Just found out how to make it work. You may find it helpful too.
PROBLEM: FTP7 doesn't follow the Data Channel Port Range set in the "FTP Firewall Support" setting.
SYSTEM: Windows Small Business Server 2008 Premium Edition x64, IIS7 with FTP7
I followed this to set up FTPS (FTP over SSL):
http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/
The port range I used was 2000-3000. I set the firewall with this range to match.
It worked for a while, but not on the next day.
In the FTP log, I found this:
>> 227 Entering Passive Mode (*,*,*,*,217,44). (* masked my ip address)
217,44 means port number 217*256+44 = 55596, which is totally outside the defined range 2000-3000.
I tried to change the FTP7 setting in IIS UI (IIS7 > Sites > (the FTP site I use) > FTP Firewall Support). But the "Data Channel Port Range" was dimmed. It can be changed in C:\Windows\System32\inetsrv\config\applicationHost.config though. Anyways it didn't help. The port range I entered was just ignored.
It turned out that Windows follows its own default dynamic port range. Here are the commands to view and change it:
http://support.microsoft.com/kb/929851/
netsh int ipv4 show dynamicport tcp
netsh int ipv4 set dynamicport tcp start=10000 num=1000
Anyways I used the 2nd command to set to a new range, and set the firewall to match it. Problem solved.
Is the problem a bug? Or did I set something wrong?
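
A check for the symptom described in the post, as an added example that is not part of the original post: it reads FTP log lines, computes the port announced in each 227 reply (p1*256+p2) and lists any that fall outside the range the firewall allows. It also handles 229 (EPSV) replies, which goes beyond the post; the sample log lines are constructed and the function names are hypothetical.

```python
import re

# 227 reply to PASV (RFC 959): (h1,h2,h3,h4,p1,p2). Host octets may be masked with '*'.
PASV_RE = re.compile(r"\b227\b[^(]*\((?:(?:\d{1,3}|\*),){4}(\d{1,3}),(\d{1,3})\)")
# 229 reply to EPSV (RFC 2428): (|||port|)
EPSV_RE = re.compile(r"\b229\b[^(]*\(\|\|\|(\d{1,5})\|\)")


def passive_port(line):
    """Return the data-channel port announced in a 227/229 reply, or None."""
    m = PASV_RE.search(line)
    if m:
        p1, p2 = int(m.group(1)), int(m.group(2))
        if p1 > 255 or p2 > 255:
            return None  # malformed reply, not a valid port encoding
        return p1 * 256 + p2
    m = EPSV_RE.search(line)
    if m:
        port = int(m.group(1))
        return port if port <= 65535 else None
    return None


def out_of_range(lines, low, high):
    """Return (line_number, port) for each announced port outside low..high."""
    findings = []
    for number, line in enumerate(lines, 1):
        port = passive_port(line)
        if port is not None and not (low <= port <= high):
            findings.append((number, port))
    return findings


# Constructed sample lines; only the first one reproduces the reply quoted in the post.
SAMPLE_LOG = [
    ">> 227 Entering Passive Mode (*,*,*,*,217,44).",
    ">> 227 Entering Passive Mode (*,*,*,*,9,196).",
    ">> 229 Entering Extended Passive Mode (|||49733|)",
    ">> 226 Transfer complete.",
]

if __name__ == "__main__":
    # 2000-3000 is the Data Channel Port Range from the post.
    for number, port in out_of_range(SAMPLE_LOG, 2000, 3000):
        print(f"line {number}: server announced port {port}, outside 2000-3000")
```

Running it over a real log after changing the range shows whether the server's announced ports and the firewall rule actually agree, instead of waiting for transfers to fail.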