Well, I actually found something useful on Checkpoint's site (that doesn't happen often), but it's not what I wanted to hear.
We want to avoid browser configurations; we were hoping this solution could be transparent.
If anyone has done any clever work-arounds, I'd be interested to know. We have WAY too many desktops to want to go through this, even via GPO.
This procedure configures the HTTP Security Server to work with HTTPS:
1) Define a Security Server for https reject rule:
Set resource to "Enforce URI capabilities".
Select all in connection methods (including Tunneling).
Set the URI type to UFP.
Set the Match Action to "Blocked".
NOTE: When the warning pops up, click "OK".
2) Define an accept rule for https.
3) In Global properties > SmartDashboard Customization > Advanced Configuration > Configure > FireWall-1 > Web Security > HTTP Protocol:
Check http_connection_method_proxy and http_connection_method_tunneling.
4) In each client browser, define the FW-1 as a proxy.
For Internet Explorer, open a browser. Select Tools->Internet Options->Connections->LAN settings->Proxy server Advanced. In Security, define the FW-1 address and port (443).
5) Install the Policy.