Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a Non-Final Office action in response to communications received November 15, 2022.  No claims have been amended, added or canceled.  Therefore, claims 1-28 are pending and addressed below.


Response to Arguments
Applicant’s arguments, see pages 7-9, filed November 15, 2022, with respect to the rejection(s) of claim(s) 1-28 under 35 USC 102 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of a newly found prior art reference, Lee et al. (US10348767 B1, file date 02/24/2017).
Examiner withdraws Bansal et al. (US2021/0234860 A1) since it does not precede the filing date of the present application.  Bansal et al. was filed April 15, 2021 and is a continuation of application 15/153108 (file date 05/12/2016); however, 15/153108 does not include Figure 22, which was later added in US2021/0234860 A1, and therefore it is ineligible for use in combination with other references.


Information Disclosure Statement
The information disclosure statement filed 11/16/2022 complies with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 and the information referred to therein has been considered as to the merits.  


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).




Claims 1, 3, 15, 17 are provisionally rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1, 3, 4, 7, 9, 10, of co-pending application 17/033153.  

Claims 1, 3, 15, 17:
Claims 1, 3, 15, 17 have similar limitations as in claims 1, 3, 4, 7, 9, 10, of co-pending application 17/033153.  Although the conflicting claims are not identical, they are not patentably distinct from each other because both applications claim a method/endpoint device performed within an agent running on an endpoint device, identifying/determining that a cloud-based security service is reachable and, when affirmative, configuring the particular security feature/function for operating inside one of the plurality of trusted networks and, when negative, configuring the particular security feature/function for operating outside one of the plurality of trusted networks.  Claims 1, 3, 15, 17 are rejected under the reasons as set forth above.


This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.



Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.



Claims 1-28 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Lee et al. (US10348767 B1, file date 02/24/2017).

Claims 1 and 15:
With respect to claims 1 and 15, Lee et al. discloses a method performed within an agent running on an endpoint device (virtual network agents (e.g., control daemons and virtual network proxies) and virtual routing tables are provided to the end points and virtual network switches, Column 18, lines 37-47) (The endpoints are provisioned with secure connection agents 2125A-N, Figure 21) (operation of Virtual network platform, Figures 10 and 11A), comprising:
a processing resource (public cloud can offer on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). Column 9, lines 11-14); and 
a non-transitory computer-readable medium (computer-readable medium or non-transitory computer-readable medium. Column 5, lines 55-58), coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to perform a method comprising: 
detecting whether the endpoint device has been moved to a new network by monitoring for changes to an Internet Protocol (IP) address associated with the endpoint device (IP forwarding tables; IP addresses are assigned: controller 1015 assigns a first virtual IP address (e.g., “vIPa”) to a first virtual network proxy (“VNPA”) 1020A, a second virtual IP address (e.g., “vIPb”) to a second virtual network proxy (“VNPB”) 1020B. Column 19, line 36-Column 20, line 6);
when said detecting is affirmative: determining whether a trusted network determination service associated with a cloud-based security service is reachable via the new network (determining if the connection should be provided through a virtual network connection includes comparing one or more than one Internet Protocol (IP) addresses associated with the second end point against a list of IP addresses stored at the first end point. Column 20, lines 51-67) (Figure 11A, 1125) (When the end-points need to access each other (e.g., the client-server applications running inside these end-points are trying to reach each other), they will be able to use the pre-defined/allowed virtual networks. Column 19, lines 31-35);
when said determining is affirmative: identifying whether the new network is among a plurality of trusted networks that have been previously registered with the cloud-based security service by querying the trusted network determination service (if a data packet includes a routing address that matches an entry in the static virtual routing table, a security check 1135 is performed to determine whether a virtual network connection should be established.  client manager 1005 checks with controller 1015 for security permission. Column 21, lines 1-34); and
when said identifying is affirmative, configuring a particular security feature implemented by the agent for operation inside one of the plurality of trusted networks (Virtual/Static tables, Figure 11B) (if the security check passes (step 1145), the controller informs the virtual network proxies and virtual network switches to create a session for the virtual network connection, In a step 1150, dynamic virtual network routing tables are created for the virtual network proxies and virtual network switch. Traffic between the first and second network domains is then routed according to the dynamic routing tables, Column 21, lines 35-49) (Figure 11A, 1145, 1150); and 
when said identifying is negative, configuring the particular security feature for operation outside of the plurality of trusted networks (Virtual/Static tables, Figure 11B) (If the security check fails (step 1140), the application client is blocked from connecting to the application server, the controller may deny permission to use the virtual network, Column 21, lines 28-34) (There can be cases where a routing address is found in the static virtual routing table, but the controller denies the virtual network connection, one or more parameters of the policy have or have not been satisfied, Column 21, lines 11-18) (Figure 11A, 1140).
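As an added illustration of the decision flow recited in claims 1 and 15 (and the negative branch of claim 7), the following Python simulation is not code from the application or from Lee et al.; the trusted network determination (TND) service, the registered networks and the tunnel are constructed in-process stand-ins, and the service is assumed to match on the IP address the endpoint reports.

```python
"""Simulated endpoint agent: detect a network move via an IP change, ask the
cloud TND service whether the new network is trusted, and configure the
secure tunnel accordingly. Added example; all names and data are constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class TrustedNetworkService:
    """Stand-in for the cloud-side TND service. `registered` holds the
    customer's previously registered trusted networks (constructed sample)."""
    registered: Set[str]
    reachable: bool = True

    def is_trusted(self, observed_ip: str) -> bool:
        if not self.reachable:
            raise ConnectionError("TND service unreachable")
        return observed_ip in self.registered


@dataclass
class Agent:
    tnd: TrustedNetworkService
    current_ip: Optional[str] = None
    tunnel_active: bool = False
    log: list = field(default_factory=list)

    def on_ip_change(self, new_ip: str) -> bool:
        """Compare the adapter's IP with the last-seen value; return True when
        a move was detected and the security feature was (re)configured."""
        if new_ip == self.current_ip:
            return False  # no move detected, nothing to reconfigure
        self.current_ip = new_ip
        try:
            trusted = self.tnd.is_trusted(new_ip)
        except ConnectionError:
            # Service unreachable ("determining is negative"): fail closed and
            # treat the network as outside the trusted set.
            trusted = False
        self.configure_tunnel(inside_trusted=trusted)
        return True

    def configure_tunnel(self, inside_trusted: bool) -> None:
        # Inside a registered office network the tunnel is deactivated so local
        # resources remain reachable; on any other network it is activated.
        self.tunnel_active = not inside_trusted
        self.log.append((self.current_ip, "off" if inside_trusted else "on"))
```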

Claims 2, 16:
With respect to claims 2, 16, Lee et al. discloses wherein the particular security feature comprises a secure Internet tunnel between the agent and a cloud-based security service (Virtual/Static tables, Figure 11B) (informs the virtual network proxies and virtual network switches to create a session for the virtual network connection, will inform first virtual network proxy (VNPA) 1020A, second virtual network proxy (VNPB) 1020B, and a first virtual network switch (VNS1) 1030, between the first and second virtual network proxies, to create a session for connection, Column 21, lines 35-44, Figure 11A, 1145), wherein configuration of the secure Internet tunnel for operation inside one of the plurality of trusted networks comprises deactivating the secure Internet tunnel (There can be cases where a routing address is found in the static virtual routing table, but the controller denies the virtual network connection, one or more parameters of the policy have or have not been satisfied, Column 21, lines 11-18), and wherein configuration of the secure Internet tunnel for operation outside of the plurality of trusted networks comprises activating the secure Internet tunnel (Traffic between the first and second network domains is then routed according to the dynamic routing tables, Column 21, lines 45-48).

Claims 3, 17:
With respect to claims 3, 17, Lee et al. discloses wherein the cloud-based security service comprises a Secure Access Service Edge (SASE) platform (An end point can include a physical server (e.g., blade servers or rack-mounted servers), a virtual machine (VM), a virtual network edge gateway, Column 7, lines 24-27) (the controller may be implemented in the enterprise demilitarized zone (DMZ) on the edge of the enterprise corporate network, Column 41, lines 45-47).

Claims 4, 18:
With respect to claims 4, 18, Lee et al. discloses wherein the secure Internet tunnel comprises a secure Transport Layer Security (TLS) connection between the agent and a firewall associated with the SASE platform (a security protocol for securing connections between the endpoints in the LAN. Some examples of security protocols include Secure Sockets Layer (SSL), Transport Layer Security (TLS), Column 42, lines 13-16) (A network domain can be enterprise local area network (LAN), server farm environment, or an Infrastructure as a Service (IaaS) cloud datacenter, which can be protected by conventional peripheral firewalls. The two network domains can be interconnected via Internet or any TCP/IP network. Column 8, lines 35-39).

Claims 5, 19:
With respect to claims 5, 19, Lee et al. discloses wherein deactivation of the secure Internet tunnel facilitates access by the endpoint device to local resources within the new network (There can be cases where a routing address is found in the static virtual routing table, but the controller denies the virtual network connection, one or more parameters of the policy have or have not been satisfied, Column 21, lines 11-18) (public cloud can offer on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services). Column 9, lines 11-14).


Claims 6, 20:
With respect to claims 6, 20, Lee et al. discloses wherein activation of the secure Internet tunnel (Traffic between the first and second network domains is then routed according to the dynamic routing tables, Column 21, lines 45-48) protects communications via the new network to the cloud-based security service (the decision can be made within the originating domain (e.g., the first domain). This feature helps to conserve the computing resources of the virtual network, reduce network traffic across the virtual network, and prevent bottlenecks. The virtual network platform provides IT administrators with the flexibility to decide the conditions, circumstances, or contexts for when the virtual network should be used (or not be used) to transmit data across two or more network domains, Column 11, lines 30-43).

Claims 7, 21:
With respect to claims 7, 21, Lee et al. discloses further comprising when said determining is negative, configuring the particular security feature for operation outside of the plurality of trusted networks (Virtual/Static tables, Figure 11B) (If the security check fails (step 1140), the application client is blocked from connecting to the application server, the controller may deny permission to use the virtual network, Column 21, lines 28-34) (There can be cases where a routing address is found in the static virtual routing table, but the controller denies the virtual network connection, one or more parameters of the policy have or have not been satisfied, Column 21, lines 11-18) (Figure 11A, 1140).

Claims 8, 22:
With respect to claims 8, 22, Lee et al. discloses wherein the IP address associated with the endpoint device comprises an IP address associated with a primary ethernet adapter of the endpoint device (The computer network system is representative of many different environments including a Ethernet, Column 4, lines 35-37) (Endpoints in a LAN may share a common part of an address, Uniform Resource Locator (URL), or IP address range, a LAN may be built on Ethernet, Column 40, lines 20-25).

Claims 9, 23:
With respect to claims 9, 23, Lee et al. discloses wherein the agent comprises an endpoint protection platform (The endpoints are provisioned with secure connection agents 2125A-N, Figure 21). 

Claims 10, 24:
With respect to claims 10, 24, Lee et al. discloses wherein the agent is integrated with an endpoint protection platform (The endpoints are provisioned with secure connection agents 2125A-N, Figure 21).

Claims 11, 25:
With respect to claims 11, 25, Lee et al. discloses wherein the agent is independent from an endpoint protection platform running on the endpoint device (the CoIP endpoint includes an agent, e.g., zLink, 3930 connected to a CoIP virtual device 3935 in a kernel space 3940 of an operating system (OS) (e.g., guest OS) 3945 at the endpoint. Figure 39).

Claims 12, 26:
With respect to claims 12, 26, Lee et al. discloses wherein the cloud-based security service includes a plurality of trusted network determination services running in multiple regions throughout the world and wherein the trusted network determination service represents one of the plurality of trusted network determination services that is nearest to the endpoint device (The virtual network platform may be referred to as a wide area virtual network because it goes across or connects different network domains. Column 9, lines 55-66) (Figures 4 and 5).

Claims 13, 27:
With respect to claims 13, 27, Lee et al. discloses wherein the plurality of trusted networks represent office networks of a customer of the cloud-based security service that are securely connected to the cloud- based security service (Enterprise customers, Column 34, lines 4-16).

Claims 14, 28:
With respect to claims 14, 28, Lee et al. discloses wherein the plurality of trusted networks are updated by an orchestration and automation platform associated with the cloud-based security service (In a hybrid cloud environment, the virtual routing table can be dynamically updated when end points are added to or deleted from the virtual network. The updated virtual routing table will be pushed by the controller to each involved control daemon and then implemented in each VNP. Column 14, lines 63-67) (an IT administrator will program the central controller to define users and user groups (therefore, their computer (e.g., laptop computer) will automatically become end-points when they are on the computer and log in to the system), and the servers or VMs that are running some enterprise applications for access on the virtual network platform. Column 15, lines 23-29).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure, (see PTO Form 892).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HELAI SALEHI/           Examiner, Art Unit 2433
/William J. Goodchild/Primary Examiner, Art Unit 2433