According to Wikipedia, FTPS has some firewall incompatibilities:
Because FTP utilizes a dynamic secondary port (for data channels),
many firewalls were designed to snoop FTP protocol control messages in
order to determine which secondary data connections they need to
allow. However, if the FTP control connection is encrypted using
TLS/SSL, the firewall cannot determine the TCP port number of a data
connection negotiated between the client and FTP server. Therefore, in
many firewalled networks, an FTPS deployment will fail when an
unencrypted FTP deployment will work. This problem can be solved with
the use of a limited range of ports for data and configuring the
firewall to open these ports.
However, another question on Stackexchange Serverfault lists some ways to solve your problem:
To know exactly what ports you will need to open, you will need to
either:
a) talk to the vendor to get specifics about how their system has been
configured.
b) Use a protocol analyzer, such as tcpdump or wireshark, to look at
the traffic, both from outside your firewall and inside your firewall
You need to find out which port is the Control Connection. You list 3,
which seems odd to me. Assuming the server only works in PASV
(passive) mode, you need to figure out how the server is configured to
allocate DATA ports. Have they locked down the DATA channel to a
single inbound port? Have they locked down the DATA channel to a small
range of ports?
With these answers, you can start configuring your firewall.
(Answered by pcapademic on May 21 '09 at 20:28).
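As an added illustration of the analyzer-based approach in the quoted answer (this is not code from the answer, from pcapademic, or from Wikipedia), the script below parses the server's PASV (RFC 959, reply 227) and EPSV (RFC 2428, reply 229) replies as they would appear in a tcpdump or Wireshark capture of an unencrypted control channel, computes the negotiated data port, and reports whether each port falls inside the range the firewall has been configured to allow. The sample replies, the server address 192.0.2.10 and the allowed range 50000-50100 are constructed values. This is exactly the inspection a firewall can no longer perform once the control channel is wrapped in TLS, which is why a fixed, pre-opened passive port range is the usual fix for FTPS.

```python
import re

# PASV reply per RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# The data port is p1 * 256 + p2.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# EPSV reply per RFC 2428: "229 Entering Extended Passive Mode (|||port|)"
# The data connection goes to the same address as the control connection.
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (host, port) for a PASV reply, (None, port) for an EPSV reply,
    or None if the line is not a passive-mode reply."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    return None


def audit_data_ports(control_lines, allowed_range):
    """Walk plaintext control-channel lines (as seen in a capture) and report
    each negotiated data port together with whether it sits inside the
    firewall's allowed (lo, hi) range. Ports outside the range are the ones
    that would be blocked."""
    lo, hi = allowed_range
    findings = []
    for line in control_lines:
        parsed = parse_passive_reply(line.strip())
        if parsed is None:
            continue
        host, port = parsed
        findings.append({"host": host, "port": port, "allowed": lo <= port <= hi})
    return findings


# Constructed sample of server replies, as they would appear in a capture of
# an unencrypted FTP control channel (not real traffic).
SAMPLE_CONTROL = [
    "220 FTP server ready",
    "230 Login successful",
    "227 Entering Passive Mode (192,0,2,10,195,80)",   # 195*256 + 80 = 50000
    "150 Opening data connection",
    "227 Entering Passive Mode (192,0,2,10,234,96)",   # 234*256 + 96 = 60000
    "229 Entering Extended Passive Mode (|||50010|)",
    "226 Transfer complete",
]

if __name__ == "__main__":
    # Assumed firewall policy: only 50000-50100 is opened for passive data.
    for finding in audit_data_ports(SAMPLE_CONTROL, (50000, 50100)):
        print(finding)
```

Running it on the constructed sample flags the second PASV reply (port 60000) as outside the opened range, which is the kind of mismatch between the server's passive-port configuration and the firewall rule that the quoted answer tells you to look for. To produce real input, capture the control connection from both sides of the firewall and feed the server's reply lines to `audit_data_ports`.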