There are three types of FTP connections possible (Cerberus FTP Server supports all three):
Plain, unencrypted FTP that defaults over port 21. Most web browsers support basic FTP.
Implicit SSL/TLS encrypted FTP that works just like HTTPS. Security is enabled with SSL as soon as the connection starts. The default FTPS port is 990. This protocol was the first version of encrypted FTP available, and while considered deprecated, is still widely used. None of the major web browsers support FTPS.
Explicit FTP over SSL/TLS. This starts out as plain FTP over port 21, but through special FTP commands is upgraded to TLS/SSL encryption. This upgrade usually occurs before the user credentials are sent over the connection. FTPES is a somewhat newer form of encrypted FTP (although still over a decade old), and is considered the preferred way to establish encrypted connections because it can be more firewall friendly. None of the major web browsers support FTPES.
These three protocols should not be confused with the SFTP protocol. SFTP is an entirely different file transfer protocol that runs over SSH2.
Controlling what types of FTP are Allowed
You can control the types of FTP connections allowed at both the user level, and at the listener level.
Restricting FTP connections at the User level
For a user or group account, the Require Secure Control and Require Secure Data constraints are meant to enforce that the connection is encrypted using either FTPS or FTPES. If Require Secure Control is checked, FTP over port 21 will be denied login if the user attempts to authenticate without upgrading the connection to use encryption. If the FTP connection is upgraded to use encryption (upgraded to FTPES), then the user will be allowed to send login credentials and attempt to login. Cerberus requires an FTP listener to allow FTP or FTPES connections.
FTPS connections are always encrypted, and connections that come through on an FTPS listener will always be allowed to attempt to login.
The user and group constraints Allow FTP and Allow FTPS is meant to control what protocol a user can login over. If Allow FTP is selected for a user, then both FTP and FTPES connections will be allowed to attempt to login over an FTP listener. This can be further restricted to only allowing FTPES connections by selecting the Require Secure Control and Require Secure Data constraints for the user.
You can create combinations of these options to allow exactly the type of protocol and security settings that you prefer.
To allow any protocol, as long as it is secure, leave Allow FTP and Allow FTPS checked, and make sure Require Secure Control and Require Secure Data are checked.
This will allow connecting over implicit FTPS listeners on port 990, and explicit FTPES connections over FTP listeners on port 21 (as long as the connection gets upgraded to TLS/SSL encryption before the user attempts to login).
Restricting FTP connections at the Listener level
In addition to the fine-grain control, administrators have at the user level, broader restrictions can be enforced at the listener level. FTP listeners also have the Require Secure Control and Require Secure Data settings. These settings are checked first before a user even attempts to login. If the Require Secure Control and Require Secure Data options are specified for an FTP listener, then only secure FTPES connections will be allowed. These settings are enforced before the individual user settings are checked.