Passive mode + SSH tunneling set up with external tool.

I am using WinSCP 4.1.6 (Build 412). I am using PuTTY to set up SSH tunneling (using WinSCP to set it up is not an option). I am connecting to an FTP server using passive mode (the passive port is also forwarded through the tunnel). This means that the server's passive mode IP it provides is incorrect, it's the server's LAN IP on the other side of the tunnel but for this to work, WinSCP needs to override that and use 127.0.0.1 instead.

How do I configure this? The WinSCP documentation implies that it's possible to connect through a tunnel when using an external tool:

https://winscp.net/eng/docs/ui_login_tunnel#tunnel_options

Yet it doesn't describe how to set this up. Disabling tunneling in WinSCP does not work, of course, since WinSCP trusts that the passive IP sent from the server is correct (but it's not). Enabling tunneling but not entering any information also does not work, WinSCP won't connect and fails with a network error. Choosing "FTP" instead of "SFTP" as the file protocol (which is correct, it's FTP through the tunnel, not SFTP) removes the tunneling options entirely.

Really all I need is an option that lets me override the IP used for passive port connections for plain old insecure FTP connections. Without that option, it does not seem like WinSCP can actually be used to connect to an FTP server through an SSH tunnel set up by an external tool, as implied in the documentation. I feel like I must be missing something simple. I am looking at WinSCP as a free alternative to SmartFTP, which does support this configuration.

Thanks,
JC

One more thing; I found the relevant FAQ entry here:

https://winscp.net/eng/docs/guide_tunnel

Unless I am missing something the instructions in this FAQ appear to be incomplete. The setup described in the FAQ would not, in fact, allow an FTP connection through an SSH tunnel set up by PuTTY, as they neglect to take care of setting up the second FTP data connection through the tunnel.

There are two options. One would be to set it up in active mode, requiring the client to accept incoming connections on some data port, which would require connections to the pass-through server from the FTP server to be forwarded back through the tunnel to the client (I do not know how to configure this in PuTTY, I don't even know if this is possible -- I am not an SSH tunneling expert). To support this option, however, you have to be able to tell WinSCP to always use a specified port/range of ports for accepting active mode data connections. The other is to set it up in passive mode, which requires a second outgoing port forward to be set up through the tunnel, and the ability to ignore the server's passive mode IP (which is the missing piece in my puzzle). The ability to also override the passive mode port is not necessary as long as you set up port forwarding to use the same local port number that the remote FTP server is using for passive connections.

In both cases, passive and active, WinSCP is either lacking the necessary options or I just can't find them to support connections over SSH tunnels created by external tools (for active, ability to specify active listen port, for passive, ability to override passive connection IP). The FAQ and other online documentation does not cover either of these, and without them I'm curious as to how anybody has ever gotten WinSCP working this way.

Thanks,
JC

Has anybody ever successfully configured WinSCP to connect to an FTP server through a tunnel set up by a different application? Still hoping for some insight on this.

Thanks!

The FAQ actually covered tunneling SFTP/SCP sessions only, although it was never mentioned. I have updated the FAQ to cover FTP sessions too. However please note that I have not tested it actually :-) So please let me know if it works.

Also this issue is being tracked already.

I tried to follow the same procedure but no success, when connecting to FTP where I have direct connection but only for port 22 so I tried to make SSH tunneling with Putty for SOCKS and added into WinSCP session IP of the FTP server and non-standard port (250) for the FTP server..

guestnumberone wrote:

I tried to follow the same procedure but no success, when connecting to FTP where I have direct connection but only for port 22 so I tried to make SSH tunneling with Putty for SOCKS and added into WinSCP session IP of the FTP server and non-standard port (250) for the FTP server..

Can you give us more details and a complete WinSCP session log file and PuTTY event log?