Re: Hairpin nat with multiple subnets / vlans

First of all, don't expose TCP 445; this is for Windows file sharing and is not required for Exchange access.

The preferred way is to configure the dns-forwarder to return the internal IP for Exchange when using its external name.

Hairpin is only needed if you can't do the DNS trick.

Only on the IP subnet hosting the Exchange server, you'll need full hairpin: a dNAT rule combined with sNAT.

For all guest networks, the dNAT rule suffices.

The dNAT rule translates the public IP into the local IP of the Exchange server.

The sNAT rule changes the source IP of the client into an IP address of the ER, making all incoming connections come from a single IP.
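The following is an added example, not part of the original post: a small Python model of the packet path that shows why the server's own subnet needs dNAT plus sNAT while other subnets work with dNAT alone. All addresses and the `trace` function are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing; none of these values come from the post.
PUBLIC_IP = ip_address("203.0.113.10")      # address the external name resolves to
SERVER_IP = ip_address("192.168.1.10")      # Exchange server's local address
SERVER_NET = ip_network("192.168.1.0/24")   # subnet hosting the server
ROUTER_IP = ip_address("192.168.1.1")       # router's address on that subnet


def trace(client, snat):
    """Follow one connection from client to PUBLIC_IP through the router.

    Returns (source address the server sees, whether the client accepts the reply).
    """
    client = ip_address(client)
    # dNAT on the router: destination PUBLIC_IP becomes SERVER_IP.
    src = client
    # sNAT, applied only to traffic arriving from the server's own subnet.
    if snat and client in SERVER_NET:
        src = ROUTER_IP
    # The server answers to src. A src on its own subnet (other than the
    # router) is reached directly on the LAN, so the router never sees the
    # reply and cannot undo the dNAT.
    via_router = src == ROUTER_IP or src not in SERVER_NET
    reply_src = PUBLIC_IP if via_router else SERVER_IP
    # The client opened its connection to PUBLIC_IP and drops anything else.
    return src, reply_src == PUBLIC_IP


if __name__ == "__main__":
    cases = [
        ("192.168.1.50", False),   # same subnet, dNAT only
        ("192.168.1.50", True),    # same subnet, dNAT + sNAT
        ("192.168.50.20", False),  # guest subnet, dNAT only
    ]
    for client, snat in cases:
        seen, ok = trace(client, snat)
        print(f"client={client} snat={snat} server_sees={seen} works={ok}")
```

In the sNAT case the server sees the router's address instead of the client's, so its logs no longer distinguish individual clients on that subnet.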

