WinSCP, Putty and Tunnels

Hi,
We need access to <Server B> via <Server A> and to do that we are using SSH Tunnels. I followed your directions in https://winscp.net/eng/docs/guide_tunnel which I found in your F.A.Q and was successfully able to get to the step/line "putty.exe <Server A> -L 3111:<Server B>:22" and was able to login to <Server A> as expected. But I am not able to get this step : Connecting through the tunnel to work!!!! Here is the Event-log form <Server A>

2011-01-10 19:35:38 Opening forwarded connection to <Server B>:8080
2011-01-10 19:35:38 Forwarded connection refused by server: Connect failed [Connection refused]

This shell command when executed in <Server A> succeeds in logging to <Server B>: ssh -i .ssh/id.key GT@<Server B>. However, I am not a big fan of command-line and would like to get WinSCP (UI) interface to <Server B>, if possible, so that ops like transfer of files etc are much faster...

My WinSCP version 4.1.9(build 416)

Please let me know if this is possible?

Thanks!

In your putty.exe command line, there's <Server B>:22, while in the error message, there's <Server B>:8080. Why?

Also note that single-hop tunnel can be set up directly in WinSCP, you do not have to use PuTTY.
See https://winscp.net/eng/docs/ui_login_tunnel

Hi prikryl,
Yes, I can use WinSCP for the first hop and in-fact I do use that. I only use putty command so I can WinScp to ServerB. My goal is to WinSCP to ServerB.

Regarding ports being 22 and 8080, sorry about the confusion. It's 8080 everywhere, i just copy-pasted from https://winscp.net/eng/docs/guide_tunnel so you would know exactly where I got to in that help doc (https://winscp.net/eng/docs/guide_tunnel)...

Please let me know how to WinSCP to ServerB?

Thanks!

Sorry, I have no idea why it does not work for you.

GT, are you admin on Server A &/or Server B? If so, would you mind creating me an account to test with? I know you read those docs, but weren't able to get it to work, so other than you typing Step-by-Step what you did/tried, I'd like to test it 1st hand.

The one thing I noticed from what you already posted is...

GT wrote:

This shell command when executed in <Server A> succeeds in logging to <Server B>: ssh -i .ssh/id.key GT@<Server B>.

...that looks like it uses public key auth...perhaps Server B only allows public key auth?...so were you using public key auth when you tried to set it up thru WinSCP?...& did you copy the key from Server A to wherever WinSCP is installed?

Also, you could try to setup a temporary tunnel for testing...

• Login to Server A, via the command line (however you already do that).
  
• Run the command (change ports as needed)...
  
  

  ssh -i .ssh/id.key GT@<Server B> -L 3111:Server-B:22

...OK, if I typed that correctly, that will login from Server A to Server B, the same way as you always have, however, it should also set up a temporary tunnel. Depending on Server A's firewall, this forward might not be accessible from your WinSCP computer (so that may not work yet). But it should be accessible from another Server A command line. So open another Server A command line & type...(change ports/syntax as needed)...

...that should attempt to connect to Server A's tunnel to Server B (kinda unnecessary, but were just testing here).

Hopefully I didn't make any mistakes above, but tell me what happens. Perhaps add -v to some of those commands for more verbose output, if anything goes wrong.

For future posts lets get things clear...

• Client 1 is the "WinSCP computer"
  
  • Is this computer inside the same network as Server A or not?
• Server A is the 1st HOP
  
  • This Server has SSH/SFTP on port: <???>
• Server B is the Target Computer
  
  • This Server has SSH/SFTP on port: <???>

...also, please add any other facts about any of the computers involved, that you think might be relevant. For example, are all the computers located on the internet? Like Client 1 is your home computer? Server A is your web host's computer? Server B is your web host's MySQL server? (& not directly accessible from the net?) Are you admin on any or all computers?

Looks like GT was connecting through http proxy which broke the connection (:8080). Since actual IP addresses were removed from logs, it is only a guess.