To configure OPC communication to pass through a firewall, you must open a port for DCOM communication and provide application exceptions. Specifically, you must configure your firewall as follows.
OPC Client PC configuration: First, you must provide exceptions for DCOM's end-point mapping (EPMAP) functions on TCP port 135. You must also provide exceptions for OPC Client applications.
OPC Server PC configuration: First, you must provide exceptions for DCOM's end-point mapper (EPMAP) on TCP port 135. Then you must provide exceptions for both the OPC Server and OpcEnum.
DCOM will take over from there, and requires only 4 ports to be enabled to establish communication. Luckily, DCOM will find these ports automatically.
DCOM can also be configured to pass information across static (or fixed) ports so it can work well with external or hardware firewalls. In this case, only 2 ports will be necessary.
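The OPC Server PC exceptions described above, written as a Windows Defender Firewall script. This is an added example, not part of the original page or any vendor tool. The client address, the OPC Server path and the OpcEnum location are assumptions to replace with your own values, and limiting the rules to one remote address and to the Domain and Private profiles is a tightening added here.

```powershell
#Requires -RunAsAdministrator
# Added example: inbound exceptions for the OPC Server PC.
# Every value in this first section is an assumption, not taken from the page.
$OpcClientAddress = '192.0.2.10'   # placeholder: address of the OPC Client PC
$Group            = 'OPC DCOM (example)'
$Programs = @{
    'OpcEnum'    = "$env:SystemRoot\SysWOW64\OpcEnum.exe"          # assumed location on 64-bit Windows
    'OPC Server' = 'C:\Program Files\ExampleVendor\OpcServer.exe'  # placeholder path
}

# Remove earlier copies of these rules so the script can be re-run safely.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 1. DCOM end-point mapper (EPMAP) on TCP 135, reachable only from the OPC client.
New-NetFirewallRule -DisplayName 'OPC - DCOM EPMAP (TCP 135)' -Group $Group `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 135 `
    -RemoteAddress $OpcClientAddress -Profile Domain,Private | Out-Null

# 2. Application exceptions. A program rule follows the executable, so it
#    covers whichever ports DCOM picks automatically for that process.
foreach ($name in $Programs.Keys) {
    $path = $Programs[$name]
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name not found at '$path'; no rule created."
        continue
    }
    New-NetFirewallRule -DisplayName "OPC - $name" -Group $Group `
        -Direction Inbound -Action Allow -Protocol TCP -Program $path `
        -RemoteAddress $OpcClientAddress -Profile Domain,Private | Out-Null
}

# 3. List what was created so the result can be reviewed.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Port    = ($_ | Get-NetFirewallPortFilter).LocalPort
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize
```

On the OPC Client PC the same pattern applies, with the OPC Client application's executable in place of the OPC Server and OpcEnum entries.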
OPCTI's Level 2: OPC Security and Level 4: Advanced OPC Projects cover this configuration extensively. For automated firewall configuration, refer to OPC Rescue.