SSL traffic will not get any help from the firewall filter for FTP. As a matter of fact it will (most likely) prevent SSL from working. So we have to look for other options on how to enable it.
The easiest way to configure Windows Firewall to allow FTPS traffic is to put the NT service for FTP7 on the inbound exception list. The NT Service name is "Microsoft FTP Service" or "ftpsvc". This service is hosted in generic service process host called svchost.exe so it is not possible to put it on the exception list thought the program exception.
Warning: FTPSVC service doesn’t listen to any ports other than configured endpoints for ftp sites and data connection ports that are setup for data transfers. But you should double check the listening endpoints for FTPSVC by using netstat –n –a –o. The –o switch allows listing the process ID (or PID) of the listening process. Find out the PID for FTPSVC and check the listening endpoints.
The following 4 steps will allow both non-secure and SSL FTP traffic through firewall.
1) FTPSVC service has to get tagged with FTPSVC service SID. It is new security feature introduced for Vista / Windows 2008. "Microsoft FTP Publishing Service for IIS 7.0 RC0" doesn’t have service SID enabled by default so the following command line has to be run to enable service SID.
sc sidtype ftpsvc unrestricted
Note: Changing of sidtype will not be necessary in future releases of Microsoft FTP Publishing Service for IIS 7.0 after RC0 release
2) Restart ftpsvc service for the previous step to take effect
net stop ftpsvc & net start ftpsvc
3) Setup Windows Firewall to allow "ftpsvc" service to listen on all ports it opens.
netsh advfirewall firewall add rule name="FTP for IIS7" service=ftpsvc action=allow protocol=TCP dir=in
4) Make sure that FTP filter for Windows Firewall is disabled
netsh advfirewall set global Statefulftp disable
Warning: Do not use active FTP connections with SSL if client is behind NAT. It will not work.