If your client machine has a static address or is being statically NATed, you may not need to make any firewall changes, assuming you allow all outbound traffic and the server operates only in Passive mode (PASV). One thing not mentioned is whether or not your firewall is performing NAT and whether or not it is static NAT or dynamic NAT. Using SFTP, or scp, makes the network administrator's job a lot easier - everything happens on the server's port 22, and the transaction follows the normal client/server model.
If that information is secured by SSL, the firewall can't read it or change it. In an ordinary FTP session, the information about data connections is read, and for NAT modified, by the firewall in order for the firewall to dynamically open the needed ports. My understanding of FTP over SSL (ftps) is that it doesn't work well with firewalls and NAT.