Enter in all the connection information on the main putty screen. Sounds like you will be using port 443 instead of 22 to connect from the outside. Then go to the Tunnels section and put in 5092 for the Source port. Put in localhost:5900 for the destination. Leave the radio buttons to Local and Auto. Click Add so it shows up in the list and then open up the connection
When you open up the connection, you will have access to "localhost:5900" from the perspective of the server. You can access it from your local port 5092.
To connect to the server using vnc, plug in localhost:5092 for the host.
Using a fairly recent version of SecureCRT (I'm running 7.3.7 for this example), here is how you do it:
1.) Set up a new connection to your jump-off server (ext) with the IP address 1.1.1.1, as given in your example. Give the connection a name, "Jump-off server", and save it in your Sessions folder.
2.) Test that you can connect to the jump-off server as desired. You have indicated that only access with an SSH key is possible: You might want to import that key using ssh-agent functionality (use the "Tools" menu > "Manage Agent Keys..." > "Add...") if you want to enter your passphrase just once.
3.) Set up a new connection for your dev box. As with step 1.), use the correct IP address - 1.2.3.4, as given in your example - and name it "Development box". Save this session in your Sessions folder. Test this connection: It should fail at this point, because you're connecting directly. Close the window.
Now you have the raw information needed, but one extra step is required, to associate the jump-off box as the connection needs to go through "Jump-off box" in order to connect to "Development box".
4.) Right-click on the "Development box" connection in your Sessions folder, and select "Properties". Go to "Connection" -> "SSH2" and click on the "Firewall:" drop-down option. Click on "Select Session...", and then pick "Jump-off server" from the Sessions menu, and then click "OK" to accept the value, then "OK" again to exit the properties menu.
This now associates your jump-off box with your development box, so it is used as an intermediary when trying to establish a connection to your development box. It even works if you have a different SSH port in use on your jump-off box (e.g. 65000) versus your development box (e.g. 22), because SecureCRT will simply use the configuration you have set up for each host.
Try the "Development box" connection again, with or without a "Jump-off box" connection open, and you should find it works as you wanted.
Best Answer
In Putty Tunnels configuration for the localPi:3333, pick tunnel type Dynamic (instead of Local or Remote). Enter source port 3334, leave empty tunnel destination. The final string should read D3334.
Now configure your Windows browser to use SOCKS proxy at localhost:3334.
SOCKS protocol means that even if a Windows browser will send TCP traffic to one IP, the browser includes "inside" the TCP traffic the target IP address. The Dynamic tunnel is SOCKS-compatible, so the tunnel decodes the target IP and instructs your remotePi to connect to target IP on your behalf.
Your communication with localPi:3333 doesn't talk at all to localPi's sshd. It only does 3333 tunneling. The 3334 tunneling is between localWin's putty and remotePi's sshd.