I always forget how to do this and have to research it again.
This time the scenario is getting an X session on a DB server to install Oracle software, but the sysadmin has locked down the ports so that only the conventional ones (ssh) are open to the outside world (well, the rest of the intranet). I found this out using /sbin/iptables --list. At least VNC is still installed.
Of course the box is open for ssh, so using the very handy tool plink we first start a vncserver process on the remote box, noting down the port being used.
Then run the following from the command line on my local Windows workstation:
plink.exe -ssh -L 5900:localhost:5903 REMOTE_USER@REMOTE_SERVER -pw PASSWORD
This tunnels from local port 5900 to remote port 5903 on REMOTE_SERVER by opening a remote session for REMOTE_USER with PASSWORD.
Then, by opening a VNC viewer locally and pointing it at localhost:5900, we get the desired VNC session.
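
The same tunnel as a PowerShell script, added here as an example and not part of the original post: it uses key authentication instead of -pw, so the password never appears in the process list or shell history, and it confirms that a VNC server answers through the tunnel before you start the viewer. The key file path and the display number are assumed values; REMOTE_USER and REMOTE_SERVER are the placeholders used above.

```powershell
# Added example. Key path and display number are assumptions, not from the post.
$KeyFile    = "$env:USERPROFILE\.ssh\db_admin.ppk"  # hypothetical PuTTY key file
$Display    = 3                  # vncserver reported display :3 (assumed)
$RemotePort = 5900 + $Display    # VNC display :N listens on TCP 5900+N
$LocalPort  = 5900

# -i: key auth instead of -pw. -N: tunnel only, no remote shell.
# -batch: never prompt; the host key must already be cached from an earlier login.
# The listener is bound to 127.0.0.1 so other hosts cannot use the tunnel.
$plinkArgs = @('-ssh', '-batch', '-N', '-i', "`"$KeyFile`"",
               '-L', "127.0.0.1:${LocalPort}:localhost:${RemotePort}",
               'REMOTE_USER@REMOTE_SERVER')
$tunnel = Start-Process plink.exe -ArgumentList $plinkArgs -PassThru -WindowStyle Hidden

# A VNC server speaks first: 12 bytes of the form "RFB 003.008\n".
function Get-RfbBanner {
    param([int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect('127.0.0.1', $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $buf = New-Object byte[] 12
        $read = 0
        while ($read -lt 12) {
            $n = $stream.Read($buf, $read, 12 - $read)
            if ($n -le 0) { break }    # peer closed before a full banner arrived
            $read += $n
        }
        return [System.Text.Encoding]::ASCII.GetString($buf, 0, $read).Trim()
    } catch { return $null }           # refused, timed out, or reset
    finally { $client.Close() }
}

# Poll for up to ~10 s while plink authenticates and opens the listener.
$banner = $null
for ($i = 0; $i -lt 10 -and -not $tunnel.HasExited; $i++) {
    $banner = Get-RfbBanner -Port $LocalPort
    if ($banner -match '^RFB \d{3}\.\d{3}$') { break }
    Start-Sleep -Seconds 1
}
if ($banner -match '^RFB \d{3}\.\d{3}$') {
    Write-Host "Tunnel up ($banner); point the viewer at localhost:$LocalPort"
} else {
    if (-not $tunnel.HasExited) { Stop-Process -Id $tunnel.Id }
    Write-Error "No VNC banner on localhost:$LocalPort; check key, host key cache and display number"
}
```

When the VNC session is finished, close the tunnel with Stop-Process -Id $tunnel.Id.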