Depending on the type of secure file transfer protocol you intend to use, you may need to configure your server to accept traffic over different ports. Below, we provide an overview of the commonly used control and data ports for FTP and FTP over TLS/SSL (commonly known as FTPS) connections.

Types of FTPS and FTP Connections

The Control Connection

The control connection is always the first connection established with an FTP server. The control connection’s purpose is to allow clients to connect and to send commands to the server and receive server responses.

  • Port 21 is considered the default control connection port for FTP connections
  • Port 990 is the accepted default control connection port for FTPS

Using these default ports is not mandatory – the administrator is free to change the listener to use any free port on the system as the listening port. However, if the administrator is running a software-based firewall, the administrator must be certain that [incoming] connections are not blocked on the port chosen for the control connection. If the port that an FTP or FTPS server is listening on is blocked, no one will be able to see or connect to the FTP server.

The Data Connection

The second type of connection is called the data connection. This is the connection through which an FTP server exchanges file listings and transfers files. When an FTP client uses the control connection to instruct an FTP Server to send a file listing or transfer a file, the actual data exchange takes place on the data connection. The data connection is usually where most of the confusion and problems arise for FTP server administrators.

  • Port 20 is the most commonly used data connection port for FTP
  • Port 989 is the accepted default data connection port for FTPS

Differences Between FTP and FTPS Port Connection Usage – Implicit Versus Explicit 

The main difference between the FTP and FTPS ports’ usage is the expected security behavior of clients and servers communicating through them. A server that receives a request via Port 990 will immediately perform an SSL handshake, because connection via that port implies the desire for a secure connection (Implicit security). Control connections established via Port 21 will require an additional AUTH command to invoke security (known as Explicit security because the client must explicitly ask to secure the connection).