WinSCP and PuTTY Notes

Needed a place to record some notes about WinSCP and PuTTY...

Tunneling in WinSCP

Sometimes, especially when behind a corporate firewall, it's useful to know how to set up WinSCP for use via "tunneling."

First, find and reach a Linux box to which you have rights. You'll use that host as the tunnel. Let's assume for this example that ours is

To expand the example, let's also assume that we must operate through a proxy. Ours here is an HTTP proxy over port 8080,

Once you have that, follow the steps below. Remember that this is for just one site and you must do it within the context of that site. If at any time during these steps you click on Session in the upper-left corner of the left pane and see anything other than the hostname/username pair you're creating a session for (in our example here:, then it won't work.

  1. Create the new account:
    1. Set Host name and Port number.
    2. Set User name and Password.
    3. Click Save and choose to save with password.
    4. Always save with password, accept to save new sites, etc. unless you share your host with others or specifically do not wish the convenience of not having to enter a password when connecting.
  2. Click on Advanced options (below, left).
  3. Click on Connection -> Proxy.
    1. Set up proxy (usually using HTTP), proxy hostname and port number.
    2. Your proxy may require a username and password. If so, fill them in.
    3. Save again with password.
  4. Click on Connection -> Tunnel.
    1. Check the box Connect through SSH tunnel.
    2. Set Host name and Port number.
    3. Set User name and Password.
    4. Save with password as before.
  5. Execute the copy you wish to effectuate to the remote server by clicking Login and proceeding as usual.

Setting up port-forwarding in PuTTY

PuTTY works similarly: it has proxy and tunneling settings of its own.

Normally, I just use PuTTY to get into my Linux host and do stuff when I'm on a Windows machine and don't have a Linux command line handy. However, it can do much more, such as this operation in support of helping Thunderbird get mail from Google.

Having launched PuTTY, we create a session and save it. Let's use the same make-believe host as higher up in the WinSCP example.

This example is a little confusing since it's the before and after: to set up forwarding of port 3128 (arbitrarily chosen), you type "3128" into Source port, click the Dynamic button and then Add. The result is "D3128" in the Forwarded ports list.

Of course, you do have to launch PuTTY and authenticate for this to work. Here, I happen to be logged into (not, but) another host.

Turning to Thunderbird, I set up my Google mail account over IMAP as must be done.

Then, I go into Tools -> Options -> Advanced -> Network & Disk Space -> Connection -> Settings. There I set up my proxy, just as I would for Firefox browsing. I also set up a SOCKS (v5) proxy for the local host ( on port 3128.

Magically, after this, I'm getting my Google mail into Thunderbird despite running behind a firewall and proxy set-up at work.

Port-forwarding, masquerading, firewall and NAT


Masquerading

All machines in your internal network appear at the same (set of) public addresses. I.e., you can have 8 public IP addresses, and a network of 200 machines with private addresses using them to go "outside". When a host inside wants to open a connection to the outside, the connection gets assigned an IP address and port from this pool. It was conceived as a way of conserving IPv4 addresses when it became clear they were becoming scarce, and then (ab)used as a security measure (any incoming connections are at the mercy of the machine doing the translating). This is usually called NAT (Network Address Translation); if there is just one public address, it is more accurately called PAT (Port Address Translation, only ports are translated). But both are usually named NAT.

Port forwarding

All traffic directed at a certain IP address and port is sent to another address and port; any responses follow the reverse path. This is usually coupled with masquerading (i.e., outside accesses the HTTP or SMTP ports on one of the masquerading addresses, and traffic to that port is handled by the internal machine offering that service). It can also be done if both the forwarder and its target have public addresses, but it is rather pointless.


Firewall

A machine filtering traffic between networks, typically an internal network and the Internet, but it could also separate two internal networks. The firewall inspects connection requests and/or flowing traffic, and denies traffic (or modifies it). It is usually combined with the above two.

Masquerading = NAT

Port forwarding = telling NAT to forward new incoming traffic on a certain port to another IP and port "behind it".

If you didn't set up port forwarding on A, B isn't going to receive any new incoming connections from outside of A.
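
The difference between masquerading and port forwarding, as an added example that is not part of the original notes: a toy model of gateway A translating for internal host B. All addresses and ports are constructed sample values, and the class and function names are hypothetical. It assumes a connection-tracking gateway that matches replies on the remote address and port.

```python
# Added illustration (not from the original notes): toy PAT gateway "A"
# in front of internal host "B". All addresses/ports are constructed.
from dataclasses import dataclass, field


@dataclass
class Gateway:
    public_ip: str
    next_port: int = 40000                         # next free public source port
    conntrack: dict = field(default_factory=dict)  # (pub_port, remote) -> inside
    forwards: dict = field(default_factory=dict)   # pub_port -> inside

    def outbound(self, in_ip, in_port, remote):
        """Masquerading: an inside host connects out; its source address is
        rewritten to public_ip:pub_port and the mapping is remembered."""
        pub_port = self.next_port
        self.next_port += 1
        self.conntrack[(pub_port, remote)] = (in_ip, in_port)
        return (self.public_ip, pub_port)

    def add_forward(self, pub_port, in_ip, in_port):
        """Port forwarding: accept NEW inbound connections on pub_port."""
        self.forwards[pub_port] = (in_ip, in_port)

    def inbound(self, remote, pub_port):
        """Packet from outside to public_ip:pub_port. Returns the inside
        destination, or None when the gateway has nowhere to send it."""
        if (pub_port, remote) in self.conntrack:   # reply on an existing flow
            return self.conntrack[(pub_port, remote)]
        return self.forwards.get(pub_port)         # new connection needs a rule


def demo():
    a = Gateway("203.0.113.1")
    b = ("192.168.1.20", 51515)                    # internal host B
    mail = ("198.51.100.7", 993)                   # server B connects to
    other = ("198.51.100.99", 40222)               # unrelated outside host
    src = a.outbound(*b, mail)
    results = {
        "rewritten_source": src,
        "reply_from_mail": a.inbound(mail, src[1]),
        "other_same_port": a.inbound(other, src[1]),
        "new_to_22_before": a.inbound(other, 22),
    }
    a.add_forward(22, "192.168.1.20", 22)          # forwarding rule on A
    results["new_to_22_after"] = a.inbound(other, 22)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every forwarding rule added on A is a port on B that the outside can open new connections to, so the forwards table is the list to review when auditing what the gateway exposes.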