How do I configure Windows Firewall for FTP Server

Depends on if you're using Active or Passive ftp. Here's the chart from this site which has a great explanation of the differences from a port perspective:

 Active FTP :
     command : client >1023 -> server 21
     data    : client >1023 <- server 20

 Passive FTP :
     command : client >1023 -> server 21
     data    : client >1023 -> server >1023

So:

• Active FTP - the firewall must allow incoming connections on TCP/21 and outgoing connections on TCP>1023.
• Passive FTP - the firewall must allow incoming connections on TCP/21 and TCP>1023

If you're going to use Passive ftp the best thing to do is to configure the ftp server to use a specific (limited) port range for the client to connect to for the data stream and then open that range on the firewall.

If you used a real firewall, it would be able look at the PASV command inside the FTP control channel (TCP/21) and open the data port accordingly. Therefor, you only need to open TCP/21 and the firewall takes care of the rest.

Of course, the usual SOHO routers (and software FWs) won't do this for you. In this case you should stick with a defined port range (~3 ports per concurrent user) like squillman recommended.

I have a similar strange problem that all the ports (21, 20, and 5500 for pasv) are open in windows firewall (server 2003) yet telnet proves that even 21 is blocked when the firewall is on. Everything works fine whenever the firewall is off. And on top of that, there are certain times of the day (totally random) when it works regardless. Until it doesn't. And when it doesn't, turning off windows firewall fixes it. It's not the FTP server, that's not even logging an attempt to connect.