The most common issue is active/passive + NAT problem.
In a nutshell, most TCP connections are made TO a particular port and then back on an ephemeral port that's specified in the session setup.
Firewalls dig this. They can allow all outbound, and know when to let stuff back in cuz they saw the ephemeral port being specified when they first let stuff out.
FTP is different. A client uses a PORT or PASV command that tells the server of a new set of ports to use for the data transfer. This command is issued in the upper, application layers. A plain TCP/IP firewall can't see that happening. The server attempts to setup this basically new connection and an intervening firewall says, "Whoa, BS. I don't let this port in!"
One of the best explanations I've found is on ISAServer.org:
http://www.isaserver.org/articles/How_t...ocol_Challenges_Firewall_Security.html
Couple options for ya...
Passive FTP option in IE is under:
Internet options | advanced | Browsing category | Use Passive FTP
You can also ensure your FTP server is either on the edge of your network or behind a firewall that is application layer aware (ISA, Checkpoint)
