Using hub VPN is one way to do it, as described in the 5.9 product guide (page 1114: https://kc.mcafee.com/agent/index?page=content&id=PD25995). It could probably be done quite easily without hub config too if you have separate VPN elements for client VPN and for site-to-site VPN. Add the clients' virtual IP range as a site to the client VPN gateway, so that the site is only enabled in the S2S VPN, then use Forward VPN access rules to send client VPN traffic to the other sites.
Is it also possible to route traffic from one VPN client to another?
I have connected some clients with a single McAfee VPN Client policy to the internal network.
But is it possible to let the clients "talk" to each other?
Indeed it is. You'd need a forward rule like this:
source: Virtual IP range
destination: Virtual IP range
service: as needed
action: Forward VPN -> Client VPN
authentication: can be left empty, or define specific users/groups if the access should be restricted
source VPN: Client VPN
The virtual IP range must also be included in the VPN site.