What rule does a customer need to place on their firewall to have a PC connected via SITE TO SITE VPN and to enable the ability to use the MGMT VIP to connect my boxes?

NG

The entry point into the VIP network is the Control Center server IP. So if your ng admin client is on the other side of a site-to-site tunnel, then you must advertise the VIP network in the site-to-site tunnel configuration, and then the firewall that is in the same location as the control center needs to have a static route that says the VIP network is reachable by using the CC server ip address as the gateway. Then you also most likely need a firewall rule on the CC box that source NAT the traffic to its own IP