FTP commands are initiated by the client, which opens a TCP connection called the control (or command) channel to the server. This control channel is used for the entire duration of a session between the client and server. A session typically begins when the client logs in, and ends when the quit command is sent to the server. The control channel is used exclusively for sending FTP commands and reading server replies - it is never used to transfer files. In FTP and FTPS this is usually port 21.
File transfers and directory listings use a separate, transient connection for each transfer or listing. The client issues a command to open a data connection (passive, using the PASV command, or active, using the PORT command). In passive mode, the server replies with a port number that the client must connect to for the data transfer. In active mode, the client sends a port number to the server, which connects back to it.
Now firewalls are usually configured by default to allow TCP connections out or in on port 21. They are not configured by default to allow connections on the data ports. With FTP, this isn't an issue - the firewall inspects the control channel, sees the data port number that is sent, and automatically opens this port so the data connections are permitted. FTP users don't even notice.
Unfortunately, with FTPS this is not possible - the control channel is encrypted and the firewall can't inspect it to obtain the data port numbers to open. So the data connection fails, even though the user can login and issue commands.
The only solution to this is to configure the firewall to open the data port numbers permanently. FTPS servers must be configured to only use a fixed range of data port numbers, and these are set up in the firewall. If active mode is used, clients must be similarly configured to use a fixed range of port numbers.