diff --git a/README.md b/README.md
index 52eb6bab5fd8995f1c3865b05dea5a14b3bbbfc9..28a4e003354b24c068ce80490867a2d18177868a 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@
 * [On-Boarding to IICS](./docs/on-boarding-to-iics.md)
 * [Logging in](./docs/logging-in.md)
 * [Training](./docs/training/training.md)
-* [Best Practices And Recommendations](./docs/best-practices/)
+* [Best Practices And Recommendations](./docs/best-practices/README.md)
 * [Integration Tutorials](./docs/tutorials/README.md)
 * [Secure Agents](./docs/secure-agent.md)
 * [Shared Orgs and Sub Orgs](./docs/shared-org-vs-sub-org.md)
diff --git a/docs/best-practices/README.md b/docs/best-practices/README.md
index fcb05e0991f11184b4ff27aca4596c97989e4c0a..c83e432df87dfb367db069e694ab146ab69666c8 100644
--- a/docs/best-practices/README.md
+++ b/docs/best-practices/README.md
@@ -2,9 +2,10 @@
 
 Here are some recommended best practices for designing and working with integrations in IICS.
 
-* [Working In a Shared Environment](best-practices/shared-environment.md)
-* [Naming Conventions](best-practices/naming.md)
-* [AWS S3 as a Flat file alternative](best-practices/flat-file-alternative.md)
-* [Cloud Data Integration (CDI) vs. Cloud Application Integration (CAI)](best-practices/cai-vs-cdi.md)
-* [Migrating Assets between Organizations](best-practices/asset-migration.md)
-* [Email Alerting](best-practices/email-alerting.md)
+* [Working In a Shared Environment](docs/best-practices/shared-environment.md)
+* [Naming Conventions](docs/best-practices/naming.md)
+* [AWS S3 as a Flat file alternative](docs/best-practices/flat-file-alternative.md)
+* [Cloud Data Integration (CDI) vs. Cloud Application Integration (CAI)](docs/best-practices/cai-vs-cdi.md)
+* [Migrating Assets between Organizations](docs/best-practices/asset-migration.md)
+* [Email Alerting](docs/best-practices/email-alerting.md)
+* [Firewall Expectations](docs/best-practices/firewallexpectation.md)
diff --git a/docs/best-practices/firewallexpectation.md b/docs/best-practices/firewallexpectation.md
new file mode 100644
index 0000000000000000000000000000000000000000..a8c9b823132d20fe629a70ed5b187209364db87d
--- /dev/null
+++ b/docs/best-practices/firewallexpectation.md
@@ -0,0 +1,14 @@
+# Firewall Expectations
+
+For a database to successfully be accessed by IICS, it must first accept connections from the IICS Secure Agent. If the database has a firewall associated with it, then any attempt at connecting without altering the firewall will most likely result in an error (only providing the vague error message of ‘Connection Refused’ within IICS).
+
+For connection to be successful, the database admin must edit the firewall to allow communications from the Secure Agent through. There are two secure agents running under the label ei.secureagent.wisc.edu - one for the test organization, and one for production - and each one has a separate IP address. These addresses are listed below.
+
+|Organization|IP|
+|:-------|:---------------|
+|test | 3.230.240.5 |
+|production | 3.19.12.147 |
+
+Once the connection in IICS and the firewall rules in the database are set up, they can easily be tested by using the ‘test connection’ button in IICS. If the connection is unsuccessful, it is recommended you double-check the connection properties within IICS, and check the firewall traffic in the database to make sure no connection attempts are being blocked.
+
+Note that there is an additional layer of firewalls contained within edge routers that encompasses all inbound traffic to the UW system. When using certain ports (notably 1433), the traffic will be blocked by the edge router. If you have determined this might be the case, you should contact the Integration Team at integration-platform@doit.wisc.edu for support.