DTC firewall requirements?


I'm attempting to set up an environment in which a TransactionScope originating on a web server (ASP.NET) will flow a transaction through WCF to an application server and subsequently through to the database. Since I'm forced to use a SQL Server 2005 database, this often causes the transaction to be 'promoted' to a distributed transaction (several service calls could be wrapped in this TransactionScope), which means the Distributed Transaction Coordinator needs to be enabled.

I've successfully got it working on a local box where the web server and app server are hosted on the same machine, connecting to a remote database. DTC communicates on port 135 for RPC connections (as well as an upper range). I don't have a two-box setup to test on... For DTC to work, does port 135 need to be opened (from a firewall perspective) for communication between the web server and application server, or just on the application server talking to the database? I'm getting pushback from the deployment folks about opening up 135 from the web to app server, and was wondering if this was even necessary. I've yet to find documentation online that clarifies this for me.

Kind of a fringe question, was hoping for some insight from someone out there who might have run into this.




I believe that it's worse than that as DTC uses RPC calls to coordinate. You might be able to fix these to a certain port range, but it's complicated. I had a project with similar issues -- using more than one connection even to the same server promoted queries to DTC. I ended up refactoring the code to share connections after unsuccessfully trying to navigate the firewall issues. I could get it to work in our QA environment, but not in production. There were some differences: QA was all VMs, production was real hardware on the SQL server and clustered, as well. The OS loads were as similar as possible, but there may have been minor patch differences as the QA box had a wider range of apps than the production box.

This MSDN article might be of some use: http://support.microsoft.com/kb/306843
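
Added example, not part of the thread: a small audit of a proposed firewall rule set against the flows discussed above (TCP 135 plus a fixed RPC port range). It assumes each adjacent pair of tiers runs MSDTC and needs those ports in both directions; the host names, the 5000-5100 range and the rule format are constructed for illustration.

```python
from dataclasses import dataclass

EPMAP = 135  # RPC endpoint mapper port named in the question

@dataclass(frozen=True)
class Rule:
    """One allowed TCP flow: src host to dst host, ports lo..hi inclusive."""
    src: str
    dst: str
    lo: int
    hi: int

def covered(rules, src, dst, lo, hi):
    """True if every port lo..hi from src to dst is allowed by some rule."""
    spans = sorted((r.lo, r.hi) for r in rules if r.src == src and r.dst == dst)
    need = lo  # lowest port not yet shown to be allowed
    for a, b in spans:
        if a > need:
            break  # gap before this rule starts
        need = max(need, b + 1)
        if need > hi:
            return True
    return False

def missing_dtc_flows(rules, pairs, rpc_range):
    """List (src, dst, ports) flows the rule set does not allow."""
    lo, hi = rpc_range
    gaps = []
    for a, b in pairs:
        for src, dst in ((a, b), (b, a)):  # assumption: RPC needed both ways
            if not covered(rules, src, dst, EPMAP, EPMAP):
                gaps.append((src, dst, str(EPMAP)))
            if not covered(rules, src, dst, lo, hi):
                gaps.append((src, dst, f"{lo}-{hi}"))
    return gaps

# Constructed sample: hypothetical hosts and a hypothetical fixed RPC range.
RPC_RANGE = (5000, 5100)
PAIRS = [("web", "app"), ("app", "db")]
RULES = [
    Rule("web", "app", 135, 135), Rule("web", "app", 5000, 5100),
    Rule("app", "db", 135, 135), Rule("app", "db", 5000, 5050),
    Rule("app", "db", 5051, 5100),
    Rule("db", "app", 135, 135), Rule("db", "app", 5000, 5100),
]

if __name__ == "__main__":
    for src, dst, ports in missing_dtc_flows(RULES, PAIRS, RPC_RANGE):
        print(f"blocked: {src} -> {dst} tcp/{ports}")
```

With the sample rules, the only gaps reported are the return flows from the app server to the web server, which is the direction most easily overlooked when a change request is written as "web to app".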