Since this post regards ISPConfig someone should mention that the
should be written into /etc/proftpd_ispconfig.conf
To make it really work you should add
PassivePorts 60000 60100
(or any range you like) before <IfModule mod_tls.c> and open the respective ports in your firewall.
The background is, that the firewall can't inspect the encrypted traffic and therefore can't determine the passive ports the filetransfer will take (and hence can't open them). With the above settings you will force proftpd to take the specified ports which you opened in the firewall.
At least that's the way that finally worked for me.