Prosecution Insights
Last updated: April 19, 2026
Application No. 18/176,191

Zero Trust Support for Secure Networks Via Modified Virtual Private Network

Status: Non-Final Office Action (§103), OA round 3
Filed: Feb 28, 2023
Examiner: JOHNSON, CARLTON
Art Unit: 2436
Tech Center: 2400 — Computer Networks
Assignee: Red Hat Inc.

Grant probability: 58% (moderate)
Expected OA rounds: 3-4
Expected time to grant: 4y 11m
Grant probability with interview: 90%

Examiner Intelligence

Career allow rate: 58% of resolved cases (205 granted / 352 resolved), at TC average
Interview lift: +32.1% (allow rate of resolved cases with interview vs. without)
Average prosecution: 4y 11m
Currently pending: 26
Career history: 378 total applications across all art units

Statute-Specific Performance (vs. Tech Center average estimate)

§101: 12.4% (-27.6% vs TC avg)
§102: 12.2% (-27.8% vs TC avg)
§103: 59.7% (+19.7% vs TC avg)
§112: 8.6% (-31.4% vs TC avg)

Based on career data from 352 resolved cases.

Office Action (§103)
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Continued Examination Under 37 CFR 1.114

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12-23-2025 has been entered.

2. Claims 1 - 19, 21 are pending. Claims 1, 9, 11, 14, 16, 21 have been amended. Claim 20 has been canceled. Claims 1, 9, 16 are independent. This application was filed on 2-28-2023.

Response to Arguments

3. Applicant's arguments, see Arguments/Remarks Made in an Amendment, filed 12-23-2025, with respect to the rejection(s) under Chauhan in view of Arthurs and further in view of Kawasaki have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Chauhan in view of Arthurs and further in view of Kawasaki and Barker.

A. Applicant argues on page 10 of Remarks: ... "in response to receiving the second access request, denying the second access request based on a predefined security policy that limits the first connection tunnel against providing access to the second software application, ... . The Examiner respectfully disagrees. Kawasaki discloses receiving a second application request for network communications. Kawasaki discloses denying access to a second application request (does not support a second access request) due to policy requirements (such as security policy requirements).
(see Kawasaki page 36: if the UE 10 does not support the second PDN connection (second request) and / or if the establishment of the second PDN connection does not comply with the UE 10 policy, the UE 10 rejects the establishment of the second PDN connection (second request). More specifically, the UE 10 receives the PDN connection acceptance and / or the PDN connection rejection (based on the seventh identification information and / or PDN connection attribute information included in the PDN connection acceptance and / or the UE 10 policy). PDN connectivity reject may be sent.; The UE 10 may transmit at least one of the PDN connection rejection message ID (PDN connectivity message identity), the procedure transaction ID, and the cause information included in the PDN connection rejection. Further, the UE 10 may further include the fourth identification information in the PDN connection rejection.; The fourth identification information may be information indicating that the UE 10 does not support the second PDN connection and / or information indicating that the establishment of the second PDN connection does not comply with the UE 10 policy.) And, Barker discloses wherein denying the access request for the client device to access the second software application via the first connection tunnel. (see Barker paragraph [0032]: each of the two resident applications are associated with only one communication path)

B. Applicant argues on page 11 of Remarks: ... "denying, by the VPN server, the second access request for the client device to access the second software application via the first connection tunnel.". The Examiner respectfully disagrees. Kawasaki discloses receiving a second application request for network communications. Kawasaki discloses denying access to a second application request (does not support a second access request) due to policy requirements (such as security policy requirements). (see Kawasaki page 36: if the UE 10 does not support the second PDN connection (second request) and / or if the establishment of the second PDN connection does not comply with the UE 10 policy, the UE 10 rejects the establishment of the second PDN connection (second request). More specifically, the UE 10 receives the PDN connection acceptance and / or the PDN connection rejection (based on the seventh identification information and / or PDN connection attribute information included in the PDN connection acceptance and / or the UE 10 policy). PDN connectivity reject may be sent.; The UE 10 may transmit at least one of the PDN connection rejection message ID (PDN connectivity message identity), the procedure transaction ID, and the cause information included in the PDN connection rejection. Further, the UE 10 may further include the fourth identification information in the PDN connection rejection.; The fourth identification information may be information indicating that the UE 10 does not support the second PDN connection and / or information indicating that the establishment of the second PDN connection does not comply with the UE 10 policy.) And, Barker discloses wherein denying the access request for the client device to access the second software application via the first connection tunnel. (see Barker paragraph [0032]: each of the two resident applications are associated with only one communication path)

C. Applicant argues on page 11 of Remarks: ... Nowhere does Arthurs describe the same client device requesting access to multiple software applications via the same connection tunnel, nor denying client device access to an additional software application via the same connection tunnel. The Examiner respectfully disagrees. Kawasaki discloses receiving a second application request for network communications.
Kawasaki discloses denying access to a second application request (does not support a second access request) due to policy requirements (such as security policy requirements). (see Kawasaki page 36: if the UE 10 does not support the second PDN connection (second request) and / or if the establishment of the second PDN connection does not comply with the UE 10 policy, the UE 10 rejects the establishment of the second PDN connection (second request). More specifically, the UE 10 receives the PDN connection acceptance and / or the PDN connection rejection (based on the seventh identification information and / or PDN connection attribute information included in the PDN connection acceptance and / or the UE 10 policy). PDN connectivity reject may be sent.; The UE 10 may transmit at least one of the PDN connection rejection message ID (PDN connectivity message identity), the procedure transaction ID, and the cause information included in the PDN connection rejection. Further, the UE 10 may further include the fourth identification information in the PDN connection rejection.; The fourth identification information may be information indicating that the UE 10 does not support the second PDN connection and / or information indicating that the establishment of the second PDN connection does not comply with the UE 10 policy.) And, Barker discloses wherein denying the access request for the client device to access the second software application via the first connection tunnel. (see Barker paragraph [0032]: each of the two resident applications are associated with only one communication path)

D. Applicant argues on page 12 of Remarks: ... None of the cited references disclose or make obvious a VPN server that performs all the claimed operations. The Examiner respectfully disagrees. Chauhan discloses the utilization of VPN type communications between a set of network-connected nodes. Chauhan discloses the utilization of server type network-connected nodes (i.e. VPN server) and client type network-connected nodes (i.e. VPN Client). (see Chauhan paragraph [0104]: the networking agent 412 can establish a secure socket layer (SSL) VPN between the client application and a server 430 providing the network application 406. The VPN connections, sometimes referred to as microVPN or application-specific VPN, may be specific to particular network applications, particular devices,; paragraph [0005]: A client application executing on a client device can allow a user to access applications (apps) that are served from and/or hosted on one or more servers, such as web applications and software-as-a-service (SaaS) applications (hereafter sometimes generally referred to as network applications).; paragraph [0104]: networking agent 412 can connect to enterprise resources (including services) for instance via a virtual private network (VPN). For example, the networking agent 412 can establish a secure socket layer (SSL) VPN between the client application and a server 430 providing the network application 406.; (VPN communications; VPN servers, VPN clients))

E. Applicant argues on page 12 of Remarks: ... Independent claims 9 and 16 are amended to recite the same or similar features as independent claim 1 and are patentable for at least the same reasons. Independent claims 9, 16 have similar limitations as independent claim 1. Responses to arguments against independent claim 1 also answer arguments against independent claims 9, 16.

F. Applicant argues on page 12 of Remarks: ... "wherein the predefined security policy restricts locks the first connection tunnel to provide access to only a single software application that is the first software application.". The Examiner respectfully disagrees. Barker discloses restricting or locking access for a first connection tunnel by a second application. Access is restricted to a first application utilizing a first connection tunnel.
(see Barker paragraph [0032]: each of the two resident applications are associated with only one communication path; paragraph [0011]: The third application is operable to receive a user identification of a preferred application selected from the first and second applications and to restrict a user's access to the other application not selected as the preferred application,)

G. Applicant argues on page 13 of Remarks: ... Chauhan does not teach or describe a connection tunnel being locked to provide access to only a single software application. The Examiner respectfully disagrees. Barker discloses restricting or locking access for a first connection tunnel by a second application. Access is restricted to a first application utilizing a first connection tunnel. (see Barker paragraph [0032]: each of the two resident applications are associated with only one communication path; paragraph [0011]: The third application is operable to receive a user identification of a preferred application selected from the first and second applications and to restrict a user's access to the other application not selected as the preferred application,)

H. Applicant argues on page 13 of Remarks: ... Dependent claims 2-8, 10-15, 17-19, and 21 are patentable at least by virtue of dependency from one of the independent claims ... . Responses to arguments against the independent claims also answer arguments against the associated dependent claims.

Claim Rejections - 35 USC § 103

4. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5. Claims 1, 2, 8 - 10, 16, 17, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Chauhan et al. (US PGPUB No. 20200145385) in view of Arthurs et al. (US PGPUB No. 20160344839) and further in view of Kawasaki et al. (Patent No. WO 2016/163410 A1) and Barker et al. (US PGPUB No. 20070050502).

Regarding Claims 1, 9, 16, Chauhan discloses a Virtual Private Network (VPN) server comprising: a processor, and a memory device that includes instructions executable by the processor for causing the processor to perform operations and a method and a non-transitory computer-readable medium comprising instructions that are executable by a processor for causing the processor to perform operations, comprising:

a) receiving, from a VPN client executing on a client device, a first access request for a first software application in a computing environment that is accessible via the VPN server, the first access request comprising authentication credentials for the VPN server; (see Chauhan paragraph [0009]: identifying, by the client application from the monitored user interactions, a second one or more network applications provided by one or more application servers to which the user is likely to request access; transmitting a request to access the identified second one or more network applications on behalf of the user, by the client application to the one or more application servers, responsive to the identification; receiving a request of the user, by the client application via the embedded browser, to access a second network application of the second one or more network applications; and responsive to receipt of the request to access the second network application, providing the received data of the second network application to the embedded browser from the memory of the client application, the browser rendering the provided data for display to the user.; paragraph [0005]: A client application executing on a client device can allow a user to access applications (apps) that are served from and/or hosted on one or more servers, such as web applications and software-as-a-service (SaaS) applications (hereafter sometimes generally referred to as network applications).; paragraph [0104]: networking agent 412 can connect to enterprise resources (including services) for instance via a virtual private network (VPN). For example, the networking agent 412 can establish a secure socket layer (SSL) VPN between the client application and a server 430 providing the network application 406.; (VPN communications, VPN servers, VPN clients))

b) authenticating the first access request based on the authentication credentials; (see Chauhan paragraph [0010]: includes authenticating the user by performing an authentication procedure with a remote authentication server, and wherein the transmission of the request to access the identified one or more network applications and receipt of data of the identified one or more network applications occurs prior to completion of the authentication procedure.) and

c) in response to authenticating the first access request, providing a first connection tunnel between the client device and the first software application, the client device being configured to access the first software application via the first connection tunnel.
(see Chauhan paragraph [0057]: The authentication service 258 may then grant to the user access to multiple enterprise resources 204,; paragraph [0071]: Network access to internal resources may occur directly from individual managed applications 310 through access gateway 306. The application management framework 314 is responsible for orchestrating the network access on behalf of each application 310. ... Multiple modes of network connection may be used, such as reverse web proxy connections and end-to-end VPN-style tunnels 318. (secure connection channels: first, second))

Chauhan does not specifically disclose for d) denying second access request for second software application, second access request being received from VPN client via first connection tunnel, second software application being accessible via the VPN server. However, Arthurs discloses after providing the first connection tunnel:

d) receiving a second access request for the client device to access a second software application in the computing environment via the first connection tunnel, the second access request being received via the first connection tunnel from the VPN client executing on the client device, the second software application being accessible via the VPN server. (see Arthurs paragraph [0014]: client devices of a given user may have various feature capabilities that are different from client devices of another user. In this scenario, the techniques described herein include restricting a communication channel based on capabilities of one of the client devices being less than capabilities of a client device of another user. Further, in some cases, client devices of a given user may have various feature capabilities that are different from client devices of another user. In this scenario, the techniques described herein include restricting a communication channel based on capabilities of one of the client devices being less than capabilities of a client device of another user.; paragraph [0021]: message server 102 may be further configured to determine communication capabilities of the first client 108, and determine communication capabilities of the second client 110. The message server 102 may restrict the communication channel based on capabilities of the first client 108 being less than the capabilities of the second client 110. Alternatively, the message server may restrict the communication channel based on capabilities of the second client 110 being less than the capabilities of the first client 108.; (denying access request for a particular application, connection channel))

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan for d) denying second access request for second software application, second access request being received from VPN client via first connection tunnel, second software application being accessible via the VPN server as taught by Arthurs. One of ordinary skill in the art would have been motivated to employ the teachings of Arthurs for the benefits achieved from a system that manages multiple connection channels associated with multiple VPN type application and users. (see Arthurs paragraph [0014])

Chauhan in view of Arthurs does not specifically disclose receiving second access request, denying second access request based on a predefined security policy that limits connection tunnel against providing access to second software application.
However, Kawasaki discloses wherein in response to receiving the second access request, denying the second access request for the client device to access the second software application based on a predefined security policy that limits the first connection tunnel against providing access to the second software application. (see Kawasaki page 36: if the UE 10 does not support the second PDN connection and / or if the establishment of the second PDN connection does not comply with the UE 10 policy, the UE 10 rejects the establishment of the second PDN connection. More specifically, the UE 10 receives the PDN connection acceptance and / or the PDN connection rejection (based on the seventh identification information and / or PDN connection attribute information included in the PDN connection acceptance and / or the UE 10 policy). PDN connectivity reject may be sent.; The UE 10 may transmit at least one of the PDN connection rejection message ID (PDN connectivity message identity), the procedure transaction ID, and the cause information included in the PDN connection rejection. Further, the UE 10 may further include the fourth identification information in the PDN connection rejection.; The fourth identification information may be information indicating that the UE 10 does not support the second PDN connection and / or information indicating that the establishment of the second PDN connection does not comply with the UE 10 policy.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan for receiving second access request, denying second access request based on a predefined security policy that limits connection tunnel against providing access to second software application as taught by Kawasaki.
One of ordinary skill in the art would have been motivated to employ the teachings of Kawasaki for the enhanced security of a system denying network access based upon a network security policy. (see Kawasaki page 36)

Furthermore, Chauhan does not specifically disclose denying access request to access the second software application via the first connection tunnel. However, Barker discloses wherein denying the access request for the client device to access the second software application via the first connection tunnel. (see Barker paragraph [0032]: each of the two resident applications are associated with only one communication path)

And, for Claim 9, Chauhan does not specifically disclose predefined security policy locks first connection tunnel to provide access to only a single software application that is the first software application. However, Barker discloses wherein the predefined security policy locks the first connection tunnel to provide access to only a single software application that is the first software application. (see Barker paragraph [0032]: each of the two resident applications are associated with only one communication path; paragraph [0011]: The third application is operable to receive a user identification of a preferred application selected from the first and second applications and to restrict a user's access to the other application not selected as the preferred application,)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan for denying access request to access the second software application via the first connection tunnel, and predefined security policy locks first connection tunnel to provide access to only a single software application that is the first software application as taught by Barker. One of ordinary skill in the art would have been motivated to employ the teachings of Barker for the enhanced security of a system that enables restricting access (locking access) to specific communication links. (see Barker paragraph [0032])

Furthermore, for Claim 16, Chauhan does not specifically disclose the predefined security policy restricts the first connection tunnel against providing the client device with access to other software applications in the computing environment. However, Barker discloses wherein the predefined security policy restricts the first connection tunnel against providing the client device with access to other software applications in the computing environment, the other software applications being different than the first software application. (see Barker paragraph [0032]: each of the two resident applications are associated with only one communication path; paragraph [0011]: The third application is operable to receive a user identification of a preferred application selected from the first and second applications and to restrict a user's access to the other application not selected as the preferred application,)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan for the predefined security policy restricts the first connection tunnel against providing the client device with access to other software applications in the computing environment as taught by Barker. One of ordinary skill in the art would have been motivated to employ the teachings of Barker for the enhanced security of a system that enables restricting access (locking access) to specific communication links. (see Barker paragraph [0032])

Furthermore, for Claim 1, Chauhan discloses a processor; and a memory device that includes instructions executable by the processor for causing the processor to perform operations.
(see Chauhan paragraph [0043]: Processor(s) 103 may be implemented by one or more programmable processors to execute one or more executable instructions, such as a computer program, to perform the functions of the system.)

Furthermore, for Claim 16, Chauhan discloses wherein a non-transitory computer-readable medium comprising instructions that are executable by a processor for causing the processor to perform operations. (see Chauhan paragraph [0043]: Processor(s) 103 may be implemented by one or more programmable processors to execute one or more executable instructions, such as a computer program, to perform the functions of the system.; paragraph [0202]: systems and methods described above may be provided as one or more computer-readable programs embodied on or in one or more articles of manufacture. The term “article of manufacture” as used herein is intended to encompass code or logic accessible from and embedded in one or more computer-readable devices,)

Regarding Claims 2, 10, 17, Chauhan-Arthurs-Kawasaki-Barker discloses the VPN server of claim 1 and the method of claim 9 and the non-transitory computer-readable medium of claim 16, wherein the operation of providing the first connection tunnel between the client device and the first software application further comprises:

a) authorizing the VPN client to establish the first connection tunnel. (see Chauhan paragraph [0057]: The authentication service 258 may then grant to the user access to multiple enterprise resources 204,; paragraph [0071]: Network access to internal resources may occur directly from individual managed applications 310 through access gateway 306. The application management framework 314 is responsible for orchestrating the network access on behalf of each application 310. ... Multiple modes of network connection may be used, such as reverse web proxy connections and end-to-end VPN-style tunnels 318. (secure connection channels: first, second))

Chauhan does not specifically disclose for b) restricting access for the VPN client to prevent the client device from accessing the second software application via the first connection tunnel. However, Arthurs discloses:

b) restricting access for the VPN client to prevent the client device from accessing the second software application via the first connection tunnel. (see Arthurs paragraph [0014]: client devices of a given user may have various feature capabilities that are different from client devices of another user. In this scenario, the techniques described herein include restricting a communication channel based on capabilities of one of the client devices being less than capabilities of a client device of another user. Further, in some cases, client devices of a given user may have various feature capabilities that are different from client devices of another user. In this scenario, the techniques described herein include restricting a communication channel based on capabilities of one of the client devices being less than capabilities of a client device of another user.; paragraph [0021]: message server 102 may be further configured to determine communication capabilities of the first client 108, and determine communication capabilities of the second client 110. The message server 102 may restrict the communication channel based on capabilities of the first client 108 being less than the capabilities of the second client 110. Alternatively, the message server may restrict the communication channel based on capabilities of the second client 110 being less than the capabilities of the first client 108.; (restrict user to access second application from first connection channel))

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan for d) denying second access request for second software application, second access request being received from VPN client via first connection tunnel, second software application being accessible via the VPN server as taught by Arthurs. One of ordinary skill in the art would have been motivated to employ the teachings of Arthurs for the benefits achieved from a system that manages multiple connection channels associated with multiple VPN type application and users. (see Arthurs paragraph [0014])

Regarding Claim 8, Chauhan-Arthurs-Kawasaki-Barker discloses the VPN server of claim 1, wherein the memory device further includes instructions executable by the processor for causing the processor to perform operations comprising:

a) generating, based on the authentication credentials in the first access request, a token for the client device, the token usable by the client device to access a set of connection tunnels; (see Chauhan paragraph [0167]: Authentication may include receiving a request to authenticate a user (e.g. upon login to a web application or server, or from launch of the client application or selection of a login interface), obtaining user credentials (e.g. account name or number, biometric data, passwords, or other such identifiers, either via a prompt or via an input interface (e.g. NFC or Bluetooth interface receiving an authentication token provided by another device, data from a fingerprint reader, etc.)), transmitting an authentication request to an authentication server or application server, and if the credentials are determined to be valid, receiving an authentication token.) and

b) providing access, for the client device, to a set of software applications associated with the set of connection tunnels based on the token. (see Chauhan paragraph [0057]: The authentication service 258 may then grant to the user access to multiple enterprise resources 204,; paragraph [0071]: Network access to internal resources may occur directly from individual managed applications 310 through access gateway 306. The application management framework 314 is responsible for orchestrating the network access on behalf of each application 310. ... Multiple modes of network connection may be used, such as reverse web proxy connections and end-to-end VPN-style tunnels 318. (secure connection channels: first, second))

Regarding Claim 21, Chauhan-Arthurs-Kawasaki-Barker discloses the VPN server of claim 1. Chauhan does not specifically disclose the predefined security policy restricts first communication channel against providing the client device with access to other software applications in computing environment. However, Kawasaki discloses wherein the predefined security policy restricts the first connection tunnel against providing the client device with access to other software applications in the computing environment, the other software applications being different than the first software application. (see Kawasaki page 36: if the UE 10 does not support the second PDN connection and / or if the establishment of the second PDN connection does not comply with the UE 10 policy, the UE 10 rejects the establishment of the second PDN connection.
More specifically, the UE 10 receives the PDN connection acceptance and / or the PDN connection rejection (based on the seventh identification information and / or PDN connection attribute information included in the PDN connection acceptance and / or the UE 10 policy). PDN connectivity reject) may be sent.; The UE 10 may transmit at least one of the PDN connection rejection message ID (PDN connectivity message identity), the procedure transaction ID, and the cause information included in the PDN connection rejection. Further, the UE 10 may further include the fourth identification information in the PDN connection rejection.; The fourth identification information may be information indicating that the UE 10 does not support the second PDN connection and / or information indicating that the establishment of the second PDN connection does not comply with the UE 10 policy.) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan for predefined security policy restricts first communication channel against providing the client device with access to other software applications in computing environment. as taught by Kawasaki. One of ordinary skill in the art would have been motivated to employ the teachings of Kawasaki for the enhanced security of a system denying network access based upon a network security policy. (see Kawasaki page 36) 6. Claims 3, 4, 11, 12, 18, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Chauhan in view of Arthurs and further in view of Kawasaki and Barker and Borkar et al. (Patent No. CN 112997180 A). Regarding Claims 3, 11, 18, Chauhan-Authurs-Kawasaki-Barker discloses the VPN server of claim 1 and the method of claim 9 and the non-transitory computer-readable medium of claim 16, wherein the memory device further includes instructions executable by the processor for causing the processor to perform operations, including a connection tunnel. 
(see Chauhan paragraph [0057]: The authentication service 258 may then grant to the user access to multiple enterprise resources 204,; paragraph [0071]: Network access to internal resources may occur directly from individual managed applications 310 through access gateway 306. The application management framework 314 is responsible for orchestrating the network access on behalf of each application 310. ... Multiple modes of network connection may be used, such as reverse web proxy connections and end-to-end VPN-style tunnels 318. (secure connection channels: first, second) Chauhan-Authurs-Kawasaki does not specifically disclose updating an active directory to include first connection tunnel information by mapping first software application to first connection tunnel. However, Borkar discloses wherein updating an active directory to include the first connection tunnel by mapping the first software application to the first connection tunnel. (see Borkar page 19: Limited and complete Kerberos support may be additional features. Complete supporting features involve the full Kerberos login to active directory (AD) 322 using AD cipher or trusted client credentials, and the ability to obtain Kerberos service ticket to respond to the challenge of HTTP negotiation authentication. 
limited support feature relates to Citrix access gateway enterprise version (AGEE) in the constraint delegation, wherein the AGEE supports invoking the Kerberos protocol conversion, so that it can respond to HTTP negotiation authentication challenge; and obtaining and using the Kerberos service ticket (subject to restriction delegating).; page 45: the client driver mapping (CDM) virtual channel of the embedded browser to the network application) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan-Authurs-Kawasaki for updating an active directory to include first connection tunnel information by mapping first software application to first connection tunnel as taught by Borkar. One of ordinary skill in the art would have been motivated to employ the teachings of Borkar for the enhanced security from a system that enables the utilization of an active directory for authentication of clients within a network environment. (see Borkar page 19; page 45) Regarding Claims 4, 12, 19, Chauhan-Authurs-Kawasaki-Barker-Borkar discloses the VPN server of claim 3 and the method of claim 11 and the non-transitory computer-readable medium of claim 18, wherein the active directory further includes a set of authentication credentials required to authenticate the client device to the VPN server for the first connection tunnel, and wherein the operation of authenticating, based on the authentication credentials, the first access request further comprises: Furthermore, Chauhan discloses wherein that the authentication credentials received from the VPN client are included in the set of authentication credentials required to authenticate the client device for the first connection tunnel. 
(see Chauhan paragraph [0010]: includes authenticating the user by performing an authentication procedure with a remote authentication server, and wherein the transmission of the request to access the identified one or more network applications and receipt of data of the identified one or more network applications occurs prior to completion of the authentication procedure.; paragraph [0111]: The secure container can include an access manager that governs access to the file system by applications and other components of the client device. Access to the file system can be governed based on document access policies (e.g., encoded rules) maintained by the client application, in the documents and/or in the file system. A document access policy can limit access to the file system based on (1) which application or other component of the client device is requesting access, (2) which documents are being requested, (3) time or date, (4) geographical position of the client device, (5) whether the requesting application or other component provides a correct certificate or credentials,) Chauhan-Authurs-Kawasaki does not specifically disclose for a) accessing the active directory, and for b) verifying, based on the set of authentication credentials in the active directory. However, Borkar discloses: a) accessing the active directory; and b) verifying, based on the set of authentication credentials in the active directory. (see Borkar page 19: Limited and complete Kerberos support may be additional features. Complete supporting features involve the full Kerberos login to active directory (AD) 322 using AD cipher or trusted client credentials, and the ability to obtain Kerberos service ticket to respond to the challenge of HTTP negotiation authentication (receive Kerberos information responding to authentication challenge). 
limited support feature relates to Citrix access gateway enterprise version (AGEE) in the constraint delegation, wherein the AGEE supports invoking the Kerberos protocol conversion, so that it can respond to HTTP negotiation authentication challenge; and obtaining and using the Kerberos service ticket (subject to restriction delegating).; page 45: the client driver mapping (CDM) virtual channel of the embedded browser to the network application) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan-Authurs-Kawasaki for a) accessing the active directory, and for b) verifying, based on the set of authentication credentials in the active directory as taught by Borkar. One of ordinary skill in the art would have been motivated to employ the teachings of Borkar for the enhanced security from a system that enables the utilization of an active directory for authentication of clients within a network environment. (see Borkar page 19; page 45) 7. Claims 5 - 7, 13 - 15 are rejected under 35 U.S.C. 103 as being unpatentable over Chauhan in view of Arthurs and further in view of Kawasaki and Barker and Kursun (US PGPUB No. 20210141874). Regarding Claims 5, 13, Chauhan-Authurs-Kawasaki-Barker discloses the VPN server of claim 1 and the method of claim 9, wherein the operation of denying the second access request for the second software application received from the client device via the first connection tunnel further comprises: Chauhan-Authurs-Kawasaki does not specifically disclose for a) determining that access to second software application via VPN server requires additional authentication, and for b) in response to determining that access requires additional authentication, transmitting an authentication request for additional authentication credentials. 
However, Kursun discloses: a) determining that access to the second software application via the VPN server requires additional authentication compared to the first software application; (see Chauhan paragraph [0011]: processing device is further configured to: determine an authentication level required to execute the action; determine that the primary authentication credential does not satisfy the authentication level required to execute the action;) and b) in response to determining that access to the second software application requires additional authentication, transmitting an authentication request to the VPN client for additional authentication credentials. (see Chauhan paragraph [0011]: processing device is further configured to: determine an authentication level required to execute the action; determine that the primary authentication credential does not satisfy the authentication level required to execute the action; initiate, via the user device, a request to receive a secondary authentication credential.; paragraph [0012]: the processing device is further configured to: receive, from the authentication chip, the secondary authentication credential,) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan-Authurs-Kawasaki for a) determining that access to second software application via VPN server requires additional authentication, and for b) in response to determining that access requires additional authentication, transmitting an authentication request for additional authentication credentials as taught by Kursun. One of ordinary skill in the art would have been motivated to employ the teachings of Kursun for the enhanced security of a system that enables a determination of a requirement for additional authentication information. 
(see Chauhan paragraph [0011]; paragraph [0012]) Regarding Claims 6, 14, Chauhan-Authurs-Kawasaki-Kursun discloses the VPN server of claim 5 and the method of claim 13, wherein the memory device further includes instructions executable by the processor for causing the processor to perform operations comprising, subsequent to transmitting the authentication request to the VPN client for additional authentication credentials: a) receiving, from the VPN client, a third access request for the second software application, the third access request comprising the additional authentication credentials; (see Chauhan paragraph [0009]: identifying, by the client application from the monitored user interactions, a second one or more network applications provided by one or more application servers to which the user is likely to request access; transmitting a request to access the identified second one or more network applications on behalf of the user, by the client application to the one or more application servers, responsive to the identification; receiving a request of the user, by the client application via the embedded browser, to access a second network application of the second one or more network applications; and responsive to receipt of the request to access the second network application, providing the received data of the second network application to the embedded browser from the memory of the client application, the browser rendering the provided data for display to the user.) and b) authenticating the third access request based on the additional authentication credentials. (see Chauhan paragraph [0010]: includes authenticating the user by performing an authentication procedure with a remote authentication server, and wherein the transmission of the request to access the identified one or more network applications and receipt of data of the identified one or more network applications occurs prior to completion of the authentication procedure.) 
Chauhan does not specifically disclose for c) providing second connection tunnel between client device and second software application, client device being configured to access second software application via second connection tunnel. However, Authurs discloses: c) providing a second connection tunnel between the client device and the second software application, the client device being configured to access the second software application via the second connection tunnel. (see Authurs paragraph [0018]: During channel-based communication, a session may be established between the message server 106, the desktop client 116 of the first user 108 and the desktop client 120 of the second user 110. The channel-based communication may establish a communication channel based on a predefined communication channel for communicating with any of the client devices of a given user. For example, the message server 106 may establish a session via a predefined communication channel that is used for all of the client devices of the second user 110 including the desktop client 120, the web client 122, and the mobile client 124.; (enable accessing network interface, access second application via second connection tunnel)) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan for c) providing second connection tunnel between client device and second software application, client device being configured to access second software application via second connection tunnel as taught by Authurs. One of ordinary skill in the art would have been motivated to employ the teachings of Authurs for the benefits achieved from a system that manages multiple connection channels associated with multiple VPN type application and users. 
(see Arthurs paragraph [0014]) Chauhan does not specifically disclose second tunnel being locked to provide access only to a single software application that is the second software application. However, Barker discloses wherein the second tunnel being locked to provide access only to a single software application that is the second software application. (see Barker paragraph [0032]: each of the two resident applications are associated with only one communication path; paragraph [0011]: The third application is operable to receive a user identification of a preferred application selected from the first and second applications and to restrict a user's access to the other application not selected as the preferred application,) It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan for second tunnel being locked to provide access only to a single software application that is the second software application as taught by Barker. One of ordinary skill in the art would have been motivated to employ the teachings of Barker for the enhanced security of a system that enables restricting access (locking access) to specific communication links. (see Barker paragraph [0032]) Regarding Claims 7, 15, Chauhan-Authurs-Kawasaki-Barker-Kursun discloses the VPN server of claim 6 and the method of claim 14, providing connection tunnels. (see Chauhan paragraph [0057]: The authentication service 258 may then grant to the user access to multiple enterprise resources 204,; paragraph [0071]: Network access to internal resources may occur directly from individual managed applications 310 through access gateway 306. The application management framework 314 is responsible for orchestrating the network access on behalf of each application 310. ... Multiple modes of network connection may be used, such as reverse web proxy connections and end-to-end VPN-style tunnels 318. 
(secure connection channels: first, second) Chauhan does not specifically disclose denying a fourth access request for first software application received from VPN client via second connection tunnel. However, Kawasaki discloses wherein further comprising: after providing the second connection tunnel; receiving, via the second connection tunnel, a fourth access request for the VPN client for the first software application; and in response to receiving the fourth access request, denying the fourth access request based on the second connection tunnel being secured against providing access to the first software application. (see Kawasaki page 36: if the UE 10 does not support the second PDN connection and / or if the establishment of the second PDN connection does not comply with the UE 10 policy, the UE 10 rejects the establishment of the second PDN connection. More specifically, the UE 10 receives the PDN connection acceptance and / or the PDN connection rejection (based on the seventh identification information and / or PDN connection attribute information included in the PDN connection acceptance and / or the UE 10 policy). PDN connectivity reject) may be sent.; The UE 10 may transmit at least one of the PDN connection rejection message ID (PDN connectivity connectivity message identity), the procedure transaction ID, and the cause information included in the PDN connection rejection. Further, the UE 10 may further include the fourth identification information in the PDN connection rejection.; The fourth identification information may be information indicating that the UE 10 does not support the second PDN connection and / or information indicating that the establishment of the second PDN connection does not comply with the UE 10 policy.) 
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Chauhan for receiving second access request, denying second access request based on a predefined security policy that limits first connection tunnel against providing access to second software application as taught by Kawasaki. One of ordinary skill in the art would have been motivated to employ the teachings of Kawasaki for the enhanced security of a system denying network access based upon a network security policy. (see Kawasaki page 36) Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032. The examiner can normally be reached Work: 12-9PM (most days). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CJ/ January 12, 2026 /KHOI V LE/Primary Examiner, Art Unit 2436
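The control flow the examiner is mapping across claims 1, 5 to 7 and 21 (a first tunnel opened for one application, a predefined policy that denies a request for any other application over that tunnel, a step-up authentication request before a second tunnel is provided, the second tunnel locked to the second application, and denial of the first application over the second tunnel) is easier to follow as code than as claim language. The following is an added example written for this page; it is not Red Hat's implementation and not code from Chauhan, Arthurs, Kawasaki, Barker, Kursun or Borkar. The class and method names, the two sample applications ("wiki" and "payroll"), the in-memory credential store standing in for the claimed active directory, and the two authentication levels (password only, password plus MFA) are all assumptions chosen for illustration.

```python
"""Toy model of a per-application ("locked") VPN tunnel policy.

Added example: not Red Hat's code and not code from any cited reference.
All names, the two sample applications and the credential store below are
hypothetical, chosen only to make the claimed control flow concrete.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets


class AccessDenied(Exception):
    """Request refused by the predefined security policy."""


class StepUpRequired(Exception):
    """Target application needs stronger credentials than were presented."""


@dataclass
class Tunnel:
    tunnel_id: str
    client_id: str
    app: str  # the single application this tunnel is locked to


@dataclass
class VPNServer:
    # Stand-in for the directory holding each client's credentials (hypothetical).
    directory: dict
    # Authentication level each application requires: 1 = password, 2 = password + MFA.
    app_auth_level: dict
    tunnels: dict = field(default_factory=dict)
    # (client_id, app) -> tunnel_id: the application-to-tunnel mapping of the dependent claims.
    app_to_tunnel: dict = field(default_factory=dict)

    def authenticate(self, client_id: str, password: str, mfa: Optional[str] = None) -> int:
        """Verify presented credentials against the directory; return the level achieved."""
        entry = self.directory.get(client_id)
        if entry is None or not secrets.compare_digest(entry["password"], password):
            raise AccessDenied("bad credentials")
        if mfa is not None and secrets.compare_digest(entry["mfa"], mfa):
            return 2
        return 1

    def open_tunnel(self, client_id: str, app: str, password: str, mfa: Optional[str] = None) -> Tunnel:
        """Access request with credentials: authenticate, check the level, lock a new tunnel to `app`."""
        level = self.authenticate(client_id, password, mfa)
        if level < self.app_auth_level[app]:
            # Server asks for additional credentials instead of silently opening the tunnel.
            raise StepUpRequired(app)
        tunnel = Tunnel(secrets.token_hex(8), client_id, app)
        self.tunnels[tunnel.tunnel_id] = tunnel
        self.app_to_tunnel[(client_id, app)] = tunnel.tunnel_id
        return tunnel

    def request(self, tunnel_id: str, app: str) -> str:
        """Access request arriving over an existing tunnel: only the locked application is reachable."""
        tunnel = self.tunnels.get(tunnel_id)
        if tunnel is None:
            raise AccessDenied("unknown tunnel")
        if tunnel.app != app:
            # Predefined policy: a tunnel never provides access to an application it was not
            # opened for, regardless of what the same client may reach over another tunnel.
            raise AccessDenied(f"tunnel {tunnel_id} is locked to {tunnel.app}, not {app}")
        return f"{tunnel.client_id} -> {app} via {tunnel_id}"


def walkthrough(server: VPNServer) -> list:
    """Run the sequence the claims describe and record each outcome."""
    log = []
    t1 = server.open_tunnel("alice", "wiki", "pw")  # first tunnel, locked to "wiki"
    log.append(("wiki via t1", server.request(t1.tunnel_id, "wiki").endswith(t1.tunnel_id)))
    try:  # second application requested over the first tunnel: denied by policy
        server.request(t1.tunnel_id, "payroll")
        log.append(("payroll via t1", "allowed"))
    except AccessDenied:
        log.append(("payroll via t1", "denied"))
    try:  # fresh request for the second application with password only: step-up demanded
        server.open_tunnel("alice", "payroll", "pw")
        log.append(("payroll step-up", "not required"))
    except StepUpRequired:
        log.append(("payroll step-up", "required"))
    t2 = server.open_tunnel("alice", "payroll", "pw", mfa="123456")  # request with added credentials
    log.append(("payroll via t2", server.request(t2.tunnel_id, "payroll").endswith(t2.tunnel_id)))
    try:  # first application requested over the second tunnel: denied as well
        server.request(t2.tunnel_id, "wiki")
        log.append(("wiki via t2", "allowed"))
    except AccessDenied:
        log.append(("wiki via t2", "denied"))
    return log


def demo_server() -> VPNServer:
    # Constructed sample data for the example, not real credentials.
    return VPNServer(
        directory={"alice": {"password": "pw", "mfa": "123456"}},
        app_auth_level={"wiki": 1, "payroll": 2},
    )


if __name__ == "__main__":
    for step, outcome in walkthrough(demo_server()):
        print(f"{step}: {outcome}")
```

The check in `request` is the whole point of the claimed policy: possession of a valid tunnel is not authorization for anything beyond the one application it was opened for, and a second tunnel for a more sensitive application does not inherit the first tunnel's rights in either direction. In a real deployment the same lock has to be enforced where the packets actually flow (per-tunnel routes or firewall rules that admit only the locked application's addresses and ports), since a tunnel carries IP traffic and an application-layer check alone can be bypassed by a client that simply sends to a different destination.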

Prosecution Timeline

Feb 28, 2023: Application Filed
Mar 20, 2025: Non-Final Rejection (§103)
Jun 02, 2025: Interview Requested
Jun 11, 2025: Applicant Interview (Telephonic)
Jun 12, 2025: Response Filed
Jun 18, 2025: Examiner Interview Summary
Sep 19, 2025: Final Rejection (§103)
Dec 23, 2025: Request for Continued Examination
Jan 09, 2026: Response after Non-Final Action
Jan 23, 2026: Non-Final Rejection (§103)
Apr 01, 2026: Interview Requested
Apr 09, 2026: Applicant Interview (Telephonic)
Apr 09, 2026: Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12604197: METHODS AND SYSTEMS FOR ALLOWING DEVICE TO SEND AND RECEIVE DATA (granted Apr 14, 2026; 2y 5m to grant)
Patent 12526638: METHODS AND SYSTEMS FOR ALLOWING DEVICE TO SEND AND RECEIVE DATA (granted Jan 13, 2026; 2y 5m to grant)
Patent 12515614: ELECTRONIC CONTROL UNIT AND COMMUNICATION SYSTEM (granted Jan 06, 2026; 2y 5m to grant)
Patent 12518656: SECRET SIGMOID FUNCTION CALCULATION SYSTEM, SECRET LOGISTIC REGRESSION CALCULATION SYSTEM, SECRET SIGMOID FUNCTION CALCULATION APPARATUS, SECRET LOGISTIC REGRESSION CALCULATION APPARATUS, SECRET SIGMOID FUNCTION CALCULATION METHOD, SECRET LOGISTIC REGRESSION CALCULATION METHOD AND PROGRAM (granted Jan 06, 2026; 2y 5m to grant)
Patent 12452239: METHODS AND SYSTEMS FOR ALLOWING DEVICE TO SEND AND RECEIVE DATA (granted Oct 21, 2025; 2y 5m to grant)

Based on the 5 most recent grants.

Prosecution Projections

Expected OA rounds: 3-4
Grant probability: 58% (90% with interview, +32.1%)
Median time to grant: 4y 11m
PTA risk: High
Based on 352 resolved cases by this examiner. Grant probability derived from career allow rate.
