I think I've had a win (it's always nice to end the week on a high note). I cracked the shits and plugged my laptop in place of the Windows Terminal Server (my laptop also has the Firewall-1 GUI software installed) and with the firewall policy unloaded (via the console) I was able to make a connection to the management server. I then edited the object for the firewall, told it to reget the topology (taking into account the change of interface names) saved it, pushed the policy and lo and behold, I could SSH to the management server.
That said, I now cannot make an RDP connection to the terminal server, so I'm not sure if Windows freaked out over a duplicate IP address and took itself off the network, or if I plugged the cable back into the wrong interface. I'll look at that on Monday.