RE: FTP/SSL

SSL based protocols are designed to be resilient against
man-in-the-middle attacks. The firewall would be that man in the middle.

The only ways to solve your problems that I can see are:

1. Bite the bullet, open the ports
2. Force users to use Active mode FTP, so they open all those ports
instead of you
3. See if your SFTP server has an option to force users to use specific
ports. This may make opening the interfaces a little easier.
4. Put the SFTP server on your firewall. This is hardly ideal, but
better than the alternatives?
5. Offer regular FTP-through-VPN instead of SFTP

>So am I correct that the only option is to open a large chunk of ports
>so that the data connection can be established?  This seems like 2 steps
>forward and 1 step back!
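Option 3 in rule form, as an added example that is not part of the original message: because the control channel is encrypted, the firewall's FTP connection-tracking helper cannot read the passive-mode replies, so the data ports have to be pinned on the server and opened statically. The control port 21, the range 50000-50049, the documentation address 192.0.2.10 and a routed (non-NAT) firewall are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that admits the encrypted
# FTP control connection plus ONE fixed passive data range, nothing else.
# Assumed values (not from the original post): control port 21, a server
# reached through the FORWARD chain without NAT, caller-supplied range.
# The FTP server must be pinned to the same range, e.g. vsftpd's
# pasv_min_port / pasv_max_port or ProFTPD's PassivePorts directive.

ftps_rules() {
    server=$1 lo=$2 hi=$3

    # Both bounds must be plain decimal numbers.
    for p in "$lo" "$hi"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
    done

    # Refuse inverted ranges and anything reaching into privileged ports,
    # so a typo cannot silently expose more than intended.
    [ "$lo" -ge 1024 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1

    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d $server -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -d $server -p tcp --dport $lo:$hi -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the assumed server and a 50-port passive range;
# review the output before feeding it to iptables-restore.
ftps_rules 192.0.2.10 50000 50049
```

The size of the range caps the number of simultaneous passive data connections, so it should be sized to the expected concurrent transfers rather than opened wide.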



