I've got a fairly typical DMZ setup as below:

Internet
(External) Watchguard Firewall (80 and 443 open)
MS Windows 2003 Web Servers (in a workgroup)
(Internal) MS ISA Firewall (80, 443 and 1433 open)
MS Windows 2003 Db Servers
We now have a requirement to use MSDTC on the web servers and blow the following holes in our internal firewall:
Open 135       RPC EPM (endpoint mapper)
Open 1433      TDS SQL traffic when using TCP/IP
Open 1434      SQL 2000 Integrated Security
Open 5100-5200 MSDTC [dynamically assigned a port by the EPM]
I'm worried that these extra ports will be a security risk, so my question is not how to do this, but rather whether I should do this. Obviously there's always a risk in opening extra ports, but is it common/normal to run MSDTC in the DMZ? Should I ask the developers to adopt a different solution?
Regards,
Daniel
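The 5100-5200 range in the question only bounds the firewall hole if RPC on the web servers is actually told to allocate MSDTC's dynamic endpoint from that range; otherwise the endpoint mapper can hand out any ephemeral port. The following is an added example, not part of Daniel's post, showing how to pin the RPC dynamic range via the documented HKLM\SOFTWARE\Microsoft\Rpc\Internet values and then check which ports msdtc.exe is really listening on. It assumes PowerShell is installed on the Windows Server 2003 web server (it is not there by default) and that the script runs as a local administrator; the registry keys and value names are the standard ones, everything else (the range, the service restart) is taken from the question.

```powershell
# Added example (not from the original post): pin the RPC dynamic port range
# that MSDTC is assigned through the endpoint mapper (TCP 135), so the firewall
# rule can be limited to 5100-5200 instead of the whole ephemeral range.
# Assumes: PowerShell is present on the Windows Server 2003 box, run as admin.
# A reboot (or at least restarting MSDTC and RPC-dependent services) is needed
# before the new range takes effect.

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$range  = '5100-5200'          # the range from the question; match the ISA rule
$low, $high = $range -split '-' | ForEach-Object { [int]$_ }

if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey | Out-Null }

# Ports is REG_MULTI_SZ (one entry per range). PortsInternetAvailable=Y plus
# UseInternetPorts=Y tell the RPC runtime to allocate dynamic endpoints only
# from the listed ranges.
Set-ItemProperty -Path $rpcKey -Name 'Ports'                  -Value @($range) -Type MultiString
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y'       -Type String
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Value 'Y'       -Type String

# Read the values back so the change is visible in the console.
Get-ItemProperty -Path $rpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts

# After the restart: verify that every TCP listener owned by msdtc.exe sits
# inside the pinned range. netstat -ano prints the owning PID per socket.
$msdtc = Get-Process -Name msdtc -ErrorAction SilentlyContinue
if ($msdtc) {
    $lines = netstat -ano | Select-String 'LISTENING' |
        Where-Object { ($_.Line -split '\s+')[-1] -eq "$($msdtc.Id)" }
    foreach ($l in $lines) {
        $fields = $l.Line -split '\s+'                 # '', TCP, local, remote, state, pid
        $port   = [int](($fields[2] -split ':')[-1])
        if ($port -ge $low -and $port -le $high) {
            "msdtc.exe listening on {0}: inside pinned range {1}" -f $port, $range
        } else {
            "msdtc.exe listening on {0}: OUTSIDE {1} - firewall rule will not cover it" -f $port, $range
        }
    }
} else {
    'msdtc.exe is not running; start the Distributed Transaction Coordinator service first.'
}
```

The check at the end is the part worth keeping around: it is run after the reboot, and any listener it reports as outside the range means either the registry change did not take or the ISA rule needs a wider range. Note that this only narrows the MSDTC hole; 135 still has to be open for the endpoint mapper lookup itself.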