The ShadowProtect Console connects to remote agents using DCOM - hence the need to open Port 135. However, it is not the inbound traffic to Port 135 that is tricky, its allowing the resultant callback message to return to the Console. As a result of the way DCOM (and the underlying RPC service) are set up by default, the associated port is not fixed. Instead it is generated from a range. In other words, you cannot simply open a specific port for inbound traffic to the machine running the Console. Some firewalls are smart enough to handle this call back if DCOM uses TCP (which is the normal default protocol). If DCOM uses any other protocol (e.g. UDP) then connection through the firewall can get more complicated.
Most firewalls, including the Windows Firewall, includes a predefined Exeception Rule for DCOM-related inbound and outbound connections. Sometimes you have to experiment with some of the options.
Whatever ports you open (e.g. 135), just make sure you add some restriction on where those requests come from (e.g. local subnet etc.).
Since WMI also uses DCOM, you can use WBEMtest to double-check a connection independent of the ShadowProtect Console. Depending on what firewall you use, you can probably find details in their KB/FAQ regarding DCOM and WMI exceptions.
Regards
FT