The Setup: Server 2008 R2 Enterprise with IIS 7.5. Home connection with dynamic external IP.
The Goal: Encrypted passive FTP server with AD integration, no client-side adjustments (save making sure to use FTPES in their client).
The Problem: I'm running on a home connection with a dynamic external IP, and the firewall is apparently doing something screwy.
What Happens: It works intermittently (it's broken more often than not). The control ports seem to work fine but not the data ports, because it can connect, authenticate, and get all the way to the point where it's supposed to pull the virtual directory.
Dump of FileZilla console follows (identifying info is edited):
Status: Resolving address of xxxxx.dyndns.org
Status: Connecting to 123.123.123.123:21...
Status: Connection established, waiting for welcome message...
Response: 220 Microsoft FTP Service
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER topherhead
Status: TLS/SSL connection established.
Response: 331 Password required for topherhead.
Command: PASS ********
Response: 230-[[welcome message is usually here]] site 222222
Response: Directory has 624,490,864,640 bytes of disk space available.
Response: 230 User logged in.
Command: SYST
Response: 215 Windows_NT
Command: FEAT
Response: 211-Extended features supported:
Response: LANG EN*
Response: UTF8
Response: AUTH TLS;TLS-C;SSL;TLS-P;
Response: PBSZ
Response: PROT C;P;
Response: CCC
Response: HOST
Response: SIZE
Response: MDTM
Response: REST STREAM
Response: 211 END
Command: OPTS UTF8 ON
Response: 200 OPTS UTF8 command successful - UTF8 encoding now ON.
Command: PBSZ 0
Response: 200 PBSZ command successful.
Command: PROT P
Response: 200 PROT command successful.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
Response: 227 Entering Passive Mode (123,123,123,123,253,199).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -53: Error in the push function.
The chances are good that your firewall supports FTP by watching the control connection (basically what you pasted above) and opening ports dynamically to enable the data connection to be made (where it said: "150 Opening BINARY mode data connection.").
You've encrypted the control connection. The firewall can't see inside to do that.
What you'll want to do is edit the firewall to permit a range of ports (how many depends on the number of clients you'll have) to enter (or leave, if you're permitting "active" PORT commands instead of or in addition to PASV). You will then need to configure the FTP server to only use those ports.
It is hard / annoying, but I've seen it work with at least one secure FTP server.
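As an added illustration (not part of the question or the answer above), the following Python check reads a FileZilla-style log, decodes the port advertised in the 227 PASV reply (p1*256 + p2), and reports whether that port falls inside the fixed range you have opened on the firewall; it also flags that, once AUTH TLS succeeded, a firewall FTP helper can no longer read the PASV reply. The log excerpt and the 50000-50100 range are constructed for the example.

```python
import re

# Constructed log excerpt, modelled on the FileZilla dump in the question.
SAMPLE_LOG = """\
Command: AUTH TLS
Response: 234 AUTH command ok. Expecting TLS Negotiation.
Command: PROT P
Response: 200 PROT command successful.
Command: PASV
Response: 227 Entering Passive Mode (123,123,123,123,253,199).
Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: GnuTLS error -53: Error in the push function.
"""

# 227 reply carries h1,h2,h3,h4,p1,p2; data port is p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (ip, port) decoded from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_log(log, allowed_range):
    """Return a list of findings: control channel encrypted (helper blind) and
    PASV port outside the range the firewall has been told to allow."""
    low, high = allowed_range
    control_encrypted = False
    findings = []
    for line in log.splitlines():
        if line.startswith("Response: 234"):
            # AUTH TLS accepted: everything after this is opaque to the firewall.
            control_encrypted = True
        elif line.startswith("Response: 227"):
            pasv = parse_pasv(line)
            if pasv is None:
                continue
            ip, port = pasv
            if control_encrypted:
                findings.append("control channel is TLS-encrypted; firewall FTP helper cannot read PASV")
            if not (low <= port <= high):
                findings.append(f"PASV advertised {ip}:{port}, outside allowed range {low}-{high}")
    return findings


if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG, (50000, 50100)):
        print(f)
```

If the advertised port lands outside the range you opened, the FTP server's passive data port range still needs to be pinned to that range; if it lands inside and the listing still fails, look at the firewall rule itself.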