What filtering settings are recommended when NO HTTPS decryption is allowed?
It is not allowed to decrypt HTTPS connections at the place of deployment (because we are not owner of the network). What settings are recommended to still filter network access?
The Web Safety is primarily designed to filter based on the content of pages transferred through network connections and thus ability to look into the traffic is important. Nevertheless, it is still possible to setup the application in such a way that it filters non encrypted HTTP protocol and domain names being connected to (think SNI filtering).
Ensure your UI / Squid Proxy / HTTPS Decryption settings is set to Disabled as indicated on the following screenshot.
In each of the filtering policies in UI / Web Filter / Policies / Policy / Advanced clear the [ ] Decrypt HTTPS / SSL Connections checkbox and [ ] Show blocked page for initial HTTPS connections checkbox as indicated on the following screenshot.
From now on your proxy will not decrypt HTTPS connections and connection to sites that trigger blocking by for example SNI (domain name in SSL certificate) will be just terminated. Note no standard blue blocked page will be shown to the user because showing it requires to have HTTPS decryption in place.