
Sunday, January 24, 2010

Changing the name of a SQL Server machine

Overview
If you rename a machine that has SQL Server installed, you need to do a few things in SQL Server after the machine name change. This article outlines those steps. The article applies to SQL Server 7.0, 2000, 2005 and 2008.

Note: If the SQL Server is installed in a cluster, you should reinstall or hire an expert (who probably will tell you to reinstall). Thanks to SQL Server MVP Geoff N. Hiten for catching that.

Step 1 (7.0)
The SQL Server service will not start after the machine name change. You will get a Windows error message box: "Your SQL Server installation is either corrupt or had been tampered with (unknown package id) Please rerun setup."
All you have to do is to follow the advice. Pop in the SQL Server CD and run setup again. Setup will not reinstall anything, it will only make the adjustments needed so you can start SQL Server again.

Step 2 (all versions)
After starting SQL Server, you need to take care of the sysservers table in the master database. SQL Server stores the local machine name here and this will not match if you have renamed the machine in Windows. This is also easy to fix:

EXEC sp_dropserver 'oldservername'
GO
EXEC sp_addserver 'newservername', 'local'
GO

Replace 'oldservername' and 'newservername' above with the old and the new machine name.

Step 3 (7.0 and 2000)
In this last step, you need to handle the sysjobs table in the msdb database. There is one row in sysjobs for each SQL Server Agent job. In the column originating_server, you find the name of the server where the job was created. This is to support master and target servers (MSX). If a job is created on a master server, you cannot modify the job definition on the target server; all modifications have to be done on the master server.

So, if you changed the machine name, SQL Server will think that the job originated on a master server, and you will not be able to do anything with that job definition. You can handle this in two ways:

1. Rename the machine back to the old name, script the job definitions, delete the jobs, rename the machine to the new name again and use the script to re-create the jobs. See Error 14274 Occurs When You Update a SQL Agent Job After Renaming Windows Server for more information.

2. I find it easier to modify the sysjobs table directly. Note that this isn't supported, and if you don't feel confident doing the below, don't; use the steps above instead.

DECLARE @srv sysname
SET @srv = CAST(SERVERPROPERTY('ServerName') AS sysname)
UPDATE sysjobs SET originating_server = @srv

If this is a target server (you have jobs sent from a master server), you have to exclude them, so you don't convert those jobs into local jobs:

WHERE originating_server = ''

Replace the empty string above with the old machine name.

Read this if you deploy images with SQL Server installed
The "Distributed Transaction Coordinator" service (DTC) creates a GUID in the registry when it is installed. Below is an example of a path for the key, for a SQL Server instance named "Fresh":
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\FRESH\MSSQLServer\ResourceMgrID

If you image such an installation using Ghost or some other imaging software, you will have duplicates of this GUID on your machines and your distributed transactions will fail. You can delete this key and a new key with a unique value will be created next time the SQL Server is started. Make sure that you don't have any open distributed transactions when doing this.

Reference: http://www.karaszi.com/SQLServer/info_change_server_name.asp

Friday, January 22, 2010

How to know which application pool a w3wp.exe process belongs to

run this command:
cscript c:\windows\system32\iisapp.vbs

Wednesday, January 20, 2010

Windows command to control Access Control Lists

CACLS.exe

Display or modify Access Control Lists (ACLs) for files and folders.

Access Control Lists apply only to files stored on an NTFS formatted drive; each ACL determines which users (or groups of users) can read or edit the file. When a new file is created it normally inherits ACLs from the folder where it was created.

Limitations

Cacls cannot display or modify the ACL state of files locked in exclusive use.

Cacls cannot set the following permissions: change permissions, take ownership, execute, delete. Use XCACLS to set any of these.

Windows File Replication with robocopy

A better way to replicate is to use the ROBOCOPY utility from the resource kit tools.

There are at least 4 ways that you can use ROBOCOPY to do your replication:

1. A manually invoked batch file:


robocopy \\\admin$\system32\repl\export\ \\\admin$\system32\repl\import /s /v /r:1 /w:1 /eta
robocopy \\\admin$\system32\repl\export\ \\\admin$\system32\repl\import /s /v /r:1 /w:1 /eta
NOTE: and are the names of the computers being synchronized.

The first time that you replicate, use SCOPY to preserve permissions and then use ROBOCOPY which will maintain the permissions.

2. You can cause the above batch file to continuously loop:


:LOOP
robocopy \\\admin$\system32\repl\export\ \\\admin$\system32\repl\import /s /v /r:1 /w:1 /eta
robocopy \\\admin$\system32\repl\export\ \\\admin$\system32\repl\import /s /v /r:1 /w:1 /eta
Sleep 1800
goto LOOP
Sleep is a Resource Kit utility. The above sleeps for 1800 seconds, ½ hour.

3. Schedule the batch file from number 1.

The schedule service runs under the context of the system account which is local and has no network access. Create a new user account that is a member of the domain admin group with a non-blank, non-expiring password. In user manager for domains, give it all the advanced rights it may ever need including logon as a service and batch job.

In control panel services, stop the schedule service. Configure it to start automatically and to use this new account. Start the scheduler service.

AT 12:00AM /every:m,t,w,th,f,sa,su \Folder\replicate.bat
AT 08:00AM /every:m,t,w,th,f,sa,su \Folder\replicate.bat
AT 12:00PM /every:m,t,w,th,f,sa,su \Folder\replicate.bat
AT 08:00PM /every:m,t,w,th,f,sa,su \Folder\replicate.bat

4. Run it as a service

You can use the batch file from number 2 and Instsrv.exe to create the registry entries for the SRVANY service. These utilities are also from the Resource Kit.

NOTES:

You use the /purge option to delete files on the destination that have been removed from the source if you wish to emulate this replicator service function.

You may wish to limit the default retries as the destination files may be in an open status. Using /R:5 /W:5 will timeout faster.

If you pipe the output, check that your log file isn't consuming too much space.

You can run ROBOCOPY on any machine, even a Workstation. It does not have to run on the source or destination computer.

If absolute symmetry between the source and destination directories is needed, the /purge, /e, /t, and even /is switches can be used. See the online help and the Robocopy.wri file; you may not need to be this exacting.

Reference: http://windowsitpro.com/article/articleid/71934/jsi-tip-0609---a-better-way-to-replicate.html

How To Create a User-Defined Service

Download Microsoft Windows Server 2003 Resource Kit Tools at
http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe

The Windows NT Resource Kit provides two utilities that allow you to create a Windows NT user-defined service for Windows NT applications and some 16-bit applications (but not for batch files).

Instsrv.exe installs and removes system services from Windows NT, and Srvany.exe allows any Windows NT application to run as a service.

Overview

The Microsoft® Windows® Server 2003 Resource Kit Tools are a set of tools to help administrators streamline management tasks such as troubleshooting operating system issues, managing Active Directory®, configuring networking and security features, and automating application deployment.

The following tools are provided:
  • Acctinfo.dll (documented in Readme.htm)
  • Adlb.exe: Active Directory Load Balancing Tool
  • Admx.msi: ADM File Parser
  • Atmarp.exe: Windows ATM ARP Server Information Tool
  • Atmlane.exe: Windows ATM LAN Emulation Client Information
  • Autoexnt.exe: AutoExNT Service
  • Cdburn.exe: ISO CD-ROM Burner Tool
  • Checkrepl.vbs: Check Replication
  • Chklnks.exe: Link Check Wizard
  • Chknic.exe: Network Interface Card Compliance Tool for Network Load Balancing
  • Cleanspl.exe: Spooler Cleaner
  • Clearmem.exe: Clear Memory
  • Clusdiag.msi: Cluster Diagnostics and Verification Tool
  • Clusfileport.dll: Cluster Print File Port
  • Clusterrecovery.exe: Server Cluster Recovery Utility
  • Cmdhere.inf: Command Here
  • Cmgetcer.dll: Connection Manager Certificate Deployment Tool
  • Compress.exe: Compress Files
  • Confdisk.exe: Disk Configuration Tool
  • Consume.exe: Memory Consumers Tool
  • Creatfil.exe: Create File
  • Csccmd.exe: Client-Side Caching Command-Line Options
  • Custreasonedit.exe: Custom Reason Editor (documented in Readme.htm)
  • Delprof.exe: User Profile Deletion Utility
  • Dh.exe: Display Heap
  • Diskraid.exe: RAID Configuration Tool
  • Diskuse.exe: User Disk Usage Tool
  • Dnsdiag.exe: SMTP DNS Diagnostic Tool (documented in Readme.htm)
  • Dumpfsmos.cmd: Dump FSMO Roles
  • Dvdburn.exe: ISO DVD Burner Tool
  • Empty.exe: Free Working Set Tool
  • Eventcombmt.exe: Check Replication
  • Fcopy.exe: File Copy Utility for Message Queuing
  • Frsflags.vbs
  • Getcm.exe: Connection Manager Profile Update
  • Gpmonitor.exe: Group Policy Monitor
  • Gpotool.exe: Group Policy Objects
  • Hlscan.exe: Hard Link Display Tool
  • Ifilttst.exe: IFilter Test Suite
  • Ifmember.exe: User Membership Tool
  • Inetesc.adm: Internet Explorer Enhanced Security Configuration
  • Iniman.exe: Initialization Files Manipulation Tool
  • Instcm.exe: Install Connection Manager Profile
  • Instsrv.exe: Service Installer
  • Intfiltr.exe: Interrupt Affinity Tool
  • Kerbtray.exe: Kerberos Tray
  • Kernrate.exe: Kernel Profiling Tool
  • Klist.exe: Kerberos List
  • Krt.exe: Certification Authority Key Recovery
  • Lbridge.cmd: L-Bridge
  • Linkd.exe
  • Linkspeed.exe: Link Speed
  • List.exe: List Text File Tool
  • Lockoutstatus.exe: Account Lockout Status (documented in Readme.htm)
  • Logtime.exe
  • Lsreport.exe: Terminal Services Licensing Reporter
  • Lsview.exe: Terminal Services License Server Viewer
  • Mcast.exe: Multicast Packet Tool
  • Memmonitor.exe: Memory Monitor
  • Memtriage.exe: Resource Leak Triage Tool
  • Mibcc.exe: SNMP MIB Compiler
  • Moveuser.exe: Move Users
  • Mscep.dll: Certificate Services Add-on for Simple Certificate Enrollment Protocol
  • Nlsinfo.exe: Locale Information Tool
  • Now.exe: STDOUT Current Date and Time
  • Ntimer.exe: Windows Program Timer
  • Ntrights.exe
  • Oh.exe: Open Handles
  • Oleview.exe: OLE/COM Object Viewer
  • Pathman.exe: Path Manager
  • Permcopy.exe: Share Permissions Copy
  • Perms.exe: User File Permissions Tool
  • Pfmon.exe: Page Fault Monitor
  • Pkiview.msc: PKI Health Tool
  • Pmon.exe: Process Resource Monitor
  • Printdriverinfo.exe: Drivers Source
  • Prnadmin.dll: Printer Administration Objects
  • Qgrep.exe
  • Qtcp.exe: QoS Time Stamp
  • Queryad.vbs: Query Active Directory
  • Rassrvmon.exe: RAS Server Monitor
  • Rcontrolad.exe: Active Directory Remote Control Add-On
  • Regini.exe: Registry Change by Script
  • Regview.exe (documented in Readme.htm)
  • Remapkey.exe: Remap Windows Keyboard Layout
  • Robocopy.exe: Robust File Copy Utility
  • Rpccfg.exe: RPC Configuration Tool
  • Rpcdump.exe
  • Rpcping.exe
  • RPing: RPC Connectivity Verification Tool
  • Rqc.exe: Remote Access Quarantine Client
  • Rqs.exe: Remote Access Quarantine Agent
  • Setprinter.exe: Spooler Configuration Tool
  • Showacls.exe
  • Showperf.exe: Performance Data Block Dump Utility
  • Showpriv.exe: Show Privilege
  • Sleep.exe: Batch File Wait
  • Sonar.exe: FRS Status Viewer
  • Splinfo.exe: Print Spooler Information
  • Srvany.exe: Applications as Services Utility
  • Srvcheck.exe: Server Share Check
  • Srvinfo.exe: Remote Server Information
  • Srvmgr.exe: Server Manager
  • Ssdformat.exe: System State Data Formatter
  • Subinacl.exe
  • Tail.exe
  • Tcmon.exe: Traffic Control Monitor
  • Timeit.exe (documented in Readme.htm)
  • Timezone.exe: Daylight Saving Time Update Utility
  • Tsctst.exe: Terminal Server Client License Dump Tool
  • Tsscalling.exe: Terminal Services Scalability Planning Tools
  • Uddicatschemeeditor.exe: UDDI Services Categorization Scheme Editor
  • Uddiconfig.exe: UDDI Services Command-line Configuration Utility
  • Uddidataexport.exe: UDDI Data Export Wizard
  • Usrmgr.exe: User Manager for Domains
  • Vadump.exe: Virtual Address Dump
  • Vfi.exe: Visual File Information
  • Volperf.exe: Shadow Copy Performance Counters
  • Volrest.exe: Shadow Copies for Shared Folders Restore Tool
  • Vrfydsk.exe: Verify Disk
  • Winexit.scr: Windows Exit Screen Saver
  • Winhttpcertcfg.exe: WinHTTP Certificate Configuration Tool
  • Winhttptracecfg.exe: WinHTTP Tracing Facility Configuration Tool
  • Winpolicies.exe: Policy Spy
  • Wins.dll: WINS Replication Network Monitor Parser
  • Wlbs_hb.dll & Wlbs_rc.dll: Windows Load Balancing Server Network Monitor Parsers

To create a Windows NT user-defined service, perform the following steps:
  1. At an MS-DOS command prompt (running CMD.EXE), type the following command:

    path\INSTSRV.EXE My Service path\SRVANY.EXE

    where path is the drive and directory of the Windows NT Resource Kit (i.e., C:\RESKIT) and My Service is the name of the service you are creating.

    Example:
    "C:\Program Files\Resource Kit\Instsrv.exe" Notepad "C:\Program Files\Resource Kit\Srvany.exe"
    NOTE: To verify that the service was created correctly, check the registry to verify that the ImagePath value under
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\service name
    is set to point to SRVANY.EXE. If this is not set correctly, the service will stop shortly after it starts and return an Event ID 7000 "The service name failed to start."

    WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

    For information about how to edit the registry, view the "Changing Keys And Values" online Help topic or the "Add and Delete Information in the Registry" and "Edit Registry Data" online Help topics in Registry Editor.

    NOTE: You should back up the registry before you edit it.
  2. Run Registry Editor (Regedt32.exe) and locate the following subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  3. From the Edit menu, click Add Key. Type the following and click OK:

    Key Name: Parameters
    Class :
  4. Select the Parameters key.
  5. From the Edit menu, click Add Value. Type the following and click OK:

    Value Name: Application
    Data Type : REG_SZ
    String : \

    where \ is the drive and full path to the application executable including the extension (i.e., C:\WinNT\Notepad.exe)
  6. Close Registry Editor.
By default, a newly created service is configured to run Automatically when the system is restarted. To change this setting to Manual, run the Services applet from Control Panel and change the Startup value to Manual. A service set to Manual can be started in one of several ways:
- From the Services applet in Control Panel

- From a MS-DOS command prompt, type the following:

NET START

- Use the Sc.exe utility from the Resource Kit. Type the following from a MS-DOS command prompt:

\Sc.exe start

where is the drive and directory of the Windows NT Resource Kit (i.e., C:\Reskit).


For more information on installing and removing a user-defined service, please see the Srvany.wri document provided with the Windows NT Resource Kit utilities (i.e., C:\Reskit\Srvany.wri). This document can also be found on the Windows NT Resource Kit CD in the Common\Config directory.


Reference: http://support.microsoft.com/kb/137890

Tuesday, January 19, 2010

How to setup a website to access content on a remote NAS server

One of the more common questions in the newsgroups: "How can I have my content on a remote server vs. the local web server?". This article is a step-by-step how-to for serving content from a remote server. It assumes there are two machines, 1 web server and 1 content server. Let's get started.

Assumptions

  • Two servers running Windows 2003
  • Local user id on each machine with the same user id with same password

Setting up the environment

  • Create a user called RemoteContentUser and password PA$$@Word! on both machines
  • Create a folder called RemoteContent on the server acting as the remote NAS server
  • Create a website on your web server, point the website to your remote share.
  • Set the User id and Password on the virtual directory as the same as the local user id you created.

Create the local user ID that will be used to authenticate to the remote share. You could also create it using the Computer Management MMC.

  • Create user on web server.

  • Create user on remote machine.

  • Create RemoteContent$ Share (This allows access directly to the content using a UNC Path)

  • Using CACLS to grant the RemoteContentUser 'READ' permissions on the content folder

  • Screen shot from Windows Explorer showing the NTFS permissions.

  • Change directory to C:\RemoteContent
  • Create sample Default.asp that will be displayed from the web server.
  • Create sample Default.aspx that will be displayed from web server
  • Use the ECHO command to create the Default.asp and Default.aspx adding some sample content

Setup the WebSite

  • Open Internet Information Services Manager

  • Right Click on Web Sites and Select a New Web Site

  • Click Next
  • Enter your domain name.
  • Click Next

  • Uncheck "Always use the authenticated users credentials when validating access to the network directory"
  • Click Next

  • Type in local user name, for our article this is RemoteContentUser and "PA$$@Word!"
  • Confirm password

  • Click OK
  • Click Next
  • Select READ, Run Scripts (such as ASP)
  • Click Next

  • Click Finish

  • Notice the Default.asp, Default.aspx page displayed in the right pane.

  • Browse the Classic Default.asp webpage

To run ASPX webpages you'll need to ensure the local user has MODIFY permission on the temporary folder where .NET pages are compiled. If you do not, you may get the error listed below.

  • Grant local RemoteContentUser 'CHANGE' permissions on the temporary folder where ASP.NET pages are compiled. This can be any user, we are just using a local user for an example. Security should be kept in mind when setting up your environment.
  • Here is the command: cacls "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" /T /E /G remotecontentuser:C

  • Browse the Default.aspx webpages.

If you continue to have issues executing ASP.NET webpages, you probably need to grant CASPOL permissions. The command is listed below.

CASPOL

Here is a sample error when executing ASP.NET content on a remote share.

System.Security.SecurityException: Security error.

Source Error:

Line 57: private static System.Collections.ArrayList __fileDependencies;
Line 58:
Line 59: public Default_aspx() {
Line 60: System.Collections.ArrayList dependencies;
Line 61: if ((ASP.Default_aspx.__intialized == false)) {


Source File: D:\ASPNetTemp\authors_gfweis\3070428c\5b9f07db\9nidezwv.0.cs
Line: 59

Stack Trace:

[SecurityException: Security error.]
GfWeis._Default..ctor() +0
ASP.Default_aspx..ctor() in D:\ASPNetTemp\authors_gfweis\3070428c\5b9f07db\9nidezwv.0.cs:59

CASPOL to the Rescue

What is CASPOL? It is a command line utility to adjust the security policy of the CLR and the .NET Framework. There are also two MMC snap-ins under Administrative Tools to help adjust the CAS settings. To see all the settings CASPOL can change, open a command prompt and type CASPOL /?. Be very careful before adjusting these settings; this shouldn't be done on your production server without first testing on a development server. Here is more information on MSDN about CASPOL as well as many other tools provided by the .NET Framework: Code Access Security Policy Tool (Caspol.exe) (allows you to examine and modify machine, user, and enterprise-level code access security policies).

Here is the command that did the trick!

caspol -m -ag 1 -url "file://\\ServerName\RemoteContent$\*" FullTrust -exclusive on

Here are a couple of troubleshooting command line items we used.

  • caspol -s off //This turns off CAS security
  • caspol -s on //This turns on CAS Security
  • caspol -rs //Resets CAS security.

In conclusion, this is just one example of how to set up a website to access content on a remote server. We would suggest setting up a test environment so you understand the settings before implementing them in a production environment. We used a local user on both servers; if you have an Active Directory domain available you could use a domain user instead of a local user.


Reference: http://www.iislogs.com/articles/23/

Tuesday, January 5, 2010

Forwarding FTP

With SSH Secure Shell version 3.0 and above it is possible to easily forward FTP connections by using a command with the following syntax:

ssh2 -L ftp/x:ftpdserver:y username@sshdserver

FTP forwarding is an extension to the generic port forwarding mechanism. The FTP control channel can be secured by using generic port forwarding, but since the FTP protocol requires creating separate TCP connections for the files to be transferred, all the files would be transferred unencrypted when using generic port forwarding, as these separate TCP connections would not be forwarded automatically.

To protect also the transferred files, use FTP forwarding instead. It works similarly to generic port forwarding, except that the FTP forwarding code monitors the forwarded FTP control channel and dynamically creates new port forwardings for the data channels as they are requested. To see exactly how this is done, two different cases need to be examined: the active mode and the passive mode of the FTP protocol.

FTP in passive mode

In passive mode, the FTP client sends the command 'PASV' to the server, which reacts by opening a listener port for the data channel and sending the IP address and port number of the listener as a reply to the client. The reply is of the form '227 Entering Passive Mode (10,1,60,99,6,12)'.

When the Secure Shell client notices the reply to the PASV command, it will create a local port forwarding to the destination mentioned in the reply. After this the client will rewrite the IP address and port in the reply to point to the listener of the newly created local port forwarding (which exists always in a local host address, 127.0.0.1) and pass the reply to the FTP client. The FTP client will open a data channel based on the reply, effectively tunneling the data through the SSH connection, to the listener the FTP server has opened. The net effect is that the data channel is secure all the way except from the Secure Shell server to the FTP server, if they are on different machines. This sequence of events happens automatically for every data channel.

Since the port forwarding is opened to a local host address, the FTP client must be run on the same machine as the Secure Shell client if passive mode is used.

FTP in active mode

In active mode, the FTP client creates a listener on a local port, for a data channel from the FTP server to the FTP client, and requests the channel by sending the IP address and the port number to the FTP server in a command of the following form: 'PORT 10,1,60,99,6,12'. The Secure Shell client intercepts this command and creates a remote port forwarding from the Secure Shell server's localhost address to the address and port specified in the PORT command.

After creating the port forwarding, the Secure Shell client rewrites the address and port in the PORT command to point to the newly opened remote forwarding on the Secure Shell server and sends it to the FTP server. Now the FTP server will open a data channel to the address and port in the PORT command, effectively forwarding the data through the SSH connection. The Secure Shell client passes the incoming data to the original listener created by the FTP client. The net effect is that the data channel is secure the whole way except from the Secure Shell client to the FTP client. This sequence of events happens automatically for every data channel.

Since the port forwarding is made to a local host address on the Secure Shell client machine, the FTP client must be run on the same host as the Secure Shell client if active mode is used.

Where end-to-end encryption of FTP data channels is desired, the FTP server and Secure Shell server need to reside on the same host, and the FTP client and the Secure Shell client will likewise need to reside on the same host. If this is the case, either active or passive mode can be used.
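As an added illustration (not code from this page or from SSH Communications Security), the following Python models the control-channel rewriting described for both modes above: it parses a 227 reply and a PORT command, rejects malformed host/port fields, records the forwarding the Secure Shell client would create, and rewrites the message to point at the new loopback listener. The FtpForwarder class, the listener ports starting at 40000 and the sample messages are assumptions; the code does no networking, it only performs the bookkeeping.

```python
import re
from typing import Dict, Tuple

# Host/port tuple as it appears in a PASV reply "227 ... (h1,h2,h3,h4,p1,p2)" and in a
# "PORT h1,h2,h3,h4,p1,p2" command: four IPv4 octets, then the port as p1*256 + p2.
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_REPLY_RE = re.compile(r"^227\b.*?\(" + HOSTPORT + r"\)")
PORT_COMMAND_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)

LOCALHOST = "127.0.0.1"  # the dynamic forwardings always listen on a loopback address


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six captured decimal fields into (ip, port), rejecting out-of-range values
    so that a malformed reply or command never produces a forwarding."""
    fields = [int(g) for g in groups]
    if any(f > 255 for f in fields):
        raise ValueError("PASV/PORT field out of range: %r" % (groups,))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a valid data-channel port")
    return ".".join(str(f) for f in fields[:4]), port


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport: ("127.0.0.1", 40000) -> "127,0,0,1,156,64"."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpForwarder:
    """Hypothetical model of the bookkeeping an FTP-aware Secure Shell client does while
    watching the forwarded control channel (an assumption for this example, not ssh2 code)."""

    def __init__(self, first_listener_port: int = 40000) -> None:
        self._next_port = first_listener_port
        # passive mode: listener on the SSH client -> FTP server's data listener
        self.local_forwardings: Dict[int, Tuple[str, int]] = {}
        # active mode: listener on the SSH server -> FTP client's data listener
        self.remote_forwardings: Dict[int, Tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        port = self._next_port
        self._next_port += 1
        return port

    def rewrite_pasv_reply(self, reply: str) -> str:
        """Server -> client direction. A 227 reply gets a fresh local forwarding to the
        FTP server's data listener and is rewritten to point at that forwarding."""
        m = PASV_REPLY_RE.match(reply)
        if m is None:
            return reply  # any other reply is passed through unchanged
        target = decode_hostport(m.groups())
        listener = self._allocate_port()
        self.local_forwardings[listener] = target
        return reply[: m.start(1)] + encode_hostport(LOCALHOST, listener) + reply[m.end(6):]

    def rewrite_port_command(self, command: str) -> str:
        """Client -> server direction. A PORT command gets a fresh remote forwarding on the
        SSH server's loopback address back to the FTP client's listener."""
        m = PORT_COMMAND_RE.match(command)
        if m is None:
            return command  # any other command is passed through unchanged
        target = decode_hostport(m.groups())
        listener = self._allocate_port()
        self.remote_forwardings[listener] = target
        return command[: m.start(1)] + encode_hostport(LOCALHOST, listener) + command[m.end(6):]
```

The recorded target of each forwarding is the leg that stays in the clear (SSH server to FTP server in passive mode, SSH client to FTP client in active mode), which is why the page says both pairs must share a host for end-to-end protection.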

Note: Consider using sftp2 or scp2 instead of FTP forwarding to secure file transfers. It will require less configuration than FTP forwarding, since the SSH Secure Shell server already has sftp-server2 as a subsystem, and sftp2 and scp2 clients are included in the distribution. Managing remote user restrictions on the server machine will be easier, since you do not have to do it also for FTP.


Reference: http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Port_Forwarding.html

Port Forwarding

Port forwarding, or tunneling, is a way to forward otherwise insecure TCP traffic through SSH Secure Shell. You can secure for example POP3, SMTP and HTTP connections that would otherwise be insecure - see Figure Encrypted SSH2 tunnel.

Figure: Encrypted SSH2 tunnel

The client-server applications using the tunnel will carry out their own authentication procedures, if any, the same way they would without the encrypted tunnel.

The protocol/application might only be able to connect to a fixed port number (e.g. IMAP 143). Otherwise any available port can be chosen for port forwarding.

Privileged ports (below 1024) can be forwarded only with root privileges.

There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively. Local port forwarding forwards traffic coming to a local port to a specified remote port.

For example, if you issue the command

ssh2 -L 1234:localhost:23 username@host

all traffic coming to port 1234 on the client will be forwarded to port 23 on the server (host). Note that localhost is resolved by the SSH server after the connection is established, so in this case localhost refers to the server (host) itself.

Remote port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port.

For example, if you issue the command

ssh2 -R 1234:localhost:23 username@host

all traffic which comes to port 1234 on the server (host) will be forwarded to port 23 on the client (localhost).

It is important to realize that if you have three hosts, client, sshdserver, and appserver, and you forward the traffic coming to the client's port x to the appserver's port y, only the connection between the client and sshdserver will be secured. See Figure Forwarding to a third host. The command you use would be something like the following:

ssh2 -L x:appserver:y username@sshdserver

Figure: Forwarding to a third host