Reading Microsoft's Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010, it looks like encryption is baked in for client access in all flavors (OWA, EAS, etc). 2FA is available with Forefront TMG.
Why would an organization require a VPN client like Cisco Anyconnect, for example, in order to connect to Exchange for email? What does it provide that a pure MS Exchange 2010/Forefront TMG 2010 based architecture build does not?