Yes, you can use additional external IPs (one would be required to cover each port overlap).
IP1:80 > IIS
IP2:80 > Exchange
IP1:443 > IIS
IP2:443 > Exchange
IP3:443 > NAS.server
IP4:443 > music.server
There are only three choices: HTTP, HTTPS (ALPN), DNS.
No other ports are allowed for authentication.
Yes, you can change the port of Exchange.
In your current situation (only 1 external IP and no “proxy”), you can only assign each external port to one specific internal device.
So you are forced to do something like:
21 > ftp.server
22 > sftp.server
80 > IIS
81 > Exchange
443 > IIS
444 > Exchange
445 > NAS.server
446 > music.server
Using each port only once.
Now that may appear to resolve your problem.
But in 90 days all certs will be expired and you will be forced to renew them.
Those renewals can only be done via HTTP/HTTPS/DNS.
So from that list…
Only IIS will automatically succeed in renewing.
And that is where the real problem is - automation.
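
The two port layouts from the post above, checked for which servers an inbound ACME challenge can actually reach. This is an added example, not part of the original post; the hostnames, the 203.0.113.x addresses and the function name are assumptions made for illustration.

```python
# Added example. Hostnames and 203.0.113.x addresses are constructed.
HTTP01_PORT = 80       # HTTP-01 validation always connects to port 80
TLSALPN01_PORT = 443   # TLS-ALPN-01 validation always connects to port 443

def inbound_challenges(names, forwards):
    """Map each hostname to the inbound ACME challenges that reach its server.
    names:    {hostname: (external_ip, intended_backend)}
    forwards: {(external_ip, external_port): backend}
    An empty list means only DNS-01 (or a proxy on 80/443) can renew it.
    """
    result = {}
    for host, (ip, backend) in names.items():
        usable = []
        if forwards.get((ip, HTTP01_PORT)) == backend:
            usable.append("http-01")
        if forwards.get((ip, TLSALPN01_PORT)) == backend:
            usable.append("tls-alpn-01")
        result[host] = usable
    return result

IP1, IP2, IP3, IP4 = ("203.0.113.%d" % n for n in (10, 11, 12, 13))
# One external IP, every external port used once (the second table above).
ONE_IP_NAMES = {
    "www.example.com": (IP1, "IIS"),
    "mail.example.com": (IP1, "Exchange"),
    "nas.example.com": (IP1, "NAS.server"),
    "music.example.com": (IP1, "music.server"),
}
ONE_IP_FORWARDS = {
    (IP1, 21): "ftp.server", (IP1, 22): "sftp.server",
    (IP1, 80): "IIS", (IP1, 81): "Exchange",
    (IP1, 443): "IIS", (IP1, 444): "Exchange",
    (IP1, 445): "NAS.server", (IP1, 446): "music.server",
}
# Four external IPs (the first table above).
FOUR_IP_NAMES = {
    "www.example.com": (IP1, "IIS"), "mail.example.com": (IP2, "Exchange"),
    "nas.example.com": (IP3, "NAS.server"),
    "music.example.com": (IP4, "music.server"),
}
FOUR_IP_FORWARDS = {
    (IP1, 80): "IIS", (IP2, 80): "Exchange",
    (IP1, 443): "IIS", (IP2, 443): "Exchange",
    (IP3, 443): "NAS.server", (IP4, 443): "music.server",
}

if __name__ == "__main__":
    print("one IP:", inbound_challenges(ONE_IP_NAMES, ONE_IP_FORWARDS))
    print("four IPs:", inbound_challenges(FOUR_IP_NAMES, FOUR_IP_FORWARDS))
```

With one IP only the IIS name gets a non-empty list; with four IPs every name has at least one inbound challenge that lands on the right server.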