Is there a way to restrict FTPS ports on both the server & client side of the connection?
I've already read this answer and I have vsftpd set to restrict passive port usage to a narrow range on the server side. I've verified that this restriction does work -- for the server. However, if the client is behind a firewall itself and is carefully restricting access on that end, the connections fail. Inspecting with tcpdump, it appears that arbitrary high ports on the client side are being used.
SFTP is not an option. (Believe me, I wish it were.)
In theory, yes, but I'm not aware of any FTP client software that will allow you to specify the source port, and to be honest it'll probably cause more problems than it solves if you start messing with the source ports on a client device. It's really only the destination port that gets adjusted; I've never seen a firewall that locked down ports inside or out based on the source port, it's always the destination.
Another reason not to play around with the source port is that it will more than likely get changed when it hits the source client's router/firewall. Most offices/homes only have 1 external IP, so in order to keep track of connections the internal IPs and source ports are changed dynamically by the firewall, which is commonly referred to as port address translation (PAT). As such, even if you did specify the source port on the client, there is no guarantee that it'll be the same when it hits the server.
The client (or their IT dept) would have to allow those ports on their firewall. You can't really do much other than tell them what ports need to be open outbound.
Those high ports on the client are probably just the ephemeral ports on the host trying to make the connection; it's the outbound destination ports (the ones you configured on your server side) that are most likely blocked on their firewall for outbound use.