• I understand about callbacks.  I also understand that you will (likely) never have callbacks from SQL Server, especially to a web application.  From a web application, all queries to SQL Server will (likely) be synchronous, and SQL Server will never on its own ask to establish a connection to the web server.

    Let's say the web server is running in a DMZ.  SQL Server is running inside the firewall on a server named ServerA.  The web server is the DCOM "client".  The application on the web server will open a DCOM connection to the ServerA SCM by making a request on port 135, and it returns a message to use port 5010.  The web server now makes a request for a connection on port 5010 to ServerA, SQL Server does its work and returns its results on the same connection on port 5010.  The web server does not need ports 135 or 5010 open, because it initiated the connection with those ports, and ServerA replies back to the web server.  The ports only need to be open for the web server if it is accepting connections, not initiating connections, true?  ServerA needs these ports open, because it is accepting connections on those ports.

    Or, not being a network engineer, is my understanding of firewalls and networks wrong?  I understand firewalls to block or allow unsolicited requests.  If the machine behind the firewall initiates the connection, the response back will go through the firewall to the initiating machine.



    Mark
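
The flow described in the post above, modelled as a toy stateful firewall (an added example, not part of the original post). The class and function names, the source ports 49152-49154 and 50000, and the allow-and-track outbound policy on both firewalls are assumptions made for illustration; ports 135 and 5010 and the host ServerA come from the post.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    new: bool = False   # True only for the first packet (SYN) of a connection

@dataclass
class StatefulFirewall:
    host: str                                          # machine this firewall protects
    inbound_allow: set = field(default_factory=set)    # {(remote host, local port)}
    flows: set = field(default_factory=set)            # {(local port, remote, remote port)}

    def permits(self, p: Packet) -> bool:
        if p.src == self.host:                         # outbound: allow and track (assumed policy)
            self.flows.add((p.sport, p.dst, p.dport))
            return True
        key = (p.dport, p.src, p.sport)
        if key in self.flows:                          # packet belongs to a tracked connection
            return True
        if p.new and (p.src, p.dport) in self.inbound_allow:
            self.flows.add(key)                        # new connection matching an inbound rule
            return True
        return False                                   # unsolicited inbound: drop

def deliver(p, firewalls):
    """A packet must pass the sender's firewall, then the receiver's."""
    return firewalls[p.src].permits(p) and firewalls[p.dst].permits(p)

def run_scenario():
    fw = {"web": StatefulFirewall("web"),              # no inbound rules at all
          "ServerA": StatefulFirewall("ServerA", {("web", 135)})}
    out = {}
    out["scm_request"] = deliver(Packet("web", 49152, "ServerA", 135, new=True), fw)
    out["scm_reply"] = deliver(Packet("ServerA", 135, "web", 49152), fw)
    # Port 5010 is not yet open on ServerA, so the second connection fails.
    out["5010_before_rule"] = deliver(Packet("web", 49153, "ServerA", 5010, new=True), fw)
    fw["ServerA"].inbound_allow.add(("web", 5010))
    out["5010_request"] = deliver(Packet("web", 49154, "ServerA", 5010, new=True), fw)
    out["5010_reply"] = deliver(Packet("ServerA", 5010, "web", 49154), fw)
    # ServerA opening a connection to the web server on its own is dropped.
    out["unsolicited_to_web"] = deliver(Packet("ServerA", 50000, "web", 135, new=True), fw)
    return out

if __name__ == "__main__":
    for step, ok in run_scenario().items():
        print(f"{step:20} {'pass' if ok else 'DROP'}")
```

In this model the web server's firewall has an empty inbound rule set throughout, while ServerA needs explicit inbound rules for both 135 and 5010, scoped here to the web server as the only permitted source.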