As you probably already know, FTP uses multiple connections on multiple ports to perform file transfers.
Many firewalls "understand" plan text FTP and can open/close the appropriate ports dynamically if you specifically configure "FTP" (rather than "TCP port 21") on firewall rules. However, when FTPS is used, the control channel the firewall would usually read is encrypted, so firewall technicians find they need to open up ranges of high inbound TCP ports to get FTPS to work in passive mode. (We do not recommend the use of active mode FTPS transfers; fortunately most clients that can do FTPS select passive mode transfers by default.)
To avoid ridiculous ranges (e.g., "allow TCP from all to ports 1024-65535"), specific ranges of inbound passive ports can be configured on both your FTP server and your firewall. These instructions show how to configure a passive FTP port range on Serv-U. (Related instructions show how to require the use of passive mode transfers in Serv-U.)
Serv-U 14.0 and later
3. Click the "Save" button in the "Network Settings" panel.
4. To test, connect to Serv-U using an FTP client that is set up to use passive mode. Connect to the server from outside your firewall, attempt several directory listings and transfers, and make sure passive transfers work.