Transferring files securely requires a comprehensive understanding of the connections, ports, and IP addresses utilized by FTP (File Transfer Protocol) and FTPS (FTP over TLS/SSL). The FTP protocol and its secure version, FTPS, operate over TCP (Transmission Control Protocol). This guide provides an in-depth look at the commonly used control and data ports for these protocols, their differences, and firewall considerations.

Understanding FTPS and FTP Connections

FTP and FTPS sessions consist of two types of connections: the control connection and the data connection. The client always initiates the control connection; which side initiates the data connection depends on the transfer mode described below. Both are vital for data transfer.

The Control Connection

The control connection is the initial link, also known as the control channel, established when a client connects to an FTP server using the server’s IP address. Its purpose is to grant clients access to the server and enable them to send commands (FTP commands) and receive server responses.

  • TCP Port 21 is the default control connection port for FTP, often called FTP port 21.
  • Port 990 is the default control connection port for FTPS.

These are the ports on which the server listens for new FTP sessions. However, these default ports are not set in stone. As a server administrator, you are free to move the listener to any open port on the system. If you’re running a software-based firewall, or the server sits behind a router, ensure that neither blocks the chosen port. If it is blocked, your FTP or FTPS server will be invisible and inaccessible to users.

The Data Connection

The data connection is the pathway through which the FTP server exchanges file listings (like directory listings in ASCII format) and transfers files. The FTP client asks for a file listing or a file transfer over the control connection, and the listing or file itself travels over the data connection.

  • Port 20 is the most common data connection port for FTP.
  • Port 989 is the default data connection port for FTPS.

Understanding and managing data connections can be challenging for server administrators, as this is where most complications arise. Two modes, active FTP and passive FTP (PASV), dictate how the client and server establish these connections.

In active mode, the client opens a random port, sends the FTP server the information via a PORT command, and waits for the server to initiate the connection. However, active FTP often faces issues with firewalls blocking incoming connections.

In passive mode FTP, after authentication, the client sends the PASV command; the server opens a random port, sends this port number back to the client in its reply to PASV, and waits for the client to initiate the data connection. Passive mode is generally more firewall-friendly, as the connections are all initiated from the client side.
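The port exchanged in a PORT command or a PASV reply is encoded as six comma-separated numbers, which is what a firewall or administrator has to decode when a data connection fails. The following is an added example, not code from Cerberus or the original article; the passive range, addresses and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed policy for this example: the passive port range the server is
# configured to use and the firewall permits (hypothetical values).
PASSIVE_RANGE = range(50000, 50101)

# Both PORT and the 227 reply carry h1,h2,h3,h4,p1,p2 (RFC 959).
_TUPLE = re.compile(r"\b" + ",".join([r"(\d{1,3})"] * 6) + r"\b")

# Constructed sample lines using documentation addresses.
GOOD_227 = "227 Entering Passive Mode (203,0,113,10,195,80)"
NAT_227 = "227 Entering Passive Mode (192,168,1,5,4,1)"
ACTIVE_PORT = "PORT 198,51,100,7,200,21"


def parse_endpoint(line):
    """Return (IPv4Address, port) from a PORT command or a 227 reply."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value above 255 in %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def check_pasv_reply(reply, control_peer):
    """Return a list of problems found in a 227 reply to PASV."""
    ip, port = parse_endpoint(reply)
    problems = []
    if port not in PASSIVE_RANGE:
        problems.append("port %d is outside the allowed passive range" % port)
    if ip != ipaddress.IPv4Address(control_peer):
        # Typical of a server behind NAT advertising its internal address.
        problems.append("advertised %s but control peer is %s" % (ip, control_peer))
    return problems


if __name__ == "__main__":
    for reply in (GOOD_227, NAT_227):
        print(reply, "->", check_pasv_reply(reply, "203.0.113.10") or "ok")
    print(ACTIVE_PORT, "->", parse_endpoint(ACTIVE_PORT))
```

An address mismatch in the reply usually points to a server behind NAT that has not been told its external address, which is one of the cases where port forwarding has to be configured alongside the passive range.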

FTP vs. FTPS Port Connection Usage – Implicit vs. Explicit

FTP and FTPS use different ports, and these choices dictate the security behavior of clients and servers. FTPS can operate in two modes: Explicit FTPS and Implicit FTPS.

In Implicit FTPS, connections established via Port 990 will automatically perform an SSL/TLS (Secure Sockets Layer/Transport Layer Security) handshake, implying a secure connection.

On the other hand, in Explicit FTPS, connections established via Port 21 need an additional AUTH command to enable security, i.e., to start the SSL/TLS session. The security features of FTPS protect your data from being sent unencrypted, as plain text, over the network.
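Because Explicit FTPS starts in clear text on port 21, the order of client commands decides what is actually protected. The following added example (not from the original article or from Cerberus) audits a list of client commands, such as one taken from a server or client debug log; the sample sessions are constructed, and the PBSZ and PROT commands come from RFC 4217 rather than from this page.

```python
# Commands that open a data connection (listings and transfers).
DATA_VERBS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "STOU", "APPE"}

# Constructed sample sessions (client commands only).
PLAIN = ["USER alice", "PASS example-password", "PASV", "LIST"]
NO_PROT = ["AUTH TLS", "USER alice", "PASS example-password", "PASV",
           "RETR report.csv"]
PROTECTED = ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice",
             "PASS example-password", "PASV", "STOR backup.tar"]


def audit_explicit_session(commands):
    """Return (line_no, verb, issue) tuples for a port 21 session.

    Assumes the server accepted every command it was sent.
    """
    tls = False             # control channel encrypted (after AUTH)?
    data_protected = False  # data channel encrypted (after PROT P)?
    findings = []
    for n, line in enumerate(commands, 1):
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        verb = parts[0].upper()
        arg = parts[1].strip().upper() if len(parts) > 1 else ""
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            tls = True
        elif verb == "PROT":
            data_protected = tls and arg == "P"
        elif verb in ("USER", "PASS") and not tls:
            findings.append((n, verb, "sent in clear text before AUTH"))
        elif verb in DATA_VERBS and not data_protected:
            findings.append((n, verb, "data connection not protected by TLS"))
    return findings
```

The `NO_PROT` session shows the case that is easy to miss: AUTH protects the login, but without `PROT P` the file contents still cross the data connection unencrypted.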

Firewall Considerations

When using FTPS, specific firewall ports must be open to ensure smooth file transfers. The command and data channels must be open on the client and server. Understanding the range of ports to open can be complex, requiring careful configuration of your port range and endpoints.

In some cases, you may also need to facilitate FTP port forwarding. Hence the need for intelligent FTPS servers like Cerberus FTP Server.


Understanding FTP and FTPS ports is crucial for secure file transfers. The choice between FTP and FTPS and the preferred port numbers often depends on your specific security needs and system configurations.

Apps and command-line tools help implement and manage these protocols, ensuring permissions are correctly set and public key authentication is used when needed. Using a secure, turnkey file transfer solution like Cerberus will make this much easier on you with its robust set of management features. Feel free to download a trial to experience secure file transfer like never before. Your first 25 days are free.

Frequently Asked Questions

Is FTPS port 21 or 990?

FTPS typically uses port 990 for control connections and port 989 for data connections under implicit security. However, FTPS can also use port 21 when operating under explicit security. It’s essential to understand the difference between FTPS and HTTPS for secure file transfers.

Does FTPS use port 22?

No, FTPS does not use port 22. This port is primarily associated with SFTP (SSH File Transfer Protocol, part of Secure Shell). Read more about the differences in SCP vs SFTP on our blog.

What is the difference between port 21 and 990?

Port 21 is FTP’s default control connection port, while port 990 is the same for FTPS. The main difference lies in their expected security behavior. Port 990 implies implicit security, whereas port 21 can be used with explicit security. Read our blog post on how secure is FTP to learn more about these differences.

What port is FTP and FTPS?

FTP uses port 21 for control connections and port 20 for data connections. FTPS uses port 990 for control connections and port 989 for data connections under implicit security. When using explicit security, FTPS can also use port 21. Learn more about securing an FTP or SFTP server on our blog.

Remember, knowledge about these protocols and ports and RFC 959 (the original FTP standard) can help you secure and manage file transfers effectively.