If the user uses CheckPoint SecuRemote/SecureClient, it is easy to create the rules.
This passage is from the CheckPoint manual.
If a SecuRemote/SecureClient is located behind a non-Check Point firewall, the following ports must be opened on the firewall to allow SecuRemote/SecureClient traffic to pass:
Table 1-16: Ports to open for non-Check Point firewalls

Port | Explanation
UDP port 500 | always, even if using IKE over TCP
TCP port 500 | only if using IKE over TCP
IP protocol 50 (ESP) | unless always using UDP encapsulation
UDP port 2746 | configurable; only if using UDP encapsulation
UDP port 259 | only if using MEP, interface resolving or interface High Availability
If you think this is too much, contact the Firewall Administrator on the CheckPoint side and ask if he supports Visitor Mode (HTTPS).
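As an added illustration (not from the post or the CheckPoint manual), here is a POSIX shell function for a Linux iptables firewall sitting in front of the client that emits only the FORWARD rules the table above requires for the modes actually in use, so nothing beyond the needed ports is opened. The gateway address 203.0.113.10 and the option names ike_over_tcp, udp_encap and mep are assumptions.

```shell
#!/bin/sh
# Emit iptables FORWARD rules for SecuRemote/SecureClient traffic crossing a
# non-Check Point (Linux) firewall. Only the ports required by the chosen modes
# are opened; the rules are printed, not applied, so they can be reviewed first.
# Usage: secureclient_rules <gateway-ip> [ike_over_tcp] [udp_encap] [mep]
# (constructed example; 203.0.113.10 below is a placeholder address)
secureclient_rules() {
    gw="$1"; shift
    ike_tcp=0; udp_encap=0; mep=0
    for opt in "$@"; do
        case "$opt" in
            ike_over_tcp) ike_tcp=1 ;;
            udp_encap)    udp_encap=1 ;;
            mep)          mep=1 ;;
            *) echo "unknown option: $opt" >&2; return 1 ;;
        esac
    done
    # UDP 500 (IKE): always required, even when IKE over TCP is in use
    echo "iptables -A FORWARD -p udp -d $gw --dport 500 -j ACCEPT"
    # TCP 500: only when IKE over TCP is used
    if [ "$ike_tcp" -eq 1 ]; then
        echo "iptables -A FORWARD -p tcp -d $gw --dport 500 -j ACCEPT"
    fi
    if [ "$udp_encap" -eq 1 ]; then
        # UDP 2746 (default, configurable): ESP carried inside UDP
        echo "iptables -A FORWARD -p udp -d $gw --dport 2746 -j ACCEPT"
    else
        # IP protocol 50 (ESP): native IPsec when UDP encapsulation is not always used
        echo "iptables -A FORWARD -p esp -d $gw -j ACCEPT"
    fi
    # UDP 259: only with MEP, interface resolving or interface High Availability
    if [ "$mep" -eq 1 ]; then
        echo "iptables -A FORWARD -p udp -d $gw --dport 259 -j ACCEPT"
    fi
    # Replies from the gateway ride on the established connections
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    return 0
}

secureclient_rules 203.0.113.10 udp_encap
```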