It is no good idea to allow direct access to Exchange servers from the Internet without additional protection. Using username/password to access mailboxes is certainly not enough!
In the past we have seen many attacks even using zero day exploits.

There are multiple ways to access mailboxes:

• Web browsers using Outlook Web Access (OWA)
• Mobile devices using Exchange Active Sync (EAS)
• Outlook clients using MAPI over HTTP and Outlook Anywhere (RPC over HTTP)

Protect each access path by ApplicGate!

Place ApplicGate between the Internet and your Exchange server and enable following features:

Outlook Web Access (OWA)

• In that case the Exchange server acts as web server communicating via https.
• Install ApplicGate WEBAUTH to intercept the https traffic.
• Enable additional authentication at ApplicGate using client certificates, One-Time Password (OTP, via SMS or email) or Time-base One-Time Password (TOTP using Google or Microsoft Authenticator at your smartphone)

Exchange Active Sync (EAS)

• EAS is based on https.
• Install ApplicGate EASSIP to control the data flow between your mobile devices and your Exchange Server
• Monitor and block devices, add additional authentication by client certificates as necessary

Outlook Clients

• Outlook clients communicate by using a HTTP(S) based protocols.
• Install ApplicGate WEBAUTH for additional authentication by certificates, OTP or TOTP.
• Now only authenticated sources are allowed to access the Exchange server.