Palekar.  The motivation for doing so is to allow a system to  reliably restrict access to network resources by devices that are not validated or have a compromised state (Abstract – Palekar).
Regarding claim 32,

Klitscher further teaches
wherein the hardware resource is further to: gather the status and configuration information from the one or more local servers on the local network (Page 22 - using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310. At step 480, the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490).


Regarding claim 33,

Klitscher further teaches 
wherein to gather the status and configuration information after initiation of the first connection (Page 22 - using the permanent connection to the storage manager 240 the service 140 will be able to forward in step 465 the user request to the intended storage device at storage manager 240. Further, the storage manager 240 performs the requested action on storage device 150, see step 470. Any result of this performed action is sent back to web application service 115 at step 475. Further, the response data, i.e. the result, may then be internally forwarded (not shown) to internet portal 340 and to device management service 310. At step 480, the method continues with processing the result received from step 475 and by updating the user interface. The updated user interface is then provided to the computing device 140 at step 485. It is noted that steps 455 to 485 may be repeated until the user session is terminated at step 490).



Regarding claim 34,

Klitscher further teaches
wherein the first local network is a customer premise network (Fig. 1, Page 14).


Regarding claim 35,

Klitscher does not explicitly teach that the first connection is a secure connection.

However, Palekar teaches
wherein the first connection is a secure connection (Page 2 - In order to emulate a point-to-point link, data is encapsulated or wrapped with a header that provides routing information that allows cross-shared or transit internetwork to reach its final destination. To emulate a private link, the data sent is encrypted for confidentiality. Packets intercepted on a shared or public network cannot be decrypted without an encryption key - After the security alliance is established, data security processing is applied to the packets sent to the remote receiver, so that data transmission to each computer can proceed. Such processing may simply be to ensure the integrity of the data being transmitted, or may be to encrypt the data being transmitted).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Palekar.  The motivation for doing so is to allow a system to reliably restrict access to network resources by devices that are not validated or have a compromised state (Abstract – Palekar).

Claims 21, 29, 37 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Klitscher in view of Palekar further in view of Graham et al. US 8843622 (Graham hereinafter).

Regarding claim 21,

Klitscher further teaches wherein the set of instructions are received by the cloud extension agent using [...] a protocol over the network connection (Page 22). However, Klitscher does not explicitly teach a set of instructions are received using an XMPP protocol over a secure connection.

Graham teaches
a set of instructions are received using an XMPP protocol over a secure connection (Claim 1; Col. 13, lines 7-20 - Turning to FIG. 2C, FIG. 2C is a simplified flowchart 203 illustrating one potential operation associated with the present disclosure. In an embodiment, at 220, a transport layer security (TLS) is established and server authentication is performed. For example, TLS and server authentication (i.e., mutual authentication) may be performed with respect to CPE 12a and status server 14a. At 222, an XMPP stream is opened between a CPE and a server. For example, an XMPP stream may be created between status server 14a and CPE 12a. At 226, the connection between the CPE and the server is authenticated and new streams are opened).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Graham. The motivation for doing so is to allow a system to encode messages communicated on the persistent connections using an extensible messaging and presence protocol (XMPP) for secure communication (Abstract – Graham).

Regarding claim 29,

Klitscher further teaches wherein the set of instructions are received by the cloud extension agent using [...] a protocol over the network connection (Page 22). However, Klitscher does not explicitly teach a set of instructions are received using an XMPP protocol over a secure connection.

Graham teaches
a set of instructions are received using an XMPP protocol over a secure connection (Claim 1; Col. 13, lines 7-20 - Turning to FIG. 2C, FIG. 2C is a simplified flowchart 203 illustrating one potential operation associated with the present disclosure. In an embodiment, at 220, a transport layer security (TLS) is established and server authentication is performed. For example, TLS and server authentication (i.e., mutual authentication) may be performed with respect to CPE 12a and status server 14a. At 222, an XMPP stream is opened between a CPE and a server. For example, an XMPP stream may be created between status server 14a and CPE 12a. At 226, the connection between the CPE and the server is authenticated and new streams are opened).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Graham. The motivation for doing so is to allow a system to encode messages communicated on the persistent connections using an extensible messaging and presence protocol (XMPP) for secure communication (Abstract – Graham).

Regarding claim 37,

Klitscher further teaches wherein the set of instructions are received by the cloud extension agent using [...] a protocol over the network connection (Page 22). However, Klitscher does not explicitly teach a set of instructions are received using an XMPP protocol over a secure connection.

Graham teaches
a set of instructions are transmitted using an XMPP protocol over a secure connection (Claim 1; Col. 13, lines 7-20 - Turning to FIG. 2C, FIG. 2C is a simplified flowchart 203 illustrating one potential operation associated with the present disclosure. In an embodiment, at 220, a transport layer security (TLS) is established and server authentication is performed. For example, TLS and server authentication (i.e., mutual authentication) may be performed with respect to CPE 12a and status server 14a. At 222, an XMPP stream is opened between a CPE and a server. For example, an XMPP stream may be created between status server 14a and CPE 12a. At 226, the connection between the CPE and the server is authenticated and new streams are opened).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Graham.  The motivation for doing so is to allow a system to encode messages communicated on the persistent connections using an extensible messaging and presence protocol (XMPP)  for secure communication (Abstract – Graham).

Claims 22, 30, 38 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Klitscher in view of Palekar further in view of Staveley et al. Patent No. US 6,973,491 B1 (Staveley hereinafter).

Regarding claim 22,

Klitscher does not explicitly teach

determining, by the cloud extension agent, whether any updates from the at least one external server are waiting to be sent

However, Staveley teaches
determining, by the cloud extension agent, whether any updates from the at least one external server are waiting to be sent (Col. 8, lines 10-25 - Main module 30 also performs other operations. For example, if the parameter "auto upgrade" is specified in the configuration file, main module 30 will invoke the automation upgrade component, as described above. Also, if a URL is given for the location of a test configuration file, the main module 30 will download the test configuration file from the specified URL).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Staveley. The motivation for doing so is to allow a system to always be aware of new configuration for the target devices (Col. 8, lines 10-25 – Staveley).

Regarding claim 30,

Klitscher does not explicitly teach

wherein the hardware resource is further to determine whether any updates from the at least one external server are waiting to be sent

However, Staveley teaches
wherein the hardware resource is further to determine whether any updates from the at least one external server are waiting to be sent (Col. 8, lines 10-25 - Main module 30 also performs other operations. For example, if the parameter "auto upgrade" is specified in the configuration file, main module 30 will invoke the automation upgrade component, as described above. Also, if a URL is given for the location of a test configuration file, the main module 30 will download the test configuration file from the specified URL).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Staveley. The motivation for doing so is to allow a system to always be aware of new configuration for the target devices (Col. 8, lines 10-25 – Staveley).

Regarding claim 38,

Klitscher does not explicitly teach

wherein the hardware resource is further to determine whether any updates from the at least one external server are waiting to be sent

However, Staveley teaches
wherein the hardware resource is further to determine whether any updates from the at least one external server are waiting to be sent (Col. 8, lines 10-25 - Main module 30 also performs other operations. For example, if the parameter "auto upgrade" is specified in the configuration file, main module 30 will invoke the automation upgrade component, as described above. Also, if a URL is given for the location of a test configuration file, the main module 30 will download the test configuration file from the specified URL).

It would have been obvious to a person of ordinary skill in the art at the time of the claimed invention to modify the teachings of Klitscher to include the teachings of Staveley. The motivation for doing so is to allow a system to always be aware of new configuration for the target devices (Col. 8, lines 10-25 – Staveley).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOUNES NAJI whose telephone number is (571) 272-2659. The examiner can normally be reached on Monday - Friday 8:30 AM - 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A Louie can be reached on (571) 270-1684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/YOUNES NAJI/Primary Examiner, Art Unit 2445