IIS 7.5 FTPS external access - 534 Policy requires SSL

Posted by markmnl on Server Fault
Published on 2011-07-08T09:57:15Z Indexed on 2012/09/01 9:40 UTC
Hit count: 729


I have set up an FTP site that requires SSL, but when I try to connect to it externally I get the error:

220 Microsoft FTP Service 534 Policy requires SSL.

I know - I set it so! Why doesn't it fetch the SSL cert from the site and allow me to log on?!

(Incidentally, beware of all the tutorials that Allow but do not Require SSL - while that will solve the problem, it will be because SSL is not being used!)

I suspect it may be that I need a client that supports FTPS (FTP over SSL), and Windows Explorer just uses IE, which does not. But trying FileZilla and WinSCP I get a little further, but then it hangs on TLS/SSL negotiation expecting a response from the server...

UPDATE: I have tried (from: http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings/):

  1. Configure the Passive Port Range for the FTP Service.
  2. Configure the external IPv4 Address for a Specific FTP Site.
  3. Configure the firewall to allow the FTP service to listen on all ports that it opens.
  4. Disabling stateful FTP filtering so that Windows Firewall will not block FTP traffic.

And still I get (in FileZilla trying both Active and Passive):

Status: Connecting to 203.x.x.x:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    AUTH TLS
Response:   234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Error:  Connection timed out
Error:  Could not connect to server

The Windows firewall logs unhelpfully have nothing to say...

UPDATE2: Turning the firewall off does not resolve the problem.

I cannot believe how difficult it is to get something so simple to work, and even after following the documentation it does not work.

UPDATE3: Running FileZilla locally, connecting through the loopback works in Active mode; in Passive mode I get up to:

Command:    LIST
Response:   150 Opening BINARY mode data connection.
Error:  GnuTLS error -53: Error in the push function.

Turning the firewall off at both ends, I still cannot connect the client and get the same error as above.
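The three transcripts in the question each break at a different stage of an explicit-FTPS session (cleartext login rejected with 534, TLS handshake on the control channel timing out, data channel failing after 150). The helper below is an added example, not code from the post or from Microsoft: it parses FileZilla-style log lines into the stage where the session stopped, and `probe_ftps()` walks the same stages live with Python's `ftplib.FTP_TLS` so the failing step is named rather than guessed. The host, port and credentials passed to `probe_ftps()` are assumptions; the embedded transcripts are constructed from the lines quoted above.

```python
"""Stage-by-stage diagnosis of explicit FTPS (AUTH TLS) failures.

Added example; not part of the original question. The sample transcripts are
constructed from the FileZilla lines quoted in the question, with a
documentation address (203.0.113.10) standing in for the real server.
"""
import re
import socket
import ssl
from ftplib import FTP_TLS, error_perm, error_temp

# Constructed: the "534 Policy requires SSL" case (client logging in without AUTH TLS).
LOG_NO_TLS_CLIENT = """\
Status: Connecting to 203.0.113.10:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    USER markmnl
Response:   534 Policy requires SSL.
Error:  Could not connect to server
"""

# Constructed from the question's first FileZilla log: handshake on the control channel hangs.
LOG_TLS_TIMEOUT = """\
Status: Connecting to 203.0.113.10:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    AUTH TLS
Response:   234 AUTH command ok. Expecting TLS Negotiation.
Status: Initializing TLS...
Error:  Connection timed out
Error:  Could not connect to server
"""

# Constructed from UPDATE3: control channel is fine, the passive data channel breaks.
LOG_DATA_CHANNEL = """\
Status: Connecting to 127.0.0.1:21...
Status: Connection established, waiting for welcome message...
Response:   220 Microsoft FTP Service
Command:    AUTH TLS
Response:   234 AUTH command ok. Expecting TLS Negotiation.
Status: TLS connection established.
Command:    PASV
Response:   227 Entering Passive Mode (127,0,0,1,19,137).
Command:    LIST
Response:   150 Opening BINARY mode data connection.
Error:  GnuTLS error -53: Error in the push function.
"""

_LINE = re.compile(r"^(Status|Command|Response|Error|Trace):\s*(.*)$")


def parse_log(text):
    """Turn FileZilla log text into (kind, message) tuples, skipping non-log lines."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def classify(entries):
    """Name the stage at which an explicit-FTPS session broke.

    Checks run from the latest stage backwards, so a failure after 150 is
    reported as a data-channel problem even though 234 was also seen.
    """
    established = any(k == "Status" and "Connection established" in t for k, t in entries)
    codes = [int(t[:3]) for k, t in entries if k == "Response" and t[:3].isdigit()]
    errors = [t for k, t in entries if k == "Error"]
    if not established and not codes:
        return "control-port-unreachable"      # nothing answered on port 21
    if 534 in codes:
        return "client-not-using-tls"          # server policy rejected a cleartext login
    if 150 in codes and errors:
        return "data-channel-failure"          # passive range / external IP / PROT P issues
    if 234 in codes and errors:
        # Server accepted AUTH TLS but the handshake never completed. A classic cause is
        # a firewall or NAT device doing FTP protocol inspection, which cannot follow an
        # encrypted control channel; the linked guide's step 4 (disable stateful FTP
        # filtering) addresses exactly this.
        return "control-tls-handshake-failure"
    if errors:
        return "other-error"
    return "ok"


def probe_ftps(host, port=21, user="anonymous", password="", timeout=10):
    """Live probe: run the same stages with ftplib and return (stage, detail).

    Certificate verification stays on; an untrusted IIS certificate is reported
    as a handshake failure instead of being silently accepted.
    """
    ftp = FTP_TLS(context=ssl.create_default_context(), timeout=timeout)
    try:
        ftp.connect(host, port)          # TCP connect + 220 banner
    except (OSError, socket.timeout) as exc:
        return ("control-port-unreachable", str(exc))
    try:
        ftp.auth()                       # AUTH TLS, then TLS handshake on the control channel
    except (OSError, error_perm, error_temp) as exc:
        return ("control-tls-handshake-failure", str(exc))
    try:
        ftp.login(user, password)
        ftp.prot_p()                     # encrypt the data channel too
        names = ftp.nlst()               # passive data connection + listing
    except (OSError, error_perm, error_temp) as exc:
        return ("data-channel-failure", str(exc))
    finally:
        try:
            ftp.quit()
        except OSError:
            pass
    return ("ok", f"{len(names)} entries listed")


if __name__ == "__main__":
    for name, log in [("no-tls", LOG_NO_TLS_CLIENT), ("timeout", LOG_TLS_TIMEOUT),
                      ("data", LOG_DATA_CHANNEL)]:
        print(name, "->", classify(parse_log(log)))
```

Running `probe_ftps("ftp.example.test")` (assumed host) against the server from outside and then from the loopback, as the question does, shows directly whether the control-channel handshake or only the passive data channel is being cut, which in turn points at either an inspecting firewall in the path or the passive port range and external IP settings.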

