What Settings are Recommended when HTTPS Decryption is Prohibited?
Question: It is not allowed to decrypt HTTPS connections at the place of deployment (because we are not the owner of that network). What settings are recommended to still filter network access?
Answer: Web Safety is primarily designed to filter based on the content of pages transferred through network connections, so the ability to look into the traffic is important. Nevertheless, it is still possible to set up the application so that it filters the unencrypted HTTP protocol and the domain names being connected to (so-called SNI/Domain filtering).
First, ensure that your Admin UI / Squid Proxy / HTTPS Decryption setting is set to Disabled, as indicated on the following screenshot.
Then, in each of the filtering policies, in Admin UI / Web Filter / Policies / Policy / Advanced, clear both the Decrypt HTTPS Connections checkbox and the Show blocked page for initial HTTPS connections checkbox, as indicated on the following screenshot.
From now on, your proxy will not decrypt HTTPS connections, and connections to sites that trigger blocking, for example by SNI (domain name in SSL certificate), will simply be terminated. Note that the standard blue blocked page will not be shown to the user, because showing it requires HTTPS decryption to be in place.